
fix: emit correct Istio pod labels for ambient mode #1266

Merged
fantapsody merged 2 commits into master from fix/ambient-mode-pod-labels
Mar 11, 2026

@fantapsody fantapsody commented Mar 11, 2026

Summary

Two fixes for Istio ambient mode support in sn-platform-slim:

1. Emit correct pod labels for ambient mode (_helpers.tpl)

  • When istio.dataplaneMode is "ambient", the pulsar.template.labels helper now emits istio.io/dataplane-mode: "ambient" instead of the default sidecar.istio.io/inject: "true"
  • Prevents sidecar injection for pods that should use Istio ambient mesh (ztunnel)
  • Fixes both operator-managed components (where the Helm label conflicted with the operator's CRD-driven label) and Helm-only components (toolset, function-worker, grafana, console, etc.)

2. Decouple broker Istio mesh enrollment from ingress config (broker-cluster.yaml)

  • Split the broker's spec.istio conditional so base settings (enabled, dataplaneMode, mtls) only require istio.enabled, while the gateway block additionally requires ingress.broker.enabled
  • Previously the entire spec.istio was gated behind both conditions, so users couldn't enable mesh enrollment without also enabling broker ingress
  • This was inconsistent with ZK, BK, and Proxy templates which only check istio.enabled

The existing istio.labels custom override still takes highest precedence, preserving backward compatibility.

Test plan

  • helm template verified correct label output for all three modes: ambient, sidecar (default), sidecar (explicit)
  • helm template verified broker CRD outputs correct spec.istio with and without ingress.broker.enabled
  • E2E tested on minikube with Istio ambient profile: all pods 1/1 (no sidecars), correct istio.io/dataplane-mode: ambient labels, produce/consume verified
  • Verify no regression for existing sidecar-mode deployments

🤖 Generated with Claude Code

When istio.dataplaneMode is set to "ambient", the pulsar.template.labels
helper now emits istio.io/dataplane-mode: "ambient" instead of the default
sidecar.istio.io/inject: "true". This prevents sidecar injection for pods
that should be enrolled in Istio ambient mesh via ztunnel.

Without this fix, pods in ambient mode get both labels and sidecar injection
takes precedence, resulting in 2/2 containers instead of 1/1.

This affects both operator-managed components (broker, bookie, zk, proxy)
where the Helm label conflicts with the operator's CRD-driven label, and
Helm-only components (toolset, function-worker, grafana, console, etc.)
that rely entirely on the Helm template for mesh enrollment.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
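
A check for the failure described in the commit message above (both labels on one pod template, or the sidecar label left on a component in ambient mode), run over `helm template` output. This is an added example, not code from the PR or the chart; the function names, resource names and sample manifests are constructed, and the line-based matching assumes Helm's usual rendered YAML layout.

```python
import re

# The two label keys are the ones named in the PR; all other names are illustrative.
INJECT = re.compile(r'^\s*sidecar\.istio\.io/inject:\s*"?true"?\s*$', re.M)
AMBIENT = re.compile(r'^\s*istio\.io/dataplane-mode:\s*"?ambient"?\s*$', re.M)
KIND = re.compile(r'^kind:\s*(\S+)', re.M)
NAME = re.compile(r'^metadata:\n(?:[ \t]+.*\n)*?[ \t]+name:\s*(\S+)', re.M)

def find_mesh_label_conflicts(rendered, ambient=True):
    """Return (resource, reason) pairs for manifests whose Istio labels
    disagree with the intended dataplane mode. `rendered` is multi-doc YAML."""
    findings = []
    for doc in re.split(r'^---\s*$', rendered, flags=re.M):
        kind = KIND.search(doc)
        if not kind:
            continue  # empty chunk or comment-only document
        name = NAME.search(doc)
        ident = f"{kind.group(1)}/{name.group(1) if name else '?'}"
        has_inject = bool(INJECT.search(doc))
        has_ambient = bool(AMBIENT.search(doc))
        if has_inject and has_ambient:
            findings.append((ident, "both labels present"))
        elif ambient and has_inject:
            findings.append((ident, "sidecar inject label in ambient mode"))
    return findings

def _sample_doc(kind, name, labels):
    """Build one constructed manifest shaped like rendered chart output."""
    lab = "".join(f'        {k}: "{v}"\n' for k, v in labels.items())
    return (f"---\nkind: {kind}\nmetadata:\n  name: {name}\n"
            f"spec:\n  template:\n    metadata:\n      labels:\n{lab}")

# Constructed sample input: one pre-fix pod template, one correct, one stale.
SAMPLE = (
    _sample_doc("Deployment", "demo-toolset",
                {"sidecar.istio.io/inject": "true",
                 "istio.io/dataplane-mode": "ambient"})
    + _sample_doc("StatefulSet", "demo-function-worker",
                  {"istio.io/dataplane-mode": "ambient"})
    + _sample_doc("Deployment", "demo-grafana",
                  {"sidecar.istio.io/inject": "true"})
)

if __name__ == "__main__":
    for resource, reason in find_mesh_label_conflicts(SAMPLE):
        print(f"{resource}: {reason}")
```
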
@fantapsody fantapsody requested review from a team as code owners March 11, 2026 04:32
@github-actions

@fantapsody: Thanks for your contribution. For this PR, do we need to update docs?
(The PR template contains info about doc, which helps others know more about the changes. Can you provide doc-related info in this and future PR descriptions? Thanks)

@github-actions github-actions bot added the doc-info-missing This pr needs to mark a document option in description label Mar 11, 2026
Split the broker's spec.istio conditional so that base Istio settings
(enabled, dataplaneMode, mtls) only require istio.enabled, while the
gateway block additionally requires ingress.broker.enabled.

Previously the entire spec.istio block was gated behind both conditions,
meaning users couldn't enable Istio mesh enrollment (e.g. ambient mode)
without also enabling broker ingress. This was inconsistent with ZK, BK,
and Proxy templates which only check istio.enabled.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

@maxsxu maxsxu left a comment

PR Review

Summary of Changes

This PR addresses an issue where Istio configurations for the broker were previously coupled with the ingress.broker.enabled flag.

  • It correctly decouples the istio configuration block from the ingress requirement, ensuring that Istio settings (such as dataplaneMode and mtls.mode) can be applied regardless of whether the broker ingress gateway is enabled.
  • The PR also adds the istio.io/dataplane-mode: "ambient" label to pods when the dataplane mode is set to "ambient".

Review

The changes look good and correctly resolve the configuration dependency issue. The logic for applying the ambient label and conditionally rendering the Istio gateway block is sound.

Approving the PR.

@fantapsody fantapsody merged commit b4ca3e4 into master Mar 11, 2026
2 checks passed
@fantapsody fantapsody deleted the fix/ambient-mode-pod-labels branch March 11, 2026 14:49