From e281f77e3c427d4d8debf40c96a79af93fd2fded Mon Sep 17 00:00:00 2001 From: Bryant Biggs Date: Tue, 19 Sep 2023 16:19:42 -0400 Subject: [PATCH] fix: Use namespace resource to share across `istio` charts to avoid conflicts (#1768) --- patterns/istio/README.md | 6 ++++++ patterns/istio/main.tf | 44 +++++++++++++++++++++++----------------- 2 files changed, 31 insertions(+), 19 deletions(-) diff --git a/patterns/istio/README.md b/patterns/istio/README.md index 9c7433c5b7..6d69ad81be 100644 --- a/patterns/istio/README.md +++ b/patterns/istio/README.md @@ -16,6 +16,12 @@ concepts. See [here](https://aws-ia.github.io/terraform-aws-eks-blueprints/getting-started/#prerequisites) for the prerequisites and steps to deploy this pattern. +Once the resources have been provisioned, you will need to replace the `istio-ingress` pods due to a [`istiod` dependency issue](https://github.com/istio/istio/issues/35789). Use the following command to perform a rolling restart of the `istio-ingress` pods: + +```sh +kubectl rollout restart deployment istio-ingress -n istio-ingress +``` + ### Observability Add-ons Use the following code snippet to add the Istio Observability Add-ons on the EKS diff --git a/patterns/istio/main.tf b/patterns/istio/main.tf index b9e4ba1da1..76a38c8ac9 100644 --- a/patterns/istio/main.tf +++ b/patterns/istio/main.tf @@ -58,6 +58,14 @@ module "eks" { cluster_version = "1.27" cluster_endpoint_public_access = true + cluster_addons = { + coredns = {} + kube-proxy = {} + vpc-cni = { + preserve = true + } + } + vpc_id = module.vpc.vpc_id subnet_ids = module.vpc.private_subnets @@ -67,7 +75,7 @@ module "eks" { min_size = 1 max_size = 5 - desired_size = 3 # When < 3, the coredns add-on ends up in a degraded state + desired_size = 2 } } 
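Review bot: `preserve = true` on `vpc-cni` in the new `cluster_addons` map has no comment explaining why this add-on is treated differently from `coredns` and `kube-proxy`. Presumably it keeps the CNI installed on the cluster when the add-on resource is deleted, so pod networking survives while other resources are destroyed. If that is the intent, say so, e.g. `# Keep the CNI installed when the add-on is removed so pods retain networking during destroy`. None of the three entries sets a version, so they follow whatever default applies to the cluster version, which is worth stating for readers who expect pinned add-ons. The `module "eks"` block starts and ends outside this hunk.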
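Review bot: `desired_size = 2` drops the comment warning that coredns ends up degraded with fewer than three nodes, and nothing in the hunk says why that no longer holds. If moving the add-ons into `cluster_addons` on the `eks` module is what resolves it, record that next to the value, e.g. `desired_size = 2 # coredns is healthy at 2 nodes now that add-ons are managed by the eks module`. Otherwise the pattern ships in the state the old comment warned about. The node group block starts outside the hunk.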
@@ -99,6 +107,12 @@ module "eks" { # EKS Blueprints Addons ################################################################################ +resource "kubernetes_namespace_v1" "istio_system" { + metadata { + name = "istio-system" + } +} + module "eks_blueprints_addons" { source = "aws-ia/eks-blueprints-addons/aws" version = "~> 1.0" @@ -108,32 +122,24 @@ module "eks_blueprints_addons" { cluster_version = module.eks.cluster_version oidc_provider_arn = module.eks.oidc_provider_arn - eks_addons = { - coredns = {} - vpc-cni = {} - kube-proxy = {} - } - # This is required to expose Istio Ingress Gateway enable_aws_load_balancer_controller = true helm_releases = { istio-base = { - chart = "base" - version = local.istio_chart_version - repository = local.istio_chart_url - name = "istio-base" - namespace = "istio-system" - create_namespace = true + chart = "base" + version = local.istio_chart_version + repository = local.istio_chart_url + name = "istio-base" + namespace = kubernetes_namespace_v1.istio_system.metadata[0].name } istiod = { - chart = "istiod" - version = local.istio_chart_version - repository = local.istio_chart_url - name = "istiod" - namespace = "istio-system" - create_namespace = false + chart = "istiod" + version = local.istio_chart_version + repository = local.istio_chart_url + name = "istiod" + namespace = kubernetes_namespace_v1.istio_system.metadata[0].name set = [ {
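Review bot: `kubernetes_namespace_v1.istio_system` is created with only `metadata { name = "istio-system" }`, so the namespace holding the mesh control plane gets no Pod Security Admission labels and no comment on why it is a standalone resource. Now that Terraform owns the namespace instead of Helm's `create_namespace`, this is the natural place to set them, e.g. `labels = { "pod-security.kubernetes.io/warn" = "baseline" }`, moving to `enforce` once the `base` and `istiod` pods are confirmed to pass. A one-line comment such as `# Shared by istio-base and istiod; created here so neither release owns it` would also record the reason for the change. The following hunk, which consumes this resource, runs past the end of the visible page and is not reviewed here.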