Trying to set istio-injection to disabled doesn't work as expected
The initial discovery of this problem resulted from trying to disable istio injection in gitlab-runner, but when digging in we found multiple discrepancies. When trying to set istio injection to disabled, we were confused by the fact that the default was already disabled as visible in the values, even though the running cluster had istio injection enabled:
istio:
# Toggle istio integration
enabled: false
injection: disabled
Even after updating the values in our overrides, this didn't appear to change anything for istio injection in our cluster.
The actual helm code sets it to enabled by default. When trying to override with our own custom values, we similarly noticed that it would stay enabled. Istio settings are confusing because the templates are looking for them within the top level .Values.addons., and the defaults all get set to true because the fallback values are enabled. This adds to the confusion, because all of the settings per app in their respective values.yaml show istio is disabled and injection is disabled. The way these are templated is also inconsistent where some just use dig and others use a more comprehensive ternary.
Both of the following get set to enabled because the default values aren't set in the bigbang values.yaml
Anchore namespace.yaml in Big Bang code:
{{ ternary "enabled" "disabled" (and .Values.istio.enabled (eq (dig "istio" "injection" "enabled" .Values.addons.anchore) "enabled")) }}
and
Gitlab-runner namespace.yaml in Big Bang code:
{{ dig "istio" "injection" "enabled" .Values.addons.gitlabRunner }}
Both fallback to enabled because .Values.addons.<app>.istio isn't defined for any of the applications. The ternary also evaluates to true (enabled) because the dig falls back to "enabled" since the istio key doesn't exist under .Values.addons.anchore so we get "enabled" == "enabled" making eq
true, and istio is enabled by default so the and
evaluates to true.
Since the expected templating with the current defaults and values locations seems misleading and can be confusing to setup:
- the default values should be "enabled" for istio and injection to match the default configuration applied to these apps
- these values should either be moved under each app in the bigbang values.yaml or these checks for the values should be updated to use the one from app's values.yaml
- the method for getting values (using a ternary or just a dig) should be consistent for all of the apps