From YouTube: Multi-Cluster Service Mesh Federated Trust and Identity
Description
Service Mesh Hub (SMH) is a control plane for multi-cluster service mesh environments. This video shows how SMH federates trust and identity across multiple clusters grouped together in a single, logical virtual mesh.
Questions? https://slack.solo.io
Learn more https://www.solo.io/products/service-mesh-hub/
DM us on Slack to request a workshop or demo.
A
A
So some of the challenges that you need to federate trust and identity. You need to allow communication between the clusters. You need to use different service mesh technology in general, I mean, you can have like Istio locally and App Mesh in AWS, for example. You need also to manage the access control in a simpler way.
A
You need to think about, like, the disaster recovery strategy, and all of the above is very, very complex. So we are going to start this series with the federated trust and identity, and we'll take the example of Istio, and we'll start by looking at the different models you have when you want to use multiple clusters: one that's called the shared control plane model, where you have only one control plane and you need a flat network between your two clusters.
A
A
You really have two independent Istio clusters, but you use some of the Istio objects to allow communication between them, and what you need as well is this federation of identity, trust, and that's where we are going to focus in this presentation. And to simplify that, we have launched this project at solo.io, which is called Service Mesh Hub, and the idea is really to allow you to simplify the way you deploy multiple meshes across multiple environments.
A
That's why I use a different diagram here. You see there is no mention of Istio; it's really about having different meshes and using edge gateways to allow microservices from one mesh to communicate with microservices on the other mesh. And obviously, in the case of Istio, we have this Istio ingress gateway, and that is this edge gateway.
A
We also have an option to use our own gateway, that's called Gloo, but the idea really with the Service Mesh Hub is to allow you to manage multiple meshes and unify the trust and allow communication across the mesh with multiple mesh technologies. So we started with Istio, App Mesh is around the corner, and others are coming, and the idea is that this Service Mesh Hub really simplifies your life. It just, like, makes a discovery of the different microservices and different meshes automatic.
A
It allows you to simplify the way you manage access controls and the way you unify the identity and all these things. So we will focus on the identity again in this one, but in the next talk we will speak about the other part of what you need.
A
So let's go and jump directly in the demo here, so I've prepared. So basically, what I'm going to do is that it's part of a workshop that we are going to deliver soon. The first workshops will be in September in both U.S. and Europe time zones, so you'll be able to register in the one that makes more sense for you. But what I did here is that I use this environment where you have like three Kubernetes clusters, one where we will just deploy Service Mesh Hub.
A
A
So what I did already: I deployed like Kubernetes clusters. I deployed the Service Mesh Hub on one cluster and I used this meshctl command just to register my two other clusters, so that Service Mesh Hub knows about them, and then I deployed Istio in the standard way on both sides using the Istio operator, so nothing special in the way I deployed it.
A
And finally, I deployed the famous Bookinfo demo app. So now what I'm going to do is that I'm going to look at the current identity of these two meshes. So if I... So remember, kind 2 is my first cluster and kind 3 is my second cluster. So here I'm going to send a request from the reviews microservice on this cluster to the rating microservice on the same cluster, and I'm going to look at what I get, so here.
A
A
So just going to do that quickly, and if I call the same command here, then it will be more interesting because I'll be able to see that the certificates here, the certificate chain, with this cluster.local organization, which is the default one.
A
A
So what we do in our case is that we have this CRD that's called virtual mesh, where we just simply say that we want to create a virtual mesh based on the two meshes we have today, like kind 2 and kind 3, and we want also like this auto restart pods, makes your life easier, because, basically, when you have this new identity, you need to restart multiple Istio components so that they will start to use the new certificates.
A
A
You know there is like a certificate that will be spread across the two clusters, so you'll be able to get it on the two clusters, and at that time you know that most of the things have already happened, but we'll also be able to take a look at the service that will restart and things like that. So let me check that here. So for them, and nothing is restarting because the certificates are not delivered yet. You see it's there on kind 2. Should probably be there on kind 3 as well.
A
Yes, and now, if I look at the services on kind 2, you start to see that the different pods are restarted, so that the.
A
A
But we can already try, like, the communication between the review and the rating because they already restarted. Now, if I try to look at kind 2 here, I see there's like this service mesh organization, and I see it finished by b q a w, and if I do the same with your site, yeah, I see the same here, so you see that now we have like a unified identity.
A
So, as I said, we just covered that part and we will cover many other topics in the next videos, and also just wanted to highlight a little bit of our portfolio at solo.io.
A
We have this WebAssembly project that we are working on to be able to create easily assembly filters for Envoy when this will become stable in Envoy, and you'll be able to apply these filters on Gloo, because it's Envoy-based, but also on Istio itself. And we also have this developer portal that you can use in both cases, both for Gloo or for Istio. That allows you to simplify the way your users can interact with your APIs.