search

DoD-Platform-One / bigbang

BigBang the product
https://repo1.dso.mil/big-bang/bigbang
Apache License 2.0
153 stars 67 forks source link

istio-system namespace label mismatch #46

Closed p1-repo-sync-bot[bot] closed 2 months ago

p1-repo-sync-bot[bot] commented 4 months ago

Version

2.20.0

Overview

The istio-system namespace is created with a mismatched name label (istio-controlplane).

Subsequently, the Istio network policies in subcharts (ex: Nexus) use a label selector for a namespace name that doesn't exist.

This can cause confusion when attempting to deploy a subchart independently of umbrella Bigbang as one might do for development or a very narrow production environment -- really, anywhere that Istio is installed separately from Bigbang.

Proposed Solution(s)

Unifying the name and labeling of the istio-system namespace by changing the name, or the label would improve system clarity. Though, it's worth noting that changing the label would also mean changing the label selector in almost every downstream Istio ingress/egress network policy. Changing the name is also likely to cause some confusion in the near-term, but is probably the simplest option.

A potential alternative (and my preferred approach) would be to expose the label selector name in each subchart as an input value (something like .Values.istio.controlplane-namespace) to be templated in the policy. This could be implemented gradually by making the default value in each subchart istio-controlplane. Doing so would allow us to leave the namespace's name and label unchanged while still enabling flexibility for independent subchart deployments.

p1-repo-sync-bot[bot] commented 2 months ago

kylegalloway-seed commented:

After discussion with @chris.oconnell , the following was decided on:

The solution of updating this label is the preferred path, since (1) it is much simpler and easy for upgrades and (2) we don't support user deployments of istio, so we don't need to support user label matching for istio.

p1-repo-sync-bot[bot] commented 2 months ago

Issue 'istio-system namespace label mismatch' closed from GitLab side

p1-repo-sync-bot[bot] commented 2 months ago

kylegalloway-seed commented:

Closing this issue after discussion with the team. This is a large amount of work, without much payoff. It would cause MRs across bigbang and several sub-packages. However, is currently operational without issue.

p1-repo-sync-bot[bot] commented 2 months ago

michaelmartin commented:

app.kubernetes.io/name is a recommended label which defines "The name of the Application" (https://kubernetes.io/docs/concepts/overview/working-with-objects/common-labels/) While it often does match the namespace name, it doesn't need to.

For BB, the value for this label is set to istio-controlplane -- I would guess this was chosen because istio's architecture defines two main parts -- the "control plane" and the "data plane" .

Nexus (and others charts) istio selectors don't select on the name of a namespace, they select based on a label on the namespace:

    - namespaceSelector:
        matchLabels:
          app.kubernetes.io/name: istio-controlplane

All namespaces with the label app.kubernetes.io/name: istio-controlplane will match .

The provides the flexibility of allowing users to install istio into any namespace ... as long as that namespace has the label app.kubernetes.io/name: istio-controlplane, the defined selectors will work as expected.

I also see that istio allows installing multiple control-planes into a single cluster by using different namespaces. Using the label-name istio-controlplane makes sense in this case, since we've split istio across multiple namespaces--not all contained in a single,default istio-system namespace.

Hopefully that helps.