[Question] GitOps (FluxCD), HelmRepository, HelmRelease - code works in one namespace but doesn't in the other
Describe scenario
I've enabled GitOps for a repository that contains HelmRepository/HelmRelease for installing Istio. GitOps is enabled in the flux-system namespace, cluster-wide.
In my repo, under /istio/system I've 2 files:
- istio.yaml

```yaml
apiVersion: source.toolkit.fluxcd.io/v1beta1
kind: HelmRepository
metadata:
  name: istio
  namespace: istio-system
  labels:
    app.kubernetes.io/part-of: istio
spec:
  interval: 1m0s
  url: https://istio-release.storage.googleapis.com/charts
---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
  name: istio-base
  namespace: istio-system
  labels:
    app.kubernetes.io/part-of: istio
spec:
  chart:
    spec:
      version: "1.14"
      chart: base
      sourceRef:
        kind: HelmRepository
        name: istio
        namespace: istio-system
  interval: 1m0s
```

- namespace.yaml

```yaml
apiVersion: v1
kind: Namespace
metadata:
  name: istio-system
```

There's also a kustomization that looks like:

```yaml
apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
kind: Kustomization
metadata:
  name: istio-system
  namespace: flux-system
spec:
  interval: 10m0s
  path: ./istio/system
  prune: true
  wait: true
  sourceRef:
    kind: GitRepository
    name: istio
```

When I create a GitOps configuration in AKS, I also create a new kustomization that points to the kustomization file above.
The configuration above doesn't work: no Helm charts are installed, and the istio kustomization is stuck in running health checks with a timeout. However, when I change istio-system to the flux-system namespace, everything works OK. I thought that it might be related to RBAC, but I checked and it seems all ClusterRoleBindings are added.
Question
What's wrong with the configuration above? Why does it work in flux-system but not in istio-system?
Action required from @Azure/aks-pm
Issue needing attention of @Azure/aks-leads
There is a multi-tenancy flag for the flux extension that you can turn off to allow cross namespace operations. Not sure if that’s the issue here but worth a try. https://github.com/fluxcd/flux2/issues/3182
Did you figure any of this out in the end?
This fixed it for me today https://github.com/fluxcd/flux2/issues/3182#issuecomment-1275152211
Toggling the Multi tenancy enforce flag worked for me too.
@macpak Did any of the proposed fixes in this thread work for you?