Hi
I have one question. I am a senior enterprise architect for Humana, and for security reasons, pulling container images directly from Docker Hub is prohibited. We need to scan Docker Hub images first, then import them to JFrog and then to Azure ACR. My question is: does running istioctl pull anything from Docker Hub? If yes, how can we modify the source Artifactory to point to Azure ACR?
We set hub while installing Istio; that changes the Docker image paths to JFrog. We also use imagePullSecrets. You can use the Azure ACR URL instead of JFrog.
Image pull secrets should be present in all the namespaces where Istio injection is enabled.
```yaml
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  meshConfig:
    accessLogFile: /dev/stdout
  hub: <private-registry>.jfrog.io/istio
  ...
  ...
  ...
    global:
      imagePullSecrets:
      - regcred
```
Thank you Deepak. I am looking to do a full install of Istio. Do you have a YAML file to share? Or is there any documentation in Istio where I can get the YAML file? I went through istio.io and all I can see is the istioctl install command, but no flexibility to change the image pull URL.
Hi, I went down the same path in the past, and the following writeup covers this: https://medium.com/sparsecode/customize-installation-of-istio-service-mesh-in-kubernetes-cluster-8a38641471a7
Refer to the Istio operator API. Some options aren't available in the operator API, so I have used the values section after referring to the Helm options.
You need to create the YAML file on your own :-). Here is what I use for 1.5.x; 1.6 needs a little change (not off the top of my head).
Use istioctl manifest generate -f <override.yaml> and check whether your input is rendered correctly before installing.
```yaml
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  hub: <change-me>.jfrog.io/istio
  addonComponents:
    grafana:
      enabled: false
    istiocoredns:
      enabled: false
    kiali:
      enabled: true
      k8s:
        replicaCount: 2
    prometheus:
      enabled: false
    tracing:
      enabled: false
  components:
    base:
      enabled: true
    citadel:
      enabled: false
    cni:
      enabled: false
    galley:
      enabled: false
    nodeAgent:
      enabled: false
    policy:
      enabled: false
    sidecarInjector:
      enabled: false
    telemetry:
      enabled: false
    pilot:
      enabled: true
      k8s:
        hpaSpec:
          minReplicas: 2
    ingressGateways:
    - name: istio-ingressgateway
      enabled: true
      k8s:
        hpaSpec:
          minReplicas: 2
        service:
          type: ClusterIP
          ports:
          - name: http2
            port: 80
            targetPort: 80
          - name: https
            port: 443
    egressGateways:
    - name: istio-egressgateway
      enabled: true
      k8s:
        hpaSpec:
          minReplicas: 2
        service:
          type: ClusterIP
          ports:
          - name: http2
            port: 80
  values:
    kiali:
      prometheusAddr: http://prometheus.monitoring:9090
      hub: <change-me>.jfrog.io/kiali
    global:
      proxy:
        accessLogFile: /dev/stdout
      imagePullSecrets:
      - <change-me>
```
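A check for the "render with `istioctl manifest generate`, then install" step above, as an added example that is not from the thread or the Istio project: it scans rendered manifest text for `image:` references outside the approved registry prefix, including unqualified names that implicitly resolve to Docker Hub. The registry name `registry.example.internal` and the sample fragment are constructed placeholders, and only `image:` fields are inspected.

```python
import re
import sys

# Matches `image: <ref>` in rendered Kubernetes YAML, including the
# `- image:` form used when image is the first key of a container entry.
IMAGE_LINE = re.compile(r'^\s*(?:-\s+)?image:\s*["\']?([^\s"\'#]+)')


def registry_of(ref):
    """Return the registry host an image reference resolves to."""
    # Docker reference rule: the first path component names a registry only
    # if it contains '.' or ':' or is 'localhost'; otherwise it is Docker Hub.
    first, sep, _ = ref.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"


def unapproved_images(manifest, approved_prefix):
    """List (line_no, ref, registry) for images outside approved_prefix."""
    prefix = approved_prefix.rstrip("/") + "/"
    findings = []
    for no, line in enumerate(manifest.splitlines(), 1):
        m = IMAGE_LINE.match(line)
        if m and not m.group(1).startswith(prefix):
            findings.append((no, m.group(1), registry_of(m.group(1))))
    return findings


# Constructed fragment of rendered output (not real istioctl output).
SAMPLE = """\
containers:
- name: discovery
  image: "registry.example.internal/istio/pilot:1.5.0"
- image: docker.io/istio/proxyv2:1.5.0
  name: istio-proxy
- name: kiali
  image: kiali/kiali:v1.15
"""

if __name__ == "__main__":
    # Real use: istioctl manifest generate -f override.yaml | python3 check.py <prefix>
    demo = len(sys.argv) < 2
    manifest = SAMPLE if demo else sys.stdin.read()
    prefix = "registry.example.internal/istio" if demo else sys.argv[1]
    bad = unapproved_images(manifest, prefix)
    for no, ref, reg in bad:
        print(f"line {no}: {ref} resolves to {reg}")
    sys.exit(1 if bad and not demo else 0)
```

A non-zero exit when a prefix is given lets the check gate a pipeline before `istioctl install` runs.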