shared control plane multicluster fixes

install/kubernetes/helm/istio/templates/clusterrolebinding.yaml

@@ -25,5 +25,5 @@ roleRef:
   name: istio-reader
 subjects:
 - kind: ServiceAccount
-  name: istio-reader
+  name: istio-reader-service-account
   namespace: {{ .Release.Namespace }}

install/kubernetes/helm/istio/templates/configmap.yaml

@@ -316,7 +316,7 @@ data:
       controlPlaneAuthPolicy: MUTUAL_TLS
       #
       # Address where istio Pilot service is running
-      {{- if or .Values.global.remotePilotCreateSvcEndpoint .Values.global.createRemoteSvcEndpoints }}
+      {{- if .Values.global.remotePilotAddress }}
       discoveryAddress: {{ $defPilotHostname }}:15011
       {{- else }}
       discoveryAddress: {{ $pilotAddress }}:15011
@@ -327,7 +327,7 @@ data:
       controlPlaneAuthPolicy: NONE
       #
       # Address where istio Pilot service is running
-      {{- if or .Values.global.remotePilotCreateSvcEndpoint .Values.global.createRemoteSvcEndpoints }}
+      {{- if .Values.global.remotePilotAddress }}
       discoveryAddress: {{ $defPilotHostname }}:15010
       {{- else }}
       discoveryAddress: {{ $pilotAddress }}:15010

install/kubernetes/helm/istio/templates/endpoints.yaml

@@ -1,4 +1,4 @@
-{{- if or .Values.global.remotePilotCreateSvcEndpoint .Values.global.createRemoteSvcEndpoints }}
+{{- if .Values.global.remotePilotAddress }}
 apiVersion: v1
 kind: Endpoints
 metadata:

install/kubernetes/helm/istio/templates/service.yaml

@@ -1,4 +1,4 @@
-{{- if or .Values.global.remotePilotCreateSvcEndpoint .Values.global.createRemoteSvcEndpoints }}
+{{- if .Values.global.remotePilotAddress }}
 apiVersion: v1
 kind: Service
 metadata:

install/kubernetes/helm/istio/templates/serviceaccount.yaml

@@ -7,5 +7,5 @@ metadata:
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: istio-reader
+  name: istio-reader-service-account
   namespace: {{ .Release.Namespace }}

install/kubernetes/helm/istio/values-istio-remote.yaml

@@ -18,6 +18,7 @@ pilot:
 security:
   enabled: true
   createMeshPolicy: false
+  selfSigned: false
 
 prometheus:
   enabled: false

istioctl/pkg/multicluster/remote_secret.go

@@ -86,15 +86,15 @@ func NewCreateRemoteSecretCommand() *cobra.Command {
 		Example: `
 # Create a secret to access cluster c0's apiserver and install it in cluster c1.
 istioctl --Kubeconfig=c0.yaml x create-remote-secret --name c0 \
-    | kubectl -n istio-system --Kubeconfig=c1.yaml apply -f -
+    | kubectl --Kubeconfig=c1.yaml apply -f -
 
 # Delete a secret that was previously installed in c1
 istioctl --Kubeconfig=c0.yaml x create-remote-secret --name c0 \
-    | kubectl -n istio-system --Kubeconfig=c1.yaml delete -f -
+    | kubectl --Kubeconfig=c1.yaml delete -f -
 
 # Create a secret access a remote cluster with an auth plugin
 istioctl --Kubeconfig=c0.yaml x create-remote-secret --name c0 --auth-type=plugin --auth-plugin-name=gcp \
-    | kubectl -n istio-system --Kubeconfig=c1.yaml apply -f -
+    | kubectl --Kubeconfig=c1.yaml apply -f -
 `,
 		Args: cobra.NoArgs,
 		RunE: func(c *cobra.Command, args []string) error {
@@ -383,6 +383,8 @@ func createRemoteSecret(opt RemoteSecretOptions, client kubernetes.Interface, en
 	if err != nil {
 		return nil, err
 	}
+
+	remoteSecret.Namespace = opt.Namespace
 	return remoteSecret, nil
 }
 

istioctl/pkg/multicluster/remote_secret_test.go

@@ -110,6 +110,7 @@ metadata:
   labels:
     istio/multiCluster: "true"
   name: istio-remote-secret-54643f96-eca0-11e9-bb97-42010a80000a
+  namespace: istio-system-test
 stringData:
   54643f96-eca0-11e9-bb97-42010a80000a: |
     apiVersion: v1

manifests/base/templates/endpoints.yaml

@@ -1,4 +1,5 @@
-{{- if or .Values.global.remotePilotCreateSvcEndpoint .Values.global.createRemoteSvcEndpoints }}
+{{- if .Values.global.remotePilotAddress }}
+  {{- if not .Values.global.istiod.enabled }}
 apiVersion: v1
 kind: Endpoints
 metadata:
@@ -15,25 +16,25 @@ subsets:
   - port: 8080
     name: http-legacy-discovery # direct
   - port: 15012
-    name: http-istiod
+    name: tcp-istiod
   - port: 15014
     name: http-monitoring
----
+  {{- else }}
 apiVersion: v1
 kind: Endpoints
 metadata:
-  name: istiod
+  name: istiod-remote
   namespace: {{ .Release.Namespace }}
 subsets:
 - addresses:
   - ip: {{ .Values.global.remotePilotAddress }}
   ports:
   - port: 15012
-    name: http-istiod
+    name: tcp-istiod
+  {{- end }}
+---
 {{- end }}
-
 {{- if and .Values.global.remotePolicyAddress .Values.global.createRemoteSvcEndpoints }}
----
 apiVersion: v1
 kind: Endpoints
 metadata:

manifests/base/templates/services.yaml

@@ -1,4 +1,5 @@
-{{- if or .Values.global.remotePilotCreateSvcEndpoint .Values.global.createRemoteSvcEndpoints }}
+{{- if .Values.global.remotePilotAddress }}
+  {{- if not .Values.global.istiod.enabled }}
 apiVersion: v1
 kind: Service
 metadata:
@@ -13,20 +14,22 @@ spec:
   - port: 8080
     name: http-legacy-discovery # direct
   - port: 15012
-    name: http-istiod    
+    name: tcp-istiod
   - port: 15014
     name: http-monitoring
   clusterIP: None
----
+  {{- else }}
 apiVersion: v1
 kind: Service
 metadata:
-  name: istiod
+  name: istiod-remote
   namespace: {{ .Release.Namespace }}
 spec:
   ports:
   - port: 15012
-    name: http-istiod
+    name: tcp-istiod
+  clusterIP: None
+  {{- end }}
 ---
 {{- end }}
 {{- if and .Values.global.remotePolicyAddress .Values.global.createRemoteSvcEndpoints }}

manifests/gateways/istio-egress/templates/deployment.yaml

@@ -117,10 +117,13 @@ spec:
           - --controlPlaneAuthPolicy
           - NONE
           - --discoveryAddress
-          {{- if .Values.global.configNamespace }}
-          - istio-pilot.{{ .Values.global.configNamespace }}.svc:15012
+          {{- $namespace := .Values.global.configNamespace | default "istio-system" }}
+          {{- if .Values.global.remotePilotAddress }}
+          # Use the DNS hostname instead of the IP address. The discovery address needs to match the
+          # SAN in istiod's cert. The istiod-remote.<namespace>.svc will resolve to the remotePilotAddress.
+          - istiod-remote.{{ $namespace }}.svc:15012
           {{- else }}
-          - istio-pilot.istio-system.svc:15012
+          - istio-pilot.{{ $namespace }}.svc:15012
           {{- end }}
         {{- else if .Values.global.controlPlaneSecurityEnabled }}
           - --controlPlaneAuthPolicy

manifests/gateways/istio-ingress/templates/deployment.yaml

@@ -160,10 +160,13 @@ spec:
           - --controlPlaneAuthPolicy
           - NONE
           - --discoveryAddress
-          {{- if .Values.global.configNamespace }}
-          - istio-pilot.{{ .Values.global.configNamespace }}.svc:15012
+          {{- $namespace := .Values.global.configNamespace | default "istio-system" }}
+          {{- if .Values.global.remotePilotAddress }}
+          # Use the DNS hostname instead of the IP address. The discovery address needs to match the
+          # SAN in istiod's cert. The istiod-remote.<namespace>.svc will resolve to the remotePilotAddress.
+          - istiod-remote.{{ $namespace }}.svc:15012
           {{- else }}
-          - istio-pilot.istio-system.svc:15012
+          - istio-pilot.{{ $namespace }}.svc:15012
           {{- end }}
           {{- else if .Values.global.controlPlaneSecurityEnabled }}
           - --controlPlaneAuthPolicy

manifests/gateways/istio-ingress/templates/meshexpansion.yaml

@@ -1,4 +1,5 @@
 {{- if .Values.global.meshExpansion.enabled }}
+  {{- if .Values.global.istiod.enabled }}
 apiVersion: networking.istio.io/v1alpha3
 kind: Gateway
 metadata:
@@ -17,7 +18,6 @@ spec:
       hosts:
         - "*"
 ---
-
 apiVersion: networking.istio.io/v1alpha3
 kind: VirtualService
 metadata:
@@ -39,7 +39,6 @@ spec:
         port:
           number: 15012
 ---
-
 apiVersion: networking.istio.io/v1alpha3
 kind: DestinationRule
 metadata:
@@ -55,6 +54,70 @@ spec:
         number: 15012
       tls:
         mode: DISABLE
-
+---
+  {{- else }}
+apiVersion: networking.istio.io/v1alpha3
+kind: Gateway
+metadata:
+  name: meshexpansion-gateway
+  namespace: {{ .Release.Namespace }}
+  labels:
+    release: {{ .Release.Name }}
+spec:
+  selector:
+    istio: ingressgateway
+  servers:
+    - port:
+        number: 15011
+        protocol: TCP
+        name: tcp-pilot
+      hosts:
+        - "*"
+    - port:
+        number: 15004
+        name: tls-mixer
+        protocol: TLS
+      tls:
+        mode: AUTO_PASSTHROUGH
+      hosts:
+        - "*"
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+  name: meshexpansion-vs-pilot
+  namespace: {{ .Release.Namespace }}
+  labels:
+    release: {{ .Release.Name }}
+spec:
+  hosts:
+    - istio-pilot.{{ .Values.global.istioNamespace }}.svc.{{ .Values.global.proxy.clusterDomain }}
+  gateways:
+    - meshexpansion-gateway
+  tcp:
+    - match:
+        - port: 15011
+      route:
+        - destination:
+            host: istio-pilot.{{ .Values.global.istioNamespace }}.svc.{{ .Values.global.proxy.clusterDomain }}
+            port:
+              number: 15011
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: DestinationRule
+metadata:
+  name: meshexpansion-dr-pilot
+  namespace: {{ .Release.Namespace }}
+  labels:
+    release: {{ .Release.Name }}
+spec:
+  host: pilot.{{ .Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }}
+  trafficPolicy:
+    portLevelSettings:
+      - port:
+          number: 15011
+        tls:
+          mode: DISABLE
+  {{- end }}
 {{- end }}
 

manifests/global.yaml

@@ -560,13 +560,11 @@ global:
   # webhook configurations. When this option is set as false, webhooks manage their
   # own webhook configurations.
   operatorManageWebhooks: false
-  istioRemote: false
 
   # Settings for remote cluster.
   createRemoteSvcEndpoints: false
 
   # configure remote pilot and istiod service and endpoint
-  remotePilotCreateSvcEndpoint: false
   remotePolicyAddress: ""
   remotePilotAddress: ""
   remoteTelemetryAddress: ""

manifests/istio-control/istio-autoinject/templates/configmap.yaml

@@ -99,7 +99,7 @@ data:
       controlPlaneAuthPolicy: MUTUAL_TLS
       #
       # Address where istio Pilot service is running
-      {{- if or .Values.global.remotePilotCreateSvcEndpoint .Values.global.createRemoteSvcEndpoints }}
+      {{- if .Values.global.remotePilotAddress }}
       discoveryAddress: {{ $defPilotHostname }}:15011
       {{- else }}
       discoveryAddress: {{ $pilotAddress }}:15011
@@ -110,7 +110,7 @@ data:
       controlPlaneAuthPolicy: NONE
       #
       # Address where istio Pilot service is running
-      {{- if or .Values.global.remotePilotCreateSvcEndpoint .Values.global.createRemoteSvcEndpoints }}
+      {{- if .Values.global.remotePilotAddress }}
       discoveryAddress: {{ $defPilotHostname }}:15010
       {{- else }}
       discoveryAddress: {{ $pilotAddress }}:15010

manifests/istio-control/istio-discovery/templates/configmap.yaml

@@ -36,8 +36,6 @@ data:
 
     enableEnvoyAccessLogService: {{ .Values.global.proxy.envoyAccessLogService.enabled }}
 
-    {{- if .Values.global.istioRemote }}
-
     {{- if .Values.global.remotePolicyAddress }}
     {{- if .Values.global.createRemoteSvcEndpoints }}
     mixerCheckServer: istio-policy.{{ .Release.Namespace }}:15004
@@ -51,7 +49,6 @@ data:
     {{- else }}
     mixerReportServer: {{ .Values.global.remoteTelemetryAddress }}:15004
     {{- end }}
-    {{- end }}
 
     {{- else }}
 
@@ -73,7 +70,7 @@ data:
 
     {{- end }}
 
-    {{- if or .Values.mixer.policy.enabled (and .Values.global.istioRemote .Values.global.remotePolicyAddress) }}
+    {{- if or .Values.mixer.policy.enabled .Values.global.remotePolicyAddress }}
     # policyCheckFailOpen allows traffic in cases when the mixer policy service cannot be reached.
     # Default is false which means the traffic is denied when the client is unable to connect to Mixer.
     policyCheckFailOpen: {{ .Values.global.policyCheckFailOpen }}
@@ -284,7 +281,7 @@ data:
       # controlPlaneAuthPolicy is for mounted secrets, will wait for the files.
       controlPlaneAuthPolicy: NONE
       {{- if .Values.global.remotePilotAddress }}
-      discoveryAddress: {{ .Values.global.remotePilotAddress }}
+      discoveryAddress: {{ printf "istiod-remote.%s.svc" .Release.Namespace }}:15012
       {{- else }}
       discoveryAddress: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{.Release.Namespace}}.svc:15012
       {{- end }}
@@ -295,7 +292,7 @@ data:
       controlPlaneAuthPolicy: MUTUAL_TLS
       #
       # Address where istio Pilot service is running
-      {{- if or .Values.global.remotePilotCreateSvcEndpoint .Values.global.createRemoteSvcEndpoints }}
+      {{- if .Values.global.remotePilotAddress }}
       discoveryAddress: istio-pilot.{{ .Release.Namespace }}:15011
       {{- else }}
       discoveryAddress: {{ $pilotAddress }}:15011
@@ -306,7 +303,7 @@ data:
       controlPlaneAuthPolicy: NONE
       #
       # Address where istio Pilot service is running
-      {{- if or .Values.global.remotePilotCreateSvcEndpoint .Values.global.createRemoteSvcEndpoints }}
+      {{- if .Values.global.remotePilotAddress }}
       discoveryAddress: istio-pilot.{{ .Release.Namespace }}:15010
       {{- else }}
       discoveryAddress: {{ $pilotAddress }}:15010

manifests/istio-control/istio-discovery/templates/deployment.yaml

@@ -156,6 +156,8 @@ spec:
           - name: PILOT_EXTERNAL_GALLEY
             value: "false"
 {{- end }}
+          - name: CLUSTER_ID
+            value: "{{ $.Values.global.multiCluster.clusterName | default `Kubernetes` }}"
           resources:
 {{- if .Values.pilot.resources }}
 {{ toYaml .Values.pilot.resources | trim | indent 12 }}