...
- If creating one EAA for every tenant (logical cluster): micro-services on different edge clouds which are kubernetes clusters should be able to communicate with each other by registering the services to the EAA and consuming the services from the EAA on different edge clouds. For example, : μs2 is stateful and needs to communicate with other μs2 on different edge clouds to synchronize the states.
- If creating one EAA for every kubernetes cluster: Docker image for EAA is signed by the root CA of the kubernetes cluster where EAA will be deployed as below:
https://github.com/open-ness/edgenode/blob/master/docker-compose.yml#L77
This will cause the certs of EAAs on different edge clouds to be on different certificate chains because different EAAs’ certs are signed by different kubernetes clusters’ root CAs. What’s more, producing application and consuming application will get certs from EAA and those certs are signed by EAA’s cert. And this will cause the producing application and consuming application on different edge cloud can’t communicate with each other because their certs are on different certificate chains. To solve this issue, the certs of EAAs should be signed by the same orchestrator. For example, ICN DCM(Distributed Cloud Manager) can take this role:
https://wiki.onap.org/pages/viewpage.action?pageId=76875956
And EAA should support mounting the certs when it will be deployed and not mount the certs during building docker image.