To istioctl or to helm

https://gcsweb.istio.io/gcs/istio-release/releases/1.4.0/docker/

2 Likes

I donā€™t see the ingressgateway image there. Iā€™ve sampled some of the tar.gzā€™s to see if they had it, but I havenā€™t found it so far. Is there another location for it by any chance?

EDIT: Oops, nvmā€¦ the image for it is actually proxyv2.

Another snagā€¦

Now that Iā€™ve pushed the pilot and proxyv2 images to our own repo, how do I make the istioctl install pull them from there?

I tried updating the hub in default.yaml. It didnā€™t work. Iā€™m using minimal, but I didnā€™t find anything in minimal.yaml. (I admittedly have yet to read up on how these profiles work.)

I also tried updating the hub in values.yaml (for helm), just for kicks. It didnā€™t work.

It should be possible, right? With the Quick Install evaluation I did, I was able to update the demo yaml, and it worked fine.

For this istioctl install, how do I accomplish the same?

Thanks again,
J

K, figured out this muchā€¦ I simply had to do generate to output the yaml to a fileā€¦ then, update the resulting yaml before applying it.

Is this sustainable? During upgrades, will I be able to do the same thing?

Anyhow, the next snag isā€¦ my ingressgateway is not starting up. Nor does the istio-proxy container in pilot. Theyā€™re both looking for cert files (see partial log below). The Quick Install was indeed quick. It spoiled me. I didnā€™t have to worry about these things. Will do some reading up, but if you or anyone has the quick answer, Iā€™d appreciate it.

|2019-11-26T01:44:59.435745Z|info|Monitored certs: string{"/etc/certs/cert-chain.pem", ā€œ/etc/certs/key.pemā€, ā€œ/etc/certs/root-cert.pemā€}|
|2019-11-26T01:44:59.435751Z|info|waiting 2m0s for /etc/certs/cert-chain.pem|
|2019-11-26T01:45:00.437327Z|info|waiting for file|
|2019-11-26T01:45:00.537534Z|info|waiting for file|

Iā€™m still stuck with that same problem. Iā€™ve tried different things to no avail.

I do not want to deal with certs for now. What do I need to change in the generated manifest (or pass as an argument to the manifest generate/apply command) so that my pilot and ingressgateway pods do not look for these certs during start-up? I think itā€™s a matter of disabling mtls, but I cannot figure out where that can be done in the manifest.

Thanks,
J

Hi Jaid, I think your problems have drifted quite a ways from the thread title - I suggest you create a new thread with an appropriate title and put some of these question there so that other community members will see them.

They have, havenā€™t they? :slight_smile: Yes, let me do that. Thanks!

Actually, @ostromart, would you mind addressing my question regarding the sustainability of what I just did? I created the manifest and then updated the images to point to my own repo before applying it.

Would I be able to do the same thing during future Istio upgrades? Is there a better way of accomplishing the same thing?

You should definitely not have to edit the output manifest. The hub/tag parameters are part of the API and should work. Could you post the command you ran to change the hub value so I can try to repro?

I actually did not run any command. Is there such a command?

I found ā€œhubā€ in default.yaml. I didnā€™t find it anywhere else. So I modified it even when I was going to use the minimal profile, thinking that the default.yaml would still be somehow used (is it?).

(Also in default.yaml, I modified the images for proxyv2 and pilot to have the ā€œistio-ā€ prefix just because thatā€™s how I tagged it.)

Neither change took effect when I ran the manifest apply/generate command.

What is the correct way of updating the hub (and possibly the image names, too) before running the manifest command?

Thanks again!

You should use the IstioControlPlane API (see links above).
So you would do something like istioctl manifest generate --set hub=

1 Like

Thanks. That worked.

Iā€™ve written a post clarifying the future of Helm Support in Istio.