Good afternoon all,
Hoping someone here might have advice on a similar scenario. We’re currently using Istio on our AKS Cluster with a Pod Identity binding on our ingress gateways and we’re looking to move this across to using Azure Workload Identity instead.
In the Pod Identity setup, the overlays>patches>path is used as below to add a label to the Pod spec of the gateway Deployment.
overlays:
- apiVersion: apps/v1
kind: Deployment
name: istio-ingressgateway
patches:
- path: spec.template.metadata.labels.aadpodidbinding
value: managed_identity_name_here
MORE_VALUES_BELOW
This works as expected and we get a label applied to the Pods that are part of the Deployment as aadpodidbinding=managed_identity_name_here.
In order to move to Workload Identity we’re wanting to set this as azure.workload.identity/use=true and therefore edited the config as below:
overlays:
- apiVersion: apps/v1
kind: Deployment
name: istio-ingressgateway
patches:
- path: spec.template.metadata.labels.azure.workload.identity/use
value: true
MORE_VALUES_BELOW
This doesn’t appear to work at all when then trying to apply the change to the Cluster using Helm. We can see the updated value in the Helm Chart but it never actually reaches the Deployment/Pod.
However, if we use the below it does update the Deployment/Pod:
- path: spec.template.metadata.labels.azure
value: true
I’ve been looking at the Istio documentation (Ref 1, Ref 2) and I’m guessing I’m just not wrapping my head around something as to how to should format the path for the new label that’s required.
If anyone has any advice or even just knows that we can’t do what we want to this way it’d be greatly appreciated! 
Thanks for taking the time to read my mini essay whatever happens.