From ad09db58dc092b6d0c39025e7a172ebf187ddc02 Mon Sep 17 00:00:00 2001
From: Federico Maleh
Date: Mon, 1 Jun 2026 12:02:39 -0300
Subject: [PATCH 1/2] feat(istio): expose istio_ingressgateway_replicas to guarantee HA for node drains
---
 infrastructure/commons/istio/main.tf | 16 +++++++++++++++-
 infrastructure/commons/istio/variables.tf | 11 +++++++++++
 2 files changed, 26 insertions(+), 1 deletion(-)
diff --git a/infrastructure/commons/istio/main.tf b/infrastructure/commons/istio/main.tf
index 3f8c27c5..e330fd0a 100644
--- a/infrastructure/commons/istio/main.tf
+++ b/infrastructure/commons/istio/main.tf
@@ -88,5 +88,19 @@ resource "helm_release" "istio_ingressgateway" {
 values = [local.helm_values]
-
+ # Enforce HA on istio-ingressgateway. Same class of bug as istiod: the
+ # gateway chart ships a default PDB with minAvailable=1, and the HPA is
+ # enabled with autoscaling.minReplicas=1, so a single-replica install
+ # blocks every node rolling update with PodEvictionFailure. Setting both
+ # replicaCount and autoscaling.minReplicas locks in the floor.
+ set = [
+ {
+ name = "replicaCount"
+ value = var.istio_ingressgateway_replicas
+ },
+ {
+ name = "autoscaling.minReplicas"
+ value = var.istio_ingressgateway_replicas
+ },
+ ]
 }
diff --git a/infrastructure/commons/istio/variables.tf b/infrastructure/commons/istio/variables.tf
index cc29466b..87b6b1fc 100644
--- a/infrastructure/commons/istio/variables.tf
+++ b/infrastructure/commons/istio/variables.tf
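Review bot: The new `autoscaling.minReplicas` entry in the `set` list raises the HPA floor without also setting `autoscaling.maxReplicas`, so any `var.istio_ingressgateway_replicas` above the chart's default ceiling yields an HPA whose minReplicas exceeds maxReplicas, which the API server rejects at apply time; the variable's validation in variables.tf only checks `>= 1`. A third entry `{ name = "autoscaling.maxReplicas", value = max(var.istio_ingressgateway_replicas, CHART_DEFAULT_MAX) }` (placeholder for the chart's default) keeps the pair consistent, or the variable description should state the upper bound. Separately, the replica floor alone does not spread the pods across nodes; unless `local.helm_values`, defined outside this hunk, already sets pod anti-affinity or topology spread constraints, both replicas can be co-scheduled and the HA guarantee named in the commit title holds only for planned drains, not for the loss of that node. The enclosing `helm_release` resource starts before the hunk.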
@@ -31,6 +31,17 @@ variable "istiod_replicas" {
 }
 }
+variable "istio_ingressgateway_replicas" {
+ description = "Number of istio-ingressgateway replicas. Set to 2+ to avoid PDB blocking node drains. Applied to both replicaCount and autoscaling.minReplicas to prevent the HPA from scaling back to 1. The Istio gateway Helm chart installs the gateway with a default PodDisruptionBudget (minAvailable=1), so a single replica blocks node rolling updates with PodEvictionFailure — same class of bug as the istiod single-replica issue."
+ type = number
+ default = 2
+
+ validation {
+ condition = var.istio_ingressgateway_replicas >= 1
+ error_message = "istio_ingressgateway_replicas must be at least 1."
+ }
+}
+
 ###############################################################################
 # SERVICE CONFIGURATION
 ###############################################################################
From ac841566f5056170a967988dcab3168d7e403363 Mon Sep 17 00:00:00 2001
From: Federico Maleh
Date: Mon, 1 Jun 2026 12:12:17 -0300
Subject: [PATCH 2/2] chore(istio): drop verbose comment on ingressgateway HA set block
---
 infrastructure/commons/istio/main.tf | 5 -----
 1 file changed, 5 deletions(-)
diff --git a/infrastructure/commons/istio/main.tf b/infrastructure/commons/istio/main.tf
index e330fd0a..f3858e12 100644
--- a/infrastructure/commons/istio/main.tf
+++ b/infrastructure/commons/istio/main.tf
@@ -88,11 +88,6 @@ resource "helm_release" "istio_ingressgateway" {
 values = [local.helm_values]
- # Enforce HA on istio-ingressgateway. Same class of bug as istiod: the
- # gateway chart ships a default PDB with minAvailable=1, and the HPA is
- # enabled with autoscaling.minReplicas=1, so a single-replica install
- # blocks every node rolling update with PodEvictionFailure. Setting both
- # replicaCount and autoscaling.minReplicas locks in the floor.
 set = [
 {
 name = "replicaCount"
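Review bot: In the variables.tf hunk the validation accepts `>= 1`, yet the description in the same block states that a single replica reproduces the PodEvictionFailure drain blocker, so the guard does not enforce the invariant the commit title promises. Tightening it to `condition = var.istio_ingressgateway_replicas >= 2` with `error_message = "istio_ingressgateway_replicas must be at least 2 so the gateway chart's default PDB (minAvailable=1) never blocks node drains."` makes the intent explicit; if 1 is deliberately allowed for non-HA environments, the description should say so and name the operational consequence. As a point of style, the single-line description would read better as a `<<-EOT` heredoc, with the PDB/HPA rationale moved into a `#` comment above the `variable` block, since that text is documentation for maintainers rather than for `terraform plan` output.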