Deploying Service Interconnect edge gateways with the Mesh console
Deploy your Red Hat® Service Interconnect gateways with the Mesh console.
Prerequisites
- Install the Open Horizon agent. See Installing an Open Horizon agent.
After the Open Horizon agent is installed, the Service Interconnect edge gateway automatically appears on Mesh and moves to the Unmanaged gateways tab on the Gateways page.
- Create a Mesh network segment to support the interconnections between the Service Interconnect edge gateways. Complete these steps:
- On the Network segments page, click Create network segment.
- Enter the network segment name and select an infrastructure group from the list. The Labels and Description fields are optional.
- Click Create.
A success notification is displayed when the network segment is created.
Create a Service Interconnect edge gateway
Complete the following steps in the Mesh console:
- On the Gateways page, click Register gateway.
- Click Service Interconnect edge gateway. Then click Next.
- Click Select network segment. Then choose a network segment or click Create a network segment.
- Click Select a linked agent. Then choose an Open Horizon agent. A default gateway name is provided but you can edit the name.
- Click Select a cluster. Then choose the cluster where you want to deploy the gateway. Click Select.
- Select the infrastructure group. Then click Next.
- In the Gateway configuration section, click Select gateway size. Then choose a compute profile for the gateway. The profile determines the following CPU and memory settings for the gateway:
- The initial CPU and memory resources that are requested for the gateway.
- The maximum CPU and memory resources that the gateway can use.
For more information about the settings, see the Initialise Skupper help document. View the information about the router-cpu, router-memory, router-cpu-limit, and router-memory-limit options.
- Specify the ingress configuration settings.
When the gateway is deployed, these settings are provided as parameters to the Red Hat Service Interconnect site controller on the edge cluster. If you don't specify the ingress settings, the Skupper router selects the appropriate ingress type and other settings that are used.
For more information about the configuration settings, see the Initialise Skupper help document. View the information about the ingress, ingress-host, router-ingress-host, controller-ingress-host, and ingress-annotations options.
- (Optional for gateways on the inbound side of a remote connection) Click Select ingress type. Then choose an ingress type from the list.
This value determines the ingress controller that is used when the gateway is deployed.
If you don't select an ingress type or select Not specified, a default type is assigned automatically when the gateway is deployed. For Red Hat OpenShift® clusters, the OpenShift Route type is assigned. For other Kubernetes clusters, the Load balancer type is assigned.
For gateways that are on the inbound side of a remote connection, an ingress type is required. These gateways receive a connection request and must have permission to allow incoming traffic. If you don't choose an ingress type, a default type is assigned.
For gateways that are on the outbound side, no ingress type is required. You can choose None so that a default ingress type is not assigned when the gateway is deployed.
- In the Ingress host name field, you can specify the host name for the general ingress controller in the Red Hat Service Interconnect installation.
The host name must be a valid domain name, for example, router1.example.com. The host name points to the location where the ingress controller is deployed, such as a load balancer or a specific node on the cluster. The value must be a publicly accessible host name or IP address that can be reached over the network by external clients.
- In the Router ingress host name and Controller ingress host name fields, you can specify the host names for the Red Hat Service Interconnect router and controller.
These fields enable more granular control over how external traffic is routed to services within the Kubernetes cluster. If you don't specify values, these fields default to the Ingress host name value.
- In the Ingress annotations field, you can specify annotations that provide additional information about the ingress resources that are created during the gateway deployment.
Enter a comma-separated list of key-value pairs in this format:
<name1>=<value1>,<name2>=<value2>
For example:
kubernetes.io/ingress.class=traefik,nginx.ingress.kubernetes.io/ssl-passthrough=true
For more information about the format rules, see Syntax and character set in Kubernetes annotations.
- (Optional) Enter a label and a description.
- Click Submit. The deployment of a gateway can take several minutes. You can view the status of the deployment on the Gateways page.
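A pre-submission check for the Ingress annotations and Ingress host name values described above, as an added example that is not part of the Mesh or Skupper documentation. The function names are hypothetical, the key rules follow the Kubernetes annotation syntax (optional DNS-subdomain prefix, name of at most 63 characters), and the console's own validation is not shown on this page.

```python
import ipaddress
import re

# Kubernetes annotation key = [<DNS-subdomain prefix>/]<name>
NAME_RE = re.compile(r"[A-Za-z0-9]([A-Za-z0-9_.-]{0,61}[A-Za-z0-9])?")
LABEL_RE = re.compile(r"[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?")


def is_dns_name(name):
    """True if name is a lowercase RFC 1123 DNS name of at most 253 characters."""
    return 0 < len(name) <= 253 and all(LABEL_RE.fullmatch(l) for l in name.split("."))


def parse_ingress_annotations(text):
    """Parse '<name1>=<value1>,<name2>=<value2>' into a dict; raise ValueError on bad input."""
    annotations = {}
    for pair in text.split(","):
        key, sep, value = pair.strip().partition("=")
        if not sep:
            # Also catches a value that contains a comma, which this format cannot express.
            raise ValueError(f"not a key=value pair: {pair!r}")
        prefix, slash, name = key.rpartition("/")
        if slash and not is_dns_name(prefix):
            raise ValueError(f"invalid annotation prefix: {prefix!r}")
        if not NAME_RE.fullmatch(name):
            raise ValueError(f"invalid annotation name: {name!r}")
        if key in annotations:
            raise ValueError(f"duplicate annotation key: {key!r}")
        annotations[key] = value
    return annotations


def is_valid_ingress_host(host):
    """True if host is an IP address literal or a syntactically valid DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return is_dns_name(host.lower())


if __name__ == "__main__":
    # Sample values taken from the examples on this page.
    print(parse_ingress_annotations(
        "kubernetes.io/ingress.class=traefik,nginx.ingress.kubernetes.io/ssl-passthrough=true"))
    print(is_valid_ingress_host("router1.example.com"))
```

The checks are syntactic only: they do not confirm that the host name resolves or that the ingress controller on the cluster acts on a given annotation.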
Connect two Red Hat Service Interconnect gateways with a remote connection
To connect two Service Interconnect edge gateways, you must create a Mesh remote connection. The remote connection establishes a communication channel between the two gateways. The gateways must be associated with the same network segment.
When you create the remote connection, you must choose the gateway that initiates the connection. When the connection is established, data can flow in either direction between the two gateways.
- Outbound side
- This Service Interconnect edge gateway initiates the connection and must have permission to initiate outbound connections through the firewall. No specific firewall rules are needed to allow incoming traffic (ingress) into the cluster or namespace.
- Inbound side
- This Service Interconnect edge gateway receives the connection request and must have permission to allow incoming traffic. Allowing incoming traffic normally involves setting up firewall and ingress rules within the Red Hat Service Interconnect cluster. The gateway on the inbound side does not initiate the connection with the other gateway.
For example, you might have an application in a cloud environment and an application in an on-prem VMware vSphere environment and you need to connect the two environments. Service Interconnect edge gateways are deployed in both environments. The cloud environment allows inbound and outbound connections. The firewall rules in the on-prem environment allow outbound connections but prevent inbound connections.
When you create the remote connection, you must specify that the on-prem gateway is on the outbound side of the connection. Therefore, the on-prem gateway initiates the connection, which satisfies the firewall rules.
Create the remote connection by completing the following steps:
- On the Gateways page, click one of the Red Hat Service Interconnect gateways that you want to connect.
- In the Remote connections section, click Create connection.
- Choose a direction from the Creation direction list and click Select gateway.
- On the Select connecting gateway page, click the gateway that you want to connect and click Select gateway.
- Choose a link metric value and click Create.
Register a service and a service endpoint
To create the connection policy, you need a service and a service endpoint. If the application is not exposed by a service, complete the following steps to register a service and a service endpoint.
- On the Applications page, click the application for which you want to add a service.
- Click Register service in the Services section.
- Add the service name.
- Click TCP in the Protocol list and enter the port number for the application, for example 8080. Then, click Add to add the port to the service.
- Click Register.
A message is displayed when the service is registered successfully.
- On the Applications page, click the application for which you want to add a service endpoint.
- In the Application deployments section, click the deployment that you want to update.
- Click Register service endpoint in the Service endpoints section.
- In the Select a service list, click the service that you registered in the previous step. If you do not have a specific local IP address, you can enter any valid value in the Local IP field, for example, 127.0.0.1.
- Click Register.
A message is displayed when the service endpoint is registered successfully for the deployment.
Creating a policy from a service to the network segment
Complete these steps to create a policy from a service to the network segment:
- On the Create access policies page, click Create policy.
- Enter the policy name. Select a network segment from the Network Segment list.
- (Optional) Enter a label and a description.
- In the To section, click View all options.
- Select the service to be connected and click Save.
- Click Create.
A success notification is displayed when the policy is created.