Skip to content

[release-4.20] OCPBUGS-92038, OCPBUGS-92039, OCPBUGS-82147, OCPBUGS-92041, OCPBUGS-92042: Replace OLM-based Istio install with Sail Library#1459

Merged
openshift-merge-bot[bot] merged 12 commits into
openshift:release-4.20from
gcs278:backport-noOLM-4.20
Jul 3, 2026
Merged

[release-4.20] OCPBUGS-92038, OCPBUGS-92039, OCPBUGS-82147, OCPBUGS-92041, OCPBUGS-92042: Replace OLM-based Istio install with Sail Library#1459
openshift-merge-bot[bot] merged 12 commits into
openshift:release-4.20from
gcs278:backport-noOLM-4.20

Conversation

@gcs278

@gcs278 gcs278 commented Jun 2, 2026

Copy link
Copy Markdown
Contributor

Summary

Backport of the noOLM / Sail Library installation path (NE-2286, shipped in 4.22) to release-4.20. This resolves several fundamental OLM bugs that have no viable OLM-based workaround — most critically OCPBUGS-86778, which blocks all OSSM z-stream upgrades and prevents shipping CVE fixes.

This is part of an approved SBAR to backport the Sail Library (noOLM) from 4.22 to 4.19–4.21. This is an identical backport to the 4.21 PR: #1442 (origin test coverage: openshift/origin#31232).

This PR is intended to merge with the GatewayAPIWithoutOLM feature gate disabled, making it a no-op on merge. The goal is to subsequently enable the gate by default (via openshift/api) to activate the Sail Library path and resolve the OLM issues.

Background

Gateway API on OCP 4.19–4.21 uses the Cluster Ingress Operator (CIO) to install Istio via OLM (OSSM operator). This path has several critical bugs:

  • OCPBUGS-88295: OSSM z-stream upgrades are blocked, preventing CVE fixes from being delivered
  • OCPBUGS-82146: OLM-related install failures
  • OCPBUGS-78330: Hardcoded catalog source breaks disconnected environments
  • OCPBUGS-85550: Gateway API fails on clusters without Marketplace capability

In OCP 4.22, NE-2286 replaced OLM with the Sail Library — CIO now installs Istio directly via embedded Helm charts. This feature shipped as GA behind the GatewayAPIWithoutOLM feature gate.

Cherry-picked PRs

PR Title Why
#1354 NE-2471: Replace OLM-based Istio install with Sail Library Core change — adds istio_sail_installer.go, istio_olm.go refactor, migration.go, status.go, CRD manifests, Sail Library RBAC manifests
#1402 OCPBUGS-79467: Change default log level from DEBUG to INFO Sail Library generates ~2,000 debug logs/hour; without this fix, enabling noOLM floods the logs. Both commits cherry-picked (commit 2 was missed on 4.21 — not repeating that here).
#1404 NE-2519: Move Sail Library to official release branch Moves from dev Sail Library branch to official OSSM 3.3.1 release

Note: #1393 (OCPBUGS-79667: Use feature-gate annotation for Sail Library RBAC) was also a dependency but is being skipped because CVO on this release does not support the release.openshift.io/feature-gate annotation (openshift/cluster-version-operator#1273 was not backported). The Sail Library RBAC manifests will ship with the release.openshift.io/feature-set: CustomNoUpgrade annotation and will need a separate annotation removal PR before GA promotion, similar to what was done on 4.21 (#1462).

Versioning

This backport does not bump the Gateway API CRDs (remain at v1.3.0) or the Istio version (remains at v1.26.2) for the noOLM code path. When the GatewayAPIWithoutOLM feature gate is enabled, the Sail Library will install Istio using the same v1.26.2 version that the OLM path currently uses. This works because the vendored Sail Library (OSSM 3.3.1) still supports Istio 1.26.2.

When noOLM shipped in 4.22, the OLM and noOLM versions were already aligned at 3.3.1, so version separation was not needed. On 4.20, the OLM path is on 3.1.0 — keeping both paths at the same Istio version avoids introducing conditional logic or separate deployment manifests in the backport.

Conflicts resolved

  • pkg/operator/operator.go: Added GatewayAPIWithoutOLM gate alongside existing 4.20 gates (GatewayAPI, GatewayAPIController, RouteExternalCertificate, IngressControllerLBSubnetsAWS, SetEIPForNLBIngressController)
  • pkg/operator/controller/status/controller.go: Took incoming noOLM logic (useOLM/useSailLibrary, conditional subscription listing) but wrapped in existing 4.20 GatewayAPIEnabled guard
  • test/e2e/gateway_api_test.go: Kept 4.20 gatewayAPIControllerEnabled guard, added gatewayAPIWithoutOLMEnabled conditionals inside for Sail Library vs OLM test selection. Removed duplicate testCRDNames declaration (already present via [release-4.20] OCPBUGS-85523: Remove restriction of unmanaged x-k8s.io #1488). Kept istioCRDNames. Removed references to testGatewayAPIInfrastructureAnnotations, testGatewayAPIInternalLoadBalancer, and testGatewayOpenshiftConditions which were added in separate PRs not present on release-4.20.
  • go.mod / vendor/: Added replace directives for openshift/api (fork with gate), sail-operator (official OSSM 3.3.1), and dependency pins (see Dependency Pinning Approach below). Re-vendored from scratch.
  • pkg/operator/controller/canary/daemonset.go: Skipped log.Info() addition from PR OCPBUGS-79467: Change default log level from DEBUG to INFO #1402 commit 2 — references cert-hash-rotation code not present on release-4.20
  • pkg/operator/controller/canary-certificate/controller.go: Skipped log.Info() additions from PR OCPBUGS-79467: Change default log level from DEBUG to INFO #1402 commit 2 — controller does not exist on release-4.20

Rollout Plan

Phase 1 — Land code (gate OFF)

Phase 2 — TechPreview soak

Phase 3 — GA promotion

Dependency Pinning Approach

Unlike the 4.21 backport which bumped k8s and controller-runtime, this backport keeps all dependencies at their original 4.20 versions. The sail-operator (OSSM 3.3.1) requires k8s 0.34 and controller-runtime 0.22, but its pkg/install package only uses basic CRUD operations (client.New, client.Get, client.Create, client.Update) and stable types (metav1, corev1, runtime, rest.Config) that exist unchanged in the 4.20 versions.

To prevent go mod tidy from bumping dependencies transitively, the following replace directives pin modules to their 4.20 versions:

Module Pinned Version 4.20 Original
k8s.io/api v0.33.2 v0.33.2
k8s.io/apimachinery v0.33.2 v0.33.2
k8s.io/client-go v0.32.1 v0.32.1
k8s.io/apiextensions-apiserver v0.33.0 v0.33.0
k8s.io/apiserver v0.33.0 v0.33.0
k8s.io/component-base v0.33.0 v0.33.0
k8s.io/kube-openapi v0.0.0-20250318... v0.0.0-20250318...
sigs.k8s.io/controller-runtime v0.20.4 v0.20.4
sigs.k8s.io/gateway-api v1.2.1 v1.2.1
github.com/google/gnostic-models v0.6.9 v0.6.9

Why pinning is necessary: The sail-operator (OSSM 3.3.1) transitively pulls in k8s 0.34 and controller-runtime 0.22, which would force a k8s minor version bump incompatible with the frozen openshift ecosystem packages (client-go, library-go). Without the pins, go mod tidy would bump these dependencies and break the build.

Risk assessment: The sail-operator install package uses only stable controller-runtime interfaces (client.Client CRUD operations, pkg/log, pkg/scheme). No APIs introduced in controller-runtime 0.21+ or k8s 0.34+ are used. The structured-merge-diff/v4 vs v6 incompatibility that would arise from bumping k8s is avoided entirely. This approach was validated by building successfully and by auditing every import in the sail-operator's pkg/install, api/v1, and resources packages.

Longevity: If a future z-stream requires vendoring a newer sail-operator, the pins should be re-evaluated — but z-streams do not bump k8s minor versions, so these pins are expected to hold for the life of 4.20.

Verification

  • make builds successfully
  • No unresolved merge conflict markers in any commit
  • Full CI (blocked on openshift/api dependency)

🤖 Generated with Claude Code

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Jun 2, 2026
@openshift-ci-robot

openshift-ci-robot commented Jun 2, 2026

Copy link
Copy Markdown
Contributor

@gcs278: This pull request references NE-2286 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the epic to target either version "4.20." or "openshift-4.20.", but it targets "openshift-4.22" instead.

Details

In response to this:

Summary

Backport of the noOLM / Sail Library installation path (NE-2286, shipped in 4.22) to release-4.20. This resolves several fundamental OLM bugs that have no viable OLM-based workaround — most critically OCPBUGS-86778, which blocks all OSSM z-stream upgrades and prevents shipping CVE fixes.

This PR is intended to merge with the GatewayAPIWithoutOLM feature gate disabled, making it a no-op on merge. The goal is to subsequently enable the gate by default (via openshift/api) to activate the Sail Library path and resolve the OLM issues.

Cherry-picked PRs

PR Title Why
#1354 NE-2471: Replace OLM-based Istio install with Sail Library Core change — adds istio_sail_installer.go, istio_olm.go refactor, migration.go, status.go, CRD manifests, Sail Library RBAC manifests
#1393 OCPBUGS-79667: Use feature-gate annotation for Sail Library RBAC Conditionally deploys Sail Library RBAC based on GatewayAPIWithoutOLM feature gate — required for the gate to control RBAC deployment when enabled
#1402 OCPBUGS-79467: Change default log level from DEBUG to INFO Sail Library generates ~2,000 debug logs/hour; without this fix, enabling noOLM floods the logs. Only the log level change (commit 1) is cherry-picked; commit 2 references code not present on 4.20.
#1404 NE-2519: Move Sail Library to official release branch Moves from dev Sail Library branch to official OSSM 3.3.1 release

Versioning

This backport does not bump the Gateway API CRDs (remain at v1.3.0) or the Istio version (remains at v1.26.2) for the noOLM code path. When the GatewayAPIWithoutOLM feature gate is enabled, the Sail Library will install Istio using the same v1.26.2 version that the OLM path currently uses. This works because the vendored Sail Library (OSSM 3.3.1) still supports Istio 1.26.2.

Dependency Pinning Approach

Unlike the 4.21 backport which bumped k8s and controller-runtime, this backport keeps all dependencies at their original 4.20 versions. The sail-operator (OSSM 3.3.1) requires k8s 0.34 and controller-runtime 0.22, but its pkg/install package only uses basic CRUD operations (client.New, client.Get, client.Create, client.Update) and stable types (metav1, corev1, runtime, rest.Config) that exist unchanged in the 4.20 versions.

To prevent go mod tidy from bumping dependencies transitively, the following replace directives pin modules to their 4.20 versions:

Module Pinned Version 4.20 Original
k8s.io/api v0.33.2 v0.33.2
k8s.io/apimachinery v0.33.2 v0.33.2
k8s.io/client-go v0.32.1 v0.32.1
k8s.io/apiextensions-apiserver v0.33.0 v0.33.0
k8s.io/apiserver v0.33.0 v0.33.0
k8s.io/component-base v0.33.0 v0.33.0
k8s.io/kube-openapi v0.0.0-20250318... v0.0.0-20250318...
sigs.k8s.io/controller-runtime v0.20.4 v0.20.4
sigs.k8s.io/gateway-api v1.2.1 v1.2.1
github.com/google/gnostic-models v0.6.9 v0.6.9

Risk assessment: The sail-operator install package uses only stable controller-runtime interfaces (client.Client CRUD operations, pkg/log, pkg/scheme). No APIs introduced in controller-runtime 0.21+ or k8s 0.34+ are used. The structured-merge-diff/v4 vs v6 incompatibility that would arise from bumping k8s is avoided entirely. This approach was validated by building successfully and by auditing every import in the sail-operator's pkg/install, api/v1, and resources packages.

Conflicts resolved

  • pkg/operator/operator.go: Added GatewayAPIWithoutOLM gate alongside existing 4.20 gates (GatewayAPI, GatewayAPIController, RouteExternalCertificate, IngressControllerLBSubnetsAWS, SetEIPForNLBIngressController)
  • pkg/operator/controller/status/controller.go: Took incoming noOLM logic (useOLM/useSailLibrary, conditional subscription listing) but wrapped in existing 4.20 GatewayAPIEnabled guard
  • test/e2e/gateway_api_test.go: Kept 4.20 gatewayAPIControllerEnabled guard, added gatewayAPIWithoutOLMEnabled conditionals inside for Sail Library vs OLM test selection. Kept xcrdNames alongside new istioCRDNames. Removed references to testGatewayAPIInfrastructureAnnotations, testGatewayAPIInternalLoadBalancer, and testGatewayOpenshiftConditions which were added in separate PRs not present on release-4.20.
  • go.mod / vendor/: Added replace directives for openshift/api (fork with gate), sail-operator (official OSSM 3.3.1), and dependency pins (see Dependency Pinning Approach above). Re-vendored from scratch.

Merge Order

  1. Merge openshift/api PR — FG as disabled, allows CI to start
  2. TODO: Backport noOLM E2E tests to origin release-4.20
  3. Merge this PR — Sail Library code lands, gate still OFF
  4. Merge openshift/api PR — FG promotion to Default GA, activates noOLM
  5. Verify CI is green

Verification

  • make builds successfully
  • No unresolved merge conflict markers in any commit
  • Full CI (blocked on openshift/api dependency)

🤖 Generated with Claude Code

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@coderabbitai

coderabbitai Bot commented Jun 2, 2026

Copy link
Copy Markdown

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: f723af53-f3e8-4df6-a205-55e8f1a5508b

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

  • 🔍 Trigger review
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Comment @coderabbitai help to get the list of available commands.

@openshift-ci openshift-ci Bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jun 2, 2026
@openshift-ci

openshift-ci Bot commented Jun 2, 2026

Copy link
Copy Markdown
Contributor

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@gcs278 gcs278 changed the title NE-2286: Backport noOLM / Sail Library to release-4.20 [release-4.20] NE-2286: Backport noOLM / Sail Library to release-4.20 Jun 2, 2026
@gcs278

gcs278 commented Jun 2, 2026

Copy link
Copy Markdown
Contributor Author

/testwith openshift/cluster-ingress-operator/release-4.20/e2e-aws-operator openshift/api#2869

@gcs278

gcs278 commented Jun 5, 2026

Copy link
Copy Markdown
Contributor Author

/testwith openshift/cluster-ingress-operator/release-4.20/e2e-aws-operator openshift/api#2869

@gcs278 gcs278 marked this pull request as ready for review June 18, 2026 18:19
@openshift-ci openshift-ci Bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jun 18, 2026
@gcs278

gcs278 commented Jun 18, 2026

Copy link
Copy Markdown
Contributor Author

Ready for early review, but blocked on getting some Jira Tickets set up and the 4.21 NO-OLM backport to merge to GA (openshift/api#2865)
/hold

@openshift-ci openshift-ci Bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jun 18, 2026
@openshift-ci openshift-ci Bot requested review from grzpiotrowski and rikatz June 18, 2026 18:20
@gcs278 gcs278 changed the title [release-4.20] NE-2286: Backport noOLM / Sail Library to release-4.20 [release-4.20] Replace OLM-based Istio install with Sail Library Jun 22, 2026
@openshift-ci-robot openshift-ci-robot removed the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Jun 22, 2026
@openshift-ci-robot

Copy link
Copy Markdown
Contributor

@gcs278: No Jira issue is referenced in the title of this pull request.
To reference a jira issue, add 'XYZ-NNN:' to the title of this pull request and request another refresh with /jira refresh.

Details

In response to this:

Summary

Backport of the noOLM / Sail Library installation path (NE-2286, shipped in 4.22) to release-4.20. This resolves several fundamental OLM bugs that have no viable OLM-based workaround — most critically OCPBUGS-86778, which blocks all OSSM z-stream upgrades and prevents shipping CVE fixes.

This PR is intended to merge with the GatewayAPIWithoutOLM feature gate disabled, making it a no-op on merge. The goal is to subsequently enable the gate by default (via openshift/api) to activate the Sail Library path and resolve the OLM issues.

Cherry-picked PRs

PR Title Why
#1354 NE-2471: Replace OLM-based Istio install with Sail Library Core change — adds istio_sail_installer.go, istio_olm.go refactor, migration.go, status.go, CRD manifests, Sail Library RBAC manifests
#1402 OCPBUGS-79467: Change default log level from DEBUG to INFO Sail Library generates ~2,000 debug logs/hour; without this fix, enabling noOLM floods the logs. Only the log level change (commit 1) is cherry-picked; commit 2 references code not present on 4.20.
#1404 NE-2519: Move Sail Library to official release branch Moves from dev Sail Library branch to official OSSM 3.3.1 release

Note: #1393 (OCPBUGS-79667: Use feature-gate annotation for Sail Library RBAC) was also a dependency but is being skipped because CVO on this release does not support the release.openshift.io/feature-gate annotation (openshift/cluster-version-operator#1273 was not backported). As a result, the Sail Library RBAC manifests use the release.openshift.io/feature-set annotation and a separate PR will be needed to remove this annotation before promoting the feature gate to GA.

Versioning

This backport does not bump the Gateway API CRDs (remain at v1.3.0) or the Istio version (remains at v1.26.2) for the noOLM code path. When the GatewayAPIWithoutOLM feature gate is enabled, the Sail Library will install Istio using the same v1.26.2 version that the OLM path currently uses. This works because the vendored Sail Library (OSSM 3.3.1) still supports Istio 1.26.2.

Dependency Pinning Approach

Unlike the 4.21 backport which bumped k8s and controller-runtime, this backport keeps all dependencies at their original 4.20 versions. The sail-operator (OSSM 3.3.1) requires k8s 0.34 and controller-runtime 0.22, but its pkg/install package only uses basic CRUD operations (client.New, client.Get, client.Create, client.Update) and stable types (metav1, corev1, runtime, rest.Config) that exist unchanged in the 4.20 versions.

To prevent go mod tidy from bumping dependencies transitively, the following replace directives pin modules to their 4.20 versions:

Module Pinned Version 4.20 Original
k8s.io/api v0.33.2 v0.33.2
k8s.io/apimachinery v0.33.2 v0.33.2
k8s.io/client-go v0.32.1 v0.32.1
k8s.io/apiextensions-apiserver v0.33.0 v0.33.0
k8s.io/apiserver v0.33.0 v0.33.0
k8s.io/component-base v0.33.0 v0.33.0
k8s.io/kube-openapi v0.0.0-20250318... v0.0.0-20250318...
sigs.k8s.io/controller-runtime v0.20.4 v0.20.4
sigs.k8s.io/gateway-api v1.2.1 v1.2.1
github.com/google/gnostic-models v0.6.9 v0.6.9

Risk assessment: The sail-operator install package uses only stable controller-runtime interfaces (client.Client CRUD operations, pkg/log, pkg/scheme). No APIs introduced in controller-runtime 0.21+ or k8s 0.34+ are used. The structured-merge-diff/v4 vs v6 incompatibility that would arise from bumping k8s is avoided entirely. This approach was validated by building successfully and by auditing every import in the sail-operator's pkg/install, api/v1, and resources packages.

Conflicts resolved

  • pkg/operator/operator.go: Added GatewayAPIWithoutOLM gate alongside existing 4.20 gates (GatewayAPI, GatewayAPIController, RouteExternalCertificate, IngressControllerLBSubnetsAWS, SetEIPForNLBIngressController)
  • pkg/operator/controller/status/controller.go: Took incoming noOLM logic (useOLM/useSailLibrary, conditional subscription listing) but wrapped in existing 4.20 GatewayAPIEnabled guard
  • test/e2e/gateway_api_test.go: Kept 4.20 gatewayAPIControllerEnabled guard, added gatewayAPIWithoutOLMEnabled conditionals inside for Sail Library vs OLM test selection. Kept xcrdNames alongside new istioCRDNames. Removed references to testGatewayAPIInfrastructureAnnotations, testGatewayAPIInternalLoadBalancer, and testGatewayOpenshiftConditions which were added in separate PRs not present on release-4.20.
  • go.mod / vendor/: Added replace directives for openshift/api (fork with gate), sail-operator (official OSSM 3.3.1), and dependency pins (see Dependency Pinning Approach above). Re-vendored from scratch.

Merge Order

  1. Merge openshift/api PR — FG as disabled, allows CI to start
  2. TODO: Backport noOLM E2E tests to origin release-4.20
  3. Merge this PR — Sail Library code lands, gate still OFF
  4. Merge [release-4.20] OCPBUGS-92038, OCPBUGS-92039, OCPBUGS-82147, OCPBUGS-92041, OCPBUGS-92042: Promote GatewayAPIWithoutOLM feature gate to TechPreview api#2874 — FG promotion to TechPreview, allows CI soak
  5. Verify CI is green
  6. TODO: Merge CIO PR to remove release.openshift.io/feature-set annotation from Sail Library RBAC manifests
  7. Merge openshift/api PR — FG promotion to Default GA, activates noOLM
  8. Verify CI is green

Verification

  • make builds successfully
  • No unresolved merge conflict markers in any commit
  • Full CI (blocked on openshift/api dependency)

🤖 Generated with Claude Code

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@gcs278

gcs278 commented Jun 24, 2026

Copy link
Copy Markdown
Contributor Author

/assign @aswinsuryan
/assign @rikatz

@gcs278 gcs278 changed the title [release-4.20] Replace OLM-based Istio install with Sail Library [release-4.20] OCPBUGS-92038, OCPBUGS-92039, OCPBUGS-92040, OCPBUGS-92041, OCPBUGS-92042: Replace OLM-based Istio install with Sail Library Jun 24, 2026
@openshift-ci-robot openshift-ci-robot added jira/severity-critical Referenced Jira bug's severity is critical for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels Jun 24, 2026
@openshift-ci openshift-ci Bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jul 2, 2026
@openshift-merge-bot

Copy link
Copy Markdown
Contributor

/retest-required

Remaining retests: 0 against base HEAD d1ade79 and 2 for PR HEAD faf1ca7 in total

Vendor the GatewayAPIWithoutOLM in the openshift/api repo to support
backporting the No OLM logic into the release-4.20 branch.

PR: openshift#1354
@openshift-ci-robot

Copy link
Copy Markdown
Contributor

@gcs278: This pull request references Jira Issue OCPBUGS-92038, which is valid.

7 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.20.z) matches configured target version for branch (4.20.z)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)
  • release note text is set and does not match the template
  • dependent bug Jira Issue OCPBUGS-88295 is in the state Verified, which is one of the valid states (VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA))
  • dependent Jira Issue OCPBUGS-88295 targets the "4.21.z" version, which is one of the valid target versions: 4.21.0, 4.21.z
  • bug has dependents

Requesting review from QA contact:
/cc @melvinjoseph86

This pull request references Jira Issue OCPBUGS-92039, which is valid.

7 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.20.z) matches configured target version for branch (4.20.z)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)
  • release note text is set and does not match the template
  • dependent bug Jira Issue OCPBUGS-88297 is in the state Verified, which is one of the valid states (VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA))
  • dependent Jira Issue OCPBUGS-88297 targets the "4.21.z" version, which is one of the valid target versions: 4.21.0, 4.21.z
  • bug has dependents

No GitHub users were found matching the public email listed for the QA contact in Jira (iamin@redhat.com), skipping review request.

This pull request references Jira Issue OCPBUGS-82147, which is valid.

7 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.20.z) matches configured target version for branch (4.20.z)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)
  • release note text is set and does not match the template
  • dependent bug Jira Issue OCPBUGS-82146 is in the state Verified, which is one of the valid states (VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA))
  • dependent Jira Issue OCPBUGS-82146 targets the "4.21.z" version, which is one of the valid target versions: 4.21.0, 4.21.z
  • bug has dependents

No GitHub users were found matching the public email listed for the QA contact in Jira (iamin@redhat.com), skipping review request.

This pull request references Jira Issue OCPBUGS-92041, which is valid.

7 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.20.z) matches configured target version for branch (4.20.z)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)
  • release note text is set and does not match the template
  • dependent bug Jira Issue OCPBUGS-78330 is in the state Verified, which is one of the valid states (VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA))
  • dependent Jira Issue OCPBUGS-78330 targets the "4.21.z" version, which is one of the valid target versions: 4.21.0, 4.21.z
  • bug has dependents

No GitHub users were found matching the public email listed for the QA contact in Jira (iamin@redhat.com), skipping review request.

This pull request references Jira Issue OCPBUGS-92042, which is valid.

7 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.20.z) matches configured target version for branch (4.20.z)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)
  • release note text is set and does not match the template
  • dependent bug Jira Issue OCPBUGS-85550 is in the state Verified, which is one of the valid states (VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA))
  • dependent Jira Issue OCPBUGS-85550 targets the "4.21.z" version, which is one of the valid target versions: 4.21.0, 4.21.z
  • bug has dependents

Requesting review from QA contact:
/cc @melvinjoseph86

Details

In response to this:

Summary

Backport of the noOLM / Sail Library installation path (NE-2286, shipped in 4.22) to release-4.20. This resolves several fundamental OLM bugs that have no viable OLM-based workaround — most critically OCPBUGS-86778, which blocks all OSSM z-stream upgrades and prevents shipping CVE fixes.

This is part of an approved SBAR to backport the Sail Library (noOLM) from 4.22 to 4.19–4.21. This is an identical backport to the 4.21 PR: #1442 (origin test coverage: openshift/origin#31232).

This PR is intended to merge with the GatewayAPIWithoutOLM feature gate disabled, making it a no-op on merge. The goal is to subsequently enable the gate by default (via openshift/api) to activate the Sail Library path and resolve the OLM issues.

Background

Gateway API on OCP 4.19–4.21 uses the Cluster Ingress Operator (CIO) to install Istio via OLM (OSSM operator). This path has several critical bugs:

  • OCPBUGS-88295: OSSM z-stream upgrades are blocked, preventing CVE fixes from being delivered
  • OCPBUGS-82146: OLM-related install failures
  • OCPBUGS-78330: Hardcoded catalog source breaks disconnected environments
  • OCPBUGS-85550: Gateway API fails on clusters without Marketplace capability

In OCP 4.22, NE-2286 replaced OLM with the Sail Library — CIO now installs Istio directly via embedded Helm charts. This feature shipped as GA behind the GatewayAPIWithoutOLM feature gate.

Cherry-picked PRs

PR Title Why
#1354 NE-2471: Replace OLM-based Istio install with Sail Library Core change — adds istio_sail_installer.go, istio_olm.go refactor, migration.go, status.go, CRD manifests, Sail Library RBAC manifests
#1402 OCPBUGS-79467: Change default log level from DEBUG to INFO Sail Library generates ~2,000 debug logs/hour; without this fix, enabling noOLM floods the logs. Both commits cherry-picked (commit 2 was missed on 4.21 — not repeating that here).
#1404 NE-2519: Move Sail Library to official release branch Moves from dev Sail Library branch to official OSSM 3.3.1 release

Note: #1393 (OCPBUGS-79667: Use feature-gate annotation for Sail Library RBAC) was also a dependency but is being skipped because CVO on this release does not support the release.openshift.io/feature-gate annotation (openshift/cluster-version-operator#1273 was not backported). The Sail Library RBAC manifests will ship with the release.openshift.io/feature-set: CustomNoUpgrade annotation and will need a separate annotation removal PR before GA promotion, similar to what was done on 4.21 (#1462).

Versioning

This backport does not bump the Gateway API CRDs (remain at v1.3.0) or the Istio version (remains at v1.26.2) for the noOLM code path. When the GatewayAPIWithoutOLM feature gate is enabled, the Sail Library will install Istio using the same v1.26.2 version that the OLM path currently uses. This works because the vendored Sail Library (OSSM 3.3.1) still supports Istio 1.26.2.

When noOLM shipped in 4.22, the OLM and noOLM versions were already aligned at 3.3.1, so version separation was not needed. On 4.20, the OLM path is on 3.1.0 — keeping both paths at the same Istio version avoids introducing conditional logic or separate deployment manifests in the backport.

Conflicts resolved

  • pkg/operator/operator.go: Added GatewayAPIWithoutOLM gate alongside existing 4.20 gates (GatewayAPI, GatewayAPIController, RouteExternalCertificate, IngressControllerLBSubnetsAWS, SetEIPForNLBIngressController)
  • pkg/operator/controller/status/controller.go: Took incoming noOLM logic (useOLM/useSailLibrary, conditional subscription listing) but wrapped in existing 4.20 GatewayAPIEnabled guard
  • test/e2e/gateway_api_test.go: Kept 4.20 gatewayAPIControllerEnabled guard, added gatewayAPIWithoutOLMEnabled conditionals inside for Sail Library vs OLM test selection. Removed duplicate testCRDNames declaration (already present via [release-4.20] OCPBUGS-85523: Remove restriction of unmanaged x-k8s.io #1488). Kept istioCRDNames. Removed references to testGatewayAPIInfrastructureAnnotations, testGatewayAPIInternalLoadBalancer, and testGatewayOpenshiftConditions which were added in separate PRs not present on release-4.20.
  • go.mod / vendor/: Added replace directives for openshift/api (fork with gate), sail-operator (official OSSM 3.3.1), and dependency pins (see Dependency Pinning Approach below). Re-vendored from scratch.
  • pkg/operator/controller/canary/daemonset.go: Skipped log.Info() addition from PR OCPBUGS-79467: Change default log level from DEBUG to INFO #1402 commit 2 — references cert-hash-rotation code not present on release-4.20
  • pkg/operator/controller/canary-certificate/controller.go: Skipped log.Info() additions from PR OCPBUGS-79467: Change default log level from DEBUG to INFO #1402 commit 2 — controller does not exist on release-4.20

Rollout Plan

Phase 1 — Land code (gate OFF)

Phase 2 — TechPreview soak

Phase 3 — GA promotion

Dependency Pinning Approach

Unlike the 4.21 backport which bumped k8s and controller-runtime, this backport keeps all dependencies at their original 4.20 versions. The sail-operator (OSSM 3.3.1) requires k8s 0.34 and controller-runtime 0.22, but its pkg/install package only uses basic CRUD operations (client.New, client.Get, client.Create, client.Update) and stable types (metav1, corev1, runtime, rest.Config) that exist unchanged in the 4.20 versions.

To prevent go mod tidy from bumping dependencies transitively, the following replace directives pin modules to their 4.20 versions:

Module Pinned Version 4.20 Original
k8s.io/api v0.33.2 v0.33.2
k8s.io/apimachinery v0.33.2 v0.33.2
k8s.io/client-go v0.32.1 v0.32.1
k8s.io/apiextensions-apiserver v0.33.0 v0.33.0
k8s.io/apiserver v0.33.0 v0.33.0
k8s.io/component-base v0.33.0 v0.33.0
k8s.io/kube-openapi v0.0.0-20250318... v0.0.0-20250318...
sigs.k8s.io/controller-runtime v0.20.4 v0.20.4
sigs.k8s.io/gateway-api v1.2.1 v1.2.1
github.com/google/gnostic-models v0.6.9 v0.6.9

Why pinning is necessary: The sail-operator (OSSM 3.3.1) transitively pulls in k8s 0.34 and controller-runtime 0.22, which would force a k8s minor version bump incompatible with the frozen openshift ecosystem packages (client-go, library-go). Without the pins, go mod tidy would bump these dependencies and break the build.

Risk assessment: The sail-operator install package uses only stable controller-runtime interfaces (client.Client CRUD operations, pkg/log, pkg/scheme). No APIs introduced in controller-runtime 0.21+ or k8s 0.34+ are used. The structured-merge-diff/v4 vs v6 incompatibility that would arise from bumping k8s is avoided entirely. This approach was validated by building successfully and by auditing every import in the sail-operator's pkg/install, api/v1, and resources packages.

Longevity: If a future z-stream requires vendoring a newer sail-operator, the pins should be re-evaluated — but z-streams do not bump k8s minor versions, so these pins are expected to hold for the life of 4.20.

Verification

  • make builds successfully
  • No unresolved merge conflict markers in any commit
  • Full CI (blocked on openshift/api dependency)

🤖 Generated with Claude Code

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@gcs278 gcs278 force-pushed the backport-noOLM-4.20 branch from faf1ca7 to ee7b819 Compare July 2, 2026 22:56
@openshift-ci-robot openshift-ci-robot removed the verified Signifies that the PR passed pre-merge verification criteria label Jul 2, 2026
@openshift-ci openshift-ci Bot removed the lgtm Indicates that a PR is ready to be merged. label Jul 2, 2026
@gcs278 gcs278 force-pushed the backport-noOLM-4.20 branch from ee7b819 to 5a6e37a Compare July 2, 2026 23:02
gcs278 and others added 11 commits July 2, 2026 19:04
Cherry-picked from: 8a40966
openshift#1354

Conflicts resolved:
- pkg/operator/operator.go: Added GatewayAPIWithoutOLM gate alongside
  existing 4.20 gates (GatewayAPI, GatewayAPIController, RouteExternalCertificate,
  IngressControllerLBSubnetsAWS, SetEIPForNLBIngressController)
- Note: Go tidy will fail in this commit since Aslak's development branch pulls in
  K8S dependencies that are too new - a future commit in this backport
  will vendor the official release resolve go.mod
Cherry-picked from: ed2eb36
openshift#1354

Conflicts resolved:
- pkg/operator/controller/status/controller.go: Took incoming noOLM logic
  (useOLM/useSailLibrary, conditional subscription listing) but wrapped in
  existing 4.20 GatewayAPIEnabled guard. Restored GatewayAPIControllerEnabled
  guard that was present in the original condition but dropped during
  cherry-pick.
Cherry-picked from: 9c4d792
openshift#1354

Conflicts resolved:
- test/e2e/gateway_api_test.go: Kept 4.20 gatewayAPIControllerEnabled guard,
  added gatewayAPIWithoutOLMEnabled conditionals inside it. Kept istioCRDNames.
  Removed references to testGatewayAPIInfrastructureAnnotations,
  testGatewayAPIInternalLoadBalancer, and testGatewayOpenshiftConditions
  which were added in separate PRs not present on release-4.20.
Controller-runtime echoes all recorder.Event() calls to DEBUG logs.
When we switched from DEBUG to INFO level, these operational events
became invisible in logs (though they still exist as K8s Events).

Add log.Info() calls alongside 16 recorder.Event() calls to restore
visibility of important operational events including certificate
lifecycle, IngressController admission, and DNS warnings.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Cherry-picked from: 43c978a
openshift#1404

Conflicts resolved:
- go.mod: Switched sail-operator replace from aslakknutsen's development
  fork to the official openshift-service-mesh/sail-operator v0.0.0-20260327145107
  (OSSM 3.3.1). Added replace directives to pin k8s.io/api, apimachinery,
  apiextensions-apiserver, apiserver, client-go, component-base,
  kube-openapi, controller-runtime, gateway-api, and gnostic-models to
  their original 4.20 versions, preventing the sail-operator's transitive
  dependencies from bumping them. This avoids the structured-merge-diff
  v4/v6 incompatibility and preserves compatibility with the 4.20
  openshift/client-go and openshift/library-go.
- vendor/: Re-vendored from scratch with pinned dependencies.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@gcs278 gcs278 force-pushed the backport-noOLM-4.20 branch from 5a6e37a to 0631003 Compare July 2, 2026 23:05
@gcs278

gcs278 commented Jul 2, 2026

Copy link
Copy Markdown
Contributor Author

There was a conflict due to another backport #1488, that caused a variable to be declared twice. Removed here.

Rebased, fixed the conflict, and updated some commit messages to be accurate for 4.20. Will need another LGTM @rikatz

@openshift-ci

openshift-ci Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

@gcs278: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@melvinjoseph86

Copy link
Copy Markdown

Addind verified label again based on #1459 (comment)
/verified by @rhamini3

@openshift-ci-robot

Copy link
Copy Markdown
Contributor

@melvinjoseph86: This PR has been marked as verified by @rhamini3.

Details

In response to this:

Addind verified label again based on #1459 (comment)
/verified by @rhamini3

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci-robot openshift-ci-robot added the verified Signifies that the PR passed pre-merge verification criteria label Jul 3, 2026
@rikatz

rikatz commented Jul 3, 2026

Copy link
Copy Markdown
Member

/lgtm
thanks

@openshift-ci openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label Jul 3, 2026
@openshift-merge-bot openshift-merge-bot Bot merged commit e40a071 into openshift:release-4.20 Jul 3, 2026
16 checks passed
@openshift-ci-robot

Copy link
Copy Markdown
Contributor

@gcs278: Jira Issue OCPBUGS-92038: Some pull requests linked via external trackers have merged:

The following pull request, linked via external tracker, has not merged:

All associated pull requests must be merged or unlinked from the Jira bug in order for it to move to the next state. Once unlinked, request a bug refresh with /jira refresh.

Jira Issue OCPBUGS-92038 has not been moved to the MODIFIED state.

This PR is marked as verified. If the remaining PRs listed above are marked as verified before merging, the issue will automatically be moved to VERIFIED after all of the changes from the PRs are available in an accepted nightly payload.

Jira Issue OCPBUGS-92039: Some pull requests linked via external trackers have merged:

The following pull request, linked via external tracker, has not merged:

All associated pull requests must be merged or unlinked from the Jira bug in order for it to move to the next state. Once unlinked, request a bug refresh with /jira refresh.

Jira Issue OCPBUGS-92039 has not been moved to the MODIFIED state.

This PR is marked as verified. If the remaining PRs listed above are marked as verified before merging, the issue will automatically be moved to VERIFIED after all of the changes from the PRs are available in an accepted nightly payload.

Jira Issue OCPBUGS-82147: Some pull requests linked via external trackers have merged:

The following pull request, linked via external tracker, has not merged:

All associated pull requests must be merged or unlinked from the Jira bug in order for it to move to the next state. Once unlinked, request a bug refresh with /jira refresh.

Jira Issue OCPBUGS-82147 has not been moved to the MODIFIED state.

This PR is marked as verified. If the remaining PRs listed above are marked as verified before merging, the issue will automatically be moved to VERIFIED after all of the changes from the PRs are available in an accepted nightly payload.

Jira Issue OCPBUGS-92041: Some pull requests linked via external trackers have merged:

The following pull request, linked via external tracker, has not merged:

All associated pull requests must be merged or unlinked from the Jira bug in order for it to move to the next state. Once unlinked, request a bug refresh with /jira refresh.

Jira Issue OCPBUGS-92041 has not been moved to the MODIFIED state.

This PR is marked as verified. If the remaining PRs listed above are marked as verified before merging, the issue will automatically be moved to VERIFIED after all of the changes from the PRs are available in an accepted nightly payload.

Jira Issue OCPBUGS-92042: Some pull requests linked via external trackers have merged:

The following pull request, linked via external tracker, has not merged:

All associated pull requests must be merged or unlinked from the Jira bug in order for it to move to the next state. Once unlinked, request a bug refresh with /jira refresh.

Jira Issue OCPBUGS-92042 has not been moved to the MODIFIED state.

This PR is marked as verified. If the remaining PRs listed above are marked as verified before merging, the issue will automatically be moved to VERIFIED after all of the changes from the PRs are available in an accepted nightly payload.

Details

In response to this:

Summary

Backport of the noOLM / Sail Library installation path (NE-2286, shipped in 4.22) to release-4.20. This resolves several fundamental OLM bugs that have no viable OLM-based workaround — most critically OCPBUGS-86778, which blocks all OSSM z-stream upgrades and prevents shipping CVE fixes.

This is part of an approved SBAR to backport the Sail Library (noOLM) from 4.22 to 4.19–4.21. This is an identical backport to the 4.21 PR: #1442 (origin test coverage: openshift/origin#31232).

This PR is intended to merge with the GatewayAPIWithoutOLM feature gate disabled, making it a no-op on merge. The goal is to subsequently enable the gate by default (via openshift/api) to activate the Sail Library path and resolve the OLM issues.

Background

Gateway API on OCP 4.19–4.21 uses the Cluster Ingress Operator (CIO) to install Istio via OLM (OSSM operator). This path has several critical bugs:

  • OCPBUGS-88295: OSSM z-stream upgrades are blocked, preventing CVE fixes from being delivered
  • OCPBUGS-82146: OLM-related install failures
  • OCPBUGS-78330: Hardcoded catalog source breaks disconnected environments
  • OCPBUGS-85550: Gateway API fails on clusters without Marketplace capability

In OCP 4.22, NE-2286 replaced OLM with the Sail Library — CIO now installs Istio directly via embedded Helm charts. This feature shipped as GA behind the GatewayAPIWithoutOLM feature gate.

Cherry-picked PRs

PR Title Why
#1354 NE-2471: Replace OLM-based Istio install with Sail Library Core change — adds istio_sail_installer.go, istio_olm.go refactor, migration.go, status.go, CRD manifests, Sail Library RBAC manifests
#1402 OCPBUGS-79467: Change default log level from DEBUG to INFO Sail Library generates ~2,000 debug logs/hour; without this fix, enabling noOLM floods the logs. Both commits cherry-picked (commit 2 was missed on 4.21 — not repeating that here).
#1404 NE-2519: Move Sail Library to official release branch Moves from dev Sail Library branch to official OSSM 3.3.1 release

Note: #1393 (OCPBUGS-79667: Use feature-gate annotation for Sail Library RBAC) was also a dependency but is being skipped because CVO on this release does not support the release.openshift.io/feature-gate annotation (openshift/cluster-version-operator#1273 was not backported). The Sail Library RBAC manifests will ship with the release.openshift.io/feature-set: CustomNoUpgrade annotation and will need a separate annotation removal PR before GA promotion, similar to what was done on 4.21 (#1462).

Versioning

This backport does not bump the Gateway API CRDs (remain at v1.3.0) or the Istio version (remains at v1.26.2) for the noOLM code path. When the GatewayAPIWithoutOLM feature gate is enabled, the Sail Library will install Istio using the same v1.26.2 version that the OLM path currently uses. This works because the vendored Sail Library (OSSM 3.3.1) still supports Istio 1.26.2.

When noOLM shipped in 4.22, the OLM and noOLM versions were already aligned at 3.3.1, so version separation was not needed. On 4.20, the OLM path is on 3.1.0 — keeping both paths at the same Istio version avoids introducing conditional logic or separate deployment manifests in the backport.

Conflicts resolved

  • pkg/operator/operator.go: Added GatewayAPIWithoutOLM gate alongside existing 4.20 gates (GatewayAPI, GatewayAPIController, RouteExternalCertificate, IngressControllerLBSubnetsAWS, SetEIPForNLBIngressController)
  • pkg/operator/controller/status/controller.go: Took incoming noOLM logic (useOLM/useSailLibrary, conditional subscription listing) but wrapped in existing 4.20 GatewayAPIEnabled guard
  • test/e2e/gateway_api_test.go: Kept 4.20 gatewayAPIControllerEnabled guard, added gatewayAPIWithoutOLMEnabled conditionals inside for Sail Library vs OLM test selection. Removed duplicate testCRDNames declaration (already present via [release-4.20] OCPBUGS-85523: Remove restriction of unmanaged x-k8s.io #1488). Kept istioCRDNames. Removed references to testGatewayAPIInfrastructureAnnotations, testGatewayAPIInternalLoadBalancer, and testGatewayOpenshiftConditions which were added in separate PRs not present on release-4.20.
  • go.mod / vendor/: Added replace directives for openshift/api (fork with gate), sail-operator (official OSSM 3.3.1), and dependency pins (see Dependency Pinning Approach below). Re-vendored from scratch.
  • pkg/operator/controller/canary/daemonset.go: Skipped log.Info() addition from PR OCPBUGS-79467: Change default log level from DEBUG to INFO #1402 commit 2 — references cert-hash-rotation code not present on release-4.20
  • pkg/operator/controller/canary-certificate/controller.go: Skipped log.Info() additions from PR OCPBUGS-79467: Change default log level from DEBUG to INFO #1402 commit 2 — controller does not exist on release-4.20

Rollout Plan

Phase 1 — Land code (gate OFF)

Phase 2 — TechPreview soak

Phase 3 — GA promotion

Dependency Pinning Approach

Unlike the 4.21 backport which bumped k8s and controller-runtime, this backport keeps all dependencies at their original 4.20 versions. The sail-operator (OSSM 3.3.1) requires k8s 0.34 and controller-runtime 0.22, but its pkg/install package only uses basic CRUD operations (client.New, client.Get, client.Create, client.Update) and stable types (metav1, corev1, runtime, rest.Config) that exist unchanged in the 4.20 versions.

To prevent go mod tidy from bumping dependencies transitively, the following replace directives pin modules to their 4.20 versions:

Module Pinned Version 4.20 Original
k8s.io/api v0.33.2 v0.33.2
k8s.io/apimachinery v0.33.2 v0.33.2
k8s.io/client-go v0.32.1 v0.32.1
k8s.io/apiextensions-apiserver v0.33.0 v0.33.0
k8s.io/apiserver v0.33.0 v0.33.0
k8s.io/component-base v0.33.0 v0.33.0
k8s.io/kube-openapi v0.0.0-20250318... v0.0.0-20250318...
sigs.k8s.io/controller-runtime v0.20.4 v0.20.4
sigs.k8s.io/gateway-api v1.2.1 v1.2.1
github.com/google/gnostic-models v0.6.9 v0.6.9

Why pinning is necessary: The sail-operator (OSSM 3.3.1) transitively pulls in k8s 0.34 and controller-runtime 0.22, which would force a k8s minor version bump incompatible with the frozen openshift ecosystem packages (client-go, library-go). Without the pins, go mod tidy would bump these dependencies and break the build.

Risk assessment: The sail-operator install package uses only stable controller-runtime interfaces (client.Client CRUD operations, pkg/log, pkg/scheme). No APIs introduced in controller-runtime 0.21+ or k8s 0.34+ are used. The structured-merge-diff/v4 vs v6 incompatibility that would arise from bumping k8s is avoided entirely. This approach was validated by building successfully and by auditing every import in the sail-operator's pkg/install, api/v1, and resources packages.

Longevity: If a future z-stream requires vendoring a newer sail-operator, the pins should be re-evaluated — but z-streams do not bump k8s minor versions, so these pins are expected to hold for the life of 4.20.

Verification

  • make builds successfully
  • No unresolved merge conflict markers in any commit
  • Full CI (blocked on openshift/api dependency)

🤖 Generated with Claude Code

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. backport-risk-assessed Indicates a PR to a release branch has been evaluated and considered safe to accept. jira/severity-critical Referenced Jira bug's severity is critical for the branch this PR is targeting. jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. lgtm Indicates that a PR is ready to be merged. verified Signifies that the PR passed pre-merge verification criteria

Projects

None yet

Development

Successfully merging this pull request may close these issues.

7 participants