How to enable Istio SDS on existing GKE cluster

8/13/2019

I have an existing GKE cluster with the Istio addon installed, e.g.:

gcloud beta container clusters create istio-demo \
    --addons=Istio --istio-config=auth=MTLS_PERMISSIVE \
    --cluster-version=[cluster-version] \
    --machine-type=n1-standard-2 \
    --num-nodes=4

I am following this guide to install cert-manager in order to automatically provision TLS certificates from Let's Encrypt. According to the guide, Istio needs SDS enabled which can be done at the point of installation:

helm install istio.io/istio \
       --name istio \
       --namespace istio-system \
       --set gateways.istio-ingressgateway.sds.enabled=true

As I already have Istio installed via GKE, how can I enable SDS on the existing cluster? Alternatively, is it possible to use the gcloud CLI to enable SDS at the point of cluster creation?

-- Andrew Ridout
google-cloud-platform
google-kubernetes-engine
istio

3 Answers

8/15/2019

Managed Istio per design will revert any custom configuration and will disable SDS again. So, IMHO, it is a non-useful scenario. You can enable SDS manually following this guide, but keep in mind that the configuration will remain active only for 2-3 minutes.

Currently GKE doesn't support enabling SDS when creating a cluster from scratch. On GKE managed Istio, Google is looking to have the ability to enable SDS on GKE clusters, but they don't have an ETA yet for that release.

However, if you use non-managed (open source) Istio, the SDS feature is on the Istio roadmap, and I think it should be available in version 1.2, but it is not a guarantee.

-- Carlos Cuevas
Source: StackOverflow

11/12/2019

Even though currently the default ingress gateway created by Istio on GKE doesn't support SDS, you can add your own extra ingress gateway manually.

You can get the manifest of the default istio-ingressgateway deployment and service in your istio-system namespace and modify it to add the SDS container and change the name and then apply it to your cluster. But it's a little too tedious, there's a simpler way to do that:

First download the open-source helm chart of istio (choose a version that works with your Istio on GKE version, in my case my Istio on GKE is 1.1.3 and I downloaded open-source istio 1.1.17 and it works):

curl -O https://storage.googleapis.com/istio-release/releases/1.1.17/charts/istio-1.1.17.tgz
# extract under current working directory
tar xzvf istio-1.1.17.tgz

Then render the helm template for only the ingressgateway component:

helm template istio/ --name istio \
--namespace istio-system \
-x charts/gateways/templates/deployment.yaml \
-x charts/gateways/templates/service.yaml \
--set gateways.istio-egressgateway.enabled=false \
--set gateways.istio-ingressgateway.sds.enabled=true > istio-ingressgateway.yaml

Then manually modify the rendered istio-ingressgateway.yaml file with the following modifications:

  1. Change the metadata.name for both the deployment and service to something else like istio-ingressgateway-sds
  2. Change the metadata.labels.istio for both the deployment and service to something else like ingressgateway-sds
  3. Change the spec.template.metadata.labels for the deployment similarly to ingressgateway-sds
  4. Change the spec.selector.istio for the service to the same value, like ingressgateway-sds

Then apply the yaml file to your GKE cluster:

kubectl apply -f istio-ingressgateway.yaml

Holla! You have your own istio ingressgateway with SDS created now and you can get the load balancer IP of it by:

kubectl -n istio-system get svc istio-ingressgateway-sds

To let your Gateway use the correct SDS-enabled ingressgateway you need to set spec.selector.istio to match the one you set. Below is an example of a Gateway resource using a Kubernetes secret as the TLS cert:

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: gateway-test
spec:
  selector:
    istio: ingressgateway-sds
  servers:
  - hosts:
    - '*.example.com'
    port:
      name: http
      number: 80
      protocol: HTTP
    tls:
      httpsRedirect: true
  - hosts:
    - '*.example.com'
    port:
      name: https
      number: 443
      protocol: HTTPS
    tls:
      credentialName: example-com-cert
      mode: SIMPLE
      privateKey: sds
      serverCertificate: sds

-- duan
Source: StackOverflow
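
The four manual edits above, plus a check that a Gateway's spec.selector really lands on the new pods rather than on the managed gateway, as an added Python example that is not part of duan's answer. RENDERED_DOCS is a constructed stand-in for the two documents the helm template command renders; load_manifest and dump_manifest assume PyYAML is installed when you point the script at the real istio-ingressgateway.yaml; and the SDS sidecar container name ingress-sds is assumed from the open-source chart of that version. The example goes one step beyond the answer's list: it also renames the Deployment's spec.selector.matchLabels.istio, because apps/v1 rejects a Deployment whose selector does not match its pod-template labels, so step 3 alone would fail at apply time.

```python
"""Rename a rendered istio-ingressgateway manifest into a second, SDS-enabled
gateway beside the GKE-managed one, then check which gateway pods a Gateway
resource's spec.selector binds to. Added example, not from the original answer.
RENDERED_DOCS is a constructed stand-in for what `helm template -x .../deployment.yaml
-x .../service.yaml` renders; load_manifest()/dump_manifest() assume PyYAML."""
import copy
import sys

LABELS = {"app": "istio-ingressgateway", "istio": "ingressgateway"}

# Constructed stand-in, trimmed to the fields the renaming touches.
RENDERED_DOCS = [
    {"apiVersion": "v1", "kind": "Service",
     "metadata": {"name": "istio-ingressgateway", "namespace": "istio-system",
                  "labels": dict(LABELS)},
     "spec": {"type": "LoadBalancer", "selector": dict(LABELS),
              "ports": [{"name": "http2", "port": 80}, {"name": "https", "port": 443}]}},
    {"apiVersion": "apps/v1", "kind": "Deployment",
     "metadata": {"name": "istio-ingressgateway", "namespace": "istio-system",
                  "labels": dict(LABELS)},
     "spec": {"selector": {"matchLabels": dict(LABELS)},
              "template": {"metadata": {"labels": dict(LABELS)},
                           "spec": {"containers": [{"name": "ingress-sds"},
                                                   {"name": "istio-proxy"}]}}}},
]

# The answer's Gateway, reduced to the part that decides which pods serve it.
GATEWAY = {"apiVersion": "networking.istio.io/v1alpha3", "kind": "Gateway",
           "metadata": {"name": "gateway-test"},
           "spec": {"selector": {"istio": "ingressgateway-sds"}}}


def rename_gateway(docs, name="istio-ingressgateway-sds", istio_label="ingressgateway-sds"):
    """Apply the answer's four edits to copies of the Deployment and Service:
    1. metadata.name, 2. metadata.labels.istio (both), 3. the Deployment's
    spec.template.metadata.labels.istio, 4. the Service's spec.selector.istio.
    The Deployment's spec.selector.matchLabels.istio is renamed too when present,
    since apps/v1 requires the selector to match the pod-template labels.
    Documents of any other kind pass through unchanged."""
    renamed = []
    for doc in docs:
        doc = copy.deepcopy(doc)  # leave the caller's documents untouched
        kind = doc.get("kind")
        if kind in ("Deployment", "Service"):
            doc["metadata"]["name"] = name
            doc["metadata"].setdefault("labels", {})["istio"] = istio_label
        if kind == "Deployment":
            doc["spec"]["template"]["metadata"]["labels"]["istio"] = istio_label
            match = doc["spec"].get("selector", {}).get("matchLabels", {})
            if "istio" in match:
                match["istio"] = istio_label
        elif kind == "Service":
            doc["spec"].setdefault("selector", {})["istio"] = istio_label
        renamed.append(doc)
    return renamed


def _selects(selector, labels):
    return all(labels.get(k) == v for k, v in selector.items())


def gateway_targets(gateway, docs):
    """Names of Deployments whose pod labels satisfy the Gateway's spec.selector.
    Empty means no ingress gateway will serve these hosts; naming the managed
    gateway means credentialName is requested from a gateway with no SDS agent,
    so the HTTPS server never receives its certificate."""
    sel = gateway["spec"]["selector"]
    return [d["metadata"]["name"] for d in docs if d.get("kind") == "Deployment"
            and _selects(sel, d["spec"]["template"]["metadata"]["labels"])]


def has_sds_agent(deployment, container="ingress-sds"):
    """True if the pod template carries the SDS node-agent sidecar. The name
    ingress-sds is assumed from the open-source chart; check your rendered file."""
    return any(c.get("name") == container
               for c in deployment["spec"]["template"]["spec"].get("containers", []))


def load_manifest(path):
    import yaml  # imported lazily so the in-memory demo runs without PyYAML
    with open(path) as fh:
        return [d for d in yaml.safe_load_all(fh) if d]


def dump_manifest(docs, stream=sys.stdout):
    import yaml
    yaml.safe_dump_all(docs, stream)


if __name__ == "__main__":
    # Usage: python rename_gateway.py istio-ingressgateway.yaml > istio-ingressgateway-sds.yaml
    if len(sys.argv) > 1:
        dump_manifest(rename_gateway(load_manifest(sys.argv[1])))
    else:
        new = rename_gateway(RENDERED_DOCS)
        print("Gateway binds to:", gateway_targets(GATEWAY, new))
        print("SDS agent present:", has_sds_agent(new[1]))
```

Run gateway_targets against both the managed gateway's documents (kubectl get deploy,svc -n istio-system -o yaml) and the renamed ones before applying: the Gateway should select exactly the new Deployment, and the renamed Service's selector should pick up only that Deployment's pods, otherwise the managed gateway keeps receiving the traffic and the credentialName secret is never served.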

8/16/2019

Per Carlos' answer, I decided not to use the Istio on GKE addon as there is very limited customization available when using Istio as a managed service.

I created a standard GKE cluster...

gcloud beta container clusters create istio-demo \
    --cluster-version=[cluster-version] \
    --machine-type=n1-standard-2 \
    --num-nodes=4

And then manually installed Istio...

  1. Create the namespace:

kubectl create namespace istio-system

  2. Install the Istio CRDs:

helm template install/kubernetes/helm/istio-init --name istio-init --namespace istio-system | kubectl apply -f -

  3. Install Istio using the default configuration profile with my necessary customizations:

helm template install/kubernetes/helm/istio --name istio --namespace istio-system \
    --set gateways.enabled=true \
    --set gateways.istio-ingressgateway.enabled=true \
    --set gateways.istio-ingressgateway.sds.enabled=true \
    --set gateways.istio-ingressgateway.externalTrafficPolicy="Local" \
    --set global.proxy.accessLogFile="/dev/stdout" \
    --set global.proxy.accessLogEncoding="TEXT" \
    --set grafana.enabled=true \
    --set kiali.enabled=true \
    --set prometheus.enabled=true \
    --set tracing.enabled=true \
  | kubectl apply -f -

  4. Enable Istio sidecar injection on the default namespace:

kubectl label namespace default istio-injection=enabled

-- Andrew Ridout
Source: StackOverflow