shared control plane multicluster fixes #22173

Contributor

ayj commented Mar 13, 2020

  • Rename the remote istiod service and endpoint to istiod-remote to
    avoid conflicts with the real local istiod service.

  • Use the istiod-remote.<namespace>.svc hostname for the sidecar and
    ingress proxies discoveryAddress. This address needs to match the
    SAN in istiod's cert. The istiod-remote headless service will
    resolve the hostname to the remote IP address.

  • Add the istiod-remote hostname to istiod's SANs. Also use istiod's
    namespace to construct the legacy service names instead of
    hardcoding them to istio-system.

  • Simplify the remote profile by removing redundant and unused values.

Manually backport #21912 from master.

@ayj ayj requested a review from istio/release-managers-1-5 as a code owner Mar 13, 2020
Collaborator

googlebot commented Mar 13, 2020

All (the pull request submitter and all commit authors) CLAs are signed, but one or more commits were authored or co-authored by someone other than the pull request submitter.

We need to confirm that all authors are ok with their commits being contributed to this project. Please have them confirm that by leaving a comment that contains only @googlebot I consent. in this pull request.

Note to project maintainer: There may be cases where the author cannot leave a comment, or the comment is not properly detected as consent. In those cases, you can manually confirm consent of the commit author(s), and set the cla label to yes (if enabled on your project).

ℹ️ Googlers: Go here for more info.

Contributor Author

ayj commented Mar 13, 2020

cc @linsun

@ayj ayj force-pushed the ayj:ws1-release-1.5-backport-multicluster-fixes branch from 07e13ca to 18771db Mar 13, 2020
Collaborator

googlebot commented Mar 13, 2020

CLAs look good, thanks!

ℹ️ Googlers: Go here for more info.

@googlebot googlebot added cla: yes and removed cla: no labels Mar 13, 2020
@istio-testing istio-testing added size/L and removed size/XL labels Mar 13, 2020
* Rename the remote istiod service and endpoint to `istiod-remote` to
  avoid conflicts with the real local istiod service.

* Use the `istiod-remote.<namespace>.svc` hostname for the sidecar and
  ingress proxies discoveryAddress. This address needs to match the
  SAN in istiod's cert. The `istiod-remote` headless service will
  resolve the hostname to the remote IP address.

* Add the `istiod-remote` hostname to istiod's SANs. Also use istiod's
  namespace to construct the legacy service names instead of
  hardcoding them to `istio-system`.

* Simplify the remote profile by removing redundant and unused values.

* clone LbEndpoint to prevent data race (#22023)

* fix meshexpansion ports for non-istiod deployments
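
The SAN requirement in the description above, as an added example that is not part of this pull request or of Istio's code: a stand-in serving certificate is issued with and without the `istiod-remote` SAN, and the host in the proxy's discoveryAddress is checked against it the way a TLS client would. The `istio-system` namespace, port 15012 and the helper names `issueCert` and `sanCovers` are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// issueCert (hypothetical helper) self-signs a throwaway cert standing in for istiod's.
func issueCert(sans []string) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
		DNSNames:     sans,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// sanCovers (hypothetical helper) reports whether the discoveryAddress host is in the SANs.
func sanCovers(sans []string, discoveryAddress string) (bool, error) {
	cert, err := issueCert(sans)
	if err != nil {
		return false, err
	}
	host, _, err := net.SplitHostPort(discoveryAddress)
	if err != nil {
		return false, err
	}
	return cert.VerifyHostname(host) == nil, nil
}

func main() {
	addr := "istiod-remote.istio-system.svc:15012" // constructed sample value
	local := "istiod.istio-system.svc"             // constructed sample value
	fmt.Println(sanCovers([]string{local}, addr))
	fmt.Println(sanCovers([]string{local, "istiod-remote.istio-system.svc"}, addr))
}
```
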
@ayj ayj force-pushed the ayj:ws1-release-1.5-backport-multicluster-fixes branch from 18771db to 036fc76 Mar 13, 2020
ayj added 3 commits Mar 14, 2020
…-release-1.5-backport-multicluster-fixes
Contributor Author

ayj commented Mar 15, 2020

/retest

@ayj ayj removed the do-not-merge/hold label Mar 15, 2020
Contributor Author

ayj commented Mar 15, 2020

/retest

# Create a secret access a remote cluster with an auth plugin
istioctl --Kubeconfig=c0.yaml x create-remote-secret --name c0 --auth-type=plugin --auth-plugin-name=gcp \
| kubectl -n istio-system --Kubeconfig=c1.yaml apply -f -
| kubectl --Kubeconfig=c1.yaml apply -f -
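
Review bot: `--Kubeconfig` is capitalized on the istioctl line and on both kubectl lines, but flag names are case-sensitive and both tools spell it `--kubeconfig`, so the example does not run when copied; lowercase all three. The two kubectl lines differ only in `-n istio-system`, so the example should also say which namespace the secret is applied to when `-n` is not given. The comment line is missing a word: "Create a secret to access a remote cluster".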


linsun Mar 16, 2020

Member

@ayj what would be the cmd if users don't install istio to istio-system ns? use -n {namespace}?


linsun Mar 16, 2020

Member

Also, where can I find docs for this auth-plugin, auth-type?


ayj Mar 16, 2020

Author Contributor

Yes, users can use -n <namespace> if they install in a different namespace.

There aren't any additional docs yet for auth->{plugin,type}.

pilot/pkg/features/pilot.go (outdated, resolved)
Contributor Author

ayj commented Mar 16, 2020

This should be ready for review. This is mostly a backport of #21912. Charts between 1.5 and master have diverged so it's worth taking a second look at the legacy helm charts in particular.

linsun approved these changes Mar 17, 2020
Member

linsun left a comment

@fpesce @dgn pls review/approve

fpesce approved these changes Mar 17, 2020
@istio-testing istio-testing merged commit 3218efd into istio:release-1.5 Mar 17, 2020
23 checks passed
@ayj ayj deleted the ayj:ws1-release-1.5-backport-multicluster-fixes branch Mar 17, 2020