In-cluster service communication between subsystems

Key points and limitations of in-cluster inter-subsystem communication.

  • In-cluster communication is only possible between subsystems that are in the same cluster.
  • In-cluster communication cannot be used in two data center disaster recovery deployments; see Two data center deployment strategy on Kubernetes and OpenShift.
  • If you are upgrading from a pre-10.0.5.3 release, all existing subsystems continue to use external communication. If you want upgraded subsystems to use in-cluster communication, you must reregister them.
  • If you are adding new subsystems to an upgraded deployment you can set the subsystems to use in-cluster communication, but you must use different certificates and secrets for the subsystem endpoints. The default certificate and secret names for the subsystem endpoints are:
    • Analytics: ai-endpoint.
    • Portal: portal-admin.
    • Gateway: gwv6-manager-endpoint or gw-gateway-manager.
    Do not use these same certificate and secret names if your additional subsystems are in the same namespace.
  • After a portal, gateway, or analytics subsystem is registered with the management subsystem, to change the communication mechanism you must reregister the subsystem. For more information on this procedure, see:
    Important: Backups of the management subsystem cannot be restored if the communication type of any registered subsystem is changed after the backup was taken. Do not change the communication type of any of your subsystems if you might want to restore your management subsystem from a previous backup.
  • If you customize any TLS certificates used for inter-subsystem communication, then to use in-cluster communication the certificates must include the in-cluster service hostnames as DNS entries in the Subject Alternative Name (SAN) extension, for example:
    X509v3 Subject Alternative Name: critical
        DNS: ptladmin.mydomain.com, DNS: portal.apic.svc, DNS: portal.apic.svc.cluster.local
  • On Cloud Pak for Integration, all subsystems are registered automatically during deployment with external communication specified.
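As an added example (not part of this documentation or of the product), the following Python script parses the SAN section as printed by openssl x509 -text and reports which in-cluster service names a custom certificate is missing before it is used for in-cluster communication. It assumes the service and namespace naming from the example above (service portal in namespace apic) and the default cluster domain cluster.local; the wildcard handling generalizes the check to certificates that use a single-label wildcard in the SAN.

```python
import re

# Constructed sample: the SAN section as shown on this page, copied from
# "openssl x509 -noout -text" output. ptladmin.mydomain.com is a placeholder.
SAMPLE_SAN_TEXT = """\
X509v3 Subject Alternative Name: critical
    DNS: ptladmin.mydomain.com, DNS: portal.apic.svc, DNS: portal.apic.svc.cluster.local
"""


def parse_san_dns_names(openssl_text):
    """Return the DNS names from the SAN extension of openssl -text output.

    openssl prints the entries on the line after the extension header as
    "DNS:a, DNS:b, ..."; a space after the colon (as on this page) is tolerated.
    """
    names = []
    lines = openssl_text.splitlines()
    for i, line in enumerate(lines):
        if "Subject Alternative Name" in line and i + 1 < len(lines):
            for entry in lines[i + 1].split(","):
                entry = entry.strip()
                if entry.upper().startswith("DNS:"):
                    names.append(entry[4:].strip().lower())
    return names


def san_matches(pattern, hostname):
    """RFC 6125-style match: a wildcard covers exactly one leftmost label."""
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".apic.svc"
        if not hostname.endswith(suffix):
            return False
        head = hostname[: -len(suffix)]
        return head != "" and "." not in head
    return pattern == hostname


def required_in_cluster_names(service, namespace, cluster_domain="cluster.local"):
    """Both forms of the Kubernetes service hostname must be covered."""
    return [f"{service}.{namespace}.svc",
            f"{service}.{namespace}.svc.{cluster_domain}"]


def check_in_cluster_san(openssl_text, service, namespace, cluster_domain="cluster.local"):
    """Return the required in-cluster names that the certificate does NOT cover."""
    present = parse_san_dns_names(openssl_text)
    return [name for name in required_in_cluster_names(service, namespace, cluster_domain)
            if not any(san_matches(p, name) for p in present)]


if __name__ == "__main__":
    print("missing for portal:", check_in_cluster_san(SAMPLE_SAN_TEXT, "portal", "apic"))
```

Run it against `openssl x509 -noout -text -in <cert.pem>` output for each subsystem endpoint certificate; an empty list means the certificate satisfies the in-cluster SAN requirement for that service.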