Version: 0.9.x

WorkloadEntry Annotations

List of annotations on a WorkloadEntry resource supported by the tctl x sidecar-bootstrap command.

Usage example

apiVersion: networking.istio.io/v1beta1
kind: WorkloadEntry
metadata:
  name: my-vm
  namespace: my-namespace
  annotations:
    sidecar-bootstrap.istio.io/ssh-user: istio-proxy
    sidecar-bootstrap.istio.io/proxy-config-dir: /etc/istio-proxy
    sidecar-bootstrap.istio.io/proxy-instance-ip: 10.0.0.1

    sidecar.istio.io/logLevel: debug
    sidecar.istio.io/componentLogLevel: upstream:info,config:trace
    sidecar.istio.io/statsInclusionRegexps: .* # enable all Envoy metrics
    proxy.istio.io/config: |
      concurrency: 3
spec:
  ...

Standard Istio annotations

proxy.istio.io/config

Overrides for the proxy configuration for this specific proxy. Available options can be found at https://istio.io/docs/reference/config/istio.mesh.v1alpha1/#ProxyConfig.

sidecar.istio.io/interceptionMode

Specifies the mode used to redirect inbound connections to Envoy (REDIRECT or TPROXY).

sidecar.istio.io/proxyImage

Specifies the Docker image to be used by the Envoy sidecar.

sidecar.istio.io/logLevel

Specifies the log level for Envoy.

sidecar.istio.io/componentLogLevel

Specifies the component log level for Envoy.

sidecar.istio.io/statsInclusionPrefixes

Specifies the comma-separated list of prefixes of the stats to be emitted by Envoy.

sidecar.istio.io/statsInclusionSuffixes

Specifies the comma-separated list of suffixes of the stats to be emitted by Envoy.

sidecar.istio.io/statsInclusionRegexps

Specifies the comma-separated list of regexes that the stats should match to be emitted by Envoy.

Annotations specific to tctl x sidecar-bootstrap command

sidecar-bootstrap.istio.io/k8s-ca-root-cert-configmap

Name of the Kubernetes config map that holds root certs of a k8s CA and, if applicable, OpenShift Service CA.

The ConfigMap should include the following keys:

  • ca.crt - (mandatory) root certs of a k8s CA
  • service-ca.crt - (optional) root certs of an OpenShift Service CA

By default, the config map is considered undefined. In that case, the only way to find out the root certs of a k8s CA and, if applicable, of the OpenShift Service CA is either 1) to read a k8s Secret with a ServiceAccountToken, which among other things holds the root certs of a k8s CA and, if applicable, of the OpenShift Service CA, or 2) to read the root certs of a k8s CA from the /var/run/secrets/kubernetes.io/serviceaccount/ca.crt file, which is auto-mounted into Pods by k8s, and, if applicable, the root certs of an OpenShift Service CA from /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt.

sidecar-bootstrap.istio.io/mesh-expansion-configmap

Name of the Kubernetes config map that holds configuration intended for those Istio Proxies that expand the mesh.

The ConfigMap should include the following keys:

This configuration is applied on top of the mesh-wide default ProxyConfig, but prior to the workload-specific ProxyConfig from the proxy.istio.io/config annotation on a WorkloadEntry.

By default, the config map is considered undefined, and thus expansion proxies will have the same configuration as the regular ones.

sidecar-bootstrap.istio.io/ssh-host

IP address or DNS name of the machine represented by this WorkloadEntry to use instead of WorkloadEntry.Address for SSH connections initiated by the sidecar-bootstrap command.

This setting is intended for scenarios where the sidecar-bootstrap command will be run on a machine without direct connectivity to WorkloadEntry.Address. E.g., one might set WorkloadEntry.Address to the internal IP of a VM and set the value of this annotation to the external IP of that VM.

By default, the value of WorkloadEntry.Address is assumed.

sidecar-bootstrap.istio.io/ssh-port

Port of the SSH server on the machine represented by this WorkloadEntry to use for SSH connections initiated by the sidecar-bootstrap command.

By default, "22" is assumed.

sidecar-bootstrap.istio.io/ssh-user

User on the machine represented by this WorkloadEntry to use for SSH connections initiated by the sidecar-bootstrap command.

Make sure that the user has enough permissions to create the config dir and to run a Docker container without sudo.

By default, the user running the sidecar-bootstrap command is assumed.

sidecar-bootstrap.istio.io/scp-path

Path to the scp binary on the machine represented by this WorkloadEntry to use in SSH connections initiated by the sidecar-bootstrap command.

By default, "/usr/bin/scp" is assumed.

sidecar-bootstrap.istio.io/proxy-config-dir

Directory on the machine represented by this WorkloadEntry to which the sidecar-bootstrap command should copy the bootstrap bundle.

By default, "/tmp/istio-proxy" is assumed (the most reliable default value for out-of-the-box experience).

sidecar-bootstrap.istio.io/proxy-image-hub

Hub with Istio Proxy images that the machine represented by this WorkloadEntry should pull from instead of the mesh-wide hub.

By default, the mesh-wide hub is assumed.

sidecar-bootstrap.istio.io/proxy-container-name

Name for a container with Istio Proxy.

If you need to run multiple Istio Proxy containers on the same machine, make sure each of them has a unique name.

By default, "istio-proxy" is assumed.

sidecar-bootstrap.istio.io/proxy-instance-ip

IP address of the machine represented by this WorkloadEntry that Istio Proxy should bind inbound listeners to.

This setting is intended for scenarios where Istio Proxy cannot bind to the IP address specified in WorkloadEntry.Address (e.g., on AWS EC2, where a VM can only bind the private IP but not the public one).

By default, WorkloadEntry.Address is assumed.
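As an added example (not code from this page or from tctl), the following Python pre-flight check resolves the effective sidecar-bootstrap settings for a WorkloadEntry using the defaults documented above (ssh-port 22, /usr/bin/scp, /tmp/istio-proxy, istio-proxy, and WorkloadEntry.Address for ssh-host and proxy-instance-ip), validates the ssh-port and proxy-instance-ip values, and flags entries that target the same SSH host with the same container name, the uniqueness requirement stated under proxy-container-name. The WorkloadEntries are constructed samples represented as already-loaded YAML dicts; the function names and the 203.0.113.x addresses are assumptions.

```python
import ipaddress
from collections import defaultdict

PREFIX = "sidecar-bootstrap.istio.io/"
# Documented defaults; ssh-host and proxy-instance-ip fall back to
# WorkloadEntry.Address, ssh-user to the invoking user (kept as None here).
DEFAULTS = {"ssh-port": "22", "scp-path": "/usr/bin/scp",
            "proxy-config-dir": "/tmp/istio-proxy", "proxy-container-name": "istio-proxy"}


def resolve(entry):
    """Effective bootstrap settings for one WorkloadEntry, defaults applied."""
    ann = (entry.get("metadata") or {}).get("annotations") or {}
    address = (entry.get("spec") or {}).get("address", "")
    eff = {k: ann.get(PREFIX + k, v) for k, v in DEFAULTS.items()}
    for k in ("ssh-host", "proxy-instance-ip"):
        eff[k] = ann.get(PREFIX + k, address)
    for k in ("ssh-user", "proxy-image-hub"):
        eff[k] = ann.get(PREFIX + k)  # None: the tool-level default applies
    return eff


def validate(entry):
    """Pre-flight checks on one entry; returns the problems found (empty if OK)."""
    eff, problems = resolve(entry), []
    port = str(eff["ssh-port"])
    if not (port.isdigit() and 1 <= int(port) <= 65535):
        problems.append(f"ssh-port {port!r} is not a valid TCP port")
    try:  # the proxy binds inbound listeners to this, so it must be a literal IP
        ipaddress.ip_address(eff["proxy-instance-ip"])
    except ValueError:
        problems.append(f"proxy-instance-ip {eff['proxy-instance-ip']!r} is not an IP")
    return problems


def container_name_conflicts(entries):
    """Entries bootstrapped onto the same host need distinct container names."""
    claims = defaultdict(list)
    for e in entries:
        eff = resolve(e)
        claims[(eff["ssh-host"], eff["proxy-container-name"])].append(e["metadata"]["name"])
    return [f"{host}: container {name!r} claimed by {sorted(owners)}"
            for (host, name), owners in claims.items() if len(owners) > 1]


# Constructed sample WorkloadEntries (as loaded YAML dicts), not from the page.
VM_OK = {"metadata": {"name": "my-vm", "annotations": {PREFIX + "ssh-host": "203.0.113.10",
         PREFIX + "ssh-user": "istio-proxy", PREFIX + "proxy-config-dir": "/etc/istio-proxy"}},
         "spec": {"address": "10.0.0.1"}}
VM_BAD = {"metadata": {"name": "bad-vm", "annotations": {PREFIX + "ssh-port": "22a",
          PREFIX + "proxy-instance-ip": "vm.internal", PREFIX + "proxy-config-dir": "istio-proxy"}},
          "spec": {"address": "10.0.0.2"}}
```

Run the checks over every WorkloadEntry you intend to bootstrap before invoking tctl, so a bad port or an unbindable instance IP is caught before any SSH connection is made.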