Custom istio-agent template

A custom istio-agent template is a modified version of the standard Istio sidecar container configuration used to facilitate specific integrations, such as connecting external Certificate Authorities (CAs) like SPIRE to the mesh^[400-devops__07-Monitoring-and-Observability__k8s-istio__samples__security__spire__README.md].

Deployment mechanism

To use a custom template, it must first be defined in an Istio installation configuration profile^[400-devops__07-Monitoring-and-Observability__k8s-istio__samples__security__spire__README.md]. Once Istio is installed with that profile, the custom agent configuration is injected into application workloads^[400-devops__07-Monitoring-and-Observability__k8s-istio__samples__security__spire__README.md].

The deployment process typically involves two steps^[400-devops__07-Monitoring-and-Observability__k8s-istio__samples__security__spire__README.md]:

  1. Apply the modified workload manifest (e.g., sleep-spire.yaml).
  2. Let the injection process (automatic, or manual via istioctl kube-inject) apply the custom template defined in the configuration profile.
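As an added illustration (not taken from the cited README), the shape such a profile and workload take: an IstioOperator resource declaring a custom `spire` template, and a constructed workload that opts into it through Istio's `inject.istio.io/templates` annotation. The trust domain, the CSI driver name `csi.spiffe.io` and the socket directory are assumptions based on the SPIFFE CSI driver and must match the deployed SPIRE setup.

```yaml
# Added example: IstioOperator profile carrying a custom sidecar template.
# Assumptions: trust domain example.org, SPIFFE CSI driver csi.spiffe.io,
# socket directory /run/secrets/workload-spiffe-uds (adjust to your SPIRE setup).
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  namespace: istio-system
spec:
  profile: default
  meshConfig:
    trustDomain: example.org   # must equal the SPIRE server's trust domain
  values:
    sidecarInjectorWebhook:
      templates:
        # Overlay merged on top of the standard "sidecar" template: it hands
        # the SPIRE agent's SDS socket to istio-proxy, so the workload asks
        # SPIRE for its identity instead of the default Istio CA.
        spire: |
          spec:
            containers:
            - name: istio-proxy
              volumeMounts:
              - name: workload-socket
                mountPath: /run/secrets/workload-spiffe-uds
                readOnly: true
            volumes:
            - name: workload-socket
              csi:
                driver: "csi.spiffe.io"
                readOnly: true
---
# Constructed workload of the kind a modified manifest such as sleep-spire.yaml
# represents: "sidecar" keeps the normal proxy, "spire" adds the overlay above.
apiVersion: v1
kind: Pod
metadata:
  name: sleep
  labels:
    app: sleep
  annotations:
    inject.istio.io/templates: "sidecar,spire"
spec:
  containers:
  - name: sleep
    image: curlimages/curl
    command: ["/bin/sleep", "infinity"]
```

If the CSI volume does not appear in the injected pod, the template name in the annotation and the `sidecarInjectorWebhook.templates` key are the first things to compare.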

SPIRE integration

In the context of integrating [[spire|SPIRE]] with Envoy's Secret Discovery Service (SDS) API, the custom istio-agent template is necessary to ensure the workload receives an identity issued by SPIRE rather than the default Istio CA^[400-devops__07-Monitoring-and-Observability__k8s-istio__samples__security__spire__README.md].

A successful integration can be verified by inspecting the TLS certificate the workload presents, using istioctl proxy-config secret, and checking that its issuer field corresponds to the external CA rather than the Istio CA^[400-devops__07-Monitoring-and-Observability__k8s-istio__samples__security__spire__README.md].

  • Istio
  • SPIRE
  • [[Sidecar injection]]
  • [[Mutual TLS]]

Sources

^[400-devops__07-Monitoring-and-Observability__k8s-istio__samples__security__spire__README.md]