fix(operator): propagate spec labels to pod templates #198

Merged: onutc merged 1 commit into main from fix-runtime-policy-pod-template-labels on Apr 2, 2026

onutc (Member) commented Apr 2, 2026

TL;DR

This fixes a deployment bug where runtime-policy labels were only applied to the Deployment object and not to the pod template. That broke sidecar-based runtimes like tcdev because Istio never saw the injection label.

Summary

  • propagate spec.labels onto deployment.spec.template.metadata.labels
  • keep runtime-policy labels out of the deployment selector
  • add a regression test covering pod-template label propagation

Review focus

  • whether spec.labels should always propagate to workload pods
  • whether preserving the selector boundary is sufficient for upgrade safety

Test plan

  • go test ./controllers/...
  • verify a real staging tcdev-github instance gets sidecar.istio.io/inject=true on the pod template
  • verify the staging pod receives an Istio sidecar and reaches Ready
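
The label-versus-selector split from the summary above, as an added Go example (not the operator's code and not part of this PR). `Workload`, `BuildWorkload`, `SelectorMatches` and the `app` selector key are hypothetical; letting selector labels win on a key collision is this example's assumption, chosen because a Deployment's pod template must carry every selector label and `spec.selector` is immutable in apps/v1.

```go
package main

import "fmt"

// Workload is a hypothetical stand-in, not the operator's own types.
type Workload struct {
	ObjectLabels   map[string]string // deployment.metadata.labels
	Selector       map[string]string // deployment.spec.selector.matchLabels
	TemplateLabels map[string]string // deployment.spec.template.metadata.labels
}

// merge copies each layer into a fresh map; later layers win on collisions.
func merge(layers ...map[string]string) map[string]string {
	out := map[string]string{}
	for _, layer := range layers {
		for k, v := range layer {
			out[k] = v
		}
	}
	return out
}

// BuildWorkload puts specLabels on the object and the pod template, never on
// the selector. Selector labels are merged last (an assumption of this example)
// so a colliding spec label cannot stop the template matching the selector.
func BuildWorkload(selector, specLabels map[string]string) Workload {
	return Workload{
		ObjectLabels:   merge(specLabels, selector),
		Selector:       merge(selector),
		TemplateLabels: merge(specLabels, selector),
	}
}

// SelectorMatches reports whether the template carries every selector pair.
func SelectorMatches(w Workload) bool {
	for k, want := range w.Selector {
		if got, ok := w.TemplateLabels[k]; !ok || got != want {
			return false
		}
	}
	return true
}

func main() {
	// Constructed input: the "app" key and its values are assumptions.
	sel := map[string]string{"app": "tcdev-github"}
	spec := map[string]string{"sidecar.istio.io/inject": "true", "app": "override"}
	w := BuildWorkload(sel, spec)
	fmt.Println(w.TemplateLabels, w.Selector, SelectorMatches(w))
}
```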

onutc merged commit 293cb3e into main on Apr 2, 2026
7 checks passed
onutc deleted the fix-runtime-policy-pod-template-labels branch on April 2, 2026 16:04
@gitrank-connector

⭐ GitRank PR Analysis

Score: 50 points

Metric | Value
Component | Other (1× multiplier)
Severity | P1 - High (50 base pts)
Final Score | 50 × 1 = 50

Eligibility Checks

Check Status
Issue/Bug Fix
Fix Implementation
PR Documented
Tests
Lines Within Limit

Impact Summary

The PR fixes a critical deployment bug where spec.labels (including Istio sidecar injection labels) were not propagated to pod templates, causing sidecars to fail injection. The fix adds label propagation to pod templates while maintaining selector boundary integrity for upgrade safety. A comprehensive regression test validates the fix and prevents future regressions.

Analysis Details

Component Classification: This PR affects the operator controller logic for Kubernetes deployment reconciliation. Since no specific component multiplier exists for operator/controller changes, OTHER (1x) is the appropriate classification.

Severity Justification: This is a P1 (High) severity bug fix. The issue prevented sidecar injection labels from reaching pod templates, breaking sidecar-based runtimes like tcdev entirely. This is a major functional impact affecting service deployment and observability infrastructure, though not a complete service outage.

Eligibility Notes: This PR qualifies on all eligibility criteria: it fixes a reported functional bug in business logic (sidecar injection failure), the implementation correctly propagates labels as described, documentation is clear with test plan, and tests are included and required. The change modifies core reconciliation logic affecting pod scheduling and service mesh integration, making tests mandatory.


Analyzed by GitRank 🤖
