
I am new to the world of sidecars and Istio. I have been reading about this for around a week, but still can't find a perfect answer.

First of all, is it possible to inject a custom sidecar using Istio? The functionality that I want to achieve is: in the request header I will receive 2 tokens (JWT), one for the issuer (nonce) and the other for the sender (pop). I need to verify whether both these tokens are correct and, if correct, I can allow them access to my microservice, or else reject straight away.

So in order to achieve this functionality, I have created a sidecar, and now I want to deploy it using Istio. But I can't find a way to do it.

What I am able to achieve is the automatic sidecar injection that happens as soon as I install my containers. But now where I am stuck is, I want a custom sidecar to be injected using Istio.

Let me know if anyone can give me a direction in what I am trying to achieve. Thank you.

Ankit Ostwal

1 Answer


You can do this in Istio with a custom sidecar injection template.

For example, to overwrite the default sidecar istio-proxy, just create an overlay for the template in the IstioOperator:

apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  name: istio
spec:
  values:
    sidecarInjectorWebhook:
      templates:
        custom: |
          spec:
            containers:
            - name: istio-proxy
              env:
              - name: GREETING
                value: hello-world

With that, the proxy would get the extra GREETING environment variable. You can also inject a second/different custom sidecar. First add it in the IstioOperator manifest:

[...]
  values:
    sidecarInjectorWebhook:
      templates:
        custom: |
          spec:
            containers:
            - name: my-custom-container
              image: my-custom-image

Now you can control which sidecar will be injected by annotating the pod with the inject.istio.io/templates annotation.

To replace the default istio-proxy sidecar, set it like inject.istio.io/templates=custom.

To inject it as a secondary sidecar, set it like inject.istio.io/templates=sidecar,custom, where sidecar would be the default Istio sidecar.

You can check the istio-sidecar-injector configmap in the istio-system namespace to inspect the default config and also to verify your changes.

For more on that, see the docs.

Note that the feature is currently still experimental.

Edit

Here is an example deployment that would utilize a second sidecar. Note the annotation in the pod template:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  labels:
    app: nginx
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
      annotations: 
        inject.istio.io/templates: sidecar,custom # for custom sidecar
    spec:
      containers:
      - name: nginx
        image: nginx:1.14.2
        ports:
        - containerPort: 80

Chris
  • Hi Chris, thanks for your input. But where are the annotations to be kept? Can you show the entire YAML file and corresponding commands? Even the doc doesn't have many details. – Ankit Ostwal Nov 14 '22 at 07:03
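
A check for the two ways this setup fails silently, added here as an example and not part of the original answer: the annotation placed on the Deployment's own metadata instead of the pod template, and a template list that drops or replaces istio-proxy. The template-to-container mapping and the "sidecar" default are assumptions taken from the manifests in the answer; the helper names and sample objects are constructed for illustration.

```python
ANNOTATION = "inject.istio.io/templates"
# Assumption: template name -> container it injects, per the answer's manifests.
TEMPLATE_CONTAINERS = {"sidecar": "istio-proxy", "custom": "my-custom-container"}


def requested_templates(deployment):
    """Read the annotation from the pod template, where the injector sees it."""
    findings = []
    pod_meta = deployment["spec"]["template"].get("metadata", {})
    value = (pod_meta.get("annotations") or {}).get(ANNOTATION)
    if value is None:
        if ANNOTATION in (deployment["metadata"].get("annotations") or {}):
            findings.append("annotation set on the Deployment metadata, not the pod template")
        return ["sidecar"], findings  # assumed default when nothing is requested
    return [t.strip() for t in value.split(",") if t.strip()], findings


def audit(deployment, pod):
    """Compare requested templates with the containers of an injected pod."""
    templates, findings = requested_templates(deployment)
    if "sidecar" not in templates:
        findings.append("'sidecar' not requested: istio-proxy is replaced")
    spec = pod["spec"]
    present = {c["name"] for c in spec.get("containers", []) + spec.get("initContainers", [])}
    for name in templates:
        expected = TEMPLATE_CONTAINERS.get(name)
        if expected is None:
            findings.append(f"unknown template {name!r}")
        elif expected not in present:
            findings.append(f"template {name!r} requested but {expected!r} is not in the pod")
    return findings


def make_deployment(pod_annotations=None, top_annotations=None):
    """Constructed sample shaped like `kubectl get deployment -o json`."""
    return {"metadata": {"name": "nginx-deployment", "annotations": top_annotations},
            "spec": {"template": {"metadata": {"annotations": pod_annotations}}}}


def make_pod(*names):
    """Constructed sample shaped like `kubectl get pod -o json`."""
    return {"spec": {"containers": [{"name": n} for n in names]}}


if __name__ == "__main__":
    good = make_deployment({ANNOTATION: "sidecar,custom"})
    print(audit(good, make_pod("nginx", "istio-proxy", "my-custom-container")))
    misplaced = make_deployment(top_annotations={ANNOTATION: "sidecar,custom"})
    print(audit(misplaced, make_pod("nginx", "istio-proxy")))
```

An empty list means the pod carries every container the annotation asked for; any finding means traffic may be reaching the service without the token-validating sidecar or without the mesh proxy.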