From c26390c6ff088c2b2408ae5471ae86a0c7a4deb9 Mon Sep 17 00:00:00 2001 From: Frank Budinsky Date: Tue, 13 Jul 2021 12:29:20 -0400 Subject: [PATCH] Update for simplified istiod-remote charts (#9983) * Update for simplied istiod-remote charts * regen snips * correction * remove arg * regen * add service-account arg * regen --- .../install/external-controlplane/index.md | 58 ++++++++++--------- .../install/external-controlplane/snips.sh | 34 ++++++----- 2 files changed, 48 insertions(+), 44 deletions(-) diff --git a/content/en/docs/setup/install/external-controlplane/index.md b/content/en/docs/setup/install/external-controlplane/index.md index d291603d8d..d98efbbe26 100644 --- a/content/en/docs/setup/install/external-controlplane/index.md +++ b/content/en/docs/setup/install/external-controlplane/index.md @@ -147,10 +147,10 @@ and installing the sidecar injector webhook configuration on the remote cluster #### Set up the remote config cluster -1. Create the remote cluster's Istio install configuration, which installs the injection webhook that uses the - external control plane's injector, instead of a locally deployed one. Because this cluster - also serves as the config cluster, the Istio CRDs and `istio` configmap (i.e., global mesh config) - are also installed by setting `base.enabled` and `pilot.configMap` to `true`: +1. Use the `external` profile to configure the remote cluster's Istio installation. This installs an injection + webhook that uses the external control plane's injector, instead of a locally deployed one. Because this cluster + will also serve as the config cluster, the Istio CRDs and other resources that will be needed on the remote cluster + are also installed by setting `global.configCluster` and `pilot.configMap` to `true`: {{< text syntax=bash snip_id=get_remote_config_cluster_iop >}} $ cat < remote-config-cluster.yaml 
@@ -160,12 +160,10 @@ and installing the sidecar injector webhook configuration on the remote cluster namespace: external-istiod spec: profile: external - components: - base: - enabled: true values: global: istioNamespace: external-istiod + configCluster: true pilot: configMap: true istiodRemote: @@ -207,7 +205,9 @@ and installing the sidecar injector webhook configuration on the remote cluster $ istioctl x create-remote-secret \ --context="${CTX_REMOTE_CLUSTER}" \ --type=config \ - --namespace=external-istiod | \ + --namespace=external-istiod \ + --service-account=istiod \ + --create-service-account=false | \ kubectl apply -f - --context="${CTX_EXTERNAL_CLUSTER}" {{< /text >}} @@ -520,26 +520,6 @@ $ export SECOND_CLUSTER_NAME= ### Register the new cluster -1. Create a secret with credentials to allow the control plane to access the endpoints on the second remote cluster - and install it: - - {{< text bash >}} - $ istioctl x create-remote-secret \ - --context="${CTX_SECOND_CLUSTER}" \ - --name="${SECOND_CLUSTER_NAME}" \ - --type=remote \ - --namespace=external-istiod | \ - kubectl apply -f - --context="${CTX_REMOTE_CLUSTER}" #TODO use --context="{CTX_EXTERNAL_CLUSTER}" when #31946 is fixed. - {{< /text >}} - - Note that unlike the first remote cluster of the mesh, which also serves as the config cluster, the `--type` argument - is set to `remote` this time, instead of `config`. - - {{< tip >}} - Note that the new secret can be applied in either the remote (config) cluster or in the external cluster, - because the external istiod is watching for additions in both clusters. - {{< /tip >}} - 1. Create the remote Istio install configuration, which installs the injection webhook that uses the external control plane's injector, instead of a locally deployed one: 
@@ -562,6 +542,7 @@ $ export SECOND_CLUSTER_NAME= Then, install the configuration on the remote cluster: {{< text bash >}} + $ kubectl create namespace external-istiod --context="${CTX_SECOND_CLUSTER}" $ istioctl manifest generate -f second-config-cluster.yaml | kubectl apply --context="${CTX_SECOND_CLUSTER}" -f - {{< /text >}} @@ -573,6 +554,27 @@ $ export SECOND_CLUSTER_NAME= istio-sidecar-injector-external-istiod 4 4m13s {{< /text >}} +1. Create a secret with credentials to allow the control plane to access the endpoints on the second remote cluster + and install it: + + {{< text bash >}} + $ istioctl x create-remote-secret \ + --context="${CTX_SECOND_CLUSTER}" \ + --name="${SECOND_CLUSTER_NAME}" \ + --type=remote \ + --namespace=external-istiod \ + --create-service-account=false | \ + kubectl apply -f - --context="${CTX_REMOTE_CLUSTER}" #TODO use --context="{CTX_EXTERNAL_CLUSTER}" when #31946 is fixed. + {{< /text >}} + + Note that unlike the first remote cluster of the mesh, which also serves as the config cluster, the `--type` argument + is set to `remote` this time, instead of `config`. + + {{< tip >}} + Note that the new secret can be applied in either the remote (config) cluster or in the external cluster, + because the external istiod is watching for additions in both clusters. + {{< /tip >}} + ### Setup east-west gateways 1. Deploy east-west gateways on both remote clusters: diff --git a/content/en/docs/setup/install/external-controlplane/snips.sh b/content/en/docs/setup/install/external-controlplane/snips.sh index 6bfdd42735..c7ee6dd430 100644 --- a/content/en/docs/setup/install/external-controlplane/snips.sh +++ b/content/en/docs/setup/install/external-controlplane/snips.sh @@ -68,12 +68,10 @@ metadata: namespace: external-istiod spec: profile: external - components: - base: - enabled: true values: global: istioNamespace: external-istiod + configCluster: true pilot: configMap: true istiodRemote: 
@@ -106,7 +104,9 @@ kubectl create sa istiod-service-account -n external-istiod --context="${CTX_EXT istioctl x create-remote-secret \ --context="${CTX_REMOTE_CLUSTER}" \ --type=config \ - --namespace=external-istiod | \ + --namespace=external-istiod \ + --service-account=istiod \ + --create-service-account=false | \ kubectl apply -f - --context="${CTX_EXTERNAL_CLUSTER}" } @@ -363,15 +363,6 @@ curl -s "http://${GATEWAY_URL}/hello" Hello version: v1, instance: helloworld-v1-776f57d5f6-s7zfc ENDSNIP -snip_register_the_new_cluster_1() { -istioctl x create-remote-secret \ - --context="${CTX_SECOND_CLUSTER}" \ - --name="${SECOND_CLUSTER_NAME}" \ - --type=remote \ - --namespace=external-istiod | \ - kubectl apply -f - --context="${CTX_REMOTE_CLUSTER}" #TODO use --context="{CTX_EXTERNAL_CLUSTER}" when #31946 is fixed. -} - snip_get_second_config_cluster_iop() { cat < second-config-cluster.yaml apiVersion: install.istio.io/v1alpha1 
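Review bot: The two flags added to `create-remote-secret` here decide whose token ends up in the kubeconfig secret applied to `CTX_EXTERNAL_CLUSTER`, and nothing beside the command says so. `--service-account=istiod` names an account in `external-istiod` on the remote cluster, which is easy to confuse with the `istiod-service-account` that the hunk header shows being created just above (apparently on the external cluster). With `--create-service-account=false` istioctl will not create the account, so the step presumably relies on the remote install having created it, and the secret carries whatever RBAC that install binds to it. I would say so in the step text of index.md, which has the same command, e.g. `The secret holds the token of the istiod service account that the remote install created; this command does not create it.` The enclosing snip function starts above the hunk.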
@@ -388,19 +379,30 @@ spec: EOF } -snip_register_the_new_cluster_3() { +snip_register_the_new_cluster_2() { +kubectl create namespace external-istiod --context="${CTX_SECOND_CLUSTER}" istioctl manifest generate -f second-config-cluster.yaml | kubectl apply --context="${CTX_SECOND_CLUSTER}" -f - } -snip_register_the_new_cluster_4() { +snip_register_the_new_cluster_3() { kubectl get mutatingwebhookconfiguration --context="${CTX_SECOND_CLUSTER}" } -! read -r -d '' snip_register_the_new_cluster_4_out <<\ENDSNIP +! read -r -d '' snip_register_the_new_cluster_3_out <<\ENDSNIP NAME WEBHOOKS AGE istio-sidecar-injector-external-istiod 4 4m13s ENDSNIP +snip_register_the_new_cluster_4() { +istioctl x create-remote-secret \ + --context="${CTX_SECOND_CLUSTER}" \ + --name="${SECOND_CLUSTER_NAME}" \ + --type=remote \ + --namespace=external-istiod \ + --create-service-account=false | \ + kubectl apply -f - --context="${CTX_REMOTE_CLUSTER}" #TODO use --context="{CTX_EXTERNAL_CLUSTER}" when #31946 is fixed. +} + snip_setup_eastwest_gateways_1() { samples/multicluster/gen-eastwest-gateway.sh \ --mesh mesh1 --cluster "${REMOTE_CLUSTER_NAME}" --network network1 > eastwest-gateway-1.yaml
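Review bot: In `snip_register_the_new_cluster_4` the call passes `--create-service-account=false` but no `--service-account`, unlike the config-cluster call earlier in this file, so the secret carries the token of istioctl's default account for `--type=remote` and the reader cannot see which one. Naming it explicitly with `--service-account=<account installed by second-config-cluster.yaml>` (placeholder; I have not checked the chart) would make the credential's scope reviewable and keep the two calls parallel. Until the TODO is resolved this secret is applied to `CTX_REMOTE_CLUSTER`, so the config cluster stores a credential for the second cluster, and read access to secrets in `external-istiod` there is worth restricting. The TODO's `--context="{CTX_EXTERNAL_CLUSTER}"` is also missing its `$`.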