If your app is running in an Istio mesh, you can turn on sandbox routing through Istio by setting the istio.enabled Helm value to true when installing the operator. This causes the Signadot Operator to manage routes in the Istio VirtualService of each service that is opted into Signadot.
If you don't already have a VirtualService defined, you just need to create a basic one with a default route. For example, here is a basic VirtualService for a Service called my-svc in namespace
- name: default
Signadot will then add and remove routes in the VirtualService as needed to configure sandbox routing.
When Istio VirtualServices are managed by a CI/CD or GitOps tool such as Argo or FluxCD, some care is required to ensure that those systems accept the changes Signadot applies to VirtualServices (otherwise they may revert Signadot's routes on every sync). To accommodate this, Signadot's controllers maintain the following contract with VirtualServices:
- The name of any HTTPRoute added by Signadot in a VirtualService will have the
- If the VirtualService carries the annotation istio.signadot.com/ignore: "true", then Signadot will not manipulate that VirtualService (>=v0.14.0).
- The annotations given in the Helm value istio.additionalAnnotations are added to any VirtualService that contains modifications generated by Signadot [1] (>=v0.14.0).
When an Istio VirtualService that matches a sandboxed workload has a non-empty gateways list in its spec that does not include mesh, the routing in that VirtualService applies only to ingress traffic and has no effect on intra-cluster traffic, so sandbox routes added there would never be hit by in-cluster callers. As a result, when a sandbox refers to such a VirtualService, the sandbox status reports that its routing is not Ready [2]. This gateways check was introduced in v0.14.0.
For more information on the VirtualService gateways field, see the Istio docs.
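As an added example (this is not Signadot's code and was not part of the original page), the following Python pre-flight check applies the contract above to VirtualService objects in the shape returned by kubectl get virtualservices -A -o json: it builds the kind of basic VirtualService with a single default route described earlier for my-svc, flags VirtualServices carrying istio.signadot.com/ignore: "true" as ones Signadot will leave alone, and flags those whose non-empty spec.gateways omits mesh as ingress-only, the case that leaves sandbox routing not Ready. The sample manifests are constructed for illustration; the namespace default and the gateway name public-gw are assumptions.

```python
"""Pre-flight check of Istio VirtualServices against Signadot's routing contract.

Added example, not Signadot's operator code. Input objects have the shape of
`kubectl get virtualservices -A -o json` items. The namespace "default" and
the gateway name "public-gw" in the constructed samples are assumptions.
"""
import json

IGNORE_ANNOTATION = "istio.signadot.com/ignore"
MESH_GATEWAY = "mesh"


def basic_virtual_service(name: str, namespace: str) -> dict:
    """Minimal VirtualService: one default route to the Service of the same name.

    spec.gateways is left unset, so Istio applies the routes to the mesh
    (sidecars), and Signadot can add sandbox routes beside the default one.
    """
    return {
        "apiVersion": "networking.istio.io/v1beta1",
        "kind": "VirtualService",
        "metadata": {"name": name, "namespace": namespace},
        "spec": {
            "hosts": [name],
            "http": [{"name": "default",
                      "route": [{"destination": {"host": name}}]}],
        },
    }


def is_ignored(vs: dict) -> bool:
    """True if the opt-out annotation tells Signadot to leave this VS alone."""
    annotations = vs.get("metadata", {}).get("annotations") or {}
    return str(annotations.get(IGNORE_ANNOTATION, "")).lower() == "true"


def serves_mesh_traffic(vs: dict) -> bool:
    """True if the routes apply to intra-cluster traffic.

    Istio treats an absent or empty gateways list as ["mesh"]; a non-empty
    list without "mesh" binds the routes to the named ingress gateways only.
    """
    gateways = vs.get("spec", {}).get("gateways") or []
    return not gateways or MESH_GATEWAY in gateways


def assess(vs: dict) -> str:
    """Classify one VirtualService as 'ignored', 'ingress-only' or 'ok'."""
    if is_ignored(vs):
        return "ignored"
    if not serves_mesh_traffic(vs):
        return "ingress-only"
    return "ok"


def assess_all(items: list) -> dict:
    """Map 'namespace/name' to its classification for a list of items."""
    return {f"{vs['metadata']['namespace']}/{vs['metadata']['name']}": assess(vs)
            for vs in items}


def _vs(name, hosts, gateways=None, annotations=None) -> dict:
    """Helper to build constructed sample manifests."""
    meta = {"name": name, "namespace": "default"}
    if annotations:
        meta["annotations"] = annotations
    spec = {"hosts": hosts,
            "http": [{"route": [{"destination": {"host": name}}]}]}
    if gateways:
        spec["gateways"] = gateways
    return {"apiVersion": "networking.istio.io/v1beta1",
            "kind": "VirtualService", "metadata": meta, "spec": spec}


# Constructed sample inventory (not captured from a real cluster).
SAMPLE_ITEMS = [
    basic_virtual_service("my-svc", "default"),
    _vs("legacy-svc", ["legacy-svc"], annotations={IGNORE_ANNOTATION: "true"}),
    _vs("edge-svc", ["edge.example.com"], gateways=["public-gw"]),  # no "mesh"
    _vs("both-svc", ["both-svc", "both.example.com"],
        gateways=["public-gw", MESH_GATEWAY]),
]

if __name__ == "__main__":
    print(json.dumps(basic_virtual_service("my-svc", "default"), indent=2))
    for key, verdict in assess_all(SAMPLE_ITEMS).items():
        print(f"{key}: {verdict}")
```

Running it prints the basic manifest for my-svc and then one verdict per sample: my-svc and both-svc are "ok" (mesh traffic is covered), legacy-svc is "ignored", and edge-svc is "ingress-only", which is the configuration that would leave a sandbox's routing not Ready.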
[1] However, if istio.additionalAnnotations includes the key istio.signadot.com/ignore, that particular annotation key is not added. This prevents a loop between conditions 2 and 3 of the contract.
[2] There is one exception: the routing may be considered Ready if it is set up with the Signadot sidecar for the relevant workload.