How to manage MSE multi-cluster gateways - Container Service for Kubernetes

This topic describes how to enable and disable multi-cluster gateways on an ACK One Fleet instance and how to add associated clusters to a multi-cluster gateway.

Billing

You are charged for using multi-cluster gateways. For more information about the billing of multi-cluster gateways, see Billing overview of common instances.

Prerequisites

Microservices Engine (MSE) cloud-native gateway authorization is complete.

The AliyunAdcpManagedMseRolePolicy policy is attached to the AliyunAdcpManagedMseRole Resource Access Management (RAM) role. The following code block shows the policy document of AliyunAdcpManagedMseRolePolicy.

Policy document of AliyunAdcpManagedMseRolePolicy

{
    "Statement": [
        {
            "Action": [
                "mse:AddBlackWhiteList",
                "mse:AddGateway",
                "mse:AddServiceSource",
                "mse:CreateApplication",
                "mse:DeleteGateway",
                "mse:DeleteServiceSource",
                "mse:GetBlackWhiteList",
                "mse:GetGateway",
                "mse:GetGatewayDetail",
                "mse:GetGatewayOption",
                "mse:ListServiceSource",
                "mse:ListTagResources",
                "mse:ModifyLosslessRule",
                "mse:TagResources",
                "mse:UntagResources",
                "mse:UpdateBlackWhiteList",
                "mse:UpdateGatewayOption",
                "mse:UpdateServiceSource"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "log:CloseProductDataCollection",
                "log:OpenProductDataCollection",
                "log:GetProductDataCollection"
            ],
            "Resource": [
                "acs:mse:*:*:instance/*",
                "acs:log:*:*:project/*/logstore/mse_*"
            ],
            "Effect": "Allow"
        },
        {
            "Action": "ram:CreateServiceLinkedRole",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": [
                        "audit.log.aliyuncs.com"
                    ]
                }
            },
            "Effect": "Allow"
        }
    ],
    "Version": "1"
}

The Fleet management feature is enabled, and the kubeconfig file of the Fleet instance is obtained from the ACK One console and a kubectl client is connected to the Fleet instance.
Associated clusters are added. The associated clusters and the ACK One Fleet instance are deployed in the same VPC.
(Optional) The latest version of Cloud Assistant CLI is installed and configured.

Enable the multi-cluster gateway feature

Console

Log on to the ACK One console. In the left-side navigation pane, choose Fleet > Multi-cluster Gateways.
On the Multi-cluster Gateway page, click the Create Multi-cluster Gateway drop-down list, and then click Enable MSE Multi-cluster Gateway. In the dialog box that appears, click OK.

Command line

Make sure that Cloud Assistant CLI is up-to-date and run the following command to enable the multi-cluster gateway feature.
Replace <YOUR_FLEET_CLUSTERID> with the ID of your Fleet instance.
```
aliyun adcp UpdateHubClusterFeature --ClusterId <YOUR_FLEET_CLUSTERID> --GatewayEnabled true
```

Run the following command to check whether the multi-cluster gateway feature is enabled:

aliyun adcp DescribeHubClusterDetails --ClusterId <YOUR_FLEET_CLUSTERID> |grep -B4 -A1 EnabledMSE`

Expected output: If the value of the Status parameter is True, the multi-cluster gateway feature is enabled.

			{
				"Message": "",
				"Reason": "",
				"Status": "True",
				"Type": "EnabledMSE"
			},

Create a multi-cluster gateway

Console

Log on to the ACK One console. In the left-side navigation pane, choose Fleet > Multi-cluster Gateways.
In the upper-right corner of the Multi-cluster Gateway page, click the Create Multi-cluster Gateway drop-down list, and then click MSE Multi-cluster Gateway.
In the panel that appears, modify the YAML file that is used to create the multi-cluster gateway as needed and click Create.

Command line

Obtain and record the virtual switch ID of the ACK One Fleet instance.
1. Run the following command to query the vSwitch ID:
```
aliyun adcp DescribeHubClusterDetails --ClusterId <YOUR_FLEET_CLUSTERID>
```
1. Record the vSwitch ID in the VSwitches field of the output.

Create a file named mseingressconfig.yaml and add the following content to the file.

Replace ${vsw-id1} with the vSwitch ID that you recorded. You can add an annotation to the gateway configuration file to specify the associated clusters that you want to add to the gateway.

apiVersion: mse.alibabacloud.com/v1alpha1
kind: MseIngressConfig
metadata:
  name: ackone-gateway
  # Connect associated clusters to the MSE gateway.
  #annotations:
  #  mse.alibabacloud.com/remote-clusters: ${cluster1},${cluster2}
spec:
  common:
    instance:
      replicas: 3
      spec: 2c4g
    network:
      # You can configure both an Internet-facing SLB and an internal-facing SLB. If no SLB instance is specified, an Internet-facing SLB is used by default.
      #publicSLBSpec: slb.s2.small
      #privateSLBSpec: slb.s2.small
      vSwitches:
      - ${vsw-id1}
  ingress:
    local:
      ingressClass: mse
  name: mse-ingress

Run the following command to create a gateway named mse-ingress on the ACK One Fleet instance:
```
kubectl apply -f mseingressconfig.yaml
```
Run the following command to check whether the gateway is created:
```
kubectl get mseingressconfig ackone-gateway
```
Expected output:
```
NAME             STATUS      AGE
ackone-gateway   Listening   3m15s
```
The output indicates that the gateway is in the Listening state. This means that the cloud-native gateway is created and running. The gateway listens on Ingresses whose IngressClasses are mse.
The status of a gateway created from an MseIngressConfig changes in the following order: Pending, Running, and Listening. State description:
- Pending: The cloud-native gateway is being created. This process may take about 3 minutes.
- Running: The cloud-native gateway is created and running.
- Listening: The cloud-native gateway is running and listens on Ingresses.
- Failed: The cloud-native gateway is in an abnormal state. You can check the message in the Status field to identify the cause.

Add or remove associated clusters

Console

Log on to the ACK One console. In the left-side navigation pane, choose Fleet > Multi-cluster Gateways.
In the upper part of the Multi-cluster Gateway page, select the multi-cluster gateway that you want to manage from the drop-down list, and then click Edit in the upper-right corner.
In the panel that appears, edit the YAML content. Modify the cluster IDs in the annotations parameter and click Update.
Sample code:
```
annotations:
  mse.alibabacloud.com/remote-clusters: ${cluster1-id},${cluster2-id}
```
- ${cluster1-id} and ${cluster2-id} are the IDs of the associated clusters. Separate multiple cluster IDs with commas (,). You can modify the cluster IDs to add or remove associated clusters.
- If you do not associate any clusters when you create a multi-cluster gateway, the YAML content does not include the annotations parameter. Therefore, to add associated clusters, you must add the preceding example to the metadata object in the YAML content, and then add or modify the cluster IDs.

Command line

You can modify the corresponding annotation in the mseingressconfig object of the ACK One Fleet instance to add or remove associated clusters. Replace ${cluster1-id} and ${cluster2-id} with the IDs of the associated clusters. Separate multiple cluster IDs with commas (,).
```
annotations:
  mse.alibabacloud.com/remote-clusters: ${cluster1-id},${cluster2-id}
```
If you do not associate any clusters when you create a multi-cluster gateway, the YAML content does not include the annotations parameter. Therefore, to add associated clusters, you must add the preceding example to the metadata object in the YAML content, and then add or modify the cluster IDs.
Run the following command to check whether the associated clusters are added to the multi-cluster gateway:
```
kubectl get mseingressconfig ackone-gateway -ojsonpath="{.status.remoteClusters}"
```
Expected output:
```
[{"clusterId":"c7fb82****"},{"clusterId":"cd3007****"}]
```
The output indicates the IDs of the associated clusters and that no failure message is returned. This means that the associated clusters are added to the multi-cluster gateway.
Run the following command to query the associated clusters that are added to the multi-cluster gateway:
```
kubectl get mseingressconfig ackone-gateway
```
Run the following command to add more associated clusters or remove associated clusters.
mse.alibabacloud.com/remote-clusters=${cluster1},${cluster2} indicates the associated clusters that you want to add to the multi-cluster gateway.
```
kubectl annotate mseingressconfig ackone-gateway mse.alibabacloud.com/remote-clusters=${cluster1},${cluster2} --overwrite=true
```

Disable the multi-cluster gateway feature

Important

Deleting multi-cluster gateways can adversely affect your businesses. Proceed with caution.
If you no longer need multi-cluster gateways, you can delete the multi-cluster gateways and then disable the multi-cluster gateway feature to avoid wasting resources.

Console

Log on to the ACK One console. In the left-side navigation pane, choose Fleet > Multi-cluster Gateways.
On the Multi-cluster Gateway page, select MSE from the Gateway Type drop-down list, select the multi-cluster gateway that you want to delete from the Select Gateway Instance drop-down list, and then click Delete in the upper-right corner.
In the dialog box that appears, enter the name of the multi-cluster gateway that you want to delete and click Delete.
Confirm that all multi-cluster gateways within the ACK One Fleet instance are deleted, and then click Disable MSE Gateway in the upper-right corner of the page. In the message that appears, click OK.

Command line

Run the following command to delete a multi-cluster gateway:
```
kubectl delete mseingressconfig ackone-gateway
```

Run the following command to disable the multi-cluster gateway feature:

aliyun adcp UpdateHubClusterFeature --ClusterId <YOUR_FLEET_CLUSTERID> --GatewayEnabled false