From f0c5ffb013e85f8c0f3d517b4c65fa8a35c9a294 Mon Sep 17 00:00:00 2001 From: Nick Fox Date: Fri, 12 Jan 2024 12:36:48 -0600 Subject: [PATCH] Add docs for specifying inaccessible clusters (#744) --- .../en/docs/Configuration/multi-cluster.md | 34 +++++++++++++++++++ 1 file changed, 34 insertions(+) diff --git a/content/en/docs/Configuration/multi-cluster.md b/content/en/docs/Configuration/multi-cluster.md index 0f81d5db..9489c07f 100644 --- a/content/en/docs/Configuration/multi-cluster.md +++ b/content/en/docs/Configuration/multi-cluster.md 
@@ -19,6 +19,10 @@ Before proceeding with the setup, ensure you meet the requirements. The unified Kiali multi-cluster setup requires the Kiali Service Account (SA) to have read access to each Kubernetes cluster in the mesh. This is separate from the user credentials that are required when a user logs into Kiali. The user credentials are used to check user access to a namespace and to perform write operations. In anonymous mode, the Kiali SA is used for all operations and write access is also required. To give the Kiali SA access to each remote cluster, a kubeconfig with credentials needs to be created and mounted into the Kiali pod. While the location of Kiali in relation to the controlplane and dataplane may change depending on your istio deployment model, the requirements will remain the same. +{{% alert color="info" %}} +If you would like to keep a separate Kiali per cluster and do not want to give Kiali access to remote clusters, you can still manually specify the remote cluster and remote Kiali URLs in the Kiali configuration and the UI will try to provide links to the external Kiali where appropriate. See [below](#adding-an-inaccessible-cluster) for more details. +{{% /alert %}} + 1. **Create a remote cluster secret.** In order to access a remote cluster, you must provide a kubeconfig to Kiali via a Kubernetes secret. You can use [this script](https://github.com/kiali/kiali/blob/master/hack/istio/multicluster/kiali-prepare-remote-cluster.sh) to simplify this process for you. Running this script will: - Create a Kiali Service Account in the remote cluster. 
@@ -81,3 +85,33 @@ That's it! From here you can login to Kiali and manage your mesh across both clu To remove a cluster from Kiali, you must delete the associated remote cluster secret. If you originally created the remote cluster secret via the [kiali-prepare-remote-cluster.sh script](https://github.com/kiali/kiali/blob/master/hack/istio/multicluster/kiali-prepare-remote-cluster.sh), run that script again with the same command line options as before but also pass in the command line option `--delete true`. After the remote cluster secret has been removed, you must then tell the Kiali Operator to re-deploy the Kiali Server so the Kiali Server no longer attempts to access the now-deleted remote cluster secret. If you are using [auto-discovery](/docs/configuration/kialis.kiali.io/#.spec.kiali_feature_flags.clustering.autodetect_secrets), you can tell the Kiali Operator to do this by touching the Kiali CR. The easiest way to do this is to simply add or modify any annotation on the Kiali CR. It is recommended that you use the `kiali.io/reconcile` annotation as described [here](/docs/installation/installation-guide/creating-updating-kiali-cr). If you did not rely on auto-discovery but instead [explicitly specified each remote cluster secret](/docs/configuration/kialis.kiali.io/#.spec.kiali_feature_flags.clustering.clusters) in the Kiali CR, then you simply have to remove the now-deleted remote cluster secret's information from the Kiali CR's `kiali_feature_flags.clustering.clusters` section. + +### Adding an Inaccessible Cluster + +In situations where Kiali does not have access to remote clusters, you can manually specify the remote cluster info along with any external Kialis running on the remote clusters and Kiali will try to provide links to these in the UI. 
For example, if there is a Kiali on the `east` cluster that does not have access to the `west` cluster and a Kiali on the `west` cluster that does not have access to the `east` cluster, you can add the following to your Kiali configurations to have each Kiali generate links to the external Kiali for that cluster. + +East Kiali configuration + +``` +clustering: + clusters: + name: west + kiali_urls: + cluster_name: west + instance_name: kiali + namespace: istio-system + url: https://kiali-external.west.example.com +``` + +West Kiali configuration + +``` +clustering: + clusters: + name: east + kiali_urls: + cluster_name: east + instance_name: kiali + namespace: istio-system + url: https://kiali-external.east.example.com +```
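Review bot: in the first hunk (`@@ -19,6 +19,10 @@`) the alert says readers can "manually specify the remote cluster and remote Kiali URLs" without naming the settings, and the link text "below" says nothing about its target. Suggest naming the `clustering.clusters` and `clustering.kiali_urls` keys that the new section uses, and linking with the section title, e.g. `[Adding an Inaccessible Cluster](#adding-an-inaccessible-cluster)`. The surrounding paragraph is about granting the Kiali SA read access through a mounted kubeconfig, so the alert should also state explicitly whether this alternative needs any remote cluster secret at all.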
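Review bot: in the second hunk (`@@ -81,3 +85,33 @@`) both examples start at `clustering:`, while the paragraph just above the new heading refers to the same setting as `kiali_feature_flags.clustering.clusters` in the Kiali CR; show the full path so readers know where the block belongs. As the text appears here, the entries under `clusters:` and `kiali_urls:` carry no `- ` list marker; if these keys take lists, as their plural names suggest, the samples need `- name: west` and `- cluster_name: west` (and likewise for `east`). The fences are untagged (suggest `yaml`), and the section only says Kiali "will try to provide links", so a sentence on whether users must log in separately to the external Kiali behind `url` would close the gap.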