
custom bootstrap is not applied to ingress gateway

Open akamac opened this issue 1 year ago • 4 comments

Is this the right place to submit this?

  • [X] This is not a security vulnerability or a crashing bug
  • [X] This is not a question about how to use Istio

Bug Description

Custom bootstrap, provided via annotation, is not applied to ingress gateway, because it is not supported in the gateway injection template.

Given that bootstrap patching via EnvoyFilter no longer works in 1.21, this is quite critical.

Version

client version: 1.21.0
control plane version: 1.21.1
data plane version: 1.21.1 (3 proxies)

Additional Information

No response

akamac avatar Apr 10 '24 12:04 akamac

fwiw you could manually add it to the deployment in the short term. It's just an env var and volume mount.

That being said, consistency here probably makes sense

howardjohn avatar Apr 10 '24 14:04 howardjohn

> fwiw you could manually add it to the deployment in the short term. It's just an env var and volume mount.
>
> That being said, consistency here probably makes sense

Yep, I've ended up adding the custom injection template for gw that does support bootstrap override. The PR is trivial, but needs some tests I guess.

akamac avatar Apr 10 '24 16:04 akamac

Similar to https://github.com/istio/istio/issues/28302 with a workaround documented in https://istio.io/latest/news/security/istio-security-2020-007/#mitigation

StianOvrevage avatar Jun 12 '24 10:06 StianOvrevage

> fwiw you could manually add it to the deployment in the short term. It's just an env var and volume mount.
>
> That being said, consistency here probably makes sense

We are hitting a similar issue and it is blocking our upgrade to 1.21 as we need to customize histogram metric buckets. Is there any more detail on the volume mount / env var required?

We are trying to get upgraded to 1.21 before 1.20 goes out of support in July.

Ended up figuring this out; here is a workaround for those using istio-operator.

1: Create configmap

apiVersion: v1
kind: ConfigMap
metadata:
  name: istio-custom-bootstrap-config
data:
  custom_bootstrap.json: |
    YOUR_CONFIG_HERE

2: Add an overlay to your ingress gateway configs:

overlays:
- name: gateway-name
  kind: Deployment
  patches:
    - path: spec.template.spec.containers[0].env[100]
      value: |
        name: ISTIO_BOOTSTRAP_OVERRIDE
        value: /etc/istio/custom-bootstrap/custom_bootstrap.json
    - path: spec.template.spec.containers[0].volumeMounts[100]
      value: |
        mountPath: /etc/istio/custom-bootstrap
        name: custom-bootstrap-volume
        readOnly: true
    - path: spec.template.spec.volumes[100]
      value: |
        configMap:
          name: istio-custom-bootstrap-config
          defaultMode: 420
          optional: false
        name: custom-bootstrap-volume

ben-childs-docusign avatar Jun 27 '24 18:06 ben-childs-docusign
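
A check for the workaround in the comment above, as an added example that is not part of the original thread or Istio's own code: it confirms that the `ISTIO_BOOTSTRAP_OVERRIDE` path on a rendered Deployment resolves to a read-only mount backed by the expected ConfigMap key. The function name `check_bootstrap_override` is hypothetical, the inputs are assumed to be dicts in the shape of `kubectl get -o json` output, the sample objects are constructed, and ConfigMap volumes that remap keys with `items` are not handled.

```python
import posixpath

ENV_NAME = "ISTIO_BOOTSTRAP_OVERRIDE"  # env var set by the overlay above

def check_bootstrap_override(deployment, configmap):
    """Return wiring problems for the override; an empty list means consistent."""
    pod = deployment["spec"]["template"]["spec"]
    volumes = {v["name"]: v for v in pod.get("volumes", [])}
    problems, found = [], False
    for c in pod.get("containers", []):
        env = {e["name"]: e.get("value") for e in c.get("env", [])}
        path = env.get(ENV_NAME)
        if not path:
            continue
        found = True
        # The file named by the env var must live in a directory that is mounted.
        directory, filename = posixpath.split(path)
        mount = next((m for m in c.get("volumeMounts", [])
                      if m["mountPath"].rstrip("/") == directory), None)
        if mount is None:
            problems.append(f"{c['name']}: nothing mounted at {directory}")
            continue
        if not mount.get("readOnly"):
            problems.append(f"{c['name']}: mount {mount['name']} is writable")
        cm = volumes.get(mount["name"], {}).get("configMap")
        if cm is None:
            problems.append(f"{c['name']}: {mount['name']} is not a configMap volume")
        elif cm["name"] != configmap["metadata"]["name"]:
            problems.append(f"{c['name']}: volume points at ConfigMap {cm['name']}")
        elif filename not in configmap.get("data", {}):
            problems.append(f"{c['name']}: ConfigMap has no key {filename}")
    if not found:
        problems.append(f"{ENV_NAME} is not set on any container")
    return problems

# Constructed sample objects (JSON form of the manifests in the comment above;
# the container name "istio-proxy" and the "{}" payload are placeholders).
CONFIGMAP = {"metadata": {"name": "istio-custom-bootstrap-config"},
             "data": {"custom_bootstrap.json": "{}"}}
DEPLOYMENT = {"spec": {"template": {"spec": {
    "containers": [{
        "name": "istio-proxy",
        "env": [{"name": ENV_NAME,
                 "value": "/etc/istio/custom-bootstrap/custom_bootstrap.json"}],
        "volumeMounts": [{"name": "custom-bootstrap-volume", "readOnly": True,
                          "mountPath": "/etc/istio/custom-bootstrap"}]}],
    "volumes": [{"name": "custom-bootstrap-volume",
                 "configMap": {"name": "istio-custom-bootstrap-config"}}]}}}}

if __name__ == "__main__":
    print(check_bootstrap_override(DEPLOYMENT, CONFIGMAP) or "override wired correctly")
```

An empty result means the env var, volume mount, volume and ConfigMap key all line up; each returned string names the first broken link for that container.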

🚧 This issue or pull request has been closed due to not having had activity from an Istio team member since 2024-04-10. If you feel this issue or pull request deserves attention, please reopen the issue. Please see this wiki page for more information. Thank you for your contributions.

Created by the issue and PR lifecycle manager.

istio-policy-bot avatar Jul 25 '24 05:07 istio-policy-bot