shared control plane multicluster fixes #22173
istio-testing merged 6 commits into istio:release-1.5 from
|
All (the pull request submitter and all commit authors) CLAs are signed, but one or more commits were authored or co-authored by someone other than the pull request submitter. We need to confirm that all authors are ok with their commits being contributed to this project. Please have them confirm that by leaving a comment that contains only Note to project maintainer: There may be cases where the author cannot leave a comment, or the comment is not properly detected as consent. In those cases, you can manually confirm consent of the commit author(s), and set the ℹ️ Googlers: Go here for more info. |
|
cc @linsun |
07e13ca to 18771db
|
CLAs look good, thanks! ℹ️ Googlers: Go here for more info. |
* Rename the remote istiod service and endpoint to `istiod-remote` to avoid conflicts with the real local istiod service.
* Use the `istiod-remote.<namespace>.svc` hostname for the sidecar and ingress proxies discoveryAddress. This address needs to match the SAN in istiod's cert. The `istiod-remote` headless service will resolve the hostname to the remote IP address.
* Add the `istiod-remote` hostname to istiod's SANs. Also use istiod's namespace to construct the legacy service names instead of hardcoding them to `istio-system`.
* Simplify the remote profile by removing redundant and unused values.
* clone LbEndpoint to prevent data race (istio#22023)
* fix meshexpansion ports for non-istiod deployments
18771db to 036fc76
…-release-1.5-backport-multicluster-fixes
|
/retest |
|
/retest |
| # Create a secret access a remote cluster with an auth plugin | ||
| istioctl --Kubeconfig=c0.yaml x create-remote-secret --name c0 --auth-type=plugin --auth-plugin-name=gcp \ | ||
| | kubectl -n istio-system --Kubeconfig=c1.yaml apply -f - | ||
| | kubectl --Kubeconfig=c1.yaml apply -f - |
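Review bot: the flag is spelled `--Kubeconfig` on the istioctl line and on both kubectl lines, but both tools define it as `--kubeconfig` in lowercase and flag names are case-sensitive, so the example fails as written when pasted. Please lowercase it in all three places. The kubectl line also appears both with and without `-n istio-system`; the example should say which namespace the secret ends up in, or show `-n <namespace>`, for installs outside `istio-system`. Minor: the comment line reads "Create a secret access a remote cluster" and is missing "to".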
@ayj what would be the cmd if users don't install istio to istio-system ns? use -n {namespace}?
Also, where can I find docs for this auth-plugin, auth-type?
Yes, users can use -n <namespace> if they install in a different namespace.
There aren't any additional docs yet for auth->{plugin,type}.
|
This should be ready for review. This is mostly a backport of #21912. Charts between 1.5 and master have diverged so it's worth taking a second look at the legacy helm charts in particular.
* Rename the remote istiod service and endpoint to `istiod-remote` to avoid conflicts with the real local istiod service.
* Use the `istiod-remote.<namespace>.svc` hostname for the sidecar and ingress proxies discoveryAddress. This address needs to match the SAN in istiod's cert. The `istiod-remote` headless service will resolve the hostname to the remote IP address.
* Add the `istiod-remote` hostname to istiod's SANs. Also use istiod's namespace to construct the legacy service names instead of hardcoding them to `istio-system`.
* Simplify the remote profile by removing redundant and unused values.
Manually backport #21912 from master.
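
The SAN requirement in the description above, as an added example that is not part of this PR or of Istio's code: a proxy dialing `istiod-remote.<namespace>.svc` rejects a serving cert whose SANs lack that name or were built for a different namespace. The helper names, the `istiod.<namespace>.svc` entry, the `mesh-a` namespace and the throwaway self-signed cert are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// istiodSANs builds a DNS SAN list from the namespace (hypothetical helper).
func istiodSANs(namespace string, withRemote bool) []string {
	sans := []string{"istiod." + namespace + ".svc"}
	if withRemote {
		sans = append(sans, "istiod-remote."+namespace+".svc")
	}
	return sans
}

// checkDiscoveryAddress issues a constructed self-signed cert carrying sans and
// runs the hostname check a TLS client applies to the discoveryAddress host.
func checkDiscoveryAddress(host string, sans []string) error {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotAfter:     time.Now().Add(time.Hour),
		DNSNames:     sans,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return err
	}
	return cert.VerifyHostname(host) // x509.HostnameError when no SAN matches
}

func main() {
	host := "istiod-remote.istio-system.svc"
	fmt.Println("SAN missing:    ", checkDiscoveryAddress(host, istiodSANs("istio-system", false)))
	fmt.Println("SAN present:    ", checkDiscoveryAddress(host, istiodSANs("istio-system", true)))
	fmt.Println("wrong namespace:", checkDiscoveryAddress("istiod-remote.mesh-a.svc", istiodSANs("istio-system", true)))
}
```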