Trying to Install Multi-Primary but fails at creating remote secret

leo00 · April 2, 2021, 3:23am

Hoping someone ran into the same issue and can provide some further insight and guidance into the problem I am having.

$ istioctl x create-remote-secret \
>     --context="${CTX_CLUSTER1}" \
>     --name=cluster1 | \
>     kubectl apply -f - --context="${CTX_CLUSTER2}"
error: could not get access token to read resources from local kube-apiserver: wrong number of secrets (2) in serviceaccount istio-system/istio-reader-service-account
Error: could not get access token to read resources from local kube-apiserver: wrong number of secrets (2) in serviceaccount istio-system/istio-reader-service-account
error: no objects passed to apply

jmazzitelli · April 2, 2021, 3:51am

I JUST hit this very same problem a couple days ago. It is fixed already (PR merged) but is NOT in any released istioctl binary yet. You have to build your own.

You will get this if, for example, you are on OpenShift.

See this for how you can build your own istioctl to work around this: [hack] multi-cluster setup scripts by jmazzitelli · Pull Request #3713 · kiali/kiali · GitHub

Because istio/istio#30565 isn't released yet, to use this stuff, you need to build your own istioctl binary. So pull the latest istio master and run this - the resultant /tmp/istiobuild/istioctl should be copied into your Istio installation:

git checkout tags/1.9.2 -b 192-plus-istioctl-fix
git cherry-pick 1acfc29db93de5d46337c7f182b0c28456e4dcd7
make -e TARGET_OUT=/tmp/istiobuild gen-charts istioctl
cp /tmp/istiobuild/istioctl <where your existing istioctl is>

jmazzitelli · April 2, 2021, 3:53am

NOTE! If you use this istioctl to install things, you have to remember to pass in --set tag=1.9.2 because the tag default hardcoded in istioctl will be “1.9-dev” and those images aren’t on gcr.io - you need to tell the Istio Operator to use a released tag – 1.9.2 for example.

leo00 · April 2, 2021, 4:07am

Thanks @jmazzitelli. Will give it a try.

leo00 · April 2, 2021, 5:59am

This command doesn’t generate istioctl in the /tmp/istiobuild.

cp /tmp/istiobuild/istioctl .                                                          192-plus-istioctl-fix
cp: cannot stat '/tmp/istiobuild/istioctl': No such file or directory

leo00 · April 3, 2021, 5:02pm

@jmazzitelli
Tried:
make -e TARGET_OUT=/tmp/istiobuild gen-charts istioctl
on another computer and it worked there.
copied that istioctl to the existing istioctl.

Run into this problem after cleaning out the previous istio install and reinstall istio with the --set tag=1.9.2
Seems to have gotten just a litte further.

istioctl x create-remote-secret --kubeconfig=config-demo \
    --context="${CTX_CLUSTER1}" \
    --name=cluster1 | \
    kubectl apply -f - --context="${CTX_CLUSTER2}" --kubeconfig=config-demo
error: could not get access token to read resources from local kube-apiserver: wrong number of secrets (2) in serviceaccount istio-system/istio-reader-service-account, please use --secret-name to specify one
Error: could not get access token to read resources from local kube-apiserver: wrong number of secrets (2) in serviceaccount istio-system/istio-reader-service-account, please use --secret-name to specify one
error: no objects passed to apply

jmazzitelli · April 3, 2021, 5:53pm

Error: could not get access token to read resources from local kube-apiserver: wrong number of secrets (2) in serviceaccount istio-system/istio-reader-service-account, please use --secret-name to specify one

Did you do what that error messages says to do?

leo00 · April 3, 2021, 6:37pm

Which is the correct one to pick? How do you determine that? Yes, this is happening in openshift.

jmazzitelli · April 3, 2021, 6:43pm

I just picked the one with “token” in the name. Works for me.

leo00 · April 3, 2021, 6:45pm

But there is two with “token” in the name , perhaps that is why the program throws the error. Is it expecting only one?

jmazzitelli · April 3, 2021, 7:00pm

It’s not like you have 100s of them, right? Should only be like 2. Pick one. If it doesn’t work, pick the other I bet you could use any of them - I just picked one of them to use and it worked for me.

Read the PR that fixes this issue for further details on why it (erroneously) expects just one: Introduce remote secret name parameter for "istioctl x create-remote-secret" by libesz · Pull Request #30565 · istio/istio · GitHub

leo00 · April 3, 2021, 7:47pm

Thanks. I picked one and that seems to work.
secret/istio-remote-secret-cluster1 created

However, the second part,
Install a remote secret in cluster1 that provides access to cluster2’s API server.
fails:

error: no "ca.crt" data found
Error: no "ca.crt" data found
error: no objects passed to apply

I tried both tokens there with the same results.

Following the instructions laid out here:
https://istio.io/latest/docs/setup/install/multicluster/multi-primary/

jmazzitelli · April 3, 2021, 10:14pm

Feel free to check out the scripts I’m writing - might help you figure it out. These work for me (they work for both openshift and minikube). See the scripts in this PR: [hack] multi-cluster setup scripts by jmazzitelli · Pull Request #3713 · kiali/kiali · GitHub

leo00 · April 9, 2021, 7:06pm

Thank you. They helped and I was able to get further along. Much obliged.

Topic		Replies	Views
Multi-primary auth in AWS EKS	1	333	October 20, 2022
Istioctl x create-remote-secret never mounted	4	1406	June 29, 2022
Install Multi-Primary on different networks for OpenShift	1	2055	July 8, 2021
ISTIO Multi Cluster on two different network	5	345	August 31, 2023
Install Multi-Primary on different networks, TLS error	7	1434	March 28, 2021

Trying to Install Multi-Primary but fails at creating remote secret

Related topics