updated multi primary multi network docs

[jforce]

I was just trying out multi primary multi network by following the documentation here and it wasn't working until I added spec.values.pilot.env.ROOT_CA_DIR: /etc/cacerts in the Istio resource.

Without this, I was getting the below error:

upstream connect error or disconnect/reset before headers. retried and the latest reset reason: remote connection failure, transport failure reason: TLS_error:|268435581:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED:TLS_error_end

It seems like some other versions of the docs specified this too github.com/openshift-service-mesh/sail-operator/pull/144
@

[linux-foundation-easycla]

The committers listed above are authorized under a signed CLA.

• ✅ login: jforce / name: James Force (692d3a2)

[istio-testing]

Hi @jforce. Thanks for your PR.

I'm waiting for a istio-ecosystem or istio member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[luksa]

Hmm. The default path for ROOT_CA_DIR is ./etc/cacerts (defined here), but we mount the cacerts secret into /etc/cacerts (here).

I wonder why the default doesn't match. Maybe because the working dir used to be /, which meant that ./etc/cacerts == /etc/cacerts, but that's no longer the case?

[luksa]

/ok-to-test

[luksa]

LGTM.

We can revert this if/when we fix the default path.

[istio-testing]

@jforce: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
e2e-kind-multicluster_sail-operator_main	692d3a2	link	true	/test e2e-kind-multicluster

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[luksa]

Hmm, interesting. The RedHat's build of the pilot image does set WORKDIR /. The upstream Istio image also uses / as the workdir:

$ docker run --entrypoint pwd docker.io/istio/pilot:1.24.1
/

So I'm not sure why it doesn't work in your case. What pilot image are you using, @jforce?

[luksa]

/hold until we confirm that this is truly needed

[jforce]

I don't have the cluster I was using to hand now, but I was using OSSM 3.0 TP2 (istio 1.24.1) on OpenShift (so the Red Hat build)