Operator Installation
IstioControlPlane is a schema for both defining and customizing Istio control plane installations. Running the operator with an empty user-defined InstallSpec results in a control plane with default values, using the default charts.
The simplest install specialization is to point the user InstallSpec profile to a different values file, for example an Istio minimal control plane, which will use the values associated with the minimal control plane profile for Istio.
Deeper customization is possible at three levels:
1. New APIs defined in this file
   - Feature API: this API groups an Istio install by features and allows enabling/disabling the features, selecting base control plane profiles, as well as some additional high-level settings that are feature specific. Each feature contains one or more components, which correspond to Istio components (Pods) in the cluster.
   - k8s API: this API is a pass-through to k8s resource settings for Istio k8s resources. It allows customizing Istio k8s resources like Affinity, Resource requests/limits, PodDisruptionBudgetSpec, Selectors etc. in a more consistent and k8s-specific way compared to values.yaml. See KubernetesResourcesSpec in this file for details.
2. values.yaml: The entirety of values.yaml settings is accessible through InstallSpec (see CommonComponentSpec/Values). This API will gradually be deprecated and values there will be moved either into CRDs that are used to directly configure components or, in the case of k8s settings, will be replaced by the new API above.
3. k8s resource overlays: Once a manifest is rendered from InstallSpec, further customization can be applied by specifying k8s resource overlays. The concept is similar to kustomize, where JSON patches are applied for object paths. This allows customization at the lowest level and eliminates the need to create ad-hoc template parameters, or edit templates.
Here are a few example uses:
Default Istio install
```yaml
spec:
```
Default minimal profile install
```yaml
spec:
  profile: minimal
```
Default install with telemetry disabled
```yaml
spec:
  telemetry:
    enabled: false
```
Default install with each feature installed to different namespace and security components in separate namespaces
```yaml
spec:
  traffic_management:
    components:
      namespace: istio-traffic-management
  policy:
    components:
      namespace: istio-policy
  telemetry:
    components:
      namespace: istio-telemetry
  config_management:
    components:
      namespace: istio-config-management
  security:
    components:
      citadel:
        namespace: istio-citadel
      cert_manager:
        namespace: istio-cert-manager
      node_agent:
        namespace: istio-node-agent
```
Default install with specialized k8s settings for pilot
```yaml
spec:
  traffic_management:
    components:
      pilot:
        k8s:
          resources:
            limits:
              cpu: 444m
              memory: 333Mi
            requests:
              cpu: 222m
              memory: 111Mi
          readinessProbe:
            failureThreshold: 44
            initialDelaySeconds: 11
            periodSeconds: 22
            successThreshold: 33
```
Default install with values.yaml customizations for proxy
```yaml
spec:
  traffic_management:
    components:
      proxy:
        values:
        - global.proxy.enableCoreDump: true
        - global.proxy.dnsRefreshRate: 10s
```
Default install with modification to container flag in galley
```yaml
spec:
  config_management:
    components:
      galley:
        k8s:
          overlays:
          - apiVersion: extensions/v1beta1
            kind: Deployment
            name: istio-galley
            patches:
            - path: spec.template.spec.containers.[name:galley].command.[--livenessProbeInterval]
              value: --livenessProbeInterval=123s
```
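How the galley overlay path above addresses a single container flag, as an added example that is not the operator's own code. The selector semantics are an assumption inferred from that example, and the sample Deployment and the names `applyPatch` and `galleyCommand` are constructed here. Because an overlay can rewrite any field of a rendered resource, resolving the path against the manifest before applying it shows exactly which value changes.

```go
package main

import (
	"fmt"
	"strings"
)

// applyPatch replaces the node an overlay path addresses. ASSUMED selector semantics
// (from this page's galley example): [k:v] = map item with item[k]==v, [s] = string item with prefix s.
func applyPatch(node interface{}, path []string, value interface{}) error {
	seg, last := path[0], len(path) == 1
	switch n := node.(type) {
	case map[string]interface{}:
		if last {
			n[seg] = value
			return nil
		}
		return applyPatch(n[seg], path[1:], value)
	case []interface{}:
		sel := strings.Trim(seg, "[]")
		kv := strings.SplitN(sel, ":", 2)
		for i, item := range n {
			m, isMap := item.(map[string]interface{})
			s, isStr := item.(string)
			if !(isMap && len(kv) == 2 && m[kv[0]] == kv[1]) && !(isStr && strings.HasPrefix(s, sel)) {
				continue
			}
			if last {
				n[i] = value
				return nil
			}
			return applyPatch(item, path[1:], value)
		}
	}
	return fmt.Errorf("overlay path segment %q matches nothing", seg)
}

// galleyCommand applies the page's overlay to a constructed sample Deployment.
func galleyCommand() ([]interface{}, error) {
	cmd := []interface{}{"/usr/local/bin/galley", "--livenessProbeInterval=1s"}
	dep := map[string]interface{}{"spec": map[string]interface{}{"template": map[string]interface{}{
		"spec": map[string]interface{}{"containers": []interface{}{
			map[string]interface{}{"name": "galley", "command": cmd}}}}}}
	path := "spec.template.spec.containers.[name:galley].command.[--livenessProbeInterval]"
	return cmd, applyPatch(dep, strings.Split(path, "."), "--livenessProbeInterval=123s")
}

func main() {
	fmt.Println(galleyCommand())
}
```

Splitting on `.` is sufficient for this path; selector values that themselves contain dots would need a bracket-aware splitter. A selector that matches nothing returns an error instead of silently leaving the manifest unchanged.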
AutoInjectionFeatureSpec
Configuration options for auto injection feature.
AutoInjectionFeatureSpec.Components
CNIComponentSpec
Configuration options for cni component.
CNIFeatureSpec
Configuration options for cni feature.
CNIFeatureSpec.Components
CertManagerComponentSpec
Configuration options for certificate manager component.
CitadelComponentSpec
Configuration options for Citadel component.
ConfigManagementFeatureSpec
Configuration options for configuration management feature.
ConfigManagementFeatureSpec.Components
DeploymentStrategy
Mirrors k8s.io.api.apps.v1.DeploymentStrategy for unmarshaling.
EgressGatewayComponentSpec
Configuration options for egress gateways.
ExecAction
Mirrors k8s.io.api.core.v1.ExecAction for unmarshaling.
GalleyComponentSpec
Configuration options for galley component.
GatewayFeatureSpec
Configuration options for gateway feature.
GatewayFeatureSpec.Components
HTTPGetAction
Mirrors k8s.io.api.core.v1.HTTPGetAction for unmarshaling.
HTTPHeader
Mirrors k8s.io.api.core.v1.HTTPHeader for unmarshaling.
IngressGatewayComponentSpec
Configuration options for ingress gateways.
InstallStatus
Observed state of IstioControlPlane.
InstallStatus.Status
Name | Description |
---|---|
NONE | |
UPDATING | |
HEALTHY | |
ERROR | |
RECONCILING | |
InstallStatus.VersionStatus
IstioControlPlane
IstioControlPlane is a CustomResourceDefinition (CRD) describing an Istio control plane.
IstioControlPlaneSpec
IstioControlPlaneSpec defines the desired state of IstioControlPlane. The spec is used to define a customization of the default profile values that are supplied with each Istio release. It is grouped at the top level by feature, where behavior of Istio functional areas is specified. Each feature contains components, where k8s resource level defaults can be overridden. Because the spec is a customization API, specifying an empty InstallSpec results in a default Istio control plane.
KubernetesResourcesSpec
KubernetesResourcesConfig is a common set of k8s resource configs for components.
NodeAgentComponentSpec
Configuration options for node agent component.
ObjectMeta
PilotComponentSpec
Configuration options for the pilot component.
PodDisruptionBudgetSpec
Mirrors k8s.io.api.policy.v1beta1.PodDisruptionBudget for unmarshaling.
PolicyComponentSpec
Configuration options for the policy enforcement component.
PolicyFeatureSpec
Configuration options for the policy feature.
PolicyFeatureSpec.Components
Component specific config.
ProxyComponentSpec
Configuration options for the proxy.
ReadinessProbe
Mirrors k8s.io.api.core.v1.Probe for unmarshaling.
Resources
Mirrors k8s.io.api.core.v1.ResourceRequirements for unmarshaling.
RollingUpdateDeployment
Mirrors k8s.io.api.apps.v1.RollingUpdateDeployment for unmarshaling.
SecurityFeatureSpec
Configuration options for security feature.
SecurityFeatureSpec.Components
SidecarInjectorComponentSpec
Configuration options for the sidecar injector component.
TCPSocketAction
Mirrors k8s.io.api.core.v1.TCPSocketAction for unmarshaling.
TelemetryComponentSpec
Configuration options for the telemetry component.
TelemetryFeatureSpec
Configuration options for the telemetry feature.
TelemetryFeatureSpec.Components
Component specific config.
TrafficManagementFeatureSpec
Configuration options for traffic management.
TrafficManagementFeatureSpec.Components
Component specific config.
TypeBoolValueForPB
GOTYPE: *BoolValueForPB
TypeIntOrStringForPB
GOTYPE: *IntOrStringForPB
TypeInterface
GOTYPE: interface{}
TypeMapStringInterface
GOTYPE: map[string]interface{}
k8s.io.api.autoscaling.v2beta1.HorizontalPodAutoscalerSpec
HorizontalPodAutoscalerSpec describes the desired functionality of the HorizontalPodAutoscaler.
k8s.io.api.core.v1.Affinity
Affinity is a group of affinity scheduling rules.
k8s.io.api.core.v1.EnvVar
EnvVar represents an environment variable present in a Container.
k8s.io.api.core.v1.ServiceSpec
ServiceSpec describes the attributes that a user creates on a service.
k8s.io.api.core.v1.Toleration
The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector
A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects.
k8sObjectOverlay
Patch for an existing k8s resource.