kiali / kiali

Kiali project, observability for the Istio service mesh
https://www.kiali.io
Apache License 2.0

Script 'kiali-prepare-remote-cluster.sh' Fails with Cluster Name ARN Format Error #7160

Closed isarns closed 8 months ago

isarns commented 8 months ago

Describe the bug

When using the script kiali-prepare-remote-cluster.sh to create a multi-cluster Kiali setup, an error is thrown regarding the remote cluster name not conforming to Kubernetes rules for secret key data. The script fails with the following error:

ERROR: The remote cluster name [arn:aws:eks:eu-west-1:123456789000:cluster/my-super-cool-cluster] does not conform to Kubernetes rules for secret key data. Use --remote-cluster-name to specify a name that matches the regex '^[-._a-zA-Z0-9]+$'

This issue arises when creating the kubeconfig using aws eks update-kubeconfig, which names the cluster with the ARN of the cluster, resulting in a name that does not match the required regex pattern.

Expected Behavior

The script should either handle cluster names in ARN format or provide a clear instruction on how to format the cluster name correctly.

Steps to Reproduce

  1. Create an EKS cluster and update the kubeconfig using aws eks update-kubeconfig --name my-super-cool-cluster --alias my-super-cool-cluster.
  2. Run the script ./kiali-prepare-remote-cluster.sh --kiali-cluster-context some-cluster --remote-cluster-context my-super-cool-cluster --view-only false --dry-run true
  3. Observe the error message regarding the remote cluster name not conforming to Kubernetes rules for secret key data.

Environment

Kiali version: 1.79.0
Istio version: 1.20.2
Kubernetes implementation: EKS
Kubernetes version: 1.28

nrfox commented 8 months ago

@jmazzitelli does the istioctl create remote secret script work with ARNs? Is the problem just in how Kiali is naming the secrets/clusters? It seems like if the name works for the istioctl command then it should work with the kiali script. There might be other types of names that aren't ARNs but also fail because they don't conform to the Kubernetes secret name rules. Does the cluster name need to be a key in the secret? Can we get around the naming constraints by not having it be a key?

jmazzitelli commented 8 months ago

> istioctl create remote secret script work with ARNs?

I do not know. @isarns probably does.

> It seems like if the name works for the istioctl command then it should work with the kiali script.

It will work after the PR is merged after my suggested change is committed ;)

> Does the cluster name need to be a key in the secret? Can we get around the naming constraints by not having it be a key?

The cluster name is used for more than just the key name. See here for example (the annotation, the context name and cluster name in the kubeconfig). I thought we needed the cluster name in here somewhere at least to allow the server to look it up by cluster name; I can't remember the details. But, besides all of this, if there might be other types of names that aren't ARNs but also fail because they don't conform and you hit one of those cases, you can always explicitly declare the cluster name via the --remote-cluster-name option to the script, thus avoiding the code that uses the discovered cluster name from the kubeconfig context.
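
The check and the override discussed in this thread, as an added sketch that is not code from kiali-prepare-remote-cluster.sh or from the fix PR: it validates a name against the regex quoted in the error message and derives a conforming value to pass via --remote-cluster-name. The function names are hypothetical, and the fallback of replacing disallowed characters with '-' is an assumption of this example.

```shell
#!/bin/sh
# Added example; function names are hypothetical, sample names are constructed.

# is_valid_secret_key NAME
# Succeeds when NAME matches '^[-._a-zA-Z0-9]+$' (the regex in the error message).
is_valid_secret_key() {
  LC_ALL=C
  case "$1" in
    ''|*[!._a-zA-Z0-9-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# derive_cluster_name NAME
# Prints a conforming name: valid names pass through unchanged, an EKS ARN is
# reduced to the part after ":cluster/", and any remaining disallowed
# character becomes '-' (assumed fallback). Fails if nothing usable is left.
derive_cluster_name() {
  _n=$1
  if is_valid_secret_key "$_n"; then
    printf '%s\n' "$_n"
    return 0
  fi
  case "$_n" in
    arn:*:eks:*:cluster/*) _n=${_n#*:cluster/} ;;
  esac
  _n=$(printf '%s\n' "$_n" | LC_ALL=C sed 's/[^._a-zA-Z0-9-]/-/g')
  is_valid_secret_key "$_n" || return 1
  printf '%s\n' "$_n"
}

# Constructed inputs: the ARN from the report, a valid name, a non-ARN name.
for sample in \
  'arn:aws:eks:eu-west-1:123456789000:cluster/my-super-cool-cluster' \
  'my-super-cool-cluster' \
  'user@host/dev cluster'
do
  printf '%s -> %s\n' "$sample" "$(derive_cluster_name "$sample")"
done
```

Distinct source names can map to the same derived value (for example names differing only in ':' versus '/'), so confirm the result is unique among your clusters before passing it to --remote-cluster-name.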

isarns commented 8 months ago

> istioctl create remote secret script work with ARNs?

Unfortunately I didn't use istioctl (it was much easier to use helm), so I don't know how it handles this situation.