
External Istiod single cluster steps

Lin Sun edited this page Nov 6, 2020 · 5 revisions

Please use the instructions on istio.io instead.

The steps below were tested with Istio 1.7. They will not work in prior Istio releases.

  1. Set up the required config on the remote cluster (c2) in a given namespace (istio2). Deploy the following Istio operator config (istiod2-remote.yaml):

```yaml
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  namespace: istio2
spec:
  meshConfig:
    defaultConfig:
      discoveryAddress: istiod2.x.x:15012
      controlPlaneAuthPolicy: MUTUAL_TLS
  components:
    base:
      enabled: true
    pilot:
      enabled: false
    istiodRemote:
      enabled: true
    ingressGateways:
    - name: istio-ingressgateway
      enabled: true

  values:
    global:
      caAddress: istiod2.x.x:15012
      istioNamespace: istio2

    meshConfig:
      rootNamespace: istio2

    istiodRemote:
      injectionURL: https://istiod2.x.x:15017/inject

    base:
      validationURL: https://istiod2.x.x:15017/validate

    telemetry:
      enabled: false
      v2:
        enabled: false
```

You may generate the deployable yaml with the istioctl command, then deploy it:

```shell
go run "${GOPATH}"/src/istio.io/istio/istioctl/cmd/istioctl/main.go manifest generate -f istiod2-remote.yaml --charts manifests > ../testingdir/istiod2-remote-deploy.yaml
```
  2. Create c2's kube config as a secret on the control plane cluster (c1) in the istio2 namespace, e.g.

```shell
kubectl create secret generic istio-kubeconfig --from-file=/Users/linsun/go/src/istio.io/testingdir/config -n istio2
```
  3. Deploy istiod on the control plane cluster (c1), also in the same namespace (istio2):

Note:

  • The base component is not enabled in this config, so you need to create the istiod-service-account service account in the istio2 namespace first:

```shell
kubectl create sa istiod-service-account -n istio2
```

  • You may generate the deployable yaml with the istioctl command, then deploy it:

```shell
istioctl manifest generate -f istiod-cluster.yaml --charts manifests > ../testingdir/istiod-cluster-deploy.yaml
```

Sample istiod-cluster.yaml:

```yaml
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  namespace: istio2
spec:
  meshConfig:
    defaultConfig:
      discoveryAddress: istiod2.x.x:15012
      controlPlaneAuthPolicy: MUTUAL_TLS
  components:
    base:
      enabled: false
    pilot:
      enabled: true
    ingressGateways:
    - name: istio-ingressgateway
      enabled: false
  values:
    global:
      caAddress: istiod2.x.x:15012
      istioNamespace: istio2
      operatorManageWebhooks: true

    pilot:
      env:
        ISTIOD_CUSTOM_HOST: istiod2.x.x

    meshConfig:
      rootNamespace: istio2

    telemetry:
      enabled: false
      v2:
        enabled: false
        metadataExchange: {}
        prometheus:
          enabled: false
```

Deploy an Istio mesh on the external control plane cluster to manage traffic to the istiod deployments.

  4. Deploy the minimal profile of Istio plus an ingress gateway (or the default profile) on the control plane cluster so that istiod can be exposed on its ingress gateway, e.g. the minimal-istio1.yaml below:

```yaml
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  namespace: istio1
spec:
  components:
    ingressGateways:
      - name: istio-ingressgateway
        enabled: true
        k8s:
          service:
            ports:
              - port: 15021
                targetPort: 15021
                name: status-port
              - port: 80
                targetPort: 8080
                name: http2
              - port: 443
                targetPort: 8443
                name: https
              - port: 15443
                targetPort: 15443
                name: tls
              - port: 15012
                targetPort: 15012
                name: tls-xds
              - port: 15017
                targetPort: 15017
                name: tls-webhook

  addonComponents:
    prometheus:
      enabled: false

  meshConfig:
    enableAutoMtls: false
    rootNamespace: istio1

  values:
    global:
      istioNamespace: istio1

    telemetry:
      enabled: false
      v2:
        enabled: false
        prometheus:
          enabled: false
```

Generate the deployable yaml file and deploy it:

```shell
istioctl manifest generate -f minimal-istio1.yaml --charts manifests > ../testingdir/minimal-istio1-deploy.yaml
```
  5. Expose the istiod deployed in the istio2 namespace on the Istio ingress gateway deployed from the minimal profile. Deploy the following config:

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: istiod2
  namespace: istio2
spec:
  selector:
    istio: ingressgateway
  servers:
    - port:
        number: 15012
        protocol: tls
        name: TLS-XDS
      tls:
        mode: PASSTHROUGH
      hosts:
      - "istiod2.x.x"
    - port:
        number: 15017
        protocol: tls
        name: TLS-WEBHOOK
      tls:
        mode: PASSTHROUGH
      hosts:
      - "istiod2.x.x"

---

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: istiod2-vs
  namespace: istio2
spec:
  hosts:
  - istiod2.x.x
  gateways:
  - istiod2
  tls:
  - match:
    - port: 15012
      sniHosts:
      - istiod2.x.x
    route:
    - destination:
        host: istiod
        port:
          number: 15012
  - match:
    - port: 15017
      sniHosts:
      - istiod2.x.x
    route:
    - destination:
        host: istiod
        port:
          number: 443
```
  6. You may need to restart the Istio ingress gateway pod (on c2) so that it reaches Running status.

  7. You should be able to deploy any workloads to the mesh on c2.

  8. You can repeat steps 1, 2, 3 and 5 to deploy another istiod on c1 in a new namespace, with another remote cluster data plane for that istiod on a different cluster.
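The remote cluster in step 1 is told to fetch xDS config and workload certificates from discoveryAddress/caAddress and to call the injection and validation webhooks at the two URLs, all on the hostname istiod2.x.x that steps 4 and 5 expose with SNI passthrough. The following consistency check is an added example (not part of this page or of Istio) that confirms every one of those trusted endpoints has a matching PASSTHROUGH Gateway server, a VirtualService SNI route and an exposed ingress Service port; the configs are embedded inline as the dicts yaml.safe_load would produce from the page's files, so it runs offline.

```python
from urllib.parse import urlsplit
# Constructed inline: what yaml.safe_load would give for the page's istiod2-remote.yaml,
# the istiod2 Gateway/VirtualService and minimal-istio1.yaml's ingress Service ports.
REMOTE = {"spec": {"meshConfig": {"defaultConfig": {
              "discoveryAddress": "istiod2.x.x:15012", "controlPlaneAuthPolicy": "MUTUAL_TLS"}},
          "values": {"global": {"caAddress": "istiod2.x.x:15012"},
                     "istiodRemote": {"injectionURL": "https://istiod2.x.x:15017/inject"},
                     "base": {"validationURL": "https://istiod2.x.x:15017/validate"}}}}
GATEWAY = {"spec": {"servers": [
    {"port": {"number": 15012}, "tls": {"mode": "PASSTHROUGH"}, "hosts": ["istiod2.x.x"]},
    {"port": {"number": 15017}, "tls": {"mode": "PASSTHROUGH"}, "hosts": ["istiod2.x.x"]}]}}
VS = {"spec": {"tls": [{"match": [{"port": 15012, "sniHosts": ["istiod2.x.x"]}]},
                       {"match": [{"port": 15017, "sniHosts": ["istiod2.x.x"]}]}]}}
INGRESS_PORTS = {15021, 80, 443, 15443, 15012, 15017}

def host_port(value, default_port):
    # Accepts either 'host:port' (discoveryAddress, caAddress) or an https URL (webhooks).
    if "://" in value:
        return urlsplit(value).hostname, urlsplit(value).port or default_port
    host, _, port = value.rpartition(":")
    return host, int(port)

def remote_endpoints(remote):
    """The four control-plane endpoints the remote cluster is told to trust."""
    dc = remote["spec"]["meshConfig"]["defaultConfig"]
    v = remote["spec"]["values"]
    return {"xds": host_port(dc["discoveryAddress"], 15012),
            "ca": host_port(v["global"]["caAddress"], 15012),
            "inject": host_port(v["istiodRemote"]["injectionURL"], 443),
            "validate": host_port(v["base"]["validationURL"], 443)}

def check_exposure(remote, gateway, vs, ingress_ports):
    """Mismatches between trusted endpoints and what the ingress actually exposes."""
    problems = []
    auth = remote["spec"]["meshConfig"]["defaultConfig"].get("controlPlaneAuthPolicy")
    if auth != "MUTUAL_TLS":
        problems.append(f"controlPlaneAuthPolicy is {auth!r}, expected MUTUAL_TLS")
    gw = {(h, s["port"]["number"]): s["tls"].get("mode")
          for s in gateway["spec"]["servers"] for h in s["hosts"]}
    sni = {(h, m["port"]) for r in vs["spec"]["tls"] for m in r["match"] for h in m["sniHosts"]}
    for name, (host, port) in remote_endpoints(remote).items():
        if (host, port) not in gw:
            problems.append(f"{name}: {host}:{port} has no Gateway server")
        elif gw[(host, port)] != "PASSTHROUGH":  # the gateway would terminate istiod's TLS
            problems.append(f"{name}: Gateway for {host}:{port} is not PASSTHROUGH")
        if (host, port) not in sni:
            problems.append(f"{name}: no VirtualService SNI route for {host}:{port}")
        if port not in ingress_ports:
            problems.append(f"{name}: port {port} not in the ingress gateway Service")
    return problems
```

An empty result means the remote cluster's trust configuration and the control plane cluster's exposure agree; any entry names the endpoint whose sidecars or webhooks would fail to reach istiod, or whose TLS the gateway would terminate instead of passing through.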
