Automated merge

* upstream/main: enhancements: add SEP for revision tag support (istio-ecosystem#212) Implement temporary hack to prevent removal of pull secrets added by external controllers (istio-ecosystem#469) Clean up istiod-gateway-controller-istio-system ClusterRole & Binding in primary-remote test (istio-ecosystem#470) Minor updates to Gateway docs (istio-ecosystem#466) Remove RemoteIstio resource (istio-ecosystem#461) Update version reference in docs guide (istio-ecosystem#465) Fixing issue with missing istiod-remote chart when adding new versions (istio-ecosystem#464) # Conflicts: # api/v1alpha1/remoteistio_types.go # bundle/manifests/sailoperator.io_remoteistios.yaml # chart/crds/sailoperator.io_remoteistios.yaml
openshift-service-mesh-bot · Nov 11, 2024 · f1f0ad4 · f1f0ad4
2 parents 88cb7bf + 7bc6182
commit f1f0ad4
Show file tree

Hide file tree

Showing 42 changed files with 541 additions and 1,638 deletions.
diff --git a/PROJECT b/PROJECT
@@ -19,14 +19,6 @@ resources:
   kind: Istio
   path: github.com/istio-ecosystem/sail-operator/api/v1alpha1
   version: v1alpha1
-- api:
-    crdVersion: v1
-    namespaced: false
-  controller: true
-  domain: sailoperator.io
-  kind: RemoteIstio
-  path: github.com/istio-ecosystem/sail-operator/api/v1alpha1
-  version: v1alpha1
 - api:
     crdVersion: v1
     namespaced: false

diff --git a/api/v1alpha1/istio_types.go b/api/v1alpha1/istio_types.go
@@ -51,10 +51,10 @@ type IstioSpec struct {
 	// +sail:profile
 	// The built-in installation configuration profile to use.
 	// The 'default' profile is always applied. On OpenShift, the 'openshift' profile is also applied on top of 'default'.
-	// Must be one of: ambient, default, demo, empty, openshift-ambient, openshift, preview, stable.
+	// Must be one of: ambient, default, demo, empty, openshift-ambient, openshift, preview, remote, stable.
 	// +++PROFILES-DROPDOWN-HIDDEN-UNTIL-WE-FULLY-IMPLEMENT-THEM+++operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Profile",xDescriptors={"urn:alm:descriptor:com.tectonic.ui:fieldGroup:General", "urn:alm:descriptor:com.tectonic.ui:select:ambient", "urn:alm:descriptor:com.tectonic.ui:select:default", "urn:alm:descriptor:com.tectonic.ui:select:demo", "urn:alm:descriptor:com.tectonic.ui:select:empty", "urn:alm:descriptor:com.tectonic.ui:select:external", "urn:alm:descriptor:com.tectonic.ui:select:minimal", "urn:alm:descriptor:com.tectonic.ui:select:preview", "urn:alm:descriptor:com.tectonic.ui:select:remote"}
 	// +operator-sdk:csv:customresourcedefinitions:type=spec,xDescriptors={"urn:alm:descriptor:com.tectonic.ui:hidden"}
-	// +kubebuilder:validation:Enum=ambient;default;demo;empty;openshift-ambient;openshift;preview;stable
+	// +kubebuilder:validation:Enum=ambient;default;demo;empty;openshift-ambient;openshift;preview;remote;stable
 	Profile string `json:"profile,omitempty"`
 
 	// Namespace to which the Istio components should be installed. Note that this field is immutable.
@@ -227,6 +227,9 @@ const (
 	// IstioReasonIstiodNotReady indicates that the control plane is fully reconciled, but istiod is not ready.
 	IstioReasonIstiodNotReady IstioConditionReason = "IstiodNotReady"
 
+	// IstioReasonRemoteIstiodNotReady indicates that the control plane is fully reconciled, but the remote istiod is not ready.
+	IstioReasonRemoteIstiodNotReady IstioConditionReason = "RemoteIstiodNotReady"
+
 	// IstioReasonReadinessCheckFailed indicates that readiness could not be ascertained.
 	IstioReasonReadinessCheckFailed IstioConditionReason = "ReadinessCheckFailed"
 )

diff --git a/api/v1alpha1/istiocni_types.go b/api/v1alpha1/istiocni_types.go
@@ -37,10 +37,10 @@ type IstioCNISpec struct {
 	// +sail:profile
 	// The built-in installation configuration profile to use.
 	// The 'default' profile is always applied. On OpenShift, the 'openshift' profile is also applied on top of 'default'.
-	// Must be one of: ambient, default, demo, empty, openshift-ambient, openshift, preview, stable.
+	// Must be one of: ambient, default, demo, empty, openshift-ambient, openshift, preview, remote, stable.
 	// +++PROFILES-DROPDOWN-HIDDEN-UNTIL-WE-FULLY-IMPLEMENT-THEM+++operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Profile",xDescriptors={"urn:alm:descriptor:com.tectonic.ui:fieldGroup:General", "urn:alm:descriptor:com.tectonic.ui:select:ambient", "urn:alm:descriptor:com.tectonic.ui:select:default", "urn:alm:descriptor:com.tectonic.ui:select:demo", "urn:alm:descriptor:com.tectonic.ui:select:empty", "urn:alm:descriptor:com.tectonic.ui:select:external", "urn:alm:descriptor:com.tectonic.ui:select:minimal", "urn:alm:descriptor:com.tectonic.ui:select:preview", "urn:alm:descriptor:com.tectonic.ui:select:remote"}
 	// +operator-sdk:csv:customresourcedefinitions:type=spec,xDescriptors={"urn:alm:descriptor:com.tectonic.ui:hidden"}
-	// +kubebuilder:validation:Enum=ambient;default;demo;empty;openshift-ambient;openshift;preview;stable
+	// +kubebuilder:validation:Enum=ambient;default;demo;empty;openshift-ambient;openshift;preview;remote;stable
 	Profile string `json:"profile,omitempty"`
 
 	// Namespace to which the Istio CNI component should be installed.

diff --git a/api/v1alpha1/istiorevision_types.go b/api/v1alpha1/istiorevision_types.go
@@ -28,11 +28,6 @@ const (
 // IstioRevisionSpec defines the desired state of IstioRevision
 // +kubebuilder:validation:XValidation:rule="self.values.global.istioNamespace == self.__namespace__",message="spec.values.global.istioNamespace must match spec.namespace"
 type IstioRevisionSpec struct {
-	// Type indicates whether this revision represents a local or a remote control plane installation.
-	// +kubebuilder:default=Local
-	// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="Value is immutable"
-	Type IstioRevisionType `json:"type"`
-
 	// +sail:version
 	// Defines the version of Istio to install.
 	// Must be one of: v1.23.2.
@@ -178,16 +173,6 @@ const (
 	IstioRevisionReasonHealthy IstioRevisionConditionReason = "Healthy"
 )
 
-type IstioRevisionType string
-
-const (
-	// IstioRevisionTypeLocal indicates that the revision represents a local control plane installation.
-	IstioRevisionTypeLocal IstioRevisionType = "Local"
-
-	// IstioRevisionTypeRemote indicates that the revision represents a remote control plane installation.
-	IstioRevisionTypeRemote IstioRevisionType = "Remote"
-)
-
 // +kubebuilder:object:root=true
 // +kubebuilder:resource:scope=Cluster,shortName=istiorev,categories=istio-io
 // +kubebuilder:subresource:status

diff --git a/bundle/manifests/sailoperator.io_istiocnis.yaml b/bundle/manifests/sailoperator.io_istiocnis.yaml
@@ -70,7 +70,7 @@ spec:
                 description: |-
                   The built-in installation configuration profile to use.
                   The 'default' profile is always applied. On OpenShift, the 'openshift' profile is also applied on top of 'default'.
-                  Must be one of: ambient, default, demo, empty, openshift-ambient, openshift, preview, stable.
+                  Must be one of: ambient, default, demo, empty, openshift-ambient, openshift, preview, remote, stable.
                 enum:
                 - ambient
                 - default
@@ -79,6 +79,7 @@ spec:
                 - openshift-ambient
                 - openshift
                 - preview
+                - remote
                 - stable
                 type: string
               values:

diff --git a/bundle/manifests/sailoperator.io_istiorevisions.yaml b/bundle/manifests/sailoperator.io_istiorevisions.yaml
@@ -78,14 +78,6 @@ spec:
                 x-kubernetes-validations:
                 - message: Value is immutable
                   rule: self == oldSelf
-              type:
-                default: Local
-                description: Type indicates whether this revision represents a local
-                  or a remote control plane installation.
-                type: string
-                x-kubernetes-validations:
-                - message: Value is immutable
-                  rule: self == oldSelf
               values:
                 description: Defines the values to be passed to the Helm charts when
                   installing Istio.
@@ -9386,7 +9378,6 @@ spec:
                 type: string
             required:
             - namespace
-            - type
             - version
             type: object
             x-kubernetes-validations:

diff --git a/bundle/manifests/sailoperator.io_istios.yaml b/bundle/manifests/sailoperator.io_istios.yaml
@@ -95,7 +95,7 @@ spec:
                 description: |-
                   The built-in installation configuration profile to use.
                   The 'default' profile is always applied. On OpenShift, the 'openshift' profile is also applied on top of 'default'.
-                  Must be one of: ambient, default, demo, empty, openshift-ambient, openshift, preview, stable.
+                  Must be one of: ambient, default, demo, empty, openshift-ambient, openshift, preview, remote, stable.
                 enum:
                 - ambient
                 - default
@@ -104,6 +104,7 @@ spec:
                 - openshift-ambient
                 - openshift
                 - preview
+                - remote
                 - stable
                 type: string
               updateStrategy:

diff --git a/bundle/manifests/servicemeshoperator3.clusterserviceversion.yaml b/bundle/manifests/servicemeshoperator3.clusterserviceversion.yaml
@@ -34,7 +34,7 @@ metadata:
     capabilities: Seamless Upgrades
     categories: OpenShift Optional, Integration & Delivery, Networking, Security
     containerImage: quay.io/maistra-dev/sail-operator:3.0-latest
-    createdAt: "2024-10-23T21:09:47Z"
+    createdAt: "2024-11-11T15:10:56Z"
     description: The OpenShift Service Mesh Operator enables you to install, configure,
       and manage an instance of Red Hat OpenShift Service Mesh. OpenShift Service
       Mesh is based on the open source Istio project.
@@ -133,6 +133,9 @@ spec:
     - kind: WorkloadGroup
       name: workloadgroups.networking.istio.io
       version: v1beta1
+    - kind: RemoteIstio
+      name: remoteistios.sailoperator.io
+      version: v1alpha1
     - kind: AuthorizationPolicy
       name: authorizationpolicies.security.istio.io
       version: v1
@@ -178,7 +181,7 @@ spec:
       - description: |-
           The built-in installation configuration profile to use.
           The 'default' profile is always applied. On OpenShift, the 'openshift' profile is also applied on top of 'default'.
-          Must be one of: ambient, default, demo, empty, openshift-ambient, openshift, preview, stable.
+          Must be one of: ambient, default, demo, empty, openshift-ambient, openshift, preview, remote, stable.
         displayName: Profile
         path: profile
         x-descriptors:
@@ -276,7 +279,7 @@ spec:
       - description: |-
           The built-in installation configuration profile to use.
           The 'default' profile is always applied. On OpenShift, the 'openshift' profile is also applied on top of 'default'.
-          Must be one of: ambient, default, demo, empty, openshift-ambient, openshift, preview, stable.
+          Must be one of: ambient, default, demo, empty, openshift-ambient, openshift, preview, remote, stable.
         displayName: Profile
         path: profile
         x-descriptors:
@@ -290,75 +293,6 @@ spec:
         displayName: Helm Values
         path: values
       version: v1alpha1
-    - description: |-
-        RemoteIstio represents a remote Istio Service Mesh deployment consisting of one or more
-        remote control plane instances (represented by one or more IstioRevision objects).
-      displayName: Remote Istio
-      kind: RemoteIstio
-      name: remoteistios.sailoperator.io
-      specDescriptors:
-      - description: "Type of strategy to use. Can be \"InPlace\" or \"RevisionBased\".
-          When the \"InPlace\" strategy\nis used, the existing Istio control plane
-          is updated in-place. The workloads therefore\ndon't need to be moved from
-          one control plane instance to another. When the \"RevisionBased\"\nstrategy
-          is used, a new Istio control plane instance is created for every change
-          to the\nIstio.spec.version field. The old control plane remains in place
-          until all workloads have\nbeen moved to the new control plane instance.\n\n\nThe
-          \"InPlace\" strategy is the default.\tTODO: change default to \"RevisionBased\""
-        displayName: Type
-        path: updateStrategy.type
-        x-descriptors:
-        - urn:alm:descriptor:com.tectonic.ui:select:InPlace
-        - urn:alm:descriptor:com.tectonic.ui:select:RevisionBased
-      - description: |-
-          Defines the version of Istio to install.
-          Must be one of: v1.23.2.
-        displayName: Istio Version
-        path: version
-        x-descriptors:
-        - urn:alm:descriptor:com.tectonic.ui:fieldGroup:General
-        - urn:alm:descriptor:com.tectonic.ui:select:v1.23.2
-      - description: |-
-          Defines how many seconds the operator should wait before removing a non-active revision after all
-          the workloads have stopped using it. You may want to set this value on the order of minutes.
-          The minimum is 0 and the default value is 30.
-        displayName: Inactive Revision Deletion Grace Period (seconds)
-        path: updateStrategy.inactiveRevisionDeletionGracePeriodSeconds
-        x-descriptors:
-        - urn:alm:descriptor:com.tectonic.ui:number
-      - description: |-
-          Defines whether the workloads should be moved from one control plane instance to another
-          automatically. If updateWorkloads is true, the operator moves the workloads from the old
-          control plane instance to the new one after the new control plane is ready.
-          If updateWorkloads is false, the user must move the workloads manually by updating the
-          istio.io/rev labels on the namespace and/or the pods.
-          Defaults to false.
-        displayName: Update Workloads Automatically
-        path: updateStrategy.updateWorkloads
-        x-descriptors:
-        - urn:alm:descriptor:com.tectonic.ui:booleanSwitch
-      - description: Namespace to which the Istio components should be installed.
-        displayName: Namespace
-        path: namespace
-        x-descriptors:
-        - urn:alm:descriptor:io.kubernetes:Namespace
-      - description: |-
-          The built-in installation configuration profile to use.
-          The 'default' profile is always applied. On OpenShift, the 'openshift' profile is also applied on top of 'default'.
-          Must be one of: ambient, default, demo, empty, openshift-ambient, openshift, preview, stable.
-        displayName: Profile
-        path: profile
-        x-descriptors:
-        - urn:alm:descriptor:com.tectonic.ui:hidden
-      - description: Defines the update strategy to use when the version in the RemoteIstio
-          CR is updated.
-        displayName: Update Strategy
-        path: updateStrategy
-      - description: Defines the values to be passed to the Helm charts when installing
-          Istio.
-        displayName: Helm Values
-        path: values
-      version: v1alpha1
   description: |-
     Red Hat OpenShift Service Mesh is a platform that provides behavioral insight and operational control over a service mesh, providing a uniform way to connect, secure, and monitor microservice applications.
 

diff --git a/chart/crds/sailoperator.io_istiocnis.yaml b/chart/crds/sailoperator.io_istiocnis.yaml
@@ -70,7 +70,7 @@ spec:
                 description: |-
                   The built-in installation configuration profile to use.
                   The 'default' profile is always applied. On OpenShift, the 'openshift' profile is also applied on top of 'default'.
-                  Must be one of: ambient, default, demo, empty, openshift-ambient, openshift, preview, stable.
+                  Must be one of: ambient, default, demo, empty, openshift-ambient, openshift, preview, remote, stable.
                 enum:
                 - ambient
                 - default
@@ -79,6 +79,7 @@ spec:
                 - openshift-ambient
                 - openshift
                 - preview
+                - remote
                 - stable
                 type: string
               values:

diff --git a/chart/crds/sailoperator.io_istiorevisions.yaml b/chart/crds/sailoperator.io_istiorevisions.yaml
@@ -78,14 +78,6 @@ spec:
                 x-kubernetes-validations:
                 - message: Value is immutable
                   rule: self == oldSelf
-              type:
-                default: Local
-                description: Type indicates whether this revision represents a local
-                  or a remote control plane installation.
-                type: string
-                x-kubernetes-validations:
-                - message: Value is immutable
-                  rule: self == oldSelf
               values:
                 description: Defines the values to be passed to the Helm charts when
                   installing Istio.
@@ -9386,7 +9378,6 @@ spec:
                 type: string
             required:
             - namespace
-            - type
             - version
             type: object
             x-kubernetes-validations:

diff --git a/chart/crds/sailoperator.io_istios.yaml b/chart/crds/sailoperator.io_istios.yaml
@@ -95,7 +95,7 @@ spec:
                 description: |-
                   The built-in installation configuration profile to use.
                   The 'default' profile is always applied. On OpenShift, the 'openshift' profile is also applied on top of 'default'.
-                  Must be one of: ambient, default, demo, empty, openshift-ambient, openshift, preview, stable.
+                  Must be one of: ambient, default, demo, empty, openshift-ambient, openshift, preview, remote, stable.
                 enum:
                 - ambient
                 - default
@@ -104,6 +104,7 @@ spec:
                 - openshift-ambient
                 - openshift
                 - preview
+                - remote
                 - stable
                 type: string
               updateStrategy:

diff --git a/chart/samples/remoteistio-sample.yaml b/chart/samples/remoteistio-sample.yaml
diff --git a/cmd/main.go b/cmd/main.go
@@ -23,7 +23,6 @@ import (
 	"github.com/istio-ecosystem/sail-operator/controllers/istio"
 	"github.com/istio-ecosystem/sail-operator/controllers/istiocni"
 	"github.com/istio-ecosystem/sail-operator/controllers/istiorevision"
-	"github.com/istio-ecosystem/sail-operator/controllers/remoteistio"
 	"github.com/istio-ecosystem/sail-operator/controllers/webhook"
 	"github.com/istio-ecosystem/sail-operator/pkg/config"
 	"github.com/istio-ecosystem/sail-operator/pkg/enqueuelogger"
@@ -144,13 +143,6 @@ func main() {
 		os.Exit(1)
 	}
 
-	err = remoteistio.NewReconciler(reconcilerCfg, mgr.GetClient(), mgr.GetScheme()).
-		SetupWithManager(mgr)
-	if err != nil {
-		setupLog.Error(err, "unable to create controller", "controller", "RemoteIstio")
-		os.Exit(1)
-	}
-
 	err = istiorevision.NewReconciler(reconcilerCfg, mgr.GetClient(), mgr.GetScheme(), chartManager).
 		SetupWithManager(mgr)
 	if err != nil {

diff --git a/controllers/istio/istio_controller.go b/controllers/istio/istio_controller.go
@@ -115,7 +115,6 @@ func (r *Reconciler) reconcileActiveRevision(ctx context.Context, istio *v1alpha
 
 	return revision.CreateOrUpdate(ctx, r.Client,
 		getActiveRevisionName(istio),
-		v1alpha1.IstioRevisionTypeLocal,
 		istio.Spec.Version, istio.Spec.Namespace, values,
 		metav1.OwnerReference{
 			APIVersion:         v1alpha1.GroupVersion.String(),
@@ -324,6 +323,8 @@ func convertConditionReason(reason v1alpha1.IstioRevisionConditionReason) v1alph
 		return v1alpha1.IstioReasonReadinessCheckFailed
 	case v1alpha1.IstioRevisionReasonReconcileError:
 		return v1alpha1.IstioReasonReconcileError
+	case v1alpha1.IstioRevisionReasonRemoteIstiodNotReady:
+		return v1alpha1.IstioReasonRemoteIstiodNotReady
 	default:
 		panic(fmt.Sprintf("can't convert IstioRevisionConditionReason: %s", reason))
 	}

diff --git a/controllers/istiocni/istiocni_controller.go b/controllers/istiocni/istiocni_controller.go
@@ -30,6 +30,7 @@ import (
 	"github.com/istio-ecosystem/sail-operator/pkg/helm"
 	"github.com/istio-ecosystem/sail-operator/pkg/istiovalues"
 	"github.com/istio-ecosystem/sail-operator/pkg/kube"
+	"github.com/istio-ecosystem/sail-operator/pkg/predicate"
 	"github.com/istio-ecosystem/sail-operator/pkg/reconciler"
 	"github.com/istio-ecosystem/sail-operator/pkg/validation"
 	appsv1 "k8s.io/api/apps/v1"
@@ -40,6 +41,7 @@ import (
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/types"
 	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/builder"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/controller"
 	"sigs.k8s.io/controller-runtime/pkg/handler"
@@ -225,7 +227,11 @@ func (r *Reconciler) SetupWithManager(mgr ctrl.Manager) error {
 		Watches(&corev1.ConfigMap{}, ownedResourceHandler).
 		Watches(&appsv1.DaemonSet{}, ownedResourceHandler).
 		Watches(&corev1.ResourceQuota{}, ownedResourceHandler).
-		Watches(&corev1.ServiceAccount{}, ownedResourceHandler).
+
+		// We use predicate.IgnoreUpdate() so that we skip the reconciliation when a pull secret is added to the ServiceAccount.
+		// This is necessary so that we don't remove the newly-added secret.
+		// TODO: this is a temporary hack until we implement the correct solution on the Helm-render side
+		Watches(&corev1.ServiceAccount{}, ownedResourceHandler, builder.WithPredicates(predicate.IgnoreUpdate())).
 
 		// TODO: only register NetAttachDef if the CRD is installed (may also need to watch for CRD creation)
 		// Owns(&multusv1.NetworkAttachmentDefinition{}).