lazyload启动失败

[xiangtianyu]

启用lazyload时在应用namespace下的global sidecar启动失败，日志如下： 2021-11-04T06:00:31.056838Z error failed to start envoy agent: failed to generate bootstrap metadata: failed to find root CA cert for XDS: root CA file for XDS does not exist var/run/secrets/istio/root-cert.pem Error: failed to start envoy agent: failed to generate bootstrap metadata: failed to find root CA cert for XDS: root CA file for XDS does not exist var/run/secrets/istio/root-cert.pem

lazyload.yaml

---
apiVersion: config.netease.com/v1alpha1
kind: SlimeBoot
metadata:
  name: lazyload
  namespace: mesh-operator
spec:
  image:
    pullPolicy: Always
    repository: docker.io/slimeio/slime-lazyload
    tag: v0.2.6-d808438
  module:
    - name: lazyload
      enable: true
      fence:
        wormholePort:
          - "9080"
      metric:
        prometheus:
          address: http://prometheus.istio-system:9090
          handlers:
            destination:
              query: |
                sum(istio_requests_total{source_app="$source_app",reporter="destination"})by(destination_service)
              type: Group
  component:
    globalSidecar:
      enable: true
      type: namespaced
      namespace:
        - istio-public
      resources:
        requests:
          cpu: 200m
          memory: 200Mi
        limits:
          cpu: 400m
          memory: 200Mi
      image:
        repository: istio/proxyv2
        tag: 1.11.4
    pilot:
      enable: true
      resources:
        requests:
          cpu: 200m
          memory: 200Mi
        limits:
          cpu: 400m
          memory: 800Mi
      image:
        repository: docker.io/slimeio/pilot
        tag: globalPilot-7.0-v0.0.3-713c611962

[ X ] Configuration Lazy Loading [ ] Http Plugin Management [ ] Adaptive Ratelimit [ ] Slime Boot

[cywang1905]

global-sidecar与global-sidecar-pilot交互，目前global-sidecar-pilot的镜像globalPilot-7.0-v0.0.3-713c611962基于1.7版本istiod，所以请把global-sidecar镜像切换为1.7.0 镜像的tag信息参考 https://github.com/slime-io/slime/wiki/Slime-Project-Tag-and-Image-Tag-Mapping-Table

[xiangtianyu]

切换了版本，使用项目sample中的yaml，现在pilot报错： [root@vm5 workspace]# kubectl logs -n mesh-operator global-sidecar-pilot-cfff475c5-dczzp gc 1 @0.017s 1%: 0.040+1.1+0.21 ms clock, 1.2+0.20/1.3/0.44+6.9 ms cpu, 4->4->1 MB, 5 MB goal, 32 P gc 2 @0.024s 2%: 0.021+85+0.20 ms clock, 0.69+0.27/85/0.53+6.5 ms cpu, 4->4->2 MB, 5 MB goal, 32 P gc 3 @0.114s 3%: 0.063+0.97+0.19 ms clock, 2.0+0.23/2.1/0.90+6.2 ms cpu, 5->5->3 MB, 6 MB goal, 32 P gc 4 @0.211s 1%: 0.086+1.5+0.030 ms clock, 2.7+0.16/3.9/0.13+0.97 ms cpu, 7->7->5 MB, 8 MB goal, 32 P gc 5 @0.313s 0%: 0.062+96+0.037 ms clock, 1.9+0/4.5/3.2+1.2 ms cpu, 11->11->9 MB, 12 MB goal, 32 P gc 6 @0.521s 0%: 0.062+88+0.008 ms clock, 1.9+1.0/5.3/3.5+0.25 ms cpu, 17->17->10 MB, 18 MB goal, 32 P Error: unknown flag: --secureGrpcAddr 2021-11-05T01:30:38.461173Z error unknown flag: --secureGrpcAddr

[YonkaFang]

global pilot的镜像也请换回原来的版本

[stanxing]

请教下为何需要一个 global-sidecar-pilot 去下发配置，而不是直接由 istiod 下发全量配置到 global sidecar 呢

[cywang1905]

global-sidecar-pilot为global-sidecar做了一些配置定制化改造，比如，普通的sidecar在无法解析请求的服务时，会根据兜底envoyfilter规则，发送到global-sidecar，但是这个兜底envoyfilter规则不能对global-sidecar生效。所以不能直接从pilot获取配置，我们也在考虑global-sidecar-pilot的维护成本，有考虑将其去除，统一从集群原有的pilot处获取