4

Istio can be deployed via IstioOperator.

You can patch anything created by a certain component using the K8sObjectOverlay, which takes a PathValue. I cannot for the life of me understand how to provide complicated PathValues.

Here are some example patches I've found (search for "patches:" on those pages) in case it helps.

The patch I'm trying to apply is changing the default ingressGateway that gets created from:

...
spec:
  profile: default
  components:
    ingressGateways:
      - namespace: istio-system
        name: istio-ingressgateway
        enabled: true

I can view the default ingress gateway that gets created with kubectl edit gateway/ingressgateway -n istio-system and see this snippet:

spec:
  servers:
  - hosts:
    - '*'
    port:
      name: http
      number: 80
      protocol: HTTP

My goal is to change it to this:

spec:
  selector:
    istio: ingressgateway # use istio default controller
  servers:
    - port:
        number: 80
        name: http
        protocol: HTTP
      hosts:
        - "*"
      tls:
        httpsRedirect: true # sends 301 redirect for http requests
    - port:
        number: 443
        name: https-443
        protocol: HTTPS
      hosts:
        - "*"
      tls:
        mode: SIMPLE # enables HTTPS on this port
        serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
        privateKey: /etc/istio/ingressgateway-certs/tls.key

I believe that the ObjectOverlay that I should add to the first YAML block above should start with something like this:

        k8s:
          overlays:
            - apiVersion: networking.istio.io/v1beta1
              Kind: Gateway
              name: ingressgateway
              patches:
                - path: spec.servers.

but I don't know how to specify that I want to add tls.httpsRedirect: true to the first list item, or how to create a list item with the relatively complicated values above.

The PathValue docs I linked above are not clear to me. Istio itself just links to StackOverflow with the [Istio] Tag, so I guess this is where I come for help.

jeremysprofile

3 Answers

3

This is a part of an overlay that will add another server entry with some example specs. Just tweak it to be the way you want it to be. You can also override your first server entry with a path of spec.servers[0] and then set the value to whatever you want it to be.

ingressGateways: 
  - enabled: true
    k8s:
      overlays:
      - apiVersion: networking.istio.io/v1alpha3
        kind: Gateway
        name: ingressgateway
        patches:
        - path: spec.servers[1]
          value:
            hosts:
              - '*.example.com'
            port:
              name: https
              number: 443
              protocol: HTTPS
            tls:
              credentialName: example-cert
              mode: SIMPLE
              privateKey: sds
              serverCertificate: sds

Update: I haven't tried it out, but you could try just defining that expression as the path; I think it then just sets that single value inside the rest of the object:

- path: spec.servers[0].tls.httpsRedirect
  value: true

It might be necessary to define the entire tls object though; I'm not sure right now if it'd be valid with just the httpsRedirect attribute defined.

- path: spec.servers[0].tls
  value: 
    httpsRedirect: true
    # other required attributes defined here, just like httpsRedirect
Jens Wurm
  • So there is no way to add `tls.httpsRedirect: true` to `[0]` without redefining `[0]` completely? – jeremysprofile May 07 '20 at 14:57
  • I haven't tried it out, but you could try just defining that expression as the path; I think it then just sets that single value inside the rest of the object: ` - path: spec.servers[0].tls.httpsRedirect value: true ` It might be necessary to define the entire tls object though; I'm not sure right now if it'd be valid with just the httpsRedirect attribute defined. `- path: spec.servers[0].tls value: httpsRedirect: true other attributes ` – Jens Wurm May 11 '20 at 06:57
  • I've updated the original reply, better code formatting available there. – Jens Wurm May 11 '20 at 07:06
3

You will have to provide a whole array as a patch. Here is a working example on v1.4.9:

apiVersion: install.istio.io/v1alpha2
kind: IstioOperator
spec:
  profile: default
  gateways:
    components:
      ingressGateway:
        enabled: true
        k8s:
          overlays:
            - kind: Gateway
              name: ingressgateway
              patches:
                - path: spec.servers
                  value:
                    - port:
                        number: 80
                        name: http
                        protocol: HTTP
                      hosts:
                        - "*"
                    - port:
                        number: 443
                        name: domain-com
                        protocol: HTTPS
                      tls:
                        mode: SIMPLE
                        serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
                        privateKey: /etc/istio/ingressgateway-certs/tls.key
                      hosts:
                        - "*.domain.com"
Anton Yurchenko
1

AFAIK it's not possible; as you can read in the documentation below, it's more for things like enabling or disabling some components, memory, labels.


If you want to edit specific components like ingress gateway then use istioctl manifest generate

You can generate a yaml with every istio component which will be installed.

In your example use

istioctl manifest generate --set profile=default > my-default.yaml

Use vi search to find the ingress gateway, it should look like this.

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: ingressgateway
  namespace: istio-system
  labels:
    release: istio
spec:
  selector:
    istio: ingressgateway # use istio default controller
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
      - "*"

Modify it with your specs

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: ingressgateway
  namespace: istio-system
  labels:
    release: istio
spec:
  selector:
    istio: ingressgateway # use istio default controller
  servers:
    - port:
        number: 80
        name: http
        protocol: HTTP
      hosts:
        - "*"
      tls:
        httpsRedirect: true # sends 301 redirect for http requests
    - port:
        number: 443
        name: https-443
        protocol: HTTPS
      hosts:
        - "*"
      tls:
        mode: SIMPLE # enables HTTPS on this port
        serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
        privateKey: /etc/istio/ingressgateway-certs/tls.key

And install istio with your modified ingress-gateway with kubectl apply

kubectl apply -f my-default.yaml

Tested it myself and everything works. Hope it answers your question.

Jakub
  • I do not think this shows it is impossible to do what I'm asking. I see the [pilot options](https://istio.io/docs/reference/config/installation-options/#pilot-options) mentioned here do not mention the K8sObjectOverlay.PathValues specified in this [Istio-provided example override](https://github.com/istio/operator/blob/master/samples/pilot-advanced-override.yaml), so the fact that `servers:` isn't mentioned in the gateway options doesn't mean it can't be edited the way I'm trying to describe above. – jeremysprofile Apr 21 '20 at 16:09
  • That being said, I realize this is a nonstandard approach. The problem I'm trying to solve by not having a second ingress-gateway yaml is that I can't apply these changes immediately back-to-back; I have to wait some amount of time from my initial istio deployment to when I apply the ingress-gateway changes or the ingress-gateway fails to take effect as it can't find the resources it expects. This prevents me from making a single helm chart that deploys Istio in the manner I want as I need a `sleep` between applying the yamls. – jeremysprofile Apr 21 '20 at 16:12
  • Your answer looks very similar to what I currently have, which is useful for validating my approach is more standard. +1 for taking the time. – jeremysprofile Apr 21 '20 at 16:13
  • I'm wondering if that just overrides the values or is it possible to "add" them like you want. I will try to find the answer. If I find something I will edit my answer. – Jakub Apr 23 '20 at 06:32
  • 1
    [Documentation](https://istio.io/docs/reference/config/istio.operator.v1alpha1/#K8sObjectOverlay-PathValue) clearly states that resource might be added/deleted/modified that way: ```Value to add, delete or replace. For add, the path should be a new leaf. For delete, value should be unset. For replace, path should reference an existing node. All values are strings but are converted into appropriate type based on schema.``` – Anton Yurchenko May 18 '20 at 08:44
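
A check for whether an overlay actually took effect, as an added example that is not part of the original question or answers: it audits a Gateway object (for instance parsed from `kubectl get gateway ingressgateway -n istio-system -o json`) for the two properties the question is after, the HTTP-to-HTTPS redirect on port 80 and a TLS-enabled server on 443. The function name `audit_gateway` and both sample objects are assumptions constructed for illustration.

```python
# Constructed samples, trimmed to the fields the check reads (not real cluster output).
DEFAULT_GATEWAY = {"spec": {"servers": [
    {"hosts": ["*"], "port": {"name": "http", "number": 80, "protocol": "HTTP"}},
]}}
PATCHED_GATEWAY = {"spec": {"servers": [
    {"hosts": ["*"], "port": {"name": "http", "number": 80, "protocol": "HTTP"},
     "tls": {"httpsRedirect": True}},
    {"hosts": ["*"], "port": {"name": "https-443", "number": 443, "protocol": "HTTPS"},
     "tls": {"mode": "SIMPLE",
             "serverCertificate": "/etc/istio/ingressgateway-certs/tls.crt",
             "privateKey": "/etc/istio/ingressgateway-certs/tls.key"}},
]}}


def audit_gateway(gateway):
    """Return a list of findings for one Gateway object (empty list means it passes)."""
    findings = []
    servers = gateway.get("spec", {}).get("servers", [])
    has_https = False
    for i, server in enumerate(servers):
        port = server.get("port", {})
        proto = str(port.get("protocol", "")).upper()
        tls = server.get("tls") or {}
        # Same path notation the overlay patches use, so a finding maps to a patch path.
        where = f"spec.servers[{i}] (port {port.get('number')})"
        if proto == "HTTP":
            if tls.get("httpsRedirect") is not True:
                findings.append(f"{where}: plaintext HTTP without tls.httpsRedirect: true")
        elif proto == "HTTPS":
            has_https = True
            mode = tls.get("mode")
            if mode is None:
                findings.append(f"{where}: HTTPS server has no tls.mode")
            elif mode in ("SIMPLE", "MUTUAL"):
                has_files = tls.get("serverCertificate") and tls.get("privateKey")
                if not (tls.get("credentialName") or has_files):
                    findings.append(f"{where}: tls.mode {mode} without a certificate source")
    if servers and not has_https:
        findings.append("spec.servers: no HTTPS server, so redirected clients have nowhere to land")
    return findings


if __name__ == "__main__":
    for name, gw in (("default", DEFAULT_GATEWAY), ("patched", PATCHED_GATEWAY)):
        print(name, audit_gateway(gw) or "OK")
```

Running the same check against the output of `istioctl manifest generate` (after converting the Gateway document to a dict) catches a patch that silently failed to apply before anything reaches the cluster.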