From 036fc7618563fea02e9956da36ba26953cdd3dbe Mon Sep 17 00:00:00 2001 
From: Jason Young Date: Wed, 11 Mar 2020 16:24:51 -0700 Subject: [PATCH 1/5] shared control plane multicluster fixes * Rename the remote istiod service and endpoint to `istiod-remote` to avoid conflicts with the real local istiod service. * Use the `istiod-remote..svc` hostname for the sidecar and ingress proxies discoveryAddress. This address needs to match the SAN in istiod's cert. The `istiod-remote` headless service will resolve the hostname to the remote IP address. * Add the `istiod-remote` hostname to istiod's SANs. Also use istiod's namespace to construct the legacy service names instead of hardcoding them to `istio-system`. * Simplify the remote profile by removing redundant and unused values. * clone LbEndpoint to prevent data race (#22023) * fix meshexpansion ports for non-istiod deployments --- .../helm/istio/templates/configmap.yaml | 4 +- .../helm/istio/templates/endpoints.yaml | 2 +- .../helm/istio/templates/service.yaml | 2 +- istioctl/pkg/multicluster/remote_secret.go | 8 +- .../pkg/multicluster/remote_secret_test.go | 1 + manifests/base/templates/endpoints.yaml | 15 +- manifests/base/templates/services.yaml | 13 +- .../templates/meshexpansion.yaml | 69 +++++++- manifests/global.yaml | 2 - .../istio-autoinject/templates/configmap.yaml | 4 +- .../istio-discovery/templates/configmap.yaml | 11 +- .../istio-discovery/templates/deployment.yaml | 2 + .../prometheus/templates/deployment.yaml | 2 + .../manifest-generate/output/all_on.yaml | 7 +- .../output/component_hub_tag.yaml | 5 + .../manifest-generate/output/flag_force.yaml | 2 + .../manifest-generate/output/flag_output.yaml | 2 + .../output/flag_output_set_profile.yaml | 2 + .../output/flag_output_set_values.yaml | 5 + .../output/flag_override_values.yaml | 2 + .../output/flag_set_values.yaml | 5 + .../manifest-generate/output/gateways.yaml | 2 + .../output/gateways_override_default.yaml | 3 + .../output/ingressgateway_k8s_settings.yaml | 1 + .../output/pilot_default.yaml | 2 + 
.../output/pilot_k8s_settings.yaml | 2 + .../output/pilot_override_kubernetes.yaml | 2 + .../output/pilot_override_values.yaml | 2 + .../manifest-generate/output/prometheus.yaml | 2 + .../testdata/profile-dump/output/all_off.yaml | 3 + operator/data/profiles/default.yaml | 3 + operator/data/profiles/remote.yaml | 31 +--- operator/pkg/vfs/assets.gen.go | 151 +++++++++++------- pilot/cmd/pilot-discovery/main.go | 4 +- pilot/pkg/bootstrap/certcontroller.go | 11 +- pilot/pkg/bootstrap/multicluster.go | 4 +- pilot/pkg/bootstrap/server.go | 2 +- pilot/pkg/features/pilot.go | 3 + pilot/pkg/model/push_context.go | 28 ++-- pilot/pkg/model/service.go | 1 - pilot/pkg/networking/util/util.go | 15 ++ pilot/pkg/networking/util/util_test.go | 11 ++ pilot/pkg/proxy/envoy/v2/ep_filters.go | 7 +- .../serviceregistry/aggregate/controller.go | 35 ++++ .../aggregate/controller_test.go | 30 ++++ .../kube/controller/multicluster.go | 16 +- .../kube/controller/multicluster_test.go | 9 +- pkg/config/mesh/mesh.go | 10 +- 48 files changed, 401 insertions(+), 154 deletions(-) diff --git a/install/kubernetes/helm/istio/templates/configmap.yaml b/install/kubernetes/helm/istio/templates/configmap.yaml index 9043849762e..6bac37a7c6a 100644 --- a/install/kubernetes/helm/istio/templates/configmap.yaml +++ b/install/kubernetes/helm/istio/templates/configmap.yaml @@ -316,7 +316,7 @@ data: controlPlaneAuthPolicy: MUTUAL_TLS # # Address where istio Pilot service is running - {{- if or .Values.global.remotePilotCreateSvcEndpoint .Values.global.createRemoteSvcEndpoints }} + {{- if .Values.global.remotePilotAddress }} discoveryAddress: {{ $defPilotHostname }}:15011 {{- else }} discoveryAddress: {{ $pilotAddress }}:15011 
@@ -327,7 +327,7 @@ data: controlPlaneAuthPolicy: NONE # # Address where istio Pilot service is running - {{- if or .Values.global.remotePilotCreateSvcEndpoint .Values.global.createRemoteSvcEndpoints }} + {{- if .Values.global.remotePilotAddress }} discoveryAddress: {{ $defPilotHostname }}:15010 {{- else }} discoveryAddress: {{ $pilotAddress }}:15010 diff --git a/install/kubernetes/helm/istio/templates/endpoints.yaml b/install/kubernetes/helm/istio/templates/endpoints.yaml index 81b82185362..2acb9562018 100644 --- a/install/kubernetes/helm/istio/templates/endpoints.yaml +++ b/install/kubernetes/helm/istio/templates/endpoints.yaml @@ -1,4 +1,4 @@ -{{- if or .Values.global.remotePilotCreateSvcEndpoint .Values.global.createRemoteSvcEndpoints }} +{{- if .Values.global.remotePilotAddress }} apiVersion: v1 kind: Endpoints metadata: diff --git a/install/kubernetes/helm/istio/templates/service.yaml b/install/kubernetes/helm/istio/templates/service.yaml index 732cdefd200..00946ddba49 100644 --- a/install/kubernetes/helm/istio/templates/service.yaml +++ b/install/kubernetes/helm/istio/templates/service.yaml @@ -1,4 +1,4 @@ -{{- if or .Values.global.remotePilotCreateSvcEndpoint .Values.global.createRemoteSvcEndpoints }} +{{- if .Values.global.remotePilotAddress }} apiVersion: v1 kind: Service metadata: diff --git a/istioctl/pkg/multicluster/remote_secret.go b/istioctl/pkg/multicluster/remote_secret.go index ac4af637824..67fbd61ca90 100644 --- a/istioctl/pkg/multicluster/remote_secret.go +++ b/istioctl/pkg/multicluster/remote_secret.go 
@@ -86,15 +86,15 @@ func NewCreateRemoteSecretCommand() *cobra.Command { Example: ` # Create a secret to access cluster c0's apiserver and install it in cluster c1. istioctl --Kubeconfig=c0.yaml x create-remote-secret --name c0 \ - | kubectl -n istio-system --Kubeconfig=c1.yaml apply -f - + | kubectl --Kubeconfig=c1.yaml apply -f - # Delete a secret that was previously installed in c1 istioctl --Kubeconfig=c0.yaml x create-remote-secret --name c0 \ - | kubectl -n istio-system --Kubeconfig=c1.yaml delete -f - + | kubectl --Kubeconfig=c1.yaml delete -f - # Create a secret access a remote cluster with an auth plugin istioctl --Kubeconfig=c0.yaml x create-remote-secret --name c0 --auth-type=plugin --auth-plugin-name=gcp \ - | kubectl -n istio-system --Kubeconfig=c1.yaml apply -f - + | kubectl --Kubeconfig=c1.yaml apply -f - `, Args: cobra.NoArgs, RunE: func(c *cobra.Command, args []string) error { @@ -383,6 +383,8 @@ func createRemoteSecret(opt RemoteSecretOptions, client kubernetes.Interface, en if err != nil { return nil, err } + + remoteSecret.Namespace = opt.Namespace return remoteSecret, nil } diff --git a/istioctl/pkg/multicluster/remote_secret_test.go b/istioctl/pkg/multicluster/remote_secret_test.go index 29a8f7f5446..c637d09b628 100644 --- a/istioctl/pkg/multicluster/remote_secret_test.go +++ b/istioctl/pkg/multicluster/remote_secret_test.go @@ -110,6 +110,7 @@ metadata: labels: istio/multiCluster: "true" name: istio-remote-secret-54643f96-eca0-11e9-bb97-42010a80000a + namespace: istio-system-test stringData: 54643f96-eca0-11e9-bb97-42010a80000a: | apiVersion: v1 diff --git a/manifests/base/templates/endpoints.yaml b/manifests/base/templates/endpoints.yaml index c9495fdc45c..56e384b8afb 100644 --- a/manifests/base/templates/endpoints.yaml +++ b/manifests/base/templates/endpoints.yaml 
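Review bot: The new `remoteSecret.Namespace = opt.Namespace` in createRemoteSecret pins the namespace inside the emitted manifest (which is why the examples in the first hunk drop `-n istio-system`), but nothing in the hunk rejects an empty `opt.Namespace`; with an empty value the serialized secret carries no namespace and `kubectl apply` places the remote apiserver credential in whatever namespace the user's kubeconfig context selects, which is presumably not where istiod looks for `istio/multiCluster: "true"` secrets. Option validation lives outside this hunk, so it may already be covered; if not, the empty case should be rejected there. Either way the assignment deserves a why-comment, e.g. `// Pin the namespace in the manifest so the secret lands where the control plane expects it, independent of the -n passed to kubectl apply.` The body of createRemoteSecret starts outside the hunk.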
@@ -1,4 +1,5 @@ -{{- if or .Values.global.remotePilotCreateSvcEndpoint .Values.global.createRemoteSvcEndpoints }} +{{- if .Values.global.remotePilotAddress }} + {{- if not .Values.global.istiod.enabled }} apiVersion: v1 kind: Endpoints metadata: @@ -15,25 +16,25 @@ subsets: - port: 8080 name: http-legacy-discovery # direct - port: 15012 - name: http-istiod + name: tcp-istiod - port: 15014 name: http-monitoring ---- + {{- else }} apiVersion: v1 kind: Endpoints metadata: - name: istiod + name: istiod-remote namespace: {{ .Release.Namespace }} subsets: - addresses: - ip: {{ .Values.global.remotePilotAddress }} ports: - port: 15012 - name: http-istiod + name: tcp-istiod + {{- end }} +--- {{- end }} - {{- if and .Values.global.remotePolicyAddress .Values.global.createRemoteSvcEndpoints }} ---- apiVersion: v1 kind: Endpoints metadata: diff --git a/manifests/base/templates/services.yaml b/manifests/base/templates/services.yaml index 93ce2c909fa..012c81004ad 100644 --- a/manifests/base/templates/services.yaml +++ b/manifests/base/templates/services.yaml @@ -1,4 +1,5 @@ -{{- if or .Values.global.remotePilotCreateSvcEndpoint .Values.global.createRemoteSvcEndpoints }} +{{- if .Values.global.remotePilotAddress }} + {{- if not .Values.global.istiod.enabled }} apiVersion: v1 kind: Service metadata: @@ -13,20 +14,22 @@ spec: - port: 8080 name: http-legacy-discovery # direct - port: 15012 - name: http-istiod + name: tcp-istiod - port: 15014 name: http-monitoring clusterIP: None ---- + {{- else }} apiVersion: v1 kind: Service metadata: - name: istiod + name: istiod-remote namespace: {{ .Release.Namespace }} spec: ports: - port: 15012 - name: http-istiod + name: tcp-istiod + clusterIP: None + {{- end }} --- {{- end }} {{- if and .Values.global.remotePolicyAddress .Values.global.createRemoteSvcEndpoints }} diff --git a/manifests/gateways/istio-ingress/templates/meshexpansion.yaml b/manifests/gateways/istio-ingress/templates/meshexpansion.yaml index b8ae63164a1..31cdb4c2bd4 100644 
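Review bot: The istiod-remote Endpoints object writes `ip: {{ .Values.global.remotePilotAddress }}` and is now rendered whenever `remotePilotAddress` is non-empty, whereas before this commit it required the separate `remotePilotCreateSvcEndpoint`/`createRemoteSvcEndpoints` opt-in and the raw value was also used directly as `discoveryAddress` (see the old line in the istio-discovery configmap hunk). Any existing overlay that set `remotePilotAddress` to a hostname or a `host:port` string will therefore now produce an Endpoints object the API server rejects, and the port is fixed to 15012 regardless of what the value contained. The contract of the value has silently become "bare IP address"; I would document that where it is declared in manifests/global.yaml, e.g. `remotePilotAddress: ""  # IP address only: written into the istiod-remote Endpoints; proxies reach it via istiod-remote.<namespace>.svc:15012`. The services.yaml hunk on this line shares the same gating change.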
--- a/manifests/gateways/istio-ingress/templates/meshexpansion.yaml +++ b/manifests/gateways/istio-ingress/templates/meshexpansion.yaml @@ -1,4 +1,5 @@ {{- if .Values.global.meshExpansion.enabled }} + {{- if .Values.global.istiod.enabled }} apiVersion: networking.istio.io/v1alpha3 kind: Gateway metadata: @@ -17,7 +18,6 @@ spec: hosts: - "*" --- - apiVersion: networking.istio.io/v1alpha3 kind: VirtualService metadata: @@ -39,7 +39,6 @@ spec: port: number: 15012 --- - apiVersion: networking.istio.io/v1alpha3 kind: DestinationRule metadata: @@ -55,6 +54,70 @@ spec: number: 15012 tls: mode: DISABLE - +--- + {{- else }} +apiVersion: networking.istio.io/v1alpha3 +kind: Gateway +metadata: + name: meshexpansion-gateway + namespace: {{ .Release.Namespace }} + labels: + release: {{ .Release.Name }} +spec: + selector: + istio: ingressgateway + servers: + - port: + number: 15011 + protocol: TCP + name: tcp-pilot + hosts: + - "*" + - port: + number: 15004 + name: tls-mixer + protocol: TLS + tls: + mode: AUTO_PASSTHROUGH + hosts: + - "*" +--- +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: meshexpansion-vs-pilot + namespace: {{ .Release.Namespace }} + labels: + release: {{ .Release.Name }} +spec: + hosts: + - istio-pilot.{{ .Values.global.istioNamespace }}.svc.{{ .Values.global.proxy.clusterDomain }} + gateways: + - meshexpansion-gateway + tcp: + - match: + - port: 15011 + route: + - destination: + host: istio-pilot.{{ .Values.global.istioNamespace }}.svc.{{ .Values.global.proxy.clusterDomain }} + port: + number: 15011 +--- +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: meshexpansion-dr-pilot + namespace: {{ .Release.Namespace }} + labels: + release: {{ .Release.Name }} +spec: + host: pilot.{{ .Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }} + trafficPolicy: + portLevelSettings: + - port: + number: 15011 + tls: + mode: DISABLE + {{- end }} {{- end }} 
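Review bot: In the new non-istiod branch the VirtualService routes port 15011 to `host: istio-pilot.{{ .Values.global.istioNamespace }}.svc.{{ .Values.global.proxy.clusterDomain }}`, but the DestinationRule that is meant to disable TLS origination for that port is declared for `host: pilot.{{ .Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }}` — a different service name and a different namespace variable. Unless a service literally named `pilot` exists in the release namespace, the `tls: mode: DISABLE` setting never attaches to the destination the gateway actually sends to, so depending on the mesh's default TLS policy the gateway may wrap the already-TLS pilot connection a second time and mesh expansion on 15011 fails. The DR host should match the VS destination: `host: istio-pilot.{{ .Values.global.istioNamespace }}.svc.{{ .Values.global.proxy.clusterDomain }}`. The istiod branch above uses `.Release.Namespace` throughout, so whichever variable is intended should also be used consistently within this branch.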
diff --git a/manifests/global.yaml b/manifests/global.yaml index 8b40114ef7a..965b55da7fd 100644 --- a/manifests/global.yaml +++ b/manifests/global.yaml @@ -560,13 +560,11 @@ global: # webhook configurations. When this option is set as false, webhooks manage their # own webhook configurations. operatorManageWebhooks: false - istioRemote: false # Settings for remote cluster. createRemoteSvcEndpoints: false # configure remote pilot and istiod service and endpoint - remotePilotCreateSvcEndpoint: false remotePolicyAddress: "" remotePilotAddress: "" remoteTelemetryAddress: "" diff --git a/manifests/istio-control/istio-autoinject/templates/configmap.yaml b/manifests/istio-control/istio-autoinject/templates/configmap.yaml index 55f28fabd0a..172ff090761 100644 --- a/manifests/istio-control/istio-autoinject/templates/configmap.yaml +++ b/manifests/istio-control/istio-autoinject/templates/configmap.yaml @@ -99,7 +99,7 @@ data: controlPlaneAuthPolicy: MUTUAL_TLS # # Address where istio Pilot service is running - {{- if or .Values.global.remotePilotCreateSvcEndpoint .Values.global.createRemoteSvcEndpoints }} + {{- if .Values.global.remotePilotAddress }} discoveryAddress: {{ $defPilotHostname }}:15011 {{- else }} discoveryAddress: {{ $pilotAddress }}:15011 @@ -110,7 +110,7 @@ data: controlPlaneAuthPolicy: NONE # # Address where istio Pilot service is running - {{- if or .Values.global.remotePilotCreateSvcEndpoint .Values.global.createRemoteSvcEndpoints }} + {{- if .Values.global.remotePilotAddress }} discoveryAddress: {{ $defPilotHostname }}:15010 {{- else }} discoveryAddress: {{ $pilotAddress }}:15010 diff --git a/manifests/istio-control/istio-discovery/templates/configmap.yaml b/manifests/istio-control/istio-discovery/templates/configmap.yaml index f25ea8402c9..c03de8bb170 100644 --- a/manifests/istio-control/istio-discovery/templates/configmap.yaml +++ b/manifests/istio-control/istio-discovery/templates/configmap.yaml 
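Review bot: Deleting `istioRemote` and `remotePilotCreateSvcEndpoint` from global.yaml removes the explicit opt-in that previously controlled creation of the remote pilot Service/Endpoints and the remote mixer addresses; after this commit the same behaviour is keyed solely on `remotePilotAddress` (and `remotePolicyAddress`) being non-empty, as the helm and manifests template hunks on lines 3-6 and 9 show. Overlays that still set the removed keys will either be ignored or fail value validation, and overlays that set only `remotePilotAddress` will start rendering resources they did not render before. A short note next to the surviving `remotePilotAddress: ""` would make the new contract visible, e.g. `# Setting this alone now creates the istiod-remote Service/Endpoints and points proxies' discoveryAddress at it (replaces istioRemote / remotePilotCreateSvcEndpoint).` Whether a release-notes entry exists for the removal is not visible from the patch.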
@@ -36,8 +36,6 @@ data: enableEnvoyAccessLogService: {{ .Values.global.proxy.envoyAccessLogService.enabled }} - {{- if .Values.global.istioRemote }} - {{- if .Values.global.remotePolicyAddress }} {{- if .Values.global.createRemoteSvcEndpoints }} mixerCheckServer: istio-policy.{{ .Release.Namespace }}:15004 @@ -51,7 +49,6 @@ data: {{- else }} mixerReportServer: {{ .Values.global.remoteTelemetryAddress }}:15004 {{- end }} - {{- end }} {{- else }} @@ -73,7 +70,7 @@ data: {{- end }} - {{- if or .Values.mixer.policy.enabled (and .Values.global.istioRemote .Values.global.remotePolicyAddress) }} + {{- if or .Values.mixer.policy.enabled .Values.global.remotePolicyAddress }} # policyCheckFailOpen allows traffic in cases when the mixer policy service cannot be reached. # Default is false which means the traffic is denied when the client is unable to connect to Mixer. policyCheckFailOpen: {{ .Values.global.policyCheckFailOpen }} @@ -284,7 +281,7 @@ data: # controlPlaneAuthPolicy is for mounted secrets, will wait for the files. controlPlaneAuthPolicy: NONE {{- if .Values.global.remotePilotAddress }} - discoveryAddress: {{ .Values.global.remotePilotAddress }} + discoveryAddress: {{ printf "istiod-remote.%s.svc" .Release.Namespace }}:15012 {{- else }} discoveryAddress: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{.Release.Namespace}}.svc:15012 {{- end }} @@ -295,7 +292,7 @@ data: controlPlaneAuthPolicy: MUTUAL_TLS # # Address where istio Pilot service is running - {{- if or .Values.global.remotePilotCreateSvcEndpoint .Values.global.createRemoteSvcEndpoints }} + {{- if .Values.global.remotePilotAddress }} discoveryAddress: istio-pilot.{{ .Release.Namespace }}:15011 {{- else }} discoveryAddress: {{ $pilotAddress }}:15011 
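Review bot: The new `discoveryAddress: {{ printf "istiod-remote.%s.svc" .Release.Namespace }}:15012` makes every sidecar in the remote cluster validate the control-plane certificate against a hostname built from the remote cluster's release namespace, while the commit message says the matching `istiod-remote` SAN is added on the istiod side from istiod's own namespace (that certcontroller.go hunk is not in this chunk). If the remote cluster is installed into a namespace other than the one the primary istiod runs in, the SAN and the expected hostname differ and the XDS TLS handshake fails with a name-mismatch error rather than anything that points at the namespace. That coupling should be stated at the point where the name is constructed, e.g. `# Must equal the istiod-remote SAN istiod puts in its serving cert, which is derived from istiod's own namespace: remote and primary control-plane namespaces have to agree.` Note also that the meshexpansion template in this same commit uses `.Values.global.istioNamespace` for the analogous hostname, so the two templates can disagree on the same value.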
@@ -306,7 +303,7 @@ data: controlPlaneAuthPolicy: NONE # # Address where istio Pilot service is running - {{- if or .Values.global.remotePilotCreateSvcEndpoint .Values.global.createRemoteSvcEndpoints }} + {{- if .Values.global.remotePilotAddress }} discoveryAddress: istio-pilot.{{ .Release.Namespace }}:15010 {{- else }} discoveryAddress: {{ $pilotAddress }}:15010 diff --git a/manifests/istio-control/istio-discovery/templates/deployment.yaml b/manifests/istio-control/istio-discovery/templates/deployment.yaml index e9ef5550e39..eb692e7637e 100644 --- a/manifests/istio-control/istio-discovery/templates/deployment.yaml +++ b/manifests/istio-control/istio-discovery/templates/deployment.yaml @@ -156,6 +156,8 @@ spec: - name: PILOT_EXTERNAL_GALLEY value: "false" {{- end }} + - name: CLUSTER_ID + value: "{{ $.Values.global.multiCluster.clusterName | default `Kubernetes` }}" resources: {{- if .Values.pilot.resources }} {{ toYaml .Values.pilot.resources | trim | indent 12 }} diff --git a/manifests/istio-telemetry/prometheus/templates/deployment.yaml b/manifests/istio-telemetry/prometheus/templates/deployment.yaml index 8cfa4299126..98b7107959d 100644 --- a/manifests/istio-telemetry/prometheus/templates/deployment.yaml +++ b/manifests/istio-telemetry/prometheus/templates/deployment.yaml @@ -186,6 +186,8 @@ spec: - name: ISTIO_META_MESH_ID value: "{{ .Values.global.trustDomain }}" {{- end }} + - name: ISTIO_META_CLUSTER_ID + value: "{{ .Values.global.multiCluster.clusterName | default `Kubernetes` }}" imagePullPolicy: {{ .Values.global.imagePullPolicy | default "Always" }} readinessProbe: failureThreshold: 30 diff --git a/operator/cmd/mesh/testdata/manifest-generate/output/all_on.yaml b/operator/cmd/mesh/testdata/manifest-generate/output/all_on.yaml index 64c8db15287..9ad39e49a6e 100644 --- a/operator/cmd/mesh/testdata/manifest-generate/output/all_on.yaml +++ b/operator/cmd/mesh/testdata/manifest-generate/output/all_on.yaml 
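Review bot: The istio-discovery deployment sets `CLUSTER_ID` to `{{ $.Values.global.multiCluster.clusterName | default `Kubernetes` }}`, and the prometheus deployment hunk on this same line sets `ISTIO_META_CLUSTER_ID` with the identical fallback, so in a multicluster install where `multiCluster.clusterName` is left empty every cluster identifies itself as `Kubernetes`; any logic that keys endpoints or registries on the cluster ID (the aggregate controller and ep_filters changes listed in the diffstat are not visible here) would then be unable to tell the clusters apart. The literal `Kubernetes` is now duplicated across two templates with no shared source of truth. I would add a comment at the env entry, `# Must be unique per cluster in a multicluster mesh; the Kubernetes default is only safe for a single-cluster install.`, and consider whether the remote profile should require a non-empty clusterName. Minor style point: the discovery template reaches for `$.Values` while the prometheus one uses `.Values`; both resolve the same here, so one form should be used.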
@@ -674,6 +674,8 @@ spec: fieldPath: metadata.namespace - name: ISTIO_META_MESH_ID value: "cluster.local" + - name: ISTIO_META_CLUSTER_ID + value: "Kubernetes" imagePullPolicy: IfNotPresent readinessProbe: failureThreshold: 30 @@ -7569,6 +7571,7 @@ spec: - containerPort: 15032 - containerPort: 15443 - containerPort: 15011 + - containerPort: 15012 - containerPort: 8060 - containerPort: 853 - containerPort: 15090 @@ -8549,6 +8552,8 @@ spec: value: istiod.istio-system.svc:15012 - name: PILOT_EXTERNAL_GALLEY value: "false" + - name: CLUSTER_ID + value: Kubernetes envFrom: - configMapRef: name: istiod 
@@ -10552,7 +10557,7 @@ metadata: istio: sidecar-injector data: values: |- - {"certmanager":{"enabled":false,"namespace":"istio-system"},"clusterResources":true,"cni":{"namespace":"istio-system"},"galley":{"enableAnalysis":false,"enabled":true,"image":"galley","namespace":"istio-system"},"gateways":{"istio-egressgateway":{"autoscaleEnabled":true,"env":{"ISTIO_META_ROUTER_MODE":"sni-dnat"},"name":"istio-egressgateway","ports":[{"name":"http2","port":80},{"name":"https","port":443},{"name":"tls","port":15443,"targetPort":15443}],"secretVolumes":[{"mountPath":"/etc/istio/egressgateway-certs","name":"egressgateway-certs","secretName":"istio-egressgateway-certs"},{"mountPath":"/etc/istio/egressgateway-ca-certs","name":"egressgateway-ca-certs","secretName":"istio-egressgateway-ca-certs"}],"type":"ClusterIP"},"istio-ingressgateway":{"applicationPorts":"","autoscaleEnabled":true,"debug":"info","domain":"","env":{"ISTIO_META_ROUTER_MODE":"sni-dnat"},"meshExpansionPorts":[{"name":"tcp-pilot-grpc-tls","port":15011,"targetPort":15011},{"name":"tcp-citadel-grpc-tls","port":8060,"targetPort":8060},{"name":"tcp-dns-tls","port":853,"targetPort":853}],"name":"istio-ingressgateway","ports":[{"name":"status-port","port":15020,"targetPort":15020},{"name":"http2","port":80,"targetPort":80},{"name":"https","port":443},{"name":"kiali","port":15029,"targetPort":15029},{"name":"prometheus","port":15030,"targetPort":15030},{"name":"grafana","port":15031,"targetPort":15031},{"name":"tracing","port":15032,"targetPort":15032},{"name":"tls","port":15443,"targetPort":15443}],"sds":{"enabled":false,"image":"node-agent-k8s","resources":{"limits":{"cpu":"2000m","memory":"1024Mi"},"requests":{"cpu":"100m","memory":"128Mi"}}},"secretVolumes":[{"mountPath":"/etc/istio/ingressgateway-certs","name":"ingressgateway-certs","secretName":"istio-ingressgateway-certs"},{"mountPath":"/etc/istio/ingressgateway-ca-certs","name":"ingressgateway-ca-certs","secretName":"istio-ingressgateway-ca-certs"}],"type":"LoadB
alancer","zvpn":{"enabled":false,"suffix":"global"}}},"global":{"arch":{"amd64":2,"ppc64le":2,"s390x":2},"certificates":[],"configNamespace":"istio-system","configValidation":true,"controlPlaneSecurityEnabled":true,"defaultNodeSelector":{},"defaultPodDisruptionBudget":{"enabled":true},"defaultResources":{"requests":{"cpu":"10m"}},"disablePolicyChecks":true,"enableHelmTest":false,"enableTracing":true,"enabled":true,"hub":"gcr.io/istio-testing","imagePullPolicy":"IfNotPresent","imagePullSecrets":[],"istioNamespace":"istio-system","istiod":{"enabled":true},"jwtPolicy":"third-party-jwt","k8sIngress":{"enableHttps":false,"enabled":false,"gatewayName":"ingressgateway"},"localityLbSetting":{"enabled":true},"logAsJson":false,"logging":{"level":"default:info"},"meshExpansion":{"enabled":false,"useILB":false},"meshNetworks":{},"mountMtlsCerts":false,"mtls":{"auto":true,"enabled":false},"multiCluster":{"clusterName":"","enabled":false},"namespace":"istio-system","network":"","omitSidecarInjectorConfigMap":false,"oneNamespace":false,"operatorManageWebhooks":false,"outboundTrafficPolicy":{"mode":"ALLOW_ANY"},"pilotCertProvider":"istiod","policyCheckFailOpen":false,"policyNamespace":"istio-system","priorityClassName":"","prometheusNamespace":"istio-system","proxy":{"accessLogEncoding":"TEXT","accessLogFile":"","accessLogFormat":"","autoInject":"enabled","clusterDomain":"cluster.local","componentLogLevel":"misc:error","concurrency":2,"dnsRefreshRate":"300s","enableCoreDump":false,"envoyAccessLogService":{"enabled":false},"envoyMetricsService":{"enabled":false,"tcpKeepalive":{"interval":"10s","probes":3,"time":"10s"},"tlsSettings":{"mode":"DISABLE","subjectAltNames":[]}},"envoyStatsd":{"enabled":false},"excludeIPRanges":"","excludeInboundPorts":"","excludeOutboundPorts":"","image":"proxyv2","includeIPRanges":"*","includeInboundPorts":"*","kubevirtInterfaces":"","logLevel":"warning","privileged":false,"protocolDetectionTimeout":"100ms","readinessFailureThreshold":30,"readinessInitia
lDelaySeconds":1,"readinessPeriodSeconds":2,"resources":{"limits":{"cpu":"2000m","memory":"1024Mi"},"requests":{"cpu":"100m","memory":"128Mi"}},"statusPort":15020,"tracer":"zipkin"},"proxy_init":{"image":"proxyv2","resources":{"limits":{"cpu":"100m","memory":"50Mi"},"requests":{"cpu":"10m","memory":"10Mi"}}},"sds":{"enabled":false,"token":{"aud":"istio-ca"},"udsPath":""},"securityNamespace":"istio-system","sts":{"servicePort":0},"tag":"latest","telemetryNamespace":"istio-system","tracer":{"datadog":{"address":"$(HOST_IP):8126"},"lightstep":{"accessToken":"","address":"","cacertPath":"","secure":true},"stackdriver":{"debug":false,"maxNumberOfAnnotations":200,"maxNumberOfAttributes":200,"maxNumberOfMessageEvents":200},"zipkin":{"address":""}},"trustDomain":"cluster.local","useMCP":false},"grafana":{"accessMode":"ReadWriteMany","contextPath":"/grafana","dashboardProviders":{"dashboardproviders.yaml":{"apiVersion":1,"providers":[{"disableDeletion":false,"folder":"istio","name":"istio","options":{"path":"/var/lib/grafana/dashboards/istio"},"orgId":1,"type":"file"}]}},"datasources":{"datasources.yaml":{"apiVersion":1}},"enabled":false,"env":{},"envSecrets":{},"image":{"repository":"grafana/grafana","tag":"6.5.2"},"ingress":{"enabled":false,"hosts":["grafana.local"]},"namespace":"istio-system","nodeSelector":{},"persist":false,"podAntiAffinityLabelSelector":[],"podAntiAffinityTermLabelSelector":[],"security":{"enabled":false,"passphraseKey":"passphrase","secretName":"grafana","usernameKey":"username"},"service":{"annotations":{},"externalPort":3000,"name":"http","type":"ClusterIP"},"storageClassName":"","tolerations":[]},"istio_cni":{"enabled":false},"istiocoredns":{"coreDNSImage":"coredns/coredns","coreDNSPluginImage":"istio/coredns-plugin:0.2-istio-1.1","coreDNSTag":"1.6.2","enabled":false,"namespace":"istio-system"},"kiali":{"contextPath":"/kiali","createDemoSecret":false,"dashboard":{"grafanaInClusterURL":"http://grafana:3000","jaegerInClusterURL":"http://tracing/jaege
r","passphraseKey":"passphrase","secretName":"kiali","usernameKey":"username","viewOnlyMode":false},"enabled":false,"hub":"quay.io/kiali","ingress":{"enabled":false,"hosts":["kiali.local"]},"namespace":"istio-system","nodeSelector":{},"podAntiAffinityLabelSelector":[],"podAntiAffinityTermLabelSelector":[],"security":{"cert_file":"/kiali-cert/cert-chain.pem","enabled":false,"private_key_file":"/kiali-cert/key.pem"},"tag":"v1.14"},"mixer":{"adapters":{"kubernetesenv":{"enabled":true},"prometheus":{"enabled":true,"metricsExpiryDuration":"10m"},"stackdriver":{"auth":{"apiKey":"","appCredentials":false,"serviceAccountPath":""},"enabled":false,"tracer":{"enabled":false,"sampleProbability":1}},"stdio":{"enabled":false,"outputAsJson":false},"useAdapterCRDs":false},"policy":{"adapters":{"kubernetesenv":{"enabled":true},"useAdapterCRDs":false},"autoscaleEnabled":true,"enabled":true,"image":"mixer","namespace":"istio-system","sessionAffinityEnabled":false},"telemetry":{"autoscaleEnabled":true,"enabled":true,"env":{"GOMAXPROCS":"6"},"image":"mixer","loadshedding":{"latencyThreshold":"100ms","mode":"enforce"},"namespace":"istio-system","nodeSelector":{},"podAntiAffinityLabelSelector":[],"podAntiAffinityTermLabelSelector":[],"replicaCount":1,"reportBatchMaxEntries":100,"reportBatchMaxTime":"1s","sessionAffinityEnabled":false,"tolerations":[]}},"nodeagent":{"enabled":false,"image":"node-agent-k8s","namespace":"istio-system"},"pilot":{"appNamespaces":[],"autoscaleEnabled":true,"autoscaleMax":5,"autoscaleMin":1,"configMap":true,"configNamespace":"istio-config","cpu":{"targetAverageUtilization":80},"enableProtocolSniffingForInbound":false,"enableProtocolSniffingForOutbound":true,"enabled":true,"env":{},"image":"pilot","ingress":{"ingressClass":"istio","ingressControllerMode":"STRICT","ingressService":"istio-ingressgateway"},"keepaliveMaxServerConnectionAge":"30m","meshNetworks":{"networks":{}},"namespace":"istio-system","nodeSelector":{},"podAntiAffinityLabelSelector":[],"podAntiAffi
nityTermLabelSelector":[],"policy":{"enabled":false},"replicaCount":1,"tolerations":[],"traceSampling":1},"prometheus":{"contextPath":"/prometheus","enabled":false,"hub":"docker.io/prom","ingress":{"enabled":false,"hosts":["prometheus.local"]},"namespace":"istio-system","nodeSelector":{},"podAntiAffinityLabelSelector":[],"podAntiAffinityTermLabelSelector":[],"provisionPrometheusCert":true,"retention":"6h","scrapeInterval":"15s","security":{"enabled":true},"tag":"v2.15.1","tolerations":[]},"security":{"dnsCerts":{"istio-pilot-service-account.istio-control":"istio-pilot.istio-control"},"enableNamespacesByDefault":true,"enabled":true,"image":"citadel","namespace":"istio-system","selfSigned":true},"sidecarInjectorWebhook":{"alwaysInjectSelector":[],"enableNamespacesByDefault":false,"enabled":true,"hub":"","image":"sidecar_injector","injectLabel":"istio-injection","injectedAnnotations":{},"lifecycle":{},"namespace":"istio-system","neverInjectSelector":[],"nodeSelector":{},"objectSelector":{"autoInject":true,"enabled":false},"podAnnotations":{},"podAntiAffinityLabelSelector":[],"podAntiAffinityTermLabelSelector":[],"replicaCount":1,"resources":{},"rewriteAppHTTPProbe":false,"rollingMaxSurge":"100%","rollingMaxUnavailable":"25%","selfSigned":false,"tag":"","tolerations":[]},"telemetry":{"enabled":true,"v1":{"enabled":false},"v2":{"enabled":true,"prometheus":{"enabled":true},"stackdriver":{"configOverride":{},"enabled":false,"logging":false,"monitoring":false,"topology":false}}},"tracing":{"ingress":{"enabled":false},"jaeger":{"accessMode":"ReadWriteMany","enabled":false,"hub":"docker.io/jaegertracing","memory":{"max_traces":50000},"namespace":"istio-system","persist":false,"spanStorageType":"badger","storageClassName":"","tag":"1.16"},"nodeSelector":{},"opencensus":{"exporters":{"stackdriver":{"enable_tracing":true}},"hub":"docker.io/omnition","resources":{"limits":{"cpu":"1","memory":"2Gi"},"requests":{"cpu":"200m","memory":"400Mi"}},"tag":"0.1.9"},"podAntiAffinityLabelSe
lector":[],"podAntiAffinityTermLabelSelector":[],"provider":"jaeger","service":{"annotations":{},"externalPort":9411,"name":"http-query","type":"ClusterIP"},"zipkin":{"hub":"docker.io/openzipkin","javaOptsHeap":700,"maxSpans":500000,"node":{"cpus":2},"probeStartupDelay":200,"queryPort":9411,"resources":{"limits":{"cpu":"300m","memory":"900Mi"},"requests":{"cpu":"150m","memory":"900Mi"}},"tag":"2.14.2"}},"version":""} + {"certmanager":{"enabled":false,"namespace":"istio-system"},"clusterResources":true,"cni":{"namespace":"istio-system"},"galley":{"enableAnalysis":false,"enabled":true,"image":"galley","namespace":"istio-system"},"gateways":{"istio-egressgateway":{"autoscaleEnabled":true,"env":{"ISTIO_META_ROUTER_MODE":"sni-dnat"},"name":"istio-egressgateway","ports":[{"name":"http2","port":80},{"name":"https","port":443},{"name":"tls","port":15443,"targetPort":15443}],"secretVolumes":[{"mountPath":"/etc/istio/egressgateway-certs","name":"egressgateway-certs","secretName":"istio-egressgateway-certs"},{"mountPath":"/etc/istio/egressgateway-ca-certs","name":"egressgateway-ca-certs","secretName":"istio-egressgateway-ca-certs"}],"type":"ClusterIP"},"istio-ingressgateway":{"applicationPorts":"","autoscaleEnabled":true,"debug":"info","domain":"","env":{"ISTIO_META_ROUTER_MODE":"sni-dnat"},"meshExpansionPorts":[{"name":"tcp-pilot-grpc-tls","port":15011,"targetPort":15011},{"name":"tcp-istiod","port":15012,"targetPort":15012},{"name":"tcp-citadel-grpc-tls","port":8060,"targetPort":8060},{"name":"tcp-dns-tls","port":853,"targetPort":853}],"name":"istio-ingressgateway","ports":[{"name":"status-port","port":15020,"targetPort":15020},{"name":"http2","port":80,"targetPort":80},{"name":"https","port":443},{"name":"kiali","port":15029,"targetPort":15029},{"name":"prometheus","port":15030,"targetPort":15030},{"name":"grafana","port":15031,"targetPort":15031},{"name":"tracing","port":15032,"targetPort":15032},{"name":"tls","port":15443,"targetPort":15443}],"sds":{"enabled":false,"image
":"node-agent-k8s","resources":{"limits":{"cpu":"2000m","memory":"1024Mi"},"requests":{"cpu":"100m","memory":"128Mi"}}},"secretVolumes":[{"mountPath":"/etc/istio/ingressgateway-certs","name":"ingressgateway-certs","secretName":"istio-ingressgateway-certs"},{"mountPath":"/etc/istio/ingressgateway-ca-certs","name":"ingressgateway-ca-certs","secretName":"istio-ingressgateway-ca-certs"}],"type":"LoadBalancer","zvpn":{"enabled":false,"suffix":"global"}}},"global":{"arch":{"amd64":2,"ppc64le":2,"s390x":2},"certificates":[],"configNamespace":"istio-system","configValidation":true,"controlPlaneSecurityEnabled":true,"defaultNodeSelector":{},"defaultPodDisruptionBudget":{"enabled":true},"defaultResources":{"requests":{"cpu":"10m"}},"disablePolicyChecks":true,"enableHelmTest":false,"enableTracing":true,"enabled":true,"hub":"gcr.io/istio-testing","imagePullPolicy":"IfNotPresent","imagePullSecrets":[],"istioNamespace":"istio-system","istiod":{"enabled":true},"jwtPolicy":"third-party-jwt","k8sIngress":{"enableHttps":false,"enabled":false,"gatewayName":"ingressgateway"},"localityLbSetting":{"enabled":true},"logAsJson":false,"logging":{"level":"default:info"},"meshExpansion":{"enabled":false,"useILB":false},"meshNetworks":{},"mountMtlsCerts":false,"mtls":{"auto":true,"enabled":false},"multiCluster":{"clusterName":"","enabled":false},"namespace":"istio-system","network":"","omitSidecarInjectorConfigMap":false,"oneNamespace":false,"operatorManageWebhooks":false,"outboundTrafficPolicy":{"mode":"ALLOW_ANY"},"pilotCertProvider":"istiod","policyCheckFailOpen":false,"policyNamespace":"istio-system","priorityClassName":"","prometheusNamespace":"istio-system","proxy":{"accessLogEncoding":"TEXT","accessLogFile":"","accessLogFormat":"","autoInject":"enabled","clusterDomain":"cluster.local","componentLogLevel":"misc:error","concurrency":2,"dnsRefreshRate":"300s","enableCoreDump":false,"envoyAccessLogService":{"enabled":false},"envoyMetricsService":{"enabled":false,"tcpKeepalive":{"interval":"1
0s","probes":3,"time":"10s"},"tlsSettings":{"mode":"DISABLE","subjectAltNames":[]}},"envoyStatsd":{"enabled":false},"excludeIPRanges":"","excludeInboundPorts":"","excludeOutboundPorts":"","image":"proxyv2","includeIPRanges":"*","includeInboundPorts":"*","kubevirtInterfaces":"","logLevel":"warning","privileged":false,"protocolDetectionTimeout":"100ms","readinessFailureThreshold":30,"readinessInitialDelaySeconds":1,"readinessPeriodSeconds":2,"resources":{"limits":{"cpu":"2000m","memory":"1024Mi"},"requests":{"cpu":"100m","memory":"128Mi"}},"statusPort":15020,"tracer":"zipkin"},"proxy_init":{"image":"proxyv2","resources":{"limits":{"cpu":"100m","memory":"50Mi"},"requests":{"cpu":"10m","memory":"10Mi"}}},"sds":{"enabled":false,"token":{"aud":"istio-ca"},"udsPath":""},"securityNamespace":"istio-system","sts":{"servicePort":0},"tag":"latest","telemetryNamespace":"istio-system","tracer":{"datadog":{"address":"$(HOST_IP):8126"},"lightstep":{"accessToken":"","address":"","cacertPath":"","secure":true},"stackdriver":{"debug":false,"maxNumberOfAnnotations":200,"maxNumberOfAttributes":200,"maxNumberOfMessageEvents":200},"zipkin":{"address":""}},"trustDomain":"cluster.local","useMCP":false},"grafana":{"accessMode":"ReadWriteMany","contextPath":"/grafana","dashboardProviders":{"dashboardproviders.yaml":{"apiVersion":1,"providers":[{"disableDeletion":false,"folder":"istio","name":"istio","options":{"path":"/var/lib/grafana/dashboards/istio"},"orgId":1,"type":"file"}]}},"datasources":{"datasources.yaml":{"apiVersion":1}},"enabled":false,"env":{},"envSecrets":{},"image":{"repository":"grafana/grafana","tag":"6.5.2"},"ingress":{"enabled":false,"hosts":["grafana.local"]},"namespace":"istio-system","nodeSelector":{},"persist":false,"podAntiAffinityLabelSelector":[],"podAntiAffinityTermLabelSelector":[],"security":{"enabled":false,"passphraseKey":"passphrase","secretName":"grafana","usernameKey":"username"},"service":{"annotations":{},"externalPort":3000,"name":"http","type":"ClusterIP"
},"storageClassName":"","tolerations":[]},"istio_cni":{"enabled":false},"istiocoredns":{"coreDNSImage":"coredns/coredns","coreDNSPluginImage":"istio/coredns-plugin:0.2-istio-1.1","coreDNSTag":"1.6.2","enabled":false,"namespace":"istio-system"},"kiali":{"contextPath":"/kiali","createDemoSecret":false,"dashboard":{"grafanaInClusterURL":"http://grafana:3000","jaegerInClusterURL":"http://tracing/jaeger","passphraseKey":"passphrase","secretName":"kiali","usernameKey":"username","viewOnlyMode":false},"enabled":false,"hub":"quay.io/kiali","ingress":{"enabled":false,"hosts":["kiali.local"]},"namespace":"istio-system","nodeSelector":{},"podAntiAffinityLabelSelector":[],"podAntiAffinityTermLabelSelector":[],"security":{"cert_file":"/kiali-cert/cert-chain.pem","enabled":false,"private_key_file":"/kiali-cert/key.pem"},"tag":"v1.14"},"mixer":{"adapters":{"kubernetesenv":{"enabled":true},"prometheus":{"enabled":true,"metricsExpiryDuration":"10m"},"stackdriver":{"auth":{"apiKey":"","appCredentials":false,"serviceAccountPath":""},"enabled":false,"tracer":{"enabled":false,"sampleProbability":1}},"stdio":{"enabled":false,"outputAsJson":false},"useAdapterCRDs":false},"policy":{"adapters":{"kubernetesenv":{"enabled":true},"useAdapterCRDs":false},"autoscaleEnabled":true,"enabled":true,"image":"mixer","namespace":"istio-system","sessionAffinityEnabled":false},"telemetry":{"autoscaleEnabled":true,"enabled":true,"env":{"GOMAXPROCS":"6"},"image":"mixer","loadshedding":{"latencyThreshold":"100ms","mode":"enforce"},"namespace":"istio-system","nodeSelector":{},"podAntiAffinityLabelSelector":[],"podAntiAffinityTermLabelSelector":[],"replicaCount":1,"reportBatchMaxEntries":100,"reportBatchMaxTime":"1s","sessionAffinityEnabled":false,"tolerations":[]}},"nodeagent":{"enabled":false,"image":"node-agent-k8s","namespace":"istio-system"},"pilot":{"appNamespaces":[],"autoscaleEnabled":true,"autoscaleMax":5,"autoscaleMin":1,"configMap":true,"configNamespace":"istio-config","cpu":{"targetAverageUtilizati
on":80},"enableProtocolSniffingForInbound":false,"enableProtocolSniffingForOutbound":true,"enabled":true,"env":{},"image":"pilot","ingress":{"ingressClass":"istio","ingressControllerMode":"STRICT","ingressService":"istio-ingressgateway"},"keepaliveMaxServerConnectionAge":"30m","meshNetworks":{"networks":{}},"namespace":"istio-system","nodeSelector":{},"podAntiAffinityLabelSelector":[],"podAntiAffinityTermLabelSelector":[],"policy":{"enabled":false},"replicaCount":1,"tolerations":[],"traceSampling":1},"prometheus":{"contextPath":"/prometheus","enabled":false,"hub":"docker.io/prom","ingress":{"enabled":false,"hosts":["prometheus.local"]},"namespace":"istio-system","nodeSelector":{},"podAntiAffinityLabelSelector":[],"podAntiAffinityTermLabelSelector":[],"provisionPrometheusCert":true,"retention":"6h","scrapeInterval":"15s","security":{"enabled":true},"tag":"v2.15.1","tolerations":[]},"security":{"dnsCerts":{"istio-pilot-service-account.istio-control":"istio-pilot.istio-control"},"enableNamespacesByDefault":true,"enabled":true,"image":"citadel","namespace":"istio-system","selfSigned":true},"sidecarInjectorWebhook":{"alwaysInjectSelector":[],"enableNamespacesByDefault":false,"enabled":true,"hub":"","image":"sidecar_injector","injectLabel":"istio-injection","injectedAnnotations":{},"lifecycle":{},"namespace":"istio-system","neverInjectSelector":[],"nodeSelector":{},"objectSelector":{"autoInject":true,"enabled":false},"podAnnotations":{},"podAntiAffinityLabelSelector":[],"podAntiAffinityTermLabelSelector":[],"replicaCount":1,"resources":{},"rewriteAppHTTPProbe":false,"rollingMaxSurge":"100%","rollingMaxUnavailable":"25%","selfSigned":false,"tag":"","tolerations":[]},"telemetry":{"enabled":true,"v1":{"enabled":false},"v2":{"enabled":true,"prometheus":{"enabled":true},"stackdriver":{"configOverride":{},"enabled":false,"logging":false,"monitoring":false,"topology":false}}},"tracing":{"ingress":{"enabled":false},"jaeger":{"accessMode":"ReadWriteMany","enabled":false,"hub":"doc
ker.io/jaegertracing","memory":{"max_traces":50000},"namespace":"istio-system","persist":false,"spanStorageType":"badger","storageClassName":"","tag":"1.16"},"nodeSelector":{},"opencensus":{"exporters":{"stackdriver":{"enable_tracing":true}},"hub":"docker.io/omnition","resources":{"limits":{"cpu":"1","memory":"2Gi"},"requests":{"cpu":"200m","memory":"400Mi"}},"tag":"0.1.9"},"podAntiAffinityLabelSelector":[],"podAntiAffinityTermLabelSelector":[],"provider":"jaeger","service":{"annotations":{},"externalPort":9411,"name":"http-query","type":"ClusterIP"},"zipkin":{"hub":"docker.io/openzipkin","javaOptsHeap":700,"maxSpans":500000,"node":{"cpus":2},"probeStartupDelay":200,"queryPort":9411,"resources":{"limits":{"cpu":"300m","memory":"900Mi"},"requests":{"cpu":"150m","memory":"900Mi"}},"tag":"2.14.2"}},"version":""} config: |- policy: enabled diff --git a/operator/cmd/mesh/testdata/manifest-generate/output/component_hub_tag.yaml b/operator/cmd/mesh/testdata/manifest-generate/output/component_hub_tag.yaml index 41ec0ee70f8..a10f75976ee 100644 --- a/operator/cmd/mesh/testdata/manifest-generate/output/component_hub_tag.yaml +++ b/operator/cmd/mesh/testdata/manifest-generate/output/component_hub_tag.yaml @@ -431,6 +431,8 @@ spec: fieldPath: metadata.namespace - name: ISTIO_META_MESH_ID value: "cluster.local" + - name: ISTIO_META_CLUSTER_ID + value: "Kubernetes" imagePullPolicy: IfNotPresent readinessProbe: failureThreshold: 30 @@ -6707,6 +6709,7 @@ spec: - containerPort: 15032 - containerPort: 15443 - containerPort: 15011 + - containerPort: 15012 - containerPort: 8060 - containerPort: 853 - containerPort: 15090 @@ -7615,6 +7618,8 @@ spec: value: istiod.istio-system.svc:15012 - name: PILOT_EXTERNAL_GALLEY value: "false" + - name: CLUSTER_ID + value: Kubernetes envFrom: - configMapRef: name: istiod 
diff --git a/operator/cmd/mesh/testdata/manifest-generate/output/flag_force.yaml b/operator/cmd/mesh/testdata/manifest-generate/output/flag_force.yaml index 960c1a73e7f..f8a5c34176e 100644 --- a/operator/cmd/mesh/testdata/manifest-generate/output/flag_force.yaml +++ b/operator/cmd/mesh/testdata/manifest-generate/output/flag_force.yaml @@ -635,6 +635,8 @@ spec: value: istiod.istio-system.svc:15012 - name: PILOT_EXTERNAL_GALLEY value: "false" + - name: CLUSTER_ID + value: Kubernetes envFrom: - configMapRef: name: istiod diff --git a/operator/cmd/mesh/testdata/manifest-generate/output/flag_output.yaml b/operator/cmd/mesh/testdata/manifest-generate/output/flag_output.yaml index edec7754056..7cbe2af80cd 100644 --- a/operator/cmd/mesh/testdata/manifest-generate/output/flag_output.yaml +++ b/operator/cmd/mesh/testdata/manifest-generate/output/flag_output.yaml @@ -633,6 +633,8 @@ spec: value: istiod.istio-system.svc:15012 - name: PILOT_EXTERNAL_GALLEY value: "false" + - name: CLUSTER_ID + value: Kubernetes envFrom: - configMapRef: name: istiod diff --git a/operator/cmd/mesh/testdata/manifest-generate/output/flag_output_set_profile.yaml b/operator/cmd/mesh/testdata/manifest-generate/output/flag_output_set_profile.yaml index 23c5b5c2ca3..0f7edd98c67 100644 --- a/operator/cmd/mesh/testdata/manifest-generate/output/flag_output_set_profile.yaml +++ b/operator/cmd/mesh/testdata/manifest-generate/output/flag_output_set_profile.yaml @@ -6462,6 +6462,8 @@ spec: value: istiod.istio-system.svc:15012 - name: PILOT_EXTERNAL_GALLEY value: "false" + - name: CLUSTER_ID + value: Kubernetes envFrom: - configMapRef: name: istiod diff --git a/operator/cmd/mesh/testdata/manifest-generate/output/flag_output_set_values.yaml b/operator/cmd/mesh/testdata/manifest-generate/output/flag_output_set_values.yaml index 4579c12d4fd..7534abaf455 100644 --- a/operator/cmd/mesh/testdata/manifest-generate/output/flag_output_set_values.yaml 
+++ b/operator/cmd/mesh/testdata/manifest-generate/output/flag_output_set_values.yaml @@ -6185,6 +6185,8 @@ spec: fieldPath: metadata.namespace - name: ISTIO_META_MESH_ID value: "cluster.local" + - name: ISTIO_META_CLUSTER_ID + value: "Kubernetes" imagePullPolicy: IfNotPresent readinessProbe: failureThreshold: 30 @@ -6497,6 +6499,7 @@ spec: - containerPort: 15032 - containerPort: 15443 - containerPort: 15011 + - containerPort: 15012 - containerPort: 8060 - containerPort: 853 - containerPort: 15090 @@ -7403,6 +7406,8 @@ spec: value: istiod.istio-system.svc:15012 - name: PILOT_EXTERNAL_GALLEY value: "false" + - name: CLUSTER_ID + value: Kubernetes envFrom: - configMapRef: name: istiod diff --git a/operator/cmd/mesh/testdata/manifest-generate/output/flag_override_values.yaml b/operator/cmd/mesh/testdata/manifest-generate/output/flag_override_values.yaml index 067e4a08e0b..44505f3fe74 100644 --- a/operator/cmd/mesh/testdata/manifest-generate/output/flag_override_values.yaml +++ b/operator/cmd/mesh/testdata/manifest-generate/output/flag_override_values.yaml @@ -633,6 +633,8 @@ spec: value: istiod.istio-system.svc:15012 - name: PILOT_EXTERNAL_GALLEY value: "false" + - name: CLUSTER_ID + value: Kubernetes envFrom: - configMapRef: name: istiod diff --git a/operator/cmd/mesh/testdata/manifest-generate/output/flag_set_values.yaml b/operator/cmd/mesh/testdata/manifest-generate/output/flag_set_values.yaml index a559d0a865c..34cd3a858ca 100644 --- a/operator/cmd/mesh/testdata/manifest-generate/output/flag_set_values.yaml +++ b/operator/cmd/mesh/testdata/manifest-generate/output/flag_set_values.yaml @@ -431,6 +431,8 @@ spec: fieldPath: metadata.namespace - name: ISTIO_META_MESH_ID value: "cluster.local" + - name: ISTIO_META_CLUSTER_ID + value: "Kubernetes" imagePullPolicy: IfNotPresent readinessProbe: failureThreshold: 30 
@@ -6497,6 +6499,7 @@ spec: - containerPort: 15032 - containerPort: 15443 - containerPort: 15011 + - containerPort: 15012 - containerPort: 8060 - containerPort: 853 - containerPort: 15090 @@ -7405,6 +7408,8 @@ spec: value: istiod.istio-system.svc:15012 - name: PILOT_EXTERNAL_GALLEY value: "false" + - name: CLUSTER_ID + value: Kubernetes envFrom: - configMapRef: name: istiod diff --git a/operator/cmd/mesh/testdata/manifest-generate/output/gateways.yaml b/operator/cmd/mesh/testdata/manifest-generate/output/gateways.yaml index fe2d38f19f7..991e5ef8f0f 100644 --- a/operator/cmd/mesh/testdata/manifest-generate/output/gateways.yaml +++ b/operator/cmd/mesh/testdata/manifest-generate/output/gateways.yaml @@ -93,6 +93,7 @@ spec: - containerPort: 15032 - containerPort: 15443 - containerPort: 15011 + - containerPort: 15012 - containerPort: 8060 - containerPort: 853 - containerPort: 15090 @@ -509,6 +510,7 @@ spec: - containerPort: 15032 - containerPort: 15443 - containerPort: 15011 + - containerPort: 15012 - containerPort: 8060 - containerPort: 853 - containerPort: 15090 diff --git a/operator/cmd/mesh/testdata/manifest-generate/output/gateways_override_default.yaml b/operator/cmd/mesh/testdata/manifest-generate/output/gateways_override_default.yaml index 6d2f99c3e33..9cc6d63d70d 100644 --- a/operator/cmd/mesh/testdata/manifest-generate/output/gateways_override_default.yaml +++ b/operator/cmd/mesh/testdata/manifest-generate/output/gateways_override_default.yaml @@ -431,6 +431,8 @@ spec: fieldPath: metadata.namespace - name: ISTIO_META_MESH_ID value: "cluster.local" + - name: ISTIO_META_CLUSTER_ID + value: "Kubernetes" imagePullPolicy: IfNotPresent readinessProbe: failureThreshold: 30 @@ -630,6 +632,7 @@ spec: - containerPort: 15032 - containerPort: 15443 - containerPort: 15011 + - containerPort: 15012 - containerPort: 8060 - containerPort: 853 - containerPort: 15090 
diff --git a/operator/cmd/mesh/testdata/manifest-generate/output/ingressgateway_k8s_settings.yaml b/operator/cmd/mesh/testdata/manifest-generate/output/ingressgateway_k8s_settings.yaml index 6362b737dac..568ebff6c7c 100644 --- a/operator/cmd/mesh/testdata/manifest-generate/output/ingressgateway_k8s_settings.yaml +++ b/operator/cmd/mesh/testdata/manifest-generate/output/ingressgateway_k8s_settings.yaml @@ -47,6 +47,7 @@ spec: - containerPort: 15032 - containerPort: 15443 - containerPort: 15011 + - containerPort: 15012 - containerPort: 8060 - containerPort: 853 - containerPort: 15090 diff --git a/operator/cmd/mesh/testdata/manifest-generate/output/pilot_default.yaml b/operator/cmd/mesh/testdata/manifest-generate/output/pilot_default.yaml index eeecf046351..233165c68fc 100644 --- a/operator/cmd/mesh/testdata/manifest-generate/output/pilot_default.yaml +++ b/operator/cmd/mesh/testdata/manifest-generate/output/pilot_default.yaml @@ -633,6 +633,8 @@ spec: value: istiod.istio-system.svc:15012 - name: PILOT_EXTERNAL_GALLEY value: "false" + - name: CLUSTER_ID + value: Kubernetes envFrom: - configMapRef: name: istiod diff --git a/operator/cmd/mesh/testdata/manifest-generate/output/pilot_k8s_settings.yaml b/operator/cmd/mesh/testdata/manifest-generate/output/pilot_k8s_settings.yaml index 782accdc8e6..fd1d14d904a 100644 --- a/operator/cmd/mesh/testdata/manifest-generate/output/pilot_k8s_settings.yaml +++ b/operator/cmd/mesh/testdata/manifest-generate/output/pilot_k8s_settings.yaml @@ -637,6 +637,8 @@ spec: value: istiod.istio-control.svc:15012 - name: PILOT_EXTERNAL_GALLEY value: "false" + - name: CLUSTER_ID + value: Kubernetes envFrom: - configMapRef: name: istiod diff --git a/operator/cmd/mesh/testdata/manifest-generate/output/pilot_override_kubernetes.yaml b/operator/cmd/mesh/testdata/manifest-generate/output/pilot_override_kubernetes.yaml index 15be422c940..70fe888a4dc 100644 --- a/operator/cmd/mesh/testdata/manifest-generate/output/pilot_override_kubernetes.yaml 
+++ b/operator/cmd/mesh/testdata/manifest-generate/output/pilot_override_kubernetes.yaml @@ -102,6 +102,8 @@ spec: value: istiod.istio-control.svc:15012 - name: PILOT_EXTERNAL_GALLEY value: "false" + - name: CLUSTER_ID + value: Kubernetes envFrom: - configMapRef: name: istiod diff --git a/operator/cmd/mesh/testdata/manifest-generate/output/pilot_override_values.yaml b/operator/cmd/mesh/testdata/manifest-generate/output/pilot_override_values.yaml index be467e8121e..91617a486d9 100644 --- a/operator/cmd/mesh/testdata/manifest-generate/output/pilot_override_values.yaml +++ b/operator/cmd/mesh/testdata/manifest-generate/output/pilot_override_values.yaml @@ -102,6 +102,8 @@ spec: value: istiod.istio-control.svc:15012 - name: PILOT_EXTERNAL_GALLEY value: "false" + - name: CLUSTER_ID + value: Kubernetes envFrom: - configMapRef: name: istiod diff --git a/operator/cmd/mesh/testdata/manifest-generate/output/prometheus.yaml b/operator/cmd/mesh/testdata/manifest-generate/output/prometheus.yaml index 422068d574c..8c57ab07725 100644 --- a/operator/cmd/mesh/testdata/manifest-generate/output/prometheus.yaml +++ b/operator/cmd/mesh/testdata/manifest-generate/output/prometheus.yaml @@ -431,6 +431,8 @@ spec: fieldPath: metadata.namespace - name: ISTIO_META_MESH_ID value: "cluster.local" + - name: ISTIO_META_CLUSTER_ID + value: "Kubernetes" imagePullPolicy: IfNotPresent readinessProbe: failureThreshold: 30 diff --git a/operator/cmd/mesh/testdata/profile-dump/output/all_off.yaml b/operator/cmd/mesh/testdata/profile-dump/output/all_off.yaml index 0b6a0660756..39aa2f40ede 100644 --- a/operator/cmd/mesh/testdata/profile-dump/output/all_off.yaml +++ b/operator/cmd/mesh/testdata/profile-dump/output/all_off.yaml @@ -237,6 +237,9 @@ spec: - name: tcp-pilot-grpc-tls port: 15011 targetPort: 15011 + - name: tcp-istiod + port: 15012 + targetPort: 15012 - name: tcp-citadel-grpc-tls port: 8060 targetPort: 8060 
diff --git a/operator/data/profiles/default.yaml b/operator/data/profiles/default.yaml index 70c51ef32d3..7f35ab47581 100644 --- a/operator/data/profiles/default.yaml +++ b/operator/data/profiles/default.yaml @@ -537,6 +537,9 @@ spec: - port: 15011 targetPort: 15011 name: tcp-pilot-grpc-tls + - port: 15012 + targetPort: 15012 + name: tcp-istiod - port: 8060 targetPort: 8060 name: tcp-citadel-grpc-tls diff --git a/operator/data/profiles/remote.yaml b/operator/data/profiles/remote.yaml index 0f0107a072e..9c318a2a9c7 100644 --- a/operator/data/profiles/remote.yaml +++ b/operator/data/profiles/remote.yaml @@ -1,35 +1,6 @@ apiVersion: install.istio.io/v1alpha1 kind: IstioOperator spec: - components: - pilot: - enabled: true - policy: - enabled: false - telemetry: - enabled: false - proxy: - enabled: false - sidecarInjector: - enabled: false - citadel: - enabled: false - nodeAgent: - enabled: false - galley: - enabled: false - cni: - enabled: false - addonComponents: prometheus: - enabled: false - - values: - security: - createMeshPolicy: false - - global: - istioRemote: true - enableTracing: false - network: "" + enabled: false \ No newline at end of file diff --git a/operator/pkg/vfs/assets.gen.go b/operator/pkg/vfs/assets.gen.go index 0475235bd59..fdc731e0c48 100644 --- a/operator/pkg/vfs/assets.gen.go +++ b/operator/pkg/vfs/assets.gen.go @@ -6133,7 +6133,8 @@ func chartsBaseTemplatesCrdsYaml() (*asset, error) { return a, nil } -var _chartsBaseTemplatesEndpointsYaml = []byte(`{{- if or .Values.global.remotePilotCreateSvcEndpoint .Values.global.createRemoteSvcEndpoints }} +var _chartsBaseTemplatesEndpointsYaml = []byte(`{{- if .Values.global.remotePilotAddress }} + {{- if not .Values.global.istiod.enabled }} apiVersion: v1 kind: Endpoints metadata: 
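Review bot: The new `tcp-istiod` entry publishes port 15012 on the default ingress gateway Service unconditionally, while the meshexpansion Gateway/VirtualService that actually routes that port to istiod appears to be rendered only when `meshExpansion.enabled` is set, so for most installs this is a dangling port on an externally reachable Service and, once enabled, it is the path by which istiod's XDS/CA listener becomes reachable from outside the cluster. A comment next to the entry should say so, e.g. `# 15012: istiod XDS/CA for remote clusters and mesh expansion; traffic is only routed when meshExpansion.enabled` so nobody removes or widens it without knowing what sits behind it. I cannot see whether the profile has a conditional mechanism for Service ports; if it does, gating the entry the same way the meshexpansion templates are gated would be the tighter option.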
@@ -6150,25 +6151,25 @@ subsets: - port: 8080 name: http-legacy-discovery # direct - port: 15012 - name: http-istiod + name: tcp-istiod - port: 15014 name: http-monitoring ---- + {{- else }} apiVersion: v1 kind: Endpoints metadata: - name: istiod + name: istiod-remote namespace: {{ .Release.Namespace }} subsets: - addresses: - ip: {{ .Values.global.remotePilotAddress }} ports: - port: 15012 - name: http-istiod + name: tcp-istiod + {{- end }} +--- {{- end }} - {{- if and .Values.global.remotePolicyAddress .Values.global.createRemoteSvcEndpoints }} ---- apiVersion: v1 kind: Endpoints metadata: @@ -6337,7 +6338,8 @@ func chartsBaseTemplatesServiceaccountYaml() (*asset, error) { return a, nil } -var _chartsBaseTemplatesServicesYaml = []byte(`{{- if or .Values.global.remotePilotCreateSvcEndpoint .Values.global.createRemoteSvcEndpoints }} +var _chartsBaseTemplatesServicesYaml = []byte(`{{- if .Values.global.remotePilotAddress }} + {{- if not .Values.global.istiod.enabled }} apiVersion: v1 kind: Service metadata: @@ -6352,20 +6354,22 @@ spec: - port: 8080 name: http-legacy-discovery # direct - port: 15012 - name: http-istiod + name: tcp-istiod - port: 15014 name: http-monitoring clusterIP: None ---- + {{- else }} apiVersion: v1 kind: Service metadata: - name: istiod + name: istiod-remote namespace: {{ .Release.Namespace }} spec: ports: - port: 15012 - name: http-istiod + name: tcp-istiod + clusterIP: None + {{- end }} --- {{- end }} {{- if and .Values.global.remotePolicyAddress .Values.global.createRemoteSvcEndpoints }} @@ -8308,6 +8312,7 @@ func chartsGatewaysIstioIngressTemplatesHostsYaml() (*asset, error) { } var _chartsGatewaysIstioIngressTemplatesMeshexpansionYaml = []byte(`{{- if .Values.global.meshExpansion.enabled }} + {{- if .Values.global.istiod.enabled }} apiVersion: networking.istio.io/v1alpha3 kind: Gateway metadata: @@ -8326,7 +8331,6 @@ spec: hosts: - "*" --- - apiVersion: networking.istio.io/v1alpha3 kind: VirtualService metadata: 
@@ -8348,7 +8352,6 @@ spec: port: number: 15012 --- - apiVersion: networking.istio.io/v1alpha3 kind: DestinationRule metadata: @@ -8364,7 +8367,71 @@ spec: number: 15012 tls: mode: DISABLE - +--- + {{- else }} +apiVersion: networking.istio.io/v1alpha3 +kind: Gateway +metadata: + name: meshexpansion-gateway + namespace: {{ .Release.Namespace }} + labels: + release: {{ .Release.Name }} +spec: + selector: + istio: ingressgateway + servers: + - port: + number: 15011 + protocol: TCP + name: tcp-pilot + hosts: + - "*" + - port: + number: 15004 + name: tls-mixer + protocol: TLS + tls: + mode: AUTO_PASSTHROUGH + hosts: + - "*" +--- +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: meshexpansion-vs-pilot + namespace: {{ .Release.Namespace }} + labels: + release: {{ .Release.Name }} +spec: + hosts: + - istio-pilot.{{ .Values.global.istioNamespace }}.svc.{{ .Values.global.proxy.clusterDomain }} + gateways: + - meshexpansion-gateway + tcp: + - match: + - port: 15011 + route: + - destination: + host: istio-pilot.{{ .Values.global.istioNamespace }}.svc.{{ .Values.global.proxy.clusterDomain }} + port: + number: 15011 +--- +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: meshexpansion-dr-pilot + namespace: {{ .Release.Namespace }} + labels: + release: {{ .Release.Name }} +spec: + host: pilot.{{ .Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }} + trafficPolicy: + portLevelSettings: + - port: + number: 15011 + tls: + mode: DISABLE + {{- end }} {{- end }} `) @@ -10209,7 +10276,7 @@ data: controlPlaneAuthPolicy: MUTUAL_TLS # # Address where istio Pilot service is running - {{- if or .Values.global.remotePilotCreateSvcEndpoint .Values.global.createRemoteSvcEndpoints }} + {{- if .Values.global.remotePilotAddress }} discoveryAddress: {{ $defPilotHostname }}:15011 {{- else }} discoveryAddress: {{ $pilotAddress }}:15011 
@@ -10220,7 +10287,7 @@ data: controlPlaneAuthPolicy: NONE # # Address where istio Pilot service is running - {{- if or .Values.global.remotePilotCreateSvcEndpoint .Values.global.createRemoteSvcEndpoints }} + {{- if .Values.global.remotePilotAddress }} discoveryAddress: {{ $defPilotHostname }}:15010 {{- else }} discoveryAddress: {{ $pilotAddress }}:15010 @@ -13170,8 +13237,6 @@ data: enableEnvoyAccessLogService: {{ .Values.global.proxy.envoyAccessLogService.enabled }} - {{- if .Values.global.istioRemote }} - {{- if .Values.global.remotePolicyAddress }} {{- if .Values.global.createRemoteSvcEndpoints }} mixerCheckServer: istio-policy.{{ .Release.Namespace }}:15004 @@ -13185,7 +13250,6 @@ data: {{- else }} mixerReportServer: {{ .Values.global.remoteTelemetryAddress }}:15004 {{- end }} - {{- end }} {{- else }} @@ -13207,7 +13271,7 @@ data: {{- end }} - {{- if or .Values.mixer.policy.enabled (and .Values.global.istioRemote .Values.global.remotePolicyAddress) }} + {{- if or .Values.mixer.policy.enabled .Values.global.remotePolicyAddress }} # policyCheckFailOpen allows traffic in cases when the mixer policy service cannot be reached. # Default is false which means the traffic is denied when the client is unable to connect to Mixer. policyCheckFailOpen: {{ .Values.global.policyCheckFailOpen }} @@ -13418,7 +13482,7 @@ data: # controlPlaneAuthPolicy is for mounted secrets, will wait for the files. controlPlaneAuthPolicy: NONE {{- if .Values.global.remotePilotAddress }} - discoveryAddress: {{ .Values.global.remotePilotAddress }} + discoveryAddress: {{ printf "istiod-remote.%s.svc" .Release.Namespace }}:15012 {{- else }} discoveryAddress: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{.Release.Namespace}}.svc:15012 {{- end }} 
@@ -13429,7 +13493,7 @@ data: controlPlaneAuthPolicy: MUTUAL_TLS # # Address where istio Pilot service is running - {{- if or .Values.global.remotePilotCreateSvcEndpoint .Values.global.createRemoteSvcEndpoints }} + {{- if .Values.global.remotePilotAddress }} discoveryAddress: istio-pilot.{{ .Release.Namespace }}:15011 {{- else }} discoveryAddress: {{ $pilotAddress }}:15011 @@ -13440,7 +13504,7 @@ data: controlPlaneAuthPolicy: NONE # # Address where istio Pilot service is running - {{- if or .Values.global.remotePilotCreateSvcEndpoint .Values.global.createRemoteSvcEndpoints }} + {{- if .Values.global.remotePilotAddress }} discoveryAddress: istio-pilot.{{ .Release.Namespace }}:15010 {{- else }} discoveryAddress: {{ $pilotAddress }}:15010 @@ -13656,6 +13720,8 @@ spec: - name: PILOT_EXTERNAL_GALLEY value: "false" {{- end }} + - name: CLUSTER_ID + value: "{{ $.Values.global.multiCluster.clusterName | default `+"`"+`Kubernetes`+"`"+` }}" resources: {{- if .Values.pilot.resources }} {{ toYaml .Values.pilot.resources | trim | indent 12 }} @@ -35740,6 +35806,8 @@ spec: - name: ISTIO_META_MESH_ID value: "{{ .Values.global.trustDomain }}" {{- end }} + - name: ISTIO_META_CLUSTER_ID + value: "{{ .Values.global.multiCluster.clusterName | default `+"`"+`Kubernetes`+"`"+` }}" imagePullPolicy: {{ .Values.global.imagePullPolicy | default "Always" }} readinessProbe: failureThreshold: 30 @@ -40353,6 +40421,9 @@ spec: - port: 15011 targetPort: 15011 name: tcp-pilot-grpc-tls + - port: 15012 + targetPort: 15012 + name: tcp-istiod - port: 8060 targetPort: 8060 name: tcp-citadel-grpc-tls 
@@ -40845,39 +40916,9 @@ func profilesMinimalYaml() (*asset, error) { var _profilesRemoteYaml = []byte(`apiVersion: install.istio.io/v1alpha1 kind: IstioOperator spec: - components: - pilot: - enabled: true - policy: - enabled: false - telemetry: - enabled: false - proxy: - enabled: false - sidecarInjector: - enabled: false - citadel: - enabled: false - nodeAgent: - enabled: false - galley: - enabled: false - cni: - enabled: false - addonComponents: prometheus: - enabled: false - - values: - security: - createMeshPolicy: false - - global: - istioRemote: true - enableTracing: false - network: "" -`) + enabled: false`) func profilesRemoteYamlBytes() ([]byte, error) { return _profilesRemoteYaml, nil diff --git a/pilot/cmd/pilot-discovery/main.go b/pilot/cmd/pilot-discovery/main.go index 4d0e904d16d..3ad996bb2a1 100644 --- a/pilot/cmd/pilot-discovery/main.go +++ b/pilot/cmd/pilot-discovery/main.go @@ -114,8 +114,8 @@ func init() { []string{string(serviceregistry.Kubernetes)}, fmt.Sprintf("Comma separated list of platform service registries to read from (choose one or more from {%s, %s, %s})", serviceregistry.Kubernetes, serviceregistry.Consul, serviceregistry.Mock)) - discoveryCmd.PersistentFlags().StringVar(&serverArgs.Config.ClusterRegistriesNamespace, "clusterRegistriesNamespace", metav1.NamespaceAll, - "Namespace for ConfigMap which stores clusters configs") + discoveryCmd.PersistentFlags().StringVar(&serverArgs.Config.ClusterRegistriesNamespace, "clusterRegistriesNamespace", + serverArgs.Config.ClusterRegistriesNamespace, "Namespace for ConfigMap which stores clusters configs") discoveryCmd.PersistentFlags().StringVar(&serverArgs.Config.KubeConfig, "kubeconfig", "", "Use a Kubernetes configuration file instead of in-cluster configuration") discoveryCmd.PersistentFlags().StringVar(&serverArgs.Mesh.ConfigFile, "meshConfig", "/etc/istio/config/mesh", 
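Review bot: The flag default is now whatever `serverArgs.Config.ClusterRegistriesNamespace` holds when `init()` runs, which is not visible in this hunk; if the package-level initializer leaves it empty, that value is identical to the old `metav1.NamespaceAll` and istiod keeps watching multicluster secrets in every namespace, but the help text no longer tells the operator that. Make the wide default explicit in the help string, e.g. `"Namespace for ConfigMap which stores clusters configs (empty = all namespaces; restrict to the control-plane namespace in shared clusters)"`. Also confirm `metav1` is still referenced elsewhere in main.go, otherwise the import is now unused and the package will not build. If `serverArgs` is populated by a function rather than a `var` initializer, the default would be read before it is set.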
diff --git a/pilot/pkg/bootstrap/certcontroller.go b/pilot/pkg/bootstrap/certcontroller.go
index 7ea7e30fecc..7b3631f6abd 100644
--- a/pilot/pkg/bootstrap/certcontroller.go
+++ b/pilot/pkg/bootstrap/certcontroller.go
@@ -109,14 +109,21 @@ func (s *Server) initCertController(args *PilotArgs) error {
 //
 // TODO: If the discovery address in mesh.yaml is set to port 15012 (XDS-with-DNS-certs) and the name
 // matches the k8s namespace, failure to start DNS server is a fatal error.
-func (s *Server) initDNSCerts(hostname string) error {
+func (s *Server) initDNSCerts(hostname, namespace string) error {
 parts := strings.Split(hostname, ".")
 if len(parts) < 2 {
 return fmt.Errorf("invalid hostname %s, should contain at least service name and namespace", hostname)
 }
 // Names in the Istiod cert - support the old service names as well.
 // The first is the recommended one, also used by Apiserver for webhooks.
- names := []string{hostname, "istiod.istio-system.svc", "istio-pilot.istio-system.svc"}
+ names := []string{hostname}
+ for _, altName := range []string{"istiod", "istiod-remote", "istio-pilot"} {
+ name := fmt.Sprintf("%v.%v.svc", altName, namespace)
+ if name == hostname {
+ continue // avoid dups
+ }
+ names = append(names, name)
+ }
 var certChain, keyPEM []byte
 var err error
diff --git a/pilot/pkg/bootstrap/multicluster.go b/pilot/pkg/bootstrap/multicluster.go
index b2107ca4223..97746f817fd 100644
--- a/pilot/pkg/bootstrap/multicluster.go
+++ b/pilot/pkg/bootstrap/multicluster.go
@@ -26,9 +26,7 @@ func (s *Server) initClusterRegistries(args *PilotArgs) (err error) {
 if hasKubeRegistry(args.Service.Registries) {
 mc, err := controller.NewMulticluster(s.kubeClient,
 args.Config.ClusterRegistriesNamespace,
- args.Config.ControllerOptions.WatchedNamespace,
- args.Config.ControllerOptions.DomainSuffix,
- args.Config.ControllerOptions.ResyncPeriod,
+ args.Config.ControllerOptions,
 s.ServiceController(),
 s.EnvoyXdsServer,
 s.environment)
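Review bot: `initDNSCerts` builds the legacy SANs from the new `namespace` argument without validating it, so an empty value yields names like `istiod..svc`, and a value that disagrees with the namespace segment of `hostname` (`parts[1]`) puts SANs for a different namespace into istiod's serving certificate; because proxies accept the control-plane connection only when the discovery address matches a SAN, the first case is a silent misconfiguration and the second an over-broad certificate. Add a guard right after the `len(parts)` check, e.g. `if namespace == "" || parts[1] != namespace { return fmt.Errorf("namespace %q does not match hostname %s", namespace, hostname) }`; if hostnames outside the `<svc>.<ns>.svc` scheme are legal here, keep only the empty check. The function's body continues past the hunk.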
diff --git a/pilot/pkg/bootstrap/server.go b/pilot/pkg/bootstrap/server.go
index 2f459f58ddb..66ee0589642 100644
--- a/pilot/pkg/bootstrap/server.go
+++ b/pilot/pkg/bootstrap/server.go
@@ -858,7 +858,7 @@ func (s *Server) initDNSListener(args *PilotArgs) error {
 // Create DNS certificates. This allows injector, validation to work without Citadel, and
 // allows secure SDS connections to Istiod.
- err = s.initDNSCerts(host)
+ err = s.initDNSCerts(host, args.Namespace)
 if err != nil {
 return err
 }
diff --git a/pilot/pkg/features/pilot.go b/pilot/pkg/features/pilot.go
index 6852694df0f..660018e6bb0 100644
--- a/pilot/pkg/features/pilot.go
+++ b/pilot/pkg/features/pilot.go
@@ -301,4 +301,7 @@ var (
 JwtPolicy = env.RegisterStringVar("JWT_POLICY", jwt.JWTPolicyThirdPartyJWT,
 "The JWT validation policy.")
+
+ ClusterName = env.RegisterStringVar("CLUSTER_ID", "Kubernetes",
+ "Defines the cluster and service registry that this Istiod instance is belongs to")
 )
diff --git a/pilot/pkg/model/push_context.go b/pilot/pkg/model/push_context.go
index ed420fe1f95..4876564d769 100644
--- a/pilot/pkg/model/push_context.go
+++ b/pilot/pkg/model/push_context.go
@@ -1671,10 +1671,14 @@ func (ps *PushContext) initMeshNetworks() {
 continue
 }
- registryName := getNetworkRegistry(networkConf)
+ registryNames := getNetworkRegistres(networkConf)
 gateways := []*Gateway{}
+
 for _, gw := range gws {
- gatewayAddresses := getGatewayAddresses(gw, registryName, ps.ServiceDiscovery)
+ gatewayAddresses := getGatewayAddresses(gw, registryNames, ps.ServiceDiscovery)
+
+ log.Debugf("Endpoints from registry(s) %v on network %v reachable through gateway(s) %v",
+ registryNames, network, gatewayAddresses)
 for _, addr := range gatewayAddresses {
 gateways = append(gateways, &Gateway{addr, gw.Port})
 }
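Review bot: The description string registered for `CLUSTER_ID` has a grammatical slip (`is belongs to`), and the Go identifier `ClusterName` does not match the environment variable it registers, which makes cross-referencing the chart (`CLUSTER_ID`) with the code harder than it needs to be; suggest `ClusterID = env.RegisterStringVar("CLUSTER_ID", "Kubernetes", "Defines the cluster and service registry that this Istiod instance belongs to")` if the name is not yet referenced elsewhere, otherwise at least fix the text. The default `Kubernetes` is duplicated in the deployment template as `multiCluster.clusterName | default Kubernetes`, so a short comment above the registration noting that the two defaults must stay in sync would help the next person who changes one. The enclosing `var (` block starts outside the hunk.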
@@ -1684,19 +1688,17 @@ func (ps *PushContext) initMeshNetworks() {
 }
 }
-func getNetworkRegistry(network *meshconfig.Network) string {
- var registryName string
+func getNetworkRegistres(network *meshconfig.Network) []string {
+ var registryNames []string
 for _, eps := range network.Endpoints {
 if eps != nil && len(eps.GetFromRegistry()) > 0 {
- registryName = eps.GetFromRegistry()
- break
+ registryNames = append(registryNames, eps.GetFromRegistry())
 }
 }
-
- return registryName
+ return registryNames
 }
-func getGatewayAddresses(gw *meshconfig.Network_IstioNetworkGateway, registryName string, discovery ServiceDiscovery) []string {
+func getGatewayAddresses(gw *meshconfig.Network_IstioNetworkGateway, registryNames []string, discovery ServiceDiscovery) []string {
 // First, if a gateway address is provided in the configuration use it. If the gateway address
 // in the config was a hostname it got already resolved and replaced with an IP address
 // when loading the config
@@ -1705,10 +1707,14 @@ func getGatewayAddresses(gw *meshconfig.Network_IstioNetworkGateway, registryNam
 }
 // Second, try to find the gateway addresses by the provided service name
- if gwSvcName := gw.GetRegistryServiceName(); len(gwSvcName) > 0 && len(registryName) > 0 {
+ if gwSvcName := gw.GetRegistryServiceName(); gwSvcName != "" {
 svc, _ := discovery.GetService(host.Name(gwSvcName))
 if svc != nil {
- return svc.Attributes.ClusterExternalAddresses[registryName]
+ var gateways []string
+ for _, registryName := range registryNames {
+ gateways = append(gateways, svc.Attributes.ClusterExternalAddresses[registryName]...)
+ }
+ return gateways
 }
 }
diff --git a/pilot/pkg/model/service.go b/pilot/pkg/model/service.go
index 5e845b08cbf..20ce9bc1a72 100644
--- a/pilot/pkg/model/service.go
+++ b/pilot/pkg/model/service.go
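Review bot: `getNetworkRegistres` now collects every `fromRegistry` value without de-duplicating (the old `break` is gone), so a network whose `endpoints` list names the same registry twice makes `getGatewayAddresses` append that registry's `ClusterExternalAddresses` twice and the caller ends up with duplicate gateway entries; whether mesh-network validation already rejects such a list I cannot see from here, so it is cheaper to be defensive in the collector. The function name also has a typo (`Registres`); renaming it to `getNetworkRegistries` means updating the single call site in the preceding hunk. Proposed replacement for the collector:

```go
// getNetworkRegistries returns the distinct fromRegistry names listed under the
// network's endpoints, in first-seen order.
func getNetworkRegistries(network *meshconfig.Network) []string {
	var registryNames []string
	seen := make(map[string]struct{})
	for _, eps := range network.Endpoints {
		if eps == nil || len(eps.GetFromRegistry()) == 0 {
			continue
		}
		name := eps.GetFromRegistry()
		if _, dup := seen[name]; dup {
			continue
		}
		seen[name] = struct{}{}
		registryNames = append(registryNames, name)
	}
	return registryNames
}
// … unchanged: getGatewayAddresses …
```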
@@ -384,7 +384,6 @@ type ServiceDiscovery interface {
 Services() ([]*Service, error)
 // GetService retrieves a service by host name if it exists
- // Deprecated - do not use for anything other than tests
 GetService(hostname host.Name) (*Service, error)
 // InstancesByPort retrieves instances for a service on the given ports with labels that match
diff --git a/pilot/pkg/networking/util/util.go b/pilot/pkg/networking/util/util.go
index 33e1f643ebf..a15e98d03e4 100644
--- a/pilot/pkg/networking/util/util.go
+++ b/pilot/pkg/networking/util/util.go
@@ -427,6 +427,21 @@ func cloneLocalityLbEndpoints(endpoints []*endpoint.LocalityLbEndpoints) []*endp
 return out
 }
+// return a shallow copy LbEndpoint
+func CloneLbEndpoint(endpoint *endpoint.LbEndpoint) *endpoint.LbEndpoint {
+ if endpoint == nil {
+ return nil
+ }
+
+ clone := *endpoint
+ if endpoint.LoadBalancingWeight != nil {
+ clone.LoadBalancingWeight = &wrappers.UInt32Value{
+ Value: endpoint.GetLoadBalancingWeight().GetValue(),
+ }
+ }
+ return &clone
+}
+
 // BuildConfigInfoMetadata builds core.Metadata struct containing the
 // name.namespace of the config, the type, etc. Used by Mixer client
 // to generate attributes for policy and telemetry.
diff --git a/pilot/pkg/networking/util/util_test.go b/pilot/pkg/networking/util/util_test.go
index d384f67aacd..4176e90df46 100644
--- a/pilot/pkg/networking/util/util_test.go
+++ b/pilot/pkg/networking/util/util_test.go
@@ -39,6 +39,17 @@ import (
 proto2 "istio.io/istio/pkg/proto"
 )
+func TestCloneLbEndpoint(t *testing.T) {
+ ep := &endpoint.LbEndpoint{
+ LoadBalancingWeight: &wrappers.UInt32Value{Value: 100},
+ }
+ cloned := CloneLbEndpoint(ep)
+ cloned.LoadBalancingWeight.Value = 200
+ if ep.LoadBalancingWeight.GetValue() != 100 {
+ t.Errorf("original LbEndpoint is mutated")
+ }
+}
+
 func TestConvertAddressToCidr(t *testing.T) {
 tests := []struct {
 name string
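Review bot: In the util.go hunk the parameter `endpoint` shadows the imported `endpoint` package for the whole body of CloneLbEndpoint; it compiles because the package name is only needed in the signature, but it is a trap for the next edit, so rename it to `ep`. The doc comment should also spell out what "shallow" means here, since callers will read it as a safety guarantee: `// CloneLbEndpoint returns a shallow copy of ep in which only LoadBalancingWeight is detached; every other pointer field (HostIdentifier, Metadata, ...) still aliases the original and must be treated as read-only.` `clone := *endpoint` copies the generated message struct wholesale; if this repository's protobuf runtime marks generated messages as no-copy (APIv2 does), `go vet` will flag that line and `proto.Clone` is the robust alternative at some cost — worth confirming which runtime is in use before this pattern spreads.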
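Review bot: TestCloneLbEndpoint pins only the weight; the two other behaviours the function encodes go untested. Add `if CloneLbEndpoint(nil) != nil { t.Fatal("nil input must yield nil") }` and a case built with `LoadBalancingWeight: nil` asserting the clone's weight stays nil rather than being allocated, so a later "helpful" change to default the weight is caught. A third check that a shared pointer field (e.g. `cloned.Metadata == ep.Metadata`) still aliases would document that the copy is intentionally shallow.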
diff --git a/pilot/pkg/proxy/envoy/v2/ep_filters.go b/pilot/pkg/proxy/envoy/v2/ep_filters.go
index 30c72fed77c..dcde5630dac 100644
--- a/pilot/pkg/proxy/envoy/v2/ep_filters.go
+++ b/pilot/pkg/proxy/envoy/v2/ep_filters.go
@@ -55,10 +55,13 @@ func EndpointsByNetworkFilter(push *model.PushContext, proxyNetwork string, endp
 // but can be accessed directly from local network.
 if epNetwork == proxyNetwork || len(push.NetworkGatewaysByNetwork(epNetwork)) == 0 {
- lbEp.LoadBalancingWeight = &wrappers.UInt32Value{
+ // Clone the endpoint so subsequent updates to the shared cache of
+ // service endpoints doesn't overwrite endpoints already in-flight.
+ clonedLbEp := util.CloneLbEndpoint(lbEp)
+ clonedLbEp.LoadBalancingWeight = &wrappers.UInt32Value{
 Value: uint32(multiples),
 }
- lbEndpoints = append(lbEndpoints, lbEp)
+ lbEndpoints = append(lbEndpoints, clonedLbEp)
 } else {
 // Remote network endpoint which can not be accessed directly from local network.
 // Increase the weight counter
diff --git a/pilot/pkg/serviceregistry/aggregate/controller.go b/pilot/pkg/serviceregistry/aggregate/controller.go
index cb867e4704a..7c7dcfdda71 100644
--- a/pilot/pkg/serviceregistry/aggregate/controller.go
+++ b/pilot/pkg/serviceregistry/aggregate/controller.go
@@ -17,6 +17,8 @@ package aggregate
 import (
 "sync"
+ "istio.io/istio/pilot/pkg/features"
+
 "github.com/hashicorp/go-multierror"
 "istio.io/pkg/log"
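Review bot: The new comment in ep_filters.go promises more than the clone delivers: CloneLbEndpoint detaches only LoadBalancingWeight, so the other fields of `clonedLbEp` still alias the cached LbEndpoint and any later mutation of them on this path would reintroduce the race. Suggest `// Shallow-clone so the weight set here never lands on the cached LbEndpoint; the remaining fields still alias the cache and must not be mutated.` The `else` branch that handles endpoints behind a gateway is outside the hunk; if it also appends or mutates `lbEp` from the shared slice it needs the same treatment, which is worth confirming.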
@@ -221,6 +223,32 @@ func (c *Controller) InstancesByPort(svc *model.Service, port int,
 return instances, errs
 }
+func nodeClusterID(node *model.Proxy) string {
+ if node.Metadata == nil || node.Metadata.ClusterID == "" {
+ return ""
+ }
+ return node.Metadata.ClusterID
+}
+
+// Skip the service registry when there won't be a match
+// because the proxy is in a different cluster.
+func skipSearchingRegistryForProxy(nodeClusterID, registryClusterID, selfClusterID string) bool {
+ // We can't trust the default service registry because its always
+ // named `Kubernetes`. Use the `CLUSTER_ID` envvar to find the
+ // local cluster name in these cases.
+ // TODO(https://github.com/istio/istio/issues/22093)
+ if registryClusterID == string(serviceregistry.Kubernetes) {
+ registryClusterID = selfClusterID
+ }
+
+ // We can't be certain either way
+ if registryClusterID == "" || nodeClusterID == "" {
+ return false
+ }
+
+ return registryClusterID != nodeClusterID
+}
+
 // GetProxyServiceInstances lists service instances co-located with a given proxy
 func (c *Controller) GetProxyServiceInstances(node *model.Proxy) ([]*model.ServiceInstance, error) {
 out := make([]*model.ServiceInstance, 0)
@@ -228,6 +256,13 @@ func (c *Controller) GetProxyServiceInstances(node *model.Proxy) ([]*model.Servi
 // It doesn't make sense for a single proxy to be found in more than one registry.
 // TODO: if otherwise, warning or else what to do about it.
 for _, r := range c.GetRegistries() {
+ nodeClusterID := nodeClusterID(node)
+ if skipSearchingRegistryForProxy(nodeClusterID, r.Cluster(), features.ClusterName.Get()) {
+ log.Debugf("GetProxyServiceInstances(): not searching registry %v: proxy %v CLUSTER_ID is %v",
+ r.Cluster(), node.ID, nodeClusterID)
+ continue
+ }
+
 instances, err := r.GetProxyServiceInstances(node)
 if err != nil {
 errs = multierror.Append(errs, err)
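Review bot: The registry filter is driven by `node.Metadata.ClusterID`, a value the proxy itself reports, so a proxy can steer which registry its address is looked up in; in the overlapping-pod-CIDR multi-cluster setup this patch targets, a proxy claiming another cluster's ID could be matched against that cluster's registry and receive the service instances of whatever workload shares its IP there. Whether that is exploitable depends on whether the proxy's authenticated identity is cross-checked against its ClusterID elsewhere, which this hunk does not show, so the helper should at least document the trust assumption: `// nodeClusterID returns the cluster the proxy claims to belong to. The value is self-reported in node metadata and is not verified here; it only narrows which registries are searched.` The empty-string test in nodeClusterID is redundant — `if node.Metadata == nil { return "" }; return node.Metadata.ClusterID` returns the same values. The doc comment on skipSearchingRegistryForProxy should also state the fail-open rule visible in the body: an empty registry, self or node cluster ID never skips.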
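Review bot: `nodeClusterID := nodeClusterID(node)` inside the loop shadows the helper function of the same name for the rest of the iteration and recomputes a loop-invariant value (as does `features.ClusterName.Get()`) once per registry. Hoist both above `for _, r := range c.GetRegistries()` with distinct names — `proxyClusterID := nodeClusterID(node)` and `selfClusterID := features.ClusterName.Get()` — and pass those to skipSearchingRegistryForProxy and the debug log. The debug message would be more useful if it also printed `selfClusterID`, since that substitution is what decides the outcome for the default `Kubernetes` registry.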
diff --git a/pilot/pkg/serviceregistry/aggregate/controller_test.go b/pilot/pkg/serviceregistry/aggregate/controller_test.go
index 1ee90547ace..65cdb325f5d 100644
--- a/pilot/pkg/serviceregistry/aggregate/controller_test.go
+++ b/pilot/pkg/serviceregistry/aggregate/controller_test.go
@@ -535,3 +535,33 @@ func TestGetRegistries(t *testing.T) {
 }
 }
 }
+
+func TestSkipSearchingRegistryForProxy(t *testing.T) {
+ cases := []struct {
+ node string
+ registry string
+ self string
+ want bool
+ }{
+ {"main", "remote", "main", true},
+ {"remote", "main", "main", true},
+ {"remote", "Kubernetes", "main", true},
+
+ {"main", "Kubernetes", "main", false},
+ {"main", "main", "main", false},
+ {"remote", "remote", "main", false},
+ {"", "main", "main", false},
+ {"main", "", "main", false},
+ {"main", "Kubernetes", "", false},
+ {"", "", "", false},
+ }
+
+ for i, c := range cases {
+ got := skipSearchingRegistryForProxy(c.node, c.registry, c.self)
+ if got != c.want {
+ t.Errorf("%s: got %v want %v",
+ fmt.Sprintf("[%v] registry=%v node=%v", i, c.registry, c.node),
+ got, c.want)
+ }
+ }
+}
diff --git a/pilot/pkg/serviceregistry/kube/controller/multicluster.go b/pilot/pkg/serviceregistry/kube/controller/multicluster.go
index 932e6308aff..5542c901fd9 100644
--- a/pilot/pkg/serviceregistry/kube/controller/multicluster.go
+++ b/pilot/pkg/serviceregistry/kube/controller/multicluster.go
@@ -42,6 +42,7 @@ type Multicluster struct {
 ResyncPeriod time.Duration
 serviceController *aggregate.Controller
 XDSUpdater model.XDSUpdater
+ metrics model.Metrics
 m sync.Mutex // protects remoteKubeControllers
 remoteKubeControllers map[string]*kubeController
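Review bot: The table never exercises the configuration the CLUSTER_ID default produces, where self is the literal `Kubernetes` and the sentinel substitution maps the default registry onto itself; add `{"remote", "Kubernetes", "Kubernetes", true}` and `{"Kubernetes", "Kubernetes", "Kubernetes", false}` so that path is pinned. The failure message omits `self`, which is the input that decides those cases; `t.Errorf("[%d] node=%q registry=%q self=%q: got %v want %v", i, c.node, c.registry, c.self, got, c.want)` replaces the nested Sprintf and prints everything needed to reproduce.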
@@ -50,24 +51,24 @@ type Multicluster struct {
 // NewMulticluster initializes data structure to store multicluster information
 // It also starts the secret controller
-func NewMulticluster(kc kubernetes.Interface, secretNamespace string,
- watchedNamespace string, domainSuffix string, resyncPeriod time.Duration,
+func NewMulticluster(kc kubernetes.Interface, secretNamespace string, opts Options,
 serviceController *aggregate.Controller, xds model.XDSUpdater, networksWatcher mesh.NetworksWatcher) (*Multicluster, error) {
 remoteKubeController := make(map[string]*kubeController)
- if resyncPeriod == 0 {
+ if opts.ResyncPeriod == 0 {
 // make sure a resync time of 0 wasn't passed in.
- resyncPeriod = 30 * time.Second
+ opts.ResyncPeriod = 30 * time.Second
 log.Info("Resync time was configured to 0, resetting to 30")
 }
 mc := &Multicluster{
- WatchedNamespace: watchedNamespace,
- DomainSuffix: domainSuffix,
- ResyncPeriod: resyncPeriod,
+ WatchedNamespace: opts.WatchedNamespace,
+ DomainSuffix: opts.DomainSuffix,
+ ResyncPeriod: opts.ResyncPeriod,
 serviceController: serviceController,
 XDSUpdater: xds,
 remoteKubeControllers: remoteKubeController,
 networksWatcher: networksWatcher,
+ metrics: opts.Metrics,
 }
 err := secretcontroller.StartSecretController(kc,
@@ -94,6 +95,7 @@ func (m *Multicluster) AddMemberCluster(clientset kubernetes.Interface, clusterI
 XDSUpdater: m.XDSUpdater,
 ClusterID: clusterID,
 NetworksWatcher: m.networksWatcher,
+ Metrics: m.metrics,
 })
 remoteKubeController.rc = kubectl
diff --git a/pilot/pkg/serviceregistry/kube/controller/multicluster_test.go b/pilot/pkg/serviceregistry/kube/controller/multicluster_test.go
index 30929eefad4..70dd857f56b 100644
--- a/pilot/pkg/serviceregistry/kube/controller/multicluster_test.go
+++ b/pilot/pkg/serviceregistry/kube/controller/multicluster_test.go
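Review bot: The doc comment on NewMulticluster was not updated for the new `opts Options` parameter, and the body now carries two facts a caller should know: a zero `opts.ResyncPeriod` is replaced by 30 seconds, and `opts` is received by value so the caller's struct is left untouched. Suggest adding `// opts supplies the namespace, domain suffix, resync period and metrics shared by every member cluster; a zero ResyncPeriod is replaced by 30s (the caller's copy is not modified).` The existing log line `"Resync time was configured to 0, resetting to 30"` should name the unit, e.g. `resetting to 30s`.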
@@ -95,7 +95,14 @@ func Test_KubeSecretController(t *testing.T) {
 clientset := fake.NewSimpleClientset()
- mc, err := NewMulticluster(clientset, testSecretNameSpace, WatchedNamespace, DomainSuffix, ResyncPeriod, mockserviceController, nil, nil)
+ mc, err := NewMulticluster(clientset,
+ testSecretNameSpace,
+ Options{
+ WatchedNamespace: WatchedNamespace,
+ DomainSuffix: DomainSuffix,
+ ResyncPeriod: ResyncPeriod,
+ },
+ mockserviceController, nil, nil)
 if err != nil {
 t.Fatalf("error creating Multicluster object and startign secret controller: %v", err)
diff --git a/pkg/config/mesh/mesh.go b/pkg/config/mesh/mesh.go
index 30eda0008f5..a83367cdc7f 100644
--- a/pkg/config/mesh/mesh.go
+++ b/pkg/config/mesh/mesh.go
@@ -172,13 +172,13 @@ func ResolveHostsInNetworksConfig(config *meshconfig.MeshNetworks) {
 }
 for _, n := range config.Networks {
 for _, gw := range n.Gateways {
- gwIP := net.ParseIP(gw.GetAddress())
- if gwIP == nil {
- addrs, err := net.LookupHost(gw.GetAddress())
+ gwAddr := gw.GetAddress()
+ gwIP := net.ParseIP(gwAddr)
+ if gwIP == nil && len(gwAddr) != 0 {
+ addrs, err := net.LookupHost(gwAddr)
 if err != nil {
 log.Warnf("error resolving host %#v: %v", gw.GetAddress(), err)
- }
- if err == nil && len(addrs) > 0 {
+ } else {
 gw.Gw = &meshconfig.Network_IstioNetworkGateway_Address{
 Address: addrs[0],
 }
From 2c63f13b39f0eb61e4ded9c241075a02d1ad5c50 Mon Sep 17 00:00:00 2001 From: Jason Young Date: Fri, 13 Mar 2020 22:51:43 -0700 Subject: [PATCH 2/5] fix istio-reader-service-account --- install/kubernetes/helm/istio/templates/clusterrolebinding.yaml | 2 +- install/kubernetes/helm/istio/templates/serviceaccount.yaml | 2 +- install/kubernetes/helm/istio/values-istio-remote.yaml | 1 + 3 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/install/kubernetes/helm/istio/templates/clusterrolebinding.yaml b/install/kubernetes/helm/istio/templates/clusterrolebinding.yaml
index 9d9b37d21c0..759678ea69f 100644
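Review bot: In the mesh.go hunk the `else` branch indexes `addrs[0]` without the `len(addrs) > 0` guard the removed line had, so a resolver that returns a nil error with an empty slice would panic inside config loading; `} else if len(addrs) > 0 {` keeps the new shape and the old safety. When resolution fails the warning is logged and `gw.Gw` keeps the hostname, which the "First, if a gateway address is provided" branch in getGatewayAddresses then treats as an already-resolved address — that is pre-existing, but a comment here saying `// on failure the hostname is left in place and will not be usable as an address` would stop the next reader assuming it is retried. Taking `addrs[0]` silently discards any other addresses the host resolves to; if that is intended, say so in the comment.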
--- a/install/kubernetes/helm/istio/templates/clusterrolebinding.yaml
+++ b/install/kubernetes/helm/istio/templates/clusterrolebinding.yaml
@@ -25,5 +25,5 @@ roleRef:
 name: istio-reader
 subjects:
 - kind: ServiceAccount
- name: istio-reader
+ name: istio-reader-service-account
 namespace: {{ .Release.Namespace }}
diff --git a/install/kubernetes/helm/istio/templates/serviceaccount.yaml b/install/kubernetes/helm/istio/templates/serviceaccount.yaml
index 96b74d3c313..c377d10e489 100644
--- a/install/kubernetes/helm/istio/templates/serviceaccount.yaml
+++ b/install/kubernetes/helm/istio/templates/serviceaccount.yaml
@@ -7,5 +7,5 @@ metadata:
 apiVersion: v1
 kind: ServiceAccount
 metadata:
- name: istio-reader
+ name: istio-reader-service-account
 namespace: {{ .Release.Namespace }}
diff --git a/install/kubernetes/helm/istio/values-istio-remote.yaml b/install/kubernetes/helm/istio/values-istio-remote.yaml
index 4ff03c36096..372bc1b880d 100644
--- a/install/kubernetes/helm/istio/values-istio-remote.yaml
+++ b/install/kubernetes/helm/istio/values-istio-remote.yaml
@@ -18,6 +18,7 @@ pilot:
 security:
 enabled: true
 createMeshPolicy: false
+ selfSigned: false
 prometheus:
 enabled: false
From a07967175335f67eb37195a27a6c3b50f260fcb2 Mon Sep 17 00:00:00 2001 From: Jason Young Date: Sat, 14 Mar 2020 22:39:27 -0700 Subject: [PATCH 3/5] fix prow e2e multicluster test --- tests/e2e/framework/multicluster.go | 7 +++---- tests/e2e/tests/pilot/http_test.go | 4 ++-- tests/util/kube_utils.go | 7 +++++++ 3 files changed, 12 insertions(+), 6 deletions(-)
diff --git a/tests/e2e/framework/multicluster.go b/tests/e2e/framework/multicluster.go
index f97b27c9755..8551a817427 100644
--- a/tests/e2e/framework/multicluster.go
+++ b/tests/e2e/framework/multicluster.go
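Review bot: `selfSigned: false` in values-istio-remote.yaml is the setting that stops the remote cluster from minting its own root, but nothing in the file says why it must be false, and the e2e framework in the next commit sets the same flag by hand (`--set security.selfSigned=false`), so the two can drift silently. Add a comment above it: `# A remote cluster must use the root CA shared by the primary control plane; with a self-signed root the two clusters would not trust each other's workload certificates.` How the shared root is delivered to the remote is not visible here, so keep the comment to the trust consequence rather than the mechanism.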
@@ -19,14 +19,14 @@ import (
 "io/ioutil"
 "os"
 "path/filepath"
- "strings"
 "time"
 v1 "k8s.io/api/core/v1"
 meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
- "istio.io/istio/tests/util"
 "istio.io/pkg/log"
+
+ "istio.io/istio/tests/util"
 )
 func getKubeConfigFromFile(dirname string) (string, error) {
@@ -111,8 +111,7 @@ func (k *KubeInfo) generateRemoteIstio(dst string, useAutoInject bool, proxyHub,
 helmSetContent += " --set security.selfSigned=false"
 // Set the cluster id
- config := strings.Split(k.RemoteKubeConfig, "/")
- helmSetContent += " --set global.multiCluster.clusterName=" + config[len(config)-1]
+ helmSetContent += " --set global.multiCluster.clusterName=" + util.ClusterNameFromKubeConfig(k.RemoteKubeConfig)
 // Enabling access log because some tests (e.g. TestGrpc) are validating
 // based on the pods logs
diff --git a/tests/e2e/tests/pilot/http_test.go b/tests/e2e/tests/pilot/http_test.go
index d8203169ad4..fbe2ba5fc46 100644
--- a/tests/e2e/tests/pilot/http_test.go
+++ b/tests/e2e/tests/pilot/http_test.go
@@ -79,7 +79,7 @@ func TestHttp(t *testing.T) {
 // t->d:8000 should always be fine.
 return nil
 }
- return errAgain
+ return fmt.Errorf("expected no match: %v", resp)
 }
 logEntry := fmt.Sprintf("HTTP request from %s to %s%s:%s", src, dst, domain, port)
 if len(resp.ID) > 0 {
@@ -96,7 +96,7 @@ func TestHttp(t *testing.T) {
 // Expected no match for t->t
 return nil
 }
- return errAgain
+ return fmt.Errorf("no match: %v", resp)
 })
 }
 }
diff --git a/tests/util/kube_utils.go b/tests/util/kube_utils.go
index f8044225c72..e36b7c58d9b 100644
--- a/tests/util/kube_utils.go
+++ b/tests/util/kube_utils.go
@@ -915,6 +915,12 @@ func CheckPodRunning(n, name string, kubeconfig string) error {
 return nil
 }
+// Generate the cluster name from the kubeconfig file path
+func ClusterNameFromKubeConfig(kubeconfig string) string {
+ s := strings.Split(kubeconfig, "/")
+ return s[len(s)-1]
+}
+
 // CreateMultiClusterSecret will create the secret associated with the remote cluster
 func CreateMultiClusterSecret(namespace string, remoteKubeConfig string, localKubeConfig string) error {
 currentContext, err := ShellMuteOutput("kubectl --kubeconfig=%s config current-context", remoteKubeConfig)
@@ -930,6 +936,7 @@ func CreateMultiClusterSecret(namespace string, remoteKubeConfig string, localKu
 }
 opts := multicluster.RemoteSecretOptions{
+ ClusterName: ClusterNameFromKubeConfig(remoteKubeConfig),
 ServiceAccountName: "istio-multi",
 AuthType: multicluster.RemoteSecretAuthTypeBearerToken,
 KubeOptions: multicluster.KubeOptions{
From 52f2e337034fbcec26bb37026cef4e5b49853530 Mon Sep 17 00:00:00 2001 From: Jason Young Date: Sun, 15 Mar 2020 13:06:06 -0700 Subject: [PATCH 4/5] backport istiod-remote discoveryAddress --- .../istio-egress/templates/deployment.yaml | 9 ++++--- .../istio-ingress/templates/deployment.yaml | 9 ++++--- .../prometheus/templates/deployment.yaml | 9 ++++--- operator/pkg/vfs/assets.gen.go | 27 ++++++++++++------- 4 files changed, 36 insertions(+), 18 deletions(-)
diff --git a/manifests/gateways/istio-egress/templates/deployment.yaml b/manifests/gateways/istio-egress/templates/deployment.yaml
index 3ca12c9b53b..26511dc30cb 100644
--- a/manifests/gateways/istio-egress/templates/deployment.yaml
+++ b/manifests/gateways/istio-egress/templates/deployment.yaml
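Review bot: ClusterNameFromKubeConfig hand-rolls `filepath.Base`: `strings.Split(kubeconfig, "/")` returns an empty name for a path with a trailing slash and is not portable; `return filepath.Base(kubeconfig)` does the intended thing (add the `path/filepath` import if this file does not already have it). The doc comment should start with the function name and state the contract: `// ClusterNameFromKubeConfig derives the e2e cluster name from the last path element of the kubeconfig file; the same derivation is used for the helm clusterName and for RemoteSecretOptions.ClusterName, so the two stay in sync.` Because the value feeds `RemoteSecretOptions.ClusterName`, which presumably ends up as a Kubernetes object name, a note that the kubeconfig file name must be a valid DNS label would save a confusing failure.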
@@ -117,10 +117,13 @@ spec:
 - --controlPlaneAuthPolicy
 - NONE
 - --discoveryAddress
- {{- if .Values.global.configNamespace }}
- - istio-pilot.{{ .Values.global.configNamespace }}.svc:15012
+ {{- $namespace := .Values.global.configNamespace | default "istio-system" }}
+ {{- if .Values.global.remotePilotAddress }}
+ # Use the DNS hostname instead of the IP address. The discovery address needs to match the
+ # SAN in istiod's cert. The istiod-remote..svc will resolve to the remotePilotAddress.
+ - istiod-remote.{{ $namespace }}.svc:15012
 {{- else }}
- - istio-pilot.istio-system.svc:15012
+ - istio-pilot.{{ $namespace }}.svc:15012
 {{- end }}
 {{- else if .Values.global.controlPlaneSecurityEnabled }}
 - --controlPlaneAuthPolicy
diff --git a/manifests/gateways/istio-ingress/templates/deployment.yaml b/manifests/gateways/istio-ingress/templates/deployment.yaml
index 57e47efe11e..b0737e5a303 100644
--- a/manifests/gateways/istio-ingress/templates/deployment.yaml
+++ b/manifests/gateways/istio-ingress/templates/deployment.yaml
@@ -160,10 +160,13 @@ spec:
 - --controlPlaneAuthPolicy
 - NONE
 - --discoveryAddress
- {{- if .Values.global.configNamespace }}
- - istio-pilot.{{ .Values.global.configNamespace }}.svc:15012
+ {{- $namespace := .Values.global.configNamespace | default "istio-system" }}
+ {{- if .Values.global.remotePilotAddress }}
+ # Use the DNS hostname instead of the IP address. The discovery address needs to match the
+ # SAN in istiod's cert. The istiod-remote..svc will resolve to the remotePilotAddress.
+ - istiod-remote.{{ $namespace }}.svc:15012
 {{- else }}
- - istio-pilot.istio-system.svc:15012
+ - istio-pilot.{{ $namespace }}.svc:15012
 {{- end }}
 {{- else if .Values.global.controlPlaneSecurityEnabled }}
 - --controlPlaneAuthPolicy
diff --git a/manifests/istio-telemetry/prometheus/templates/deployment.yaml b/manifests/istio-telemetry/prometheus/templates/deployment.yaml
index 98b7107959d..069227acc27 100644
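Review bot: The new comment reads `istiod-remote..svc` — the namespace placeholder was lost — and it states the SAN requirement without saying what enforces it; the same text is repeated verbatim in the istio-ingress hunk on this line and in the prometheus template, so fix it once and copy it. Suggested wording: `# Use the DNS name, not the IP: the agent connects to istiod-remote.<namespace>.svc, which must match a SAN in istiod's certificate. The headless istiod-remote service maps this name to remotePilotAddress.` This branch sits under `--controlPlaneAuthPolicy NONE`, and the hostname only protects the xDS channel if the agent actually verifies istiod's certificate chain on port 15012 regardless of that flag — that behaviour is not visible here and should be confirmed, because the name-to-IP mapping lives in a manually populated Endpoints object, so without verification anyone who can write Endpoints in that namespace can redirect every gateway's control-plane connection.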
--- a/manifests/istio-telemetry/prometheus/templates/deployment.yaml +++ b/manifests/istio-telemetry/prometheus/templates/deployment.yaml @@ -79,10 +79,13 @@ spec: - --parentShutdownDuration - "1m0s" - --discoveryAddress - {{- if .Values.global.configNamespace }} - - istio-pilot.{{ .Values.global.configNamespace }}.svc:15012 + {{- $namespace := .Values.global.configNamespace | default "istio-system" }} + {{- if .Values.global.remotePilotAddress }} + # Use the DNS hostname instead of the IP address. The discovery address needs to match the + # SAN in istiod's cert. The istiod-remote..svc will resolve to the remotePilotAddress. + - istiod-remote.{{ $namespace }}.svc:15012 {{- else }} - - istio-pilot.istio-system.svc:15012 + - istio-pilot.{{ $namespace }}.svc:15012 {{- end }} {{- if .Values.global.proxy.logLevel }} - --proxyLogLevel={{ .Values.global.proxy.logLevel }} diff --git a/operator/pkg/vfs/assets.gen.go b/operator/pkg/vfs/assets.gen.go index fdc731e0c48..6036d0e7330 100644 --- a/operator/pkg/vfs/assets.gen.go +++ b/operator/pkg/vfs/assets.gen.go @@ -6855,10 +6855,13 @@ spec: - --controlPlaneAuthPolicy - NONE - --discoveryAddress - {{- if .Values.global.configNamespace }} - - istio-pilot.{{ .Values.global.configNamespace }}.svc:15012 + {{- $namespace := .Values.global.configNamespace | default "istio-system" }} + {{- if .Values.global.remotePilotAddress }} + # Use the DNS hostname instead of the IP address. The discovery address needs to match the + # SAN in istiod's cert. The istiod-remote..svc will resolve to the remotePilotAddress. + - istiod-remote.{{ $namespace }}.svc:15012 {{- else }} - - istio-pilot.istio-system.svc:15012 + - istio-pilot.{{ $namespace }}.svc:15012 {{- end }} {{- else if .Values.global.controlPlaneSecurityEnabled }} - --controlPlaneAuthPolicy 
@@ -7942,10 +7945,13 @@ spec: - --controlPlaneAuthPolicy - NONE - --discoveryAddress - {{- if .Values.global.configNamespace }} - - istio-pilot.{{ .Values.global.configNamespace }}.svc:15012 + {{- $namespace := .Values.global.configNamespace | default "istio-system" }} + {{- if .Values.global.remotePilotAddress }} + # Use the DNS hostname instead of the IP address. The discovery address needs to match the + # SAN in istiod's cert. The istiod-remote..svc will resolve to the remotePilotAddress. + - istiod-remote.{{ $namespace }}.svc:15012 {{- else }} - - istio-pilot.istio-system.svc:15012 + - istio-pilot.{{ $namespace }}.svc:15012 {{- end }} {{- else if .Values.global.controlPlaneSecurityEnabled }} - --controlPlaneAuthPolicy @@ -35699,10 +35705,13 @@ spec: - --parentShutdownDuration - "1m0s" - --discoveryAddress - {{- if .Values.global.configNamespace }} - - istio-pilot.{{ .Values.global.configNamespace }}.svc:15012 + {{- $namespace := .Values.global.configNamespace | default "istio-system" }} + {{- if .Values.global.remotePilotAddress }} + # Use the DNS hostname instead of the IP address. The discovery address needs to match the + # SAN in istiod's cert. The istiod-remote..svc will resolve to the remotePilotAddress. + - istiod-remote.{{ $namespace }}.svc:15012 {{- else }} - - istio-pilot.istio-system.svc:15012 + - istio-pilot.{{ $namespace }}.svc:15012 {{- end }} {{- if .Values.global.proxy.logLevel }} - --proxyLogLevel={{ .Values.global.proxy.logLevel }} From e458e117e36018ecb650289f0f19fda585010800 Mon Sep 17 00:00:00 2001 From: Jason Young Date: Mon, 16 Mar 2020 11:06:41 -0700 Subject: [PATCH 5/5] fix typo --- pilot/pkg/features/pilot.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pilot/pkg/features/pilot.go b/pilot/pkg/features/pilot.go index 660018e6bb0..62fa865427f 100644 --- a/pilot/pkg/features/pilot.go +++ b/pilot/pkg/features/pilot.go 
@@ -303,5 +303,5 @@ var (
 "The JWT validation policy.")
 ClusterName = env.RegisterStringVar("CLUSTER_ID", "Kubernetes",
- "Defines the cluster and service registry that this Istiod instance is belongs to")
+ "Defines the cluster and service registry that this Istiod instance belongs to")
 )