Hello,
I am trying to install Istio from scratch on an on-premise cluster and it seems that the IstioOperator CR spec is not in sync with the istio-operator deployment because most of the options I configured are ignored.
Here are the steps to install:
➜ istioctl version --remote=false
1.5.0
➜ istioctl verify-install
...
-----------------------
Install Pre-Check passed! The cluster is ready for Istio installation.
➜ istioctl operator init
Using operator Deployment image: docker.io/istio/operator:1.5.0
- Applying manifest for component Operator...
✔ Finished applying manifest for component Operator.
Component Operator installed successfully.
*** Success. ***
Now that I have the operator up and running in istio-operator namespace, I’ll apply my IstioOperator CR:
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  name: istio-controlplane
  namespace: istio-system
spec:
  profile: default
  meshConfig:
    trustDomain: example.com
    concurrency: 2
    enableAutoMtls: false
    enableTracing: false
    sds:
      enabled: true
  components:
    pilot:
      spec:
        traceSampling: 0
  addonComponents:
    prometheus:
      enabled: false
    grafana:
      enabled: true
    kiali:
      enabled: true
      createDemoSecret: true
All of the specs are set according to https://istio.io/docs/reference/config/istio.operator.v1alpha1/#IstioOperatorSpec
However, when I describe the istiod pod, the trust domain and trace sampling remain default:
Args:
  discovery
  --monitoringAddr=:15014
  --log_output_level=default:info
  --domain
  cluster.local
  --secureGrpcAddr=:15011
  --trust-domain=cluster.local
  --keepaliveMaxServerConnectionAge
  30m
  --disable-install-crds=true
and
Environment:
  JWT_POLICY: first-party-jwt
  PILOT_CERT_PROVIDER: istiod
  POD_NAME: istiod-65c5b8df9d-t9lnv (v1:metadata.name)
  POD_NAMESPACE: istio-system (v1:metadata.namespace)
  SERVICE_ACCOUNT: (v1:spec.serviceAccountName)
  PILOT_TRACE_SAMPLING: 1
  CONFIG_NAMESPACE: istio-config
  PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_OUTBOUND: true
  PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_INBOUND: false
  INJECTION_WEBHOOK_CONFIG_NAME: istio-sidecar-injector
  ISTIOD_ADDR: istiod.istio-system.svc:15012
  PILOT_EXTERNAL_GALLEY: false
Moreover, the istio configmap doesn’t reflect any meshConfig settings that I change:
mesh: |-
  accessLogEncoding: TEXT
  accessLogFile: ""
  accessLogFormat: ""
  certificates: []
  defaultConfig:
    concurrency: 2
    configPath: /etc/istio/proxy
    connectTimeout: 10s
    controlPlaneAuthPolicy: NONE
    discoveryAddress: istiod.istio-system.svc:15012
    drainDuration: 45s
    parentShutdownDuration: 1m0s
    proxyAdminPort: 15000
    serviceCluster: istio-proxy
    tracing:
      zipkin:
        address: zipkin.istio-system:9411
  disableMixerHttpReports: true
  disablePolicyChecks: true
  enableAutoMtls: true
  enableEnvoyAccessLogService: false
  enableTracing: true
  ingressClass: istio
  ingressControllerMode: STRICT
  ingressService: istio-ingressgateway
  localityLbSetting:
    enabled: true
  outboundTrafficPolicy:
    mode: ALLOW_ANY
  protocolDetectionTimeout: 100ms
  reportBatchMaxEntries: 100
  reportBatchMaxTime: 1s
  sdsUdsPath: unix:/etc/istio/proxy/SDS
  trustDomain: cluster.local
  trustDomainAliases: null
values.yaml: |-
  appNamespaces: []
  autoscaleEnabled: true
  autoscaleMax: 5
  autoscaleMin: 1
  configMap: true
  configNamespace: istio-config
  configSource:
    subscribedResources: []
  cpu:
    targetAverageUtilization: 80
  deploymentLabels: {}
  enableProtocolSniffingForInbound: false
  enableProtocolSniffingForOutbound: true
  enabled: true
  env: {}
  hub: ""
  image: pilot
  ingress:
    ingressClass: istio
    ingressControllerMode: STRICT
    ingressService: istio-ingressgateway
  jwksResolverExtraRootCA: ""
  keepaliveMaxServerConnectionAge: 30m
  meshNetworks:
    networks: {}
  namespace: istio-system
  nodeSelector: {}
  plugins: []
  podAnnotations: {}
  podAntiAffinityLabelSelector: []
  podAntiAffinityTermLabelSelector: []
  policy:
    enabled: false
  replicaCount: 1
  resources:
    requests:
      cpu: 500m
      memory: 2048Mi
  rollingMaxSurge: 100%
  rollingMaxUnavailable: 25%
  tag: ""
  tolerations: []
  traceSampling: 1
I’ve got the same issues when trying to remove the default ingressgateway or add a new one using the ingressGateways field.
Am I doing something wrong? Is this install supposed to work or is the CR spec wrong?
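
An added example, not part of the original post: a Python check for the drift described above, comparing the values requested in the CR with what the istiod pod and the mesh config actually report. The sample text is excerpted from the output in the post; the function names and the top-level-only key matching are assumptions of this example.

```python
import re

# Desired values, copied from the IstioOperator CR in the post.
DESIRED = {"trustDomain": "example.com", "enableAutoMtls": "false",
           "enableTracing": "false", "traceSampling": "0"}

# Excerpts of the effective state shown in the post (trimmed).
ISTIOD_DESCRIBE = """\
Args:
  --trust-domain=cluster.local
Environment:
  PILOT_TRACE_SAMPLING:  1
"""
MESH_CONFIG = """\
defaultConfig:
  concurrency: 2
enableAutoMtls: true
enableTracing: true
trustDomain: cluster.local
"""

# Where each setting surfaces in `kubectl describe pod` output for istiod.
PATTERNS = {"trustDomain": r"--trust-domain[=\s]+(\S+)",
            "traceSampling": r"^\s*PILOT_TRACE_SAMPLING:\s*(\S+)"}

def effective_from_describe(text):
    """Pull the trust-domain flag and trace-sampling env var out of describe output."""
    hits = {key: re.search(pat, text, re.M) for key, pat in PATTERNS.items()}
    return {key: m.group(1) for key, m in hits.items() if m}

def effective_from_mesh(text):
    """Collect top-level 'key: value' scalars; indented (nested) lines are ignored."""
    found = {}
    for line in text.splitlines():
        m = re.match(r"([A-Za-z]\w*):\s*(\S.*)$", line)
        if m:
            found[m.group(1)] = m.group(2).strip().strip('"')
    return found

def drift(desired, sources):
    """Sorted (source, key, desired, effective) per mismatch; unreported keys are skipped."""
    return sorted((name, key, want, have[key])
                  for name, have in sources.items()
                  for key, want in desired.items()
                  if key in have and have[key] != want)

if __name__ == "__main__":
    for row in drift(DESIRED, {"istiod pod": effective_from_describe(ISTIOD_DESCRIBE),
                               "mesh config": effective_from_mesh(MESH_CONFIG)}):
        print("DRIFT %s: %s wanted=%s effective=%s" % row)
```

Drift on trustDomain and enableAutoMtls is the part to treat as a security finding, since the effective values, not the requested ones, decide workload identities and whether mutual TLS is applied automatically.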