istio / istio.io

Source for the istio.io site
https://istio.io/
Apache License 2.0

[BUG] Add Environment variables using secretKeyRef #15156

Open EduardoFer opened 6 months ago

EduardoFer commented 6 months ago

Describe the Feature Request

I'm trying to add environment variables from a secret, but I have not been able to do it. I'm using Istio 1.22.0.

Tests

I performed three test scenarios to understand what was wrong.

Test A

I added the environment variable as described in the IstioOperator documentation.

...
egressGateways:
  - name: istio-egressgateway-basicauth
    enabled: true
    label:
      authorization: basicauth
    k8s:
      env:
        - name: USERNAME
          valueFrom:
            secretKeyRef:
              localObjectReference:
                name: basicauth-connect
              key: USERNAME
        - name: PASSWORD
          valueFrom:
            secretKeyRef:
              localObjectReference:
                name: basicauth-connect
              key: PASSWORD
      hpaSpec:
        minReplicas: 2

When I applied it, the following error was returned:

This will install the Istio 1.22.0 "default" profile (with components: Istio core, Istiod, Ingress gateways, and Egress gateways) into the cluster. Proceed? (y/N) y
✔ Istio core installed                                                                                                                                                          
✔ Istiod installed                                                                                                                                                              
✘ Egress gateways encountered an error: failed to update resource with server-side apply for obj Deployment/istio-system/istio-egressgateway-basicauth: failed to create typed patch object (istio-system/istio-egressgateway-basicauth; apps/v1, Kind=Deployment): errors:
  .spec.template.spec.containers[name="istio-proxy"].env[name="USERNAME"].valueFrom.secretKeyRef.localObjectReference: field not declared in schema
  .spec.template.spec.containers[name="istio-proxy"].env[name="PASSWORD"].valueFrom.secretKeyRef.localObjectReference: field not declared in schema
✔ Ingress gateways installed                                                                                                                                                    
- Pruning removed resources  

It appears that the field localObjectReference is not expected.

Test B

In this test, I applied a secret in the same way it is referenced in a deployment (no localObjectReference):

...
egressGateways:
  - name: istio-egressgateway-basicauth
    enabled: true
    label:
      authorization: basicauth
    k8s:
      env:
        - name: USERNAME
          valueFrom:
            secretKeyRef:
              name: basicauth-connect
              key: USERNAME
        - name: PASSWORD
          valueFrom:
            secretKeyRef:
              name: basicauth-connect
              key: PASSWORD
      hpaSpec:
        minReplicas: 2

The following error was returned:

Error: generate config: error unmarshaling JSON: while decoding JSON: unknown field "name" in istio.operator.v1alpha1.SecretKeySelector

So it doesn't expect the field name (as described in the documentation).

Test C

In this test, I applied the secret without the name:

...
egressGateways:
  - name: istio-egressgateway-basicauth
    enabled: true
    label:
      authorization: basicauth
    k8s:
      env:
        - name: USERNAME
          valueFrom:
            secretKeyRef:
              key: USERNAME
        - name: PASSWORD
          valueFrom:
            secretKeyRef:
              key: PASSWORD

The following error was returned:

This will install the Istio 1.22.0 "default" profile (with components: Istio core, Istiod, Ingress gateways, and Egress gateways) into the cluster. Proceed? (y/N) y
✔ Istio core installed                                                                                                                                                          
✔ Istiod installed                                                                                                                                                              
✘ Egress gateways encountered an error: failed to update resource with server-side apply for obj Deployment/istio-system/istio-egressgateway-basicauth: Deployment.apps "istio-egressgateway-basicauth" is invalid: [spec.template.spec.containers[0].env[0].valueFrom.secretKeyRef.name: Invalid value: "": a lowercase RFC 1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character (e.g. 'example.com', regex used for validation is '[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*'), spec.template.spec.containers[0].env[1].valueFrom.secretKeyRef.name: Invalid value: "": a lowercase RFC 1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character (e.g. 'example.com', regex used for validation is '[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*')]
✔ Ingress gateways installed                                                                                                                                                    
- Pruning removed resources 

So this requires the field name.

Conclusion

The test results gave contradictory results. It either asks for the field name or not. I believe that while applying, the validation is done against schemas that require different structures, which makes this feature impossible to use.

Please confirm that this is a real issue and fix it. :)

Thanks,
Eduardo Fernandes

Affected Product Area (please put an X in all that apply):

[ ] Ambient
[x] Docs
[ ] Dual Stack
[x] Installation
[ ] Networking
[ ] Performance and Scalability
[ ] Extensions and Telemetry
[ ] Security
[ ] Test and Release
[ ] User Experience
[ ] Developer Infrastructure

Affected Features (please put an X in all that apply):

[ ] Multi-Cluster
[ ] Virtual Machine
[ ] Multi Control Plane
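
An added illustration, not part of the original issue and not Istio or Kubernetes code: a toy model of the two validation stages, reconstructed only from the error messages quoted in Tests A, B and C, showing that each of the three secretKeyRef shapes is rejected at one stage or the other. The function names, and the assumption that the reference reaches the Deployment unchanged, are hypothetical.

```python
# Toy model of the two validation stages, built only from the error messages
# quoted in the issue. Not Istio or Kubernetes code; all names are hypothetical.
import re

# Stage 1 (istioctl): Tests A and C get past the operator decoder, while Test B
# shows that "name" is rejected as an unknown field of SecretKeySelector.
OPERATOR_FIELDS = {"localObjectReference", "key"}
# Stage 2 (API server): Test A shows "localObjectReference" is not in the
# Deployment schema; Test C shows "name" is required and validated.
K8S_FIELDS = {"name", "key"}
# Regex copied from the Test C error message.
RFC1123 = re.compile(r"[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*")

def operator_stage(ref):
    """Return an error string if the operator decoder would reject ref."""
    for field in ref:
        if field not in OPERATOR_FIELDS:
            return f'unknown field "{field}" in istio.operator.v1alpha1.SecretKeySelector'
    return None

def apiserver_stage(ref):
    """Return an error string if applying the Deployment would reject ref."""
    for field in ref:
        if field not in K8S_FIELDS:
            return f"secretKeyRef.{field}: field not declared in schema"
    name = ref.get("name", "")
    if not RFC1123.fullmatch(name):
        return f'secretKeyRef.name: Invalid value: "{name}"'
    return None

def first_failure(ref):
    """Run both stages in order and return (stage, error), or None if accepted."""
    err = operator_stage(ref)
    if err:
        return ("operator", err)
    # Assumption: the reference is copied into the Deployment unchanged.
    err = apiserver_stage(ref)
    if err:
        return ("apiserver", err)
    return None

# The three secretKeyRef shapes from Tests A, B and C.
TESTS = {
    "A": {"localObjectReference": {"name": "basicauth-connect"}, "key": "USERNAME"},
    "B": {"name": "basicauth-connect", "key": "USERNAME"},
    "C": {"key": "USERNAME"},
}

if __name__ == "__main__":
    for label, ref in TESTS.items():
        print(label, first_failure(ref))
```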

ihmabreu commented 5 months ago

waiting for it 👍

EduardoFer commented 5 months ago

Does anyone need any further details?