Advice on Istio K8sObjectOverlay.PathValue for Pod Spec Labels


I popped this on the Istio forums too but thought might have better luck here. We’re currently using Istio on our AKS Cluster with a Pod Identity binding on our ingress gateways and we’re looking to move this across to using Azure Workload Identity instead.

In the Pod Identity setup, the overlays>patches>path is used as below to add a label to the Pod spec of the gateway Deployment:

overlays:
- apiVersion: apps/v1
  kind: Deployment
  name: istio-ingressgateway
  patches:
  - path: spec.template.metadata.labels.aadpodidbinding
    value: managed_identity_name_here
  MORE_VALUES_BELOW

This works as expected and we get a label applied to the Pods that are part of the Deployment as aadpodidbinding=managed_identity_name_here.

In order to move to Workload Identity we’re wanting to set this as azure.workload.identity/use=true and therefore edited the config as below:

overlays:
- apiVersion: apps/v1
  kind: Deployment
  name: istio-ingressgateway
  patches:
  - path: spec.template.metadata.labels.azure.workload.identity/use
    value: true
  MORE_VALUES_BELOW

This doesn’t appear to work at all when trying to apply the change to the Cluster using Helm. We can see the updated value in the Helm Chart but it never actually reaches the Deployment/Pod.

However, if we use the below it does update the Deployment/Pod:

- path: spec.template.metadata.labels.azure
  value: true

It seems that it doesn't like going beyond the first dot for the label prefix? So it's possible to add a label like:

- path: spec.template.metadata.labels.rubbish
  value: someValue

but not:

- path: spec.template.metadata.labels.rubbish.extended
  value: someValue

I’ve been looking at the Istio documentation (Ref 1, Ref 2) and I’m guessing I’m just not wrapping my head around something as to how to format the path for the new label that’s required. I've also seen the posts on here that are similar but it's not clicked for me looking at those (Post 1, Post 2).

If anyone has any advice it’d be greatly appreciated!

Thanks for taking the time to look at this.


Solution

  • Through some further trial and error and looking at the Istio Operator logs, I've found the answer to this now, as below:

    - path: spec.template.metadata.labels.azure\.workload\.identity/use
      value: "true"
    

    Any dots after the first value need escaping for the Istio Operator's RegEx to accept the value, and this has now successfully labelled the ingress gateway Pod via the Deployment Pod spec:

    Labels:           app=istio-ingressgateway
                      azure.workload.identity/use=true
    

    This is definitely working as expected, as the Pods now have the Azure Workload Identity variables injected (AZURE_CLIENT_ID, AZURE_TENANT_ID, AZURE_FEDERATED_TOKEN_FILE, AZURE_AUTHORITY_HOST).

    Hope this helps someone else if they encounter similar!
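As an added example that is not part of the question or the answer above, and not Istio's own code, the following Python model shows why the escaped path works and the unescaped one does not. It reimplements only the behaviour the thread relies on, as an assumption about the overlay path syntax: a path is split on dots, a backslash-escaped dot (`\.`) stays inside one segment, and the final segment is the map key that gets set. It then checks the resulting Pod-template labels against the Kubernetes label rules (string values, at most one `/`, a DNS-subdomain prefix, a 63-character name and value). The `BASE_DEPLOYMENT` object is a constructed stand-in for the istio-ingressgateway Deployment, and list selectors of the form `[key:value]` are deliberately not modelled.

```python
import copy
import re

# Constructed stand-in for the gateway Deployment the overlay targets;
# only the fields this example touches are present.
BASE_DEPLOYMENT = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "istio-ingressgateway"},
    "spec": {"template": {"metadata": {"labels": {"app": "istio-ingressgateway"}}}},
}

# Kubernetes label syntax: qualified-name and value rules.
_NAME_RE = re.compile(r"^([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]$")
_VALUE_RE = re.compile(r"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$")
_DNS_SUBDOMAIN_RE = re.compile(
    r"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$"
)


def split_path(path: str) -> list[str]:
    """Split a dot-separated overlay path into segments; a backslash-escaped
    dot ('\\.') is kept as a literal dot inside the current segment.
    (Assumed model of the overlay path syntax, not Istio's implementation.)"""
    segments: list[str] = []
    current: list[str] = []
    i = 0
    while i < len(path):
        if path[i] == "\\" and i + 1 < len(path) and path[i + 1] == ".":
            current.append(".")
            i += 2
        elif path[i] == ".":
            segments.append("".join(current))
            current = []
            i += 1
        else:
            current.append(path[i])
            i += 1
    segments.append("".join(current))
    return segments


def apply_patch(obj: dict, path: str, value):
    """Set `value` at `path`, creating intermediate maps on the way down.
    Every segment except the last is treated as a map key."""
    parts = split_path(path)
    node = obj
    for part in parts[:-1]:
        node = node.setdefault(part, {})
        if not isinstance(node, dict):
            raise TypeError(f"cannot descend into non-map at {part!r}")
    node[parts[-1]] = value
    return obj


def render_labels(path: str, value) -> dict:
    """Apply one overlay patch to a copy of the base Deployment and return
    the resulting Pod-template labels."""
    dep = apply_patch(copy.deepcopy(BASE_DEPLOYMENT), path, value)
    return dep["spec"]["template"]["metadata"]["labels"]


def validate_labels(labels: dict) -> list[str]:
    """Return the reasons the API server would reject this label map
    (empty list means the labels are well-formed)."""
    problems: list[str] = []
    for key, value in labels.items():
        if not isinstance(value, str):
            problems.append(f"{key}: value must be a string, got {type(value).__name__}")
            continue
        if len(value) > 63 or not _VALUE_RE.match(value):
            problems.append(f"{key}: invalid label value {value!r}")
        parts = key.split("/")
        if len(parts) > 2:
            problems.append(f"{key}: at most one '/' allowed in a label key")
            continue
        name = parts[-1]
        if len(name) > 63 or not _NAME_RE.match(name):
            problems.append(f"{key}: invalid label name {name!r}")
        if len(parts) == 2:
            prefix = parts[0]
            if len(prefix) > 253 or not _DNS_SUBDOMAIN_RE.match(prefix):
                problems.append(f"{key}: invalid label prefix {prefix!r}")
    return problems


# The two paths from the thread: unescaped dots descend into nested maps,
# escaped dots keep the whole key 'azure.workload.identity/use' intact.
UNESCAPED = "spec.template.metadata.labels.azure.workload.identity/use"
ESCAPED = "spec.template.metadata.labels.azure\\.workload\\.identity/use"

if __name__ == "__main__":
    for path, value in ((UNESCAPED, True), (ESCAPED, True), (ESCAPED, "true")):
        labels = render_labels(path, value)
        print(f"{path} = {value!r}\n  labels: {labels}\n  {validate_labels(labels) or 'OK'}")
```

Running it shows the three outcomes side by side: the unescaped path turns `azure` into a map label (`{"workload": {"identity/use": True}}`), which is not a valid label value; the escaped path with an unquoted YAML `true` yields a boolean value, which labels also reject; only the escaped path with the quoted `"true"` produces the well-formed `azure.workload.identity/use=true` label the answer reports. Note that every literal dot in the key must be escaped for the key to survive as one segment.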