Automated merge

* upstream/main:
  Make lint-watches ignore ValidatingAdmissionPolicy(Binding) (istio-ecosystem#71)
  Ensure CI highlights failure in lint-watches.sh (istio-ecosystem#70)
  Update SetDefaultEventuallyTimeout for e2e test (istio-ecosystem#69)
  Automator: Update dependencies in istio-ecosystem/sail-operator@main (istio-ecosystem#66)
  Ensure control plane is deployed immediately when the target namespace is created (istio-ecosystem#65)
  Use INFO level to log missing namespace in IstioRevision/IstioCNI (istio-ecosystem#64)

Signed-off-by: openshift-service-mesh-bot <>

# Conflicts:
#	bundle/manifests/servicemeshoperator3.clusterserviceversion.yaml

bundle/manifests/operator.istio.io_istiocnis.yaml

@@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.14.0
+    controller-gen.kubebuilder.io/version: v0.15.0
   creationTimestamp: null
   name: istiocnis.operator.istio.io
 spec:

bundle/manifests/operator.istio.io_istiorevisions.yaml

@@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.14.0
+    controller-gen.kubebuilder.io/version: v0.15.0
   creationTimestamp: null
   name: istiorevisions.operator.istio.io
 spec:

bundle/manifests/operator.istio.io_istios.yaml

@@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.14.0
+    controller-gen.kubebuilder.io/version: v0.15.0
   creationTimestamp: null
   name: istios.operator.istio.io
 spec:

bundle/manifests/servicemeshoperator3.clusterserviceversion.yaml

@@ -34,7 +34,7 @@ metadata:
     capabilities: Seamless Upgrades
     categories: OpenShift Optional, Integration & Delivery, Networking, Security
     containerImage: quay.io/maistra-dev/sail-operator:3.0-latest
-    createdAt: "2024-04-19T07:45:59Z"
+    createdAt: "2024-04-23T11:53:36Z"
     description: The OpenShift Service Mesh Operator enables you to install, configure,
       and manage an instance of Red Hat OpenShift Service Mesh. OpenShift Service
       Mesh is based on the open source Istio project.

chart/crds/operator.istio.io_istiocnis.yaml

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.14.0
+    controller-gen.kubebuilder.io/version: v0.15.0
   name: istiocnis.operator.istio.io
 spec:
   group: operator.istio.io

chart/crds/operator.istio.io_istiorevisions.yaml

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.14.0
+    controller-gen.kubebuilder.io/version: v0.15.0
   name: istiorevisions.operator.istio.io
 spec:
   group: operator.istio.io

chart/crds/operator.istio.io_istios.yaml

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.14.0
+    controller-gen.kubebuilder.io/version: v0.15.0
   name: istios.operator.istio.io
 spec:
   group: operator.istio.io

chart/values.yaml

@@ -17,7 +17,7 @@ csv:
     This version of the operator supports the following Istio versions:
 
     - v1.21.0
-    - latest (bf9fd612)
+    - latest (3112392b)
 
     [See this page](https://github.com/istio-ecosystem/sail-operator/blob/pre-main/bundle/README.md) for instructions on how to use it.
   support: Community based

controllers/istiocni/istiocni_controller.go

@@ -36,6 +36,7 @@ import (
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/types"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/controller"
@@ -92,12 +93,7 @@ func NewReconciler(
 func (r *Reconciler) Reconcile(ctx context.Context, cni *v1alpha1.IstioCNI) (ctrl.Result, error) {
 	log := logf.FromContext(ctx)
 
-	if err := validateIstioCNI(cni); err != nil {
-		return ctrl.Result{}, err
-	}
-
-	log.Info("Installing components")
-	reconcileErr := r.installHelmChart(ctx, cni)
+	reconcileErr := r.doReconcile(ctx, cni)
 
 	log.Info("Reconciliation done. Updating status.")
 	statusErr := r.updateStatus(ctx, cni, reconcileErr)
@@ -109,13 +105,30 @@ func (r *Reconciler) Finalize(ctx context.Context, cni *v1alpha1.IstioCNI) error
 	return r.uninstallHelmChart(ctx, cni)
 }
 
-func validateIstioCNI(cni *v1alpha1.IstioCNI) error {
+func (r *Reconciler) doReconcile(ctx context.Context, cni *v1alpha1.IstioCNI) error {
+	log := logf.FromContext(ctx)
+	if err := r.validateIstioCNI(ctx, cni); err != nil {
+		return err
+	}
+
+	log.Info("Installing Helm chart")
+	return r.installHelmChart(ctx, cni)
+}
+
+func (r *Reconciler) validateIstioCNI(ctx context.Context, cni *v1alpha1.IstioCNI) error {
 	if cni.Spec.Version == "" {
 		return reconciler.NewValidationError("spec.version not set")
 	}
 	if cni.Spec.Namespace == "" {
 		return reconciler.NewValidationError("spec.namespace not set")
 	}
+
+	if err := r.Client.Get(ctx, types.NamespacedName{Name: cni.Spec.Namespace}, &corev1.Namespace{}); err != nil {
+		if apierrors.IsNotFound(err) {
+			return reconciler.NewValidationError(fmt.Sprintf("namespace %q doesn't exist", cni.Spec.Namespace))
+		}
+		return err
+	}
 	return nil
 }
 

controllers/istiorevision/istiorevision_controller.go

@@ -100,30 +100,42 @@ func NewReconciler(client client.Client, scheme *runtime.Scheme, resourceDir str
 func (r *Reconciler) Reconcile(ctx context.Context, rev *v1alpha1.IstioRevision) (ctrl.Result, error) {
 	log := logf.FromContext(ctx)
 
-	if err := validateIstioRevision(rev); err != nil {
-		return ctrl.Result{}, err
-	}
-
-	log.Info("Installing components")
-	reconcileErr := r.installHelmCharts(ctx, rev)
+	reconcileErr := r.doReconcile(ctx, rev)
 
 	log.Info("Reconciliation done. Updating status.")
 	statusErr := r.updateStatus(ctx, rev, reconcileErr)
 
 	return ctrl.Result{}, errors.Join(reconcileErr, statusErr)
 }
 
+func (r *Reconciler) doReconcile(ctx context.Context, rev *v1alpha1.IstioRevision) error {
+	log := logf.FromContext(ctx)
+	if err := r.validateIstioRevision(ctx, rev); err != nil {
+		return err
+	}
+
+	log.Info("Installing Helm chart")
+	return r.installHelmCharts(ctx, rev)
+}
+
 func (r *Reconciler) Finalize(ctx context.Context, rev *v1alpha1.IstioRevision) error {
 	return r.uninstallHelmCharts(ctx, rev)
 }
 
-func validateIstioRevision(rev *v1alpha1.IstioRevision) error {
+func (r *Reconciler) validateIstioRevision(ctx context.Context, rev *v1alpha1.IstioRevision) error {
 	if rev.Spec.Version == "" {
 		return reconciler.NewValidationError("spec.version not set")
 	}
 	if rev.Spec.Namespace == "" {
 		return reconciler.NewValidationError("spec.namespace not set")
 	}
+	if err := r.Client.Get(ctx, types.NamespacedName{Name: rev.Spec.Namespace}, &corev1.Namespace{}); err != nil {
+		if apierrors.IsNotFound(err) {
+			return reconciler.NewValidationError(fmt.Sprintf("namespace %q doesn't exist", rev.Spec.Namespace))
+		}
+		return err
+	}
+
 	if rev.Spec.Values == nil {
 		return reconciler.NewValidationError("spec.values not set")
 	}
@@ -175,8 +187,12 @@ func (r *Reconciler) SetupWithManager(mgr ctrl.Manager) error {
 	// ownedResourceHandler handles resources that are owned by the IstioRevision CR
 	ownedResourceHandler := handler.EnqueueRequestForOwner(r.Scheme, r.RESTMapper(), &v1alpha1.IstioRevision{}, handler.OnlyControllerOwner())
 
-	// nsHandler handles namespaces that reference the IstioRevision CR via the istio.io/rev or istio-injection labels.
-	// The handler triggers the reconciliation of the referenced IstioRevision CR so that its InUse condition is updated.
+	// nsHandler triggers reconciliation in two cases:
+	// - when a namespace that is referenced in IstioRevision.spec.namespace is
+	//   created, so that the control plane is installed immediately.
+	// - when a namespace that references the IstioRevision CR via the istio.io/rev
+	//   or istio-injection labels is updated, so that the InUse condition of
+	//   the IstioRevision CR is updated.
 	nsHandler := handler.EnqueueRequestsFromMapFunc(r.mapNamespaceToReconcileRequest)
 
 	// podHandler handles pods that reference the IstioRevision CR via the istio.io/rev or sidecar.istio.io/inject labels.
@@ -220,6 +236,8 @@ func (r *Reconciler) SetupWithManager(mgr ctrl.Manager) error {
 			ownedResourceHandler,
 			builder.WithPredicates(validatingWebhookConfigPredicate{})).
 
+		// +lint-watches:ignore: ValidatingAdmissionPolicy (TODO: fix this when CI supports golang 1.22 and k8s 1.30)
+		// +lint-watches:ignore: ValidatingAdmissionPolicyBinding (TODO: fix this when CI supports golang 1.22 and k8s 1.30)
 		// +lint-watches:ignore: CustomResourceDefinition (prevents `make lint-watches` from bugging us about CRDs)
 		Complete(reconciler.NewStandardReconcilerWithFinalizer(r.Client, &v1alpha1.IstioRevision{}, r.Reconcile, r.Finalize, constants.FinalizerName))
 }
@@ -421,11 +439,27 @@ func istiodDeploymentKey(rev *v1alpha1.IstioRevision) client.ObjectKey {
 }
 
 func (r *Reconciler) mapNamespaceToReconcileRequest(ctx context.Context, ns client.Object) []reconcile.Request {
+	log := logf.FromContext(ctx)
+	var requests []reconcile.Request
+
+	// Check if any IstioRevision references this namespace in .spec.namespace
+	revList := v1alpha1.IstioRevisionList{}
+	if err := r.Client.List(ctx, &revList); err != nil {
+		log.Error(err, "failed to list IstioRevisions")
+		return nil
+	}
+	for _, rev := range revList.Items {
+		if rev.Spec.Namespace == ns.GetName() {
+			requests = append(requests, reconcile.Request{NamespacedName: types.NamespacedName{Name: rev.Name}})
+		}
+	}
+
+	// Check if the namespace references an IstioRevision in its labels
 	revision := getReferencedRevisionFromNamespace(ns.GetLabels())
 	if revision != "" {
-		return []reconcile.Request{{NamespacedName: types.NamespacedName{Name: revision}}}
+		requests = append(requests, reconcile.Request{NamespacedName: types.NamespacedName{Name: revision}})
 	}
-	return nil
+	return requests
 }
 
 func (r *Reconciler) mapPodToReconcileRequest(ctx context.Context, pod client.Object) []reconcile.Request {

hack/lint-watches.sh

@@ -47,7 +47,7 @@ check_watches() {
 
     # Print missing lines, if any
     if [[ ${#missing_kinds[@]} -gt 0 ]]; then
-        printf "The following kinds aren't watched in %s:\n" "$controllerPath"
+        printf "FAIL: The following kinds aren't watched in %s:\n" "$controllerPath"
         for line in "${missing_kinds[@]}"; do
             printf "  - %s\n" "$line"
         done

pkg/kube/key.go

@@ -0,0 +1,27 @@
+// Copyright Istio Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package kube
+
+import "sigs.k8s.io/controller-runtime/pkg/client"
+
+// key returns the client.ObjectKey for the given name and namespace. If no namespace is provided, it returns a key cluster scoped
+func Key(name string, namespace ...string) client.ObjectKey {
+	if len(namespace) > 1 {
+		panic("you can only provide one namespace")
+	} else if len(namespace) == 1 {
+		return client.ObjectKey{Name: name, Namespace: namespace[0]}
+	}
+	return client.ObjectKey{Name: name}
+}

resources/latest/charts/base/Chart.yaml

@@ -1,10 +1,10 @@
 apiVersion: v1
-appVersion: 1.22-alpha.bf9fd6127f5bebf2f0024362f3c687849f390749
+appVersion: 1.22-alpha.3112392b96748f15315150044244f0052a2f730d
 description: Helm chart for deploying Istio cluster resources and CRDs
 icon: https://istio.io/latest/favicons/android-192x192.png
 keywords:
 - istio
 name: base
 sources:
 - https://github.com/istio/istio
-version: 1.22-alpha.bf9fd6127f5bebf2f0024362f3c687849f390749
+version: 1.22-alpha.3112392b96748f15315150044244f0052a2f730d

resources/latest/charts/cni/Chart.yaml

@@ -1,5 +1,5 @@
 apiVersion: v1
-appVersion: 1.22-alpha.bf9fd6127f5bebf2f0024362f3c687849f390749
+appVersion: 1.22-alpha.3112392b96748f15315150044244f0052a2f730d
 description: Helm chart for istio-cni components
 icon: https://istio.io/latest/favicons/android-192x192.png
 keywords:
@@ -8,4 +8,4 @@ keywords:
 name: cni
 sources:
 - https://github.com/istio/istio/tree/master/cni
-version: 1.22-alpha.bf9fd6127f5bebf2f0024362f3c687849f390749
+version: 1.22-alpha.3112392b96748f15315150044244f0052a2f730d

resources/latest/charts/cni/values.yaml

@@ -110,7 +110,7 @@ defaults:
     hub: gcr.io/istio-testing
 
     # Default tag for Istio images.
-    tag: 1.22-alpha.bf9fd6127f5bebf2f0024362f3c687849f390749
+    tag: 1.22-alpha.3112392b96748f15315150044244f0052a2f730d
 
     # Variant of the image to use.
     # Currently supported are: [debug, distroless]

resources/latest/charts/gateway/Chart.yaml

@@ -1,5 +1,5 @@
 apiVersion: v2
-appVersion: 1.22-alpha.bf9fd6127f5bebf2f0024362f3c687849f390749
+appVersion: 1.22-alpha.3112392b96748f15315150044244f0052a2f730d
 description: Helm chart for deploying Istio gateways
 icon: https://istio.io/latest/favicons/android-192x192.png
 keywords:
@@ -9,4 +9,4 @@ name: gateway
 sources:
 - https://github.com/istio/istio
 type: application
-version: 1.22-alpha.bf9fd6127f5bebf2f0024362f3c687849f390749
+version: 1.22-alpha.3112392b96748f15315150044244f0052a2f730d

resources/latest/charts/istiod/Chart.yaml

@@ -1,5 +1,5 @@
 apiVersion: v1
-appVersion: 1.22-alpha.bf9fd6127f5bebf2f0024362f3c687849f390749
+appVersion: 1.22-alpha.3112392b96748f15315150044244f0052a2f730d
 description: Helm chart for istio control plane
 icon: https://istio.io/latest/favicons/android-192x192.png
 keywords:
@@ -9,4 +9,4 @@ keywords:
 name: istiod
 sources:
 - https://github.com/istio/istio
-version: 1.22-alpha.bf9fd6127f5bebf2f0024362f3c687849f390749
+version: 1.22-alpha.3112392b96748f15315150044244f0052a2f730d

resources/latest/charts/istiod/files/kube-gateway.yaml

@@ -138,7 +138,7 @@ spec:
       {{- end }}
       {{- if .Values.global.proxy.lifecycle }}
         lifecycle:
-          {{ toYaml .Values.global.proxy.lifecycle | indent 6 }}
+          {{- toYaml .Values.global.proxy.lifecycle | nindent 10 }}
       {{- end }}
         env:
         - name: PILOT_CERT_PROVIDER

resources/latest/charts/istiod/values.yaml

@@ -231,7 +231,7 @@ defaults:
     # Dev builds from prow are on gcr.io
     hub: gcr.io/istio-testing
     # Default tag for Istio images.
-    tag: 1.22-alpha.bf9fd6127f5bebf2f0024362f3c687849f390749
+    tag: 1.22-alpha.3112392b96748f15315150044244f0052a2f730d
     # Variant of the image to use.
     # Currently supported are: [debug, distroless]
     variant: ""

resources/latest/charts/ztunnel/Chart.yaml

@@ -1,5 +1,5 @@
 apiVersion: v1
-appVersion: 1.22-alpha.bf9fd6127f5bebf2f0024362f3c687849f390749
+appVersion: 1.22-alpha.3112392b96748f15315150044244f0052a2f730d
 description: Helm chart for istio ztunnel components
 icon: https://istio.io/latest/favicons/android-192x192.png
 keywords:
@@ -8,4 +8,4 @@ keywords:
 name: ztunnel
 sources:
 - https://github.com/istio/istio
-version: 1.22-alpha.bf9fd6127f5bebf2f0024362f3c687849f390749
+version: 1.22-alpha.3112392b96748f15315150044244f0052a2f730d

resources/latest/charts/ztunnel/values.yaml

@@ -2,7 +2,7 @@ defaults:
   # Hub to pull from. Image will be `Hub/Image:Tag-Variant`
   hub: gcr.io/istio-testing
   # Tag to pull from. Image will be `Hub/Image:Tag-Variant`
-  tag: 1.22-alpha.bf9fd6127f5bebf2f0024362f3c687849f390749
+  tag: 1.22-alpha.3112392b96748f15315150044244f0052a2f730d
   # Variant to pull. Options are "debug" or "distroless". Unset will use the default for the given version.
   variant: ""