AKO on Istio
Overview
AKO can be deployed in an Istio environment. Currently, strict mTLS is supported in ClusterIP mode. This article explains the steps to deploy AKO on Istio and verify the deloyment.
Note: This feature is currently under Tech Preview.
Deploying and Verifying AKO Deployment on Istio
To deploy AKO, follow the steps given below:
- Set the flag
istioEnabledto True in values.yaml to allow AKO to work in an Istio environment. - Verify istio sidecar injection is enabled and working:
kubectl logs ako-0 -n avi-system -c istio-proxy - Verify the
istio-secretsecret is created in the AKO namespace with cert-chain, key and root-cert data populated. These correspond to the workload and CA certificates.kubectl describe secret istio-secret -n <AKOnamesapce> - Verify the PKI profile using
pkiprofile istio-pki-<clustername>-<AKOnamespace>and sslkeyandcertificationistio-workload-<clustername>-<AKOnamespace>are created on the Controller.
Service Name for AKO
AKO and the NSX Advanced Load Balancer Service Engines use a service name based on the AKO service account and AKO namespace such as cluster.local/ns/<AKOnamespace>/sa/<AKOServiceAccount>.
For example, cluster.local/ns/avi-system/sa/ako-sa
This service name should be used when updating the auth policy CRD for Istio.
Caveat
- AKO prioritizes the Istio
pkiprofileover any other PKI profile reference added usinghttprule.
Troubleshooting
-
Sidecar injection for AKO is not working
Workaround: Try enabling injection for the ako namespace. For example,kubectl label namespace avi-system istio-injection=enabled --overwrite. -
istio-secretis not created
Workaround: Check AKO cluster role has permissions to create or update secrets in the AKO namespace.
Document Revision History
| Date | Change Summary |
|---|---|
| September 29, 2022 | Created the article for AKO on Istio |