From 08606a374873bd021f3575dbd5921f4fceee9b18 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Maciej=20Kara=C5=9B?= Date: Wed, 24 Sep 2025 14:31:14 +0200 Subject: [PATCH 1/8] Update Istio configuration to use CNI node agents instead of `istio-init` containers --- multi_cluster/tools/install_istio.sh | 21 +- multi_cluster/tools/install_istio_central.sh | 2 +- .../install_istio_separate_network.sh | 188 ------------------ 3 files changed, 19 insertions(+), 192 deletions(-) delete mode 100755 scripts/release/kubectl-mongodb/install_istio_separate_network.sh diff --git a/multi_cluster/tools/install_istio.sh b/multi_cluster/tools/install_istio.sh index 8e65b56fc..b446ad610 100755 --- a/multi_cluster/tools/install_istio.sh +++ b/multi_cluster/tools/install_istio.sh @@ -38,6 +38,7 @@ make -f ../tools/certs/Makefile.selfsigned.mk "${CTX_CLUSTER3}-cacerts" || make # create cluster secret objects with the certs and keys kubectl --context="${CTX_CLUSTER1}" delete ns istio-system || true kubectl --context="${CTX_CLUSTER1}" create ns istio-system +kubectl --context="${CTX_CLUSTER1}" label --overwrite ns istio-system pod-security.kubernetes.io/enforce=privileged kubectl --context="${CTX_CLUSTER1}" create secret generic cacerts -n istio-system \ --from-file=${CTX_CLUSTER1}/ca-cert.pem \ --from-file=${CTX_CLUSTER1}/ca-key.pem \ @@ -46,6 +47,7 @@ kubectl --context="${CTX_CLUSTER1}" create secret generic cacerts -n istio-syste kubectl --context="${CTX_CLUSTER2}" delete ns istio-system || true kubectl --context="${CTX_CLUSTER2}" create ns istio-system +kubectl --context="${CTX_CLUSTER2}" label --overwrite ns istio-system pod-security.kubernetes.io/enforce=privileged kubectl --context="${CTX_CLUSTER2}" create secret generic cacerts -n istio-system \ --from-file=${CTX_CLUSTER2}/ca-cert.pem \ --from-file=${CTX_CLUSTER2}/ca-key.pem \ @@ -54,6 +56,7 @@ kubectl --context="${CTX_CLUSTER2}" create secret generic cacerts -n istio-syste kubectl --context="${CTX_CLUSTER3}" delete ns istio-system || true kubectl --context="${CTX_CLUSTER3}" create ns istio-system +kubectl --context="${CTX_CLUSTER3}" label --overwrite ns istio-system pod-security.kubernetes.io/enforce=privileged kubectl --context="${CTX_CLUSTER3}" create secret generic cacerts -n istio-system \ --from-file=${CTX_CLUSTER3}/ca-cert.pem \ --from-file=${CTX_CLUSTER3}/ca-key.pem \ @@ -67,6 +70,10 @@ apiVersion: install.istio.io/v1alpha1 kind: IstioOperator spec: tag: ${VERSION} + components: + cni: + namespace: istio-system + enabled: true meshConfig: defaultConfig: terminationDrainDuration: 30s @@ -81,13 +88,17 @@ spec: network: network1 EOF -bin/istioctl install --context="${CTX_CLUSTER1}" -f cluster1.yaml -y & +bin/istioctl install --set components.cni.enabled=true --context="${CTX_CLUSTER1}" -f cluster1.yaml -y & cat <cluster2.yaml apiVersion: install.istio.io/v1alpha1 kind: IstioOperator spec: tag: ${VERSION} + components: + cni: + namespace: istio-system + enabled: true meshConfig: defaultConfig: terminationDrainDuration: 30s @@ -102,13 +113,17 @@ spec: network: network1 EOF -bin/istioctl install --context="${CTX_CLUSTER2}" -f cluster2.yaml -y & +bin/istioctl install --set components.cni.enabled=true --context="${CTX_CLUSTER2}" -f cluster2.yaml -y & cat <cluster3.yaml apiVersion: install.istio.io/v1alpha1 kind: IstioOperator spec: tag: ${VERSION} + components: + cni: + namespace: istio-system + enabled: true meshConfig: defaultConfig: terminationDrainDuration: 30s @@ -123,7 +138,7 @@ spec: network: network1 EOF -bin/istioctl install --context="${CTX_CLUSTER3}" -f cluster3.yaml -y & +bin/istioctl install --set components.cni.enabled=true --context="${CTX_CLUSTER3}" -f cluster3.yaml -y & wait diff --git a/multi_cluster/tools/install_istio_central.sh b/multi_cluster/tools/install_istio_central.sh index da6f84477..c0b84e49e 100755 --- a/multi_cluster/tools/install_istio_central.sh +++ b/multi_cluster/tools/install_istio_central.sh @@ -10,4 +10,4 @@ source multi_cluster/tools/download_istio.sh cd istio-${VERSION} bin/istioctl x uninstall --context="${CTX_CLUSTER}" --purge --skip-confirmation -bin/istioctl install --context="${CTX_CLUSTER}" --set profile=default --set meshConfig.outboundTrafficPolicy.mode=REGISTRY_ONLY --skip-confirmation +bin/istioctl install --set components.cni.enabled=true --context="${CTX_CLUSTER}" --set profile=default --set meshConfig.outboundTrafficPolicy.mode=REGISTRY_ONLY --skip-confirmation diff --git a/scripts/release/kubectl-mongodb/install_istio_separate_network.sh b/scripts/release/kubectl-mongodb/install_istio_separate_network.sh deleted file mode 100755 index adda0ff92..000000000 --- a/scripts/release/kubectl-mongodb/install_istio_separate_network.sh +++ /dev/null @@ -1,188 +0,0 @@ -#!/usr/bin/env bash - -set -eux - -# define here or provide the cluster names externally -export CTX_CLUSTER1=${CTX_CLUSTER1} -export CTX_CLUSTER2=${CTX_CLUSTER2} -export CTX_CLUSTER3=${CTX_CLUSTER3} -export ISTIO_VERSION=${ISTIO_VERSION} - -# download Istio under the path -curl -L https://istio.io/downloadIstio | sh - - -# checks if external IP has been assigned to a service object, in our case we are interested in east-west gateway -function_check_external_ip_assigned() { - while : ; do - ip=$(kubectl --context="$1" get svc istio-eastwestgateway -n istio-system --output jsonpath='{.status.loadBalancer.ingress[0].ip}') - if [ -n "${ip}" ] - then - echo "external ip assigned ${ip}" - break - else - echo "waiting for external ip to be assigned" - fi -done -} - -cd "istio-${ISTIO_VERSION}" -mkdir -p certs -pushd certs - -# create root trust for the clusters -make -f ../tools/certs/Makefile.selfsigned.mk root-ca -make -f ../tools/certs/Makefile.selfsigned.mk "${CTX_CLUSTER1}-cacerts" -make -f ../tools/certs/Makefile.selfsigned.mk "${CTX_CLUSTER2}-cacerts" -make -f ../tools/certs/Makefile.selfsigned.mk "${CTX_CLUSTER3}-cacerts" - -kubectl --context="${CTX_CLUSTER1}" create ns istio-system -kubectl --context="${CTX_CLUSTER1}" create secret generic cacerts -n istio-system \ - --from-file="${CTX_CLUSTER1}/ca-cert.pem" \ - --from-file="${CTX_CLUSTER1}/ca-key.pem" \ - --from-file="${CTX_CLUSTER1}/root-cert.pem" \ - --from-file="${CTX_CLUSTER1}/cert-chain.pem" - -kubectl --context="${CTX_CLUSTER2}" create ns istio-system -kubectl --context="${CTX_CLUSTER2}" create secret generic cacerts -n istio-system \ - --from-file="${CTX_CLUSTER2}/ca-cert.pem" \ - --from-file="${CTX_CLUSTER2}/ca-key.pem" \ - --from-file="${CTX_CLUSTER2}/root-cert.pem" \ - --from-file="${CTX_CLUSTER2}/cert-chain.pem" - -kubectl --context="${CTX_CLUSTER3}" create ns istio-system -kubectl --context="${CTX_CLUSTER3}" create secret generic cacerts -n istio-system \ - --from-file="${CTX_CLUSTER3}/ca-cert.pem" \ - --from-file="${CTX_CLUSTER3}/ca-key.pem" \ - --from-file="${CTX_CLUSTER3}/root-cert.pem" \ - --from-file="${CTX_CLUSTER3}/cert-chain.pem" -popd - -# label namespace in cluster1 -kubectl --context="${CTX_CLUSTER1}" get namespace istio-system && \ - kubectl --context="${CTX_CLUSTER1}" label namespace istio-system topology.istio.io/network=network1 - -cat < cluster1.yaml -apiVersion: install.istio.io/v1alpha1 -kind: IstioOperator -spec: - values: - global: - meshID: mesh1 - multiCluster: - clusterName: cluster1 - network: network1 -EOF -bin/istioctl install --context="${CTX_CLUSTER1}" -f cluster1.yaml -samples/multicluster/gen-eastwest-gateway.sh \ - --mesh mesh1 --cluster cluster1 --network network1 | \ - bin/istioctl --context="${CTX_CLUSTER1}" install -y -f - - - -# check if external IP is assigned to east-west gateway in cluster1 -function_check_external_ip_assigned "${CTX_CLUSTER1}" - - -# expose services in cluster1 -kubectl --context="${CTX_CLUSTER1}" apply -n istio-system -f \ - samples/multicluster/expose-services.yaml - - -kubectl --context="${CTX_CLUSTER2}" get namespace istio-system && \ - kubectl --context="${CTX_CLUSTER2}" label namespace istio-system topology.istio.io/network=network2 - - -cat < cluster2.yaml -apiVersion: install.istio.io/v1alpha1 -kind: IstioOperator -spec: - values: - global: - meshID: mesh1 - multiCluster: - clusterName: cluster2 - network: network2 -EOF - -bin/istioctl install --context="${CTX_CLUSTER2}" -f cluster2.yaml - -samples/multicluster/gen-eastwest-gateway.sh \ - --mesh mesh1 --cluster cluster2 --network network2 | \ - bin/istioctl --context="${CTX_CLUSTER2}" install -y -f - - -# check if external IP is assigned to east-west gateway in cluster2 -function_check_external_ip_assigned "${CTX_CLUSTER2}" - -kubectl --context="${CTX_CLUSTER2}" apply -n istio-system -f \ - samples/multicluster/expose-services.yaml - -# cluster3 -kubectl --context="${CTX_CLUSTER3}" get namespace istio-system && \ - kubectl --context="${CTX_CLUSTER3}" label namespace istio-system topology.istio.io/network=network3 - -cat < cluster3.yaml -apiVersion: install.istio.io/v1alpha1 -kind: IstioOperator -spec: - values: - global: - meshID: mesh1 - multiCluster: - clusterName: cluster3 - network: network3 -EOF - -bin/istioctl install --context="${CTX_CLUSTER3}" -f cluster3.yaml - -samples/multicluster/gen-eastwest-gateway.sh \ - --mesh mesh1 --cluster cluster3 --network network3 | \ - bin/istioctl --context="${CTX_CLUSTER3}" install -y -f - - - -# check if external IP is assigned to east-west gateway in cluster3 -function_check_external_ip_assigned "${CTX_CLUSTER3}" - -kubectl --context="${CTX_CLUSTER3}" apply -n istio-system -f \ - samples/multicluster/expose-services.yaml - - -# enable endpoint discovery -bin/istioctl x create-remote-secret \ - --context="${CTX_CLUSTER1}" \ - -n istio-system \ - --name=cluster1 | \ - kubectl apply -f - --context="${CTX_CLUSTER2}" - -bin/istioctl x create-remote-secret \ - --context="${CTX_CLUSTER1}" \ - -n istio-system \ - --name=cluster1 | \ - kubectl apply -f - --context="${CTX_CLUSTER3}" - -bin/istioctl x create-remote-secret \ - --context="${CTX_CLUSTER2}" \ - -n istio-system \ - --name=cluster2 | \ - kubectl apply -f - --context="${CTX_CLUSTER1}" - -bin/istioctl x create-remote-secret \ - --context="${CTX_CLUSTER2}" \ - -n istio-system \ - --name=cluster2 | \ - kubectl apply -f - --context="${CTX_CLUSTER3}" - -bin/istioctl x create-remote-secret \ - --context="${CTX_CLUSTER3}" \ - -n istio-system \ - --name=cluster3 | \ - kubectl apply -f - --context="${CTX_CLUSTER1}" - -bin/istioctl x create-remote-secret \ - --context="${CTX_CLUSTER3}" \ - -n istio-system \ - --name=cluster3 | \ - kubectl apply -f - --context="${CTX_CLUSTER2}" - - # cleanup: delete the istio repo at the end -cd .. -rm -r "istio-${ISTIO_VERSION}" -rm -f cluster1.yaml cluster2.yaml cluster3.yaml From b695d5190815df5ce2944f961620e503f74311b5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Maciej=20Kara=C5=9B?= Date: Wed, 24 Sep 2025 16:31:42 +0200 Subject: [PATCH 2/8] Internal review fixes --- multi_cluster/tools/install_istio.sh | 6 +++--- multi_cluster/tools/install_istio_central.sh | 2 +- .../install_istio_separate_network.sh | 19 ++++++++++++++++--- 3 files changed, 20 insertions(+), 7 deletions(-) diff --git a/multi_cluster/tools/install_istio.sh b/multi_cluster/tools/install_istio.sh index b446ad610..15ca12d46 100755 --- a/multi_cluster/tools/install_istio.sh +++ b/multi_cluster/tools/install_istio.sh @@ -88,7 +88,7 @@ spec: network: network1 EOF -bin/istioctl install --set components.cni.enabled=true --context="${CTX_CLUSTER1}" -f cluster1.yaml -y & +bin/istioctl install --context="${CTX_CLUSTER1}" --set components.cni.enabled=true -f cluster1.yaml -y & cat <cluster2.yaml apiVersion: install.istio.io/v1alpha1 @@ -113,7 +113,7 @@ spec: network: network1 EOF -bin/istioctl install --set components.cni.enabled=true --context="${CTX_CLUSTER2}" -f cluster2.yaml -y & +bin/istioctl install --context="${CTX_CLUSTER2}" --set components.cni.enabled=true -f cluster2.yaml -y & cat <cluster3.yaml apiVersion: install.istio.io/v1alpha1 @@ -138,7 +138,7 @@ spec: network: network1 EOF -bin/istioctl install --set components.cni.enabled=true --context="${CTX_CLUSTER3}" -f cluster3.yaml -y & +bin/istioctl install --context="${CTX_CLUSTER3}" --set components.cni.enabled=true -f cluster3.yaml -y & wait diff --git a/multi_cluster/tools/install_istio_central.sh b/multi_cluster/tools/install_istio_central.sh index c0b84e49e..2ee3e5427 100755 --- a/multi_cluster/tools/install_istio_central.sh +++ b/multi_cluster/tools/install_istio_central.sh @@ -10,4 +10,4 @@ source multi_cluster/tools/download_istio.sh cd istio-${VERSION} bin/istioctl x uninstall --context="${CTX_CLUSTER}" --purge --skip-confirmation -bin/istioctl install --set components.cni.enabled=true --context="${CTX_CLUSTER}" --set profile=default --set meshConfig.outboundTrafficPolicy.mode=REGISTRY_ONLY --skip-confirmation +bin/istioctl install --context="${CTX_CLUSTER}" --set components.cni.enabled=true --set profile=default --set meshConfig.outboundTrafficPolicy.mode=REGISTRY_ONLY --skip-confirmation diff --git a/public/architectures/setup-multi-cluster/ra-03-setup-istio/install_istio_separate_network.sh b/public/architectures/setup-multi-cluster/ra-03-setup-istio/install_istio_separate_network.sh index 12f063bc1..dc66101c6 100755 --- a/public/architectures/setup-multi-cluster/ra-03-setup-istio/install_istio_separate_network.sh +++ b/public/architectures/setup-multi-cluster/ra-03-setup-istio/install_istio_separate_network.sh @@ -80,6 +80,10 @@ cat < cluster1.yaml apiVersion: install.istio.io/v1alpha1 kind: IstioOperator spec: + components: + cni: + namespace: istio-system + enabled: true meshConfig: defaultConfig: terminationDrainDuration: 30s @@ -93,7 +97,8 @@ spec: clusterName: cluster1 network: network1 EOF -bin/istioctl install --context="${CTX_CLUSTER1}" -f cluster1.yaml -y +bin/istioctl install --context="${CTX_CLUSTER1}" --set components.cni.enabled=true -f cluster1.yaml -y + samples/multicluster/gen-eastwest-gateway.sh \ --mesh mesh1 --cluster cluster1 --network network1 | \ bin/istioctl --context="${CTX_CLUSTER1}" install -y -f - @@ -116,6 +121,10 @@ cat < cluster2.yaml apiVersion: install.istio.io/v1alpha1 kind: IstioOperator spec: + components: + cni: + namespace: istio-system + enabled: true meshConfig: defaultConfig: terminationDrainDuration: 30s @@ -130,7 +139,7 @@ spec: network: network2 EOF -bin/istioctl install --context="${CTX_CLUSTER2}" -f cluster2.yaml -y +bin/istioctl install --context="${CTX_CLUSTER2}" --set components.cni.enabled=true -f cluster2.yaml -y samples/multicluster/gen-eastwest-gateway.sh \ --mesh mesh1 --cluster cluster2 --network network2 | \ @@ -150,6 +159,10 @@ cat < cluster3.yaml apiVersion: install.istio.io/v1alpha1 kind: IstioOperator spec: + components: + cni: + namespace: istio-system + enabled: true meshConfig: defaultConfig: terminationDrainDuration: 30s @@ -164,7 +177,7 @@ spec: network: network3 EOF -bin/istioctl install --context="${CTX_CLUSTER3}" -f cluster3.yaml -y +bin/istioctl install --context="${CTX_CLUSTER3}" --set components.cni.enabled=true -f cluster3.yaml -y samples/multicluster/gen-eastwest-gateway.sh \ --mesh mesh1 --cluster cluster3 --network network3 | \ From 592f35d1bb9d743264d4f4718eabc4a660d2c8b0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Maciej=20Kara=C5=9B?= Date: Fri, 10 Oct 2025 14:18:14 +0200 Subject: [PATCH 3/8] Bump istio version because of the issue with CNI -> https://github.com/istio/istio/issues/29511 --- multi_cluster/tools/README.md | 6 +++--- multi_cluster/tools/download_istio.sh | 2 +- multi_cluster/tools/install_istio.sh | 5 +---- .../code_snippets/ra-03_0040_install_istio.sh | 2 +- .../ra-03-setup-istio/install_istio_separate_network.sh | 2 +- 5 files changed, 7 insertions(+), 10 deletions(-) diff --git a/multi_cluster/tools/README.md b/multi_cluster/tools/README.md index b9e09744d..8809191ec 100644 --- a/multi_cluster/tools/README.md +++ b/multi_cluster/tools/README.md @@ -5,15 +5,15 @@ The script is intended to install Istio in the multi E2E clusters that we have c Steps to run the script and verify it: * Install the istioctl binary: - `curl -sL https://istio.io/downloadIstioctl | ISTIO_VERSION=1.9.1 sh -` + `curl -sL https://istio.io/downloadIstioctl | ISTIO_VERSION=1.27.1 sh -` `export PATH=$PATH:$HOME/.istioctl/bin` * Export cluster variables: `export CTX_CLUSTER1=e2e.cluster1.mongokubernetes.com` - + `export CTX_CLUSTER2=e2e.cluster2.mongokubernetes.com ` * Run the script : `sh ./install_istio.sh` -* [Verify the Istio installation](https://istio.io/latest/docs/setup/install/multicluster/verify/) \ No newline at end of file +* [Verify the Istio installation](https://istio.io/latest/docs/setup/install/multicluster/verify/) diff --git a/multi_cluster/tools/download_istio.sh b/multi_cluster/tools/download_istio.sh index 0fb687682..880644f48 100755 --- a/multi_cluster/tools/download_istio.sh +++ b/multi_cluster/tools/download_istio.sh @@ -1,7 +1,7 @@ #!/usr/bin/env bash set -Eeou pipefail -export VERSION=${VERSION:-1.16.1} +export VERSION=${VERSION:-1.27.1} ISTIO_SCRIPT_CHECKSUM="254c6bd6aa5b8ac8c552561c84d8e9b3a101d9e613e2a8edd6db1f19c1871dbf" echo "Checking if we need to download Istio ${VERSION}" diff --git a/multi_cluster/tools/install_istio.sh b/multi_cluster/tools/install_istio.sh index 15ca12d46..380a9bec6 100755 --- a/multi_cluster/tools/install_istio.sh +++ b/multi_cluster/tools/install_istio.sh @@ -5,7 +5,7 @@ set -eux export CTX_CLUSTER1=${CTX_CLUSTER1:-e2e.cluster1.mongokubernetes.com} export CTX_CLUSTER2=${CTX_CLUSTER2:-e2e.cluster2.mongokubernetes.com} export CTX_CLUSTER3=${CTX_CLUSTER3:-e2e.cluster3.mongokubernetes.com} -export VERSION=${VERSION:-1.12.8} +export VERSION=${VERSION:-1.27.1} IS_KIND="false" if [[ $CTX_CLUSTER1 = kind* ]]; then @@ -127,9 +127,6 @@ spec: meshConfig: defaultConfig: terminationDrainDuration: 30s - proxyMetadata: - ISTIO_META_DNS_AUTO_ALLOCATE: "true" - ISTIO_META_DNS_CAPTURE: "true" values: global: meshID: mesh1 diff --git a/public/architectures/setup-multi-cluster/ra-03-setup-istio/code_snippets/ra-03_0040_install_istio.sh b/public/architectures/setup-multi-cluster/ra-03-setup-istio/code_snippets/ra-03_0040_install_istio.sh index a27cc779e..9033ece35 100755 --- a/public/architectures/setup-multi-cluster/ra-03-setup-istio/code_snippets/ra-03_0040_install_istio.sh +++ b/public/architectures/setup-multi-cluster/ra-03-setup-istio/code_snippets/ra-03_0040_install_istio.sh @@ -1,5 +1,5 @@ CTX_CLUSTER1=${K8S_CLUSTER_0_CONTEXT_NAME} \ CTX_CLUSTER2=${K8S_CLUSTER_1_CONTEXT_NAME} \ CTX_CLUSTER3=${K8S_CLUSTER_2_CONTEXT_NAME} \ -ISTIO_VERSION="1.20.2" \ +ISTIO_VERSION="1.27.1" \ ./install_istio_separate_network.sh diff --git a/public/architectures/setup-multi-cluster/ra-03-setup-istio/install_istio_separate_network.sh b/public/architectures/setup-multi-cluster/ra-03-setup-istio/install_istio_separate_network.sh index dc66101c6..2ad345e17 100755 --- a/public/architectures/setup-multi-cluster/ra-03-setup-istio/install_istio_separate_network.sh +++ b/public/architectures/setup-multi-cluster/ra-03-setup-istio/install_istio_separate_network.sh @@ -9,7 +9,7 @@ set -eux -export ISTIO_VERSION=${ISTIO_VERSION:-1.20.2} +export ISTIO_VERSION=${ISTIO_VERSION:-1.27.1} if [[ ! -d istio-${ISTIO_VERSION} ]]; then # download Istio under the path From 9013035faceab0f6a4ab531ef04a4759858a23c6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Maciej=20Kara=C5=9B?= Date: Fri, 10 Oct 2025 17:22:49 +0200 Subject: [PATCH 4/8] Test fixes --- multi_cluster/tools/install_istio.sh | 21 +++++++++++--------- multi_cluster/tools/install_istio_central.sh | 4 ++-- 2 files changed, 14 insertions(+), 11 deletions(-) diff --git a/multi_cluster/tools/install_istio.sh b/multi_cluster/tools/install_istio.sh index 380a9bec6..3574cfb6f 100755 --- a/multi_cluster/tools/install_istio.sh +++ b/multi_cluster/tools/install_istio.sh @@ -127,6 +127,9 @@ spec: meshConfig: defaultConfig: terminationDrainDuration: 30s + proxyMetadata: + ISTIO_META_DNS_AUTO_ALLOCATE: "true" + ISTIO_META_DNS_CAPTURE: "true" values: global: meshID: mesh1 @@ -143,46 +146,46 @@ CLUSTER_1_ADDITIONAL_OPTS="" CLUSTER_2_ADDITIONAL_OPTS="" CLUSTER_3_ADDITIONAL_OPTS="" if [[ $IS_KIND == "true" ]]; then - CLUSTER_1_ADDITIONAL_OPTS="--server https://$(kubectl --context=${CTX_CLUSTER1} get node e2e-cluster-1-control-plane -o=jsonpath='{.status.addresses[?(@.type=="InternalIP")].address}'):6443" - CLUSTER_2_ADDITIONAL_OPTS="--server https://$(kubectl --context=${CTX_CLUSTER2} get node e2e-cluster-2-control-plane -o=jsonpath='{.status.addresses[?(@.type=="InternalIP")].address}'):6443" - CLUSTER_3_ADDITIONAL_OPTS="--server https://$(kubectl --context=${CTX_CLUSTER3} get node e2e-cluster-3-control-plane -o=jsonpath='{.status.addresses[?(@.type=="InternalIP")].address}'):6443" + CLUSTER_1_ADDITIONAL_OPTS="--server https://$(kubectl --context="${CTX_CLUSTER1}" get node e2e-cluster-1-control-plane -o=jsonpath='{.status.addresses[?(@.type=="InternalIP")].address}'):6443" + CLUSTER_2_ADDITIONAL_OPTS="--server https://$(kubectl --context="${CTX_CLUSTER2}" get node e2e-cluster-2-control-plane -o=jsonpath='{.status.addresses[?(@.type=="InternalIP")].address}'):6443" + CLUSTER_3_ADDITIONAL_OPTS="--server https://$(kubectl --context="${CTX_CLUSTER3}" get node e2e-cluster-3-control-plane -o=jsonpath='{.status.addresses[?(@.type=="InternalIP")].address}'):6443" fi # enable endpoint discovery bin/istioctl x create-remote-secret \ --context="${CTX_CLUSTER1}" \ -n istio-system \ - --name=cluster1 ${CLUSTER_1_ADDITIONAL_OPTS} | + --name=cluster1 "${CLUSTER_1_ADDITIONAL_OPTS}" | kubectl apply -f - --context="${CTX_CLUSTER2}" bin/istioctl x create-remote-secret \ --context="${CTX_CLUSTER1}" \ -n istio-system \ - --name=cluster1 ${CLUSTER_1_ADDITIONAL_OPTS} | + --name=cluster1 "${CLUSTER_1_ADDITIONAL_OPTS}" | kubectl apply -f - --context="${CTX_CLUSTER3}" bin/istioctl x create-remote-secret \ --context="${CTX_CLUSTER2}" \ -n istio-system \ - --name=cluster2 ${CLUSTER_2_ADDITIONAL_OPTS} | + --name=cluster2 "${CLUSTER_2_ADDITIONAL_OPTS}" | kubectl apply -f - --context="${CTX_CLUSTER1}" bin/istioctl x create-remote-secret \ --context="${CTX_CLUSTER2}" \ -n istio-system \ - --name=cluster2 ${CLUSTER_2_ADDITIONAL_OPTS} | + --name=cluster2 "${CLUSTER_2_ADDITIONAL_OPTS}" | kubectl apply -f - --context="${CTX_CLUSTER3}" bin/istioctl x create-remote-secret \ --context="${CTX_CLUSTER3}" \ -n istio-system \ - --name=cluster3 ${CLUSTER_3_ADDITIONAL_OPTS} | + --name=cluster3 "${CLUSTER_3_ADDITIONAL_OPTS}" | kubectl apply -f - --context="${CTX_CLUSTER1}" bin/istioctl x create-remote-secret \ --context="${CTX_CLUSTER3}" \ -n istio-system \ - --name=cluster3 ${CLUSTER_3_ADDITIONAL_OPTS} | + --name=cluster3 "${CLUSTER_3_ADDITIONAL_OPTS}" | kubectl apply -f - --context="${CTX_CLUSTER2}" # disable namespace injection explicitly for istio-system namespace kubectl --context="${CTX_CLUSTER1}" label namespace istio-system istio-injection=disabled diff --git a/multi_cluster/tools/install_istio_central.sh b/multi_cluster/tools/install_istio_central.sh index 2ee3e5427..2fcdadc12 100755 --- a/multi_cluster/tools/install_istio_central.sh +++ b/multi_cluster/tools/install_istio_central.sh @@ -2,12 +2,12 @@ set -eux -export VERSION=${VERSION:-1.14.2} +export VERSION=${VERSION:-1.27.1} export CTX_CLUSTER=${CTX_CLUSTER:-e2e.operator.mongokubernetes.com} source multi_cluster/tools/download_istio.sh -cd istio-${VERSION} +cd istio-"${VERSION}" bin/istioctl x uninstall --context="${CTX_CLUSTER}" --purge --skip-confirmation bin/istioctl install --context="${CTX_CLUSTER}" --set components.cni.enabled=true --set profile=default --set meshConfig.outboundTrafficPolicy.mode=REGISTRY_ONLY --skip-confirmation From 0f482786dc79f9196168ce7237ba417ccea401c4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Maciej=20Kara=C5=9B?= Date: Fri, 10 Oct 2025 17:36:35 +0200 Subject: [PATCH 5/8] Workaround for istio init-container issue --- .../opsmanager/fixtures/om_https_enabled.yaml | 25 ++++++++++++++-- .../fixtures/om_localmode-single-pv.yaml | 8 +++++ .../fixtures/remote_fixtures/nginx.yaml | 29 ++++++++++++++++--- .../tests/opsmanager/om_remotemode.py | 5 ++++ .../ops-manager/ops-manager-remote-mode.yaml | 11 ++++++- 5 files changed, 71 insertions(+), 7 deletions(-) diff --git a/docker/mongodb-kubernetes-tests/tests/opsmanager/fixtures/om_https_enabled.yaml b/docker/mongodb-kubernetes-tests/tests/opsmanager/fixtures/om_https_enabled.yaml index 85545d7f2..930a96e9b 100644 --- a/docker/mongodb-kubernetes-tests/tests/opsmanager/fixtures/om_https_enabled.yaml +++ b/docker/mongodb-kubernetes-tests/tests/opsmanager/fixtures/om_https_enabled.yaml @@ -22,7 +22,7 @@ spec: spec: volumes: - name: mongodb-versions - emptyDir: {} + emptyDir: { } containers: - name: mongodb-ops-manager volumeMounts: @@ -37,6 +37,8 @@ spec: initContainers: - name: setting-up-rhel-mongodb image: curlimages/curl:latest + securityContext: + runAsUser: 1337 # workaround for init-container istio issue -> https://istio.io/latest/docs/setup/additional-setup/cni/#compatibility-with-application-init-containers command: - curl - -L @@ -48,6 +50,8 @@ spec: mountPath: /mongodb-ops-manager/mongodb-releases - name: setting-up-rhel-mongodb-4-4 image: curlimages/curl:latest + securityContext: + runAsUser: 1337 # workaround for init-container istio issue -> https://istio.io/latest/docs/setup/additional-setup/cni/#compatibility-with-application-init-containers command: - curl - -L @@ -59,6 +63,8 @@ spec: mountPath: /mongodb-ops-manager/mongodb-releases - name: setting-up-rhel-mongodb-5-0 image: curlimages/curl:latest + securityContext: + runAsUser: 1337 # workaround for init-container istio issue -> https://istio.io/latest/docs/setup/additional-setup/cni/#compatibility-with-application-init-containers command: - curl - -L @@ -70,6 +76,8 @@ spec: mountPath: /mongodb-ops-manager/mongodb-releases - name: setting-up-rhel-mongodb-6-0 image: curlimages/curl:latest + securityContext: + runAsUser: 1337 # workaround for init-container istio issue -> https://istio.io/latest/docs/setup/additional-setup/cni/#compatibility-with-application-init-containers command: - curl - -L @@ -81,6 +89,8 @@ spec: mountPath: /mongodb-ops-manager/mongodb-releases - name: setting-up-rhel-mongodb-6-0-sig image: curlimages/curl:latest + securityContext: + runAsUser: 1337 # workaround for init-container istio issue -> https://istio.io/latest/docs/setup/additional-setup/cni/#compatibility-with-application-init-containers command: - curl - -L @@ -92,6 +102,8 @@ spec: mountPath: /mongodb-ops-manager/mongodb-releases - name: setting-up-rhel-mongodb-6-0-21 image: curlimages/curl:latest + securityContext: + runAsUser: 1337 # workaround for init-container istio issue -> https://istio.io/latest/docs/setup/additional-setup/cni/#compatibility-with-application-init-containers command: - curl - -L @@ -103,6 +115,8 @@ spec: mountPath: /mongodb-ops-manager/mongodb-releases - name: setting-up-rhel-mongodb-6-0-21-sig image: curlimages/curl:latest + securityContext: + runAsUser: 1337 # workaround for init-container istio issue -> https://istio.io/latest/docs/setup/additional-setup/cni/#compatibility-with-application-init-containers command: - curl - -L @@ -112,9 +126,10 @@ spec: volumeMounts: - name: mongodb-versions mountPath: /mongodb-ops-manager/mongodb-releases - - name: setting-up-rhel-mongodb-7-0 image: curlimages/curl:latest + securityContext: + runAsUser: 1337 # workaround for init-container istio issue -> https://istio.io/latest/docs/setup/additional-setup/cni/#compatibility-with-application-init-containers command: - curl - -L @@ -126,6 +141,8 @@ spec: mountPath: /mongodb-ops-manager/mongodb-releases - name: setting-up-rhel-mongodb-7-0-sig image: curlimages/curl:latest + securityContext: + runAsUser: 1337 # workaround for init-container istio issue -> https://istio.io/latest/docs/setup/additional-setup/cni/#compatibility-with-application-init-containers command: - curl - -L @@ -137,6 +154,8 @@ spec: mountPath: /mongodb-ops-manager/mongodb-releases - name: setting-up-rhel-mongodb-8-0 image: curlimages/curl:latest + securityContext: + runAsUser: 1337 # workaround for init-container istio issue -> https://istio.io/latest/docs/setup/additional-setup/cni/#compatibility-with-application-init-containers command: - curl - -L @@ -148,6 +167,8 @@ spec: mountPath: /mongodb-ops-manager/mongodb-releases - name: setting-up-rhel-mongodb-8-0-sig image: curlimages/curl:latest + securityContext: + runAsUser: 1337 # workaround for init-container istio issue -> https://istio.io/latest/docs/setup/additional-setup/cni/#compatibility-with-application-init-containers command: - curl - -L diff --git a/docker/mongodb-kubernetes-tests/tests/opsmanager/fixtures/om_localmode-single-pv.yaml b/docker/mongodb-kubernetes-tests/tests/opsmanager/fixtures/om_localmode-single-pv.yaml index 59079a224..32193de7a 100644 --- a/docker/mongodb-kubernetes-tests/tests/opsmanager/fixtures/om_localmode-single-pv.yaml +++ b/docker/mongodb-kubernetes-tests/tests/opsmanager/fixtures/om_localmode-single-pv.yaml @@ -35,6 +35,8 @@ spec: initContainers: - name: setting-up-rhel-mongodb-4-2-8 image: curlimages/curl:latest + securityContext: + runAsUser: 1337 # workaround for init-container istio issue -> https://istio.io/latest/docs/setup/additional-setup/cni/#compatibility-with-application-init-containers command: - curl - -L @@ -46,6 +48,8 @@ spec: mountPath: /mongodb-ops-manager/mongodb-releases - name: setting-up-rhel-mongodb-6-0-21 image: curlimages/curl:latest + securityContext: + runAsUser: 1337 # workaround for init-container istio issue -> https://istio.io/latest/docs/setup/additional-setup/cni/#compatibility-with-application-init-containers command: - curl - -L @@ -57,6 +61,8 @@ spec: mountPath: /mongodb-ops-manager/mongodb-releases - name: setting-up-rhel-mongodb-7-0 image: curlimages/curl:latest + securityContext: + runAsUser: 1337 # workaround for init-container istio issue -> https://istio.io/latest/docs/setup/additional-setup/cni/#compatibility-with-application-init-containers command: - curl - -L @@ -68,6 +74,8 @@ spec: mountPath: /mongodb-ops-manager/mongodb-releases - name: setting-up-rhel-mongodb-8-0 image: curlimages/curl:latest + securityContext: + runAsUser: 1337 # workaround for init-container istio issue -> https://istio.io/latest/docs/setup/additional-setup/cni/#compatibility-with-application-init-containers command: - curl - -L diff --git a/docker/mongodb-kubernetes-tests/tests/opsmanager/fixtures/remote_fixtures/nginx.yaml b/docker/mongodb-kubernetes-tests/tests/opsmanager/fixtures/remote_fixtures/nginx.yaml index adb665a0e..0911c9c58 100644 --- a/docker/mongodb-kubernetes-tests/tests/opsmanager/fixtures/remote_fixtures/nginx.yaml +++ b/docker/mongodb-kubernetes-tests/tests/opsmanager/fixtures/remote_fixtures/nginx.yaml @@ -29,6 +29,8 @@ spec: initContainers: - name: setting-up-mongosh-1-4-1 image: curlimages/curl:latest + securityContext: + runAsUser: 1337 # workaround for init-container istio issue -> https://istio.io/latest/docs/setup/additional-setup/cni/#compatibility-with-application-init-containers command: - sh - -c @@ -38,6 +40,8 @@ spec: mountPath: /mongodb-ops-manager/mongodb-releases/compass - name: setting-up-mongosh-1-9-1 image: curlimages/curl:latest + securityContext: + runAsUser: 1337 # workaround for init-container istio issue -> https://istio.io/latest/docs/setup/additional-setup/cni/#compatibility-with-application-init-containers command: - sh - -c @@ -47,6 +51,8 @@ spec: mountPath: /mongodb-ops-manager/mongodb-releases/compass - name: setting-up-mongosh-1-10-4 image: curlimages/curl:latest + securityContext: + runAsUser: 1337 # workaround for init-container istio issue -> https://istio.io/latest/docs/setup/additional-setup/cni/#compatibility-with-application-init-containers command: - sh - -c @@ -56,6 +62,8 @@ spec: mountPath: /mongodb-ops-manager/mongodb-releases/compass - name: setting-up-mongosh-2-0-0 image: curlimages/curl:latest + securityContext: + runAsUser: 1337 # workaround for init-container istio issue -> https://istio.io/latest/docs/setup/additional-setup/cni/#compatibility-with-application-init-containers command: - sh - -c @@ -65,6 +73,8 @@ spec: mountPath: /mongodb-ops-manager/mongodb-releases/compass - name: setting-up-mongosh-2-0-2 image: curlimages/curl:latest + securityContext: + runAsUser: 1337 # workaround for init-container istio issue -> https://istio.io/latest/docs/setup/additional-setup/cni/#compatibility-with-application-init-containers command: - sh - -c @@ -74,6 +84,8 @@ spec: mountPath: /mongodb-ops-manager/mongodb-releases/compass - name: setting-up-mongosh-2-0-2-om7 image: curlimages/curl:latest + securityContext: + runAsUser: 1337 # workaround for init-container istio issue -> https://istio.io/latest/docs/setup/additional-setup/cni/#compatibility-with-application-init-containers command: - sh - -c @@ -83,6 +95,8 @@ spec: mountPath: /mongodb-ops-manager/mongodb-releases/compass - name: setting-up-mongosh-2-1-5-om7 image: curlimages/curl:latest + securityContext: + runAsUser: 1337 # workaround for init-container istio issue -> https://istio.io/latest/docs/setup/additional-setup/cni/#compatibility-with-application-init-containers command: - sh - -c @@ -92,6 +106,8 @@ spec: mountPath: /mongodb-ops-manager/mongodb-releases/compass - name: setting-up-mongosh-2-2-3-om7 image: curlimages/curl:latest + securityContext: + runAsUser: 1337 # workaround for init-container istio issue -> https://istio.io/latest/docs/setup/additional-setup/cni/#compatibility-with-application-init-containers command: - sh - -c @@ -101,6 +117,8 @@ spec: mountPath: /mongodb-ops-manager/mongodb-releases/compass - name: setting-up-mongosh-2-2-4-om7 image: curlimages/curl:latest + securityContext: + runAsUser: 1337 # workaround for init-container istio issue -> https://istio.io/latest/docs/setup/additional-setup/cni/#compatibility-with-application-init-containers command: - sh - -c @@ -110,6 +128,8 @@ spec: mountPath: /mongodb-ops-manager/mongodb-releases/compass - name: setting-up-mongosh-2-4-0 image: curlimages/curl:latest + securityContext: + runAsUser: 1337 # workaround for init-container istio issue -> https://istio.io/latest/docs/setup/additional-setup/cni/#compatibility-with-application-init-containers command: - sh - -c @@ -119,6 +139,8 @@ spec: mountPath: /mongodb-ops-manager/mongodb-releases/compass - name: setting-up-mongosh-2-5-6 image: curlimages/curl:latest + securityContext: + runAsUser: 1337 # workaround for init-container istio issue -> https://istio.io/latest/docs/setup/additional-setup/cni/#compatibility-with-application-init-containers command: - sh - -c @@ -126,15 +148,14 @@ spec: volumeMounts: - name: mongosh-versions mountPath: /mongodb-ops-manager/mongodb-releases/compass - restartPolicy: Always - securityContext: {} + securityContext: { } terminationGracePeriodSeconds: 30 volumes: - name: mongodb-versions - emptyDir: {} + emptyDir: { } - name: mongosh-versions - emptyDir: {} + emptyDir: { } - configMap: name: nginx-conf name: nginx-conf diff --git a/docker/mongodb-kubernetes-tests/tests/opsmanager/om_remotemode.py b/docker/mongodb-kubernetes-tests/tests/opsmanager/om_remotemode.py index e75525a94..83b1577dc 100644 --- a/docker/mongodb-kubernetes-tests/tests/opsmanager/om_remotemode.py +++ b/docker/mongodb-kubernetes-tests/tests/opsmanager/om_remotemode.py @@ -14,6 +14,7 @@ VERSION_NOT_IN_WEB_SERVER = "4.2.1" + # If this test is failing after an OM Bump, ensure that the nginx deployment fixture contains the associated mongosh # version. More details in this ticket: https://jira.mongodb.org/browse/CLOUDP-332640 @@ -47,6 +48,10 @@ def add_mdb_version_to_deployment(deployment: Dict[str, Any], version: str): "name": KubernetesTester.random_k8s_name(prefix="mdb-download"), "image": "curlimages/curl:latest", "command": ["sh", "-c", f"{curl_command} && true"], + "securityContext": { + # workaround for init-container istio issue -> https://istio.io/latest/docs/setup/additional-setup/cni/#compatibility-with-application-init-containers + "runAsUser": "1337", + }, "volumeMounts": [ { "name": "mongodb-versions", diff --git a/public/samples/ops-manager/ops-manager-remote-mode.yaml b/public/samples/ops-manager/ops-manager-remote-mode.yaml index 80c5fa253..00c6bb957 100644 --- a/public/samples/ops-manager/ops-manager-remote-mode.yaml +++ b/public/samples/ops-manager/ops-manager-remote-mode.yaml @@ -53,6 +53,8 @@ spec: initContainers: - name: setting-up-rhel-mongodb-4-4 image: curlimages/curl:latest + securityContext: + runAsUser: 1337 # workaround for init-container istio issue -> https://istio.io/latest/docs/setup/additional-setup/cni/#compatibility-with-application-init-containers command: - curl - -L @@ -64,6 +66,8 @@ spec: mountPath: /mongodb-ops-manager/mongodb-releases/linux - name: setting-up-ubuntu-mongodb-4-4 image: curlimages/curl:latest + securityContext: + runAsUser: 1337 # workaround for init-container istio issue -> https://istio.io/latest/docs/setup/additional-setup/cni/#compatibility-with-application-init-containers command: - curl - -L @@ -73,9 +77,10 @@ spec: volumeMounts: - name: mongodb-versions mountPath: /mongodb-ops-manager/mongodb-releases/linux - - name: setting-up-rhel-mongodb-4-4-ent image: curlimages/curl:latest + securityContext: + runAsUser: 1337 # workaround for init-container istio issue -> https://istio.io/latest/docs/setup/additional-setup/cni/#compatibility-with-application-init-containers command: - curl - -L @@ -87,6 +92,8 @@ spec: mountPath: /mongodb-ops-manager/mongodb-releases/linux - name: setting-up-ubuntu-mongodb-4-4-ent image: curlimages/curl:latest + securityContext: + runAsUser: 1337 # workaround for init-container istio issue -> https://istio.io/latest/docs/setup/additional-setup/cni/#compatibility-with-application-init-containers command: - curl - -L @@ -98,6 +105,8 @@ spec: mountPath: /mongodb-ops-manager/mongodb-releases/linux - name: setting-up-rhel-mongodb-8-0-0 image: curlimages/curl:latest + securityContext: + runAsUser: 1337 # workaround for init-container istio issue -> https://istio.io/latest/docs/setup/additional-setup/cni/#compatibility-with-application-init-containers command: - curl - -L From 5bda5af5d08d145090d059f4e6371f69b7d2e49a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Maciej=20Kara=C5=9B?= Date: Mon, 13 Oct 2025 14:01:08 +0200 Subject: [PATCH 6/8] Revert Istio version bump --- multi_cluster/tools/README.md | 6 +++--- multi_cluster/tools/download_istio.sh | 2 +- multi_cluster/tools/install_istio.sh | 2 +- multi_cluster/tools/install_istio_central.sh | 2 +- .../code_snippets/ra-03_0040_install_istio.sh | 2 +- .../ra-03-setup-istio/install_istio_separate_network.sh | 2 +- 6 files changed, 8 insertions(+), 8 deletions(-) diff --git a/multi_cluster/tools/README.md b/multi_cluster/tools/README.md index 8809191ec..b9e09744d 100644 --- a/multi_cluster/tools/README.md +++ b/multi_cluster/tools/README.md @@ -5,15 +5,15 @@ The script is intended to install Istio in the multi E2E clusters that we have c Steps to run the script and verify it: * Install the istioctl binary: - `curl -sL https://istio.io/downloadIstioctl | ISTIO_VERSION=1.27.1 sh -` + `curl -sL https://istio.io/downloadIstioctl | ISTIO_VERSION=1.9.1 sh -` `export PATH=$PATH:$HOME/.istioctl/bin` * Export cluster variables: `export CTX_CLUSTER1=e2e.cluster1.mongokubernetes.com` - + `export CTX_CLUSTER2=e2e.cluster2.mongokubernetes.com ` * Run the script : `sh ./install_istio.sh` -* [Verify the Istio installation](https://istio.io/latest/docs/setup/install/multicluster/verify/) +* [Verify the Istio installation](https://istio.io/latest/docs/setup/install/multicluster/verify/) \ No newline at end of file diff --git a/multi_cluster/tools/download_istio.sh b/multi_cluster/tools/download_istio.sh index 880644f48..0fb687682 100755 --- a/multi_cluster/tools/download_istio.sh +++ b/multi_cluster/tools/download_istio.sh @@ -1,7 +1,7 @@ #!/usr/bin/env bash set -Eeou pipefail -export VERSION=${VERSION:-1.27.1} +export VERSION=${VERSION:-1.16.1} ISTIO_SCRIPT_CHECKSUM="254c6bd6aa5b8ac8c552561c84d8e9b3a101d9e613e2a8edd6db1f19c1871dbf" echo "Checking if we need to download Istio ${VERSION}" diff --git a/multi_cluster/tools/install_istio.sh b/multi_cluster/tools/install_istio.sh index 3574cfb6f..7c3abb292 100755 --- a/multi_cluster/tools/install_istio.sh +++ b/multi_cluster/tools/install_istio.sh @@ -5,7 +5,7 @@ set -eux export CTX_CLUSTER1=${CTX_CLUSTER1:-e2e.cluster1.mongokubernetes.com} export CTX_CLUSTER2=${CTX_CLUSTER2:-e2e.cluster2.mongokubernetes.com} export CTX_CLUSTER3=${CTX_CLUSTER3:-e2e.cluster3.mongokubernetes.com} -export VERSION=${VERSION:-1.27.1} +export VERSION=${VERSION:-1.12.8} IS_KIND="false" if [[ $CTX_CLUSTER1 = kind* ]]; then diff --git a/multi_cluster/tools/install_istio_central.sh b/multi_cluster/tools/install_istio_central.sh index 2fcdadc12..a9ce279c1 100755 --- a/multi_cluster/tools/install_istio_central.sh +++ b/multi_cluster/tools/install_istio_central.sh @@ -2,7 +2,7 @@ set -eux -export VERSION=${VERSION:-1.27.1} +export VERSION=${VERSION:-1.14.2} export CTX_CLUSTER=${CTX_CLUSTER:-e2e.operator.mongokubernetes.com} diff --git a/public/architectures/setup-multi-cluster/ra-03-setup-istio/code_snippets/ra-03_0040_install_istio.sh b/public/architectures/setup-multi-cluster/ra-03-setup-istio/code_snippets/ra-03_0040_install_istio.sh index 9033ece35..a27cc779e 100755 --- a/public/architectures/setup-multi-cluster/ra-03-setup-istio/code_snippets/ra-03_0040_install_istio.sh +++ b/public/architectures/setup-multi-cluster/ra-03-setup-istio/code_snippets/ra-03_0040_install_istio.sh @@ -1,5 +1,5 @@ CTX_CLUSTER1=${K8S_CLUSTER_0_CONTEXT_NAME} \ CTX_CLUSTER2=${K8S_CLUSTER_1_CONTEXT_NAME} \ CTX_CLUSTER3=${K8S_CLUSTER_2_CONTEXT_NAME} \ -ISTIO_VERSION="1.27.1" \ +ISTIO_VERSION="1.20.2" \ ./install_istio_separate_network.sh diff --git a/public/architectures/setup-multi-cluster/ra-03-setup-istio/install_istio_separate_network.sh b/public/architectures/setup-multi-cluster/ra-03-setup-istio/install_istio_separate_network.sh index 2ad345e17..dc66101c6 100755 --- a/public/architectures/setup-multi-cluster/ra-03-setup-istio/install_istio_separate_network.sh +++ b/public/architectures/setup-multi-cluster/ra-03-setup-istio/install_istio_separate_network.sh @@ -9,7 +9,7 @@ set -eux -export ISTIO_VERSION=${ISTIO_VERSION:-1.27.1} +export ISTIO_VERSION=${ISTIO_VERSION:-1.20.2} if [[ ! -d istio-${ISTIO_VERSION} ]]; then # download Istio under the path From 34294e3c8e8ca02f5e153754a4e10dc6a1fc5f94 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Maciej=20Kara=C5=9B?= Date: Mon, 13 Oct 2025 15:35:55 +0200 Subject: [PATCH 7/8] Revert some changes --- multi_cluster/tools/install_istio.sh | 18 +++++++++--------- multi_cluster/tools/install_istio_central.sh | 2 +- 2 files changed, 10 insertions(+), 10 deletions(-) diff --git a/multi_cluster/tools/install_istio.sh b/multi_cluster/tools/install_istio.sh index 7c3abb292..15ca12d46 100755 --- a/multi_cluster/tools/install_istio.sh +++ b/multi_cluster/tools/install_istio.sh @@ -146,46 +146,46 @@ CLUSTER_1_ADDITIONAL_OPTS="" CLUSTER_2_ADDITIONAL_OPTS="" CLUSTER_3_ADDITIONAL_OPTS="" if [[ $IS_KIND == "true" ]]; then - CLUSTER_1_ADDITIONAL_OPTS="--server https://$(kubectl --context="${CTX_CLUSTER1}" get node e2e-cluster-1-control-plane -o=jsonpath='{.status.addresses[?(@.type=="InternalIP")].address}'):6443" - CLUSTER_2_ADDITIONAL_OPTS="--server https://$(kubectl --context="${CTX_CLUSTER2}" get node e2e-cluster-2-control-plane -o=jsonpath='{.status.addresses[?(@.type=="InternalIP")].address}'):6443" - CLUSTER_3_ADDITIONAL_OPTS="--server https://$(kubectl --context="${CTX_CLUSTER3}" get node e2e-cluster-3-control-plane -o=jsonpath='{.status.addresses[?(@.type=="InternalIP")].address}'):6443" + CLUSTER_1_ADDITIONAL_OPTS="--server https://$(kubectl --context=${CTX_CLUSTER1} get node e2e-cluster-1-control-plane -o=jsonpath='{.status.addresses[?(@.type=="InternalIP")].address}'):6443" + CLUSTER_2_ADDITIONAL_OPTS="--server https://$(kubectl --context=${CTX_CLUSTER2} get node e2e-cluster-2-control-plane -o=jsonpath='{.status.addresses[?(@.type=="InternalIP")].address}'):6443" + CLUSTER_3_ADDITIONAL_OPTS="--server https://$(kubectl --context=${CTX_CLUSTER3} get node e2e-cluster-3-control-plane -o=jsonpath='{.status.addresses[?(@.type=="InternalIP")].address}'):6443" fi # enable endpoint discovery bin/istioctl x create-remote-secret \ --context="${CTX_CLUSTER1}" \ -n istio-system \ - --name=cluster1 "${CLUSTER_1_ADDITIONAL_OPTS}" | + --name=cluster1 ${CLUSTER_1_ADDITIONAL_OPTS} | kubectl apply -f - --context="${CTX_CLUSTER2}" bin/istioctl x create-remote-secret \ --context="${CTX_CLUSTER1}" \ -n istio-system \ - --name=cluster1 "${CLUSTER_1_ADDITIONAL_OPTS}" | + --name=cluster1 ${CLUSTER_1_ADDITIONAL_OPTS} | kubectl apply -f - --context="${CTX_CLUSTER3}" bin/istioctl x create-remote-secret \ --context="${CTX_CLUSTER2}" \ -n istio-system \ - --name=cluster2 "${CLUSTER_2_ADDITIONAL_OPTS}" | + --name=cluster2 ${CLUSTER_2_ADDITIONAL_OPTS} | kubectl apply -f - --context="${CTX_CLUSTER1}" bin/istioctl x create-remote-secret \ --context="${CTX_CLUSTER2}" \ -n istio-system \ - --name=cluster2 "${CLUSTER_2_ADDITIONAL_OPTS}" | + --name=cluster2 ${CLUSTER_2_ADDITIONAL_OPTS} | kubectl apply -f - --context="${CTX_CLUSTER3}" bin/istioctl x create-remote-secret \ --context="${CTX_CLUSTER3}" \ -n istio-system \ - --name=cluster3 "${CLUSTER_3_ADDITIONAL_OPTS}" | + --name=cluster3 ${CLUSTER_3_ADDITIONAL_OPTS} | kubectl apply -f - --context="${CTX_CLUSTER1}" bin/istioctl x create-remote-secret \ --context="${CTX_CLUSTER3}" \ -n istio-system \ - --name=cluster3 "${CLUSTER_3_ADDITIONAL_OPTS}" | + --name=cluster3 ${CLUSTER_3_ADDITIONAL_OPTS} | kubectl apply -f - --context="${CTX_CLUSTER2}" # disable namespace injection explicitly for istio-system namespace kubectl --context="${CTX_CLUSTER1}" label namespace istio-system istio-injection=disabled diff --git a/multi_cluster/tools/install_istio_central.sh b/multi_cluster/tools/install_istio_central.sh index a9ce279c1..2ee3e5427 100755 --- a/multi_cluster/tools/install_istio_central.sh +++ b/multi_cluster/tools/install_istio_central.sh @@ -7,7 +7,7 @@ export VERSION=${VERSION:-1.14.2} export CTX_CLUSTER=${CTX_CLUSTER:-e2e.operator.mongokubernetes.com} source multi_cluster/tools/download_istio.sh -cd istio-"${VERSION}" +cd istio-${VERSION} bin/istioctl x uninstall --context="${CTX_CLUSTER}" --purge --skip-confirmation bin/istioctl install --context="${CTX_CLUSTER}" --set components.cni.enabled=true --set profile=default --set meshConfig.outboundTrafficPolicy.mode=REGISTRY_ONLY --skip-confirmation From 99243e88a37161bff24b487ed8fe45cd07b7f135 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Maciej=20Kara=C5=9B?= Date: Mon, 13 Oct 2025 16:34:38 +0200 Subject: [PATCH 8/8] om_remotemode test fixes --- .../mongodb-kubernetes-tests/tests/opsmanager/om_remotemode.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker/mongodb-kubernetes-tests/tests/opsmanager/om_remotemode.py b/docker/mongodb-kubernetes-tests/tests/opsmanager/om_remotemode.py index 83b1577dc..80bd0a81f 100644 --- a/docker/mongodb-kubernetes-tests/tests/opsmanager/om_remotemode.py +++ b/docker/mongodb-kubernetes-tests/tests/opsmanager/om_remotemode.py @@ -50,7 +50,7 @@ def add_mdb_version_to_deployment(deployment: Dict[str, Any], version: str): "command": ["sh", "-c", f"{curl_command} && true"], "securityContext": { # workaround for init-container istio issue -> https://istio.io/latest/docs/setup/additional-setup/cni/#compatibility-with-application-init-containers - "runAsUser": "1337", + "runAsUser": 1337, }, "volumeMounts": [ {