From 37a55d689b9c6c06837c4e18362296b635dca051 Mon Sep 17 00:00:00 2001 From: Tao HE <1579288+elfinhe@users.noreply.github.com> Date: Wed, 13 Nov 2019 11:38:45 -0800 Subject: [PATCH] Update multicluster shared-vpn doc (#5645) * Update multicluster shared-vpn doc Update docs for the multicluster installation for Shared control plane (single-network) to make it work with `istioctl manifest`. * Update index.md * Apply suggestions from code review Co-Authored-By: Frank Budinsky --- .../install/multicluster/shared-vpn/index.md | 45 ++++++++++--------- 1 file changed, 24 insertions(+), 21 deletions(-) diff --git a/content/en/docs/setup/install/multicluster/shared-vpn/index.md b/content/en/docs/setup/install/multicluster/shared-vpn/index.md index ecf0186ac8..3583f5e63a 100644 --- a/content/en/docs/setup/install/multicluster/shared-vpn/index.md +++ b/content/en/docs/setup/install/multicluster/shared-vpn/index.md @@ -39,10 +39,8 @@ across the multicluster environment and may not overlap. * All Kubernetes control plane API servers must be routable to each other. -* Helm **2.10 or newer**. The use of Tiller is optional. - This guide describes how to install a multicluster Istio topology using the -manifests and Helm charts provided within the Istio repository. +remote configuration profile provided by Istio. ## Deploy the local control plane 
@@ -74,19 +72,19 @@ perform a manual sidecar injection refer to the [manual sidecar example](#manual You must deploy the `istio-remote` component to each remote Kubernetes cluster. You can install the component in one of two ways: -{{< tabset cookie-name="install-istio-remote" >}} - -{{< tab name="Helm+kubectl" cookie-value="Helm+kubectl" >}} - 1. Use the following command on the remote cluster to install the Istio control plane service endpoints: {{< text bash >}} $ istioctl manifest apply \ --set profile=remote \ + --set values.global.controlPlaneSecurityEnabled=false \ + --set values.global.remotePilotCreateSvcEndpoint=true \ --set values.global.remotePilotAddress=${PILOT_POD_IP} \ --set values.global.remotePolicyAddress=${POLICY_POD_IP} \ - --set values.global.remoteTelemetryAddress=${TELEMETRY_POD_IP} + --set values.global.remoteTelemetryAddress=${TELEMETRY_POD_IP} \ + --set gateways.enabled=false \ + --set autoInjection.enabled=true {{< /text >}} {{< tip >}} @@ -107,10 +105,6 @@ cluster. You can install the component in one of two ways: Repeat for all Kubernetes namespaces that need to setup automatic sidecar injection. -{{< /tab >}} - -{{< /tabset >}} - ### Installation configuration parameters You must configure the remote cluster's sidecars interaction with the Istio 
@@ -240,11 +234,15 @@ filename simply by changing the filename to conform with the format. To uninstall the cluster run the following command: {{< text bash >}} - $ istioctl manifest apply \ + $ istioctl manifest generate \ --set profile=remote \ + --set values.global.controlPlaneSecurityEnabled=false \ + --set values.global.remotePilotCreateSvcEndpoint=true \ --set values.global.remotePilotAddress=${PILOT_POD_IP} \ --set values.global.remotePolicyAddress=${POLICY_POD_IP} \ - --set values.global.remoteTelemetryAddress=${TELEMETRY_POD_IP} | kubectl delete -f - + --set values.global.remoteTelemetryAddress=${TELEMETRY_POD_IP} \ + --set gateways.enabled=false \ + --set autoInjection.enabled=true | kubectl delete -f - {{< /text >}} ## Manual sidecar injection example {#manual-sidecar} @@ -265,10 +263,13 @@ Before you begin, set the endpoint IP environment variables as described in the {{< text bash >}} $ istioctl manifest apply \ --set profile=remote \ + --set values.global.controlPlaneSecurityEnabled=false \ + --set values.global.remotePilotCreateSvcEndpoint=true \ --set values.global.remotePilotAddress=${PILOT_POD_IP} \ --set values.global.remotePolicyAddress=${POLICY_POD_IP} \ --set values.global.remoteTelemetryAddress=${TELEMETRY_POD_IP} \ - --set values.sidecarInjectorWebhook.enabled=false + --set gateways.enabled=false \ + --set autoInjection.enabled=false {{< /text >}} 1. [Generate](#kubeconfig) the `kubeconfig` configuration file for each remote 
@@ -303,7 +304,7 @@ all clusters. The previous procedures provide a simple and step-by-step guide to deploy a multicluster environment. A production environment might require additional steps or more complex deployment options. The procedures gather the endpoint -IPs of the Istio services and use them to invoke Helm. This process creates +IPs of the Istio services and use them to invoke `istioctl`. This process creates Istio services on the remote clusters. As part of creating those services and endpoints in the remote cluster, Kubernetes adds DNS entries to the `kube-dns` configuration object. @@ -326,8 +327,8 @@ section provides a high level overview of these options: Upon any failure or restart of the local Istio control plane, `kube-dns` on the remote clusters must be updated with the correct endpoint mappings for the Istio services. There -are a number of ways this can be done. The most obvious is to rerun the Helm -install in the remote cluster after the Istio services on the control plane +are a number of ways this can be done. The most obvious is to rerun the +`istioctl` command in the remote cluster after the Istio services on the control plane cluster have restarted. ### Use load balance service type @@ -347,7 +348,7 @@ balancer IPs for these Istio services: Currently, the Istio installation doesn't provide an option to specify service types for the Istio services. You can manually specify the service types in the -Istio Helm charts or the Istio manifests. +Istio manifests. ### Expose the Istio services via a gateway @@ -361,7 +362,7 @@ the main cluster in the ingress gateway. This method provides two alternatives: * Re-use the default Istio ingress gateway installed with the provided - manifests or Helm charts. You only need to add the correct destination rules. + manifests. You only need to add the correct destination rules. * Create another Istio ingress gateway specifically for the multicluster. 
@@ -485,7 +486,9 @@ and endpoint to allow the remote sidecars to resolve the --set values.global.remotePilotCreateSvcEndpoint=true \ --set values.global.remotePilotAddress=${PILOT_POD_IP} \ --set values.global.remotePolicyAddress=${POLICY_POD_IP} \ - --set values.global.remoteTelemetryAddress=${TELEMETRY_POD_IP} + --set values.global.remoteTelemetryAddress=${TELEMETRY_POD_IP} \ + --set gateways.enabled=false \ + --set autoInjection.enabled=true {{< /text >}} 1. To generate the `kubeconfig` configuration file for the remote cluster,
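Review bot: In the prerequisites hunk (@@ -39,10 +39,8 @@), removing the Helm bullet leaves the list with no tooling requirement, although every command in the guide now depends on `istioctl manifest` and the `remote` profile. Add a bullet that names `istioctl` and the minimum Istio release whose client supports `istioctl manifest apply --set profile=remote`, so a reader with an older client does not fail at the first install step.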
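Review bot: In the `istio-remote` install hunk (@@ -74,19 +72,19 @@), `--set values.global.controlPlaneSecurityEnabled=false` is added without any explanation, and it is the one new flag whose name says it turns a security setting off. Document it, either next to the command or in the "Installation configuration parameters" section that follows: why the guide sets it to false, and how it relates to the value used when the local control plane was deployed, so that readers do not copy it into a setup where that value differs. In the same hunk, the context line "You can install the component in one of two ways:" is stale now that the tabset is removed and only the `istioctl` path remains.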
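Review bot: In the uninstall hunk (@@ -240,11 +234,15 @@), the output of `istioctl manifest generate` is only the right input for `kubectl delete -f -` when the `--set` values match those used at install time, and the command hard-codes `--set autoInjection.enabled=true` while the manual sidecar hunk right after it (@@ -265,10 +263,13 @@) installs with `--set autoInjection.enabled=false`. Add a sentence telling the reader to repeat exactly the flags from their own install, since a manifest generated with different values can name resources that were never created or omit ones that were, and the latter would be left behind on the remote cluster. Consider also whether `kubectl delete --ignore-not-found -f -` is the better form for the documented command.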