Setting gateways.istio-ingressgateway.serviceAnnotations

Hello,

I’m using istioctl in order to generate a manifest to install Istio. We have deployed the Istio Load Balancer in an AWS private subnet. I know that it is possible in helm to pass in the --set gateways.istio-ingressgateway.serviceAnnotations.service.beta.kubernetes.io/aws-load-balancer-internal="'0.0.0.0/0'" flag to do this. I tried passing this flag as part of the istioctl manifest generate command, but when I check the yaml file, the annotation for the service is:
service: "map[beta:map[kubernetes:map[io/aws-load-balancer-internal:0.0.0.0/0]]]"
when I am expecting:
service.beta.kubernetes.io/aws-load-balancer-internal: '0.0.0.0/0'
I found the following on the internet to try and correct the problem, but it doesn’t work as I’m getting the same result:
--set gateways.istio-ingressgateway.serviceAnnotations.'service.beta.kubernetes.io/aws-load-balancer-internal'=0.0.0.0/0

Has anyone experienced this issue and have any ideas on how to correct this?

Thanks

You could try passing an overlay file instead of using --set - escaping in the command line can be tricky, it’s much cleaner to create a yaml file. @esnible can comment further on --set.

I have success with istioctl manifest generate --set 'values.gateways.istio-ingressgateway.serviceAnnotations.service\.beta\.kubernetes\.io/aws-load-balancer-internal=0.0.0.0/0'

I am using OSX, with $BASH_VERSION 3.2.57(1)-release.

The single quotes keep Bash from eating the backslashes. (Tested under my personal build of what will be 1.5.1 and under my build of 1.6.x.)
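Why the escaping matters, as an added illustration that is not part of the thread and is not istioctl's or Helm's own code: a simplified model of splitting a --set path on dots, with `\.` kept as a literal dot. The function names are hypothetical; the unescaped path reproduces the `map[...]` value reported above, which leaves the Service without the intended internal load balancer annotation.

```python
# Added illustration: a simplified model of dotted --set paths, not istioctl's code.

def split_path(path):
    """Split on '.', treating a backslash-escaped dot as a literal dot in the key."""
    parts, cur, i = [], "", 0
    while i < len(path):
        if path.startswith("\\.", i):
            cur, i = cur + ".", i + 2
        elif path[i] == ".":
            parts.append(cur)
            cur, i = "", i + 1
        else:
            cur, i = cur + path[i], i + 1
    return parts + [cur]

def apply_set(tree, expr):
    """Apply one 'path=value' expression to a nested dict of values."""
    path, value = expr.split("=", 1)
    *parents, leaf = split_path(path)
    node = tree
    for key in parents:
        node = node.setdefault(key, {})
    node[leaf] = value
    return tree

def go_fmt(v):
    """Render a value the way Go's default formatting prints nested maps."""
    if isinstance(v, dict):
        return "map[" + " ".join(f"{k}:{go_fmt(x)}" for k, x in sorted(v.items())) + "]"
    return str(v)

def render_annotations(tree):
    """Annotations as they would land on the gateway Service (all values are strings)."""
    ann = tree["values"]["gateways"]["istio-ingressgateway"]["serviceAnnotations"]
    return {k: go_fmt(v) for k, v in ann.items()}

def mangled(annotations):
    """Keys whose value is a stringified map: the symptom reported in this thread."""
    return [k for k, v in annotations.items() if v.startswith("map[")]

# Constructed inputs mirroring the two command lines discussed in the thread.
PREFIX = "values.gateways.istio-ingressgateway.serviceAnnotations."
KEY = "service.beta.kubernetes.io/aws-load-balancer-internal"
UNESCAPED = PREFIX + KEY + "=0.0.0.0/0"
ESCAPED = PREFIX + KEY.replace(".", "\\.") + "=0.0.0.0/0"

if __name__ == "__main__":
    for expr in (UNESCAPED, ESCAPED):
        ann = render_annotations(apply_set({}, expr))
        print(ann, "-> mangled keys:", mangled(ann))
```

The same `mangled` test, a value starting with `map[`, is a quick thing to look for in a generated manifest before applying it.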

I’m also using OSX; I tried with zsh and bash version 4.4.19(1)-release. My manifest generate looks like:
istioctl manifest generate --set profile=default --set 'values.gateways.istio-ingressgateway.serviceAnnotations.service.beta.kubernetes.io/aws-load-balancer-internal=0.0.0.0/0' > test.yaml
But when I check my test.yaml file I see:
apiVersion: v1
kind: Service
metadata:
  name: istio-ingressgateway
  namespace: istio-system
  annotations:
    service: "map[beta\:map[kubernetes\:map[io/aws-load-balancer-internal:0.0.0.0/0]]]"

Any idea of what that overlay file would look like? Are there examples available for this type of change?

\. escapes do not work with Istio 1.4.x.
It works with the released 1.5.0.

I am not good with overlaying multiple specs, but to install the default profile with the annotation customization do this:

cat > overlay.yaml <<EOF
apiVersion: install.istio.io/v1alpha2
kind: IstioControlPlane
metadata:
  namespace: istio-operator
  name: example-istiocontrolplane
spec:
  profile: default
  values:
    gateways:
      istio-ingressgateway:
        serviceAnnotations:
          service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0
EOF

istioctl manifest generate -f overlay.yaml

That worked! Thank you all for your help with this!!!

Hi @ed.snible, in my case, I want to set up two ingress gateways: one is for public, the other one is for internal. The internal ingress gw should have the service annotation as you AWS suggest, service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0. But your customization in the values.gateway.istio-ingressgateway seems like it will overwrite the svc annotation for both of them. How do I specify it separately for the public and internal ingress gateways?
