From b98c319e48248b45ab37d257ddeee9874d6e444b Mon Sep 17 00:00:00 2001
From: shencurl521 <150639126+shencurl521@users.noreply.github.com>
Date: Wed, 10 Jan 2024 17:05:20 +0800
Subject: [PATCH] fix: fail to dail to xds istiod.istio-system.svc:15012 (#402)

Signed-off-by: shenyixiong
Co-authored-by: shenyixiong
---
 internal/controller/istio/controller.go | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

diff --git a/internal/controller/istio/controller.go b/internal/controller/istio/controller.go
index 66490139..61c8f7b7 100644
--- a/internal/controller/istio/controller.go
+++ b/internal/controller/istio/controller.go
@@ -23,12 +23,14 @@ import (
 	networking "istio.io/api/networking/v1alpha3"
 	"istio.io/istio/pilot/pkg/config/memory"
 	istiomodel "istio.io/istio/pilot/pkg/model"
+	securityModel "istio.io/istio/pilot/pkg/security/model"
 	"istio.io/istio/pkg/adsc"
 	istioconfig "istio.io/istio/pkg/config"
 	"istio.io/istio/pkg/config/schema/collection"
 	"istio.io/istio/pkg/config/schema/collections"
 	"istio.io/istio/pkg/config/schema/gvk"
 	"istio.io/istio/pkg/security"
+	"istio.io/istio/security/pkg/credentialfetcher/plugin"
 	"istio.io/istio/security/pkg/nodeagent/cache"
 	citadel "istio.io/istio/security/pkg/nodeagent/caclient/providers/citadel"
 	"istio.io/pkg/log"
@@ -319,11 +321,13 @@ func (c *Controller) newSecretManager() (*cache.SecretManagerClient, error) {
 	// rootCert may be nil - in which case the system roots are used, and the CA is expected to have public key
 	// Otherwise assume the injection has mounted /etc/certs/root-cert.pem
 	o := &security.Options{
-		CAEndpoint: c.options.IstiodAddr,
-		ClusterID: c.options.ClusterID,
-		WorkloadNamespace: c.options.NameSpace,
-		TrustDomain: "cluster.local",
-		ServiceAccount: "aeraki",
+		CAEndpoint: c.options.IstiodAddr,
+		ClusterID: c.options.ClusterID,
+		WorkloadNamespace: c.options.NameSpace,
+		TrustDomain: "cluster.local",
+		ServiceAccount: "aeraki",
+		WorkloadRSAKeySize: 2048,
+		CredFetcher: plugin.CreateTokenPlugin(securityModel.K8sSAJwtFileName),
 	}
 	tlsOpts := &citadel.TLSOptions{}
 	tlsOpts.RootCert = istiodCACertPath
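Review bot: The two fields added to the `security.Options` literal, `WorkloadRSAKeySize` and `CredFetcher`, carry no comment explaining why they are required, so the next reader of this struct will not know which one actually cured the XDS dial failure named in the title or why a CA-client option affects it. I would annotate them, e.g. `// a non-zero key size is needed for workload certificate generation; 2048 appears to be Istio's default` above `WorkloadRSAKeySize` and `// presents the pod's projected service-account JWT to istiod when requesting the workload certificate; the token file must be mounted in the pod` above `CredFetcher`. Note also that `plugin.CreateTokenPlugin` presumably only records the token path, so a missing or unreadable token file would surface later as an authentication failure toward istiod rather than as an error from this function, which means `newSecretManager` cannot report that misconfiguration at construction time. The enclosing function `newSecretManager` continues past the end of the hunk.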