Ztunnel Helm chart appears to not support multiple releases due to fixed ServiceAccount name/ownership #1633

@barth12

Description

We’re attempting to deploy multiple Ztunnel releases into the same cluster, which the chart seems to suggest is supported. For example, templates reference release-based naming such as: name: {{ include "ztunnel.release-name" . }}.
However, when installing a second release, Helm fails with an ownership/annotation conflict on the ServiceAccount:

Error: Unable to continue with install: ServiceAccount "ztunnel" in namespace "istio-system" exists and cannot be imported into the current release: invalid ownership metadata; annotation validation error: key "meta.helm.sh/release-name" must equal "ztunnel-general-node-group": current value is "ztunnel"

In this case, "ztunnel-general-node-group" is the Helm release name of the second installation.
This suggests that at least some resources (e.g., ServiceAccount) are named statically ("ztunnel") rather than being release-scoped.

Expected behavior:
All names and ownership annotations should be release-scoped so multiple Ztunnel releases can coexist in the same namespace.

Context:
We need to run at least two separate Ztunnel installations in the same cluster because our nodes have very different traffic profiles:

  • One node group is almost idle and requires minimal Ztunnel resources.
  • Other node groups are traffic-heavy and require significantly more Ztunnel resources.
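The conflict reported above can be caught before running an install by comparing the objects a release would create against what already exists in the namespace. The following is an added example, not part of the original issue and not Helm's or the chart's own code: a simplified model of the adoption check, which assumes Helm compares the `app.kubernetes.io/managed-by` label and the `meta.helm.sh/release-name` and `meta.helm.sh/release-namespace` annotations. The function names, the sample objects and the DaemonSet entry are constructed for illustration.

```python
# Added example: a simplified model of Helm's adoption check, not Helm's own code.
MANAGED_BY = "app.kubernetes.io/managed-by"
REL_NAME = "meta.helm.sh/release-name"
REL_NS = "meta.helm.sh/release-namespace"

def obj_key(obj):
    meta = obj["metadata"]
    return (obj["kind"], meta.get("namespace", ""), meta["name"])

def ownership_errors(existing, release, release_ns):
    """Reasons why `release` may not take over the `existing` object."""
    meta = existing["metadata"]
    labels = meta.get("labels") or {}
    annotations = meta.get("annotations") or {}
    wanted = [("label", labels, MANAGED_BY, "Helm"),
              ("annotation", annotations, REL_NAME, release),
              ("annotation", annotations, REL_NS, release_ns)]
    errors = []
    for where, found, key, value in wanted:
        if key not in found:
            errors.append(f'{where}: missing key "{key}": must be set to "{value}"')
        elif found[key] != value:
            errors.append(f'{where}: key "{key}" must equal "{value}": '
                          f'current value is "{found[key]}"')
    return errors

def preflight(rendered, cluster, release, release_ns):
    """Map each colliding object key to the ownership errors it would hit."""
    live = {obj_key(o): o for o in cluster}
    report = {}
    for obj in rendered:
        hit = live.get(obj_key(obj))
        errs = ownership_errors(hit, release, release_ns) if hit else []
        if errs:
            report[obj_key(obj)] = errs
    return report

# Constructed sample data using the names from the report above.
CLUSTER = [{"kind": "ServiceAccount", "metadata": {
    "name": "ztunnel", "namespace": "istio-system",
    "labels": {MANAGED_BY: "Helm"},
    "annotations": {REL_NAME: "ztunnel", REL_NS: "istio-system"}}}]
RENDERED = [
    {"kind": "ServiceAccount",
     "metadata": {"name": "ztunnel", "namespace": "istio-system"}},
    {"kind": "DaemonSet",  # hypothetical release-scoped object
     "metadata": {"name": "ztunnel-general-node-group", "namespace": "istio-system"}},
]

if __name__ == "__main__":
    for key, errs in preflight(RENDERED, CLUSTER, "ztunnel-general-node-group",
                               "istio-system").items():
        print(key, errs)
```

In practice the `rendered` list would come from the second release's templated manifests and `cluster` from the objects already present in the namespace; only statically named objects show up in the report.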
