Replace "istio-controlplane" with "istio-system" in chart/templates/bigbang/network-policies/allow-istiod-egress.yaml

Bug

Description

I've been test-deploying BigBang with istio-gateway and noticed that the allow-istiod-egress NetworkPolicy has its default namespace target set to istio-controlplane instead of "istio-system", which should be the default namespace of istiod.

Although I see the option of setting the value of the namespace, even when I set the namespace value, I still see "istio-controlplane" instead of "istio-system", even though bigbang's helper template explicitly states otherwise.

Name:         allow-passthrough-ingressgateway-istiod-egress
Namespace:    istio-gateway
Created on:   2025-07-10 17:52:43 +0000 UTC
Labels:       app.kubernetes.io/managed-by=Helm
              helm.toolkit.fluxcd.io/name=passthrough-ingressgateway
              helm.toolkit.fluxcd.io/namespace=quartz
Annotations:  helm.sh/resource-policy: keep
              meta.helm.sh/release-name: passthrough-ingressgateway
              meta.helm.sh/release-namespace: istio-gateway
Spec:
  PodSelector:     app=passthrough-ingressgateway,istio=ingressgateway
  Not affecting ingress traffic
  Allowing egress traffic:
    To Port: 15012/TCP
    To Port: 15014/TCP
    To:
      NamespaceSelector: app.kubernetes.io/name=istio-controlplane
      PodSelector: app=istiod
  Policy Types: Egress

I've even tried to disable networkPolicies, but for reasons still unknown, the network policies still get created. I've also tried to add additionalPolicies, but they don't get created.

Long story short, istio-gateway's network policies still need some fixing because they may be blocking the gateways' connections to istiod and not allowing their Helm releases to finish installing, according to the gateways' deployment logs:

2025-07-10T19:55:30.215205Z     error   citadelclient   failed to sign CSR: create certificate: rpc error: code = Unavailable desc = connection error: desc = "transport: Error while dialing: dial tcp: lookup istiod.istio-system.svc: i/o timeout"
2025-07-10T19:55:30.215534Z     info    citadelclient   recreated connection
2025-07-10T19:55:30.215597Z     error   cache   resource:default failed to sign: create certificate: rpc error: code = Unavailable desc = connection error: desc = "transport: Error while dialing: dial tcp: lookup istiod.istio-system.svc: i/o timeout"
2025-07-10T19:55:30.215606Z     warn    sds     failed to warm certificate: failed to generate workload certificate: create certificate: rpc error: code = Unavailable desc = connection error: desc = "transport: Error while dialing: dial tcp: lookup istiod.istio-system.svc: i/o timeout"

BigBang Version

3.2.0
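
The selector logic behind the policy shown in the issue, as an added example that is not part of the original report or the Big Bang chart: it evaluates the described egress rule against a destination namespace's labels. The namespace label sets are constructed; only `kubernetes.io/metadata.name` is set automatically by Kubernetes, and whether `istio-system` carries `app.kubernetes.io/name=istio-controlplane` in a given cluster is an assumption to check with `kubectl get ns istio-system --show-labels`.

```python
# Egress rule transcribed from the `kubectl describe` output in the issue.
POLICY_EGRESS = [{
    "ports": [(15012, "TCP"), (15014, "TCP")],
    "to": [{
        "namespaceSelector": {"app.kubernetes.io/name": "istio-controlplane"},
        "podSelector": {"app": "istiod"},
    }],
}]

# Constructed destination labels (not taken from a real cluster).
ISTIOD_POD = {"app": "istiod"}
NS_AUTO_LABEL_ONLY = {"kubernetes.io/metadata.name": "istio-system"}
NS_WITH_PACKAGE_LABEL = {  # hypothetical: namespace also carries the package label
    "kubernetes.io/metadata.name": "istio-system",
    "app.kubernetes.io/name": "istio-controlplane",
}


def selects(match_labels, labels):
    """matchLabels semantics: every selector key/value must be present."""
    return all(labels.get(k) == v for k, v in match_labels.items())


def egress_allowed(rules, ns_labels, pod_labels, port, proto="TCP"):
    """True if any rule of this one policy allows the destination.

    Models only peers that set both namespaceSelector and podSelector
    (as in the issue): inside one peer the two selectors are ANDed,
    while peers within a rule and rules within a policy are ORed.
    """
    for rule in rules:
        if (port, proto) not in rule["ports"]:
            continue
        for peer in rule["to"]:
            if selects(peer["namespaceSelector"], ns_labels) and \
               selects(peer["podSelector"], pod_labels):
                return True
    return False


if __name__ == "__main__":
    for name, ns in [("auto label only", NS_AUTO_LABEL_ONLY),
                     ("with package label", NS_WITH_PACKAGE_LABEL)]:
        ok = egress_allowed(POLICY_EGRESS, ns, ISTIOD_POD, 15012)
        print(f"istio-system ({name}): istiod:15012 allowed = {ok}")
```

NetworkPolicies are additive, so a destination this policy does not select can still be allowed by another policy in the `istio-gateway` namespace.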