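Cloud Service Mesh has a declarative API to control multi-cluster traffic instead of directly creating Istio secrets. This API treats Istio secrets as an implementation detail and is more reliable than creating Istio secrets manually. Future Cloud Service Mesh features will depend on the declarative API, and you won't be able to use those new features with Istio secrets directly. The declarative API is the only supported path forward.
If you are using Istio secrets, migrate to the declarative API as soon as possible. The multicluster_mode setting directs each cluster to direct traffic to every other cluster in the mesh. Using secrets allows a more flexible configuration, letting you configure for each cluster which other clusters in the mesh it directs traffic to. For a full list of the differences between the supported features of the declarative API and Istio secrets, see Supported features using Istio APIs.
Migrate from Istio secrets to declarative API
If you provisioned Cloud Service Mesh using automatic management with the fleet feature API, you don't need to follow these steps. These steps only apply if you onboarded using asmcli --managed.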
Last updated 2025-09-04 UTC.

Configuration updates for modernization
=======================================

This document describes configuration updates you may need to make to your
managed Cloud Service Mesh before modernizing your mesh to
the `TRAFFIC_DIRECTOR` control plane from the `ISTIOD` control plane.

For more information on the modernization workflow, see the
[Managed control plane modernization](/service-mesh/v1.24/docs/modernization) page.

Migrate from Istio secrets to multicluster_mode
-----------------------------------------------

Multi-cluster secrets are not supported when a cluster is using the
`TRAFFIC_DIRECTOR` control plane. This document describes how you
can modernize from using Istio multi-cluster secrets to using `multicluster_mode`.

### Istio secrets versus declarative API overview

[Open source Istio multi-cluster](https://istio.io/latest/docs/setup/install/multicluster/) endpoint discovery works by
using `istioctl` or other tools to create a [Kubernetes Secret](https://kubernetes.io/docs/concepts/configuration/secret/) in a
cluster. This secret allows a cluster to load balance traffic to another cluster
in the mesh. The `ISTIOD` control plane then reads this
secret and begins routing traffic to that other cluster.

Cloud Service Mesh has a [declarative API](/service-mesh/v1.24/docs/operate-and-maintain/multi-cluster#endpoint-discovery-declarative-api)
to control multi-cluster traffic instead of directly creating Istio secrets. This API
treats Istio secrets as an implementation detail and is more reliable
than creating Istio secrets manually. Future Cloud Service Mesh features will
depend on the declarative API, and you won't be able to use those new
features with Istio secrets directly. The declarative API is the only
supported path forward.

If you are using Istio secrets, migrate to using the declarative API as
soon as possible. Note that the `multicluster_mode` setting directs each cluster
to direct traffic to every other cluster in the mesh. Using secrets allows a
more flexible configuration, letting you configure for each cluster which other
cluster it should direct traffic to in the mesh.
For a full list of the differences between the supported
features of the declarative API and Istio secrets, see
[Supported features using Istio APIs](/service-mesh/v1.24/docs/supported-features-managed#multi-cluster_deployment).

> **Important:** With the declarative API, an entire cluster is opted into endpoint discovery at a time. This means that every cluster with `multicluster_mode=connected` will discover endpoints for every other cluster in the fleet that also has `multicluster_mode=connected`.

### Migrate from Istio secrets to declarative API

If you provisioned Cloud Service Mesh using automatic management with the
[fleet feature API](/service-mesh/v1.24/docs/onboarding/provision-control-plane), you don't
need to follow these instructions.
These steps only apply if you onboarded using `asmcli --managed`.

Note that this process changes secrets that point to a cluster. During this process,
the endpoints are removed and then re-added. In between the endpoints
being removed and added, the traffic will
briefly revert to routing locally instead of load balancing to other clusters.
For more information, see the
[GitHub issue](https://github.com/istio/istio/issues/36365).

To move from using Istio secrets to the declarative API, follow these steps.
Execute these steps at the same time or in close succession:

1. Enable the declarative API for each cluster in the fleet where you want to
   enable multi-cluster endpoint discovery by setting
   `multicluster_mode=connected`. Note that you need to explicitly set
   `multicluster_mode=disconnected` if you don't want the cluster to be
   discoverable.

   Use the following command to opt in a cluster for multi-cluster endpoint
   discovery:

       kubectl patch configmap/asm-options -n istio-system --type merge -p '{"data":{"multicluster_mode":"connected"}}'

   Use the following command to opt a cluster out of endpoint discovery:

       kubectl patch configmap/asm-options -n istio-system --type merge -p '{"data":{"multicluster_mode":"disconnected"}}'

2. Delete old secrets.

   After setting `multicluster_mode=connected` on your clusters, each
   cluster will have a new secret generated for every other cluster that also
   has `multicluster_mode=connected` set.
   The secrets are placed in the `istio-system` namespace and have the following
   format:

       istio-remote-secret-projects-PROJECT_NAME-locations-LOCATION-memberships-MEMBERSHIPS

   Each secret will also have the label `istio.io/owned-by: mesh.googleapis.com` applied.

   Once the new secrets are created, you can delete any secrets manually
   created with `istioctl create-remote-secret`:

       kubectl delete secret SECRET_NAME -n istio-system

Once migrated, check your request metrics to make sure they're routed as
expected.
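
The "Delete old secrets" step depends on telling generated secrets from manually created ones. The following is an added example, not part of the original documentation: it uses the `istio.io/owned-by` label and the name format described above to list only the manual secrets, and refuses to list anything until at least one generated secret exists. The `istio/multiCluster=true` selector is an assumption taken from upstream Istio, and the sample rows are constructed.

```shell
#!/bin/sh
# Added example: find remote secrets that are safe to delete after switching
# to multicluster_mode=connected. Feed it the text output of:
#   kubectl get secrets -n istio-system -l istio/multiCluster=true \
#     --no-headers --show-labels
# (the label selector is an assumption based on upstream Istio).

OWNED_BY='istio.io/owned-by=mesh.googleapis.com'
MANAGED_NAME='^istio-remote-secret-projects-.+-locations-.+-memberships-.+$'

# Reads "NAME TYPE DATA AGE LABELS" rows on stdin.
# Prints one manually created secret name per line.
# Returns 1 and prints nothing when no generated secret exists yet, because
# deleting the manual secrets at that point would end cross-cluster discovery.
manual_remote_secrets() {
  awk -v owned="$OWNED_BY" -v pat="$MANAGED_NAME" '
    NF == 0 { next }
    {
      n = split($NF, labels, ","); is_managed = 0
      for (i = 1; i <= n; i++) if (labels[i] == owned) is_managed = 1
      if (is_managed) {
        managed++
        # The owner label and the documented name format should agree.
        if ($1 !~ pat)
          printf "warning: %s is labelled as generated but has an unexpected name\n", $1 > "/dev/stderr"
      } else {
        manual[++m] = $1
      }
    }
    END {
      if (managed == 0) exit 1
      for (i = 1; i <= m; i++) print manual[i]
    }'
}

# Constructed sample rows (not real cluster output).
SAMPLE='istio-remote-secret-cluster-b   Opaque   1   90d   istio/multiCluster=true
istio-remote-secret-projects-demo-proj-locations-us-central1-memberships-cluster-b   Opaque   1   5m   istio.io/owned-by=mesh.googleapis.com,istio/multiCluster=true'

# Prints the one manual secret in the sample: istio-remote-secret-cluster-b
printf '%s\n' "$SAMPLE" | manual_remote_secrets
```

Review the printed names before passing each one to `kubectl delete secret SECRET_NAME -n istio-system`.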