Subsequently, the Istio network policies in subcharts (ex: Nexus) use a label selector for a namespace name that doesn't exist.
This can cause confusion when attempting to deploy a subchart independently of umbrella Bigbang as one might do for development or a very narrow production environment -- really, anywhere that Istio is installed separately from Bigbang.
Proposed Solution(s)
Unifying the name and labeling of the istio-system namespace by changing the name, or the label would improve system clarity. Though, it's worth noting that changing the label would also mean changing the label selector in almost every downstream Istio ingress/egress network policy. Changing the name is also likely to cause some confusion in the near-term, but is probably the simplest option.
A potential alternative (and my preferred approach) would be to expose the label selector name in each subchart as an input value (something like .Values.istio.controlplane-namespace) to be templated in the policy. This could be implemented gradually by making the default value in each subchart istio-controlplane. Doing so would allow us to leave the namespace's name and label unchanged while still enabling flexibility for independent subchart deployments.
Version
2.20.0Overview
The
istio-systemnamespace is created with a mismatched name label (istio-controlplane).Subsequently, the Istio network policies in subcharts (ex: Nexus) use a label selector for a namespace name that doesn't exist.
This can cause confusion when attempting to deploy a subchart independently of umbrella Bigbang as one might do for development or a very narrow production environment -- really, anywhere that Istio is installed separately from Bigbang.
Proposed Solution(s)
Unifying the name and labeling of the
istio-systemnamespace by changing the name, or the label would improve system clarity. Though, it's worth noting that changing the label would also mean changing the label selector in almost every downstream Istio ingress/egress network policy. Changing the name is also likely to cause some confusion in the near-term, but is probably the simplest option.A potential alternative (and my preferred approach) would be to expose the label selector name in each subchart as an input value (something like
.Values.istio.controlplane-namespace) to be templated in the policy. This could be implemented gradually by making the default value in each subchartistio-controlplane. Doing so would allow us to leave the namespace's name and label unchanged while still enabling flexibility for independent subchart deployments.