Istio-operator

Istio-operator is based on the Istio helm charts. Aside from embedding all installation logic into the operator (e.g. removing create-custom-resources.yaml templates), the changes made to the base Istio charts can be found below.

Component Modifications

General

  • GODEBUG environment variable settings have been removed from all templates.

  • A maistra-version label has been added to all resources.

  • The istio-multi ServiceAccount and ClusterRoleBinding have been removed, as well as the istio-reader ClusterRole.

  • All Ingress resources have been converted to OpenShift Route resources.

Galley

  • A named targetPort has been added to the Galley Service.

  • The Galley webhook port has been moved from 443 to 8443.

  • The Galley health file has been moved to /tmp/heath (from /health)

  • The --validation-port option has been added to the Galley.

Sidecar Injector

  • Sidecar proxy init containers have been configured as privileged, regardless of global.proxy.privileged setting.

  • The opt-out mechanism for injection has been modified when sidecarInjectorWebhook.enableNamespacesByDefault is enabled. Namespaces now opt-out by adding an istio.openshift.com/ignore-namespace label to the namespace.

  • A named targetPort has been added to the Sidecar Injector Service.

  • The Sidecar Injector webhook port has been moved from 443 to 8443.

Gateways

  • A Route has been added for the istio-ingressgateway gateway.

  • The istio-egressgateway gateway has been enabled by default.

Grafana

  • Has been enabled by default.

  • Ingress has been enabled by default.

  • A ServiceAccount has been added for Grafana.

Tracing

  • Has been enabled by default.

  • Ingress has been enabled by default.

  • The name for the Zipkin port name has changed to jaeger-collector-zipkin (from http)

  • Jaeger uses Elasticsearch for storage.

Kiali

  • Has been enabled by default.

  • Ingress has been enabled by default.

  • Updates have been made to the Kiali ConfigMap.

  • Updates have been made to the ClusterRole settings for Kiali.

  • A demo Secret has been added that will get created using values from kiali.dashboard.user and kiali.dashboard.passphrase, if specified.

Known Issues

The following are known issues that need to be addressed:

  • Istio CustomResourceDefinition resources are not removed during uninstall.

  • Updates have not been tested (e.g. modifying a ServiceMeshControlPlane resource to enable/disable a component).

  • Uninstall is a little sloppy (i.e. resources are just deleted, and not in an intelligent fashion).

  • Reconciliation is only performed on the ServiceMeshControlPlane resource (i.e. the operator is not watching installed resources, e.g. Galley deployment). This means users may modify those resources and the operator will not revert them (unless the ServiceMeshControlPlane resource is modified).

  • Rollout may hang if configuration changes are made to the istio-operator deployment.