How to manage multi-cluster gateways - Container Service for Kubernetes

This topic describes how to enable and disable the multi-cluster gateway feature on a Distributed Cloud Container Platform for Kubernetes (ACK One) Fleet instance. This topic also describes how to connect associated clusters to a multi-cluster gateway.

Billing

Fees are charged when you use multi-cluster gateways. For more information about the billing of multi-cluster gateways, see Billing overview.

Prerequisites

Microservices Engine (MSE) cloud-native gateway authorization is completed.

The AliyunAdcpManagedMseRolePolicy policy is attached to the AliyunAdcpManagedMseRole Resource Access Management (RAM) role. The following code block shows the content of the AliyunAdcpManagedMseRolePolicy policy.

View the content of the AliyunAdcpManagedMseRolePolicy policy

{
    "Statement": [
        {
            "Action": [
                "mse:AddBlackWhiteList",
                "mse:AddGateway",
                "mse:AddServiceSource",
                "mse:CreateApplication",
                "mse:DeleteGateway",
                "mse:DeleteServiceSource",
                "mse:GetBlackWhiteList",
                "mse:GetGateway",
                "mse:GetGatewayDetail",
                "mse:GetGatewayOption",
                "mse:ListServiceSource",
                "mse:ListTagResources",
                "mse:ModifyLosslessRule",
                "mse:TagResources",
                "mse:UntagResources",
                "mse:UpdateBlackWhiteList",
                "mse:UpdateGatewayOption",
                "mse:UpdateServiceSource"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "log:CloseProductDataCollection",
                "log:OpenProductDataCollection",
                "log:GetProductDataCollection"
            ],
            "Resource": [
                "acs:mse:*:*:instance/*",
                "acs:log:*:*:project/*/logstore/mse_*"
            ],
            "Effect": "Allow"
        },
        {
            "Action": "ram:CreateServiceLinkedRole",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": [
                        "audit.log.aliyuncs.com"
                    ]
                }
            },
            "Effect": "Allow"
        }
    ],
    "Version": "1"
}

The Fleet management feature is enabled. The kubeconfig file of the Fleet instance is obtained in the ACK One console and a kubectl client is connected to the Fleet instance.
Associated clusters are added. The associated clusters and the ACK One Fleet instance are deployed in the same virtual private cloud (VPC).
The latest version of Alibaba Cloud CLI is installed and Alibaba Cloud CLI is configured.

Enable the multi-cluster gateway feature

Make sure that Alibaba Cloud CLI is up-to-date and run the following command to enable the multi-cluster gateway feature.
Replace <your_fleet_clusterid> with the ID of your Fleet instance.
```
aliyun adcp UpdateHubClusterFeature --ClusterId <your_fleet_clusterid> --GatewayEnabled true
```

Run the following command to check whether the multi-cluster gateway feature is enabled:

aliyun adcp DescribeHubClusterDetails --ClusterId <your_fleet_clusterid> |grep -B4 -A1 EnabledMSE`

Expected output: If the Status parameter is True, the multi-cluster gateway feature is enabled.

			{
				"Message": "",
				"Reason": "",
				"Status": "True",
				"Type": "EnabledMSE"
			},

Create a multi-cluster gateway

Obtain and record the vSwitch ID of the ACK One Fleet instance.
Use Alibaba Cloud CLI
1. Run the following command to query the vSwitch ID:
```
aliyun adcp DescribeHubClusterDetails --ClusterId <your_fleet_clusterid>
```
2. Record the vSwitch ID in the VSwitches field of the output.
Use the console
1. Log on to the ACK One console. In the left-side navigation pane, choose Fleet > Fleet Information.
2. On the Fleet Information page, click the Basic Information tab. Find vSwitch in the Associated Resources section, and copy the vSwitch ID.

Create a file named mseingressconfig.yaml and add the following content to the file.

Replace ${vsw-id1} with the vSwitch ID that you recorded. You can add an annotation to the gateway configuration file to specify the associated clusters to be connected to the gateway.

apiVersion: mse.alibabacloud.com/v1alpha1
kind: MseIngressConfig
metadata:
  name: ackone-gateway
  # Connect associated clusters to the MSE gateway. 
  #annotations:
  #  mse.alibabacloud.com/remote-clusters: ${cluster1},${cluster2}
spec:
  common:
    instance:
      replicas: 3
      spec: 2c4g
    network:
      # You can configure both an Internet-facing Server load Balancer (SLB) instance and an internal-facing SLB instance. If no SLB instance is specified, an Internet-facing SLB instance is used by default. 
      #publicSLBSpec: slb.s2.small
      #privateSLBSpec: slb.s2.small
      vSwitches:
      - ${vsw-id1}
  ingress:
    local:
      ingressClass: mse
  name: mse-ingress

Run the following command to create a gateway named mse-ingress on the ACK One Fleet instance:
```
kubectl apply -f mseingressconfig.yaml
```
Run the following command to verify that the gateway is created:
```
kubectl get mseingressconfig ackone-gateway
```
Expected output:
```
NAME             STATUS      AGE
ackone-gateway   Listening   3m15s
```
The output indicates that the gateway is in the Listening state. This means that the cloud-native gateway is created and running. The gateway listens on Ingresses whose IngressClasses are mse.
A gateway created from an MseIngressConfig goes through the following states: Pending, Running, and Listening. State description:
- Pending: The cloud-native gateway is being created. It requires about 3 minutes to create the gateway.
- Running: The cloud-native gateway is created and running.
- Listening: The cloud-native gateway is running and listens on Ingresses.
- Failed: The cloud-native gateway is abnormal. You can check the message in the Status field to troubleshoot the issue.

Add or remove associated clusters

You can modify the corresponding annotation in the mseingressconfig of the ACK One Fleet instance to add or remove associated clusters. Replace ${cluster1} and ${cluster2} with the IDs of the associated clusters. Separate multiple cluster IDs with commas (,).
```
annotations:
  mse.alibabacloud.com/remote-clusters: ${cluster1},${cluster2}
```
Run the following command to check whether the associated clusters are connected to the multi-cluster gateway:
```
kubectl get mseingressconfig ackone-gateway -ojsonpath="{.status.remoteClusters}"
```
Expected output:
```
[{"clusterId":"c7fb82****"},{"clusterId":"cd3007****"}]
```
The output indicates the IDs of the associated clusters and no Failed information is returned. This means that the associated clusters are connected to the multi-cluster gateway.
Run the following command to query the associated clusters that are connected to the multi-cluster gateway:
```
kubectl get mseingressconfig ackone-gateway
```
Run the following command to add more associated clusters or remove associated clusters:
Modify the mse.alibabacloud.com/remote-clusters=${cluster1},${cluster2} setting to add or remove associated clusters.
```
kubectl annotate mseingressconfig ackone-gateway mse.alibabacloud.com/remote-clusters=${cluster1},${cluster2} --overwrite=true
```

Disable the multi-cluster gateway feature

Important

Deleting multi-cluster gateways can adversely affect your businesses. Proceed with caution.
When you no longer need multi-cluster gateways, you can delete the multi-cluster gateway and then disable the multi-cluster gateway feature to avoid incurring unexpected fees.

Run the following command to delete the multi-cluster gateway:
```
kubectl delete mseingressconfig ackone-gateway
```

Run the following command to disable the multi-cluster gateway feature:

aliyun adcp UpdateHubClusterFeature --ClusterId <your_fleet_clusterid> --GatewayEnabled false