Refine Helm Charts: Add missing namespaces.

[yusuoh]

No description provided.

[codecov]

Codecov Report

Merging #4606 into master will decrease coverage by 4%.
The diff coverage is n/a.

@@           Coverage Diff           @@
##           master   #4606    +/-   ##
=======================================
- Coverage      75%     72%    -3%     
=======================================
  Files         297     295     -2     
  Lines       24742   25217   +475     
=======================================
- Hits        18524   18099   -425     
- Misses       5453    6359   +906     
+ Partials      765     759     -6

Impacted Files	Coverage Δ
...olarwinds/internal/papertrail/papertrail_logger.go	62% <0%> (-18%)	⬇️
mixer/adapter/prometheus/prometheus.go	89% <0%> (-11%)	⬇️
pilot/pkg/config/kube/ingress/status.go	19% <0%> (-5%)	⬇️
mixer/adapter/redisquota/redisquota.go	86% <0%> (-3%)	⬇️
mixer/adapter/servicecontrol/testhelper.go	72% <0%> (-2%)	⬇️
pilot/pkg/model/egress_rules.go	95% <0%> (-2%)	⬇️
pilot/pkg/model/authentication.go	75% <0%> (-1%)	⬇️
mixer/adapter/fluentd/fluentd.go	76% <0%> (-1%)	⬇️
mixer/adapter/circonus/circonus.go	70% <0%> (-1%)	⬇️
mixer/adapter/rbac/rbacStore.go	84% <0%> (ø)	⬇️
... and 41 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 57d4d60...c1da740. Read the comment docs.

[costinm]

Can we generate files under $OUT and not in the source tree ?

[costinm]

Adding more people - I don't think we have tiller tests - or if it works with tiller.

We need to keep it working for both

[sdake]

@costin the helm charts worked with tiller a few weeks ago. I'll test this PR later tonight against tiller - I've got a few errands to run. I don't think there is harm in hard-coding the namespaces, although typically with helm -n argument is used to specify the namespace (and is automatically set in that condition IIRC). I could be wrong on th eabove - the helm charts went through a large refactor.

I'll report back this evening. otherwise lgtm

[mandarjog]

Why do we need namespace embedded in the artifacts ?
kubectl -n < > apply
or helm -n work just fine ..

What is the helm best practice here?

[yusuoh]

This change is to make sure that the generated yamls from Istio release are correct (i.e. user can use kubectl apply -f istio.yaml without specifying namespaces). Currently some of them are tagged with namespaces and some are not. The kubectl -n and helm -n should still work as before.

It is not breaking the e2e tests only because those test are always using kubectl -n to set up the environment.

[yusuoh]

Btw, it seems that helm install -n and Helm template -n have different behavior. The previous one will tag all resources with correct namespace while the later won't unless you specifiy {{.Release.Namespace}} explicitly.

[yusuoh]

There is a related issue in Helm: helm/helm#3553

[costinm]

I think we should follow Helm practices - if it means 'kubectl apply -n istio-system' - it's fine with me.

If helm recommends including the namespace in template - good with me as well.

[yusuoh]

It seems that a new file is added by previous PR #4001 (install/kubernetes/helm/istio/templates/namespace.yaml), which broke the helm install. Because helm -n is trying to create namespace which already exits.

istio$ helm install install/kubernetes/helm/istio --namespace=istio-system
Error: release dangling-buffalo failed: namespaces "istio-system" already exists

After I deleted that file, it passes with this PR. However, we need to find a way to generate yaml from templates correctly.

[yusuoh]

Fixed the above namespace issue in #4612 by moving the namespace file out of helm chart.

[sdake]

Apologies I failed to test this PR last night. Sounds like you gave it a spin with Tiller though @yusuoh. I think Helm best practice is to use -n to override namespaces.

CCing @jascott1 who is a helm core and can answer the best practice question.

[jascott1]

Having a Namespace manifest is currently problematic with Helm as you have discovered. Just using --namespace is more idiomatic.

[yusuoh]

@jascott1 This PR is not adding the namespace manifest but only to specify the metata.namespace field in k8s resources. Do you think it is OK to do that?

[andraxylia]

This namespaces are part of the RBAC rules, so this fix is required. We cannot simply get a yaml file and apply it with -n to a namespace.

[jascott1]

@yusuoh Yes there is no problem with that approach afaik.

[jascott1]

BTW I corrected my above post, just for clarity its --namespace for namespace and -n is release name.

[costinm]

/lgtm

[istio-testing]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: costinm

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• install/OWNERS [costinm]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[istio-merge-robot]

/test all [submit-queue is verifying that this PR is safe to merge]

[istio-merge-robot]

Automatic merge from submit-queue.