Istio Operator Overlays alternative in Helm chart

Hello
I am trying to set up Istio with a custom CA; my goal is to integrate Istio with Vault.
Following this doc, I plan to use Istio-CSR as a controller, and this requires applying custom configuration parameters to the Istio installation.
Istio-CSR has an example of how to install Istio using the Operator.

But issues come out:

  1. the official docs say: “Use of the operator for new Istio installations is discouraged” (Istio / Istio Operator Install)
  2. we want to use the Helm chart for the Istio installation

Here is the config, which uses overlays to adjust the istiod args.

Could you suggest how to apply the same changes using the Istio Helm chart?

apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  namespace: istio-system
spec:
  profile: "demo"
  hub: gcr.io/istio-release
  meshConfig:
    # Change the following line to configure the trust domain of the Istio cluster.
    trustDomain: cluster.local
  values:
    global:
      # Change certificate provider to cert-manager istio agent for istio agent
      caAddress: cert-manager-istio-csr.cert-manager.svc:443
  components:
    pilot:
      k8s:
        env:
          # Disable istiod CA Sever functionality
        - name: ENABLE_CA_SERVER
          value: "false"
        overlays:
        - apiVersion: apps/v1
          kind: Deployment
          name: istiod
          patches:

            # Mount istiod serving and webhook certificate from Secret mount
          - path: spec.template.spec.containers.[name:discovery].args[-1]
            value: "--tlsCertFile=/etc/cert-manager/tls/tls.crt"
          - path: spec.template.spec.containers.[name:discovery].args[-1]
            value: "--tlsKeyFile=/etc/cert-manager/tls/tls.key"
          - path: spec.template.spec.containers.[name:discovery].args[-1]
            value: "--caCertFile=/etc/cert-manager/ca/root-cert.pem"

          - path: spec.template.spec.containers.[name:discovery].volumeMounts[-1]
            value:
              name: cert-manager
              mountPath: "/etc/cert-manager/tls"
              readOnly: true
          - path: spec.template.spec.containers.[name:discovery].volumeMounts[-1]
            value:
              name: ca-root-cert
              mountPath: "/etc/cert-manager/ca"
              readOnly: true

          - path: spec.template.spec.volumes[-1]
            value:
              name: cert-manager
              secret:
                secretName: istiod-tls
          - path: spec.template.spec.volumes[-1]
            value:
              name: ca-root-cert
              configMap:
                defaultMode: 420
                name: istio-ca-root-cert

I think you might use istioctl to set up Istio; I think istioctl is a combination of the operator and the Helm chart.

The profile is actually an operator CRD, and you can set helm values in this CRD, e.g.:

Other resources:

Thanks @ErikXu,
Let me explain. I want to add custom args parameters to istiod (the discovery container).
In the IstioOperator manifest this is done using overlays; here is a snippet from my comment above:

overlays:
- apiVersion: apps/v1
  kind: Deployment
  name: istiod
  patches:

    # Mount istiod serving and webhook certificate from Secret mount
  - path: spec.template.spec.containers.[name:discovery].args[-1]
    value: "--tlsCertFile=/etc/cert-manager/tls/tls.crt"
  - path: spec.template.spec.containers.[name:discovery].args[-1]
    value: "--tlsKeyFile=/etc/cert-manager/tls/tls.key"
  - path: spec.template.spec.containers.[name:discovery].args[-1]
    value: "--caCertFile=/etc/cert-manager/ca/root-cert.pem"

  - path: spec.template.spec.containers.[name:discovery].volumeMounts[-1]
    value:
      name: cert-manager
      mountPath: "/etc/cert-manager/tls"
      readOnly: true
  - path: spec.template.spec.containers.[name:discovery].volumeMounts[-1]
    value:
      name: ca-root-cert
      mountPath: "/etc/cert-manager/ca"
      readOnly: true

  - path: spec.template.spec.volumes[-1]
    value:
      name: cert-manager
      secret:
        secretName: istiod-tls
  - path: spec.template.spec.volumes[-1]
    value:
      name: ca-root-cert
      configMap:
        defaultMode: 420
        name: istio-ca-root-cert

And it works when you install Istio using IstioOperator and that manifest file. As a result, I got:

k describe deployment istiod -n istio-system

...
Containers:
   discovery:
    Image:       gcr.io/istio-release/pilot:1.12.0
    Ports:       8080/TCP, 15010/TCP, 15017/TCP
    Host Ports:  0/TCP, 0/TCP, 0/TCP
    Args:
      discovery
      --monitoringAddr=:15014
      --log_output_level=default:info
      --domain
      cluster.local
      --keepaliveMaxServerConnectionAge
      30m
      --tlsCertFile=/etc/cert-manager/tls/tls.crt
      --tlsKeyFile=/etc/cert-manager/tls/tls.key
      --caCertFile=/etc/cert-manager/ca/root-cert.pem
...

But we prefer to use the Helm chart for the Istio installation. I checked the deployment parameters of istiod and didn’t find a way to add custom args there.

Maybe I’m missing something, but it seems it would be good to have parameters for custom args in the Helm chart.
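The following is an added example for this thread and is not code from Istio, istio-csr, the Istio Helm chart, or any of the posters. It does two things the thread only describes: it implements the overlay path grammar used in the IstioOperator manifest above (dotted keys, the `[name:discovery]` list selector and `[-1]` append) so the same patches can be applied to an istiod Deployment document however it was rendered, and it checks the result against what the `kubectl describe` output shows, plus the `ENABLE_CA_SERVER=false` env from `k8s.env`, which is modelled here as one more append. The JSON input route (`kubectl get deployment istiod -n istio-system -o json`) and the script name are assumptions, not from the thread; with no argument it runs on a constructed sample Deployment. The check is the part worth keeping even once the Helm side is solved: it confirms istiod is no longer issuing workload certificates itself and is serving with the cert-manager-provided cert, key and CA, mounted read-only.

```python
"""Apply the thread's IstioOperator overlay patches to an istiod Deployment
document and verify the result.  Added example for this thread; not Istio,
istio-csr or Helm chart code.

Assumed usage (the JSON input path is an assumption, not from the thread):
    kubectl get deployment istiod -n istio-system -o json > istiod.json
    python3 istiod_overlay.py istiod.json > istiod-patched.json
With no file argument it runs against a constructed sample Deployment.
Only the overlay path grammar the thread's manifest uses is implemented:
dotted keys, the `[name:<value>]` list selector and `[-1]` (append).
"""
import json
import re
import sys
from typing import Any, List, Tuple

_SELECTOR = re.compile(r"^\[(\w+):([^\]]+)\]$")  # e.g. [name:discovery]
_APPEND = re.compile(r"^(\w+)\[-1\]$")           # e.g. args[-1]


def apply_overlay(doc: dict, path: str, value: Any) -> dict:
    """Walk `path` into `doc` and set or append `value` in place."""
    node: Any = doc
    tokens = [t for t in path.split(".") if t]
    for i, tok in enumerate(tokens):
        last = i == len(tokens) - 1
        sel = _SELECTOR.match(tok)
        if sel:  # pick the list element whose <key> equals <value>
            key, want = sel.groups()
            hits = [e for e in node if isinstance(e, dict) and str(e.get(key)) == want]
            if not hits:
                raise KeyError(f"no element with {key}={want!r} under {'.'.join(tokens[:i])}")
            node = hits[0]
            continue
        app = _APPEND.match(tok)
        if app:  # `<field>[-1]`: append to the list, creating it if absent
            if not last:
                raise ValueError("[-1] is only supported as the final path element")
            node.setdefault(app.group(1), []).append(value)
            return doc
        if last:
            node[tok] = value
            return doc
        node = node[tok]
    return doc


DISCOVERY = "spec.template.spec.containers.[name:discovery]"
# The patches from the thread's manifest, plus the k8s.env entry expressed as an append.
THREAD_PATCHES: List[Tuple[str, Any]] = [
    (DISCOVERY + ".env[-1]", {"name": "ENABLE_CA_SERVER", "value": "false"}),
    (DISCOVERY + ".args[-1]", "--tlsCertFile=/etc/cert-manager/tls/tls.crt"),
    (DISCOVERY + ".args[-1]", "--tlsKeyFile=/etc/cert-manager/tls/tls.key"),
    (DISCOVERY + ".args[-1]", "--caCertFile=/etc/cert-manager/ca/root-cert.pem"),
    (DISCOVERY + ".volumeMounts[-1]",
     {"name": "cert-manager", "mountPath": "/etc/cert-manager/tls", "readOnly": True}),
    (DISCOVERY + ".volumeMounts[-1]",
     {"name": "ca-root-cert", "mountPath": "/etc/cert-manager/ca", "readOnly": True}),
    ("spec.template.spec.volumes[-1]",
     {"name": "cert-manager", "secret": {"secretName": "istiod-tls"}}),
    ("spec.template.spec.volumes[-1]",
     {"name": "ca-root-cert", "configMap": {"defaultMode": 420, "name": "istio-ca-root-cert"}}),
]


def check_istiod(doc: dict) -> List[str]:
    """Return findings; an empty list means the Deployment matches the thread's intent."""
    findings: List[str] = []
    spec = doc["spec"]["template"]["spec"]
    disc = next((c for c in spec.get("containers", []) if c.get("name") == "discovery"), None)
    if disc is None:
        return ["no 'discovery' container in the istiod Deployment"]
    args = disc.get("args", [])
    for flag in ("--tlsCertFile=", "--tlsKeyFile=", "--caCertFile="):
        if not any(a.startswith(flag) for a in args):
            findings.append(f"istiod arg {flag}... is missing")
    env = {e.get("name"): e.get("value") for e in disc.get("env", [])}
    if env.get("ENABLE_CA_SERVER") != "false":
        findings.append("ENABLE_CA_SERVER is not 'false': istiod would still act as the workload CA")
    mounts = {m.get("name"): m for m in disc.get("volumeMounts", [])}
    volumes = {v.get("name"): v for v in spec.get("volumes", [])}
    for name, source in (("cert-manager", "secret"), ("ca-root-cert", "configMap")):
        if name not in mounts:
            findings.append(f"volumeMount {name!r} missing on the discovery container")
        elif not mounts[name].get("readOnly"):
            findings.append(f"volumeMount {name!r} should be readOnly")
        if name not in volumes or source not in volumes[name]:
            findings.append(f"volume {name!r} missing or not backed by a {source}")
    return findings


def sample_deployment() -> dict:
    """Constructed minimal istiod Deployment, modelled on the describe output in the thread."""
    return {"apiVersion": "apps/v1", "kind": "Deployment",
            "metadata": {"name": "istiod", "namespace": "istio-system"},
            "spec": {"template": {"spec": {"containers": [{
                "name": "discovery", "image": "gcr.io/istio-release/pilot:1.12.0",
                "args": ["discovery", "--monitoringAddr=:15014", "--log_output_level=default:info",
                         "--domain", "cluster.local", "--keepaliveMaxServerConnectionAge", "30m"],
                "env": [], "volumeMounts": []}], "volumes": []}}}}


if __name__ == "__main__":
    deployment = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else sample_deployment()
    for overlay_path, overlay_value in THREAD_PATCHES:
        apply_overlay(deployment, overlay_path, overlay_value)
    problems = check_istiod(deployment)
    json.dump(deployment, sys.stdout, indent=2)
    for problem in problems:
        print("FINDING:", problem, file=sys.stderr)
    sys.exit(1 if problems else 0)
```

Running `check_istiod` alone against the live Deployment (skip the patch loop) is the useful operational check: whatever the install route, it should report nothing once istiod is wired to istio-csr.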

In my opinion, "official" means not using the operator directly but using istioctl or helm instead.
In your scenario, you might use the command istioctl install -f {your profile/operator crd}.yaml instead of istioctl operator init.

Having this same issue. Need the Helm chart install and want to connect to istio-csr.