Once Liqo is installed in your cluster, you can start discovering new peers. Specifically, you can rely on three different methods to discover other clusters:
Depending of your environment, you only have to decide the proper discovery method. They are detailed below:
Automatic discovery of neighboring clusters available in the same LAN. It looks similar to the automatic discovery of Wi-Fi hotspots, and it is particularly suitable when your cluster has a single node (e.g., in a combination with K3s). Liqo can automatically discover any available clusters running on the same L2 Broadcast Domain. Besides, mDNS discovery implies also that your cluster is discoverable by others.
The discovery on LAN can be enabled and disabled by updating the flags in the ClusterConfig CR. Lan Discovery can be disabled to avoid unwanted peering with neighbors.
You can enable discovery, by typing:
kubectl patch clusterconfigs liqo-configuration \
--patch '{"spec":{"discoveryConfig":{"enableDiscovery": true, "enableAdvertisement": true}}}' \
--type 'merge'
Or disabling it with:
kubectl patch clusterconfigs liqo-configuration \
--patch '{"spec":{"discoveryConfig":{"enableDiscovery": false, "enableAdvertisement": false}}}' \
--type 'merge'
The automatic LAN discovery is enabled by default.
In Liqo, remote clusters are defined as ForeignClusters
: each time a new ForeignCluster
resource is added in a Liqo
cluster, it is possible to peer with it.
A ForeignCluster
resource needs the authentication service URL and the port to be set: it is the backend of the
authentication server (mandatory to peer with another cluster).
The address is or the hostname or the IP address where it is reachable.
If you specified a name during the installation, it is reachable through an Ingress (you can get it with kubectl get ingress -n liqo
), if an ingress is not configured, the other cluster is exposed with a NodePort Service, you can get
one if the IPs of your cluster’s nodes (kubectl get nodes -o wide
).
The port where the remote cluster’s auth service is reachable, if you are
using an Ingress, it should be 443
by default. Otherwise, if you are using a NodePort Service you
can get the port executing kubectl get service -n liqo liqo-auth
, an output example could be:
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
liqo-auth NodePort 10.81.20.99 <none> 443:30740/TCP 2m7s
An example of ForeignCluster
resource can be:
apiVersion: discovery.liqo.io/v1alpha1
kind: ForeignCluster
metadata:
name: my-cluster
spec:
join: true # optional (defaults to false)
authUrl: "https://<ADDRESS>:<PORT>"
When you create the ForeignCluster, the Liqo control plane will contact the authURL
(i.e. the public URL of a cluster
authentication server) to retrieve all the required cluster information.
You can get the cluster configurations exposed by the Auth Service endpoint of the other cluster. This allows retrieving the information necessary to peer with the remote cluster.
curl --insecure https://<ADDRESS>:<PORT>/ids
{"clusterId":"0558de48-097b-4b7d-ba04-6bd2a0f9d24f","clusterName":"LiqoCluster0692","guestNamespace":"liqo"}
In addition to LAN discovery and manual configuration, Liqo supports DNS-based discovery: such a mechanism is useful, for instance, when dealing with multiple clusters, which are dynamically spawned and decommissioned. The DNS discovery procedure requires two orthogonal actions to be enabled:
To allow the other clusters to peer with your cluster(s), you need to register a set of DNS records that specify the cluster(s) available in your domain, with the different parameters required to establish the connection.
In a scenario where we have to manage multiple clusters’ discovery, it can be useful to manage the entire set updating it in a unique place. We only have to know how the Authentication Service is reachable from the external world.
In the following example, we present a bind9
-like configuration for a hypothetical domain example.com
. It exposes
two Liqo-enabled cluster named liqo-cluster
and liqo-cluster-2
. The first one exposes the Auth Service at
1.2.3.4:443
, while the second at 2.3.4.1:8443
.
example.com. PTR liqo-cluster.example.com.
liqo-cluster-2.example.com.
liqo-cluster.example.com. SRV 0 0 443 auth.server.example.com.
liqo-cluster-2.example.com. SRV 0 0 8443 auth.server-2.example.com.
auth.server.example.com. A 1.2.3.4
auth.server-2.example.com. A 2.3.4.1
Remember to adapt the configuration according to your setup, modifying the urls, ips and ports accordingly.
To leverage the DNS discovery to peer to a remote cluster, it is necessary to specify the remote domain called
SearchDomain
. When a SearchDomain
is configured, Liqo performs periodical queries on specific search domains looking
for new clusters to peer with.
For any SearchDomain
, you need to configure the following parameters:
Using kubectl, it is also possible to perform the following configuration. A SearchDomain
for the example.com
domain, may be look like:
cat << "EOF" | kubectl apply -f
apiVersion: discovery.liqo.io/v1alpha1
kind: SearchDomain
metadata:
name: example.com
spec:
domain: example.com
autojoin: true
EOF
Using kubectl, you can manually obtain the list of discovered foreign clusters by typing:
kubectl get foreignclusters
NAME AGE
ff5aa14a-dd6e-4fd2-80fe-eaecb827cf55 101m