Multicluster tutorial (#681)

* tutorial

* mc tutorial

* fixes

* addressing feedback

* Update content/en/docs/Tutorials/multicluster/04-Install-Istio-east-cluster.md

Co-authored-by: John Mazzitelli <mazz@redhat.com>

* Apply suggestions from code review

Co-authored-by: John Mazzitelli <mazz@redhat.com>

---------

Co-authored-by: John Mazzitelli <mazz@redhat.com>

Author: leandroberetta

content/en/docs/Tutorials/multicluster/01-Introduction.md

@@ -0,0 +1,15 @@
+---
+title: "Introduction"
+description: "Observe the Travels application deployed in multiple clusters with the new capabilities of Kiali."
+weight: 1
+---
+
+So far, we know how good Kiali can be to understand applications, their relationships with itself and also with external applications.
+ 
+In the past, Kiali was installed just to observe one cluster with all the applications that conforms to it. Today, we are expanding its capabilities to also observe more than one cluster. The extra clusters are remotes, meaning that there is not a control plane on them, they only have user applications.
+
+This topology is called [primary-remote](http://istio.io/latest/docs/setup/install/multicluster/primary-remote/) and it is very useful to spread applications into different clusters having just one primary cluster, which is where Istio and Kiali are installed. 
+
+This scenario is a good choice when as an application administrator or architect, you want to give a different set of clusters to different sets of developers and you also want that all these applications belong to the same mesh. This scenario is also very helpful to give applications high availability capabilities while keeping the observability together (we are referring to just applications in terms of high availability, for Istio, we might want to install a multi-primary deployment model, which is on the [roadmap](http://github.com/kiali/kiali/issues/5618) for the multicluster journey for Kiali).
+
+At first, we will install one cluster with Istio, then we will add a new cluster, the remote, and we will join it to the mesh and we will see how Kiali allows us to observe and manage both of them and their applications.

content/en/docs/Tutorials/multicluster/02-Prerequisites.md

@@ -0,0 +1,43 @@
+---
+title: "Prerequisites"
+description: "How to prepare for running the tutorial."
+weight: 2
+---
+
+This tutorial is a walkthrough guide to install everything. For this reason, we will need:
+
+* minikube
+* istioctl
+* helm
+
+This tutorial was tested on:
+
+* Minikube v1.30.1
+* Istio v1.18.1
+* Kiali v1.70
+
+Clusters are provided by minikube instances, but we can choose others instead, like OpenShift or just vanilla Kubernetes installations.
+
+We will set up some environment variables for the following commands:
+
+```
+CLUSTER_EAST="east"
+CLUSTER_WEST="west"
+ISTIO_DIR="absolute-path-to-istio-folder"
+```
+
+As Istio will be installed on more than one cluster and needs to communicate between clusters, we need to create certificates for the Istio installation. We will follow the [Istio documentation related to certificates](http://istio.io/latest/docs/tasks/security/cert-management/plugin-ca-cert/) to achieve this:
+
+```
+mkdir -p certs
+pushd certs
+
+make -f $ISTIO_DIR/tools/certs/Makefile.selfsigned.mk root-ca
+
+make -f $ISTIO_DIR/tools/certs/Makefile.selfsigned.mk $CLUSTER_EAST-cacerts
+make -f $ISTIO_DIR/tools/certs/Makefile.selfsigned.mk $CLUSTER_WEST-cacerts
+
+popd
+```
+
+The result is two certificates for then use when installing Istio in the future.

content/en/docs/Tutorials/multicluster/03-Deploy-east-cluster.md

@@ -0,0 +1,41 @@
+---
+title: "Deploy East cluster"
+description: "Deploy the East cluster which will be the primary cluster"
+weight: 3
+---
+
+Run the following commands to deploy the first cluster:
+
+```
+minikube start -p $CLUSTER_EAST --network istio --memory 8g --cpus 4
+```
+
+For both clusters, we need to configure MetalLB, which is a load balancer. This is because we need to assign an external IP to the required ingress gateways to enable cross cluster communication between Istio and the applications installed.
+
+```
+minikube addons enable metallb -p $CLUSTER_EAST
+```
+
+We set up some environment variables with IP ranges that MetalLB will then assign to the services:
+
+```
+MINIKUBE_IP=$(minikube ip -p $CLUSTER_EAST)
+MINIKUBE_IP_NETWORK=$(echo $MINIKUBE_IP | sed -E 's/([0-9]+\.[0-9]+\.[0-9]+)\.[0-9]+/\1/')
+MINIKUBE_LB_RANGE="${MINIKUBE_IP_NETWORK}.20-${MINIKUBE_IP_NETWORK}.29"
+
+cat <<EOF | kubectl --context $CLUSTER_EAST apply -f -
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  namespace: metallb-system
+  name: config
+data:
+  config: |
+    address-pools:
+    - name: default
+      protocol: layer2
+      addresses: [${MINIKUBE_LB_RANGE}]
+EOF
+```
+
+We should have the first cluster deployed and ready to use.

content/en/docs/Tutorials/multicluster/04-Install-Istio-east-cluster.md

@@ -0,0 +1,64 @@
+---
+title: "Install Istio on East cluster"
+description: "Install Istio on the primary cluster"
+weight: 4
+---
+
+The east cluster is the primary one, consequently is where the istiod process will be installed alongside other applications like Kiali. 
+
+Run the following commands to install Istio:
+
+```
+kubectl create namespace istio-system --context $CLUSTER_EAST
+
+kubectl create secret generic cacerts -n istio-system --context $CLUSTER_EAST \
+      --from-file=certs/$CLUSTER_EAST/ca-cert.pem \
+      --from-file=certs/$CLUSTER_EAST/ca-key.pem \
+      --from-file=certs/$CLUSTER_EAST/root-cert.pem \
+      --from-file=certs/$CLUSTER_EAST/cert-chain.pem
+
+kubectl --context=$CLUSTER_EAST label namespace istio-system topology.istio.io/network=network1
+
+cat <<EOF > $CLUSTER_EAST.yaml
+apiVersion: install.istio.io/v1alpha1
+kind: IstioOperator
+spec:
+  values:
+    global:
+      meshID: mesh1
+      multiCluster:
+        clusterName: $CLUSTER_EAST
+      network: network1
+EOF
+
+istioctl install -y --set values.pilot.env.EXTERNAL_ISTIOD=true --context=$CLUSTER_EAST -f $CLUSTER_EAST.yaml
+```
+
+After the installation, we need to create what we called an “east-west” gateway. It’s an ingress gateway just for the cross cluster configuration as we are opting to use the installation for different networks (this will be the case in the majority of the production scenarios). 
+
+```
+$ISTIO_DIR/samples/multicluster/gen-eastwest-gateway.sh \
+    --mesh mesh1 --cluster $CLUSTER_EAST --network network1 | \
+    istioctl --context=$CLUSTER_EAST install -y -f -
+```
+
+Then, we need to expose the istiod service as well as the applications for the cross cluster communication:
+
+```
+kubectl apply --context=$CLUSTER_EAST -n istio-system -f \
+    $ISTIO_DIR/samples/multicluster/expose-istiod.yaml
+
+kubectl --context=$CLUSTER_EAST apply -n istio-system -f \
+    $ISTIO_DIR/samples/multicluster/expose-services.yaml
+
+export DISCOVERY_ADDRESS=$(kubectl \
+    --context=$CLUSTER_EAST \
+    -n istio-system get svc istio-eastwestgateway \
+    -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
+```
+
+Finally, we need to install Prometheus, which is important and required for Kiali to operate:
+
+```
+kubectl --context $CLUSTER_EAST -n istio-system apply -f $ISTIO_DIR/samples/addons/prometheus.yaml
+```

content/en/docs/Tutorials/multicluster/05-Install-Kiali.md

@@ -0,0 +1,21 @@
+---
+title: "Install Kiali"
+description: "Install Kiali on the primary cluster"
+weight: 5
+---
+
+Run the following command to install Kiali using the Kiali operator:
+
+```
+kubectl config use-context $CLUSTER_EAST
+
+helm upgrade --install --namespace istio-system --set auth.strategy=anonymous --set deployment.logger.log_level=debug --set deployment.ingress.enabled=true --repo http://kiali.org/helm-charts kiali-server kiali-server 
+```
+
+Verify that Kiali is running with the following command:
+
+```
+istioctl dashboard kiali
+```
+
+There are other alternatives to expose Kiali or other Addons in Istio. Check [Remotely Accessing Telemetry Addons for more information](http://istio.io/latest/docs/tasks/observability/gateways/).

content/en/docs/Tutorials/multicluster/06-Install-Travels-east-cluster.md

@@ -0,0 +1,35 @@
+---
+title: "Install Travels on East cluster"
+description: "Install the Travels application just on East cluster"
+weight: 6
+---
+
+Run the following commands to install Travels application on east cluster:
+
+```
+kubectl create namespace travel-agency --context $CLUSTER_EAST
+kubectl create namespace travel-portal --context $CLUSTER_EAST
+kubectl create namespace travel-control --context $CLUSTER_EAST
+
+kubectl label namespace travel-agency istio-injection=enabled --context $CLUSTER_EAST
+kubectl label namespace travel-portal istio-injection=enabled --context $CLUSTER_EAST
+kubectl label namespace travel-control istio-injection=enabled --context $CLUSTER_EAST
+
+kubectl apply -f <(curl -L http://raw.githubusercontent.com/kiali/demos/master/travels/travel_agency.yaml) -n travel-agency --context $CLUSTER_EAST
+kubectl apply -f <(curl -L http://raw.githubusercontent.com/kiali/demos/master/travels/travel_portal.yaml) -n travel-portal --context $CLUSTER_EAST
+kubectl apply -f <(curl -L http://raw.githubusercontent.com/kiali/demos/master/travels/travel_control.yaml) -n travel-control --context $CLUSTER_EAST
+```
+
+After the installation, we can see that the Travels application is running on the east cluster:
+
+![Overview](/images/mc-tutorial/01.png "Overview")
+
+It is important to note that Kiali only observes one istio-system namespace as we did not configure it for multicluster yet.
+
+Go to the Graph page and select the three namespaces related to the Travels demo in the namespace dropdown menu. This shows you the in-cluster traffic:
+
+![Graph](/images/mc-tutorial/02.png "Graph")
+
+So far, we installed everything on one cluster, similarly to the Travels tutorial for a single cluster.
+
+Now we will expand this topology to include a remote cluster. As we commented this situation can be very common in a production scenario, either because we might want to split some applications into different clusters, generally because they are maintained by different developers or for high availability or just making applications available in other zones to reduce latencies.

content/en/docs/Tutorials/multicluster/07-Deploy-west-cluster.md

@@ -0,0 +1,35 @@
+---
+title: "Deploy West cluster"
+description: "Deploy the West cluster which will be the remote cluster"
+weight: 7
+---
+
+Run the following commands to deploy the second cluster:
+
+```
+minikube start -p $CLUSTER_WEST --network istio --memory 8g --cpus 4
+```
+
+Similar to the east cluster, we configure MetalLB:
+
+```
+minikube addons enable metallb -p $CLUSTER_WEST
+
+MINIKUBE_IP=$(minikube ip -p $CLUSTER_WEST)
+MINIKUBE_IP_NETWORK=$(echo $MINIKUBE_IP | sed -E 's/([0-9]+\.[0-9]+\.[0-9]+)\.[0-9]+/\1/')
+MINIKUBE_LB_RANGE="${MINIKUBE_IP_NETWORK}.30-${MINIKUBE_IP_NETWORK}.39"
+
+cat <<EOF | kubectl --context $CLUSTER_WEST apply -f -
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  namespace: metallb-system
+  name: config
+data:
+  config: |
+    address-pools:
+    - name: default
+      protocol: layer2
+      addresses: [${MINIKUBE_LB_RANGE}]
+EOF
+```

content/en/docs/Tutorials/multicluster/08-Install-Istio-west-cluster.md

@@ -0,0 +1,76 @@
+---
+title: "Install Istio on West cluster"
+description: "Install Istio on the remote cluster"
+weight: 8
+---
+
+This installation will be different as this cluster will be a remote. In a remote cluster, it won't be an Istio control plane. Istio will install some resources that allows the primary control plane to configure the workloads in the remote cluster like injecting the sidecars and configuring the low level routing.
+
+```
+kubectl create namespace istio-system --context $CLUSTER_WEST
+
+kubectl create secret generic cacerts -n istio-system --context $CLUSTER_WEST \
+      --from-file=certs/$CLUSTER_WEST/ca-cert.pem \
+      --from-file=certs/$CLUSTER_WEST/ca-key.pem \
+      --from-file=certs/$CLUSTER_WEST/root-cert.pem \
+      --from-file=certs/$CLUSTER_WEST/cert-chain.pem
+
+kubectl --context=$CLUSTER_WEST annotate namespace istio-system topology.istio.io/controlPlaneClusters=$CLUSTER_EAST
+kubectl --context=$CLUSTER_WEST label namespace istio-system topology.istio.io/network=network2
+
+cat <<EOF > $CLUSTER_WEST.yaml
+apiVersion: install.istio.io/v1alpha1
+kind: IstioOperator
+spec:
+  profile: remote
+  values:
+    istiodRemote:
+      injectionPath: /inject/cluster/$CLUSTER_WEST/net/network2
+    global:
+      remotePilotAddress: ${DISCOVERY_ADDRESS}
+EOF
+
+istioctl install -y --context=$CLUSTER_WEST -f $CLUSTER_WEST.yaml
+```
+
+We will also install a Prometheus instance on the remote. We will federate both Prometheus, with the east's one being the place where all metrics will be gathered together:
+
+```
+kubectl apply -f $ISTIO_DIR/samples/addons/prometheus.yaml --context $CLUSTER_WEST
+```
+
+An important step is to create a secret on east cluster allowing it to fetch information of the remote cluster:
+
+```
+istioctl x create-remote-secret \
+    --context=$CLUSTER_WEST \
+    --name=$CLUSTER_WEST | \
+    kubectl apply -f - --context=$CLUSTER_EAST
+```
+
+Finally, we create the east-west gateway
+
+```
+$ISTIO_DIR/samples/multicluster/gen-eastwest-gateway.sh \
+    --mesh mesh1 --cluster $CLUSTER_WEST --network network2 | \
+    istioctl --context=$CLUSTER_WEST install -y -f -
+
+```
+
+## Prometheus federation
+
+An important design decision for Kiali was to decide that it will continue consuming data from one Prometheus instance per all clusters. For this reason, Prometheus needs to be federated, meaning that all the remote’s metrics should be fetched by the main Prometheus.
+
+We will configure east's Prometheus to fetch west's metrics:
+
+```
+kubectl patch svc prometheus -n istio-system --context $CLUSTER_WEST -p "{\"spec\": {\"type\": \"LoadBalancer\"}}"
+
+WEST_PROMETHEUS_ADDRESS=$(kubectl --context=$CLUSTER_WEST -n istio-system get svc prometheus -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
+
+curl -L -o prometheus.yaml http://raw.githubusercontent.com/kiali/kiali/master/hack/istio/multicluster/prometheus.yaml
+
+sed -i "s/WEST_PROMETHEUS_ADDRESS/$WEST_PROMETHEUS_ADDRESS/g" prometheus.yaml
+
+kubectl --context=$CLUSTER_EAST apply -f prometheus.yaml -n istio-system
+```

content/en/docs/Tutorials/multicluster/09-Configure-Kiali.md

@@ -0,0 +1,27 @@
+---
+title: "Configure Kiali for multicluster"
+description: "In this section we will add some configuration for Kiali to start observing the remote cluster."
+weight: 9
+---
+
+We will configure Kiali to access the remote cluster. This will require a secret (similar to the Istio secret) containing the credentials for Kiali to fetch information for the remote cluster:
+
+```
+curl -L -o kiali-prepare-remote-cluster.sh http://raw.githubusercontent.com/kiali/kiali/master/hack/istio/multicluster/kiali-prepare-remote-cluster.sh
+
+chmod +x kiali-prepare-remote-cluster.sh
+
+./kiali-prepare-remote-cluster.sh --kiali-cluster-context $CLUSTER_EAST --remote-cluster-context $CLUSTER_WEST
+```
+
+Finally, upgrade the installation for Kiali to pick up the secret:
+
+```
+kubectl config use-context $CLUSTER_EAST
+
+helm upgrade --install --namespace istio-system --set auth.strategy=anonymous --set deployment.logger.log_level=debug --set deployment.ingress.enabled=true --repo http://kiali.org/helm-charts kiali-server kiali-server 
+```
+
+As result, we can quickly see that a new namespace appear in the Overview, the istio-system namespace from west cluster:
+
+![Kiali MC](/images/mc-tutorial/03.png "Kiali MC")