This repository has been archived by the owner on Oct 7, 2020. It is now read-only.

Bootstrap environment

Costin Manolache edited this page Jul 17, 2019 · 1 revision

This is an attempt to summarize the environment created by the sidecar injector and the mechanisms available to advanced users for customizing it. Eventually we should formalize this and make it independent of the Istio and K8S implementations, for example for gRPC or other components with native Istio support.

Volumes

In K8S a number of ConfigMaps and Secrets are mounted as volumes. In non-K8S environments the equivalent directories and files must be provisioned by the CI/CD system.

  • "istio-envoy" - in-memory emptyDir, mounted at /etc/istio/proxy. Must be writable by GID 1337, the group the proxy runs as.

  • All volumes listed in the sidecar.istio.io/userVolume annotation. The annotation is a JSON object whose keys are volume names and whose values are the volume definitions. They are mounted according to sidecar.istio.io/userVolumeMount, a JSON object keyed by the same volume names whose values are the mount definitions.

  • "istio-certs" - backed by the optional Secret "istio.SERVICE_ACCOUNT" (one per service account), mounted at /etc/certs/.

  • "custom-bootstrap-volume" - the ConfigMap named in sidecar.istio.io/bootstrapOverride, mounted at /etc/istio/custom-bootstrap/. Its "custom_bootstrap.json" entry is merged with the generated bootstrap file: if the file exists, its content is passed to Envoy as "--config-yaml CONTENT"; otherwise a warning is logged. An "envoy.yaml.tmpl" entry is used as the bootstrap template in place of the built-in one, allowing users to override the entire template.

  • istio-token - projected from a 'serviceAccountToken' with audience == trustDomain, only if sds.useTrustworthyJwt is set. Mounted at /var/run/secrets/tokens.

  • "sds-uds-path" - hostPath /var/run/sds, mounted at /var/run/sds, only if sds.enabled is set.

  • Optional Secret "lightstep.cacert" - mounted if proxy.tracer == "lightstep" and tracer.lightstep.cacertPath is set; the mount path is the directory of $GetCacertPath. TODO: this could be mounted automatically from the per-namespace ConfigMap, since it is not a secret. It should be deprecated and replaced with a consistent mechanism for adding volumes and mounts to all pods; there is nothing Lightstep-specific about it.

  • PROPOSED: an optional "istio.default" ConfigMap, mounted at /var/lib/istioconfig. It can include any other per-namespace settings and overrides.
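Two of the items above are easy to get wrong in practice: the shape of the userVolume / userVolumeMount annotations, and what "merged with the generated bootstrap" means for custom_bootstrap.json. The following is an added example, not code from this wiki or from Istio. It assumes, as described above, that both annotations are JSON objects keyed by volume name, and it models the merge on Envoy's --config-yaml behaviour (protobuf MergeFrom: message fields merge recursively, repeated fields are appended, scalars are overwritten). The volume names, mount paths, the trimmed "generated" bootstrap and the override content are all constructed sample data.

```python
import copy
import json

# --- userVolume / userVolumeMount annotations ------------------------------
# Constructed sample: mount the lightstep.cacert Secret mentioned on this page
# through the generic user-volume mechanism. Volume name and mount path are
# assumptions for illustration, not values the injector requires.
EXAMPLE_VOLUMES = {
    "lightstep-certs": {
        "source": {"secret": {"secretName": "lightstep.cacert"}},
        "mount": {"mountPath": "/etc/lightstep", "readOnly": True},
    },
}


def render_user_volume_annotations(volumes):
    """Build the two annotations; both are JSON objects keyed by volume name.

    userVolume values are Kubernetes VolumeSource bodies; userVolumeMount
    values are VolumeMount bodies without the name (the key supplies it).
    """
    user_volume = {name: v["source"] for name, v in volumes.items()}
    user_volume_mount = {name: v["mount"] for name, v in volumes.items()}
    return {
        "sidecar.istio.io/userVolume": json.dumps(user_volume, sort_keys=True),
        "sidecar.istio.io/userVolumeMount": json.dumps(user_volume_mount, sort_keys=True),
    }


# --- custom_bootstrap.json merge ------------------------------------------
def merge_bootstrap(generated, override):
    """Model (assumption) of Envoy's --config-yaml merge, i.e. protobuf
    MergeFrom on the Bootstrap message: message fields merge recursively,
    repeated fields are appended, scalar fields are overwritten.
    Nothing present in `generated` can be removed. Neither input is mutated."""
    merged = copy.deepcopy(generated)
    for key, value in override.items():
        current = merged.get(key)
        if isinstance(current, dict) and isinstance(value, dict):
            merged[key] = merge_bootstrap(current, value)
        elif isinstance(current, list) and isinstance(value, list):
            merged[key] = current + copy.deepcopy(value)
        else:
            merged[key] = copy.deepcopy(value)
    return merged


# Constructed, heavily trimmed stand-in for the injector-generated bootstrap.
GENERATED_BOOTSTRAP = {
    "node": {"id": "sidecar~10.0.0.1~app-1.default~default.svc.cluster.local"},
    "admin": {"address": {"socket_address": {"address": "127.0.0.1", "port_value": 15000}}},
    "stats_sinks": [{"name": "envoy.statsd"}],
    "static_resources": {
        "listeners": [{"name": "virtualInbound"}],
        "clusters": [{"name": "xds-grpc"}],
    },
}

# Constructed content of the ConfigMap's custom_bootstrap.json key: one scalar
# override inside an existing message, one appended repeated entry, one new field.
CUSTOM_BOOTSTRAP_JSON = json.dumps({
    "admin": {"address": {"socket_address": {"port_value": 15001}}},
    "stats_sinks": [{"name": "envoy.metrics_service"}],
    "tracing": {"http": {"name": "envoy.zipkin"}},
})


def example_merge():
    """Apply the constructed override to the constructed generated bootstrap."""
    return merge_bootstrap(GENERATED_BOOTSTRAP, json.loads(CUSTOM_BOOTSTRAP_JSON))


if __name__ == "__main__":
    print(json.dumps(render_user_volume_annotations(EXAMPLE_VOLUMES), indent=2))
    print(json.dumps(example_merge(), indent=2))
```

Running it shows the three merge behaviours side by side: the admin port changes while the sibling address field survives, the statsd sink is kept and the metrics_service sink is appended after it, and the injector's listeners and clusters are untouched. The practical consequence is that an override can add to or overwrite anything in the generated bootstrap, including the admin listener, but can never remove what the injector put there; treat write access to the ConfigMap named in sidecar.istio.io/bootstrapOverride as equivalent to control of every proxy in that namespace.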
