AKO can be deployed in an Istio environment. Currently, strict mTLS is supported in ClusterIP mode. This section explains the steps to deploy AKO on Istio and verify the deployment.
This feature is currently under Tech Preview.
Deploying and Verifying AKO Deployment on Istio
To deploy AKO, follow the steps given below:
1. Set the flag istioEnabled to True in values.yaml to allow AKO to work in an Istio environment.
2. Verify that Istio sidecar injection is enabled and working:
   kubectl logs ako-0 -n avi-system -c istio-proxy
3. Verify that the istio-secret secret is created in the AKO namespace with cert-chain, key and root-cert data populated. These correspond to the workload and CA certificates.
   kubectl describe secret istio-secret -n <AKOnamespace>
4. Verify that the PKI profile (pkiprofile istio-pki-<clustername>-<AKOnamespace>) and the SSL key and certificate (sslkeyandcertificate istio-workload-<clustername>-<AKOnamespace>) are created on the Controller.
Service Name for AKO
AKO and the NSX Advanced Load Balancer Service Engines use a service name based on the AKO service account and AKO namespace, in the form cluster.local/ns/<AKOnamespace>/sa/<AKOServiceAccount>.
For example, cluster.local/ns/avi-system/sa/ako-sa.
This service name must be used when updating the auth policy CRD for Istio.
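The verification steps above and the service-name rule, as an added Python example that is not part of AKO or the Avi documentation: it inspects the JSON that kubectl prints for istio-secret, reports which of the three entries are populated PEM blocks, and builds the AKO service name, plus an Istio AuthorizationPolicy that uses it as a principal (the policy name allow-ako and the v1beta1 API version are assumptions). The sample secret is constructed inline.

```python
"""Added helper for AKO on Istio (not AKO's own code): checks istio-secret entries and derives the AKO service name."""
import base64
import json

REQUIRED_KEYS = ("cert-chain", "key", "root-cert")  # entries named in the AKO docs

def check_istio_secret(secret_json: str) -> dict:
    """Map each required entry to True when present, non-empty and decoding to a
    PEM block. Input: JSON from `kubectl get secret istio-secret -n <ns> -o json`."""
    data = json.loads(secret_json).get("data") or {}
    status = {}
    for key in REQUIRED_KEYS:
        try:
            pem = base64.b64decode(data.get(key, ""), validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            status[key] = False
            continue
        status[key] = pem.startswith("-----BEGIN ") and "-----END " in pem
    return status

def ako_service_name(namespace: str, service_account: str,
                     trust_domain: str = "cluster.local") -> str:
    """SPIFFE-style identity that AKO and the Service Engines present to Istio."""
    return f"{trust_domain}/ns/{namespace}/sa/{service_account}"

def allow_ako_policy(namespace: str, service_account: str, target_ns: str) -> dict:
    """Istio AuthorizationPolicy (v1beta1) admitting only AKO's identity; name 'allow-ako' is an assumption."""
    principal = ako_service_name(namespace, service_account)
    return {
        "apiVersion": "security.istio.io/v1beta1",
        "kind": "AuthorizationPolicy",
        "metadata": {"name": "allow-ako", "namespace": target_ns},
        "spec": {"action": "ALLOW",
                 "rules": [{"from": [{"source": {"principals": [principal]}}]}]},
    }

def _b64(text: str) -> str:
    return base64.b64encode(text.encode()).decode()

# Constructed sample shaped like the kubectl JSON output; root-cert is left
# empty to show how a partially populated secret is reported.
SAMPLE_SECRET = json.dumps({
    "metadata": {"name": "istio-secret", "namespace": "avi-system"},
    "data": {
        "cert-chain": _b64("-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n"),
        "key": _b64("-----BEGIN PRIVATE KEY-----\nMIIE...\n-----END PRIVATE KEY-----\n"),
        "root-cert": "",
    },
})
```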
Caveat
AKO prioritizes the Istio pkiprofile over any other PKI profile reference added using an httprule.
AKO works only with L7.
Troubleshooting
| Issue | Workaround |
|---|---|
| Sidecar injection for AKO is not working | Try enabling injection for the ako namespace. For example, |
| | Check that the AKO cluster role has permissions to create or update secrets in the AKO namespace. |