
Conversation


@skriss skriss commented Oct 2, 2025

Sets trustBundleName in order to customize the
name of the configmap containing the CA cert so
it doesn't clash with a standalone OSSM instance.

Follow-up to #1243.

Sets trustBundleName in order to customize the
name of the configmap containing the CA cert so
it doesn't clash with a standalone OSSM instance.

Follow-up to openshift#1243.

Signed-off-by: Steve Kriss <[email protected]>
@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Oct 2, 2025
@openshift-ci-robot
Contributor

openshift-ci-robot commented Oct 2, 2025

@skriss: This pull request references OSSM-10865 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the task to target the "4.21.0" version, but no target version was set.

In response to this:

Sets trustBundleName in order to customize the
name of the configmap containing the CA cert so
it doesn't clash with a standalone OSSM instance.

Follow-up to #1243.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@skriss
Author

skriss commented Oct 2, 2025

cc @aslakknutsen

@openshift-ci openshift-ci bot added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label Oct 2, 2025
@openshift-ci
Contributor

openshift-ci bot commented Oct 2, 2025

Hi @skriss. Thanks for your PR.

I'm waiting for an openshift member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@openshift-ci openshift-ci bot requested review from frobware and rikatz October 2, 2025 13:17
},
IstioNamespace: ptr.To("openshift-ingress"),
PriorityClassName: ptr.To("system-cluster-critical"),
TrustBundleName: ptr.To(controller.OpenShiftGatewayCARootCertName),
Member

As a suggestion for the unit test, instead of relying on the variable value, rely on the real expected value (like line 70, where you explicitly set "openshift-ingress"), so in case something changes on controller.OpenShiftGatewayCARootCertName we know it will also break the expected behavior.

As a side question: does setting this on an existing environment break something? Do we need to test any kind of upgrade? If this TrustBundleName is set on an existing environment, will it trigger a new reconciliation on the Istio resource that we need to be careful of?

Author

As a side question: does setting this on an existing environment break something? Do we need to test any kind of upgrade? If this TrustBundleName is set on an existing environment, will it trigger a new reconciliation on the Istio resource that we need to be careful of?

It's not expected to break anything; it will just configure istiod to write out the root cert in a new ConfigMap with the custom name (only within namespaces with Gateways). This will help avoid conflicts with any standalone OSSM installations that would be using the default name for the root cert ConfigMap.

cc @aslakknutsen - any hidden upgrade risks we're not thinking of?

Contributor

Sorry missed this.

I believe, as @skriss states, that we'll just get a new ConfigMap. I suppose it's an open question whether we should try to clean up the old one or not, as it'll be left in place. We don't really support Mesh in the same namespace as a Gateway at the moment, so I believe it's relatively safe to delete them. Even if someone has configured mesh and gateway for the same namespace, it wouldn't technically work, as it would be flipping between the certs of the two control planes.

Contributor

@aslakknutsen, if we merge this PR now, do we make the problem of cleaning up the old configmaps more difficult?

I think we have discussed the problem of cleaning up old configmaps, and we might have decided that it is too risky, and that we should tell the user to do the cleanup manually, if desired. However, I am not sure where that decision was recorded, if my memory is even correct. Maybe @dgn remembers?

Contributor

@aslakknutsen aslakknutsen Nov 20, 2025

@Miciah Nothing comes to mind. But I think we managed to set the PILOT_ENABLE_GATEWAY_API_CA_CERT_ONLY flag (41d7add#diff-a2d0fb9a1cce5ecf91b0fd80716edfb3b48bad924cc6f365dbb93d72d82f8956R100-R105), which would imply that the CM in question actually has a special label just for this case ;)

https://github.com/openshift-service-mesh/istio/blob/release-1.27/pilot/pkg/config/kube/gateway/gateway_ca_controller.go#L51C2-L51C16

The "openshift.io/mesh": "true" label only exists on our created CMs.


Yes, that is what I remember as well. Let's not attempt an automatic cleanup.

@rikatz
Member

rikatz commented Oct 23, 2025

/ok-to-test

@openshift-ci openshift-ci bot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Oct 23, 2025
@skriss
Author

skriss commented Oct 24, 2025

/retest

@Miciah
Contributor

Miciah commented Oct 30, 2025

/assign

@Miciah
Contributor

Miciah commented Nov 21, 2025

Thanks!

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Nov 21, 2025
@Miciah
Contributor

Miciah commented Nov 21, 2025

/approve

@openshift-ci
Contributor

openshift-ci bot commented Nov 21, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Miciah

The full list of commands accepted by this bot can be found here.

The pull request process is described here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Nov 21, 2025
@skriss
Author

skriss commented Nov 24, 2025

/retest

@rikatz
Member

rikatz commented Nov 24, 2025

The test failure on e2e-aws-pre-release-ossm is being verified at https://issues.redhat.com/browse/OCPBUGS-65939

@rikatz
Member

rikatz commented Nov 24, 2025

/cc @rhamini3 @lihongan @ShudiLi @melvinjoseph86

for QE

@lihongan
Contributor

Hi @skriss, I ran a pre-merge test with the PR and it seems the configmap is still there after the gateway is deleted; is that expected?

$ oc get clusterversion
NAME      VERSION                                                AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.21.0-0-2025-11-25-074233-test-ci-ln-8xrmrj2-latest   True        False         68m     Cluster version is 4.21.0-0-2025-11-25-074233-test-ci-ln-8xrmrj2-latest

// after creating gatewayclass
$ oc get istio openshift-gateway -oyaml
<......>
spec:
  namespace: openshift-ingress
  updateStrategy:
    type: InPlace
  values:
    global:
      defaultPodDisruptionBudget:
        enabled: false
      istioNamespace: openshift-ingress
      priorityClassName: system-cluster-critical
      trustBundleName: openshift-gw-ca-root-cert                         <--------------

// after creating gateway
$ oc -n openshift-ingress get configmap openshift-gw-ca-root-cert
NAME                        DATA   AGE
openshift-gw-ca-root-cert   1      10m

//note: the configmap is still there after all gateways are deleted

@skriss
Author

skriss commented Nov 25, 2025

Hi @skriss, I ran a pre-merge test with the PR and it seems the configmap is still there after the gateway is deleted; is that expected?

Yeah, AFAIK this is expected, there's no code to delete the configmaps on Gateway deletion.
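The thread above fixes the expected end state: istiod writes the root cert into a ConfigMap named openshift-gw-ca-root-cert only in namespaces that have a Gateway, the gateway CA controller marks that ConfigMap with the "openshift.io/mesh": "true" label, and the ConfigMap is left behind when the Gateway is deleted because no automatic cleanup is attempted. The audit below is an added example, not code from this PR or the operator; it assumes a standalone mesh uses Istio's default ConfigMap name istio-ca-root-cert (not stated on the page) and runs on constructed `oc ... -o json` output.

```python
GATEWAY_CM = "openshift-gw-ca-root-cert"  # trustBundleName chosen in this PR
MESH_CM = "istio-ca-root-cert"            # Istio's default trustBundleName (assumed for a standalone OSSM)
MESH_LABEL = "openshift.io/mesh"          # present only on ConfigMaps created by the gateway CA controller

def gateway_namespaces(gateway_list):
    """Namespaces that still contain a Gateway (parsed `oc get gateway -A -o json`)."""
    return {gw["metadata"]["namespace"] for gw in gateway_list["items"]}

def audit_root_cert_configmaps(cm_list, gw_namespaces):
    """Classify root-cert ConfigMaps (parsed `oc get configmap -A -o json`) by namespace:
    gateway  = openshift-gw-ca-root-cert where a Gateway still exists
    orphaned = openshift-gw-ca-root-cert left behind after Gateway deletion (manual cleanup candidate)
    mesh     = default istio-ca-root-cert, i.e. a standalone mesh control plane
    both     = both control planes write into the namespace (unsupported per the PR thread)
    """
    owners = {}
    for cm in cm_list["items"]:
        meta = cm["metadata"]
        labels = meta.get("labels") or {}
        if meta["name"] == GATEWAY_CM and labels.get(MESH_LABEL) == "true":
            owners.setdefault(meta["namespace"], set()).add("gateway")
        elif meta["name"] == MESH_CM:
            owners.setdefault(meta["namespace"], set()).add("mesh")
    report = {"gateway": set(), "orphaned": set(), "mesh": set(), "both": set()}
    for ns, who in owners.items():
        if who == {"gateway", "mesh"}:
            report["both"].add(ns)
        elif who == {"mesh"}:
            report["mesh"].add(ns)
        elif ns in gw_namespaces:
            report["gateway"].add(ns)
        else:
            report["orphaned"].add(ns)
    return report

def _cm(ns, name, labeled=True):
    """Minimal ConfigMap object for the constructed sample below."""
    meta = {"name": name, "namespace": ns}
    if labeled:
        meta["labels"] = {MESH_LABEL: "true"}
    return {"metadata": meta}

# Constructed sample API output, not captured from a real cluster.
SAMPLE_CMS = {"items": [
    _cm("app-a", GATEWAY_CM), _cm("app-b", GATEWAY_CM),             # app-b's Gateway was deleted
    _cm("app-c", MESH_CM, labeled=False),                            # standalone mesh namespace
    _cm("app-d", GATEWAY_CM), _cm("app-d", MESH_CM, labeled=False),  # both control planes
    _cm("app-e", "kube-root-ca.crt", labeled=False),                 # unrelated, ignored
]}
SAMPLE_GWS = {"items": [{"metadata": {"name": "gw", "namespace": "app-a"}}]}
```

On a live cluster, feed it the output of `oc get configmap -A -o json` and `oc get gateway -A -o json`; the "orphaned" set is the list to review by hand, matching the thread's decision not to delete automatically.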

@lihongan
Contributor

Thank you for confirming, @skriss

/verified by @lihongan

@openshift-ci-robot openshift-ci-robot added the verified Signifies that the PR passed pre-merge verification criteria label Nov 26, 2025
@openshift-ci-robot
Contributor

@lihongan: This PR has been marked as verified by @lihongan.

In response to this:

Thank you for confirming, @skriss

/verified by @lihongan

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@lihongan
Contributor

/retest

@openshift-ci-robot
Contributor

/retest-required

Remaining retests: 0 against base HEAD b62dd27 and 2 for PR HEAD 056f80f in total

@lihongan
Contributor

/retest-required

@openshift-ci
Contributor

openshift-ci bot commented Nov 26, 2025

@skriss: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name                          Commit   Details   Required   Rerun command
ci/prow/e2e-aws-ovn-serial-1of2    056f80f  link      true       /test e2e-aws-ovn-serial-1of2
ci/prow/e2e-aws-pre-release-ossm   056f80f  link      false      /test e2e-aws-pre-release-ossm

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
