UNCLASSIFIED - NO CUI

Istio Gateway default imagePullPolicy not set correctly

The Istio gateway Helm logic in the umbrella (bigbang) chart contains a section of code that populates `imagePullPolicy` and `imagePullSecrets` for gateways that do not explicitly set them.

If you run `helm template` with the example custom gateway values below, which specify neither `imagePullSecrets` nor `imagePullPolicy`:

istioGateway:
  values:
    gateways:
      custom:
        # This does not get passed to the gateway-api chart.
        # Instead, a `Secret` is created called for each certificate listed
        # in the gateway namespace composed of these values
        gatewayCerts:
          - name: custom-cert
            tls:
              cert: ...
              key: ...
              ca: ...

        # These values are used to configure the `Gateway` CR we
        # create in the istio-gateway chart.
        gateway:
          servers:
            - hosts:
                - "*.example.com"
              port:
                name: http
                number: 8080
                protocol: HTTP
              tls:
                httpsRedirect: true
            - hosts:
                - "*.example.com"
              port:
                name: https
                number: 8443
                protocol: HTTPS
              tls:
                credentialName: custom-cert # this should match the <name> property in the list of certs under <gatewayCerts> to select the right secret
                mode: SIMPLE

        # Everything under upstream gets passed through our istio-gateway chart
        # to the istio-maintained istio/gateway chart
        upstream:
          labels:
            istio: ingressgateway # we require this to be one of `ingressgateway` or `egressgateway`

You can see that the rendered overlay attaches `imagePullPolicy` and `imagePullSecrets` at the root of the values instead of nesting them under `upstream`, which is the only part of the overlay that gets passed through to the istio/gateway chart.

# Source: bigbang/templates/istio-gateway/values.yaml
apiVersion: v1
kind: Secret
metadata:
  name: release-name-istio-custom-gateway-values
  namespace: default
type: generic
stringData:
  common: ""
  defaults: 'upstream: {}'
  overlays: |
    gateway:
      servers:
      - hosts:
        - '*.example.com'
        port:
          name: http
          number: 8080
          protocol: HTTP
        tls:
          httpsRedirect: true
      - hosts:
        - '*.example.com'
        port:
          name: https
          number: 8443
          protocol: HTTPS
        tls:
          credentialName: custom-cert
          mode: SIMPLE
    gatewayCerts:
    - name: custom-cert
      tls:
        ca: '...'
        cert: '...'
        key: '...'
    imagePullPolicy: Always
    imagePullSecrets:
    - name: private-registry
    upstream:
      labels:
        istio: ingressgateway
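The following is an added example, not code from the issue or from the Big Bang project. It is a small lint check for the rendered `*-gateway-values` Secret: it extracts the `overlays` block scalar and reports whether `imagePullPolicy` and `imagePullSecrets` landed at the root of the overlay (the bug shown above) or under `upstream` (the only place from which they reach the upstream istio/gateway chart). The sample Secret and the "fixed" overlay are constructed from the output in the issue; the YAML walker is a deliberately small indentation tracker that handles only the block-style mappings and lists `helm template` emits here, not a general YAML parser.

```python
"""Lint rendered Big Bang istio-gateway values for misplaced pull settings.

Added example, not part of the original issue or of the Big Bang chart.
Feed it the rendered `*-gateway-values` Secret (e.g. saved from
`helm template`); it checks where imagePullPolicy / imagePullSecrets ended up.
"""
import re

# Constructed sample, trimmed from the rendered Secret shown in the issue.
BUGGY_SECRET = """\
apiVersion: v1
kind: Secret
metadata:
  name: release-name-istio-custom-gateway-values
type: generic
stringData:
  common: ""
  defaults: 'upstream: {}'
  overlays: |
    gateway:
      servers:
      - hosts:
        - '*.example.com'
    gatewayCerts:
    - name: custom-cert
    imagePullPolicy: Always
    imagePullSecrets:
    - name: private-registry
    upstream:
      labels:
        istio: ingressgateway
"""

# Constructed sample of how the overlay should render (pull settings under upstream).
FIXED_OVERLAY = """\
gateway:
  servers:
  - hosts:
    - '*.example.com'
upstream:
  imagePullPolicy: Always
  imagePullSecrets:
  - name: private-registry
  labels:
    istio: ingressgateway
"""

PULL_KEYS = ("imagePullPolicy", "imagePullSecrets")
# A mapping key, optionally inside a `- ` list item; quoted scalars never match.
_KEY_RE = re.compile(r"^(?P<indent>\s*)(?P<dash>-\s+)?(?P<key>[A-Za-z_][\w.-]*):(\s|$)")


def extract_block_scalar(secret_yaml, key="overlays"):
    """Return the dedented body of `<key>: |` from a rendered Secret ("" if absent)."""
    lines = secret_yaml.splitlines()
    for i, line in enumerate(lines):
        m = re.match(r"^(\s*)" + re.escape(key) + r":\s*\|", line)
        if not m:
            continue
        parent = len(m.group(1))
        body = []
        for nxt in lines[i + 1:]:
            if nxt.strip() and len(nxt) - len(nxt.lstrip()) <= parent:
                break  # back at the parent's indentation: block scalar ended
            body.append(nxt)
        first = next((b for b in body if b.strip()), "")
        width = len(first) - len(first.lstrip())
        return "\n".join(b[width:] if b.strip() else "" for b in body) + "\n"
    return ""


def key_paths(doc):
    """Yield (dotted_parent_path, key) for every mapping key in a block-style doc.

    Indentation decides nesting; a list item's `- ` prefix counts as indentation,
    so keys inside a sequence entry nest under the sequence's key.
    """
    stack = []  # (indent, key) for the current ancestor chain
    for line in doc.splitlines():
        m = _KEY_RE.match(line)
        if not m:
            continue
        indent = len(m.group("indent")) + len(m.group("dash") or "")
        while stack and stack[-1][0] >= indent:
            stack.pop()
        yield ".".join(k for _, k in stack), m.group("key")
        stack.append((indent, m.group("key")))


def check_pull_settings(overlay):
    """Map each pull setting to "root", "upstream", "missing" or "other:<path>"."""
    found = {k: "missing" for k in PULL_KEYS}
    for path, key in key_paths(overlay):
        if key in PULL_KEYS:
            found[key] = "root" if path == "" else "upstream" if path == "upstream" else f"other:{path}"
    return found


def is_misplaced(overlay):
    """True when a pull setting is present anywhere other than under `upstream`."""
    return any(v not in ("upstream", "missing") for v in check_pull_settings(overlay).values())


if __name__ == "__main__":
    for label, doc in (("rendered", extract_block_scalar(BUGGY_SECRET)), ("fixed", FIXED_OVERLAY)):
        print(label, check_pull_settings(doc), "MISPLACED" if is_misplaced(doc) else "ok")
```

Run against the Secret from the issue the check reports both keys as `root` and flags the overlay as misplaced; against the fixed overlay it reports both under `upstream`. Because the walker keys off indentation rather than a full YAML parse, it is suited to the Secret rendered by this chart and would need a real YAML library for flow-style or multi-document input.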