This is the first time I have been trying to install managed Anthos into one of the clusters in GKE. I admit I do not fully understand the full process of installation and troubleshooting I have already done.
It looks like a managed service has failed to install. When I run:
kubectl describe controlplanerevision asm-managed -n istio-system
I get this status:
Status:
  Conditions:
    Last Transition Time: 2022-03-15T14:16:21Z
    Message: The provisioning process has not completed successfully
    Reason: NotProvisioned
    Status: False
    Type: Reconciled
    Last Transition Time: 2022-03-15T14:16:21Z
    Message: Provisioning has finished
    Reason: ProvisioningFinished
    Status: True
    Type: ProvisioningFinished
    Last Transition Time: 2022-03-15T14:16:21Z
    Message: Workload identity is not enabled at node level
    Reason: PreconditionFailed
    Status: True
    Type: Stalled
Events: <none>
However, I have Workload identity enabled on a cluster level and I cannot see any options in GCP Console to set that for just a node level.
I am not sure if this is related to istiod-asm-1125-0 logging some errors. One of them is about failure to load CA secret:
Nevertheless, the service mesh does not show as added or connected in Anthos Dashboard. The cluster is registered with Anthos.
I created a new node pool with more CPU and more nodes as I was getting a warning about not having enough CPU. Istio service mesh increases the need for CPU.
I migrated my deployment from old node pool to the new one.
I ran
istioctl analyze -A
and found a few warnings about istio-injection not being enabled in a few namespaces. I fixed that.
I re-ran the asmcli install command without CA:
./asmcli install --project_id my-app --cluster_name my-cluster --cluster_location europe-west1-b --fleet_id my-app --output_dir anthos-service-mesh --enable_all
All or some of the above did the trick.
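An added example, not part of the original post: on GKE, Workload Identity is enabled once on the cluster and separately on each node pool (workload metadata mode GKE_METADATA), and a pool created before the cluster setting was turned on keeps its old mode. Assuming the Stalled message above refers to that node-pool setting, this sketch reads the Stalled condition and flags pools without it; the sample JSON and pool names are constructed, shaped like the output of `kubectl get controlplanerevision asm-managed -n istio-system -o json` and `gcloud container node-pools list --format=json`.

```python
import json

# Constructed sample shaped like `gcloud container node-pools list --format=json`
# output (pool names are made up for this example).
SAMPLE_NODE_POOLS = json.loads("""
[
  {"name": "old-pool", "config": {"machineType": "e2-medium"}},
  {"name": "legacy-meta-pool",
   "config": {"workloadMetadataConfig": {"mode": "GCE_METADATA"}}},
  {"name": "new-pool",
   "config": {"workloadMetadataConfig": {"mode": "GKE_METADATA"}}}
]
""")

# Constructed sample shaped like .status.conditions of the
# controlplanerevision object, using the messages quoted in the post.
SAMPLE_CONDITIONS = [
    {"type": "Reconciled", "status": "False", "reason": "NotProvisioned",
     "message": "The provisioning process has not completed successfully"},
    {"type": "Stalled", "status": "True", "reason": "PreconditionFailed",
     "message": "Workload identity is not enabled at node level"},
]


def stalled_reasons(conditions):
    """Return the messages of conditions reporting the revision as stalled."""
    return [c["message"] for c in conditions
            if c.get("type") == "Stalled" and c.get("status") == "True"]


def pools_without_workload_identity(node_pools):
    """Return names of node pools not running the GKE metadata server."""
    missing = []
    for pool in node_pools:
        # A pool with no workloadMetadataConfig at all also counts as missing.
        mode = (pool.get("config", {})
                    .get("workloadMetadataConfig", {})
                    .get("mode"))
        if mode != "GKE_METADATA":
            missing.append(pool["name"])
    return missing


if __name__ == "__main__":
    for msg in stalled_reasons(SAMPLE_CONDITIONS):
        print("stalled:", msg)
    for name in pools_without_workload_identity(SAMPLE_NODE_POOLS):
        print("node pool without GKE_METADATA:", name)
```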