Add sidecar initializer option to customize injected sidecar per deployment

[ayj]

cc @costinm

It would be great to customize the sidecar tag (or full path) using annotations. For example to pick a debug image of sidecar for a job that needs debugging (ideally the full path of the sidecar should be specified ). Or a job may use a specialized sidecar. Or many other use cases

For example, customizing the injected sidecar image per deployment would look something like the following. The initializer would look for this annotation during injection and override the default sidecar image. The initializer may need additional policy to allow/disallow such customization to avoid undesirable proxy bypass.

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  annotations:
    options.sidecar.istio.io/proxy_image: "docker.io/ayj/my_debug_proxy_image:e6ebaa8
  name: my-deployment 
# etc ... 

[costinm]

Thanks, that would be perfect. Same for the initializer, and maybe the initializer options.
As mentioned in a separate PR, I am evaluating using the sidecar image for initialization as well,
i.e. have both the iptables script and envoy.

Is this style of annotation names the standard ( a.b.c/d ) ? Maybe a bit shorter ?
sidecar.istio.io/proxy_image, or istio.io/sidecar_image ?

[ayj]

#1062 should address the initializer configuration.

Which PR did you reference initialization? Were you thinking of using the same sidecar template for non-k8s VM deployments?

This style seems somewhat consistent with k8s ingress annotations which are defined
here. sidecar.istio.io/proxy_image would work though I think the extra options category further clarified how that annotation was used, e.g. policy vs. status vs. options.

[saumoh]

@costinm, which pr are you using for using the initializer for influencing the deployment/pod iptables configuration.
cc @vadimeisenbergibm @elevran

[ayj]

@saumoh was going to take a look at this issue, but I wasn't able to assign it to them. Is assignment restricted to org members?

[kyessenov]

@geeknoid must be some administrative setting: we seem to unable to assign to non-org members

[geeknoid]

I think you can only assign issues to team members, or people that have been explicitly added as collaborators.

[gyliu513]

I think that we are already able to customize the images for both init and proxy at here https://github.com/istio/pilot/blob/master/test/integration/testdata/initializer-configmap.yaml.tmpl#L13-L14 , can this one be closed?

[ayj]

This issue is to allow per-deployment overrides whereas the Initializer ConfigMap applies globally.

[gyliu513]

@ayj Ah, I see, thanks, update the summary a bit to reflect the real case here.

[kyessenov]

Issue moved to istio/istio #1418 via ZenHub