kmesh-net / kmesh

High Performance ServiceMesh Data Plane Based on Programmable Kernel

Home Page:https://kmesh.net

Improve ADS with istiod

hzxuzhonghu opened this issue · comments

The bootstrap config is currently almost static; we can only update the ADS server address now. And it cannot communicate with the server via a secure port.

IMO, we have several steps to make the ADS more secure:

  • Support secure ADS communication with the kmesh token
  • Support dynamic node ID generation; the node ID is the identity corresponding to the pod name: "nodeType~" + ip + "~" + podname.namespace + "~" + "namespace.svc.cluster.local"
  • Bring a nonce when ACK/NACK
  • We do not need to request listeners after CDS is handled each time. IMO, we only need to send it once per stream. Otherwise, istiod will duplicate listener pushes.

/assign

Currently the ACK sent from kmesh does not align with the xDS protocol, which requires a nonce, but we do not provide one.


kmesh should set up a secure connection with port 15012 of istiod.

Istio will create a configmap named "istiod-ca-cert" when each new ns is created. kmesh should mount it to "/var/run/secrets/istio" and should use the root CA at "/var/run/secrets/istio/root-cert.pem" to authenticate control plane.

kmesh also should mount a serviceAccountToken type volume at "/var/run/secrets/tokens", and kmesh should load "/var/run/secrets/tokens/istio-token" as the RPC token, which is used by the control plane to authenticate kmesh.
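The two mounts described in the comment above, loaded into client-side credentials, as an added example in Go (this is illustrative code written for this page, not kmesh's own implementation). It assumes the root CA at `/var/run/secrets/istio/root-cert.pem` is a PEM bundle, that the projected token at `/var/run/secrets/tokens/istio-token` is sent as an `authorization: Bearer <token>` gRPC metadata entry, and that the istiod certificate carries the SAN `istiod.istio-system.svc`; the self-signed CA and token written to a temporary directory in `main` are constructed demo data, not a real cluster's secrets.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"strings"
	"time"
)

// Mount paths from the comment (assumed to be where kmesh projects them).
const (
	RootCertPath = "/var/run/secrets/istio/root-cert.pem"
	TokenPath    = "/var/run/secrets/tokens/istio-token"
	IstiodServer = "istiod.istio-system.svc" // assumed SAN on the istiod cert
)

// ControlPlaneCreds is what the ADS client needs toward istiod:15012:
// TLS trust to authenticate the control plane, and a token so the
// control plane can authenticate kmesh.
type ControlPlaneCreds struct {
	TLS   *tls.Config
	Token string
}

// LoadRootCA turns the PEM root bundle into a tls.Config that only trusts
// the Istio CA (not the system roots) for the istiod connection.
func LoadRootCA(pemBytes []byte) (*tls.Config, error) {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(pemBytes) {
		return nil, errors.New("root-cert.pem contains no parseable CA certificate")
	}
	return &tls.Config{
		RootCAs:    pool,
		ServerName: IstiodServer,
		MinVersion: tls.VersionTLS12,
	}, nil
}

// LoadToken rejects an empty or whitespace-only projected token instead of
// silently sending "Bearer " to the control plane.
func LoadToken(raw []byte) (string, error) {
	tok := strings.TrimSpace(string(raw))
	if tok == "" {
		return "", errors.New("istio-token is empty")
	}
	return tok, nil
}

// LoadControlPlaneCreds reads both mounted files.
func LoadControlPlaneCreds(rootCertPath, tokenPath string) (*ControlPlaneCreds, error) {
	caPEM, err := os.ReadFile(rootCertPath)
	if err != nil {
		return nil, fmt.Errorf("read root CA: %w", err)
	}
	tlsCfg, err := LoadRootCA(caPEM)
	if err != nil {
		return nil, err
	}
	rawTok, err := os.ReadFile(tokenPath)
	if err != nil {
		return nil, fmt.Errorf("read token: %w", err)
	}
	tok, err := LoadToken(rawTok)
	if err != nil {
		return nil, err
	}
	return &ControlPlaneCreds{TLS: tlsCfg, Token: tok}, nil
}

// RPCMetadata is the per-call metadata attached to every ADS request
// (assumed header name and format).
func (c *ControlPlaneCreds) RPCMetadata() map[string]string {
	return map[string]string{"authorization": "Bearer " + c.Token}
}

// demoRootCertPEM generates a throwaway self-signed CA standing in for the
// istiod-ca-cert configmap content. Constructed test data only.
func demoRootCertPEM() []byte {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{Organization: []string{"cluster.local"}},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	// Stand in for the two volume mounts with a temporary directory.
	dir, _ := os.MkdirTemp("", "kmesh-creds")
	defer os.RemoveAll(dir)
	root := filepath.Join(dir, "root-cert.pem")
	tok := filepath.Join(dir, "istio-token")
	_ = os.WriteFile(root, demoRootCertPEM(), 0o600)
	_ = os.WriteFile(tok, []byte("eyJ.demo.token\n"), 0o600)

	creds, err := LoadControlPlaneCreds(root, tok)
	if err != nil {
		panic(err)
	}
	fmt.Println("server name:", creds.TLS.ServerName, "metadata:", creds.RPCMetadata())
}
```

The `tls.Config` only carries `RootCAs`; a client certificate is not needed because istiod authenticates the workload by the bearer token, while the root CA is what stops kmesh from accepting a spoofed control plane on 15012.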

what do you mean?

As seen here:

ResourceNames: []string{},

resource names are not correctly set.
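The ADS client behaviour discussed in this thread (the node ID format from the issue body, the ACK/NACK nonce requirement, sending the listener subscription once per stream, and carrying the subscribed resource names in the ACK instead of an empty slice), worked through as an added Go example; this is illustrative code written for this page, not kmesh's own code. The `DiscoveryRequest`/`DiscoveryResponse` structs are simplified stand-ins for the generated xDS protobuf messages, `Stream`, `Subscribe` and `Respond` are names chosen here, and the versions, nonces and resource names in `main` are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

const (
	ClusterType  = "type.googleapis.com/envoy.config.cluster.v3.Cluster"
	ListenerType = "type.googleapis.com/envoy.config.listener.v3.Listener"
	EndpointType = "type.googleapis.com/envoy.config.endpoint.v3.ClusterLoadAssignment"
)

// Stand-ins for the xDS messages (assumed shape; the real ones are the
// envoy.service.discovery.v3 protobufs).
type DiscoveryResponse struct {
	VersionInfo string
	Nonce       string
	TypeUrl     string
	Resources   []string
}

type DiscoveryRequest struct {
	NodeID        string
	VersionInfo   string
	ResponseNonce string
	TypeUrl       string
	ResourceNames []string
	ErrorDetail   string // non-empty only on a NACK
}

// NodeID builds the identity from the issue:
// "nodeType~" + ip + "~" + podname.namespace + "~" + namespace + ".svc.cluster.local"
func NodeID(nodeType, ip, podName, namespace string) string {
	return strings.Join([]string{
		nodeType, ip, podName + "." + namespace, namespace + ".svc.cluster.local",
	}, "~")
}

// Stream holds per-type state for one ADS stream.
type Stream struct {
	nodeID     string
	accepted   map[string]string   // type URL -> last ACKed version_info
	names      map[string][]string // type URL -> subscribed resource names
	subscribed map[string]bool     // type URL -> initial request already sent
}

func NewStream(nodeID string) *Stream {
	return &Stream{nodeID: nodeID, accepted: map[string]string{},
		names: map[string][]string{}, subscribed: map[string]bool{}}
}

// Subscribe builds the initial request for a type. It is sent once per
// stream; re-sending it after every CDS response is what makes istiod push
// the same listeners again. nil names means the wildcard subscription.
func (s *Stream) Subscribe(typeUrl string, names []string) (DiscoveryRequest, bool) {
	if s.subscribed[typeUrl] {
		return DiscoveryRequest{}, false
	}
	if names == nil {
		names = []string{}
	}
	s.subscribed[typeUrl] = true
	s.names[typeUrl] = names
	return DiscoveryRequest{NodeID: s.nodeID, TypeUrl: typeUrl, ResourceNames: names}, true
}

// Respond applies a push and returns the ACK or NACK. Both echo resp.Nonce
// in response_nonce and repeat the subscribed resource names; a NACK keeps
// the last accepted version_info and sets error_detail.
func (s *Stream) Respond(resp DiscoveryResponse, apply func(DiscoveryResponse) error) DiscoveryRequest {
	req := DiscoveryRequest{
		NodeID:        s.nodeID,
		TypeUrl:       resp.TypeUrl,
		ResponseNonce: resp.Nonce,
		ResourceNames: s.names[resp.TypeUrl],
		VersionInfo:   s.accepted[resp.TypeUrl],
	}
	if err := apply(resp); err != nil {
		req.ErrorDetail = err.Error() // NACK: version stays at the last good one
		return req
	}
	s.accepted[resp.TypeUrl] = resp.VersionInfo
	req.VersionInfo = resp.VersionInfo // ACK
	return req
}

func main() {
	s := NewStream(NodeID("sidecar", "10.0.0.7", "app-6d9c", "default"))
	initial, _ := s.Subscribe(ClusterType, nil)
	fmt.Printf("initial CDS: %+v\n", initial)
	ok := func(DiscoveryResponse) error { return nil }
	ack := s.Respond(DiscoveryResponse{VersionInfo: "v1", Nonce: "n1", TypeUrl: ClusterType}, ok)
	fmt.Printf("ACK:  %+v\n", ack)
	bad := func(DiscoveryResponse) error { return errors.New("cluster has no endpoints config") }
	nack := s.Respond(DiscoveryResponse{VersionInfo: "v2", Nonce: "n2", TypeUrl: ClusterType}, bad)
	fmt.Printf("NACK: %+v\n", nack)
	if _, again := s.Subscribe(ListenerType, nil); again {
		_, again = s.Subscribe(ListenerType, nil)
		fmt.Println("second LDS subscription suppressed:", !again)
	}
}
```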