Dynamic Istio token generation for VM workloads

I’m able to get virtual machine installation working with Istio 1.8, however there is still the practical issue of how new Istio tokens should be generated for dynamic workloads. Istio / Virtual Machine Installation

The guide does not mention that each VM must have a unique Istio token. This creates a problem for VMs that are deployed in an auto-scaling group. While the root certificate, mesh.yaml, hosts, and cluster.env files can be prepared ahead of time, the Istio token must be generated as the VM boots.

Naively, one way to accomplish this would be to supply Kubernetes credentials to each VM to allow it to run istioctl x workload entry configure -f workloadgroup.yaml -o "${WORK_DIR}" --clusterID "${CLUSTER}". Has anyone implemented this?

Is anyone aware of another option? Although this topic is referenced in SPIRE documentation, I haven’t seen it discussed with Istio.

Sorry to drag this back from the depths… Did you end up figuring out a solution to this? I have two VMs in an autoscaling group that will eventually be replaced, and it’d be nice if I don’t have to manually rejoin them to the mesh when that happens :slight_smile:

Thanks!!

Yes. I’ve been out of the Kubernetes world for about a year though so I’m a bit fuzzy.
I’m pretty sure the naive approach I laid out is what we used. You need to give the VM access to Kubernetes through either IAM roles or secrets.
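The boot-time flow described in the original post and confirmed in the reply above, written out as an added example (this is not code from the thread or from the Istio project). It runs the quoted istioctl command with a kubeconfig that is bound to a narrowly scoped Kubernetes ServiceAccount, then verifies the generated bootstrap directory before the sidecar is started. The paths, the cluster ID, the kubeconfig location and the `make_fixture` helper (which writes an unsigned fake token so the script can be exercised offline) are assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example, not from the thread or the Istio project.
# Boot-time bootstrap for an auto-scaled VM joining the mesh:
#   1. run `istioctl x workload entry configure` using a kubeconfig that
#      carries only the credentials this step needs (assumed path below);
#   2. verify the files it produced and that the istio-token has not expired.
set -eu

WORK_DIR="${WORK_DIR:-/tmp/istio-bootstrap}"                       # assumed
CLUSTER="${CLUSTER:-cluster-id-placeholder}"                        # assumed
WORKLOAD_GROUP="${WORKLOAD_GROUP:-workloadgroup.yaml}"
KUBECONFIG_VM="${KUBECONFIG_VM:-/etc/istio/vm-bootstrap.kubeconfig}" # assumed

# Step 1: the command from the thread, pointed at the restricted kubeconfig.
bootstrap_vm() {
  mkdir -p "$WORK_DIR"
  istioctl x workload entry configure \
    --kubeconfig "$KUBECONFIG_VM" \
    -f "$WORKLOAD_GROUP" -o "$WORK_DIR" --clusterID "$CLUSTER"
}

# Decode the payload (second dot-separated part) of a JWT to stdout.
# base64url -> standard base64, re-adding the padding that JWTs strip.
jwt_payload() {
  p=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
  case $(( ${#p} % 4 )) in 2) p="$p==";; 3) p="$p=";; esac
  printf '%s' "$p" | base64 -d
}

# Print the numeric "exp" claim of a JWT, or nothing if it has none.
jwt_exp() {
  jwt_payload "$1" | sed -n 's/.*"exp":[ ]*\([0-9][0-9]*\).*/\1/p'
}

# Step 2: check the bootstrap directory. Returns non-zero on any failure so a
# boot script stops instead of starting a sidecar with a bad token.
# $2 (current epoch seconds) is optional and exists so tests are deterministic.
verify_bootstrap_dir() {
  dir=$1; now=${2:-$(date +%s)}
  for f in cluster.env hosts istio-token mesh.yaml root-cert.pem; do
    [ -s "$dir/$f" ] || { echo "missing or empty: $f" >&2; return 1; }
  done
  tok=$(cat "$dir/istio-token")
  set -f; old_ifs=$IFS; IFS=.; set -- $tok; IFS=$old_ifs; set +f
  [ $# -eq 3 ] || { echo "istio-token is not a three-part JWT" >&2; return 1; }
  exp=$(jwt_exp "$tok")
  [ -n "$exp" ] || { echo "istio-token has no exp claim" >&2; return 1; }
  [ "$exp" -gt "$now" ] || { echo "istio-token expired at $exp" >&2; return 1; }
  echo "bootstrap dir ok, token valid for $((exp - now))s"
}

# Constructed fixture for offline runs: placeholder files plus an UNSIGNED
# fake token ("alg":"none", literal "sig" signature) with the given exp.
# It only exercises the file and expiry checks; it is not a usable token.
make_fixture() {
  dir=$1; exp=$2
  mkdir -p "$dir"
  for f in cluster.env hosts mesh.yaml root-cert.pem; do
    echo "placeholder" > "$dir/$f"
  done
  hdr=$(printf '{"alg":"none"}' | base64 | tr '+/' '-_' | tr -d '=\n')
  pay=$(printf '{"aud":["istio-ca"],"exp":%s,"sub":"constructed"}' "$exp" \
        | base64 | tr '+/' '-_' | tr -d '=\n')
  printf '%s.%s.sig' "$hdr" "$pay" > "$dir/istio-token"
}

# On a real VM: `sh bootstrap.sh --run` bootstraps, then verifies before the
# istio service is started. Without --run the functions are only defined.
if [ "${1:-}" = "--run" ]; then
  bootstrap_vm
  verify_bootstrap_dir "$WORK_DIR"
fi
```

The credentials handed to the VM (via an IAM role or a secret, as the reply says) should belong to a ServiceAccount that can do nothing beyond this step; as far as I understand the command, that means reading the WorkloadGroup and the root-cert ConfigMap in the workload namespace and creating a token for the workload's ServiceAccount, though the exact Role rules are an assumption and should be checked against the istioctl version in use. Running `verify_bootstrap_dir` before starting the sidecar turns a silently failed or expired bootstrap into a visible boot failure rather than a VM that never joins the mesh.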