Create a link between the two namespaces
1. Use token to link namespaces
To create a link between the two namespaces, you create a token on one of the namespaces, and then use the token to create the link on the other namespace.
- Navigate to the browser tab pointing to the OpenShift Web terminal. Issue the following command:
  skupper -n globex-skupper-{user_name} token create /tmp/skupper.token
  Output:
  Token written to /tmp/skupper.token
- If you want to have a look at the token that was created:
  cat /tmp/skupper.token
  Output:
  apiVersion: v1
  data:
    ca.crt: <certificate data omitted>
    password: Sko2akMzaDdIZDFyUDlCY0dzSlNSbkUx
  kind: Secret
  metadata:
    annotations:
      skupper.io/generated-by: eecb731d-3457-4a05-b5dc-7982bbf91a6b
      skupper.io/site-version: 1.5.2
      skupper.io/url: https://claims-globex-skupper-{user_name}.{openshift_subdomain}:443/9698eead-1a96-11ee-9dad-0a580a83003b
    creationTimestamp: null
    labels:
      skupper.io/type: token-claim
    name: 9698eead-1a96-11ee-9dad-0a580a83003b
  This is actually an OpenShift secret which contains a certificate. This certificate will be used to set up an mTLS (mutual TLS) secured link between the two namespaces.
- The next step is creating the link on the other namespace with the token. In a real-life situation, that probably requires physically transferring the token to the other site. In this lab, you will create the link from the same terminal, but specifying the isolated namespace.
- On the same terminal, create a link using the token:
  skupper -n globex-skupper-db-{user_name} link create /tmp/skupper.token
  Output:
  Site configured to link to https://claims-globex-skupper-{user_name}.{openshift_subdomain}:443/9698eead-1a96-11ee-9dad-0a580a83003b (name=link1)
  Check the status of the link using 'skupper link status'.
- To check the status of the link:
  skupper -n globex-skupper-db-{user_name} link status
  Output:
  Links created from this site:
  Link link1 is connected
  Current links from other sites that are connected:
  There are no connected links
- Finally, you need to expose the database service over the link. This will allow the Globex application to connect to the database as if it was a local service, while in reality the service is a proxy for the real service running in the isolated namespace.
  skupper -n globex-skupper-db-{user_name} expose deployment/globex-db --port 5432
  Output:
  deployment globex-db exposed as globex-db
You have established a secure link between the two namespaces, and exposed the globex-db service in the isolated namespace as a proxy service in the globex-skupper-{user_name} namespace.
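As an added example (not part of the lab or of Skupper), here is a pre-flight check for the token file used in the steps above, aimed at the real-life case where the token is carried to another site. It confirms the file is a token-claim Secret, that its claim URL is HTTPS on a host under a domain you expect, and that the file, which carries a password, is not accessible to group or others. The helper names check_token and field, the host-suffix argument and the sample token values are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: pre-flight check for a Skupper token file before 'link create'.
# check_token and field are hypothetical helpers, not part of the skupper CLI.

# Print the value of the first "key: value" line whose key matches $1.
# Relies on the flat layout shown in the token output above.
field() { awk -v k="$1:" '$1 == k { print $2; exit }' "$2"; }

# check_token FILE HOST_SUFFIX -> prints the claim URL; non-zero on any failure.
check_token() {
    f=$1; suffix=$2
    [ -f "$f" ] || { echo "no such file: $f" >&2; return 2; }
    [ "$(field kind "$f")" = "Secret" ] ||
        { echo "not a Secret" >&2; return 1; }
    [ "$(field skupper.io/type "$f")" = "token-claim" ] ||
        { echo "not a token-claim" >&2; return 1; }
    url=$(field skupper.io/url "$f")
    case $url in
        https://*) ;;
        *) echo "claim URL is not https" >&2; return 1 ;;
    esac
    host=${url#https://}; host=${host%%[:/]*}    # strip scheme, port and path
    case $host in
        *."$suffix") ;;                          # must be a subdomain of suffix
        *) echo "unexpected claim host: $host" >&2; return 1 ;;
    esac
    # The file holds a password: refuse it if group or others have any access.
    [ "$(ls -ld "$f" | cut -c5-10)" = "------" ] ||
        { echo "token file is accessible to group/others" >&2; return 3; }
    printf '%s\n' "$url"
}

# Constructed sample token (values are made up; layout follows the lab output).
sample=$(mktemp)
cat > "$sample" <<'EOF'
apiVersion: v1
data:
  password: Y29uc3RydWN0ZWQ=
kind: Secret
metadata:
  annotations:
    skupper.io/url: https://claims-demo.apps.example.test:443/00000000-0000-0000-0000-000000000000
  labels:
    skupper.io/type: token-claim
EOF
chmod 600 "$sample"
check_token "$sample" apps.example.test && echo "token looks sane"
rm -f "$sample"
```

In this lab the equivalent call would be check_token /tmp/skupper.token {openshift_subdomain}, run before skupper link create.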
There are a couple of ways to verify this:
- In the OpenShift terminal, use oc to get the services deployed in the globex-skupper-{user_name} namespace:
  oc get service -n globex-skupper-{user_name}
  Output:
  NAME                                TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)                      AGE
  globex-db                           ClusterIP   172.30.187.88    <none>        5432/TCP                     114s
  globex-store-app                    ClusterIP   172.30.94.78     <none>        8080/TCP                     6h37m
  globex-web                          ClusterIP   172.30.172.136   <none>        8080/TCP                     6h37m
  skupper                             ClusterIP   172.30.250.157   <none>        8010/TCP,8080/TCP,8081/TCP   81m
  skupper-router                      ClusterIP   172.30.252.101   <none>        55671/TCP,45671/TCP          81m
  skupper-router-local                ClusterIP   172.30.49.91     <none>        5671/TCP                     81m
  workspace207858d3e7d2450b-service   ClusterIP   172.30.2.112     <none>        4444/TCP                     93m
  The globex-db service is the proxy service created by exposing the globex-db deployment in the isolated namespace over the service network.
- You can also check out the globex-db service through the OpenShift console. Navigate to the browser tab pointing to the Developer perspective of the OpenShift console. Make sure to select the globex-skupper-{user_name} namespace from the drop-down box at the top.
  On the left menu, select Project, and in the Inventory list click on Services.
- This opens the list of Service resources in the namespace. Notice the globex-db service.
  The Pod Selector indicates that this service is pointing to the Skupper router pod, which forwards the communication over the secure link to the real database service on the isolated namespace.
- Finally, you can check the {skupper_console_aws}[Service Interconnect console^]. In the Topology section you'll see a graphical representation of the Service Interconnect network.
  The Sites tab shows the connected namespaces, globex-skupper-db-{user_name} and globex-skupper-{user_name}.