This document covers primarily the code, with some background on how the design maps to it. See the design doc for a more complete design description. The operator code is divided roughly into five areas:
- IstioOperatorSpec API and related infrastructure, which is expressed as a
proto and
compiled to Go
structs.
IstioOperatorSpec
has pass-through fields to the Helm values.yaml API, but these are additionally validated through a schema. - Controller code. The code comprises the K8s listener, webhook and logic for reconciling the cluster
to an
IstioOperatorSpec
CR. - Manifest creation code. User settings are overlaid on top of the selected profile values and passed to a renderer in the Helm library to create manifests. Further customization on the created manifests can be done through overlays.
- CLI code. CLI code shares the
IstioOperatorSpec
API with the controller, but allows manifests to be generated and optionally applied from the command line without the need to run a privileged controller in the cluster. - Migration tools. The migration tools are intended to automate configuration migration from Helm to the operator.
The operator code uses the new Helm charts in the istio/manifests/charts. It is not
compatible with the older charts in istio/istio.
See istio/manifests/charts
for details about the new charts and why they were created. Briefly, the new charts
are intended to support production ready deployments of Istio that follow best practices like canarying for upgrade.
Throughout the document, the following terms are used:
IstioOperatorSpec
: The API directly defined in the IstioOperatorSpec proto, including feature and component groupings, namespaces and enablement, and per-component K8s settings.- Helm values.yaml API, implicitly defined through the various values.yaml files in the istio/manifests/charts and schematized in the operator through values_types.proto.
The IstioOperatorSpec
API is intended to replace the installation and K8s parts of Helm values.yaml.
The operator has a very similar structure to istio/installer: components are grouped into features.
IstioOperatorSpec
defines functional settings at the feature level. Functional settings are those that performs some
function in the Istio control plane without necessarily being tied to any one component that runs in a Deployment.
Component settings are those that necessarily refer to a particular Deployment or Service. For example, the number
of Pilot replicas is a component setting, because it refers to a component which is a Deployment in the
cluster. Most K8s platform settings are necessarily component settings.
The available features and the components that comprise each feature are as follows:
Feature | Components |
---|---|
Base | CRDs |
Traffic Management | Pilot |
Policy | Policy |
Telemetry | Telemetry |
Security | Citadel |
Security | Node agent |
Security | Cert manager |
Configuration management | Galley |
Gateways | Ingress gateway |
Gateways | Egress gateway |
AutoInjection | Sidecar injector |
Features and components are defined in the name package.
Note: Besides the features and the components listed in the table above, some addon features and components are as follows:
Feature | Components |
---|---|
Telemetry | Prometheus |
Telemetry | Prometheus Operator |
Telemetry | Grafana |
Telemetry | Kiali |
Telemetry | Tracing |
ThirdParty | CNI |
The IstioOperatorSpec
API and underlying new Helm charts offer a lot of flexibility in which namespaces features and
components are installed into. Namespace definitions can be defined and specialized at the global, feature and component
level, with each lower level overriding the setting of the higher parent level. For example, if the global default
namespace is defined as:
defaultNamespace: istio-system
and namespaces are specialized for the security feature and one of the components:
security:
components:
namespace: istio-security
citadel:
policy:
components:
policy:
the resulting namespaces will be:
Component | Namespace |
---|---|
policy | istio-system |
citadel | istio-security |
These rules are expressed in code in the | |
name package. |
Features and components can be individually or collectively enabled or disabled. If a feature is disabled, all of its components are disabled, regardless of their component-level enablement. If a feature is enabled, all of its components are enabled, unless they are individually disabled. For example:
security:
enabled: true
components:
citadel:
enabled: false
will enable all components of the security feature except citadel.
These rules are expressed in code in the name package.
Rather than defining selective mappings from parameters to fields in K8s resources, the IstioOperatorSpec
API
contains a consistent K8s block for each Istio component. The available K8s settings are defined in
KubernetesResourcesSpec:
Field name | K8s API reference |
---|---|
resources | resources |
readinessProbe | readiness probes |
replicaCount | replica count |
hpaSpec | HorizontalPodAutoscaler |
podDisruptionBudget | PodDisruptionBudget |
podAnnotations | pod annotations |
env | container environment variables |
imagePullPolicy | ImagePullPolicy |
priorityClassName | priority class name |
nodeSelector | node selector |
affinity | affinity and anti-affinity |
serviceAnnotations | service annotations |
These K8s setting are available for each component under the k8s
field, for example:
trafficManagement:
components:
pilot:
k8s:
hpaSpec:
# HPA spec, as defined in K8s API
API translations are version specific and are expressed as a table of Translators indexed by minor version. This is because mapping rules are only allowed to change between minor (not patch) versions.
The IstioOperatorSpec
API fields are translated to the output manifest in two ways:
- The
IstioOperatorSpec
API fields are mapped to the Helm values.yaml schema using the APIMapping field of the Translator struct. - The K8s settings are applied to resources in the output manifest using the KubernetesMapping field in the Translator struct.
Other per-component mappings to Helm values.yaml are expressed in the ComponentMaps struct.
Both the IstioOperatorSpec
and Helm APIs are validated. The IstioOperatorSpec
API is validated through a
table of validation rules in
pkg/validate/validate.go. These rules
refer to the Go struct path schema and hence have names with a capitalized first letter.
The Helm values.yaml API is validated in
validate_values.go
and refer to the values.yaml data paths. Hence, these rules have names with a lower case first letter.
Apart from validating the correctness of individual fields, the operator ensure that relationships between values in
different parts of the configuration tree are correct. For example, it's an error to enable a component while its
parent feature is disabled.
TODO(rcernich).
Manifest rendering is a multi-step process, shown in the figure below. The example in the figure shows the rendering being triggered by a CLI mesh
command with a IstioOperatorSpec
CR passed to it from a file; however, the same rendering steps would occur when an
in-cluster CR is updated and the controller acts upon it to generate a new manifest to apply to the cluster. Note that
both the charts and configuration profiles can come from three different sources: compiled-in, local filesystem, or URL
(TODO(mostrowski): describe the remote URL functionality).
The source may be selected independently for the charts and profiles. The different steps in creating the manifest are
as follows:
-
The user CR (my_custom.yaml) selects a configuration profile. If no profile is selected, the default profile is used. Each profile is defined as a set of defaults for
IstioOperatorSpec
, for both the restructured fields (K8s settings, namespaces and enablement) and the Helm values (Istio behavior configuration). -
The fields defined in the user CR override any values defined in the configuration profile CR. The resulting CR is converted to Helm values.yaml format and passed to the next step.
-
Part of the configuration profile contains settings in the Helm values.yaml schema format. User overrides of these fields are applied and merged with the output of this step. The result of this step is a merge of configuration profile defaults and user overlays, all expressed in Helm values.yaml format. This final values.yaml configuration is passed to the Helm rendering library and used to render the charts. The rendered manifests are passed to the next step.
-
Overlays in the user CR are applied to the rendered manifests. No values are ever defined in configuration profile CRs at this layer, so no merge is performed in this step.
The CLI mesh
command is implemented in the cmd/mesh
subdirectory as a Cobra command with the following subcommands:
- manifest: the manifest subcommand is used to generate, install, diff or migrate Istio manifests, it has the following subcommands:
- install: the install subcommand is used to generate an Istio install manifest and apply it to a cluster.
- diff: the diff subcommand is used to compare manifest from two files or directories.
- generate: the generate subcommand is used to generate an Istio install manifest.
- migrate: the migrate subcommand is used to migrate a configuration in Helm values format to IstioOperator format.
- versions: the versions subcommand is used to list the version of Istio recommended for and supported by this version of the operator binary.
- profile: dumps the default values for a selected profile, it has the following subcommands:
- upgrade: performs an in-place upgrade of the Istio control plane with eligibility checks.
TODO(richardwxn).