IMLC.ME

How to ensure the Istio sidecar is running before other containers

You may get a Connection Refused error if you enable the sidecar for your application container. This happens when the application starts before the sidecar is up and running: the iptables rules have already been modified by the Istio init container, so your egress requests are routed to the sidecar even though it is not ready.

To fix this issue, Istio introduced a new configuration option in version 1.7: "holdApplicationUntilProxyStarts".

Added config option values.global.proxy.holdApplicationUntilProxyStarts, which causes the sidecar injector to inject the sidecar at the start of the pod’s container list and configures it to block the start of all other containers until the proxy is ready. This option is disabled by default. (Issue #11130)

Helm values

You can enable this configuration globally by adding "values.global.proxy.holdApplicationUntilProxyStarts" to your Helm installation.

Kubernetes Annotations

Alternatively, you can use an annotation for pod-level configuration.

Add the annotation below to your Pods, Jobs, Deployments, or StatefulSets:

metadata:
  annotations:
    proxy.istio.io/config: '{ "holdApplicationUntilProxyStarts": true }'
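
To confirm the setting took effect on an injected pod, the following added example (not from the original post or from the Istio project) checks a pod object in the shape returned by `kubectl get pod -o json`. The function names and sample pods are constructed for illustration, and the postStart check assumes the injector blocks the remaining containers with a postStart hook on the sidecar.

```python
import json

SIDECAR = "istio-proxy"              # container name used by the Istio injector
ANNOTATION = "proxy.istio.io/config"

def hold_requested(pod):
    """True if the pod-level annotation sets holdApplicationUntilProxyStarts."""
    raw = ((pod.get("metadata") or {}).get("annotations") or {}).get(ANNOTATION)
    if not raw:
        return False
    try:
        cfg = json.loads(raw)
    except ValueError:
        return False  # not JSON; this check only reads the JSON form shown above
    return isinstance(cfg, dict) and cfg.get("holdApplicationUntilProxyStarts") is True

def startup_order_problems(pod):
    """Return reasons the app could start before the proxy (empty list = OK)."""
    containers = (pod.get("spec") or {}).get("containers") or []
    names = [c.get("name") for c in containers]
    if SIDECAR not in names:
        return [f"no {SIDECAR} in spec.containers"]
    idx = names.index(SIDECAR)
    problems = []
    if idx != 0:
        problems.append(f"{SIDECAR} is container #{idx}, not first")
    # Assumption: the injector holds back later containers via a postStart hook.
    if not (containers[idx].get("lifecycle") or {}).get("postStart"):
        problems.append(f"{SIDECAR} has no postStart hook to block on")
    return problems

# Constructed sample pods, trimmed to the fields the checks read.
GOOD = {
    "metadata": {"annotations": {ANNOTATION: '{ "holdApplicationUntilProxyStarts": true }'}},
    "spec": {"containers": [
        {"name": SIDECAR, "lifecycle": {"postStart": {"exec": {"command": ["pilot-agent", "wait"]}}}},
        {"name": "app"},
    ]},
}
BAD = {
    "metadata": {"annotations": {}},
    "spec": {"containers": [{"name": "app"}, {"name": SIDECAR}]},
}

if __name__ == "__main__":
    for label, pod in (("good", GOOD), ("bad", BAD)):
        print(label, hold_requested(pod), startup_order_problems(pod))
```

For a Deployment, Job, or StatefulSet, the injector reads the annotation from the pod template (spec.template.metadata.annotations), so check the resulting pod rather than the parent object.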