Deprecation Notice: Custom Mixer Adapter CRDs

As discussed in the Policies and Telemetry WG, we are deprecating custom CRDs used by Istio Mixer.
This should ultimately simplify the policy and telemetry configuration model to 6 CRDs total:

  • adapter, attributemanifest, and template for Istio extension declarations;
  • handler, rule, and instance for specifying extension invocations.

Istio 1.1.3 supports both custom CRDs and the simplified CRDs for in-process adapters. Out-of-process adapters require the use of the simplified resource model. We plan to disable the support for custom CRDs in Istio 1.2 by default, so we strongly recommend using the simplified configuration model in Istio 1.1.x for all new configuration.

We have updated all default configuration in 1.1.3 to use the simplified model, and documented examples of converting the config published in Istio task guides. For example, https://istio.io/docs/tasks/policy-enforcement/denial-and-list/ lists two variants of the same config:

# before:
apiVersion: config.istio.io/v1alpha2
kind: denier
metadata:
  name: denyreviewsv3handler
spec: *params
---
apiVersion: config.istio.io/v1alpha2
kind: checknothing
metadata:
  name: denyreviewsv3request
spec:

# after:
apiVersion: config.istio.io/v1alpha2
kind: handler
metadata:
  name: denyreviewsv3handler
spec:
  compiledAdapter: denier
  params: *params
---
apiVersion: config.istio.io/v1alpha2
kind: instance
metadata:
  name: denyreviewsv3request
spec:
  compiledTemplate: checknothing

Note the use of compiledTemplate and compiledAdapter fields to indicate the in-process adapter and template references.

An important caveat is that rewriting the configuration as above changes the qualified names of the configuration resources. A qualified name of a Mixer resource consists of three parts: name, resource kind, and an optional namespace. Therefore, in the associated rule, denyreviewsv3handler.denier changes to denyreviewsv3handler.handler, or denyreviewsv3handler in short form, and similarly denyreviewsv3request.checknothing changes to denyreviewsv3request.instance, or denyreviewsv3request in short form. This means that a name collision is possible if two instances or two handlers have the same name for two different kinds. Please make sure that your instances and handlers from the same namespace carry unique names.

Reach out to us if you have any further questions.
Regards,
–kuat
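
A pre-migration check for the name-collision caveat above, as an added example that is not part of the original notice or of Istio's tooling: it maps custom kinds to handler or instance, rewrites rule references, and reports names that would clash within a namespace. The kind sets are a partial list to extend, the name.kind.namespace order of a qualified name is assumed, and the resource list is constructed sample data shaped like the items of a `kubectl get ... -o json` export.

```python
import json
from collections import defaultdict

# Assumption: partial kind lists; extend with every custom Mixer kind in use.
ADAPTER_KINDS = {"denier", "listchecker"}
TEMPLATE_KINDS = {"checknothing", "listentry"}

def simplified_kind(kind):
    """Map a custom CRD kind to the simplified kind it becomes."""
    if kind in ADAPTER_KINDS:
        return "handler"
    if kind in TEMPLATE_KINDS:
        return "instance"
    return kind  # handler, instance, rule, ... are left unchanged

def rewrite_ref(ref):
    """Rewrite a rule reference of the assumed form name.kind[.namespace]."""
    parts = ref.split(".")
    if len(parts) >= 2:
        parts[1] = simplified_kind(parts[1])
    return ".".join(parts)  # short form (bare name) passes through as-is

def find_collisions(resources):
    """Return {(namespace, new_kind, name): [old kinds]} for clashing names."""
    seen = defaultdict(list)
    for res in resources:
        meta = res["metadata"]
        key = (meta.get("namespace", "default"),
               simplified_kind(res["kind"]), meta["name"])
        seen[key].append(res["kind"])
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}

# Constructed sample; "blocklist" is a hypothetical name used by two kinds.
SAMPLE = json.loads("""[
 {"kind": "denier", "metadata": {"name": "denyreviewsv3handler", "namespace": "default"}},
 {"kind": "checknothing", "metadata": {"name": "denyreviewsv3request", "namespace": "default"}},
 {"kind": "denier", "metadata": {"name": "blocklist", "namespace": "default"}},
 {"kind": "listchecker", "metadata": {"name": "blocklist", "namespace": "default"}},
 {"kind": "listchecker", "metadata": {"name": "blocklist", "namespace": "staging"}}
]""")

if __name__ == "__main__":
    for (ns, kind, name), old in find_collisions(SAMPLE).items():
        print(f"collision: {name}.{kind}.{ns} would replace kinds {old}")
    print(rewrite_ref("denyreviewsv3handler.denier"))
```

Any reported collision needs one of the resources renamed, and its rule references updated, before the custom kinds are converted.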