Istio injection with an app with secret and configmap

8/29/2018

I am trying to test SSL pass-through with the Istio/Envoy ingress, as I was able to achieve it with the nginx ingress controller. So I created an nginx HTTPS deployment and tested that the deployment/pod/service works.

However, when I run this as usual, kubectl apply -f <(istioctl kube-inject -f ~/nginx/nginx-app.yaml) the deployment doesn't proceed (so no pod is created).

It seems the volume & mount are causing the issue. It seems Istio is also trying to mount these.

spec:
  volumes:
  - name: secret-volume
    secret:
      secretName: nginxsecret
  - name: configmap-volume
    configMap:
      name: nginxconfigmap
  containers:
  - image: nginx
    imagePullPolicy: Always
    name: nginx
    ports:
    - containerPort: 80
    - containerPort: 443
    volumeMounts:
    - mountPath: /etc/nginx/ssl
      name: secret-volume
    - mountPath: /etc/nginx/conf.d
      name: configmap-volume

Does anyone have an insight?

Thank you!

-- J H
envoyproxy
istio
kubernetes

1 Answer

8/31/2018

I found a solution. It's related to https://github.com/istio/istio/issues/3548. The issue is fixed but not merged yet, so a workaround is to add sidecar.istio.io/inject: "false".

For example:

spec:
  replicas: 1
  template:
    metadata:
      annotations:
        sidecar.istio.io/inject: "false"
      labels:
        app: nginx

-- J H
Source: StackOverflow