Update external control plane to use shared global config (#9712)

* Update external control plane to use shared global config

* fix test

* lint

* fix test

content/en/docs/setup/additional-setup/external-controlplane/index.md

@@ -142,6 +142,49 @@ and installing the sidecar injector webhook configuration on the remote cluster
     $ export SSL_SECRET_NAME=<your external istiod secret>
     {{< /text >}}
 
+#### Set up the remote config cluster
+
+1. Create the remote Istio install configuration, which installs the injection webhook that uses the
+    external control plane's injector, instead of a locally deployed one. Because this cluster
+    also serves as the config cluster, the Istio CRDs and `istio` configmap (i.e., global mesh config)
+    are also installed by setting `base.enabled` and `pilot.configMap` to `true`:
+
+    {{< text syntax=bash snip_id=get_remote_config_cluster_iop >}}
+    $ cat <<EOF > remote-config-cluster.yaml
+    apiVersion: install.istio.io/v1alpha1
+    kind: IstioOperator
+    metadata:
+      namespace: external-istiod
+    spec:
+      profile: external
+      components:
+        base:
+          enabled: true
+      values:
+        global:
+          istioNamespace: external-istiod
+        pilot:
+          configMap: true
+        istiodRemote:
+          injectionURL: https://${EXTERNAL_ISTIOD_ADDR}:15017/inject/:ENV:cluster=${REMOTE_CLUSTER_NAME}:ENV:net=network1
+    EOF
+    {{< /text >}}
+
+    Then, install the configuration on the remote cluster:
+
+    {{< text bash >}}
+    $ kubectl create namespace external-istiod --context="${CTX_REMOTE_CLUSTER}"
+    $ istioctl manifest generate -f remote-config-cluster.yaml | kubectl apply --context="${CTX_REMOTE_CLUSTER}" -f -
+    {{< /text >}}
+
+1. Confirm that the remote cluster's webhook configuration has been installed:
+
+    {{< text bash >}}
+    $ kubectl get mutatingwebhookconfiguration -n external-istiod --context="${CTX_REMOTE_CLUSTER}"
+    NAME                                     WEBHOOKS   AGE
+    istio-sidecar-injector-external-istiod   4          6m24s
+    {{< /text >}}
+
 #### Set up the control plane in the external cluster
 
 1. Create the `external-istiod` namespace, which will be used to host the external control plane:
@@ -163,7 +206,11 @@ and installing the sidecar injector webhook configuration on the remote cluster
       kubectl apply -f - --context="${CTX_EXTERNAL_CLUSTER}"
     {{< /text >}}
 
-1. Create the Istio configuration to install the control plane in the `external-istiod` namespace of the external cluster:
+1. Create the Istio configuration to install the control plane in the `external-istiod` namespace of the external cluster.
+   Notice that istiod is configured to use the locally mounted `istio` configmap and the `SHARED_MESH_CONFIG` environment
+   variable is set to `istio`. This instructs istiod to merge the values set by the mesh admin in the config cluster's
+   configmap with the values in the local configmap set by the mesh operator, here, which will take precedence
+   if there are any conflicts:
 
     {{< text syntax=bash snip_id=get_external_istiod_iop >}}
     $ cat <<EOF > external-istiod.yaml
@@ -215,6 +262,8 @@ and installing the sidecar injector webhook configuration on the remote cluster
               value: "true"
             - name: CLUSTER_ID
               value: ${REMOTE_CLUSTER_NAME}
+            - name: SHARED_MESH_CONFIG
+              value: istio
       values:
         global:
           caAddress: $EXTERNAL_ISTIOD_ADDR:15012
@@ -326,46 +375,6 @@ and installing the sidecar injector webhook configuration on the remote cluster
     $ kubectl apply -f external-istiod-gw.yaml --context="${CTX_EXTERNAL_CLUSTER}"
     {{< /text >}}
 
-#### Set up the remote cluster
-
-1. Create the remote Istio install configuration, which installs the injection webhook that uses the
-    external control plane's injector, instead of a locally deployed one. Because this cluster
-    also serves as the config cluster, the Istio CRDs are also installed by setting `base.enabled`
-    to `true`:
-
-    {{< text syntax=bash snip_id=get_remote_config_cluster_iop >}}
-    $ cat <<EOF > remote-config-cluster.yaml
-    apiVersion: install.istio.io/v1alpha1
-    kind: IstioOperator
-    metadata:
-      namespace: external-istiod
-    spec:
-      profile: external
-      components:
-        base:
-          enabled: true
-      values:
-        global:
-          istioNamespace: external-istiod
-        istiodRemote:
-          injectionURL: https://${EXTERNAL_ISTIOD_ADDR}:15017/inject/:ENV:cluster=${REMOTE_CLUSTER_NAME}:ENV:net=network1
-    EOF
-    {{< /text >}}
-
-    Then, install the configuration on the remote cluster:
-
-    {{< text bash >}}
-    $ istioctl manifest generate -f remote-config-cluster.yaml | kubectl apply --context="${CTX_REMOTE_CLUSTER}" -f -
-    {{< /text >}}
-
-1. Confirm that the remote cluster's webhook configuration has been installed:
-
-    {{< text bash >}}
-    $ kubectl get mutatingwebhookconfiguration -n external-istiod --context="${CTX_REMOTE_CLUSTER}"
-    NAME                                     WEBHOOKS   AGE
-    istio-sidecar-injector-external-istiod   4          6m24s
-    {{< /text >}}
-
 ### Mesh admin steps
 
 Now that Istio is up and running, a mesh administrator only needs to deploy and configure services in the mesh,
@@ -522,7 +531,7 @@ $ export SECOND_CLUSTER_NAME=<your second remote cluster name>
     is set to `remote` this time, instead of `config`.
 
     {{< tip >}}
-    Note that the secret can alternatively be applied in the remote (config) cluster, instead of the external cluster,
+    Note that the new secret can be applied in either the remote (config) cluster or in the external cluster,
     because the external istiod is watching for additions in both clusters.
     {{< /tip >}}
 

content/en/docs/setup/additional-setup/external-controlplane/snips.sh

@@ -60,6 +60,41 @@ istio-ingressgateway-9d4c7f5c7-7qpzz   1/1     Running   0          29s
 istiod-68488cd797-mq8dn                1/1     Running   0          38s
 ENDSNIP
 
+snip_get_remote_config_cluster_iop() {
+cat <<EOF > remote-config-cluster.yaml
+apiVersion: install.istio.io/v1alpha1
+kind: IstioOperator
+metadata:
+  namespace: external-istiod
+spec:
+  profile: external
+  components:
+    base:
+      enabled: true
+  values:
+    global:
+      istioNamespace: external-istiod
+    pilot:
+      configMap: true
+    istiodRemote:
+      injectionURL: https://${EXTERNAL_ISTIOD_ADDR}:15017/inject/:ENV:cluster=${REMOTE_CLUSTER_NAME}:ENV:net=network1
+EOF
+}
+
+snip_set_up_the_remote_config_cluster_2() {
+kubectl create namespace external-istiod --context="${CTX_REMOTE_CLUSTER}"
+istioctl manifest generate -f remote-config-cluster.yaml | kubectl apply --context="${CTX_REMOTE_CLUSTER}" -f -
+}
+
+snip_set_up_the_remote_config_cluster_3() {
+kubectl get mutatingwebhookconfiguration -n external-istiod --context="${CTX_REMOTE_CLUSTER}"
+}
+
+! read -r -d '' snip_set_up_the_remote_config_cluster_3_out <<\ENDSNIP
+NAME                                     WEBHOOKS   AGE
+istio-sidecar-injector-external-istiod   4          6m24s
+ENDSNIP
+
 snip_set_up_the_control_plane_in_the_external_cluster_1() {
 kubectl create namespace external-istiod --context="${CTX_EXTERNAL_CLUSTER}"
 }
@@ -123,6 +158,8 @@ spec:
           value: "true"
         - name: CLUSTER_ID
           value: ${REMOTE_CLUSTER_NAME}
+        - name: SHARED_MESH_CONFIG
+          value: istio
   values:
     global:
       caAddress: $EXTERNAL_ISTIOD_ADDR:15012
@@ -228,38 +265,6 @@ snip_set_up_the_control_plane_in_the_external_cluster_7() {
 kubectl apply -f external-istiod-gw.yaml --context="${CTX_EXTERNAL_CLUSTER}"
 }
 
-snip_get_remote_config_cluster_iop() {
-cat <<EOF > remote-config-cluster.yaml
-apiVersion: install.istio.io/v1alpha1
-kind: IstioOperator
-metadata:
-  namespace: external-istiod
-spec:
-  profile: external
-  components:
-    base:
-      enabled: true
-  values:
-    global:
-      istioNamespace: external-istiod
-    istiodRemote:
-      injectionURL: https://${EXTERNAL_ISTIOD_ADDR}:15017/inject/:ENV:cluster=${REMOTE_CLUSTER_NAME}:ENV:net=network1
-EOF
-}
-
-snip_set_up_the_remote_cluster_2() {
-istioctl manifest generate -f remote-config-cluster.yaml | kubectl apply --context="${CTX_REMOTE_CLUSTER}" -f -
-}
-
-snip_set_up_the_remote_cluster_3() {
-kubectl get mutatingwebhookconfiguration -n external-istiod --context="${CTX_REMOTE_CLUSTER}"
-}
-
-! read -r -d '' snip_set_up_the_remote_cluster_3_out <<\ENDSNIP
-NAME                                     WEBHOOKS   AGE
-istio-sidecar-injector-external-istiod   4          6m24s
-ENDSNIP
-
 snip_deploy_a_sample_application_1() {
 kubectl create --context="${CTX_REMOTE_CLUSTER}" namespace sample
 kubectl label --context="${CTX_REMOTE_CLUSTER}" namespace sample istio-injection=enabled

content/en/docs/setup/additional-setup/external-controlplane/test.sh

@@ -69,6 +69,16 @@ export EXTERNAL_ISTIOD_ADDR=$(kubectl \
     -n istio-system get svc istio-ingressgateway \
     -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
 
+# Set up the remote cluster.
+
+snip_get_remote_config_cluster_iop
+
+#set +e #ignore failures here
+echo y | snip_set_up_the_remote_config_cluster_2
+#set -e
+
+_verify_like snip_set_up_the_remote_config_cluster_3 "$snip_set_up_the_remote_config_cluster_3_out"
+
 # Install istiod on the external cluster.
 
 snip_set_up_the_control_plane_in_the_external_cluster_1
@@ -82,16 +92,6 @@ _verify_like snip_set_up_the_control_plane_in_the_external_cluster_5 "$snip_set_
 snip_get_external_istiod_gateway_config_modified
 snip_set_up_the_control_plane_in_the_external_cluster_7
 
-# Set up the remote cluster.
-
-snip_get_remote_config_cluster_iop
-
-#set +e #ignore failures here
-echo y | snip_set_up_the_remote_cluster_2
-#set -e
-
-_verify_like snip_set_up_the_remote_cluster_3 "$snip_set_up_the_remote_cluster_3_out"
-
 # Validate the installation.
 
 snip_deploy_a_sample_application_1