Update for simplified istiod-remote charts (#9983)

* Update for simplied istiod-remote charts * regen snips * correction * remove arg * regen * add service-account arg * regen
2021-07-13 12:29:20 -04:00 · 2021-07-13 12:29:20 -04:00 · c26390c6ff
parent 1a2f00d00d
commit c26390c6ff
2 changed files with 48 additions and 44 deletions
--- a/content/en/docs/setup/install/external-controlplane/index.md
+++ b/content/en/docs/setup/install/external-controlplane/index.md
@ -147,10 +147,10 @@ and installing the sidecar injector webhook configuration on the remote cluster

 #### Set up the remote config cluster

-1. Create the remote cluster's Istio install configuration, which installs the injection webhook that uses the
-    external control plane's injector, instead of a locally deployed one. Because this cluster
-    also serves as the config cluster, the Istio CRDs and `istio` configmap (i.e., global mesh config)
-    are also installed by setting `base.enabled` and `pilot.configMap` to `true`:
+1. Use the `external` profile to configure the remote cluster's Istio installation. This installs an injection
+    webhook that uses the external control plane's injector, instead of a locally deployed one. Because this cluster
+    will also serve as the config cluster, the Istio CRDs and other resources that will be needed on the remote cluster
+    are also installed by setting `global.configCluster` and `pilot.configMap` to `true`:

    {{< text syntax=bash snip_id=get_remote_config_cluster_iop >}}
    $ cat <<EOF > remote-config-cluster.yaml
@ -160,12 +160,10 @@ and installing the sidecar injector webhook configuration on the remote cluster
      namespace: external-istiod
    spec:
      profile: external
-      components:
-        base:
-          enabled: true
      values:
        global:
          istioNamespace: external-istiod
+          configCluster: true
        pilot:
          configMap: true
        istiodRemote:
@ -207,7 +205,9 @@ and installing the sidecar injector webhook configuration on the remote cluster
    $ istioctl x create-remote-secret \
      --context="${CTX_REMOTE_CLUSTER}" \
      --type=config \
-      --namespace=external-istiod | \
+      --namespace=external-istiod \
+      --service-account=istiod \
+      --create-service-account=false | \
      kubectl apply -f - --context="${CTX_EXTERNAL_CLUSTER}"
    {{< /text >}}

@ -520,26 +520,6 @@ $ export SECOND_CLUSTER_NAME=<your second remote cluster name>

 ### Register the new cluster

-1. Create a secret with credentials to allow the control plane to access the endpoints on the second remote cluster
-    and install it:
-
-    {{< text bash >}}
-    $ istioctl x create-remote-secret \
-      --context="${CTX_SECOND_CLUSTER}" \
-      --name="${SECOND_CLUSTER_NAME}" \
-      --type=remote \
-      --namespace=external-istiod | \
-      kubectl apply -f - --context="${CTX_REMOTE_CLUSTER}" #TODO use --context="{CTX_EXTERNAL_CLUSTER}" when #31946 is fixed.
-    {{< /text >}}
-
-    Note that unlike the first remote cluster of the mesh, which also serves as the config cluster, the `--type` argument
-    is set to `remote` this time, instead of `config`.
-
-    {{< tip >}}
-    Note that the new secret can be applied in either the remote (config) cluster or in the external cluster,
-    because the external istiod is watching for additions in both clusters.
-    {{< /tip >}}
-
 1. Create the remote Istio install configuration, which installs the injection webhook that uses the
    external control plane's injector, instead of a locally deployed one:

@ -562,6 +542,7 @@ $ export SECOND_CLUSTER_NAME=<your second remote cluster name>
    Then, install the configuration on the remote cluster:

    {{< text bash >}}
+    $ kubectl create namespace external-istiod --context="${CTX_SECOND_CLUSTER}"
    $ istioctl manifest generate -f second-config-cluster.yaml | kubectl apply --context="${CTX_SECOND_CLUSTER}" -f -
    {{< /text >}}

@ -573,6 +554,27 @@ $ export SECOND_CLUSTER_NAME=<your second remote cluster name>
    istio-sidecar-injector-external-istiod   4          4m13s
    {{< /text >}}

+1. Create a secret with credentials to allow the control plane to access the endpoints on the second remote cluster
+    and install it:
+
+    {{< text bash >}}
+    $ istioctl x create-remote-secret \
+      --context="${CTX_SECOND_CLUSTER}" \
+      --name="${SECOND_CLUSTER_NAME}" \
+      --type=remote \
+      --namespace=external-istiod \
+      --create-service-account=false | \
+      kubectl apply -f - --context="${CTX_REMOTE_CLUSTER}" #TODO use --context="{CTX_EXTERNAL_CLUSTER}" when #31946 is fixed.
+    {{< /text >}}
+
+    Note that unlike the first remote cluster of the mesh, which also serves as the config cluster, the `--type` argument
+    is set to `remote` this time, instead of `config`.
+
+    {{< tip >}}
+    Note that the new secret can be applied in either the remote (config) cluster or in the external cluster,
+    because the external istiod is watching for additions in both clusters.
+    {{< /tip >}}
+
 ### Setup east-west gateways

 1. Deploy east-west gateways on both remote clusters:
--- a/content/en/docs/setup/install/external-controlplane/snips.sh
+++ b/content/en/docs/setup/install/external-controlplane/snips.sh
@ -68,12 +68,10 @@ metadata:
  namespace: external-istiod
 spec:
  profile: external
-  components:
-    base:
-      enabled: true
  values:
    global:
      istioNamespace: external-istiod
+      configCluster: true
    pilot:
      configMap: true
    istiodRemote:
@ -106,7 +104,9 @@ kubectl create sa istiod-service-account -n external-istiod --context="${CTX_EXT
 istioctl x create-remote-secret \
  --context="${CTX_REMOTE_CLUSTER}" \
  --type=config \
-  --namespace=external-istiod | \
+  --namespace=external-istiod \
+  --service-account=istiod \
+  --create-service-account=false | \
  kubectl apply -f - --context="${CTX_EXTERNAL_CLUSTER}"
 }

@ -363,15 +363,6 @@ curl -s "http://${GATEWAY_URL}/hello"
 Hello version: v1, instance: helloworld-v1-776f57d5f6-s7zfc
 ENDSNIP

-snip_register_the_new_cluster_1() {
-istioctl x create-remote-secret \
-  --context="${CTX_SECOND_CLUSTER}" \
-  --name="${SECOND_CLUSTER_NAME}" \
-  --type=remote \
-  --namespace=external-istiod | \
-  kubectl apply -f - --context="${CTX_REMOTE_CLUSTER}" #TODO use --context="{CTX_EXTERNAL_CLUSTER}" when #31946 is fixed.
-}
-
 snip_get_second_config_cluster_iop() {
 cat <<EOF > second-config-cluster.yaml
 apiVersion: install.istio.io/v1alpha1
@ -388,19 +379,30 @@ spec:
 EOF
 }

-snip_register_the_new_cluster_3() {
+snip_register_the_new_cluster_2() {
+kubectl create namespace external-istiod --context="${CTX_SECOND_CLUSTER}"
 istioctl manifest generate -f second-config-cluster.yaml | kubectl apply --context="${CTX_SECOND_CLUSTER}" -f -
 }

-snip_register_the_new_cluster_4() {
+snip_register_the_new_cluster_3() {
 kubectl get mutatingwebhookconfiguration --context="${CTX_SECOND_CLUSTER}"
 }

-! read -r -d '' snip_register_the_new_cluster_4_out <<\ENDSNIP
+! read -r -d '' snip_register_the_new_cluster_3_out <<\ENDSNIP
 NAME                                     WEBHOOKS   AGE
 istio-sidecar-injector-external-istiod   4          4m13s
 ENDSNIP

+snip_register_the_new_cluster_4() {
+istioctl x create-remote-secret \
+  --context="${CTX_SECOND_CLUSTER}" \
+  --name="${SECOND_CLUSTER_NAME}" \
+  --type=remote \
+  --namespace=external-istiod \
+  --create-service-account=false | \
+  kubectl apply -f - --context="${CTX_REMOTE_CLUSTER}" #TODO use --context="{CTX_EXTERNAL_CLUSTER}" when #31946 is fixed.
+}
+
 snip_setup_eastwest_gateways_1() {
 samples/multicluster/gen-eastwest-gateway.sh \
    --mesh mesh1 --cluster "${REMOTE_CLUSTER_NAME}" --network network1 > eastwest-gateway-1.yaml