Configuring external client access by using the Mesh console

Use the IBM® Hybrid Cloud Mesh (Mesh) console to connect client applications that run on non-Kubernetes infrastructure to services over the Mesh network segment.

Before you begin

Note:

These instructions use the example of a single-node MicroK8s cluster that is installed on a VM. However, the instructions also apply to multi-node and managed Kubernetes clusters.

For more information about supported Kubernetes distributions, see Supported platforms and software.

Ensure that the following prerequisites are completed:
  1. MicroK8s is installed on a separate VM in the same VPC or local network as the external client. See Getting started with MicroK8s.
  2. MetalLB is installed in the MicroK8s cluster, in the metallb-system namespace.

    MetalLB provides load-balancer services for bare metal and on-premises environments such as VMs running MicroK8s. To enable the MetalLB add-on for MicroK8s, see Enabling MetalLB for MicroK8s. For other Kubernetes distributions, see Installing MetalLB.

    To enable Mesh to manage the necessary MetalLB resources, complete the following steps:
    1. Create a Kubernetes role in the metallb-system namespace that grants permission to manage MetalLB resources such as address pools.
    2. Bind this role to a service account in the namespace on the MicroK8s cluster where you install the Mesh gateway.
    For an example of the configuration commands that you might use, see Example: Granting Mesh access to MetalLB.
  3. A set of IP addresses is reserved on the local network for the primary network interface of the MicroK8s VM.

    For cloud environments, the primary network interface of the VM might need to be configured to accept these IP addresses, which are used to expose services.
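    The two RBAC steps under prerequisite 2 (a Role in metallb-system, bound to the gateway's service account) can be expressed as the following manifests. This is an added example, not the configuration from the Mesh documentation's Example: Granting Mesh access to MetalLB page, and it makes assumptions: the namespace mesh-gateway and the service account mesh-gateway-sa are placeholders for the namespace and account that your gateway actually runs under, the resource names are the metallb.io custom resources (ipaddresspools, l2advertisements) shipped with current MetalLB releases, and the exact verbs and resources that Mesh requires come from the referenced example page.

```yaml
# Added example (not from the Mesh documentation or the MetalLB project).
# Assumptions: "mesh-gateway" and "mesh-gateway-sa" are placeholders for the
# gateway namespace and service account; resource names match the metallb.io
# CRDs in current MetalLB releases; the authoritative verb/resource list is
# on the "Example: Granting Mesh access to MetalLB" page.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: mesh-metallb-manager          # placeholder name
  namespace: metallb-system           # namespaced Role, not a ClusterRole: the
                                      # grant cannot reach other namespaces
rules:
  - apiGroups: ["metallb.io"]
    resources: ["ipaddresspools", "l2advertisements"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: mesh-metallb-manager          # placeholder name
  namespace: metallb-system           # the binding lives where the Role lives
subjects:
  - kind: ServiceAccount
    name: mesh-gateway-sa             # placeholder: service account the gateway runs as
    namespace: mesh-gateway           # placeholder: namespace where the gateway is installed
roleRef:
  kind: Role
  name: mesh-metallb-manager
  apiGroup: rbac.authorization.k8s.io
```

    Apply the manifests with kubectl apply -f, then confirm that the grant is both present and scoped: kubectl auth can-i create ipaddresspools.metallb.io -n metallb-system --as=system:serviceaccount:mesh-gateway:mesh-gateway-sa must return yes, and the same command with any other namespace in place of metallb-system must return no. The binding deliberately uses a namespaced Role rather than a ClusterRole so that the gateway's account can manage address pools only where MetalLB keeps them.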

About this task

An external client is a client application that operates outside of a Kubernetes cluster but can connect to services within a Mesh network segment. External clients can operate in non-Kubernetes environments such as VMs, mainframes, and bare metal servers.

For on-premises environments, the equivalent to a virtual private cloud (VPC) might be, for example, a VLAN or subnet.

Procedure

  1. Register the MicroK8s cluster in Mesh.
    1. Click Deployment environments on the navigation panel in the Mesh console, then click Register environment.
    2. Click the cloud and location of the MicroK8s cluster, then click the Kubernetes environment type.

      For other Kubernetes distributions, click the appropriate environment type.

    3. Click Next.
    4. Enter the cluster details. Click the VPC where the cluster is installed.
    5. Click Register.
  2. Install the Open Horizon agent on the MicroK8s cluster.
    See Installing an Open Horizon agent.

    After the Open Horizon agent is installed, the Service Interconnect edge gateway is automatically registered in Mesh and is shown on the Unmanaged gateways tab on the Gateways page.

  3. Deploy the Service Interconnect edge gateway on the MicroK8s cluster and enable external client access.
    By default, external client access is disabled for the gateway. To enable external client access, specify the following values when you deploy the gateway with the Mesh console:
    1. Select Enabled (LoadBalancer).
    2. Specify the IP addresses that the gateway can assign to services that are exposed at this gateway.
    See Deploying and connecting Service Interconnect edge gateways by using the Mesh console.
  4. Create a Mesh remote connection to connect the gateway on the MicroK8s cluster to the gateway on the cluster where the service is available.
  5. Create a connection policy for each service that you want to expose to external clients.
    Set the namespace to the namespace on the MicroK8s cluster where you deployed the gateway.

    See Creating connection policies by using the Mesh console.

    Assigning an IP address to a service:

    When external client access is enabled and a service is exposed at the gateway by a connection policy, the gateway assigns an available IP address to the service. A service entry point, which is the IP address and port on the local network that external clients use to connect to a service, is created in Mesh automatically.

  6. Update the external client to use the service entry point.
    For example, if DNS is used, update the corresponding DNS record so that it resolves to the service entry point.

What to do next

Use the Topology view to monitor traffic and visualize relationships between the external client and the other Mesh resources in the network segment.

On the Gateway details page, view the service entry points that are assigned to services at the gateway.