feat: Add support for Istio multicluster setup. Fixes #1191.

[shakti-das]

Fixes #1191

Checklist:

• Either (a) I've created an enhancement proposal and discussed it with the community, (b) this is a bug fix, or (c) this is a chore.
• The title of the PR is (a) conventional, (b) states what changed, and (c) suffixes the related issues number. E.g. "fix(controller): Updates such and such. Fixes #1234".
• I've signed my commits with DCO
• I have written unit and/or e2e tests for my change. PRs without these are unlikely to be merged.
• My builds are green. Try syncing with master if they are not.
• My organization is added to USERS.md.

[shakti-das]

Verified the change in our multicluster setup. I will update the docs on how to set it up next. In brief:

1. Use istioctl x create-remote-secret to generate a secret for the Istio primary cluster.
2. Label the secret with label istio.argoproj.io/primary-cluster: true.
3. Rollout controller during startup checks for the existence of this secret.
4. If a secret with this label exists, then configure Istio Controller kube client to read/watch/update from the primary/config cluster instead of the current cluster.

[shakti-das]

@jessesuen Please take a look whenever you find the time. Thanks.

[shakti-das]

@jessesuen could you please take a look and provide any feedback for the approach? Thanks.

[codecov]

Codecov Report

Merging #1274 (ba80df2) into master (503c520) will decrease coverage by 0.11%.
The diff coverage is 48.83%.

@@            Coverage Diff             @@
##           master    #1274      +/-   ##
==========================================
- Coverage   81.40%   81.28%   -0.12%     
==========================================
  Files         106      107       +1     
  Lines        9778     9818      +40     
==========================================
+ Hits         7960     7981      +21     
- Misses       1278     1295      +17     
- Partials      540      542       +2     

Impacted Files	Coverage Δ
utils/istio/multicluster.go	45.00% <45.00%> (ø)
rollout/controller.go	78.35% <100.00%> (ø)
rollout/trafficrouting.go	88.46% <100.00%> (ø)
rollout/trafficrouting/istio/controller.go	45.73% <0.00%> (+2.32%)	⬆️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 503c520...ba80df2. Read the comment docs.

[huikang]

Looks good. Just some minor questions. Thanks.

[huikang]

The default role in the manifest folder should be good

argo-rollouts/manifests/role/argo-rollouts-clusterrole.yaml

Lines 139 to 150 in 460262e

	# virtualservice/destinationrule access needed for using the Istio provider
	- apiGroups:
	- networking.istio.io
	resources:
	- virtualservices
	- destinationrules
	verbs:
	- watch
	- get
	- update
	- patch
	- list

Could you put a note there so that user doesn't need to create extra clusterrole.

[shakti-das]

Good point. If Argo controller is also installed in the primary cluster (not mandatory), then we could just use the default argo-rollouts-clusterrole instead of creating another in the primary cluster. I will add a note to mention the same. Thanks.

[huikang]

Shall we return an error here? If a user sets up the PrimaryClusterSecretLabel, the intention is to use the multi-cluster feature. Without returning an error, user may miss the error message in the caller.

[shakti-das]

It depends on do we want to stop the controller from starting up if there is an error in this setup? The current behavior is that the error related to the primary cluster setup will be logged as an error, but it won't stop the argo controller from starting up. The controller will just continue doing what it does now, i.e., assume the cluster it's running on as the cluster where Istio config is available.

[huikang]

can we include the clusterID in the returned error message, fmt.Errorf("Error building kubeconfig for primary cluster %s: %v", clusterId, err)

[huikang]

Could you elaborate a bit on how to determine the clusterid to return its config? Thanks.

[shakti-das]

The Secret passed to this method is the secret generated via istioctl x create-remote-secret and labeled istio.argoproj.io/primary-cluster: true. The istioctl x create-remote-secret command generates a Secret with the data as: clusterId: encoded-cluster-config. Here we read that data and build the kube config for the primary cluster.

[jessesuen]

Great work!

[jessesuen]

Change LGTM. @shakti-das - can you fix linting errors and I can merge it in

[sonarcloud]

Kudos, SonarCloud Quality Gate passed!

0 Bugs
0 Vulnerabilities
0 Security Hotspots
0 Code Smells

No Coverage information
0.0% Duplication

[shakti-das]

@jessesuen did a gofmt -s -w but don't know if it fixed the CI error, still see:

4 workflows awaiting approval
First-time contributors need a maintainer to approve running workflows

Could you please re-trigger the workflows? Thanks.

[shakti-das]

The log in Lint Go job:

Current runner version: '2.278.0'
Operating System
Virtual Environment
GITHUB_TOKEN Permissions
Prepare workflow directory
Prepare all required actions
Getting action download info
Download action repository 'actions/checkout@v2'
Warning: Failed to download action 'https://api.github.com/repos/actions/checkout/tarball/5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f'. Error: The operation was canceled.
Warning: Back off 26.085 seconds before retry.
Warning: Failed to download action 'https://api.github.com/repos/actions/checkout/tarball/5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f'. Error: The operation was canceled.
Warning: Back off 18.385 seconds before retry.
Error: The operation was canceled.

[jessesuen]

Yep this was a hiccup in the github action. Reran and linting has passed