Skip to content

Update Istio configuration to use CNI node agents instead of istio-init containers #474

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft
wants to merge 6 commits into
base: master
Choose a base branch
from
+53 −213
Draft

Update Istio configuration to use CNI node agents instead of istio-init containers #474

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
08606a3
Update Istio configuration to use CNI node agents instead of `istio-i…
MaciejKaras Sep 24, 2025
b695d51
Internal review fixes
MaciejKaras Sep 24, 2025
40048fc
Merge branch 'master' into maciejk/istio-cni-node-agent
MaciejKaras Sep 29, 2025
f51f321
Merge branch 'master' into maciejk/istio-cni-node-agent
MaciejKaras Oct 10, 2025
592f35d
Bump istio version because of the issue with CNI -> https://github.co…
MaciejKaras Oct 10, 2025
9013035
Test fixes
MaciejKaras Oct 10, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 3 additions & 3 deletions multi_cluster/tools/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,15 +5,15 @@ The script is intended to install Istio in the multi E2E clusters that we have c
Steps to run the script and verify it:

* Install the istioctl binary:
`curl -sL https://istio.io/downloadIstioctl | ISTIO_VERSION=1.9.1 sh -`
`curl -sL https://istio.io/downloadIstioctl | ISTIO_VERSION=1.27.1 sh -`
`export PATH=$PATH:$HOME/.istioctl/bin`

* Export cluster variables:
`export CTX_CLUSTER1=e2e.cluster1.mongokubernetes.com`

`export CTX_CLUSTER2=e2e.cluster2.mongokubernetes.com `


* Run the script : `sh ./install_istio.sh`

* [Verify the Istio installation](https://istio.io/latest/docs/setup/install/multicluster/verify/)
* [Verify the Istio installation](https://istio.io/latest/docs/setup/install/multicluster/verify/)
2 changes: 1 addition & 1 deletion multi_cluster/tools/download_istio.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
#!/usr/bin/env bash
set -Eeou pipefail

export VERSION=${VERSION:-1.16.1}
export VERSION=${VERSION:-1.27.1}
ISTIO_SCRIPT_CHECKSUM="254c6bd6aa5b8ac8c552561c84d8e9b3a101d9e613e2a8edd6db1f19c1871dbf"

echo "Checking if we need to download Istio ${VERSION}"
Expand Down
41 changes: 28 additions & 13 deletions multi_cluster/tools/install_istio.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@ set -eux
export CTX_CLUSTER1=${CTX_CLUSTER1:-e2e.cluster1.mongokubernetes.com}
export CTX_CLUSTER2=${CTX_CLUSTER2:-e2e.cluster2.mongokubernetes.com}
export CTX_CLUSTER3=${CTX_CLUSTER3:-e2e.cluster3.mongokubernetes.com}
export VERSION=${VERSION:-1.12.8}
export VERSION=${VERSION:-1.27.1}

IS_KIND="false"
if [[ $CTX_CLUSTER1 = kind* ]]; then
Expand Down Expand Up @@ -38,6 +38,7 @@ make -f ../tools/certs/Makefile.selfsigned.mk "${CTX_CLUSTER3}-cacerts" || make
# create cluster secret objects with the certs and keys
kubectl --context="${CTX_CLUSTER1}" delete ns istio-system || true
kubectl --context="${CTX_CLUSTER1}" create ns istio-system
kubectl --context="${CTX_CLUSTER1}" label --overwrite ns istio-system pod-security.kubernetes.io/enforce=privileged
kubectl --context="${CTX_CLUSTER1}" create secret generic cacerts -n istio-system \
--from-file=${CTX_CLUSTER1}/ca-cert.pem \
--from-file=${CTX_CLUSTER1}/ca-key.pem \
Expand All @@ -46,6 +47,7 @@ kubectl --context="${CTX_CLUSTER1}" create secret generic cacerts -n istio-syste

kubectl --context="${CTX_CLUSTER2}" delete ns istio-system || true
kubectl --context="${CTX_CLUSTER2}" create ns istio-system
kubectl --context="${CTX_CLUSTER2}" label --overwrite ns istio-system pod-security.kubernetes.io/enforce=privileged
kubectl --context="${CTX_CLUSTER2}" create secret generic cacerts -n istio-system \
--from-file=${CTX_CLUSTER2}/ca-cert.pem \
--from-file=${CTX_CLUSTER2}/ca-key.pem \
Expand All @@ -54,6 +56,7 @@ kubectl --context="${CTX_CLUSTER2}" create secret generic cacerts -n istio-syste

kubectl --context="${CTX_CLUSTER3}" delete ns istio-system || true
kubectl --context="${CTX_CLUSTER3}" create ns istio-system
kubectl --context="${CTX_CLUSTER3}" label --overwrite ns istio-system pod-security.kubernetes.io/enforce=privileged
kubectl --context="${CTX_CLUSTER3}" create secret generic cacerts -n istio-system \
--from-file=${CTX_CLUSTER3}/ca-cert.pem \
--from-file=${CTX_CLUSTER3}/ca-key.pem \
Expand All @@ -67,6 +70,10 @@ apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
tag: ${VERSION}
components:
cni:
namespace: istio-system
enabled: true
meshConfig:
defaultConfig:
terminationDrainDuration: 30s
Expand All @@ -81,13 +88,17 @@ spec:
network: network1
EOF

bin/istioctl install --context="${CTX_CLUSTER1}" -f cluster1.yaml -y &
bin/istioctl install --context="${CTX_CLUSTER1}" --set components.cni.enabled=true -f cluster1.yaml -y &

cat <<EOF >cluster2.yaml
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
tag: ${VERSION}
components:
cni:
namespace: istio-system
enabled: true
meshConfig:
defaultConfig:
terminationDrainDuration: 30s
Expand All @@ -102,13 +113,17 @@ spec:
network: network1
EOF

bin/istioctl install --context="${CTX_CLUSTER2}" -f cluster2.yaml -y &
bin/istioctl install --context="${CTX_CLUSTER2}" --set components.cni.enabled=true -f cluster2.yaml -y &

cat <<EOF >cluster3.yaml
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
tag: ${VERSION}
components:
cni:
namespace: istio-system
enabled: true
meshConfig:
defaultConfig:
terminationDrainDuration: 30s
Expand All @@ -123,54 +138,54 @@ spec:
network: network1
EOF

bin/istioctl install --context="${CTX_CLUSTER3}" -f cluster3.yaml -y &
bin/istioctl install --context="${CTX_CLUSTER3}" --set components.cni.enabled=true -f cluster3.yaml -y &

wait

CLUSTER_1_ADDITIONAL_OPTS=""
CLUSTER_2_ADDITIONAL_OPTS=""
CLUSTER_3_ADDITIONAL_OPTS=""
if [[ $IS_KIND == "true" ]]; then
CLUSTER_1_ADDITIONAL_OPTS="--server https://$(kubectl --context=${CTX_CLUSTER1} get node e2e-cluster-1-control-plane -o=jsonpath='{.status.addresses[?(@.type=="InternalIP")].address}'):6443"
CLUSTER_2_ADDITIONAL_OPTS="--server https://$(kubectl --context=${CTX_CLUSTER2} get node e2e-cluster-2-control-plane -o=jsonpath='{.status.addresses[?(@.type=="InternalIP")].address}'):6443"
CLUSTER_3_ADDITIONAL_OPTS="--server https://$(kubectl --context=${CTX_CLUSTER3} get node e2e-cluster-3-control-plane -o=jsonpath='{.status.addresses[?(@.type=="InternalIP")].address}'):6443"
CLUSTER_1_ADDITIONAL_OPTS="--server https://$(kubectl --context="${CTX_CLUSTER1}" get node e2e-cluster-1-control-plane -o=jsonpath='{.status.addresses[?(@.type=="InternalIP")].address}'):6443"
CLUSTER_2_ADDITIONAL_OPTS="--server https://$(kubectl --context="${CTX_CLUSTER2}" get node e2e-cluster-2-control-plane -o=jsonpath='{.status.addresses[?(@.type=="InternalIP")].address}'):6443"
CLUSTER_3_ADDITIONAL_OPTS="--server https://$(kubectl --context="${CTX_CLUSTER3}" get node e2e-cluster-3-control-plane -o=jsonpath='{.status.addresses[?(@.type=="InternalIP")].address}'):6443"
fi

# enable endpoint discovery
bin/istioctl x create-remote-secret \
--context="${CTX_CLUSTER1}" \
-n istio-system \
--name=cluster1 ${CLUSTER_1_ADDITIONAL_OPTS} |
--name=cluster1 "${CLUSTER_1_ADDITIONAL_OPTS}" |
kubectl apply -f - --context="${CTX_CLUSTER2}"

bin/istioctl x create-remote-secret \
--context="${CTX_CLUSTER1}" \
-n istio-system \
--name=cluster1 ${CLUSTER_1_ADDITIONAL_OPTS} |
--name=cluster1 "${CLUSTER_1_ADDITIONAL_OPTS}" |
kubectl apply -f - --context="${CTX_CLUSTER3}"

bin/istioctl x create-remote-secret \
--context="${CTX_CLUSTER2}" \
-n istio-system \
--name=cluster2 ${CLUSTER_2_ADDITIONAL_OPTS} |
--name=cluster2 "${CLUSTER_2_ADDITIONAL_OPTS}" |
kubectl apply -f - --context="${CTX_CLUSTER1}"

bin/istioctl x create-remote-secret \
--context="${CTX_CLUSTER2}" \
-n istio-system \
--name=cluster2 ${CLUSTER_2_ADDITIONAL_OPTS} |
--name=cluster2 "${CLUSTER_2_ADDITIONAL_OPTS}" |
kubectl apply -f - --context="${CTX_CLUSTER3}"

bin/istioctl x create-remote-secret \
--context="${CTX_CLUSTER3}" \
-n istio-system \
--name=cluster3 ${CLUSTER_3_ADDITIONAL_OPTS} |
--name=cluster3 "${CLUSTER_3_ADDITIONAL_OPTS}" |
kubectl apply -f - --context="${CTX_CLUSTER1}"

bin/istioctl x create-remote-secret \
--context="${CTX_CLUSTER3}" \
-n istio-system \
--name=cluster3 ${CLUSTER_3_ADDITIONAL_OPTS} |
--name=cluster3 "${CLUSTER_3_ADDITIONAL_OPTS}" |
kubectl apply -f - --context="${CTX_CLUSTER2}"
# disable namespace injection explicitly for istio-system namespace
kubectl --context="${CTX_CLUSTER1}" label namespace istio-system istio-injection=disabled
Expand Down
6 changes: 3 additions & 3 deletions multi_cluster/tools/install_istio_central.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,12 +2,12 @@

set -eux

export VERSION=${VERSION:-1.14.2}
export VERSION=${VERSION:-1.27.1}

export CTX_CLUSTER=${CTX_CLUSTER:-e2e.operator.mongokubernetes.com}

source multi_cluster/tools/download_istio.sh
cd istio-${VERSION}
cd istio-"${VERSION}"

bin/istioctl x uninstall --context="${CTX_CLUSTER}" --purge --skip-confirmation
bin/istioctl install --context="${CTX_CLUSTER}" --set profile=default --set meshConfig.outboundTrafficPolicy.mode=REGISTRY_ONLY --skip-confirmation
bin/istioctl install --context="${CTX_CLUSTER}" --set components.cni.enabled=true --set profile=default --set meshConfig.outboundTrafficPolicy.mode=REGISTRY_ONLY --skip-confirmation
2 changes: 1 addition & 1 deletion ...itectures/setup-multi-cluster/ra-03-setup-istio/code_snippets/ra-03_0040_install_istio.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
CTX_CLUSTER1=${K8S_CLUSTER_0_CONTEXT_NAME} \
CTX_CLUSTER2=${K8S_CLUSTER_1_CONTEXT_NAME} \
CTX_CLUSTER3=${K8S_CLUSTER_2_CONTEXT_NAME} \
ISTIO_VERSION="1.20.2" \
ISTIO_VERSION="1.27.1" \
./install_istio_separate_network.sh
21 changes: 17 additions & 4 deletions public/architectures/setup-multi-cluster/ra-03-setup-istio/install_istio_separate_network.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,7 @@

set -eux

export ISTIO_VERSION=${ISTIO_VERSION:-1.20.2}
export ISTIO_VERSION=${ISTIO_VERSION:-1.27.1}

if [[ ! -d istio-${ISTIO_VERSION} ]]; then
# download Istio under the path
Expand Down Expand Up @@ -80,6 +80,10 @@ cat <<EOF > cluster1.yaml
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
components:
cni:
namespace: istio-system
enabled: true
meshConfig:
defaultConfig:
terminationDrainDuration: 30s
Expand All @@ -93,7 +97,8 @@ spec:
clusterName: cluster1
network: network1
EOF
bin/istioctl install --context="${CTX_CLUSTER1}" -f cluster1.yaml -y
bin/istioctl install --context="${CTX_CLUSTER1}" --set components.cni.enabled=true -f cluster1.yaml -y

samples/multicluster/gen-eastwest-gateway.sh \
--mesh mesh1 --cluster cluster1 --network network1 | \
bin/istioctl --context="${CTX_CLUSTER1}" install -y -f -
Expand All @@ -116,6 +121,10 @@ cat <<EOF > cluster2.yaml
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
components:
cni:
namespace: istio-system
enabled: true
meshConfig:
defaultConfig:
terminationDrainDuration: 30s
Expand All @@ -130,7 +139,7 @@ spec:
network: network2
EOF

bin/istioctl install --context="${CTX_CLUSTER2}" -f cluster2.yaml -y
bin/istioctl install --context="${CTX_CLUSTER2}" --set components.cni.enabled=true -f cluster2.yaml -y

samples/multicluster/gen-eastwest-gateway.sh \
--mesh mesh1 --cluster cluster2 --network network2 | \
Expand All @@ -150,6 +159,10 @@ cat <<EOF > cluster3.yaml
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
components:
cni:
namespace: istio-system
enabled: true
meshConfig:
defaultConfig:
terminationDrainDuration: 30s
Expand All @@ -164,7 +177,7 @@ spec:
network: network3
EOF

bin/istioctl install --context="${CTX_CLUSTER3}" -f cluster3.yaml -y
bin/istioctl install --context="${CTX_CLUSTER3}" --set components.cni.enabled=true -f cluster3.yaml -y

samples/multicluster/gen-eastwest-gateway.sh \
--mesh mesh1 --cluster cluster3 --network network3 | \
Expand Down
Loading