Istio Route Customization (Alpha)

Alpha Feature

Route customization is an alpha feature for operators and platform teams who need fine-grained control over how Signadot modifies Istio VirtualService routes. Most users do not need this capability. Standard Istio routing handles the common cases automatically.

Requires Operator v1.3.0+.

Overview

When Signadot generates routes in Istio VirtualServices for sandbox traffic, it uses sensible defaults. However, some environments need to customize these generated routes, for example by adding custom headers, setting timeouts, or modifying retry policies. Route customization patches are specified via VirtualService annotations, giving mesh owners control over how sandbox routes behave. A patch can also be used to mask fields in the baseline VirtualService configuration that you do not want the operator to incorporate into the Signadot-derived routes.

Configuration

The following annotation is supported:

Annotation: istio.signadot.com/json-patch
Format: JSON Patch array (RFC 6902)

JSON Patch Format

The istio.signadot.com/json-patch annotation accepts a JSON Patch array. Each operation specifies op, path, and value, and is applied to every Signadot-generated HTTPRoute:

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: my-svc
  namespace: ns-1
  annotations:
    istio.signadot.com/json-patch: |
      [
        {"op": "add", "path": "/timeout", "value": "30s"},
        {"op": "add", "path": "/retries", "value": {"attempts": 3, "perTryTimeout": "2s"}}
      ]
spec:
  hosts:
    - my-svc.ns-1.svc.cluster.local
  http:
    - name: default
      route:
        - destination:
            host: my-svc.ns-1.svc.cluster.local

The path field uses JSON Pointer syntax relative to the HTTPRoute object.

Examples

Adding Request Headers

istio.signadot.com/json-patch: |
  [{"op": "add", "path": "/route/0/headers/request/set", "value": {"x-routed-by": "signadot"}}]

Setting Timeouts

istio.signadot.com/json-patch: |
  [{"op": "add", "path": "/timeout", "value": "60s"}]

Configuring Retry Policy

istio.signadot.com/json-patch: |
  [{"op": "add", "path": "/retries", "value": {"attempts": 3, "perTryTimeout": "10s", "retryOn": "connect-failure,refused-stream,unavailable"}}]

Debugging

To verify patches were applied, inspect the VirtualService:

kubectl get virtualservice my-svc -n ns-1 -o yaml

Signadot-generated routes have the prefix signadot-operator-.

Common issues:

  • JSON Patch path errors: Paths must exist or use appropriate operations (add for new fields, replace for existing).
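
An added example (not Signadot's code): a dry run that applies an annotation's operations to a copy of a route, to catch the path errors described above before the VirtualService is edited. It assumes strict RFC 6902 semantics, under which add fails when the parent of the target path is missing, and a constructed route shaped like the my-svc sample; the operator's own behavior and the exact fields of a generated route are not specified on this page.

```python
import copy
import json

# Limit stated under Limitations; it is a total, so this is only a necessary check.
MAX_ANNOTATION_BYTES = 256 * 1024

def _walk(doc, pointer):
    """Resolve a JSON Pointer to (parent container, last token)."""
    if not pointer.startswith("/"):
        raise ValueError("path must start with '/'")
    tokens = [t.replace("~1", "/").replace("~0", "~") for t in pointer[1:].split("/")]
    for tok in tokens[:-1]:
        doc = doc[int(tok)] if isinstance(doc, list) else doc[tok]
    return doc, tokens[-1]

def apply_op(route, op):
    """Apply one add/replace/remove in place; raise if the path is invalid."""
    kind = op["op"]
    if kind not in ("add", "replace", "remove"):
        raise ValueError("op not covered by this sketch")
    parent, key = _walk(route, op["path"])
    if isinstance(parent, list):
        key = len(parent) if (kind == "add" and key == "-") else int(key)
        if not 0 <= key < len(parent) + (kind == "add"):
            raise IndexError(key)
        if kind == "add":
            return parent.insert(key, op["value"])
    elif kind != "add" and key not in parent:
        raise KeyError(key)  # replace/remove need an existing member
    if kind == "remove":
        del parent[key]
    else:
        parent[key] = op["value"]  # TypeError if parent is a scalar

def dry_run(annotation, route):
    """Return (patched copy, errors). Every failing op is reported."""
    errors = []
    if len(annotation.encode()) > MAX_ANNOTATION_BYTES:
        errors.append("annotation larger than 256KB")
    patched = copy.deepcopy(route)
    for i, op in enumerate(json.loads(annotation)):
        try:
            apply_op(patched, op)
        except (KeyError, IndexError, ValueError, TypeError) as exc:
            errors.append(f"op {i} ({op.get('op')} {op.get('path')}): {type(exc).__name__}")
    return patched, errors

# Constructed sample: the one HTTPRoute of the my-svc VirtualService above.
ROUTE = {"name": "default", "route": [{"destination": {"host": "my-svc.ns-1.svc.cluster.local"}}]}
# Reported as an error here: ROUTE has no /route/0/headers/request parent object.
HEADER_SET = '[{"op": "add", "path": "/route/0/headers/request/set", "value": {"x-routed-by": "signadot"}}]'
print(dry_run(HEADER_SET, ROUTE)[1])
```

If the dry run reports a missing parent, an earlier add operation in the same array can create the parent object first.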

Limitations

  • Annotation values are subject to Kubernetes size limits (256KB total)