[release-4.20] OCPBUGS-92038, OCPBUGS-92039, OCPBUGS-82147, OCPBUGS-92041, OCPBUGS-92042: Replace OLM-based Istio install with Sail Library#1459
Conversation
|
@gcs278: This pull request references NE-2286 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the epic to target either version "4.20." or "openshift-4.20.", but it targets "openshift-4.22" instead. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
Important Review skippedAuto reviews are disabled on base/target branches other than the default branch. Please check the settings in the CodeRabbit UI or the ⚙️ Run configurationConfiguration used: Repository: openshift/coderabbit/.coderabbit.yaml Review profile: CHILL Plan: Enterprise Run ID: You can disable this status message by setting the Use the checkbox below for a quick retry:
✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
|
Skipping CI for Draft Pull Request. |
|
/testwith openshift/cluster-ingress-operator/release-4.20/e2e-aws-operator openshift/api#2869 |
0fdfa93 to
9812b49
Compare
|
/testwith openshift/cluster-ingress-operator/release-4.20/e2e-aws-operator openshift/api#2869 |
|
Ready for early review, but blocked on getting some Jira Tickets set up and the 4.21 NO-OLM backport to merge to GA (openshift/api#2865) |
|
@gcs278: No Jira issue is referenced in the title of this pull request. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
/assign @aswinsuryan |
Vendor the GatewayAPIWithoutOLM in the openshift/api repo to support backporting the No OLM logic into the release-4.20 branch. PR: openshift#1354
|
@gcs278: This pull request references Jira Issue OCPBUGS-92038, which is valid. 7 validation(s) were run on this bug
Requesting review from QA contact: This pull request references Jira Issue OCPBUGS-92039, which is valid. 7 validation(s) were run on this bug
No GitHub users were found matching the public email listed for the QA contact in Jira (iamin@redhat.com), skipping review request. This pull request references Jira Issue OCPBUGS-82147, which is valid. 7 validation(s) were run on this bug
No GitHub users were found matching the public email listed for the QA contact in Jira (iamin@redhat.com), skipping review request. This pull request references Jira Issue OCPBUGS-92041, which is valid. 7 validation(s) were run on this bug
No GitHub users were found matching the public email listed for the QA contact in Jira (iamin@redhat.com), skipping review request. This pull request references Jira Issue OCPBUGS-92042, which is valid. 7 validation(s) were run on this bug
Requesting review from QA contact: DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
faf1ca7 to
ee7b819
Compare
ee7b819 to
5a6e37a
Compare
Cherry-picked from: 8a40966 openshift#1354 Conflicts resolved: - pkg/operator/operator.go: Added GatewayAPIWithoutOLM gate alongside existing 4.20 gates (GatewayAPI, GatewayAPIController, RouteExternalCertificate, IngressControllerLBSubnetsAWS, SetEIPForNLBIngressController) - Note: Go tidy will fail in this commit since Aslak's development branch pulls in K8S dependencies that are too new - a future commit in this backport will vendor the official release resolve go.mod
Cherry-picked from: 5617a41 openshift#1354
Cherry-picked from: ed2eb36 openshift#1354 Conflicts resolved: - pkg/operator/controller/status/controller.go: Took incoming noOLM logic (useOLM/useSailLibrary, conditional subscription listing) but wrapped in existing 4.20 GatewayAPIEnabled guard. Restored GatewayAPIControllerEnabled guard that was present in the original condition but dropped during cherry-pick.
…rRole Cherry-picked from: a758d83 openshift#1354
Cherry-picked from: 9c4d792 openshift#1354 Conflicts resolved: - test/e2e/gateway_api_test.go: Kept 4.20 gatewayAPIControllerEnabled guard, added gatewayAPIWithoutOLMEnabled conditionals inside it. Kept istioCRDNames. Removed references to testGatewayAPIInfrastructureAnnotations, testGatewayAPIInternalLoadBalancer, and testGatewayOpenshiftConditions which were added in separate PRs not present on release-4.20.
Cherry-picked from: 955a5c0 openshift#1354
Cherry-picked from: 6d2c6c8 openshift#1402
Controller-runtime echoes all recorder.Event() calls to DEBUG logs. When we switched from DEBUG to INFO level, these operational events became invisible in logs (though they still exist as K8s Events). Add log.Info() calls alongside 16 recorder.Event() calls to restore visibility of important operational events including certificate lifecycle, IngressController admission, and DNS warnings. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Cherry-picked from: 43c978a openshift#1404 Conflicts resolved: - go.mod: Switched sail-operator replace from aslakknutsen's development fork to the official openshift-service-mesh/sail-operator v0.0.0-20260327145107 (OSSM 3.3.1). Added replace directives to pin k8s.io/api, apimachinery, apiextensions-apiserver, apiserver, client-go, component-base, kube-openapi, controller-runtime, gateway-api, and gnostic-models to their original 4.20 versions, preventing the sail-operator's transitive dependencies from bumping them. This avoids the structured-merge-diff v4/v6 incompatibility and preserves compatibility with the 4.20 openshift/client-go and openshift/library-go. - vendor/: Re-vendored from scratch with pinned dependencies. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Cherry-picked from: b1bbbb7 openshift#1404
5a6e37a to
0631003
Compare
|
@gcs278: all tests passed! Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
|
Addind verified label again based on #1459 (comment) |
|
@melvinjoseph86: This PR has been marked as verified by DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
/lgtm |
e40a071
into
openshift:release-4.20
|
@gcs278: Jira Issue OCPBUGS-92038: Some pull requests linked via external trackers have merged: The following pull request, linked via external tracker, has not merged:
All associated pull requests must be merged or unlinked from the Jira bug in order for it to move to the next state. Once unlinked, request a bug refresh with Jira Issue OCPBUGS-92038 has not been moved to the MODIFIED state. This PR is marked as verified. If the remaining PRs listed above are marked as verified before merging, the issue will automatically be moved to VERIFIED after all of the changes from the PRs are available in an accepted nightly payload. Jira Issue OCPBUGS-92039: Some pull requests linked via external trackers have merged: The following pull request, linked via external tracker, has not merged:
All associated pull requests must be merged or unlinked from the Jira bug in order for it to move to the next state. Once unlinked, request a bug refresh with Jira Issue OCPBUGS-92039 has not been moved to the MODIFIED state. This PR is marked as verified. If the remaining PRs listed above are marked as verified before merging, the issue will automatically be moved to VERIFIED after all of the changes from the PRs are available in an accepted nightly payload. Jira Issue OCPBUGS-82147: Some pull requests linked via external trackers have merged: The following pull request, linked via external tracker, has not merged:
All associated pull requests must be merged or unlinked from the Jira bug in order for it to move to the next state. Once unlinked, request a bug refresh with Jira Issue OCPBUGS-82147 has not been moved to the MODIFIED state. This PR is marked as verified. If the remaining PRs listed above are marked as verified before merging, the issue will automatically be moved to VERIFIED after all of the changes from the PRs are available in an accepted nightly payload. Jira Issue OCPBUGS-92041: Some pull requests linked via external trackers have merged: The following pull request, linked via external tracker, has not merged:
All associated pull requests must be merged or unlinked from the Jira bug in order for it to move to the next state. Once unlinked, request a bug refresh with Jira Issue OCPBUGS-92041 has not been moved to the MODIFIED state. This PR is marked as verified. If the remaining PRs listed above are marked as verified before merging, the issue will automatically be moved to VERIFIED after all of the changes from the PRs are available in an accepted nightly payload. Jira Issue OCPBUGS-92042: Some pull requests linked via external trackers have merged: The following pull request, linked via external tracker, has not merged:
All associated pull requests must be merged or unlinked from the Jira bug in order for it to move to the next state. Once unlinked, request a bug refresh with Jira Issue OCPBUGS-92042 has not been moved to the MODIFIED state. This PR is marked as verified. If the remaining PRs listed above are marked as verified before merging, the issue will automatically be moved to VERIFIED after all of the changes from the PRs are available in an accepted nightly payload. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
Summary
Backport of the noOLM / Sail Library installation path (NE-2286, shipped in 4.22) to release-4.20. This resolves several fundamental OLM bugs that have no viable OLM-based workaround — most critically OCPBUGS-86778, which blocks all OSSM z-stream upgrades and prevents shipping CVE fixes.
This is part of an approved SBAR to backport the Sail Library (noOLM) from 4.22 to 4.19–4.21. This is an identical backport to the 4.21 PR: #1442 (origin test coverage: openshift/origin#31232).
This PR is intended to merge with the
GatewayAPIWithoutOLMfeature gate disabled, making it a no-op on merge. The goal is to subsequently enable the gate by default (via openshift/api) to activate the Sail Library path and resolve the OLM issues.Background
Gateway API on OCP 4.19–4.21 uses the Cluster Ingress Operator (CIO) to install Istio via OLM (OSSM operator). This path has several critical bugs:
In OCP 4.22, NE-2286 replaced OLM with the Sail Library — CIO now installs Istio directly via embedded Helm charts. This feature shipped as GA behind the
GatewayAPIWithoutOLMfeature gate.Cherry-picked PRs
istio_sail_installer.go,istio_olm.gorefactor,migration.go,status.go, CRD manifests, Sail Library RBAC manifestsNote: #1393 (OCPBUGS-79667: Use feature-gate annotation for Sail Library RBAC) was also a dependency but is being skipped because CVO on this release does not support the
release.openshift.io/feature-gateannotation (openshift/cluster-version-operator#1273 was not backported). The Sail Library RBAC manifests will ship with therelease.openshift.io/feature-set: CustomNoUpgradeannotation and will need a separate annotation removal PR before GA promotion, similar to what was done on 4.21 (#1462).Versioning
This backport does not bump the Gateway API CRDs (remain at v1.3.0) or the Istio version (remains at v1.26.2) for the noOLM code path. When the
GatewayAPIWithoutOLMfeature gate is enabled, the Sail Library will install Istio using the same v1.26.2 version that the OLM path currently uses. This works because the vendored Sail Library (OSSM 3.3.1) still supports Istio 1.26.2.When noOLM shipped in 4.22, the OLM and noOLM versions were already aligned at 3.3.1, so version separation was not needed. On 4.20, the OLM path is on 3.1.0 — keeping both paths at the same Istio version avoids introducing conditional logic or separate deployment manifests in the backport.
Conflicts resolved
pkg/operator/operator.go: AddedGatewayAPIWithoutOLMgate alongside existing 4.20 gates (GatewayAPI,GatewayAPIController,RouteExternalCertificate,IngressControllerLBSubnetsAWS,SetEIPForNLBIngressController)pkg/operator/controller/status/controller.go: Took incoming noOLM logic (useOLM/useSailLibrary, conditional subscription listing) but wrapped in existing 4.20GatewayAPIEnabledguardtest/e2e/gateway_api_test.go: Kept 4.20gatewayAPIControllerEnabledguard, addedgatewayAPIWithoutOLMEnabledconditionals inside for Sail Library vs OLM test selection. Removed duplicatetestCRDNamesdeclaration (already present via [release-4.20] OCPBUGS-85523: Remove restriction of unmanaged x-k8s.io #1488). KeptistioCRDNames. Removed references totestGatewayAPIInfrastructureAnnotations,testGatewayAPIInternalLoadBalancer, andtestGatewayOpenshiftConditionswhich were added in separate PRs not present on release-4.20.go.mod/vendor/: Addedreplacedirectives foropenshift/api(fork with gate),sail-operator(official OSSM 3.3.1), and dependency pins (see Dependency Pinning Approach below). Re-vendored from scratch.pkg/operator/controller/canary/daemonset.go: Skippedlog.Info()addition from PR OCPBUGS-79467: Change default log level from DEBUG to INFO #1402 commit 2 — references cert-hash-rotation code not present on release-4.20pkg/operator/controller/canary-certificate/controller.go: Skippedlog.Info()additions from PR OCPBUGS-79467: Change default log level from DEBUG to INFO #1402 commit 2 — controller does not exist on release-4.20Rollout Plan
Phase 1 — Land code (gate OFF)
Phase 2 — TechPreview soak
Phase 3 — GA promotion
Dependency Pinning Approach
Unlike the 4.21 backport which bumped k8s and controller-runtime, this backport keeps all dependencies at their original 4.20 versions. The sail-operator (OSSM 3.3.1) requires k8s 0.34 and controller-runtime 0.22, but its
pkg/installpackage only uses basic CRUD operations (client.New,client.Get,client.Create,client.Update) and stable types (metav1,corev1,runtime,rest.Config) that exist unchanged in the 4.20 versions.To prevent
go mod tidyfrom bumping dependencies transitively, the followingreplacedirectives pin modules to their 4.20 versions:k8s.io/apik8s.io/apimachineryk8s.io/client-gok8s.io/apiextensions-apiserverk8s.io/apiserverk8s.io/component-basek8s.io/kube-openapisigs.k8s.io/controller-runtimesigs.k8s.io/gateway-apigithub.com/google/gnostic-modelsWhy pinning is necessary: The sail-operator (OSSM 3.3.1) transitively pulls in k8s 0.34 and controller-runtime 0.22, which would force a k8s minor version bump incompatible with the frozen openshift ecosystem packages (client-go, library-go). Without the pins,
go mod tidywould bump these dependencies and break the build.Risk assessment: The sail-operator install package uses only stable controller-runtime interfaces (
client.ClientCRUD operations,pkg/log,pkg/scheme). No APIs introduced in controller-runtime 0.21+ or k8s 0.34+ are used. Thestructured-merge-diff/v4vsv6incompatibility that would arise from bumping k8s is avoided entirely. This approach was validated by building successfully and by auditing every import in the sail-operator'spkg/install,api/v1, andresourcespackages.Longevity: If a future z-stream requires vendoring a newer sail-operator, the pins should be re-evaluated — but z-streams do not bump k8s minor versions, so these pins are expected to hold for the life of 4.20.
Verification
makebuilds successfully🤖 Generated with Claude Code