Intro

There are many challenges that engineering teams face when attempting to incorporate a multi-cloud approach into their infrastructure goals. Kubernetes does a good job of addressing some of these issues, but managing the communication of clusters that span multiple cloud providers in multiple regions can become a daunting task for teams. Often this requires complex VPNs and special firewall rules to multi-cloud cluster communication.

In this post, I will be introducing you to Skupper, an open source project for enabling secure communication across Kubernetes cluster. Skupper allows your application to span multiple cloud providers, data centers, and regions. Let's see it in action!

Getting Started

This tutorial will demonstrate how to distribute the Istio Bookinfo Application microservices across multiple public and private clusters. The services require no coding changes to work in the distributed application environment. With Skupper, the application behaves as if all the services are running in the same cluster.
In this tutorial, you will deploy the productpage and ratings services on a remote, public cluster in namespace 
aws-eu-west
 and the details and reviews services in a local, on-premises cluster in namespace 
laptop
.
OverviewFigure 1 - Bookinfo service deployment
The image above shows how the services will be deployed.
If all services were installed on the public cluster, then the application would work as originally designed. However, since two of the services are on the laptop cluster, the application fails. productpage can not send requests to details or to reviews.
This demo will show how Skupper can solve the connectivity problem presented by this arrangement of service deployments.
Figure 2 - Bookinfo service deployment with Skupper
Skupper is a distributed system with installations running in one or more clusters or namespaces. Connected Skupper installations share information about what services each installation exposes. Each Skupper installation learns which services are exposed on every other installation. Skupper then runs proxy service endpoints in each namespace to properly route requests to or from every exposed service.

Prerequisites

To run this tutorial you will need:

Step 1: Deploy the Bookinfo application

This step creates a service and a deployment for each of the four Bookinfo microservices.
Namespace 
aws-eu-west
:
$ kubectl apply -f public-cloud.yaml
service/productpage created
deployment.extensions/productpage-v1 created
service/ratings created
deployment.extensions/ratings-v1 created
Namespace 
laptop
:
$ kubectl apply -f private-cloud.yaml 
service/details created
deployment.extensions/details-v1 created
service/reviews created
deployment.extensions/reviews-v3 created

Step 2: Expose the public productpage service

Namespace 
aws-eu-west
:
kubectl expose deployment/productpage-v1 --port 9080 --type LoadBalancer
The Bookinfo application is accessed from the public internet through this ingress port to the productpage service.

Step 3: Observe that the application does not work

The web address for the Bookinfo application can be discovered from namespace 
aws-eu-west
:
$ echo $(kubectl get service/productpage -o jsonpath='http://{.status.loadBalancer.ingress[0].hostname}:9080')
Open the address in a web browser. Productpage responds but the page will show errors as services in namespace 
laptop
 are not reachable.
We can fix that now.

Step 4: Set up Skupper

This step initializes the Skupper environment on each cluster.
Namespace 
laptop
:
skupper init
Namespace 
aws-eu-west
:
skupper init
Now the Skupper infrastructure is running. Use 
skupper status
 in each console terminal to see that Skupper is available.

Step 5: Connect your Skupper installations

Now you need to connect your namespaces with a Skupper connection. This is a two step process.
The 
skupper connection-token <file>
 command directs Skupper to generate a secret token file with certificates that grant permission to other Skupper instances to connect to this Skupper's network.
Note: Protect this file as you would do for any file that holds login credentials.
Note that in this arrangement the Skupper instances join to form peer networks. Typically the Skupper opening the network port will be on the public cluster. A cluster running on 
laptop
 may not even have an address that is reachable from the internet. After the connection is made, the Skupper network members are peers and it does not matter which Skupper opened the network port and which connected to it.
The console terminals in this demo are run by the same user on the same host. This makes the token file in the ${HOME} directory available to both terminals. If your terminals are on different machines then you may need to use 
scp
 or a similar tool to transfer the token file to the system hosting the 
laptop
 terminal.

Generate a Skupper network connection token

Namespace 
aws-eu-west
:
skupper connection-token ${HOME}/PVT-to-PUB-connection-token.yaml

Open a Skupper connection

Namespace 
laptop
:
skupper connect ${HOME}/PVT-to-PUB-connection-token.yaml

Check the connection

Namespace 
aws-eu-west
:
$ skupper status
Skupper enabled for "aws-eu-west". It is connected to 1 other sites.
Namespace 
laptop
:
$ skupper status
Skupper enabled for "laptop". It is connected to 1 other sites.

Step 6: Virtualize the services you want shared

You now have a Skupper network capable of multi-cluster communication but no services are associated with it. This step uses the 
kubectl annotate
 command to notify Skupper that a service is to be included in the Skupper network.
Skupper uses the annotation as the indication that a service must be virtualized. The service that receives the annotation is the physical target for network requests and the proxies that Skupper deploys in other namespaces are the virtual targets for network requests. The Skupper infrastructure then routes requests between the virtual services and the target service.
Namespace 
aws-eu-west
:
$ kubectl annotate service ratings skupper.io/proxy=http
service/ratings annotated
Namespace 
laptop
:
$ kubectl annotate service details skupper.io/proxy=http
service/details annotated

$ kubectl annotate service reviews skupper.io/proxy=http
service/reviews annotated
Skupper is now making the annotated services available to every namespace in the Skupper network. The Bookinfo application will work as the productpage service on the public cluster has access to the details and reviews services on the private cluster and as the reviews service on the private cluster has access to the ratings service on the public cluster.

Step 7: Observe that the application works

The web address for the Bookinfo app can be discovered from namespace 
aws-eu-west
:
$ echo $(kubectl get service/productpage -o jsonpath='http://{.status.loadBalancer.ingress[0].hostname}:9080')
Open the address in a web browser. The application should now work with no errors.

Clean up

Skupper and the Bookinfo services may be removed from the clusters.
Namespace 
aws-eu-west
:
skupper delete
kubectl delete -f public-cloud.yaml
Namespace 
laptop
:
skupper delete
kubectl delete -f private-cloud.yaml

Final Thoughts

Enabling a multi-cloud approach has a lot of benefits and is getting easier, thanks to tools like Skupper. If you have time, try some of  Skupper's other examples on its Github Repo. I hope you learned something from this post. Stay tuned for more!
About the author - Sudip is a Solution Architect with more than 15 years of working experience, and is the founder of Javelynn. He likes sharing his knowledge through writing, and while he is not doing that, he must be fishing or playing chess.
Previously posted at https://appfleet.com/.