weaveworks / pctl

CLI for interacting with profiles

Resources being installed outside of the user defined resources that breaks up the installation #330

Closed steve-fraser closed 2 years ago

steve-fraser commented 3 years ago

I am installing Istio using pctl add where I am installing the Istio Operator and a Gateway service.

The Istio Operator gets installed into the user-defined namespace, but the Istio Operator installs all of the required objects, egress and ingress Gateways in the istio-system namespace.

```yaml
---
# Source: istio-operator/templates/deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  namespace: istio-operator
  name: istio-operator
spec:
  replicas: 1
  selector:
    matchLabels:
      name: istio-operator
  template:
    metadata:
      labels:
        name: istio-operator
    spec:
      serviceAccountName: istio-operator
      containers:
        - name: istio-operator
          image: docker.io/istio/operator:1.11.2
          command:
          - operator
          - server
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
              - ALL
            privileged: false
            readOnlyRootFilesystem: true
            runAsGroup: 1337
            runAsUser: 1337
            runAsNonRoot: true
          imagePullPolicy: IfNotPresent
          resources:
            limits:
              cpu: 200m
              memory: 256Mi
            requests:
              cpu: 50m
              memory: 128Mi
          env:
            - name: WATCH_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: LEADER_ELECTION_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: OPERATOR_NAME
              value: "istio-operator"
            - name: WAIT_FOR_RESOURCES_TIMEOUT
              value: "300s"
            - name: REVISION
              value: ""
---
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: public-gateway
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway
  servers:
    - port:
        number: 80
        name: http
        protocol: HTTP
      hosts:
        - "*"
```

These manifests create an interesting installation breakup that is non-standard.
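A static check for the namespace split described in this issue, as an added example that is not part of the original thread or of pctl: it reads a multi-document manifest stream and lists resources whose declared namespace differs from the one the profile is expected to install into. The function names, the trimmed sample and the two-space indentation are assumptions made for illustration.

```python
import re

# Constructed sample: the two manifests from the issue, trimmed to the
# fields this check reads. Assumes two-space YAML indentation.
SAMPLE = """\
---
# Source: istio-operator/templates/deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  namespace: istio-operator
  name: istio-operator
spec:
  replicas: 1
---
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: public-gateway
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway
"""

def resources(stream):
    """Yield (kind, name, namespace) for each YAML document in the stream."""
    for doc in re.split(r"(?m)^---[ \t]*$", stream):
        kind = re.search(r"(?m)^kind:\s*(\S+)", doc)
        if not kind:
            continue  # empty or comment-only chunk between separators
        # Capture only the indented lines under the top-level metadata: key.
        meta = re.search(r"(?m)^metadata:[ \t]*\n((?:[ \t]+.*\n?)*)", doc)
        block = meta.group(1) if meta else ""
        def field(key):
            m = re.search(rf"(?m)^  {key}:\s*(\S+)", block)
            return m.group(1).strip("\"'") if m else None
        yield kind.group(1), field("name"), field("namespace")

def outside_namespace(stream, expected):
    """Return resources that declare a namespace other than `expected`."""
    return [r for r in resources(stream) if r[2] not in (None, expected)]

if __name__ == "__main__":
    for kind, name, ns in outside_namespace(SAMPLE, "istio-operator"):
        print(f"{kind}/{name} targets namespace {ns}")
```

The check only sees namespaces written into the manifests; objects an operator creates at runtime, such as the gateways mentioned above, do not appear in its output.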

aclevername commented 3 years ago

Thanks for opening the issue @steve-fraser. So the problem is that the thing you're deploying then creates resources itself, in a different namespace. I'm not actually sure what the problem is :thinking: ? Or rather what would you want profiles to do differently :smile: ? Thanks!

steve-fraser commented 3 years ago

@aclevername a standard installation normally keeps everything in istio-system. I think that would be the thought to be able to keep everything in that namespace separately from the rest of the installation.

aclevername commented 3 years ago

> @aclevername a standard installation normally keeps everything in istio-system. I think that would be the thought to be able to keep everything in that namespace separately from the rest of the installation

I'm still slightly confused though, what would you want pctl to do differently? It's correctly deploying the istio operator, what that operator then goes on to install is out of our control? Sorry if I'm missing something obvious :smile:

github-actions[bot] commented 2 years ago

This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.

github-actions[bot] commented 2 years ago

This issue was closed because it has been stalled for 5 days with no activity.