This document covers primarily the code, with some background on how the design maps to it. See the design doc for a more complete design description. The operator code is divided roughly into five areas:
IstioOperatorSpec
has pass-through fields to the Helm values.yaml API, but these are additionally validated through a schema.IstioOperatorSpec
CR.IstioOperatorSpec
API with the controller, but allows manifests to be generated and optionally applied from the command line without the need to run a privileged controller in the cluster.The operator code uses the new Helm charts in the istio/manifests/charts. It is not compatible with the older charts in istio/istio. See istio/manifests/charts
for details about the new charts and why they were created. Briefly, the new charts are intended to support production ready deployments of Istio that follow best practices like canarying for upgrade.
Throughout the document, the following terms are used:
IstioOperatorSpec
: The API directly defined in the IstioOperatorSpec proto, including feature and component groupings, namespaces and enablement, and per-component K8s settings.The IstioOperatorSpec
API is intended to replace the installation and K8s parts of Helm values.yaml.
The operator has a very similar structure to istio/installer: components are grouped into features. IstioOperatorSpec
defines functional settings at the feature level. Functional settings are those that performs some function in the Istio control plane without necessarily being tied to any one component that runs in a Deployment. Component settings are those that necessarily refer to a particular Deployment or Service. For example, the number of Pilot replicas is a component setting, because it refers to a component which is a Deployment in the cluster. Most K8s platform settings are necessarily component settings. The available features and the components that comprise each feature are as follows:
Feature | Components |
---|---|
CRDs, and other cluster wide configs | Base |
Traffic Management | Pilot |
Security | Pilot |
Configuration management | Pilot |
AutoInjection | Pilot |
Gateways | Ingress gateway |
Gateways | Egress gateway |
Policy | Policy (deprecated) |
Telemetry | Telemetry (deprecated) |
Features and components are defined in the name package.
Note: Besides the features and the components listed in the table above, some addon features and components are as follows:
Feature | Components |
---|---|
Telemetry | Prometheus |
Telemetry | Prometheus Operator |
Telemetry | Grafana |
Telemetry | Kiali |
Telemetry | Tracing |
ThirdParty | CNI |
The IstioOperatorSpec
API and underlying new Helm charts offer a lot of flexibility in which namespaces features and components are installed into. Namespace definitions can be defined and specialized at the global, feature and component level, with each lower level overriding the setting of the higher parent level. For example, if the global default namespace is defined as:
defaultNamespace: dubbo-system
and namespaces are specialized for the gateway feature and its components:
apiVersion: install.istio.io/v1alpha1 kind: IstioOperator metadata: namespace: istio-operator spec: components: ingressGateways: - name: istio-ingressgateway enabled: true namespace: istio-gateways
the resulting namespaces will be:
Component | Namespace |
---|---|
ingressGateways | istio-gateways |
These rules are expressed in code in the name package.
Features and components can be individually or collectively enabled or disabled. If a feature is disabled, all of its components are disabled, regardless of their component-level enablement. If a feature is enabled, all of its components are enabled, unless they are individually disabled. For example:
telemetry: enabled: true v2: enabled: false
These rules are expressed in code in the name package.
Rather than defining selective mappings from parameters to fields in K8s resources, the IstioOperatorSpec
API contains a consistent K8s block for each Istio component. The available K8s settings are defined in KubernetesResourcesSpec:
Field name | K8s API reference |
---|---|
resources | resources |
readinessProbe | readiness probes |
replicaCount | replica count |
hpaSpec | HorizontalPodAutoscaler |
podDisruptionBudget | PodDisruptionBudget |
podAnnotations | pod annotations |
env | container environment variables |
imagePullPolicy | ImagePullPolicy |
priorityClassName | priority class name |
nodeSelector | node selector |
affinity | affinity and anti-affinity |
serviceAnnotations | service annotations |
securityContext | security context |
These K8s setting are available for each component under the k8s
field, for example:
trafficManagement: components: pilot: k8s: hpaSpec: # HPA spec, as defined in K8s API
API translations are version specific and are expressed as a table of Translators indexed by minor version. This is because mapping rules are only allowed to change between minor (not patch) versions.
The IstioOperatorSpec
API fields are translated to the output manifest in two ways:
IstioOperatorSpec
API fields are mapped to the Helm values.yaml schema using the APIMapping field of the Translator struct.Other per-component mappings to Helm values.yaml are expressed in the ComponentMaps struct.
Both the IstioOperatorSpec
and Helm APIs are validated. The IstioOperatorSpec
API is validated through a table of validation rules in pkg/validate/validate.go. These rules refer to the Go struct path schema and hence have names with a capitalized first letter. The Helm values.yaml API is validated in validate_values.go and refer to the values.yaml data paths. Hence, these rules have names with a lower case first letter. Apart from validating the correctness of individual fields, the operator ensure that relationships between values in different parts of the configuration tree are correct. For example, it's an error to enable a component while its parent feature is disabled.
TODO(rcernich).
Manifest rendering is a multi-step process, shown in the figure below. The example in the figure shows the rendering being triggered by a CLI
mesh
command with a IstioOperatorSpec
CR passed to it from a file; however, the same rendering steps would occur when an in-cluster CR is updated and the controller acts upon it to generate a new manifest to apply to the cluster. Note that both the charts and configuration profiles can come from three different sources: compiled-in, local filesystem, or URL (TODO(mostrowski): describe the remote URL functionality). The source may be selected independently for the charts and profiles. The different steps in creating the manifest are as follows:
The user CR (my_custom.yaml) selects a configuration profile. If no profile is selected, the default profile is used. Each profile is defined as a set of defaults for IstioOperatorSpec
, for both the restructured fields (K8s settings, namespaces and enablement) and the Helm values (Istio behavior configuration).
The fields defined in the user CR override any values defined in the configuration profile CR. The resulting CR is converted to Helm values.yaml format and passed to the next step.
Part of the configuration profile contains settings in the Helm values.yaml schema format. User overrides of these fields are applied and merged with the output of this step. The result of this step is a merge of configuration profile defaults and user overlays, all expressed in Helm values.yaml format. This final values.yaml configuration is passed to the Helm rendering library and used to render the charts. The rendered manifests are passed to the next step.
Overlays in the user CR are applied to the rendered manifests. No values are ever defined in configuration profile CRs at this layer, so no merge is performed in this step.
The CLI mesh
command is implemented in the cmd/mesh subdirectory as a Cobra command with the following subcommands:
TODO(richardwxn).