IstioOperator and sidecar autoinjection

Question

How to enable sidecar injection using IstioOperator? This is my config and it is not enough for that.

apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  name: control-plane-1-9-4
  namespace: istio-system
spec:
  components:
    base:
      enabled: true
    pilot:
      enabled: true
  profile: default
  revision: 1-9-4
  values:
    global:
      proxy:
        autoInject: enabled

Answer 1

The issue is related to revision parameter usage during installation istioctl operator init --revision 1-9-4

If --revision is used then NS should look like:

apiVersion: v1
kind: Namespace
metadata:
  labels:
    istio.io/rev: 1-9-4
  name: default

Issue report: https://github.com/istio/istio/issues/32746

Answer 2

Auto injection is enabled by default.

$ kubectl get configmap istio-sidecar-injector -n istio-system -o yaml | head -6
apiVersion: v1
data:
  config: |-
    # defaultTemplates defines the default template to use for pods that do not explicitly specify a template
    defaultTemplates: [sidecar]
    policy: enabled

You can disable this by setting the value to disabled.

  values:
    global:
      proxy:
        autoInject: disabled

Now the istio-injection=enabled label on the namespace will be ignored. You have to manually set the sidecar annotation in the apps manifest:

      annotations:
        sidecar.istio.io/inject: "true"

More on the topic in the docs

I guess what you are trying to do is to enable auto injection on any namespace by default. That's not possible.