Istio configuration is defined by a set of multiple objects and object types and is susceptible to operator error or architecture oversight. The GetMesh config-validate command performs validations of the cluster’s current config and yaml manifests that are not applied yet.
The command invokes a series of validations using external sources such as upstream Istio validations, Kiali libraries, and Tetrate Istio Distro custom configuration checks. A combined validation output is then sent to the stdout. Custom configuration validation checks are actively being added all the time.
config-validate command is not limited to Istio versions installed via GetMesh CLI and works well with all Istio distros, upstream and others.
Config validation can be performed against two targets:
- the current cluster config, which might include multiple Istio configuration constructs
- pending manifest yaml files that have not yet been applied to the cluster
The command below checks if applying manifest that are defined in my-app.yaml and another-app.yaml will trigger any validation errors. The command reports the findings based on three sources (Istio upstream, Kiali and native Tetrate Istio Distro) without applying any configuration changes. It prevents unnecessary downtime or the preventable issues to affect production workloads:
# validating a local manifest against the current cluster getmesh config-validate my-app.yaml another-app.yaml
For convenience the command can use all manifests from the specified directory instead of operator using individual filenames. The example below takes all manifests from my-manifest-dir and checks if applying those manifests triggers any validation alerts:
# validating local manifests in a directory against the current cluster in a specific namespace getmesh config-validate -n bookinfo my-manifest-dir/
The validation of the currently implemented configuration is also possible - can be done clusterwise or per namespace leveraging the commands below:
# for all namespaces getmesh config-validate
# for a specific namespace getmesh config-validate -n bookinfo
The output would look similar to:
NAME RESOURCE TYPE ERROR CODE SEVERITY MESSAGE bookinfo-gateway Gateway IST0101 Error Referenced selector not found: "app=nonexisting" bookinfo-gateway Gateway KIA0302 Warning No matching workload found for gateway selector in this namespace The error codes of the found issues are prefixed by 'IST' or 'KIA'. For the detailed explanation, please refer to - https://istio.io/latest/docs/reference/config/analysis/ for 'IST' error codes - https://kiali.io/documentation/latest/validations/ for 'KIA' error codes