Setting OutboundTrafficPolicy.Mode in ConfigMap

Hi,

After Istio 1.6.1, where can I configure OutboundTrafficPolicy.Mode? I have installed Istio using the default profile.

The new config map doesn’t have that parameter for me to configure.

kind: ConfigMap
apiVersion: v1
metadata:
  name: istio
  namespace: istio-system
  selfLink: /api/v1/namespaces/istio-system/configmaps/istio
  uid: f44f9e9a-a57a-49f3-a7c9-682706cc8a5e
  resourceVersion: '4072935'
  creationTimestamp: '2020-06-10T04:18:04Z'
  labels:
    install.operator.istio.io/owning-resource: installed-state
    istio.io/rev: default
    operator.istio.io/component: Pilot
    operator.istio.io/managed: Reconcile
    operator.istio.io/version: 1.6.1
    release: istio
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: >
      {"apiVersion":"v1","data":{"mesh":"accessLogEncoding: TEXT\naccessLogFile:
      \"\"\naccessLogFormat: \"\"\ndefaultConfig:\n  concurrency: 2\n 
      configPath: ./etc/istio/proxy\n  connectTimeout: 10s\n 
      controlPlaneAuthPolicy: NONE\n  discoveryAddress:
      istiod.istio-system.svc:15012\n  drainDuration: 45s\n 
      parentShutdownDuration: 1m0s\n  proxyAdminPort: 15000\n 
      proxyMetadata:\n    DNS_AGENT: \"\"\n  serviceCluster: istio-proxy\n 
      tracing:\n    zipkin:\n      address:
      zipkin.istio-system:9411\ndisableMixerHttpReports:
      true\ndisablePolicyChecks: true\nenablePrometheusMerge:
      false\ningressClass: istio\ningressControllerMode: STRICT\ningressService:
      istio-ingressgateway\nprotocolDetectionTimeout:
      100ms\nreportBatchMaxEntries: 100\nreportBatchMaxTime: 1s\nsdsUdsPath:
      unix:/etc/istio/proxy/SDS\ntrustDomain: cluster.local\ntrustDomainAliases:
      null","meshNetworks":"networks:
      {}"},"kind":"ConfigMap","metadata":{"annotations":{},"creationTimestamp":"2020-06-10T04:18:04Z","labels":{"install.operator.istio.io/owning-resource":"installed-state","istio.io/rev":"default","operator.istio.io/component":"Pilot","operator.istio.io/managed":"Reconcile","operator.istio.io/version":"1.6.1","release":"istio"},"name":"istio","namespace":"istio-system","resourceVersion":"4065423","selfLink":"/api/v1/namespaces/istio-system/configmaps/istio","uid":"f44f9e9a-a57a-49f3-a7c9-682706cc8a5e"}}
data:
  mesh: |-
    accessLogEncoding: TEXT
    accessLogFile: ""
    accessLogFormat: ""
    defaultConfig:
      concurrency: 2
      configPath: ./etc/istio/proxy
      connectTimeout: 10s
      controlPlaneAuthPolicy: NONE
      discoveryAddress: istiod.istio-system.svc:15012
      drainDuration: 45s
      parentShutdownDuration: 1m0s
      proxyAdminPort: 15000
      proxyMetadata:
        DNS_AGENT: ""
      serviceCluster: istio-proxy
      tracing:
        zipkin:
          address: zipkin.istio-system:9411
    disableMixerHttpReports: true
    disablePolicyChecks: true
    enablePrometheusMerge: false
    ingressClass: istio
    ingressControllerMode: STRICT
    ingressService: istio-ingressgateway
    protocolDetectionTimeout: 100ms
    reportBatchMaxEntries: 100
    reportBatchMaxTime: 1s
    sdsUdsPath: unix:/etc/istio/proxy/SDS
    trustDomain: cluster.local
    trustDomainAliases: null

see: https://istio.io/docs/reference/config/istio.mesh.v1alpha1/#MeshConfig

Thanks, I found a similar issue at https://github.com/istio/istio/issues/24329

I wasn't really familiar with the ConfigMap structure, so I was wondering where I should set the outbound mode in the new ConfigMap.

The answer is

  mesh: |-
    accessLogEncoding: TEXT
    accessLogFile: /dev/stdout
    accessLogFormat: ""
    outboundTrafficPolicy:
        mode: REGISTRY_ONLY

Would it be better if that parameter were kept there? I think it helps people who love to tinker with the config map.
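
An added example, not part of the original thread or Istio's own tooling: a shell check that reads the `mesh` value of the `istio` ConfigMap and reports the effective outbound mode. When the key is absent, as in the default-profile ConfigMap quoted in the question, it falls back to Istio's default of `ALLOW_ANY`. The function names and the two trimmed sample configs are constructed for illustration.

```shell
#!/bin/sh
# Added example: report the effective outboundTrafficPolicy mode of a mesh config.
# On a live cluster, feed it the ConfigMap value discussed in the thread:
#   kubectl -n istio-system get configmap istio -o jsonpath='{.data.mesh}' | mesh_outbound_mode

# Reads the mesh YAML on stdin and prints the mode.
# Handles block-style YAML only (as in the thread), not flow style "{mode: ...}".
mesh_outbound_mode() {
  awk '
    # Any unindented key either opens the block we want or closes it.
    /^[^ \t#]/ { in_block = ($0 ~ /^outboundTrafficPolicy:[ \t]*$/); next }
    in_block && /^[ \t]+mode:/ {
      sub(/^[ \t]+mode:[ \t]*/, "")   # drop the key
      sub(/[ \t]*(#.*)?$/, "")        # drop trailing blanks and comments
      gsub(/"/, "")                   # drop optional double quotes
      mode = $0
    }
    # Key absent: Istio applies its default, ALLOW_ANY.
    END { print (mode == "" ? "ALLOW_ANY" : mode) }
  '
}

# Succeeds only when sidecars are restricted to hosts in the service registry.
egress_locked_down() {
  [ "$(mesh_outbound_mode)" = "REGISTRY_ONLY" ]
}

# Constructed samples, trimmed from the two configs quoted in the thread.
MESH_DEFAULT='accessLogEncoding: TEXT
accessLogFile: ""
defaultConfig:
  concurrency: 2
trustDomain: cluster.local'

MESH_LOCKED='accessLogEncoding: TEXT
accessLogFile: /dev/stdout
outboundTrafficPolicy:
    mode: REGISTRY_ONLY'

printf '%s\n' "$MESH_DEFAULT" | mesh_outbound_mode   # ALLOW_ANY
printf '%s\n' "$MESH_LOCKED"  | mesh_outbound_mode   # REGISTRY_ONLY
```

Wiring `egress_locked_down` into a CI or cluster-audit job makes a missing key fail the check instead of silently leaving egress open.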