Ben Leggett

> We should test and document a process for draining a node, and upgrading the ztunnel only on drained nodes, which prevents traffic disruptions for pods that gracefully drain their...

ztunnel side of the same issue: https://github.com/istio/ztunnel/issues/1049 @JayKaku thanks for volunteering - could you hold off a bit? We are still discussing how we want to approach this.

5/15 WG consensus was that we do want to add codecoverage, but not CI gates for it. @JayKaku I updated the issue with what we're looking for - if you...

FWIW branch code coverage can help us identify tests we _don't_ need as well: https://github.com/istio/istio/pull/51192#pullrequestreview-2077958297

It is not safe to install the same daemonset 2x in k8s as a general rule - that's why it's a daemonset (arguably). > Fortunately helm will not install because...

> Istioctl or helm template doesn't have those problems... Agreed, that's our special problem :D > It's more complex - for example in GKE we auto install in kube-system, and...

Not against doing this as we need to support blue/green node pool upgrades, but wouldn't we want to do this with taints+tolerations, rather than affinity?

> We should have affinity just for consistency. Taints are for a different thing AFAIK - we can use the nodeSelector plus affinity. Consistency with what? Both ztunnel and istio-cni...

> I think taint is a good strategy for some cases. Not sure it works for everyone - we want pods to still be assigned to the node ( without...

> We are looping outside of GetPodIfAmbient for the pod to show up, but if it fails we panic. We want to instead get an error. I assume you mean...