Forum Discussion
Altocumulusha cis multi cluster Openshift route creation
I like to verify that when creating a route on an Openshift multicluster HA cis environment, the endpoints of a service on the secondary cluster are added to the poolmembers automatically.
First I had the annotation below add:
virtual-server.f5.com/multiClusterServices: |
[
{
"clusterName": "openshift-engineering-02",
"service": "tea-svc",
"namespace": "cafe",
"servicePort": 8080,
"weight": 100
}
]
Creating routes without this annotation still adds the pods of the service with the same name and in the same namespace on the secondary cluster I saw.
Is this annotation not required for a HA cis multi cluster application?
Does HA CIS always add the pods of the secondary cluster as poolmembers if they belong to the same service and namespace as on the primary cluster? And the same if the secondary CIS becomes the active CIS?
What about services on other external clusters? Is the annotation for virtual-server.f5.com/multiClusterServices only required if the service or namespace do not match with the names in the route manifest?
Hey PaulVogt if you see f5-cis-docs/multicluster_user_guides/CIS HA/Active-Active at main · f5devcentral/f5-cis-docs if the second cluster is external and does not have CIS deployed the annotation is then needed as then the second cluster's api will be used to configure this stuff.
From the route from f5-cis-docs/multicluster_user_guides/CIS HA/routes/route-coffee-edge.yaml at main · f5devcentral/f5-cis-docs you see that there are 3 clusters. Cluster 1 and 2 have CIS deployed while cluster 3 does not, so the annotation is used for it as it is external cluster.
apiVersion: route.openshift.io/v1
kind: Route
metadata:
annotations:
virtual-server.f5.com/multiClusterServices: '[{"clusterName": "cluster3", "service":
"coffee-svc", "namespace": "cafeone", "servicePort": 8080 }]'
# you can define either service port or target port in the port value
labels:
f5type: systest
name: cafe-coffee-edge
namespace: cafeone
spec:
host: cafeone.example.com
path: "/coffee"
port:
targetPort: 8080
to:
kind: Service
name: coffee-svc
- Nikoolayy1
MVP
Hey PaulVogt if you see f5-cis-docs/multicluster_user_guides/CIS HA/Active-Active at main · f5devcentral/f5-cis-docs if the second cluster is external and does not have CIS deployed the annotation is then needed as then the second cluster's api will be used to configure this stuff.
From the route from f5-cis-docs/multicluster_user_guides/CIS HA/routes/route-coffee-edge.yaml at main · f5devcentral/f5-cis-docs you see that there are 3 clusters. Cluster 1 and 2 have CIS deployed while cluster 3 does not, so the annotation is used for it as it is external cluster.
apiVersion: route.openshift.io/v1
kind: Route
metadata:
annotations:
virtual-server.f5.com/multiClusterServices: '[{"clusterName": "cluster3", "service":
"coffee-svc", "namespace": "cafeone", "servicePort": 8080 }]'
# you can define either service port or target port in the port value
labels:
f5type: systest
name: cafe-coffee-edge
namespace: cafeone
spec:
host: cafeone.example.com
path: "/coffee"
port:
targetPort: 8080
to:
kind: Service
name: coffee-svc 
PaulVogtThe documentation is not very clear about this. What I have observed is:
Route definitions will only be watched and processed on the cluster with the active CIS. So the cluster with the secondary CIS should have exactly the same route definitions in the namespaces watched by CIS. If not the configuration on the F5 big ip will change if the secondary CIS becomes the active instance.
route definitions on external clusters are not watched and processed by CIS.
In a CIS HA setup in active-active or ratio mode the active CIS will look on the cluster of the passive CIS for service definitions and if it finds service definitions with the same name and in the same namespace, it will add the endpoints as poolmembers to the correct pool on the F5 big ip. But CIS will not look for service definitions on the external clusters.
When using the annotation virtual-server.f5.com/multiClusterServices. the service name, port and namespace do not have to be the same as on the cluster with the active CIS running.
If my observations are correct, my question is answered.