Istioctl x create-remote-secret never mounted

I am following the doc Install Multi-Primary and am curious about the last step, Enable Endpoint Discovery.

I got remote secrets in this step but failed to figure out where these secrets get mounted. They seem to be never used or attached to any pod. Could you help me figure it out?

They are picked up automatically by Istio. You can then use istioctl util to verify that the remote cluster is present.


Thank you! That’s true. istioctl remote-clusters shows the remote cluster then. I also checked Istiod’s Role and RoleBinding and found that it has access to the Secret API.
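Istiod finds remote secrets by watching the Kubernetes API for Secrets in its own namespace labelled istio/multiCluster=true, which is why no pod ever mounts them. The following is an added example, not part of the thread or of Istio's code: it takes constructed JSON shaped like the output of `kubectl get secret -n istio-system -o json` and lists which remote API server and credential each labelled secret hands to istiod. The host names, the placeholder token and the `remote_clusters` helper are assumptions.

```python
import base64
import json
import re

LABEL = "istio/multiCluster"  # label istiod's secret watcher selects on

def _kubeconfig(cluster, server):
    # Constructed stand-in for the kubeconfig that create-remote-secret embeds.
    text = (
        "apiVersion: v1\nkind: Config\nclusters:\n"
        f"- cluster:\n    server: {server}\n  name: {cluster}\n"
        f"users:\n- name: {cluster}\n  user:\n    token: PLACEHOLDER\n"
    )
    return base64.b64encode(text.encode()).decode()

# Constructed sample, not real cluster output.
SAMPLE = json.dumps({"items": [
    {"metadata": {"name": "istio-remote-secret-test2-east1",
                  "labels": {LABEL: "true"}},
     "data": {"test2-east1": _kubeconfig("test2-east1",
                                         "https://api.test2.example:6443")}},
    {"metadata": {"name": "istio-ca-secret", "labels": {}},
     "data": {"ca-cert.pem": "AAAA"}},
    {"metadata": {"name": "unlabelled-remote"},
     "data": {"test3-east1": _kubeconfig("test3-east1",
                                         "https://api.test3.example:6443")}},
]})

def remote_clusters(secret_list_json):
    """Return [(secret, cluster, api_server, has_token)] for labelled secrets."""
    found = []
    for item in json.loads(secret_list_json)["items"]:
        meta = item["metadata"]
        if (meta.get("labels") or {}).get(LABEL) != "true":
            continue  # without the label, istiod does not treat it as a remote secret
        # Each data key is a cluster name; its value is a base64 kubeconfig.
        for cluster, blob in (item.get("data") or {}).items():
            kubeconfig = base64.b64decode(blob).decode("utf-8", "replace")
            server = re.search(r"^\s*server:\s*(\S+)", kubeconfig, re.M)
            has_token = re.search(r"^\s*token:\s*\S+", kubeconfig, re.M) is not None
            found.append((meta["name"], cluster,
                          server.group(1) if server else None, has_token))
    return found

if __name__ == "__main__":
    for row in remote_clusters(SAMPLE):
        print(row)
```

Because each labelled secret carries a credential for another cluster's API server, read access to Secrets in istio-system is worth reviewing alongside istiod's own Role.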

I am following the same instructions to create the remote secrets in my 2 clusters.
I am running istio version 1.13.4 on k8s 1.21.
I too see the remote clusters show up via istioctl remote-clusters:

➜  certs git:(main) ✗ istioctl remote-clusters
NAME           SECRET                                          STATUS     ISTIOD
test-east1     istio-system/istio-remote-secret-test-east1     synced     istiod-6b7d5c567b-thp7r
➜  certs git:(main) ✗ kcuc test-east1
Switched to context "test-east1".
➜  certs git:(main) ✗ istioctl remote-clusters
NAME            SECRET                                           STATUS     ISTIOD
test2-east1     istio-system/istio-remote-secret-test2-east1     synced     istiod-58f4d85b9c-glmgt

I created a service identically on both clusters, in a namespace with the same name.
However, when I curl the service+port from either cluster, it only routes to pods in the same cluster.
(I’ve even repeated the steps from the istio docs verbatim, with the same result)

I am not sure what step I am missing. Any guidance would be appreciated!

I was able to get past this after all. I had to restart the pods so that the sidecars picked up the updated envoy config. Now cross-cluster traffic works as expected!