Enable Istio for OSS (#4536)

radixo · web-flow · commit 7382e0cf8370 · 2026-03-13T13:18:57.000-07:00
* Enable Istio for OSS

* Fix duplicated import
diff --git a/hack/gen-versions/calico.go.tpl b/hack/gen-versions/calico.go.tpl
@@ -237,6 +237,42 @@ var (
 		variant:   calicoVariant,
 	}
 {{- end }}
+{{ with index .Components "istio-pilot" }}
+	ComponentCalicoIstioPilot = Component{
+		Version:   "{{ .Version }}",
+		Image:     "{{ .Image }}",
+		Registry:  "{{ .Registry }}",
+		imagePath: "{{ .ImagePath }}",
+		variant:   calicoVariant,
+	}
+{{- end }}
+{{ with index .Components "istio-install-cni" }}
+	ComponentCalicoIstioInstallCNI = Component{
+		Version:   "{{ .Version }}",
+		Image:     "{{ .Image }}",
+		Registry:  "{{ .Registry }}",
+		imagePath: "{{ .ImagePath }}",
+		variant:   calicoVariant,
+	}
+{{- end }}
+{{ with index .Components "istio-ztunnel" }}
+	ComponentCalicoIstioZTunnel = Component{
+		Version:   "{{ .Version }}",
+		Image:     "{{ .Image }}",
+		Registry:  "{{ .Registry }}",
+		imagePath: "{{ .ImagePath }}",
+		variant:   calicoVariant,
+	}
+{{- end }}
+{{ with index .Components "istio-proxyv2" }}
+	ComponentCalicoIstioProxyv2 = Component{
+		Version:   "{{ .Version }}",
+		Image:     "{{ .Image }}",
+		Registry:  "{{ .Registry }}",
+		imagePath: "{{ .ImagePath }}",
+		variant:   calicoVariant,
+	}
+{{- end }}
 {{ with index .Components.webhooks }}
 	ComponentCalicoWebhooks = Component{
 		Version:   "{{ .Version }}",
@@ -273,6 +309,10 @@ var (
 		ComponentCalicoEnvoyProxy,
 		ComponentCalicoEnvoyRatelimit,
 		ComponentCalicoGuardian,
+		ComponentCalicoIstioPilot,
+		ComponentCalicoIstioInstallCNI,
+		ComponentCalicoIstioZTunnel,
+		ComponentCalicoIstioProxyv2,
 		ComponentCalicoWebhooks,
 	}
 )
diff --git a/hack/gen-versions/enterprise.go.tpl b/hack/gen-versions/enterprise.go.tpl
@@ -490,31 +490,31 @@ var (
 	}
 {{- end }}
 {{ with index .Components "istio-pilot" }}
-	ComponentCalicoIstioPilot = Component{
+	ComponentIstioPilot = Component{
 		Version:  "{{ .Version }}",
 		Image:    "{{ .Image }}",
 		Registry: "{{ .Registry }}",
 		variant:  enterpriseVariant,
 	}
 {{- end }}
 {{ with index .Components "istio-install-cni" }}
-	ComponentCalicoIstioInstallCNI = Component{
+	ComponentIstioInstallCNI = Component{
 		Version:  "{{ .Version }}",
 		Image:    "{{ .Image }}",
 		Registry: "{{ .Registry }}",
 		variant:  enterpriseVariant,
 	}
 {{- end }}
 {{ with index .Components "istio-ztunnel" }}
-	ComponentCalicoIstioZTunnel = Component{
+	ComponentIstioZTunnel = Component{
 		Version:  "{{ .Version }}",
 		Image:    "{{ .Image }}",
 		Registry: "{{ .Registry }}",
 		variant:  enterpriseVariant,
 	}
 {{- end }}
 {{ with index .Components "istio-proxyv2" }}
-	ComponentCalicoIstioProxyv2 = Component{
+	ComponentIstioProxyv2 = Component{
 		Version:  "{{ .Version }}",
 		Image:    "{{ .Image }}",
 		Registry: "{{ .Registry }}",
@@ -583,10 +583,10 @@ var (
 		ComponentGatewayAPIEnvoyGateway,
 		ComponentGatewayAPIEnvoyProxy,
 		ComponentGatewayAPIEnvoyRatelimit,
-		ComponentCalicoIstioPilot,
-		ComponentCalicoIstioInstallCNI,
-		ComponentCalicoIstioZTunnel,
-		ComponentCalicoIstioProxyv2,
+		ComponentIstioPilot,
+		ComponentIstioInstallCNI,
+		ComponentIstioZTunnel,
+		ComponentIstioProxyv2,
 		ComponentTigeraWebhooks,
 	}
 )
diff --git a/pkg/components/calico.go b/pkg/components/calico.go
@@ -220,6 +220,38 @@ var (
 		variant:   calicoVariant,
 	}
 
+	ComponentCalicoIstioPilot = Component{
+		Version:   "master",
+		Image:     "istio-pilot",
+		Registry:  "",
+		imagePath: "",
+		variant:   calicoVariant,
+	}
+
+	ComponentCalicoIstioInstallCNI = Component{
+		Version:   "master",
+		Image:     "istio-install-cni",
+		Registry:  "",
+		imagePath: "",
+		variant:   calicoVariant,
+	}
+
+	ComponentCalicoIstioZTunnel = Component{
+		Version:   "master",
+		Image:     "istio-ztunnel",
+		Registry:  "",
+		imagePath: "",
+		variant:   calicoVariant,
+	}
+
+	ComponentCalicoIstioProxyv2 = Component{
+		Version:   "master",
+		Image:     "istio-proxyv2",
+		Registry:  "",
+		imagePath: "",
+		variant:   calicoVariant,
+	}
+
 	ComponentCalicoWebhooks = Component{
 		Version:   "master",
 		Image:     "webhooks",
@@ -254,6 +286,10 @@ var (
 		ComponentCalicoEnvoyProxy,
 		ComponentCalicoEnvoyRatelimit,
 		ComponentCalicoGuardian,
+		ComponentCalicoIstioPilot,
+		ComponentCalicoIstioInstallCNI,
+		ComponentCalicoIstioZTunnel,
+		ComponentCalicoIstioProxyv2,
 		ComponentCalicoWebhooks,
 	}
 )
diff --git a/pkg/components/enterprise.go b/pkg/components/enterprise.go
@@ -436,28 +436,28 @@ var (
 		variant:   enterpriseVariant,
 	}
 
-	ComponentCalicoIstioPilot = Component{
+	ComponentIstioPilot = Component{
 		Version:  "master",
 		Image:    "istio-pilot",
 		Registry: "",
 		variant:  enterpriseVariant,
 	}
 
-	ComponentCalicoIstioInstallCNI = Component{
+	ComponentIstioInstallCNI = Component{
 		Version:  "master",
 		Image:    "istio-install-cni",
 		Registry: "",
 		variant:  enterpriseVariant,
 	}
 
-	ComponentCalicoIstioZTunnel = Component{
+	ComponentIstioZTunnel = Component{
 		Version:  "master",
 		Image:    "istio-ztunnel",
 		Registry: "",
 		variant:  enterpriseVariant,
 	}
 
-	ComponentCalicoIstioProxyv2 = Component{
+	ComponentIstioProxyv2 = Component{
 		Version:  "master",
 		Image:    "istio-proxyv2",
 		Registry: "",
@@ -524,10 +524,10 @@ var (
 		ComponentGatewayAPIEnvoyGateway,
 		ComponentGatewayAPIEnvoyProxy,
 		ComponentGatewayAPIEnvoyRatelimit,
-		ComponentCalicoIstioPilot,
-		ComponentCalicoIstioInstallCNI,
-		ComponentCalicoIstioZTunnel,
-		ComponentCalicoIstioProxyv2,
+		ComponentIstioPilot,
+		ComponentIstioInstallCNI,
+		ComponentIstioZTunnel,
+		ComponentIstioProxyv2,
 		ComponentTigeraWebhooks,
 	}
 )
diff --git a/pkg/controller/istio/istio_controller.go b/pkg/controller/istio/istio_controller.go
@@ -59,11 +59,6 @@ var (
 // Start Watches within the Add function for any resources that this controller creates or monitors. This will trigger
 // calls to Reconcile() when an instance of one of the watched resources is modified.
 func Add(mgr manager.Manager, opts options.ControllerOptions) error {
-	if !opts.EnterpriseCRDExists {
-		log.V(1).Info("Enterprise CRDs not found. Skipping Istio controller.")
-		return nil
-	}
-
 	r := newReconciler(mgr, opts)
 
 	c, err := ctrlruntime.NewController("istio-controller", mgr, controller.Options{Reconciler: r})
diff --git a/pkg/controller/istio/istio_controller_test.go b/pkg/controller/istio/istio_controller_test.go
@@ -698,6 +698,90 @@ var _ = Describe("Istio controller tests", func() {
 				ObjectMeta: metav1.ObjectMeta{
 					Name: "calico-master",
 				},
+				Spec: operatorv1.ImageSetSpec{
+					Images: []operatorv1.Image{
+						{Image: "calico/istio-pilot", Digest: "sha256:pilot123"},
+						{Image: "calico/istio-install-cni", Digest: "sha256:cni123"},
+						{Image: "calico/istio-ztunnel", Digest: "sha256:ztunnel123"},
+						{Image: "calico/istio-proxyv2", Digest: "sha256:proxyv2123"},
+					},
+				},
+			}
+			Expect(cli.Create(ctx, imageSet)).NotTo(HaveOccurred())
+
+			r := &ReconcileIstio{
+				Client:   cli,
+				scheme:   scheme,
+				provider: operatorv1.ProviderNone,
+				status:   mockStatus,
+			}
+
+			_, err := r.Reconcile(ctx, reconcile.Request{NamespacedName: types.NamespacedName{Name: "default"}})
+			Expect(err).ShouldNot(HaveOccurred())
+
+			// Verify Istiod Deployment uses ImageSet digest
+			istiodDeploy := &appsv1.Deployment{}
+			Expect(cli.Get(ctx, types.NamespacedName{Name: istio.IstioIstiodDeploymentName, Namespace: istio.IstioNamespace}, istiodDeploy)).NotTo(HaveOccurred())
+			Expect(istiodDeploy.Spec.Template.Spec.Containers).NotTo(BeEmpty())
+			// Verify the pilot container image uses the digest from ImageSet
+			Expect(istiodDeploy.Spec.Template.Spec.Containers[0].Image).To(ContainSubstring("@sha256:pilot123"))
+
+			// Verify CNI DaemonSet uses ImageSet digest
+			cniDaemonSet := &appsv1.DaemonSet{}
+			Expect(cli.Get(ctx, types.NamespacedName{Name: istio.IstioCNIDaemonSetName, Namespace: istio.IstioNamespace}, cniDaemonSet)).NotTo(HaveOccurred())
+			Expect(cniDaemonSet.Spec.Template.Spec.Containers).NotTo(BeEmpty())
+			// Verify the install-cni container image uses the digest from ImageSet
+			Expect(cniDaemonSet.Spec.Template.Spec.Containers[0].Image).To(ContainSubstring("@sha256:cni123"))
+
+			// Verify Ztunnel DaemonSet uses ImageSet digest
+			ztunnelDaemonSet := &appsv1.DaemonSet{}
+			Expect(cli.Get(ctx, types.NamespacedName{Name: istio.IstioZTunnelDaemonSetName, Namespace: istio.IstioNamespace}, ztunnelDaemonSet)).NotTo(HaveOccurred())
+			Expect(ztunnelDaemonSet.Spec.Template.Spec.Containers).NotTo(BeEmpty())
+			// Verify the ztunnel container image uses the digest from ImageSet
+			Expect(ztunnelDaemonSet.Spec.Template.Spec.Containers[0].Image).To(ContainSubstring("@sha256:ztunnel123"))
+		})
+
+		It("should create expected Istio resources for Enterprise variant", func() {
+			installation.Spec.Variant = operatorv1.TigeraSecureEnterprise
+			installation.Status.Variant = operatorv1.TigeraSecureEnterprise
+			Expect(cli.Update(ctx, installation)).NotTo(HaveOccurred())
+
+			r := &ReconcileIstio{
+				Client:   cli,
+				scheme:   scheme,
+				provider: operatorv1.ProviderNone,
+				status:   mockStatus,
+			}
+
+			_, err := r.Reconcile(ctx, reconcile.Request{NamespacedName: types.NamespacedName{Name: "default"}})
+			Expect(err).ShouldNot(HaveOccurred())
+
+			// Verify Istiod Deployment was created
+			istiodDeploy := &appsv1.Deployment{}
+			Expect(cli.Get(ctx, types.NamespacedName{Name: istio.IstioIstiodDeploymentName, Namespace: istio.IstioNamespace}, istiodDeploy)).NotTo(HaveOccurred())
+
+			// Verify Istio CNI DaemonSet was created
+			cniDaemonSet := &appsv1.DaemonSet{}
+			Expect(cli.Get(ctx, types.NamespacedName{Name: istio.IstioCNIDaemonSetName, Namespace: istio.IstioNamespace}, cniDaemonSet)).NotTo(HaveOccurred())
+
+			// Verify Istio Ztunnel DaemonSet was created
+			ztunnelDaemonSet := &appsv1.DaemonSet{}
+			Expect(cli.Get(ctx, types.NamespacedName{Name: istio.IstioZTunnelDaemonSetName, Namespace: istio.IstioNamespace}, ztunnelDaemonSet)).NotTo(HaveOccurred())
+
+			// Verify status was marked ready
+			mockStatus.AssertCalled(GinkgoT(), "ClearDegraded")
+		})
+
+		It("should handle ImageSet application for Enterprise variant", func() {
+			installation.Spec.Variant = operatorv1.TigeraSecureEnterprise
+			installation.Status.Variant = operatorv1.TigeraSecureEnterprise
+			Expect(cli.Update(ctx, installation)).NotTo(HaveOccurred())
+
+			// Create ImageSet with all required Istio images for Enterprise
+			imageSet := &operatorv1.ImageSet{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "enterprise-master",
+				},
 				Spec: operatorv1.ImageSetSpec{
 					Images: []operatorv1.Image{
 						{Image: "tigera/istio-pilot", Digest: "sha256:pilot123"},
@@ -723,21 +807,18 @@ var _ = Describe("Istio controller tests", func() {
 			istiodDeploy := &appsv1.Deployment{}
 			Expect(cli.Get(ctx, types.NamespacedName{Name: istio.IstioIstiodDeploymentName, Namespace: istio.IstioNamespace}, istiodDeploy)).NotTo(HaveOccurred())
 			Expect(istiodDeploy.Spec.Template.Spec.Containers).NotTo(BeEmpty())
-			// Verify the pilot container image uses the digest from ImageSet
 			Expect(istiodDeploy.Spec.Template.Spec.Containers[0].Image).To(ContainSubstring("@sha256:pilot123"))
 
 			// Verify CNI DaemonSet uses ImageSet digest
 			cniDaemonSet := &appsv1.DaemonSet{}
 			Expect(cli.Get(ctx, types.NamespacedName{Name: istio.IstioCNIDaemonSetName, Namespace: istio.IstioNamespace}, cniDaemonSet)).NotTo(HaveOccurred())
 			Expect(cniDaemonSet.Spec.Template.Spec.Containers).NotTo(BeEmpty())
-			// Verify the install-cni container image uses the digest from ImageSet
 			Expect(cniDaemonSet.Spec.Template.Spec.Containers[0].Image).To(ContainSubstring("@sha256:cni123"))
 
 			// Verify Ztunnel DaemonSet uses ImageSet digest
 			ztunnelDaemonSet := &appsv1.DaemonSet{}
 			Expect(cli.Get(ctx, types.NamespacedName{Name: istio.IstioZTunnelDaemonSetName, Namespace: istio.IstioNamespace}, ztunnelDaemonSet)).NotTo(HaveOccurred())
 			Expect(ztunnelDaemonSet.Spec.Template.Spec.Containers).NotTo(BeEmpty())
-			// Verify the ztunnel container image uses the digest from ImageSet
 			Expect(ztunnelDaemonSet.Spec.Template.Spec.Containers[0].Image).To(ContainSubstring("@sha256:ztunnel123"))
 		})
 	})
diff --git a/pkg/imports/crds/crds.go b/pkg/imports/crds/crds.go
@@ -53,7 +53,7 @@ var (
 )
 
 func init() {
-	calicoCRDNames := []string{"installation", "apiserver", "gatewayapi", "imageset", "tigerastatus", "whisker", "goldmane", "managementclusterconnection"}
+	calicoCRDNames := []string{"installation", "apiserver", "gatewayapi", "imageset", "tigerastatus", "whisker", "goldmane", "managementclusterconnection", "istio"}
 	calicoOprtrCRDsRe = regexp.MustCompile(fmt.Sprintf("(%s)", strings.Join(calicoCRDNames, "|")))
 }
 
diff --git a/pkg/render/istio/istio.go b/pkg/render/istio/istio.go
@@ -185,21 +185,40 @@ func (c *IstioComponent) ResolveImages(is *operatorv1.ImageSet) error {
 	path := c.cfg.Installation.ImagePath
 	prefix := c.cfg.Installation.ImagePrefix
 
-	c.IstioPilotImage, err = components.GetReference(components.ComponentCalicoIstioPilot, reg, path, prefix, is)
-	if err != nil {
-		return err
-	}
-	c.IstioInstallCNIImage, err = components.GetReference(components.ComponentCalicoIstioInstallCNI, reg, path, prefix, is)
-	if err != nil {
-		return err
-	}
-	c.IstioZTunnelImage, err = components.GetReference(components.ComponentCalicoIstioZTunnel, reg, path, prefix, is)
-	if err != nil {
-		return err
-	}
-	c.IstioProxyv2Image, err = components.GetReference(components.ComponentCalicoIstioProxyv2, reg, path, prefix, is)
-	if err != nil {
-		return err
+	if c.cfg.Installation.Variant == operatorv1.TigeraSecureEnterprise {
+		c.IstioPilotImage, err = components.GetReference(components.ComponentIstioPilot, reg, path, prefix, is)
+		if err != nil {
+			return err
+		}
+		c.IstioInstallCNIImage, err = components.GetReference(components.ComponentIstioInstallCNI, reg, path, prefix, is)
+		if err != nil {
+			return err
+		}
+		c.IstioZTunnelImage, err = components.GetReference(components.ComponentIstioZTunnel, reg, path, prefix, is)
+		if err != nil {
+			return err
+		}
+		c.IstioProxyv2Image, err = components.GetReference(components.ComponentIstioProxyv2, reg, path, prefix, is)
+		if err != nil {
+			return err
+		}
+	} else {
+		c.IstioPilotImage, err = components.GetReference(components.ComponentCalicoIstioPilot, reg, path, prefix, is)
+		if err != nil {
+			return err
+		}
+		c.IstioInstallCNIImage, err = components.GetReference(components.ComponentCalicoIstioInstallCNI, reg, path, prefix, is)
+		if err != nil {
+			return err
+		}
+		c.IstioZTunnelImage, err = components.GetReference(components.ComponentCalicoIstioZTunnel, reg, path, prefix, is)
+		if err != nil {
+			return err
+		}
+		c.IstioProxyv2Image, err = components.GetReference(components.ComponentCalicoIstioProxyv2, reg, path, prefix, is)
+		if err != nil {
+			return err
+		}
 	}
 
 	if err = c.patchImages(); err != nil {
diff --git a/pkg/render/istio/istio_test.go b/pkg/render/istio/istio_test.go

Original file line number	Diff line number	Diff line change
`@@ -53,7 +53,7 @@ var (`
`53`	`53`	`)`
`54`	`54`
`55`	`55`	`func init() {`
`56`		`- calicoCRDNames := []string{"installation", "apiserver", "gatewayapi", "imageset", "tigerastatus", "whisker", "goldmane", "managementclusterconnection"}`
	`56`	`+ calicoCRDNames := []string{"installation", "apiserver", "gatewayapi", "imageset", "tigerastatus", "whisker", "goldmane", "managementclusterconnection", "istio"}`
`57`	`57`	`calicoOprtrCRDsRe = regexp.MustCompile(fmt.Sprintf("(%s)", strings.Join(calicoCRDNames, "\|")))`
`58`	`58`	`}`
`59`	`59`