Merge pull request openshift-service-mesh#164 from openshift-service-mesh-bot/none-main-merge_upstream_main-38a843ce

Automator: merge upstream changes to openshift-service-mesh/sail-operator@main

Author: openshift-merge-bot[bot]

.devcontainer/devcontainer.json

@@ -1,6 +1,6 @@
 {
   "name": "istio build-tools",
-  "image": "gcr.io/istio-testing/build-tools:master-4759bf88d40172234fc6a0b9e11a4c5f1ea58a90",
+  "image": "gcr.io/istio-testing/build-tools:master-3d91e3d29bd1057b14995647d90cbf85e043eba6",
   "privileged": true,
   "remoteEnv": {
     "USE_GKE_GCLOUD_AUTH_PLUGIN": "True",

.github/workflows/update-deps.yaml

@@ -23,7 +23,7 @@ jobs:
   update-deps:
     runs-on: ubuntu-latest
     container:
-      image: gcr.io/istio-testing/build-tools:master-4759bf88d40172234fc6a0b9e11a4c5f1ea58a90
+      image: gcr.io/istio-testing/build-tools:master-3d91e3d29bd1057b14995647d90cbf85e043eba6
       options: --entrypoint ''
 
     steps:

Makefile.core.mk

@@ -309,7 +309,7 @@ deploy: verify-kubeconfig helm ## Deploy controller to an existing cluster.
 	$(HELM) template chart chart $(HELM_TEMPL_DEF_FLAGS) --set image='$(IMAGE)' --namespace $(NAMESPACE) | kubectl apply --server-side=true -f -
 
 .PHONY: deploy-yaml
-deploy-yaml: verify-kubeconfig helm ## Output YAML manifests used by `deploy`.
+deploy-yaml: helm ## Output YAML manifests used by `deploy`.
 	$(HELM) template chart chart $(HELM_TEMPL_DEF_FLAGS) --set image='$(IMAGE)' --namespace $(NAMESPACE)
 
 .PHONY: deploy-openshift # TODO: remove this target and use deploy-olm instead (when we fix the internal registry TLS issues when using operator-sdk run bundle)
@@ -319,7 +319,7 @@ deploy-openshift: verify-kubeconfig helm ## Deploy controller to an existing OCP
 	$(HELM) template chart chart $(HELM_TEMPL_DEF_FLAGS) --set image='$(IMAGE)' --namespace $(NAMESPACE) --set platform="openshift" | kubectl apply --server-side=true -f -
 
 .PHONY: deploy-yaml-openshift
-deploy-yaml-openshift: verify-kubeconfig helm ## Output YAML manifests used by `deploy-openshift`.
+deploy-yaml-openshift: helm ## Output YAML manifests used by `deploy-openshift`.
 	$(HELM) template chart chart $(HELM_TEMPL_DEF_FLAGS) --set image='$(IMAGE)' --namespace $(NAMESPACE) --set platform="openshift"
 
 .PHONY: deploy-olm
@@ -468,12 +468,12 @@ OPM ?= $(LOCALBIN)/opm
 ISTIOCTL ?= $(LOCALBIN)/istioctl
 
 ## Tool Versions
-OPERATOR_SDK_VERSION ?= v1.37.0
-HELM_VERSION ?= v3.16.2
-CONTROLLER_TOOLS_VERSION ?= v0.16.4
-OPM_VERSION ?= v1.47.0
-OLM_VERSION ?= 0.28.0
-GITLEAKS_VERSION ?= v8.21.1
+OPERATOR_SDK_VERSION ?= v1.38.0
+HELM_VERSION ?= v3.16.3
+CONTROLLER_TOOLS_VERSION ?= v0.16.5
+OPM_VERSION ?= v1.48.0
+OLM_VERSION ?= v0.30.0
+GITLEAKS_VERSION ?= v8.21.2
 ISTIOCTL_VERSION ?= 1.23.0
 
 # GENERATE_RELATED_IMAGES defines whether `spec.relatedImages` is going to be generated or not

PROJECT

@@ -24,15 +24,15 @@ resources:
     namespaced: false
   controller: true
   domain: sailoperator.io
-  kind: RemoteIstio
+  kind: IstioRevision
   path: github.com/istio-ecosystem/sail-operator/api/v1alpha1
   version: v1alpha1
 - api:
     crdVersion: v1
     namespaced: false
   controller: true
   domain: sailoperator.io
-  kind: IstioRevision
+  kind: IstioRevisionTag
   path: github.com/istio-ecosystem/sail-operator/api/v1alpha1
   version: v1alpha1
 - api:
@@ -43,4 +43,12 @@ resources:
   kind: IstioCNI
   path: github.com/istio-ecosystem/sail-operator/api/v1alpha1
   version: v1alpha1
+- api:
+    crdVersion: v1
+    namespaced: false
+  controller: true
+  domain: sailoperator.io
+  kind: ZTunnel
+  path: github.com/istio-ecosystem/sail-operator/api/v1alpha1
+  version: v1alpha1
 version: "3"

api/v1alpha1/istio_types.go

@@ -51,10 +51,10 @@ type IstioSpec struct {
 	// +sail:profile
 	// The built-in installation configuration profile to use.
 	// The 'default' profile is always applied. On OpenShift, the 'openshift' profile is also applied on top of 'default'.
-	// Must be one of: ambient, default, demo, empty, openshift-ambient, openshift, preview, stable.
+	// Must be one of: ambient, default, demo, empty, openshift-ambient, openshift, preview, remote, stable.
 	// +++PROFILES-DROPDOWN-HIDDEN-UNTIL-WE-FULLY-IMPLEMENT-THEM+++operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Profile",xDescriptors={"urn:alm:descriptor:com.tectonic.ui:fieldGroup:General", "urn:alm:descriptor:com.tectonic.ui:select:ambient", "urn:alm:descriptor:com.tectonic.ui:select:default", "urn:alm:descriptor:com.tectonic.ui:select:demo", "urn:alm:descriptor:com.tectonic.ui:select:empty", "urn:alm:descriptor:com.tectonic.ui:select:external", "urn:alm:descriptor:com.tectonic.ui:select:minimal", "urn:alm:descriptor:com.tectonic.ui:select:preview", "urn:alm:descriptor:com.tectonic.ui:select:remote"}
 	// +operator-sdk:csv:customresourcedefinitions:type=spec,xDescriptors={"urn:alm:descriptor:com.tectonic.ui:hidden"}
-	// +kubebuilder:validation:Enum=ambient;default;demo;empty;openshift-ambient;openshift;preview;stable
+	// +kubebuilder:validation:Enum=ambient;default;demo;empty;openshift-ambient;openshift;preview;remote;stable
 	Profile string `json:"profile,omitempty"`
 
 	// Namespace to which the Istio components should be installed. Note that this field is immutable.
@@ -227,6 +227,9 @@ const (
 	// IstioReasonIstiodNotReady indicates that the control plane is fully reconciled, but istiod is not ready.
 	IstioReasonIstiodNotReady IstioConditionReason = "IstiodNotReady"
 
+	// IstioReasonRemoteIstiodNotReady indicates that the control plane is fully reconciled, but the remote istiod is not ready.
+	IstioReasonRemoteIstiodNotReady IstioConditionReason = "RemoteIstiodNotReady"
+
 	// IstioReasonReadinessCheckFailed indicates that readiness could not be ascertained.
 	IstioReasonReadinessCheckFailed IstioConditionReason = "ReadinessCheckFailed"
 )

api/v1alpha1/istiocni_types.go

@@ -37,10 +37,10 @@ type IstioCNISpec struct {
 	// +sail:profile
 	// The built-in installation configuration profile to use.
 	// The 'default' profile is always applied. On OpenShift, the 'openshift' profile is also applied on top of 'default'.
-	// Must be one of: ambient, default, demo, empty, openshift-ambient, openshift, preview, stable.
+	// Must be one of: ambient, default, demo, empty, openshift-ambient, openshift, preview, remote, stable.
 	// +++PROFILES-DROPDOWN-HIDDEN-UNTIL-WE-FULLY-IMPLEMENT-THEM+++operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Profile",xDescriptors={"urn:alm:descriptor:com.tectonic.ui:fieldGroup:General", "urn:alm:descriptor:com.tectonic.ui:select:ambient", "urn:alm:descriptor:com.tectonic.ui:select:default", "urn:alm:descriptor:com.tectonic.ui:select:demo", "urn:alm:descriptor:com.tectonic.ui:select:empty", "urn:alm:descriptor:com.tectonic.ui:select:external", "urn:alm:descriptor:com.tectonic.ui:select:minimal", "urn:alm:descriptor:com.tectonic.ui:select:preview", "urn:alm:descriptor:com.tectonic.ui:select:remote"}
 	// +operator-sdk:csv:customresourcedefinitions:type=spec,xDescriptors={"urn:alm:descriptor:com.tectonic.ui:hidden"}
-	// +kubebuilder:validation:Enum=ambient;default;demo;empty;openshift-ambient;openshift;preview;stable
+	// +kubebuilder:validation:Enum=ambient;default;demo;empty;openshift-ambient;openshift;preview;remote;stable
 	Profile string `json:"profile,omitempty"`
 
 	// Namespace to which the Istio CNI component should be installed.

api/v1alpha1/istiorevision_types.go

@@ -28,11 +28,6 @@ const (
 // IstioRevisionSpec defines the desired state of IstioRevision
 // +kubebuilder:validation:XValidation:rule="self.values.global.istioNamespace == self.__namespace__",message="spec.values.global.istioNamespace must match spec.namespace"
 type IstioRevisionSpec struct {
-	// Type indicates whether this revision represents a local or a remote control plane installation.
-	// +kubebuilder:default=Local
-	// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="Value is immutable"
-	Type IstioRevisionType `json:"type"`
-
 	// +sail:version
 	// Defines the version of Istio to install.
 	// Must be one of: v1.23.2.
@@ -178,16 +173,6 @@ const (
 	IstioRevisionReasonHealthy IstioRevisionConditionReason = "Healthy"
 )
 
-type IstioRevisionType string
-
-const (
-	// IstioRevisionTypeLocal indicates that the revision represents a local control plane installation.
-	IstioRevisionTypeLocal IstioRevisionType = "Local"
-
-	// IstioRevisionTypeRemote indicates that the revision represents a remote control plane installation.
-	IstioRevisionTypeRemote IstioRevisionType = "Remote"
-)
-
 // +kubebuilder:object:root=true
 // +kubebuilder:resource:scope=Cluster,shortName=istiorev,categories=istio-io
 // +kubebuilder:subresource:status

api/v1alpha1/istiorevisiontags_types.go

@@ -0,0 +1,204 @@
+// Copyright Istio Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package v1alpha1
+
+import (
+	"time"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+const (
+	IstioRevisionTagKind = "IstioRevisionTag"
+	DefaultRevisionTag   = "default"
+)
+
+// IstioRevisionTagSpec defines the desired state of IstioRevisionTag
+type IstioRevisionTagSpec struct {
+	// +kubebuilder:validation:Required
+	TargetRef IstioRevisionTagTargetReference `json:"targetRef"`
+}
+
+// IstioRevisionTagTargetReference can reference either Istio or IstioRevision objects in the cluster.
+type IstioRevisionTagTargetReference struct {
+	// Kind is the kind of the target resource.
+	//
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=253
+	// +kubebuilder:validation:Required
+	Kind string `json:"kind"`
+
+	// Name is the name of the target resource.
+	//
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=253
+	// +kubebuilder:validation:Required
+	Name string `json:"name"`
+}
+
+// IstioRevisionStatus defines the observed state of IstioRevision
+type IstioRevisionTagStatus struct {
+	// ObservedGeneration is the most recent generation observed for this
+	// IstioRevisionTag object. It corresponds to the object's generation, which is
+	// updated on mutation by the API Server. The information in the status
+	// pertains to this particular generation of the object.
+	ObservedGeneration int64 `json:"observedGeneration,omitempty"`
+
+	// Represents the latest available observations of the object's current state.
+	Conditions []IstioRevisionTagCondition `json:"conditions,omitempty"`
+
+	// Reports the current state of the object.
+	State IstioRevisionTagConditionReason `json:"state,omitempty"`
+
+	// IstiodNamespace stores the namespace of the corresponding Istiod instance
+	IstiodNamespace string `json:"istiodNamespace"`
+
+	// IstioRevision stores the name of the referenced IstioRevision
+	IstioRevision string `json:"istioRevision"`
+}
+
+// GetCondition returns the condition of the specified type
+func (s *IstioRevisionTagStatus) GetCondition(conditionType IstioRevisionTagConditionType) IstioRevisionTagCondition {
+	if s != nil {
+		for i := range s.Conditions {
+			if s.Conditions[i].Type == conditionType {
+				return s.Conditions[i]
+			}
+		}
+	}
+	return IstioRevisionTagCondition{Type: conditionType, Status: metav1.ConditionUnknown}
+}
+
+// SetCondition sets a specific condition in the list of conditions
+func (s *IstioRevisionTagStatus) SetCondition(condition IstioRevisionTagCondition) {
+	var now time.Time
+	if testTime == nil {
+		now = time.Now()
+	} else {
+		now = *testTime
+	}
+
+	// The lastTransitionTime only gets serialized out to the second.  This can
+	// break update skipping, as the time in the resource returned from the client
+	// may not match the time in our cached status during a reconcile.  We truncate
+	// here to save any problems down the line.
+	lastTransitionTime := metav1.NewTime(now.Truncate(time.Second))
+
+	for i, prevCondition := range s.Conditions {
+		if prevCondition.Type == condition.Type {
+			if prevCondition.Status != condition.Status {
+				condition.LastTransitionTime = lastTransitionTime
+			} else {
+				condition.LastTransitionTime = prevCondition.LastTransitionTime
+			}
+			s.Conditions[i] = condition
+			return
+		}
+	}
+
+	// If the condition does not exist, initialize the lastTransitionTime
+	condition.LastTransitionTime = lastTransitionTime
+	s.Conditions = append(s.Conditions, condition)
+}
+
+// IstioRevisionCondition represents a specific observation of the IstioRevision object's state.
+type IstioRevisionTagCondition struct {
+	// The type of this condition.
+	Type IstioRevisionTagConditionType `json:"type,omitempty"`
+
+	// The status of this condition. Can be True, False or Unknown.
+	Status metav1.ConditionStatus `json:"status,omitempty"`
+
+	// Unique, single-word, CamelCase reason for the condition's last transition.
+	Reason IstioRevisionTagConditionReason `json:"reason,omitempty"`
+
+	// Human-readable message indicating details about the last transition.
+	Message string `json:"message,omitempty"`
+
+	// Last time the condition transitioned from one status to another.
+	LastTransitionTime metav1.Time `json:"lastTransitionTime,omitempty"`
+}
+
+// IstioRevisionConditionType represents the type of the condition.  Condition stages are:
+// Installed, Reconciled, Ready
+type IstioRevisionTagConditionType string
+
+// IstioRevisionConditionReason represents a short message indicating how the condition came
+// to be in its present state.
+type IstioRevisionTagConditionReason string
+
+const (
+	// IstioRevisionConditionReconciled signifies whether the controller has
+	// successfully reconciled the resources defined through the CR.
+	IstioRevisionTagConditionReconciled IstioRevisionTagConditionType = "Reconciled"
+
+	// IstioRevisionTagNameAlreadyExists indicates that the a revision with the same name as the IstioRevisionTag already exists.
+	IstioRevisionTagReasonNameAlreadyExists IstioRevisionTagConditionReason = "NameAlreadyExists"
+
+	// IstioRevisionTagReasonReferenceNotFound indicates that the resource referenced by the tag's TargetRef was not found
+	IstioRevisionTagReasonReferenceNotFound IstioRevisionTagConditionReason = "RefNotFound"
+
+	// IstioRevisionReasonReconcileError indicates that the reconciliation of the resource has failed, but will be retried.
+	IstioRevisionTagReasonReconcileError IstioRevisionTagConditionReason = "ReconcileError"
+)
+
+const (
+	// IstioRevisionConditionInUse signifies whether any workload is configured to use the revision.
+	IstioRevisionTagConditionInUse IstioRevisionTagConditionType = "InUse"
+
+	// IstioRevisionReasonReferencedByWorkloads indicates that the revision is referenced by at least one pod or namespace.
+	IstioRevisionTagReasonReferencedByWorkloads IstioRevisionTagConditionReason = "ReferencedByWorkloads"
+
+	// IstioRevisionReasonNotReferenced indicates that the revision is not referenced by any pod or namespace.
+	IstioRevisionTagReasonNotReferenced IstioRevisionTagConditionReason = "NotReferencedByAnything"
+
+	// IstioRevisionReasonUsageCheckFailed indicates that the operator could not check whether any workloads use the revision.
+	IstioRevisionTagReasonUsageCheckFailed IstioRevisionTagConditionReason = "UsageCheckFailed"
+)
+
+const (
+	// IstioRevisionTagReasonHealthy indicates that the revision tag has been successfully reconciled and is in use.
+	IstioRevisionTagReasonHealthy IstioRevisionTagConditionReason = "Healthy"
+)
+
+// +kubebuilder:object:root=true
+// +kubebuilder:resource:scope=Cluster,shortName=istiorevtag,categories=istio-io
+// +kubebuilder:subresource:status
+// +kubebuilder:printcolumn:name="Status",type="string",JSONPath=".status.state",description="The current state of this object."
+// +kubebuilder:printcolumn:name="In use",type="string",JSONPath=".status.conditions[?(@.type==\"InUse\")].status",description="Whether the tag is being used by workloads."
+// +kubebuilder:printcolumn:name="Revision",type="string",JSONPath=".status.istioRevision",description="The IstioRevision this object is referencing."
+// +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp",description="The age of the object"
+
+// IstioRevisionTag references a Istio or IstioRevision object and serves as an alias for sidecar injection.
+type IstioRevisionTag struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec   IstioRevisionTagSpec   `json:"spec,omitempty"`
+	Status IstioRevisionTagStatus `json:"status,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+
+// IstioRevisionList contains a list of IstioRevision
+type IstioRevisionTagList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []IstioRevisionTag `json:"items"`
+}
+
+func init() {
+	SchemeBuilder.Register(&IstioRevisionTag{}, &IstioRevisionTagList{})
+}