Note: This repo has been merged to istio.io/istio/operator. Please go to that repo to make any changes to operator or installer charts. The only exception is bug backports to the 1.4 branch, which should be submitted here. The text below is preserved for reference but is no longer maintained at this location.
Istio Operator
The Istio operator CLI is beta and the controller is alpha for 1.4. You can contribute by picking an unassigned open issue, creating a bug or feature request, or just coming to the weekly Environments Working Group meeting to share your ideas.
This document is an overview of how the operator works from a user perspective. For more details about the design and architecture and a code overview, see ARCHITECTURE.md.
The operator CLI is distributed to users as part of istioctl. The mesh command
in this repo is simply a wrapper to speed up development - the subcommands are the same code that is incorporated into
istioctl. Making changes to any mesh subcommand will be reflected in istioctl after one of the regular syncs to
istio/operator.
Introduction
This repo reorganizes the current Helm installation parameters into two groups:
- The new platform level installation API, for managing K8s settings like resources, auto scaling, pod disruption budgets and others defined in the KubernetesResourceSpec
- The configuration API that currently uses the Helm installation parameters for backwards compatibility. This API is for managing the Istio control plane configuration settings.
Some parameters will temporarily exist in both APIs - for example, setting K8s resources currently can be done through either API above. However, the Istio community recommends using the first API as it is more consistent, is validated, and will naturally follow the graduation process for APIs while the same parameters in the configuration API are planned for deprecation.
This repo currently provides pre-configured Helm values sets for different scenarios as configuration profiles, which act as a starting point for an Istio install and can be customized by creating customization overlay files or passing parameters when calling Helm. Similarly, the operator API uses the same profiles (expressed internally through the new API), which can be selected as a starting point for the installation. For comparison, the following example shows the command needed to install Istio using the SDS configuration profile using Helm:
helm template install/kubernetes/helm/istio --name istio --namespace istio-system \
--values install/kubernetes/helm/istio/values-istio-sds-auth.yaml | kubectl apply -f -In the new API, the same profile would be selected through a CustomResource (CR):
# sds.yaml
apiVersion: operator.istio.io/v1alpha1
kind: IstioOperator
spec:
profile: sdsSee Select a specific configuration_profile for more information.
If you don't specify a configuration profile, Istio is installed using the default configuration profile. All
profiles listed in istio.io are available by default, or profile: can point to a local file path to reference a custom
profile base to use as a starting point for customization. See the API reference
for details.
Developer quick start
The quick start describes how to install and use the operator mesh CLI command and/or controller.
Building
If you're trying to do a local build that bypasses the build container, you'll need to to execute the following step one time.
GO111MODULE=on go get github.com/jteeuwen/go-bindata/go-bindata@6025e8de665b
Clone the repo
git clone https://github.com/istio/operator.git
cd operatorCLI
To build the operator CLI, simply:
make meshThis will create a binary called mesh either in ${GOPATH}/bin or ${GOPATH}/go/src/istio.io/operator/out/,
depending on your platform. Ensure this is in your PATH to run the examples below.
Controller (in cluster)
Building a custom controller requires a Dockerhub (or similar) account. To build using the container based build:
HUB=docker.io/<your-account> TAG=latest make docker.allThis builds the controller binary and docker file, and pushes the image to the specified hub with the latest tag.
Once the images are pushed, configure kubectl to point to your cluster and install the controller. You should edit
the file deploy/operator.yaml to point to your docker hub:
image: docker.io/<your-account>/operatorInstall the controller manifest and example IstioOperator CR:
kubectl apply -k deploy/
kubectl apply -f deploy/crds/istio_v1alpha1_istiooperator_cr.yaml This installs the controller into the cluster in the istio-operator namespace. The controller in turns installs the Istio control plane into the istio-system namespace by default.
Controller (running locally)
-
Set env $WATCH_NAMESPACE and $LEADER_ELECTION_NAMESPACE (default value is "istio-operator")
-
From the operator repo root directory, run
go run ./cmd/manager/*.go server
To use Remote debugging with IntelliJ, replace above step 2 with following:
-
From ./cmd/manager path run
dlv debug --headless --listen=:2345 --api-version=2 -- server. -
In IntelliJ, create a new Go Remote debug configuration with default settings.
-
Start debugging process and verify it is working. For example, try adding a breakpoint at Reconcile logic and apply a new CR.
Relationship between the CLI and controller
The CLI and controller share the same API and codebase for generating manifests from the API. You can think of the
controller as the CLI command mesh manifest apply running in a loop in a pod in the cluster and using the config
from the in-cluster IstioOperator CustomResource (CR).
There are two major differences:
- The controller does not accept any dynamic user config through flags. All user interaction is through the IstioOperator CR.
- The controller has additional logic that mirrors istioctl commands like upgrade, but is driven from the declarative API rather than command line.
Quick tour of CLI commands
Flags
The mesh command supports the following flags:
-
logtostderr: log to console (by default logs go to ./mesh-cli.log). -
dry-run: console output only, nothing applied to cluster or written to files. -
verbose: display entire manifest contents and other debug info (default is false).
Basic default manifest
The following command generates a manifest with the compiled-in default profile and charts:
mesh manifest generateYou can see these sources for the compiled-in profiles and charts in the repo under data/. These profiles and charts are also included in the Istio release tar.
Output to dirs
The output of the manifest is concatenated into a single file. To generate a directory hierarchy with subdirectory levels representing a child dependency, use the following command:
mesh manifest generate -o istio_manifestsUse depth first search to traverse the created directory hierarchy when applying your YAML files. This is needed for correct sequencing of dependencies. Child manifest directories must wait for their parent directory to be fully applied, but not their sibling manifest directories.
Just apply it for me
The following command generates the manifests and applies them in the correct dependency order, waiting for the dependencies to have the needed CRDs available:
mesh manifest applyReview the values of a configuration profile
The following commands show the values of a configuration profile:
# show available profiles
mesh profile list
# show the values in demo profile
mesh profile dump demo
# show the values after a customization file is applied
mesh profile dump -f samples/policy-off.yaml
# show differences between the default and demo profiles
mesh profile dump default > 1.yaml
mesh profile dump demo > 2.yaml
mesh profile diff 1.yaml 2.yaml
# show the differences in the generated manifests between the default profile and a customized install
mesh manifest generate > 1.yaml
mesh manifest generate -f samples/pilot-k8s.yaml > 2.yaml
mesh manifest diff 1.yam1 2.yaml
The profile dump sub-command supports a couple of useful flags:
-
config-path: select the root for the configuration subtree you want to see e.g. just show Pilot:
mesh profile dump --config-path components.pilot-
set: set a value in the configuration before dumping the resulting profile e.g. show the minimal profile:
mesh profile dump --set profile=minimalSelect a specific configuration profile
The simplest customization is to select a profile different to default e.g. sds. See samples/sds.yaml:
# sds-install.yaml
apiVersion: operator.istio.io/v1alpha1
kind: IstioOperator
spec:
profile: sdsUse the Istio operator mesh binary to generate the manifests for the new configuration profile:
mesh manifest generate -f samples/sds.yamlAfter running the command, the Helm charts are rendered using data/profiles/sds.yaml.
Install from file path
The compiled in charts and profiles are used by default, but you can specify a file path, for example:
apiVersion: operator.istio.io/v1alpha1
kind: IstioOperator
spec:
profile: /usr/home/bob/go/src/github.com/ostromart/istio-installer/data/profiles/default.yaml
installPackagePath: /usr/home/bob/go/src/github.com/ostromart/istio-installer/data/charts/You can mix and match these approaches. For example, you can use a compiled-in configuration profile with charts in your local file system.
Migration from values.yaml
The following command takes helm values.yaml files and output the new IstioOperatorSpec:
mesh manifest migrate /usr/home/bob/go/src/istio.io/installer/istio-control/istio-discovery/values.yamlIf a directory is specified, all files called "values.yaml" under the directory will be converted into a single combined IstioOperatorSpec:
mesh manifest migrate /usr/home/bob/go/src/istio.io/installer/istio-controlIf no file is specified, the IstioOperator CR in the kube config cluster is used as an input:
mesh manifest migrateCheck diffs of manifests
The following command takes two manifests and output the differences in a readable way. It can be used to compare between the manifests generated by operator API and helm directly:
mesh manifest diff ./out/helm-template/manifest.yaml ./out/mesh-manifest/manifest.yamlNew API customization
The new platform level installation API defines install time parameters like feature and component enablement and namespace, and K8s settings like resources, HPA spec etc. in a structured way. The simplest customization is to turn features and components on and off. For example, to turn off all policy (samples/sds-policy-off.yaml):
apiVersion: operator.istio.io/v1alpha1
kind: IstioOperator
spec:
profile: sds
components:
policy:
enabled: falseThe operator validates the configuration and automatically detects syntax errors. Helm lacks this capability. If you are using Helm values that are incompatible, the schema validation used in the operator may reject input that is valid for Helm. Each Istio component has K8s settings, and these can be overridden from the defaults using official K8s APIs rather than Istio defined schemas (samples/pilot-k8s.yaml):
apiVersion: operator.istio.io/v1alpha1
kind: IstioOperator
spec:
components:
pilot:
k8s:
resources:
requests:
cpu: 1000m # override from default 500m
memory: 4096Mi # ... default 2048Mi
hpaSpec:
maxReplicas: 10 # ... default 5
minReplicas: 2 # ... default 1
nodeSelector: # ... default empty
master: "true"
tolerations: # ... default empty
- key: dedicated
operator: Exists
effect: NoSchedule
- key: CriticalAddonsOnly
operator: ExistsThe K8s settings are defined in detail in the operator API. The settings are the same for all components, so a user can configure pilot K8s settings in exactly the same, consistent way as galley settings. Supported K8s settings currently include:
- resources
- readiness probes
- replica count
- HorizontalPodAutoscaler
- PodDisruptionBudget
- pod annotations
- container environment variables
- ImagePullPolicy
- priority calss name
- node selector
- toleration
- affinity and anti-affinity
- deployment strategy
All of these K8s settings use the K8s API definitions, so K8s documentation can be used for reference. All K8s overlay values are also validated in the operator.
Customizing the old values.yaml API
The new platform install API above deals with K8s level settings. The remaining values.yaml parameters deal with Istio control plane operation rather than installation. For the time being, the operator just passes these through to the Helm charts unmodified (but validated through a schema). Values.yaml settings are overridden the same way as the new API, though a customized CR overlaid over default values for the selected profile. Here's an example of overriding some global level default values (samples/values-global.yaml):
apiVersion: operator.istio.io/v1alpha1
kind: IstioOperator
spec:
profile: sds
values:
global:
logging:
level: "default:warning" # override from infoValues overrides can also be specified for a particular component (samples/values-pilot.yaml):
apiVersion: operator.istio.io/v1alpha1
kind: IstioOperator
spec:
values:
mixer:
telemetry:
loadshedding:
latencyThreshold: 200ms Advanced K8s resource overlays
Advanced users may occasionally have the need to customize parameters (like container command line flags) which are not exposed through either of the installation or configuration APIs described in this document. For such cases, it's possible to overlay the generated K8s resources before they are applied with user-defined overlays. For example, to override some container level values in the Pilot container (samples/pilot-advanced-override.yaml):
apiVersion: operator.istio.io/v1alpha1
kind: IstioOperator
spec:
components:
pilot:
k8s:
overlays:
- kind: Deployment
name: istio-pilot
patches:
- path: spec.template.spec.containers.[name:discovery].args.[30m]
value: "60m" # OVERRIDDEN
- path: spec.template.spec.containers.[name:discovery].ports.[containerPort:8080].containerPort
value: 8090 # OVERRIDDEN
- kind: Service
name: istio-pilot
patches:
- path: spec.ports.[name:grpc-xds].port
value: 15099 # OVERRIDDENThe user-defined overlay uses a path spec that includes the ability to select list items by key. In the example above, the container with the key-value "name: discovery" is selected from the list of containers, and the command line parameter with value "30m" is selected to be modified. The advanced overlay capability is described in more detail in the spec.
Interaction with controller
The controller shares the same API as the operator CLI, so it's possible to install any of the above examples as a CR
in the cluster in the istio-operator namespace and the controller will react to it with the same outcome as running
mesh manifest apply -f <path-to-custom-resource-file>.
Architecture
See ARCHITECTURE.md