How to use SDS with GKE Istio Addon


on my new created GKE cluster I wanted to try the pre-installed Istio as addon. But it looks like I can’t get SDS running with this type of Istio installation.

Based on this documenation, I wanted to use the Cert-Manager and SDS.

So I did the first step and expected to have the nodeagent running afterwards to deliver the certificates via sds. But there is no nodeagent in my istio-system namesapce.

$ istioctl manifest apply \
  --set values.gateways.istio-ingressgateway.sds.enabled=true \
  --set \
  --set \

So here are a few questions:

  1. Is SDS somehow not usable when installing Istio via GKE addon?
  2. Do I need the sidecar container (injection) to make use of sds?
  3. Can I uninstall the GKE addon and preserve all settings from Istio (installing it via helm before/afterwards)? I don’t want my IP address to be changed.

Kind regards,

You cannot modify Istio when using the GKE addon

Thank you @howardjohn
Actually there should be a big red note when you create a GKE cluster at the moment you want to enable Istio. Atm it is just “beta”. I can’t even find any information which profile is getting installed.
I disabled Istio in the GKE, updated the cluster and installed Istio by myself. Everything is running fine now.