From c01306ff4fbe16c225f91ac570c23dfc555848f0 Mon Sep 17 00:00:00 2001 From: Yang Yang Date: Tue, 10 Mar 2026 21:31:44 -0700 Subject: [PATCH 1/2] fix: emit correct Istio pod labels for ambient mode When istio.dataplaneMode is set to "ambient", the pulsar.template.labels helper now emits istio.io/dataplane-mode: "ambient" instead of the default sidecar.istio.io/inject: "true". This prevents sidecar injection for pods that should be enrolled in Istio ambient mesh via ztunnel. Without this fix, pods in ambient mode get both labels and sidecar injection takes precedence, resulting in 2/2 containers instead of 1/1. This affects both operator-managed components (broker, bookie, zk, proxy) where the Helm label conflicts with the operator's CRD-driven label, and Helm-only components (toolset, function-worker, grafana, console, etc.) that rely entirely on the Helm template for mesh enrollment. Co-Authored-By: Claude Opus 4.6
---
 charts/sn-platform-slim/templates/_helpers.tpl | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/charts/sn-platform-slim/templates/_helpers.tpl b/charts/sn-platform-slim/templates/_helpers.tpl
index 20dd6d44e..55ed3faa2 100644
--- a/charts/sn-platform-slim/templates/_helpers.tpl
+++ b/charts/sn-platform-slim/templates/_helpers.tpl
@@ -71,6 +71,8 @@ cluster: {{ template "pulsar.fullname" . }}
 {{- if .Values.istio.enabled }}
 {{- if .Values.istio.labels }}
 {{ toYaml .Values.istio.labels }}
+{{- else if eq (default "" .Values.istio.dataplaneMode) "ambient" }}
+istio.io/dataplane-mode: "ambient"
 {{- else }}
 sidecar.istio.io/inject: "true"
 {{- end }}
From 6dca48674ffbf23b12c06b08cb8561659b64d8b0 Mon Sep 17 00:00:00 2001
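Review bot: The new `else if` branch in `_helpers.tpl` is reached only when `.Values.istio.labels` is empty, so a release that sets both `istio.labels` and `istio.dataplaneMode: ambient` renders only the custom labels and no `istio.io/dataplane-mode` label. Whether those pods end up enrolled in the mesh, and covered by its mTLS, then depends on the custom or namespace labels, which this template does not check. The comparison is also an exact, case-sensitive match, so a value such as `Ambient` falls through to `sidecar.istio.io/inject: "true"` without any error. I would state the precedence in a template comment beside the branch, for example `{{- /* istio.labels, when set, replaces the mode-derived label entirely */}}`, and consider rejecting unrecognised `dataplaneMode` values with `fail`. The enclosing define starts and ends outside the hunk.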
From: Yang Yang Date: Tue, 10 Mar 2026 21:53:41 -0700 Subject: [PATCH 2/2] fix: decouple broker Istio mesh enrollment from ingress config Split the broker's spec.istio conditional so that base Istio settings (enabled, dataplaneMode, mtls) only require istio.enabled, while the gateway block additionally requires ingress.broker.enabled. Previously the entire spec.istio block was gated behind both conditions, meaning users couldn't enable Istio mesh enrollment (e.g. ambient mode) without also enabling broker ingress. This was inconsistent with ZK, BK, and Proxy templates which only check istio.enabled. Co-Authored-By: Claude Opus 4.6
---
 charts/sn-platform-slim/templates/broker/broker-cluster.yaml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/charts/sn-platform-slim/templates/broker/broker-cluster.yaml b/charts/sn-platform-slim/templates/broker/broker-cluster.yaml
index af40c2207..cfe06fa4c 100644
--- a/charts/sn-platform-slim/templates/broker/broker-cluster.yaml
+++ b/charts/sn-platform-slim/templates/broker/broker-cluster.yaml
@@ -167,7 +167,7 @@ spec:
 certSecretName: "{{ template "pulsar.broker.tls.secret.name" . }}"
 trustCertsEnabled: {{ .Values.tls.broker.trustCertsEnabled }}
 {{- end }}
- {{- if and .Values.istio.enabled .Values.ingress.broker.enabled }}
+ {{- if .Values.istio.enabled }}
 istio:
 enabled: true
 {{- if .Values.istio.dataplaneMode }}
@@ -177,6 +177,7 @@ spec:
 mtls:
 mode: permissive
 {{- end }}
+ {{- if .Values.ingress.broker.enabled }}
 gateway:
 selector:
 {{- include "pulsar.istio.gateway.selector" . | indent 8 }}
@@ -189,6 +190,7 @@ spec:
 trustCertsEnabled: {{ .Values.tls.broker.gateway.trustCertsEnabled }}
 mode: "passthrough"
 {{- end }}
+ {{- end }}
 {{- end }}
 {{- if and .Values.broker.pulsarBroker.networking .Values.broker.pulsarBroker.networking.podService .Values.broker.pulsarBroker.networking.podService.enabled }}
 networking:
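Review bot: With the outer guard in the first hunk reduced to `.Values.istio.enabled`, the `mtls` block shown as context in the second hunk (`mode: permissive`) can now render for Istio-enabled releases that have no broker ingress. Its own condition lies between the hunks and is not visible here, so this needs confirming. Permissive mode accepts plaintext as well as mutual-TLS connections, and releases that previously had no `spec.istio` on the broker will gain it on upgrade. I would call this out in the chart's upgrade notes and add a template comment above the new inner guard, for example `{{- /* gateway needs broker ingress; mesh enrollment above does not */}}`. The `spec` block starts and ends outside these hunks.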