Istio can be deployed via IstioOperator.
You can patch anything created by a certain component using the K8sObjectOverlay, which takes a PathValue. I cannot for the life of me understand how to provide complicated PathValues.
Here are some example patches I've found (search for "patches:" on those pages) in case it helps.
The patch I'm trying to apply is changing the default ingressGateway that gets created from:
    ...
    spec:
      profile: default
      components:
        ingressGateways:
        - namespace: istio-system
          name: istio-ingressgateway
          enabled: true
I can view the default ingress gateway that gets created with kubectl edit gateway/ingressgateway -n istio-system
and see this snippet:
    spec:
      servers:
      - hosts:
        - '*'
        port:
          name: http
          number: 80
          protocol: HTTP
My goal is to change it to this:
    spec:
      selector:
        istio: ingressgateway # use istio default controller
      servers:
      - port:
          number: 80
          name: http
          protocol: HTTP
        hosts:
        - "*"
        tls:
          httpsRedirect: true # sends 301 redirect for http requests
      - port:
          number: 443
          name: https-443
          protocol: HTTPS
        hosts:
        - "*"
        tls:
          mode: SIMPLE # enables HTTPS on this port
          serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
          privateKey: /etc/istio/ingressgateway-certs/tls.key
I believe that the ObjectOverlay that I should add to the first YAML block above should start with something like this:
    k8s:
      overlays:
      - apiVersion: networking.istio.io/v1beta1
        kind: Gateway
        name: ingressgateway
        patches:
        - path: spec.servers.
but I don't know how to specify that I want to add tls.httpsRedirect: true
to the first list item, or how to create a list item with the relatively complicated values above.
The PathValue docs I linked above are not clear to me. Istio itself just links to StackOverflow with the [Istio] Tag, so I guess this is where I come for help.
You will have to provide a whole array as a patch. Here is a working example on v1.4.9:
    apiVersion: install.istio.io/v1alpha2
    kind: IstioOperator
    spec:
      profile: default
      gateways:
        components:
          ingressGateway:
            enabled: true
            k8s:
              overlays:
              - kind: Gateway
                name: ingressgateway
                patches:
                - path: spec.servers
                  value:
                  - port:
                      number: 80
                      name: http
                      protocol: HTTP
                    hosts:
                    - "*"
                  - port:
                      number: 443
                      name: domain-com
                      protocol: HTTPS
                    tls:
                      mode: SIMPLE
                      serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
                      privateKey: /etc/istio/ingressgateway-certs/tls.key
                    hosts:
                    - "*.domain.com"
This is a part of an overlay that will add another server entry with some example specs. Just tweak it to be the way you want it to be. You can also override your first server entry with a path of spec.servers[0] and then set the value to whatever you want it to be.
    ingressGateways:
    - enabled: true
      k8s:
        overlays:
        - apiVersion: networking.istio.io/v1alpha3
          kind: Gateway
          name: ingressgateway
          patches:
          - path: spec.servers[1]
            value:
              hosts:
              - '*.example.com'
              port:
                name: https
                number: 443
                protocol: HTTPS
              tls:
                credentialName: example-cert
                mode: SIMPLE
                privateKey: sds
                serverCertificate: sds
Update: I haven't tried it out, but you could try just defining that expression as the path; I think it then just sets that single value inside the rest of the object:
    - path: spec.servers[0].tls.httpsRedirect
      value: true
It might be necessary to define the entire tls object though, I'm not sure right now if it'd be valid with just the httpsRedirect attribute defined.
    - path: spec.servers[0].tls
      value:
        httpsRedirect: true
        # other required attributes defined here just like httpsRedirect
AFAIK it's not possible; as you can read in the documentation below, it's more for things like enabling or disabling some components, memory, labels.
If you want to edit specific components like ingress gateway then use istioctl manifest generate
You can generate a yaml with every istio component which will be installed.
In your example use
istioctl manifest generate --set profile=default > my-default.yaml
Use vi search to find the ingress gateway, it should look like this.
    apiVersion: networking.istio.io/v1alpha3
    kind: Gateway
    metadata:
      name: ingressgateway
      namespace: istio-system
      labels:
        release: istio
    spec:
      selector:
        istio: ingressgateway # use istio default controller
      servers:
      - port:
          number: 80
          name: http
          protocol: HTTP
        hosts:
        - "*"
Modify it with your specs
    apiVersion: networking.istio.io/v1alpha3
    kind: Gateway
    metadata:
      name: ingressgateway
      namespace: istio-system
      labels:
        release: istio
    spec:
      selector:
        istio: ingressgateway # use istio default controller
      servers:
      - port:
          number: 80
          name: http
          protocol: HTTP
        hosts:
        - "*"
        tls:
          httpsRedirect: true # sends 301 redirect for http requests
      - port:
          number: 443
          name: https-443
          protocol: HTTPS
        hosts:
        - "*"
        tls:
          mode: SIMPLE # enables HTTPS on this port
          serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
          privateKey: /etc/istio/ingressgateway-certs/tls.key
And install istio with your modified ingress-gateway with kubectl apply
kubectl apply -f my-default.yaml
Tested it myself and everything works. Hope it answers your question.
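
A check that can be run after either approach to confirm the patch actually landed, added here as an example and not taken from any of the answers: it audits a Gateway object (as JSON from kubectl get gateway ingressgateway -n istio-system -o json) for a port-80 server without tls.httpsRedirect and for HTTPS servers without a usable tls block, reporting each finding with the same path syntax the overlays use. The function name audit_gateway and the sample object are constructed for illustration; only servers with protocol HTTP or HTTPS are examined.

```python
import json

# Constructed sample (not from the page's cluster): the JSON shape returned by
# `kubectl get gateway ingressgateway -n istio-system -o json` when the 443
# server was added but the port-80 redirect patch did not take effect.
SAMPLE_GATEWAY = json.loads("""
{"kind": "Gateway",
 "metadata": {"name": "ingressgateway", "namespace": "istio-system"},
 "spec": {"servers": [
   {"port": {"number": 80, "name": "http", "protocol": "HTTP"}, "hosts": ["*"]},
   {"port": {"number": 443, "name": "https-443", "protocol": "HTTPS"},
    "hosts": ["*"],
    "tls": {"mode": "SIMPLE",
            "serverCertificate": "/etc/istio/ingressgateway-certs/tls.crt",
            "privateKey": "/etc/istio/ingressgateway-certs/tls.key"}}]}}
""")


def _protocol(server):
    # Normalise the port protocol so "http" and "HTTP" compare equal.
    return str((server.get("port") or {}).get("protocol", "")).upper()


def audit_gateway(gateway):
    """Return (overlay-style path, problem) tuples for one Gateway object."""
    findings = []
    servers = (gateway.get("spec") or {}).get("servers") or []
    for i, server in enumerate(servers):
        tls = server.get("tls") or {}
        base = f"spec.servers[{i}]"
        if _protocol(server) == "HTTP" and tls.get("httpsRedirect") is not True:
            findings.append((f"{base}.tls.httpsRedirect",
                             "plaintext server does not redirect to HTTPS"))
        elif _protocol(server) == "HTTPS":
            has_files = tls.get("serverCertificate") and tls.get("privateKey")
            if not tls.get("mode"):
                findings.append((f"{base}.tls.mode", "HTTPS server has no TLS mode"))
            elif tls["mode"] == "SIMPLE" and not (tls.get("credentialName") or has_files):
                findings.append((f"{base}.tls", "SIMPLE mode without a certificate source"))
    if not any(_protocol(s) == "HTTPS" for s in servers):
        findings.append(("spec.servers", "no HTTPS server defined"))
    return findings


if __name__ == "__main__":
    for path, problem in audit_gateway(SAMPLE_GATEWAY):
        print(f"{path}: {problem}")
```

An empty result means every HTTP server redirects and every HTTPS server has a TLS mode with a certificate source; each reported path can be used directly as the path of an overlay patch.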