Merge pull request openshift-service-mesh#44 from openshift-service-m…

…esh-bot/none-main-merge_upstream_main-38a843ce

Automator: merge upstream changes to openshift-service-mesh/sail-operator@main

README.md

@@ -1,14 +1,18 @@
 # Sail-operator
 
-This project is an operator that can be used to manage the installation of an [Istio](https://istio.io) control plane.
+The Sail-operator manages the lifecycle of your [Istio](https://istio.io) control plane. It provides custom resources for you to deploy and manage your control plane components.
+
+## User Documentation
+This document aims to provide an overview of the project and some information for contributors. For information on how to use the operator, take a look at the [User Documentation](docs/README.md).
 
 ## Table of Contents
+
+- [How it works](#how-it-works)
 - [Getting Started](#getting-started)
     - [Deploying the operator](#deploying-the-operator)
     - [Deploying the Istio Control Plane](#deploying-the-istio-control-plane)
-    - [Deploying the Istio CNI plugin](#deploying-the-istio-cni-plugin)
     - [Undeploying the operator](#undeploying-the-operator)
-    - [How it works](#how-it-works)
+- [Development](#undeploying-the-operator)
     - [Repository Setup](#repository-setup)
     - [Test It Out](#test-it-out)
     - [Modifying the API definitions](#modifying-the-api-definitions)
@@ -18,12 +22,66 @@ This project is an operator that can be used to manage the installation of an [I
 - [Community Support and Contributing](#community-support-and-contributing)
 - [Issue management](#issue-management)
 
+## How it works
+
+You manage your controlplane through an `Istio` resource.
+
+```yaml
+apiVersion: operator.istio.io/v1alpha1
+kind: Istio
+metadata:
+  name: example
+spec:
+  namespace: istio-system
+  version: v1.22.0
+```
+
+When you create an `Istio` resource, the sail operator then creates an `IstioRevision` that represents a control plane deployment.
+
+```yaml
+apiVersion: operator.istio.io/v1alpha1
+kind: IstioRevision
+metadata:
+  name: example
+  ...
+spec:
+  namespace: istio-system
+  version: v1.22.0
+status:
+  ...
+  state: Healthy
+```
+
+You can customize your controlplane installation through the `Istio` resource using Istio's `Helm` configuration values:
+
+```yaml
+apiVersion: operator.istio.io/v1alpha1
+kind: Istio
+metadata:
+  name: example
+spec:
+  version: v1.20.0
+  values:
+    global:
+      mtls:
+        enabled: true
+      trustDomainAliases:
+      - example.net
+    meshConfig:
+      trustDomain: example.com
+      trustDomainAliases:
+      - example.net
+```
+
 ## Getting Started
+
 You’ll need a Kubernetes cluster to run against. You can use [KIND](https://sigs.k8s.io/kind) to get a local cluster for testing, or run against a remote cluster.
 **Note:** Your controller will automatically use the current context in your kubeconfig file (i.e. whatever cluster `kubectl cluster-info` shows).
 
 ### Deploying the operator
+
 Deploy the operator to the cluster:
+
 ```sh
 make deploy
 ```
@@ -37,7 +95,8 @@ make deploy-olm
 Make sure that the `HUB` and `TAG` environment variables point to your container image repository and that the repository is publicly accessible.
 
 ### Deploying the Istio Control Plane
-Create an instance of the Istio resource to install the Istio Control Plane. 
+
+Create an instance of the `Istio` resource to install the Istio Control Plane.
 
 Use the `istio-sample-kubernetes.yaml` file on vanilla Kubernetes:
 
@@ -55,27 +114,34 @@ kubectl get ns istio-system || kubectl create ns istio-system
 kubectl apply -f chart/samples/istio-sample-openshift.yaml
 ```
 
-### Deploying the Istio CNI plugin
-On OpenShift, you must also deploy the Istio CNI plugin by creating an instance of the IstioCNI resource:
+On OpenShift, you must also deploy the Istio CNI plugin by creating an instance of the `IstioCNI` resource:
 
 ```sh
 kubectl apply -f chart/samples/istiocni-sample.yaml
 ```
 
+View your controlplane:
+
+```sh
+kubectl get istio default
+```
+
 ### Undeploying the operator
 Undeploy the operator from the cluster:
 
 ```sh
 make undeploy
 ```
 
-### How it works
+## Development
+
 This project aims to follow the Kubernetes [Operator pattern](https://kubernetes.io/docs/concepts/extend-kubernetes/operator/).
 
 It uses [Controllers](https://kubernetes.io/docs/concepts/architecture/controller/),
 which provide a reconcile function responsible for synchronizing resources until the desired state is reached on the cluster.
 
 ### Repository Setup
+
 We're using [gitleaks](https://github.com/gitleaks/gitleaks) to scan the repository for secrets. After cloning, please enable the pre-commit hook by running `make git-hook`. This will make sure that `gitleaks` scans your contributions before you push them to GitHub, avoiding any potential secret leaks.
 
 ```sh
@@ -85,6 +151,7 @@ make git-hook
 You will also need to sign off your commits to this repository. This can be done by adding the `-s` flag to your `git commit` command. If you want to automate that for this repository, take a look at `.git/hooks/prepare-commit-msg.sample`, it contains an example to do just that.
 
 ### Test It Out
+
 1. Install the CRDs into the cluster:
 
 ```sh
@@ -100,6 +167,7 @@ make run
 **NOTE:** You can also run this in one step by running: `make install run`
 
 ### Modifying the API definitions
+
 If you are editing the API definitions, generate the manifests such as CRs or CRDs using:
 
 ```sh
@@ -111,11 +179,13 @@ make manifests
 More information can be found via the [Kubebuilder Documentation](https://book.kubebuilder.io/introduction.html)
 
 ### Writing Tests
+
 Please try to keep business logic in separate packages that can be independently tested wherever possible, especially if you can avoid the usage of Kubernetes clients. It greatly simplifies testing if we don't need to use envtest everywhere.
 
 E2E and integration tests should use the ginkgo-style BDD testing method, an example can be found in [`tests/integration/api/istio_test.go`](https://github.com/istio-ecosystem/sail-operator/blob/main/tests/integration/api/istio_test.go) for the test code and suite setup in [`tests/integration/api/suite_test.go`](https://github.com/istio-ecosystem/sail-operator/blob/main/tests/integration/api/suite_test.go). Unit tests should use standard golang xUnit-style tests (see [`pkg/kube/finalizers_test.go`](https://github.com/istio-ecosystem/sail-operator/blob/main/pkg/kube/finalizers_test.go) for an example).
 
 ### Integration Tests
+
 Please check the specific instructions for the integration tests in the [integration](https://github.com/istio-ecosystem/sail-operator/blob/main/tests/integration/README.md) directory.
 
 To run the integration tests, you can use the following command:
@@ -125,6 +195,7 @@ make test.integration
 ```
 
 ### End-to-End Tests
+
 Please check the specific instructions for the end-to-end tests in the [e2e](https://github.com/istio-ecosystem/sail-operator/blob/main/tests/e2e/README.md) directory.
 
 To run the end-to-end tests, you can use the following command:

bundle/manifests/servicemeshoperator3.clusterserviceversion.yaml

@@ -34,7 +34,7 @@ metadata:
     capabilities: Seamless Upgrades
     categories: OpenShift Optional, Integration & Delivery, Networking, Security
     containerImage: quay.io/maistra-dev/sail-operator:3.0.0-tp-latest
-    createdAt: "2024-05-29T00:12:19Z"
+    createdAt: "2024-05-30T21:08:45Z"
     description: The OpenShift Service Mesh Operator enables you to install, configure,
       and manage an instance of Red Hat OpenShift Service Mesh. OpenShift Service
       Mesh is based on the open source Istio project.

chart/values.yaml

@@ -19,7 +19,7 @@ csv:
     - v1.22.0
     - v1.21.2
     - v1.21.0
-    - latest (ddfb9f10)
+    - latest (99c8da36)
 
     [See this page](https://github.com/istio-ecosystem/sail-operator/blob/pre-main/bundle/README.md) for instructions on how to use it.
   support: Community based

docs/README.md

@@ -0,0 +1,25 @@
+[Return to Project Root](../)
+
+# User Documentation
+tbd
+
+## Concepts
+tbd
+
+## Getting Started
+tbd
+
+## Gateways
+tbd
+
+## Multicluster
+tbd
+
+## Examples
+tbd
+
+## Observability Integrations
+tbd
+
+## Uninstalling
+tbd

resources/latest/charts/base/Chart.yaml

@@ -1,10 +1,10 @@
 apiVersion: v2
-appVersion: 1.23-alpha.ddfb9f10f70e42e10a57d9909142a89b0cc95c5f
+appVersion: 1.23-alpha.99c8da361a0f4037fc09db5947e53f42a140858e
 description: Helm chart for deploying Istio cluster resources and CRDs
 icon: https://istio.io/latest/favicons/android-192x192.png
 keywords:
 - istio
 name: base
 sources:
 - https://github.com/istio/istio
-version: 1.23-alpha.ddfb9f10f70e42e10a57d9909142a89b0cc95c5f
+version: 1.23-alpha.99c8da361a0f4037fc09db5947e53f42a140858e

resources/latest/charts/cni/Chart.yaml

@@ -1,5 +1,5 @@
 apiVersion: v2
-appVersion: 1.23-alpha.ddfb9f10f70e42e10a57d9909142a89b0cc95c5f
+appVersion: 1.23-alpha.99c8da361a0f4037fc09db5947e53f42a140858e
 description: Helm chart for istio-cni components
 icon: https://istio.io/latest/favicons/android-192x192.png
 keywords:
@@ -8,4 +8,4 @@ keywords:
 name: cni
 sources:
 - https://github.com/istio/istio
-version: 1.23-alpha.ddfb9f10f70e42e10a57d9909142a89b0cc95c5f
+version: 1.23-alpha.99c8da361a0f4037fc09db5947e53f42a140858e

resources/latest/charts/cni/values.yaml

@@ -112,7 +112,7 @@ defaults:
     hub: gcr.io/istio-testing
 
     # Default tag for Istio images.
-    tag: 1.23-alpha.ddfb9f10f70e42e10a57d9909142a89b0cc95c5f
+    tag: 1.23-alpha.99c8da361a0f4037fc09db5947e53f42a140858e
 
     # Variant of the image to use.
     # Currently supported are: [debug, distroless]

resources/latest/charts/gateway/Chart.yaml

@@ -1,5 +1,5 @@
 apiVersion: v2
-appVersion: 1.23-alpha.ddfb9f10f70e42e10a57d9909142a89b0cc95c5f
+appVersion: 1.23-alpha.99c8da361a0f4037fc09db5947e53f42a140858e
 description: Helm chart for deploying Istio gateways
 icon: https://istio.io/latest/favicons/android-192x192.png
 keywords:
@@ -9,4 +9,4 @@ name: gateway
 sources:
 - https://github.com/istio/istio
 type: application
-version: 1.23-alpha.ddfb9f10f70e42e10a57d9909142a89b0cc95c5f
+version: 1.23-alpha.99c8da361a0f4037fc09db5947e53f42a140858e

resources/latest/charts/istiod/Chart.yaml

@@ -1,5 +1,5 @@
 apiVersion: v2
-appVersion: 1.23-alpha.ddfb9f10f70e42e10a57d9909142a89b0cc95c5f
+appVersion: 1.23-alpha.99c8da361a0f4037fc09db5947e53f42a140858e
 description: Helm chart for istio control plane
 icon: https://istio.io/latest/favicons/android-192x192.png
 keywords:
@@ -9,4 +9,4 @@ keywords:
 name: istiod
 sources:
 - https://github.com/istio/istio
-version: 1.23-alpha.ddfb9f10f70e42e10a57d9909142a89b0cc95c5f
+version: 1.23-alpha.99c8da361a0f4037fc09db5947e53f42a140858e

resources/latest/charts/istiod/files/waypoint.yaml

@@ -212,7 +212,10 @@ spec:
         securityContext:
           privileged: false
           runAsGroup: 1337
-          runAsUser: 0
+          runAsUser: 1337
+          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
+          runAsNonRoot: true
           capabilities:
             drop:
             - ALL

resources/latest/charts/istiod/values.yaml

@@ -234,7 +234,7 @@ defaults:
     # Dev builds from prow are on gcr.io
     hub: gcr.io/istio-testing
     # Default tag for Istio images.
-    tag: 1.23-alpha.ddfb9f10f70e42e10a57d9909142a89b0cc95c5f
+    tag: 1.23-alpha.99c8da361a0f4037fc09db5947e53f42a140858e
     # Variant of the image to use.
     # Currently supported are: [debug, distroless]
     variant: ""

resources/latest/charts/ztunnel/Chart.yaml

@@ -1,5 +1,5 @@
 apiVersion: v2
-appVersion: 1.23-alpha.ddfb9f10f70e42e10a57d9909142a89b0cc95c5f
+appVersion: 1.23-alpha.99c8da361a0f4037fc09db5947e53f42a140858e
 description: Helm chart for istio ztunnel components
 icon: https://istio.io/latest/favicons/android-192x192.png
 keywords:
@@ -8,4 +8,4 @@ keywords:
 name: ztunnel
 sources:
 - https://github.com/istio/istio
-version: 1.23-alpha.ddfb9f10f70e42e10a57d9909142a89b0cc95c5f
+version: 1.23-alpha.99c8da361a0f4037fc09db5947e53f42a140858e

resources/latest/charts/ztunnel/values.yaml

@@ -2,7 +2,7 @@ defaults:
   # Hub to pull from. Image will be `Hub/Image:Tag-Variant`
   hub: gcr.io/istio-testing
   # Tag to pull from. Image will be `Hub/Image:Tag-Variant`
-  tag: 1.23-alpha.ddfb9f10f70e42e10a57d9909142a89b0cc95c5f
+  tag: 1.23-alpha.99c8da361a0f4037fc09db5947e53f42a140858e
   # Variant to pull. Options are "debug" or "distroless". Unset will use the default for the given version.
   variant: ""
 

versions.yaml

@@ -44,10 +44,10 @@ versions:
     version: 1.23-alpha
     repo: https://github.com/istio/istio
     branch: master
-    commit: ddfb9f10f70e42e10a57d9909142a89b0cc95c5f
+    commit: 99c8da361a0f4037fc09db5947e53f42a140858e
     charts:
-      - https://storage.googleapis.com/istio-build/dev/1.23-alpha.ddfb9f10f70e42e10a57d9909142a89b0cc95c5f/helm/base-1.23-alpha.ddfb9f10f70e42e10a57d9909142a89b0cc95c5f.tgz
-      - https://storage.googleapis.com/istio-build/dev/1.23-alpha.ddfb9f10f70e42e10a57d9909142a89b0cc95c5f/helm/cni-1.23-alpha.ddfb9f10f70e42e10a57d9909142a89b0cc95c5f.tgz
-      - https://storage.googleapis.com/istio-build/dev/1.23-alpha.ddfb9f10f70e42e10a57d9909142a89b0cc95c5f/helm/gateway-1.23-alpha.ddfb9f10f70e42e10a57d9909142a89b0cc95c5f.tgz
-      - https://storage.googleapis.com/istio-build/dev/1.23-alpha.ddfb9f10f70e42e10a57d9909142a89b0cc95c5f/helm/istiod-1.23-alpha.ddfb9f10f70e42e10a57d9909142a89b0cc95c5f.tgz
-      - https://storage.googleapis.com/istio-build/dev/1.23-alpha.ddfb9f10f70e42e10a57d9909142a89b0cc95c5f/helm/ztunnel-1.23-alpha.ddfb9f10f70e42e10a57d9909142a89b0cc95c5f.tgz
+      - https://storage.googleapis.com/istio-build/dev/1.23-alpha.99c8da361a0f4037fc09db5947e53f42a140858e/helm/base-1.23-alpha.99c8da361a0f4037fc09db5947e53f42a140858e.tgz
+      - https://storage.googleapis.com/istio-build/dev/1.23-alpha.99c8da361a0f4037fc09db5947e53f42a140858e/helm/cni-1.23-alpha.99c8da361a0f4037fc09db5947e53f42a140858e.tgz
+      - https://storage.googleapis.com/istio-build/dev/1.23-alpha.99c8da361a0f4037fc09db5947e53f42a140858e/helm/gateway-1.23-alpha.99c8da361a0f4037fc09db5947e53f42a140858e.tgz
+      - https://storage.googleapis.com/istio-build/dev/1.23-alpha.99c8da361a0f4037fc09db5947e53f42a140858e/helm/istiod-1.23-alpha.99c8da361a0f4037fc09db5947e53f42a140858e.tgz
+      - https://storage.googleapis.com/istio-build/dev/1.23-alpha.99c8da361a0f4037fc09db5947e53f42a140858e/helm/ztunnel-1.23-alpha.99c8da361a0f4037fc09db5947e53f42a140858e.tgz