Commit

Fix usages of istioctl create-remote-secret
By default, istioctl creates the ServiceAccount if it doesn't yet exist. If you run the `create-remote-secret` command before you create the Istio resource, the ServiceAccount won't yet exist and will therefore be created, along with a ClusterRole and ClusterRoleBinding. This will later cause the reconciliation of the Istio resource to fail because Helm will refuse to overwrite these resources.

Signed-off-by: Marko Lukša <[email protected]>
luksa committed Dec 18, 2024
1 parent 977c9fb commit aaa2e9b
Showing 3 changed files with 19 additions and 9 deletions.
18 changes: 12 additions & 6 deletions docs/README.md
Expand Up @@ -940,7 +940,8 @@ These installation instructions are adapted from: https://istio.io/latest/docs/s
```sh
istioctl create-remote-secret \
--context="${CTX_CLUSTER1}" \
--name=cluster1 | \
--name=cluster1 \
--create-service-account=false | \
kubectl apply -f - --context="${CTX_CLUSTER2}"
```

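Review bot: The text around this block should say why `--create-service-account=false` is passed and what it requires. With the flag off, `istioctl create-remote-secret` no longer creates the ServiceAccount in `${CTX_CLUSTER1}`, so the Istio resource has to be created and reconciled there before this step or the command fails. One sentence ahead of the block stating that ordering, per the commit message, would keep readers from dropping the flag to get past the error and re-creating the ServiceAccount, ClusterRole and ClusterRoleBinding that Helm then refuses to overwrite.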
Expand All @@ -951,7 +952,8 @@ These installation instructions are adapted from: https://istio.io/latest/docs/s
istioctl create-remote-secret \
--context="${CTX_CLUSTER1}" \
--name=cluster1 \
--server="https://${CLUSTER1_CONTAINER_IP}:6443" | \
--server="https://${CLUSTER1_CONTAINER_IP}:6443" \
--create-service-account=false | \
kubectl apply -f - --context "${CTX_CLUSTER2}"
```

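Review bot: Style, on the unchanged last line of this block: `kubectl apply -f - --context "${CTX_CLUSTER2}"` uses the space-separated form, while the block above and the `istioctl` lines use `--context="${...}"`. Since the block is being touched anyway, pick one form across the README so the commands are easy to compare against each other.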
Expand All @@ -960,7 +962,8 @@ These installation instructions are adapted from: https://istio.io/latest/docs/s
```sh
istioctl create-remote-secret \
--context="${CTX_CLUSTER2}" \
--name=cluster2 | \
--name=cluster2 \
--create-service-account=false | \
kubectl apply -f - --context="${CTX_CLUSTER1}"
```

Expand All @@ -971,7 +974,8 @@ These installation instructions are adapted from: https://istio.io/latest/docs/s
istioctl create-remote-secret \
--context="${CTX_CLUSTER2}" \
--name=cluster2 \
--server="https://${CLUSTER2_CONTAINER_IP}:6443" | \
--server="https://${CLUSTER2_CONTAINER_IP}:6443" \
--create-service-account=false | \
kubectl apply -f - --context "${CTX_CLUSTER1}"
```

Expand Down Expand Up @@ -1133,7 +1137,8 @@ In this setup there is a Primary cluster (`cluster1`) and a Remote cluster (`clu
```sh
istioctl create-remote-secret \
--context="${CTX_CLUSTER2}" \
--name=remote | \
--name=remote \
--create-service-account=false | \
kubectl apply -f - --context="${CTX_CLUSTER1}"
```

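Review bot: Missing documentation for the Primary-Remote case: here the secret is generated from `${CTX_CLUSTER2}`, the Remote cluster, so with `--create-service-account=false` the ServiceAccount has to exist on that cluster already. The README should name the earlier step that creates it there and have the reader confirm it is present before running this command.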
Expand All @@ -1144,7 +1149,8 @@ In this setup there is a Primary cluster (`cluster1`) and a Remote cluster (`clu
istioctl create-remote-secret \
--context="${CTX_CLUSTER2}" \
--name=remote \
--server="https://${REMOTE_CONTAINER_IP}:6443" | \
--server="https://${REMOTE_CONTAINER_IP}:6443" \
--create-service-account=false | \
kubectl apply -f - --context "${CTX_CLUSTER1}"
```

6 changes: 4 additions & 2 deletions docs/multicluster/setup-multi-primary.sh
Expand Up @@ -166,7 +166,8 @@ WEST_CONTAINER_IP=$(kubectl get nodes east-control-plane --context "${CTX_CLUSTE
istioctl create-remote-secret \
--context="${CTX_CLUSTER1}" \
--name=east \
--server="https://${WEST_CONTAINER_IP}:6443" | \
--server="https://${WEST_CONTAINER_IP}:6443" \
--create-service-account=false | \
kubectl apply -f - --context "${CTX_CLUSTER2}"

# 11. Install a remote secret in east that provides access to west’s API server.
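Review bot: Naming in this step is crossed, which makes the new flag harder to reason about: `WEST_CONTAINER_IP` is read from the `east-control-plane` node (hunk header) and then used as `--server` for the secret named `east`. Renaming the variable to match the cluster it points at (the same applies to `EAST_CONTAINER_IP` in step 11) would make it obvious which API server each remote secret grants access to.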
Expand All @@ -175,7 +176,8 @@ EAST_CONTAINER_IP=$(kubectl get nodes west-control-plane --context "${CTX_CLUSTE
istioctl create-remote-secret \
--context="${CTX_CLUSTER2}" \
--name=west \
--server="https://${EAST_CONTAINER_IP}:6443" | \
--server="https://${EAST_CONTAINER_IP}:6443" \
--create-service-account=false | \
kubectl apply -f - --context "${CTX_CLUSTER1}"

# 12. Deploy sample applications and verify that you get a response from both v1 and v2 of the helloworld service.
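Review bot: Error handling around the pipe in step 11: with `--create-service-account=false`, `istioctl` exits with an error when the ServiceAccount is not there yet, but the pipeline's status is that of `kubectl apply` unless the script sets `set -o pipefail`, which the visible lines do not show. Consider confirming it is set at the top of the script, or capturing the `istioctl` output in a variable and testing the exit code before applying, so the failure points at the missing ServiceAccount rather than at an empty manifest.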
4 changes: 3 additions & 1 deletion tests/e2e/util/istioctl/istioctl.go
Expand Up @@ -48,7 +48,9 @@ func istioctl(format string, args ...interface{}) string {
// - secretName: name of the secret
// - internalIP: internal IP of the remote cluster
func CreateRemoteSecret(remoteKubeconfig string, secretName string, internalIP string) (string, error) {
cmd := istioctl("create-remote-secret --kubeconfig %s --name %s --server=https://%s:6443", remoteKubeconfig, secretName, internalIP)
cmd := istioctl(
"create-remote-secret --kubeconfig %s --name %s --server=https://%s:6443 --create-service-account=false",
remoteKubeconfig, secretName, internalIP)
yaml, err := shell.ExecuteCommand(cmd)

return yaml, err
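Review bot: The doc comment above `CreateRemoteSecret` still lists only the three parameters; it should now state that the function passes `--create-service-account=false` and therefore expects the ServiceAccount to exist in the remote cluster before it is called, since a test that calls it earlier will get an error instead of YAML. Separately, `remoteKubeconfig` and `secretName` go into the command string through bare `%s`; if `shell.ExecuteCommand` runs the string through a shell, quoting them would keep a path containing spaces from splitting the arguments.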