helm: add Istio wrapper chart by danish9039 · Pull Request #3478 · kubeflow/community-distribution

danish9039 · 2026-05-25T13:03:49Z

Summary

Adds the first Istio Helm wrapper chart for the Project 5 platform-first Helm work under common/istio/helm, co-located with the Kustomize baseline under common/istio.

The chart is a static Kustomize-parity wrapper for the current Kubeflow Istio install. It follows the resources under common/istio instead of using the upstream Istio Helm charts directly, so the first slice stays aligned with the current Kustomize baseline.

This branch is aligned with the current Istio 1.30.1 manifests.

Supported scenarios

crds: common/istio/istio-crds/base
base: Istio CRDs, namespace NetworkPolicies, CNI, istiod, and ingress gateway
oauth2-proxy: Kubeflow Istio install with oauth2-proxy external auth provider
gke: GKE-specific Istio CNI path behavior
cluster-local-gateway: internal gateway resources for Knative/KServe traffic
kubeflow-istio-resources: Kubeflow gateway and Istio aggregate RBAC
platform-full: oauth2-proxy profile plus cluster-local gateway and Kubeflow Istio resources

Scope update

Move the wrapper chart from experimental/helm/charts/istio to common/istio/helm.
Update YAML lint config so co-located Helm templates under common/*/helm/templates/** are not treated as raw YAML.

Follow-up

Sync script extension for refreshing the static Helm payloads from the regenerated Kustomize baseline will follow separately after the chart location change, so this PR stays focused on co-location and parity proof.

Stacking note

This PR follows:

kubeflow-namespaces -> kubeflow-platform -> cert-manager -> istio

The chart does not render Namespace/istio-system. That namespace is provided by the foundation chart in #3468. Helm release metadata and Istio control-plane workloads are stored in istio-system; Istio CNI resources still run in kube-system.

Install shape

Istio is installed in two Helm steps because Istio custom resources cannot be created until the Istio CRDs exist.

helm install istio ./common/istio/helm \
  --namespace istio-system \
  --values ./common/istio/helm/ci/values-crds.yaml \
  --wait

helm upgrade istio ./common/istio/helm \
  --namespace istio-system \
  --values ./common/istio/helm/ci/values-oauth2-proxy.yaml \
  --wait

For GKE, use ci/values-gke.yaml in the second step.

Validation

helm lint common/istio/helm
./tests/helm_kustomize_compare.sh istio crds
./tests/helm_kustomize_compare.sh istio base
./tests/helm_kustomize_compare.sh istio oauth2-proxy
./tests/helm_kustomize_compare.sh istio gke
./tests/helm_kustomize_compare.sh istio cluster-local-gateway
./tests/helm_kustomize_compare.sh istio kubeflow-istio-resources
./tests/helm_kustomize_compare.sh istio platform-full
./tests/helm_kustomize_compare_all.sh istio

github-actions · 2026-05-25T13:03:58Z

Welcome to the Kubeflow Manifests Repository

Thanks for opening your first PR. Your contribution means a lot to the Kubeflow community.

Before making more PRs:
Please ensure your PR follows our Contributing Guide.
Please also be aware that many components are synchronizes from upstream via the scripts in /scripts.
So in some cases you have to fix the problem in the upstream repositories first, but you can use a PR against kubeflow/manifests to test the platform integration.

Community Resources:

CNCF Slack channels: https://www.kubeflow.org/docs/about/community/#kubeflow-slack-channels
Community meetings: https://www.kubeflow.org/docs/about/community/

Thanks again for helping to improve Kubeflow.

Copilot

Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

This PR adds an Istio “wrapper” Helm chart (static manifests rendered via Files.Get) and extends the existing Helm-vs-Kustomize comparison tests to cover Istio scenarios.

Changes:

Add istio as a supported component in the helm/kustomize comparison scripts (including “all” runner + help text).
Add an experimental experimental/helm/charts/istio chart with static, Kustomize-generated manifests and CI values presets.
Update manifest comparison keying to include namespaces for Istio resources with repeated names.

Reviewed changes

Copilot reviewed 24 out of 27 changed files in this pull request and generated 3 comments.

Show a summary per file

File	Description
tests/helm_kustomize_compare_all.sh	Adds `istio` scenarios to the “compare all” test runner and help text.
tests/helm_kustomize_compare.sh	Adds Istio component mapping and supports comparing multiple Kustomize build roots per scenario.
tests/helm_kustomize_compare.py	Adjusts resource keying and CLI validation to support `istio`.
experimental/helm/charts/istio/Chart.yaml	Introduces the Istio wrapper Helm chart metadata.
experimental/helm/charts/istio/README.md	Documents how to install and how CI values map to Kustomize roots.
experimental/helm/charts/istio/values.yaml	Defines default values and feature toggles for which static manifests to render.
experimental/helm/charts/istio/templates/_helpers.tpl	Implements `kubeflow-istio.renderFile` for static-manifest rendering with string substitutions.
experimental/helm/charts/istio/templates/crds.yaml	Conditionally renders the CRD manifest bundle.
experimental/helm/charts/istio/templates/namespace.yaml	Conditionally renders the Istio namespace manifest.
experimental/helm/charts/istio/templates/networkpolicies.yaml	Conditionally renders the Istio namespace NetworkPolicies bundle.
experimental/helm/charts/istio/templates/install-base.yaml	Conditionally renders the base Istio install bundle.
experimental/helm/charts/istio/templates/install-oauth2-proxy.yaml	Conditionally renders the oauth2-proxy overlay install bundle.
experimental/helm/charts/istio/templates/cluster-local-gateway.yaml	Conditionally renders the cluster-local-gateway bundle.
experimental/helm/charts/istio/templates/kubeflow-istio-resources.yaml	Conditionally renders the Kubeflow-specific Istio resources bundle.
experimental/helm/charts/istio/manifests/namespace.yaml	Adds static namespace manifest derived from Kustomize output.
experimental/helm/charts/istio/manifests/networkpolicies.yaml	Adds static network policies derived from Kustomize output.
experimental/helm/charts/istio/manifests/crds.yaml	Adds static CRDs bundle derived from Kustomize output.
experimental/helm/charts/istio/manifests/install-base.yaml	Adds large static base install bundle derived from Kustomize output.
experimental/helm/charts/istio/manifests/install-oauth2-proxy.yaml	Adds static oauth2-proxy overlay install bundle derived from Kustomize output.
experimental/helm/charts/istio/manifests/cluster-local-gateway.yaml	Adds static cluster-local-gateway bundle derived from Kustomize output.
experimental/helm/charts/istio/manifests/kubeflow-istio-resources.yaml	Adds static Kubeflow-specific Istio resources bundle derived from Kustomize output.
experimental/helm/charts/istio/ci/values-crds.yaml	Adds CI preset values for the CRDs-only step.
experimental/helm/charts/istio/ci/values-base.yaml	Adds CI preset values for base (no oauth2-proxy) parity.
experimental/helm/charts/istio/ci/values-oauth2-proxy.yaml	Adds CI preset values for oauth2-proxy overlay parity.
experimental/helm/charts/istio/ci/values-cluster-local-gateway.yaml	Adds CI preset values for cluster-local-gateway parity.
experimental/helm/charts/istio/ci/values-kubeflow-istio-resources.yaml	Adds CI preset values for Kubeflow Istio resources parity.
experimental/helm/charts/istio/ci/values-platform-full.yaml	Adds CI preset values for the full managed Istio slice.

danish9039 · 2026-05-25T15:50:00Z

+for path in $KUSTOMIZE_PATH; do
+    kustomize build "$path" >> "$KUSTOMIZE_OUTPUT"
+    printf "\n---\n" >> "$KUSTOMIZE_OUTPUT"


Fixed by writing YAML separators only between rendered Kustomize roots.

danish9039 · 2026-05-25T15:50:02Z

+for path in $KUSTOMIZE_PATH; do
+    if [ ! -d "$path" ]; then
+        echo "ERROR: Kustomize path does not exist: $path"
+        exit 1
+    fi
+done


Fixed by storing Kustomize roots as newline-delimited values and iterating over a quoted array.

danish9039 · 2026-05-25T15:50:03Z

+{{- $content = replace "- kubeflow/*" (printf "- %s/*" ($root.Values.global.kubeflowNamespace | toString)) $content -}}
+{{- if .oauth2 -}}
+{{- $content = replace "service: oauth2-proxy.oauth2-proxy.svc.cluster.local" (printf "service: %s" ($root.Values.oauth2Proxy.service | toString)) $content -}}
+{{- $content = replace "        port: 80\n      name: oauth2-proxy" (printf "        port: %d\n      name: oauth2-proxy" (int $root.Values.oauth2Proxy.port)) $content -}}


Fixed by replacing the exact multiline port match with a whitespace-tolerant regex replacement.

Copilot

Pull request overview

Copilot reviewed 24 out of 27 changed files in this pull request and generated 5 comments.

danish9039 · 2026-05-31T16:54:47Z

+{{- if .Values.crds.enabled }}
+{{ include "kubeflow-istio.renderFile" (dict "root" . "path" "manifests/crds.yaml") }}
+{{- end }}


Keeping CRDs gated in this chart for now to preserve the documented two-step install; a separate CRD chart can be evaluated as a follow-up if maintainers prefer that lifecycle.

danish9039 · 2026-05-31T16:54:49Z

+{{- $content := $root.Files.Get .path -}}
+{{- $content = replace "istio-system" ($root.Values.global.istioNamespace | toString) $content -}}
+{{- $content = replace "kube-system" ($root.Values.global.kubeSystemNamespace | toString) $content -}}
+{{- $content = replace "namespace: kubeflow\n" (printf "namespace: %s\n" ($root.Values.global.kubeflowNamespace | toString)) $content -}}
+{{- $content = replace "- kubeflow/*" (printf "- %s/*" ($root.Values.global.kubeflowNamespace | toString)) $content -}}


Leaving the helper structure as-is for this slice; substitutions are limited and covered by Helm/Kustomize comparison tests.

danish9039 · 2026-05-31T16:54:43Z

+{{- $content = replace "istio-system" ($root.Values.global.istioNamespace | toString) $content -}}
+{{- $content = replace "kube-system" ($root.Values.global.kubeSystemNamespace | toString) $content -}}
+{{- $content = replace "namespace: kubeflow\n" (printf "namespace: %s\n" ($root.Values.global.kubeflowNamespace | toString)) $content -}}


Added DNS-1123 validation for the namespace values before rendering.

danish9039 · 2026-05-31T16:54:44Z

+cluster-local-gateway:
+  # -- Render the Kubeflow cluster-local gateway resources.
+  enabled: false


Renamed the values key to clusterLocalGateway and updated the CI presets/templates.

danish9039 · 2026-05-31T16:54:45Z

+apiVersion: v1
+kind: ServiceAccount
+metadata:


Added provenance headers to the generated Istio install manifests and kept regeneration commands in the chart README.

juliusvonkohout · 2026-05-25T18:17:48Z

What about the GKE flavor? That is something that has to be confifurable. Think twice about which values we really need.

danish9039 · 2026-06-01T05:48:01Z

Short install/lifecycle note for this Istio chart:

Istio has both CRDs and Istio custom resources such as Gateway, AuthorizationPolicy, and Sidecar. The CRDs must exist before those custom resources can be applied.

Recommended install shape:

helm install istio ./experimental/helm/charts/istio \
  --namespace kubeflow-system \
  --values ./experimental/helm/charts/istio/ci/values-crds.yaml \
  --wait

helm upgrade istio ./experimental/helm/charts/istio \
  --namespace kubeflow-system \
  --values ./experimental/helm/charts/istio/ci/values-gke.yaml \
  --wait

The second step can use one of the supported install profiles:

values-base.yaml
values-oauth2-proxy.yaml
values-gke.yaml

crds is not an Istio flavor. It is only the first lifecycle step.

Already covered in this PR:

base
oauth2-proxy
gke
additive resources: cluster-local-gateway and kubeflow-istio-resources

Remaining Kustomize variants not covered yet:

ambient
ambient-gke
ambient-oauth2-proxy
ambient-oauth2-proxy-gke
insecure
cluster-local-gateway/overlays/m2m-auth

danish9039 · 2026-06-01T05:49:58Z

What about the GKE flavor? That is something that has to be confifurable. Think twice about which values we really need.

Added GKE flavor comment with profile: gke, mapped to common/istio/istio-install/overlays/gke, while keeping CRDs and additive resources as separate gates.

Copilot

Pull request overview

Copilot reviewed 27 out of 31 changed files in this pull request and generated 5 comments.

+{{- $content = replace "istio-system" ($root.Values.global.istioNamespace | toString) $content -}}
+{{- $content = replace "kube-system" ($root.Values.global.kubeSystemNamespace | toString) $content -}}
+{{- $content = replace "namespace: kubeflow\n" (printf "namespace: %s\n" ($root.Values.global.kubeflowNamespace | toString)) $content -}}
+{{- $content = replace "- kubeflow/*" (printf "- %s/*" ($root.Values.global.kubeflowNamespace | toString)) $content -}}


+{{- if and .Values.install.enabled (eq .Values.profile "gke") }}
+{{ include "kubeflow-istio.renderFile" (dict "root" . "path" "manifests/install-gke.yaml" "oauth2" true) }}
+{{- end }}


+spec:
+  ports:
+  - name: status-port
+    port: 15020
+    targetPort: 15020
+  - name: http2
+    port: 80
+    targetPort: 8080


+        readinessProbe:
+          failureThreshold: 30
+          httpGet:
+            path: /healthz/ready
+            port: 15021
+            scheme: HTTP


+{{ include "kubeflow-istio.validateNamespace" (dict "name" "global.istioNamespace" "value" .Values.global.istioNamespace) }}
+{{ include "kubeflow-istio.validateNamespace" (dict "name" "global.kubeflowNamespace" "value" .Values.global.kubeflowNamespace) }}
+{{ include "kubeflow-istio.validateNamespace" (dict "name" "global.kubeSystemNamespace" "value" .Values.global.kubeSystemNamespace) }}


danish9039 · 2026-06-06T16:09:09Z

@dhanishaphadate

Signed-off-by: danish9039 <danishsiddiqui040@gmail.com>

danish9039 · 2026-06-07T23:22:35Z

Rebased on latest master and regenerated the Istio Helm static manifests against Istio 1.30.1; local helm lint and ./tests/helm_kustomize_compare_all.sh istio pass.

Copilot

Pull request overview

Copilot reviewed 27 out of 31 changed files in this pull request and generated 3 comments.

+{{- if .Values.crds.enabled }}
+{{ include "kubeflow-istio.renderFile" (dict "root" . "path" "manifests/crds.yaml") }}
+{{- end }}


+{{- $content := $root.Files.Get .path -}}
+{{- $content = replace "istio-system" ($root.Values.global.istioNamespace | toString) $content -}}
+{{- $content = replace "kube-system" ($root.Values.global.kubeSystemNamespace | toString) $content -}}
+{{- $content = regexReplaceAll "(?m)^([[:space:]]*namespace: )kubeflow$" $content (printf "${1}%s" ($root.Values.global.kubeflowNamespace | toString)) -}}


+def should_compare_manifest(manifest: Dict, component: str, scenario: str) -> bool:
+    """Select the resource subset owned by a comparison scenario."""
+    if component == "istio" and manifest.get("kind") == "Namespace":
+        return False
+
+    return True


Signed-off-by: danish9039 <danishsiddiqui040@gmail.com>

google-oss-prow · 2026-06-15T03:56:01Z

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign kimwnasptd for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

Signed-off-by: danish9039 <danishsiddiqui040@gmail.com>

Copilot AI review requested due to automatic review settings May 25, 2026 13:03

google-oss-prow Bot added the do-not-merge/work-in-progress label May 25, 2026

google-oss-prow Bot requested review from juliusvonkohout and tarekabouzeid May 25, 2026 13:03

google-oss-prow Bot added the size/XXL label May 25, 2026

This was referenced May 25, 2026

helm: add oauth2-proxy wrapper chart #3479

Open

helm: add Dex wrapper chart #3480

Open

Copilot AI reviewed May 25, 2026

View reviewed changes

danish9039 mentioned this pull request May 25, 2026

helm: synCHRONIZE kserve models web app chart #3481

Merged

3 tasks

danish9039 force-pushed the gsoc/istio-wrapper-chart branch from dbbba3a to 8c0de67 Compare May 25, 2026 15:44

danish9039 requested a review from Copilot May 25, 2026 15:55

Copilot AI reviewed May 25, 2026

View reviewed changes

danish9039 force-pushed the gsoc/istio-wrapper-chart branch from b364b03 to 9984842 Compare May 26, 2026 19:38

danish9039 marked this pull request as ready for review June 1, 2026 05:51

google-oss-prow Bot removed the do-not-merge/work-in-progress label Jun 1, 2026

google-oss-prow Bot requested a review from kimwnasptd June 1, 2026 05:51

danish9039 requested a review from Copilot June 1, 2026 06:47

Copilot AI reviewed Jun 1, 2026

View reviewed changes

danish9039 added 7 commits June 8, 2026 04:34

Add Istio Helm wrapper chart

c7afc9e

Signed-off-by: danish9039 <danishsiddiqui040@gmail.com>

Add Kubeflow Istio gateway resources

f9cd97d

Signed-off-by: danish9039 <danishsiddiqui040@gmail.com>

istio: sync Helm chart with Istio 1.30.0

3c045cc

Signed-off-by: danish9039 <danishsiddiqui040@gmail.com>

helm: harden istio comparison rendering

b87bbf3

Signed-off-by: danish9039 <danishsiddiqui040@gmail.com>

helm: add istio gke profile

e54cd40

Signed-off-by: danish9039 <danishsiddiqui040@gmail.com>

test: rerun istio ci

9f44bd7

Signed-off-by: danish9039 <danishsiddiqui040@gmail.com>

helm: address istio review comments

6ae7628

Signed-off-by: danish9039 <danishsiddiqui040@gmail.com>

danish9039 added 3 commits June 8, 2026 04:34

helm: address istio review comments

78872e9

Signed-off-by: danish9039 <danishsiddiqui040@gmail.com>

helm: use foundation-owned istio namespace

a3d843d

Signed-off-by: danish9039 <danishsiddiqui040@gmail.com>

helm: synchronize istio chart with 1.30.1

a2454f9

Signed-off-by: danish9039 <danishsiddiqui040@gmail.com>

danish9039 force-pushed the gsoc/istio-wrapper-chart branch from fd75836 to a2454f9 Compare June 7, 2026 23:18

danish9039 requested a review from Copilot June 7, 2026 23:44

Copilot AI reviewed Jun 7, 2026

View reviewed changes

danish9039 added 2 commits June 9, 2026 16:59

helm: fix istio namespace names

4064108

Signed-off-by: danish9039 <danishsiddiqui040@gmail.com>

helm: move istio chart to common/istio/helm

6d6071f

Signed-off-by: danish9039 <danishsiddiqui040@gmail.com>

ci: ignore Helm templates in YAML lint

59c49ec

Signed-off-by: danish9039 <danishsiddiqui040@gmail.com>

Conversation

danish9039 commented May 25, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Summary

Supported scenarios

Scope update

Follow-up

Stacking note

Install shape

Validation

Uh oh!

github-actions Bot commented May 25, 2026

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull request overview

Reviewed changes

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull request overview

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

juliusvonkohout commented May 25, 2026

Uh oh!

danish9039 commented Jun 1, 2026

Uh oh!

danish9039 commented Jun 1, 2026

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull request overview

Uh oh!

danish9039 commented Jun 6, 2026

Uh oh!

danish9039 commented Jun 7, 2026

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull request overview

Uh oh!

google-oss-prow Bot commented Jun 15, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

danish9039 commented May 25, 2026 •

edited

Loading