operator sailoperator (1.1.0-nightly-2025-03-19) #6211

Merged
operator sailoperator (1.1.0-nightly-2025-03-19)
Signed-off-by: istio-testing <25311884+istio-testing@users.noreply.github.com>
istio-testing committed Mar 19, 2025
commit 2cf82e24430e5e9776e97c0ad7c1e469c0b6c174
211 changes: 211 additions & 0 deletions operators/sailoperator/1.1.0-nightly-2025-03-19/README.md
@@ -0,0 +1,211 @@
# About the Sail Operator

The Sail Operator is able to install and manage the lifecycle of the Istio
control plane in an OpenShift cluster.


## Prerequisites

You have deployed a cluster on OpenShift Container Platform 4.13 or later.

You are logged in to the OpenShift Container Platform web console as a user with
the `cluster-admin` role.

You have access to the OpenShift CLI (oc).


## Installing the Sail Operator

1. Navigate to the OperatorHub.

1. Click **Operator** -> **Operator Hub**.

1. Search for "sail".

1. Locate the Sail Operator, and click to select it.

1. When the prompt that discusses the community operator appears, click **Continue**.

1. Verify the Sail Operator is version 0.1, and click **Install**.

1. Use the default installation settings presented, and click **Install** to continue.

1. Click **Operators** -> **Installed Operators** to verify that the Sail Operator
is installed. `Succeeded` should appear in the **Status** column.


## Deploying Istio

To deploy Istio, you must create two resources: `Istio` and `IstioCNI`. The
`Istio` resource deploys and configures the Istio Control Plane, whereas the
`IstioCNI` resource deploys and configures the Istio CNI plugin. You should
create these resources in separate projects.


### Creating the istio-system and istio-cni Projects

1. In the OpenShift Container Platform web console, click **Home** -> **Projects**.

1. Click **Create Project**.

1. At the prompt, you must enter a name for the project in the **Name** field.
For example, `istio-system`. The Operator deploys Istio to the project you
specify. The other fields provide supplementary information and are optional.

1. Click **Create**.

Repeat the process to create a project named `istio-cni`.


### Creating the Istio resource

1. In the OpenShift Container Platform web console, click **Operators** -> **Installed Operators**.
1. Select the `istio-system` project from the **Namespace** drop-down menu.
1. Click the Sail Operator.
1. Click **Istio**.
1. Click **Create Istio**.
1. Click **Create**. This action deploys the Istio control plane.
1. When `State: Healthy` appears in the `Status` column, Istio is successfully deployed.


### Creating the IstioCNI resource

1. In the OpenShift Container Platform web console, click **Operators** -> **Installed Operators**.
1. Click the Sail Operator.
1. Click **IstioCNI**.
1. Click **Create IstioCNI**.
1. Ensure that the name is `default`.
1. Select the `istio-cni` project from the **Namespace** drop-down menu.
1. Click **Create**. This action deploys the Istio CNI plugin.
1. When `State: Healthy` appears in the `Status` column, the Istio CNI plugin is successfully deployed.


### Selecting the Istio and IstioCNI versions

The `version` field of the `Istio` and `IstioCNI` resource defines which version
of each component should be deployed. This can be set using the `Istio Version`
drop down menu when creating a new `Istio` with the OpenShift Container Platform
web console. For a list of available versions, see the [versions.yaml](/pkg/istioversion/versions.yaml) file
or use the command:

```sh
$ kubectl explain istio.spec.version
```

### Customizing Istio configuration

The `spec.values` field of the `Istio` and `IstioCNI` resource can be used to
customize Istio and Istio CNI plugin configuration using Istio's `Helm`
configuration values. When you create this resource using the OpenShift
Container Platform web console, it is pre-populated with configuration settings
to enable Istio to run on OpenShift.

To view or modify the `Istio` resource from the OpenShift Container Platform web console:

1. Click **Operators** -> **Installed Operators**.
1. Click **Istio** in the **Provided APIs** column.
1. Click `Istio` instance, "istio-sample" by default, in the **Name** column.
1. Click **YAML** to view the `Istio` configuration and make modifications.

An example configuration:

```
apiVersion: sailoperator.io/v1
kind: Istio
metadata:
name: example
spec:
version: v1.20.0
values:
global:
mtls:
enabled: true
trustDomainAliases:
- example.net
meshConfig:
trustDomain: example.com
trustDomainAliases:
- example.net
```

For a list of available configuration for the `spec.values` field, run the
following command:

```sh
$ kubectl explain istio.spec.values
```

For the `IstioCNI` resource, replace `istio` with `istiocni` in the command above.

Alternatively, refer to [Istio's artifacthub chart documentation](https://artifacthub.io/packages/search?org=istio&sort=relevance&page=1) for:

- [Base parameters](https://artifacthub.io/packages/helm/istio-official/base?modal=values)
- [Istiod parameters](https://artifacthub.io/packages/helm/istio-official/istiod?modal=values)
- [Gateway parameters](https://artifacthub.io/packages/helm/istio-official/gateway?modal=values)
- [CNI parameters](https://artifacthub.io/packages/helm/istio-official/cni?modal=values)
- [ZTunnel parameters](https://artifacthub.io/packages/helm/istio-official/ztunnel?modal=values)


## Installing the istioctl tool

The `istioctl` tool is a configuration command line utility that allows service
operators to debug and diagnose Istio service mesh deployments.

For installation steps, refer to the following [link](../docs/common/install-istioctl-tool.md).

## Installing the Bookinfo Application

You can use the `bookinfo` example application to explore service mesh features.
Using the `bookinfo` application, you can easily confirm that requests from a
web browser pass through the mesh and reach the application.

For installation steps, refer to the following [link](../docs/common/install-bookinfo-app.md).


## Creating and Configuring Gateways

The Sail Operator does not deploy Ingress or Egress Gateways. Gateways are not
part of the control plane. As a security best-practice, Ingress and Egress
Gateways should be deployed in a different namespace than the namespace that
contains the control plane.

You can deploy gateways using either the Gateway API or Gateway Injection methods.

For installation steps, refer to the following [link](../docs/common/create-and-configure-gateways.md).


## Istio Addons Integrations

Istio can be integrated with other software to provide additional functionality
(More information can be found in: https://istio.io/latest/docs/ops/integrations/).
The following addons are for demonstration or development purposes only and
should not be used in production environments:

For installation steps, refer to the following [link](../docs/common/istio-addons-integrations.md).


## Undeploying Istio and the Sail Operator

### Deleting Istio
1. In the OpenShift Container Platform web console, click **Operators** -> **Installed Operators**.
1. Click **Istio** in the **Provided APIs** column.
1. Click the Options menu, and select **Delete Istio**.
1. At the prompt to confirm the action, click **Delete**.

### Deleting IstioCNI
1. In the OpenShift Container Platform web console, click **Operators** -> **Installed Operators**.
1. Click **IstioCNI** in the **Provided APIs** column.
1. Click the Options menu, and select **Delete IstioCNI**.
1. At the prompt to confirm the action, click **Delete**.

### Deleting the Sail Operator
1. In the OpenShift Container Platform web console, click **Operators** -> **Installed Operators**.
1. Locate the Sail Operator. Click the Options menu, and select **Uninstall Operator**.
1. At the prompt to confirm the action, click **Uninstall**.

### Deleting the Projects
1. In the OpenShift Container Platform web console, click **Home** -> **Projects**.
1. Locate the name of the project and click the Options menu.
1. Click **Delete Project**.
1. At the prompt to confirm the action, enter the name of the project.
1. Click **Delete**.
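Review bot: the step `1. Verify the Sail Operator is version 0.1, and click **Install**.` is stale for a bundle versioned 1.1.0-nightly-2025-03-19, and the example manifest's `version: v1.20.0` should be checked against the versions this bundle actually supports; either state the shipped versions or send readers to `kubectl explain istio.spec.version` only. The link to `/pkg/istioversion/versions.yaml` and the four `../docs/common/*.md` links are repository-relative paths that do not resolve from the published bundle directory, so they should become absolute URLs into the upstream repository. The sentence ending `should not be used in production environments:` introduces a list of addons that is missing. In the example `Istio` resource, `global.mtls.enabled: true` is a legacy Helm value; the supported way to enforce mesh-wide mTLS is a `PeerAuthentication` with `mtls.mode: STRICT`, whose CRD this same commit installs, so the example should drop that value or say which mechanism governs. Finally, the example's untagged code fence should be tagged `yaml` to match the `sh` fences used elsewhere in the file.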
@@ -0,0 +1,366 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
helm.sh/resource-policy: keep
creationTimestamp: null
labels:
app: istio-pilot
chart: istio
heritage: Tiller
release: istio
name: wasmplugins.extensions.istio.io
spec:
group: extensions.istio.io
names:
categories:
- istio-io
- extensions-istio-io
kind: WasmPlugin
listKind: WasmPluginList
plural: wasmplugins
singular: wasmplugin
scope: Namespaced
versions:
- additionalPrinterColumns:
- description: 'CreationTimestamp is a timestamp representing the server time
when this object was created. It is not guaranteed to be set in happens-before
order across separate operations. Clients may not set this value. It is represented
in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1alpha1
schema:
openAPIV3Schema:
properties:
spec:
description: 'Extend the functionality provided by the Istio proxy through
WebAssembly filters. See more details at: https://istio.io/docs/reference/config/proxy_extensions/wasm-plugin.html'
properties:
failStrategy:
description: |-
Specifies the failure behavior for the plugin due to fatal errors.
Valid Options: FAIL_CLOSE, FAIL_OPEN
enum:
- FAIL_CLOSE
- FAIL_OPEN
type: string
imagePullPolicy:
description: |-
The pull behaviour to be applied when fetching Wasm module by either OCI image or `http/https`.
Valid Options: IfNotPresent, Always
enum:
- UNSPECIFIED_POLICY
- IfNotPresent
- Always
type: string
imagePullSecret:
description: Credentials to use for OCI image pulling.
maxLength: 253
minLength: 1
type: string
match:
description: Specifies the criteria to determine which traffic is
passed to WasmPlugin.
items:
properties:
mode:
description: |-
Criteria for selecting traffic by their direction.
Valid Options: CLIENT, SERVER, CLIENT_AND_SERVER
enum:
- UNDEFINED
- CLIENT
- SERVER
- CLIENT_AND_SERVER
type: string
ports:
description: Criteria for selecting traffic by their destination
port.
items:
properties:
number:
maximum: 65535
minimum: 1
type: integer
required:
- number
type: object
type: array
x-kubernetes-list-map-keys:
- number
x-kubernetes-list-type: map
type: object
type: array
phase:
description: |-
Determines where in the filter chain this `WasmPlugin` is to be injected.
Valid Options: AUTHN, AUTHZ, STATS
enum:
- UNSPECIFIED_PHASE
- AUTHN
- AUTHZ
- STATS
type: string
pluginConfig:
description: The configuration that will be passed on to the plugin.
type: object
x-kubernetes-preserve-unknown-fields: true
pluginName:
description: The plugin name to be used in the Envoy configuration
(used to be called `rootID`).
maxLength: 256
minLength: 1
type: string
priority:
description: Determines ordering of `WasmPlugins` in the same `phase`.
format: int32
nullable: true
type: integer
selector:
description: Criteria used to select the specific set of pods/VMs
on which this plugin configuration should be applied.
properties:
matchLabels:
additionalProperties:
maxLength: 63
type: string
x-kubernetes-validations:
- message: wildcard not allowed in label value match
rule: '!self.contains("*")'
description: One or more labels that indicate a specific set of
pods/VMs on which a policy should be applied.
maxProperties: 4096
type: object
x-kubernetes-validations:
- message: wildcard not allowed in label key match
rule: self.all(key, !key.contains("*"))
- message: key must not be empty
rule: self.all(key, key.size() != 0)
type: object
sha256:
description: SHA256 checksum that will be used to verify Wasm module
or OCI container.
pattern: (^$|^[a-f0-9]{64}$)
type: string
targetRef:
properties:
group:
description: group is the group of the target resource.
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
description: kind is kind of the target resource.
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
name:
description: name is the name of the target resource.
maxLength: 253
minLength: 1
type: string
namespace:
description: namespace is the namespace of the referent.
type: string
x-kubernetes-validations:
- message: cross namespace referencing is not currently supported
rule: self.size() == 0
required:
- kind
- name
type: object
targetRefs:
description: Optional.
items:
properties:
group:
description: group is the group of the target resource.
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
description: kind is kind of the target resource.
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
name:
description: name is the name of the target resource.
maxLength: 253
minLength: 1
type: string
namespace:
description: namespace is the namespace of the referent.
type: string
x-kubernetes-validations:
- message: cross namespace referencing is not currently supported
rule: self.size() == 0
required:
- kind
- name
type: object
maxItems: 16
type: array
type:
description: |-
Specifies the type of Wasm Extension to be used.
Valid Options: HTTP, NETWORK
enum:
- UNSPECIFIED_PLUGIN_TYPE
- HTTP
- NETWORK
type: string
url:
description: URL of a Wasm module or OCI container.
minLength: 1
type: string
x-kubernetes-validations:
- message: url must have schema one of [http, https, file, oci]
rule: |-
isURL(self) ? (url(self).getScheme() in ["", "http", "https", "oci", "file"]) : (isURL("http://" + self) &&
url("http://" + self).getScheme() in ["", "http", "https", "oci", "file"])
verificationKey:
type: string
vmConfig:
description: Configuration for a Wasm VM.
properties:
env:
description: Specifies environment variables to be injected to
this VM.
items:
properties:
name:
description: Name of the environment variable.
maxLength: 256
minLength: 1
type: string
value:
description: Value for the environment variable.
maxLength: 2048
type: string
valueFrom:
description: |-
Source for the environment variable's value.
Valid Options: INLINE, HOST
enum:
- INLINE
- HOST
type: string
required:
- name
type: object
x-kubernetes-validations:
- message: value may only be set when valueFrom is INLINE
rule: '(has(self.valueFrom) ? self.valueFrom : "") != "HOST"
|| !has(self.value)'
maxItems: 256
type: array
x-kubernetes-list-map-keys:
- name
x-kubernetes-list-type: map
type: object
required:
- url
type: object
x-kubernetes-validations:
- message: only one of targetRefs or selector can be set
rule: '(has(self.selector) ? 1 : 0) + (has(self.targetRef) ? 1 : 0)
+ (has(self.targetRefs) ? 1 : 0) <= 1'
status:
properties:
conditions:
description: Current service state of the resource.
items:
properties:
lastProbeTime:
description: Last time we probed the condition.
format: date-time
type: string
lastTransitionTime:
description: Last time the condition transitioned from one status
to another.
format: date-time
type: string
message:
description: Human-readable message indicating details about
last transition.
type: string
observedGeneration:
anyOf:
- type: integer
- type: string
description: Resource Generation to which the Condition refers.
x-kubernetes-int-or-string: true
reason:
description: Unique, one-word, CamelCase reason for the condition's
last transition.
type: string
status:
description: Status is the status of the condition.
type: string
type:
description: Type is the type of the condition.
type: string
type: object
type: array
observedGeneration:
anyOf:
- type: integer
- type: string
x-kubernetes-int-or-string: true
validationMessages:
description: Includes any errors or warnings detected by Istio's analyzers.
items:
properties:
documentationUrl:
description: A url pointing to the Istio documentation for this
specific error type.
type: string
level:
description: |-
Represents how severe a message is.
Valid Options: UNKNOWN, ERROR, WARNING, INFO
enum:
- UNKNOWN
- ERROR
- WARNING
- INFO
type: string
type:
properties:
code:
description: A 7 character code matching `^IST[0-9]{4}$`
intended to uniquely identify the message type.
type: string
name:
description: A human-readable name for the message type.
type: string
type: object
type: object
type: array
type: object
x-kubernetes-preserve-unknown-fields: true
required:
- spec
type: object
served: true
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: null
storedVersions: null
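Review bot: the validation message `only one of targetRefs or selector can be set` does not match its rule, which also counts `targetRef`; the message should name all three fields. On the integrity side, `url` is the only required field and `sha256` accepts the empty string (`(^$|^[a-f0-9]{64}$)`), so a plugin fetched over `http`, `https` or `oci` can be admitted with no checksum pin, and the `file` scheme lets a plugin reference a path already on the proxy filesystem; because this file mirrors the upstream Istio CRD, tightening belongs upstream, but the operator docs should advise gating `WasmPlugin` admission (for example with a ValidatingAdmissionPolicy) so that `sha256` is non-empty and only approved URL schemes are allowed. `verificationKey` has no description at all, and several enums carry a sentinel the `Valid Options` text omits (`UNSPECIFIED_POLICY`, `UNDEFINED`, `UNSPECIFIED_PHASE`, `UNSPECIFIED_PLUGIN_TYPE`), which should be documented or removed from the enum lists.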
@@ -0,0 +1,17 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
creationTimestamp: null
labels:
app.kubernetes.io/component: kube-rbac-proxy
app.kubernetes.io/created-by: sailoperator
app.kubernetes.io/instance: metrics-reader
app.kubernetes.io/managed-by: helm
app.kubernetes.io/name: clusterrole
app.kubernetes.io/part-of: sailoperator
name: metrics-reader
rules:
- nonResourceURLs:
- /metrics
verbs:
- get
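Review bot: the rule itself is least-privilege (`get` on the `/metrics` non-resource URL only), but as a ClusterRole it authorizes scraping against any kube-rbac-proxy in the cluster that checks that URL, so the binding that grants it (not in this hunk) should be limited to the monitoring service account and there should be no group-wide binding. The labels `app.kubernetes.io/name: clusterrole` and `app.kubernetes.io/instance: metrics-reader` look like scaffold defaults rather than meaningful values; consider setting `app.kubernetes.io/name` to the operator name. `creationTimestamp: null` is serialization noise and can be dropped from shipped manifests.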

@@ -0,0 +1,158 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
helm.sh/resource-policy: keep
creationTimestamp: null
labels:
app: istio-pilot
chart: istio
heritage: Tiller
release: istio
name: proxyconfigs.networking.istio.io
spec:
group: networking.istio.io
names:
categories:
- istio-io
- networking-istio-io
kind: ProxyConfig
listKind: ProxyConfigList
plural: proxyconfigs
singular: proxyconfig
scope: Namespaced
versions:
- name: v1beta1
schema:
openAPIV3Schema:
properties:
spec:
description: 'Provides configuration for individual workloads. See more
details at: https://istio.io/docs/reference/config/networking/proxy-config.html'
properties:
concurrency:
description: The number of worker threads to run.
format: int32
minimum: 0
nullable: true
type: integer
environmentVariables:
additionalProperties:
maxLength: 2048
type: string
description: Additional environment variables for the proxy.
type: object
image:
description: Specifies the details of the proxy image.
properties:
imageType:
description: The image type of the image.
type: string
type: object
selector:
description: Optional.
properties:
matchLabels:
additionalProperties:
maxLength: 63
type: string
x-kubernetes-validations:
- message: wildcard not allowed in label value match
rule: '!self.contains("*")'
description: One or more labels that indicate a specific set of
pods/VMs on which a policy should be applied.
maxProperties: 4096
type: object
x-kubernetes-validations:
- message: wildcard not allowed in label key match
rule: self.all(key, !key.contains("*"))
- message: key must not be empty
rule: self.all(key, key.size() != 0)
type: object
type: object
status:
properties:
conditions:
description: Current service state of the resource.
items:
properties:
lastProbeTime:
description: Last time we probed the condition.
format: date-time
type: string
lastTransitionTime:
description: Last time the condition transitioned from one status
to another.
format: date-time
type: string
message:
description: Human-readable message indicating details about
last transition.
type: string
observedGeneration:
anyOf:
- type: integer
- type: string
description: Resource Generation to which the Condition refers.
x-kubernetes-int-or-string: true
reason:
description: Unique, one-word, CamelCase reason for the condition's
last transition.
type: string
status:
description: Status is the status of the condition.
type: string
type:
description: Type is the type of the condition.
type: string
type: object
type: array
observedGeneration:
anyOf:
- type: integer
- type: string
x-kubernetes-int-or-string: true
validationMessages:
description: Includes any errors or warnings detected by Istio's analyzers.
items:
properties:
documentationUrl:
description: A url pointing to the Istio documentation for this
specific error type.
type: string
level:
description: |-
Represents how severe a message is.
Valid Options: UNKNOWN, ERROR, WARNING, INFO
enum:
- UNKNOWN
- ERROR
- WARNING
- INFO
type: string
type:
properties:
code:
description: A 7 character code matching `^IST[0-9]{4}$`
intended to uniquely identify the message type.
type: string
name:
description: A human-readable name for the message type.
type: string
type: object
type: object
type: array
type: object
x-kubernetes-preserve-unknown-fields: true
type: object
served: true
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: null
storedVersions: null
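Review bot: `environmentVariables` is an open map (`additionalProperties` with only `maxLength: 2048` on values and no constraint on keys) and `image.imageType` is a free-form string, so whoever can create a `ProxyConfig` in a namespace can change the environment and image flavour of every injected sidecar the `selector` matches; the schema mirrors upstream Istio, so the fix is not here, but the bundle's README should state that create/update on `proxyconfigs.networking.istio.io` is an administrator-level permission to be granted deliberately. The `selector` description reads just `Optional.`, whereas the same field in the WasmPlugin CRD explains what it selects; carrying that text over would help. `concurrency` with `minimum: 0` and `nullable: true` is fine, but the description should say what a value of 0 means.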

@@ -0,0 +1,24 @@
apiVersion: v1
kind: Service
metadata:
creationTimestamp: null
labels:
app.kubernetes.io/component: sail-operator
app.kubernetes.io/created-by: sailoperator
app.kubernetes.io/instance: sail-operator
app.kubernetes.io/managed-by: helm
app.kubernetes.io/name: deployment
app.kubernetes.io/part-of: sailoperator
control-plane: sail-operator
name: sail-operator-metrics-service
spec:
ipFamilyPolicy: PreferDualStack
ports:
- name: https
port: 8443
protocol: TCP
targetPort: 8443
selector:
control-plane: sail-operator
status:
loadBalancer: {}
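Review bot: the port is named `https` and targets 8443, which only holds if the sail-operator Deployment (not rendered here) actually fronts the metrics endpoint with a TLS-terminating proxy on container port 8443; please confirm that, and that no plain-HTTP metrics port is exposed on the pod alongside it, otherwise a ServiceMonitor selecting the `https` port will fail to scrape. `status.loadBalancer: {}` and `creationTimestamp: null` are serialization noise from generating the manifest and should be stripped before shipping.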

@@ -0,0 +1,153 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.17.2
creationTimestamp: null
name: istiorevisiontags.sailoperator.io
spec:
group: sailoperator.io
names:
categories:
- istio-io
kind: IstioRevisionTag
listKind: IstioRevisionTagList
plural: istiorevisiontags
shortNames:
- istiorevtag
singular: istiorevisiontag
scope: Cluster
versions:
- additionalPrinterColumns:
- description: The current state of this object.
jsonPath: .status.state
name: Status
type: string
- description: Whether the tag is being used by workloads.
jsonPath: .status.conditions[?(@.type=="InUse")].status
name: In use
type: string
- description: The IstioRevision this object is referencing.
jsonPath: .status.istioRevision
name: Revision
type: string
- description: The age of the object
jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1
schema:
openAPIV3Schema:
description: IstioRevisionTag references an Istio or IstioRevision object
and serves as an alias for sidecar injection. It can be used to manage stable
revision tags without having to use istioctl or helm directly. See https://istio.io/latest/docs/setup/upgrade/canary/#stable-revision-labels
for more information on the concept.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: IstioRevisionTagSpec defines the desired state of IstioRevisionTag
properties:
targetRef:
description: IstioRevisionTagTargetReference can reference either
Istio or IstioRevision objects in the cluster. In the case of referencing
an Istio object, the Sail Operator will automatically update the
reference to the Istio object's Active Revision.
properties:
kind:
description: Kind is the kind of the target resource.
maxLength: 253
minLength: 1
type: string
name:
description: Name is the name of the target resource.
maxLength: 253
minLength: 1
type: string
required:
- kind
- name
type: object
required:
- targetRef
type: object
status:
description: IstioRevisionStatus defines the observed state of IstioRevision
properties:
conditions:
description: Represents the latest available observations of the object's
current state.
items:
description: IstioRevisionCondition represents a specific observation
of the IstioRevision object's state.
properties:
lastTransitionTime:
description: Last time the condition transitioned from one status
to another.
format: date-time
type: string
message:
description: Human-readable message indicating details about
the last transition.
type: string
reason:
description: Unique, single-word, CamelCase reason for the condition's
last transition.
type: string
status:
description: The status of this condition. Can be True, False
or Unknown.
type: string
type:
description: The type of this condition.
type: string
type: object
type: array
istioRevision:
description: IstioRevision stores the name of the referenced IstioRevision
type: string
istiodNamespace:
description: IstiodNamespace stores the namespace of the corresponding
Istiod instance
type: string
observedGeneration:
description: |-
ObservedGeneration is the most recent generation observed for this
IstioRevisionTag object. It corresponds to the object's generation, which is
updated on mutation by the API Server. The information in the status
pertains to this particular generation of the object.
format: int64
type: integer
state:
description: Reports the current state of the object.
type: string
required:
- istioRevision
- istiodNamespace
type: object
type: object
served: true
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: null
storedVersions: null
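Review bot: `targetRef.kind` is documented as referencing `Istio` or `IstioRevision` but is only a string with `maxLength: 253`; an `enum` (or a CEL rule such as `self.kind in ['Istio', 'IstioRevision']`) would reject typos at admission instead of leaving the tag in an error state. The `status` block declares `required: [istioRevision, istiodNamespace]`, which means a status update written before the referenced revision resolves cannot be persisted; please confirm the controller always sets both, or make them optional as status fields normally are. The status description `IstioRevisionStatus defines the observed state of IstioRevision` and the condition item description referring to the IstioRevision object's state are copy-pasted from the IstioRevision type and should name IstioRevisionTag.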

@@ -0,0 +1,359 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
helm.sh/resource-policy: keep
creationTimestamp: null
labels:
app: istio-pilot
chart: istio
heritage: Tiller
istio: security
release: istio
name: peerauthentications.security.istio.io
spec:
group: security.istio.io
names:
categories:
- istio-io
- security-istio-io
kind: PeerAuthentication
listKind: PeerAuthenticationList
plural: peerauthentications
shortNames:
- pa
singular: peerauthentication
scope: Namespaced
versions:
- additionalPrinterColumns:
- description: Defines the mTLS mode used for peer authentication.
jsonPath: .spec.mtls.mode
name: Mode
type: string
- description: 'CreationTimestamp is a timestamp representing the server time
when this object was created. It is not guaranteed to be set in happens-before
order across separate operations. Clients may not set this value. It is represented
in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1
schema:
openAPIV3Schema:
properties:
spec:
description: 'Peer authentication configuration for workloads. See more
details at: https://istio.io/docs/reference/config/security/peer_authentication.html'
properties:
mtls:
description: Mutual TLS settings for workload.
properties:
mode:
description: |-
Defines the mTLS mode used for peer authentication.
Valid Options: DISABLE, PERMISSIVE, STRICT
enum:
- UNSET
- DISABLE
- PERMISSIVE
- STRICT
type: string
type: object
portLevelMtls:
additionalProperties:
properties:
mode:
description: |-
Defines the mTLS mode used for peer authentication.
Valid Options: DISABLE, PERMISSIVE, STRICT
enum:
- UNSET
- DISABLE
- PERMISSIVE
- STRICT
type: string
type: object
description: Port specific mutual TLS settings.
minProperties: 1
type: object
x-kubernetes-validations:
- message: port must be between 1-65535
rule: self.all(key, 0 < int(key) && int(key) <= 65535)
selector:
description: The selector determines the workloads to apply the PeerAuthentication
on.
properties:
matchLabels:
additionalProperties:
maxLength: 63
type: string
x-kubernetes-validations:
- message: wildcard not allowed in label value match
rule: '!self.contains("*")'
description: One or more labels that indicate a specific set of
pods/VMs on which a policy should be applied.
maxProperties: 4096
type: object
x-kubernetes-validations:
- message: wildcard not allowed in label key match
rule: self.all(key, !key.contains("*"))
- message: key must not be empty
rule: self.all(key, key.size() != 0)
type: object
type: object
x-kubernetes-validations:
- message: portLevelMtls requires selector
rule: 'has(self.portLevelMtls) ? (((has(self.selector) && has(self.selector.matchLabels))
? self.selector.matchLabels : {}).size() > 0) : true'
status:
properties:
conditions:
description: Current service state of the resource.
items:
properties:
lastProbeTime:
description: Last time we probed the condition.
format: date-time
type: string
lastTransitionTime:
description: Last time the condition transitioned from one status
to another.
format: date-time
type: string
message:
description: Human-readable message indicating details about
last transition.
type: string
observedGeneration:
anyOf:
- type: integer
- type: string
description: Resource Generation to which the Condition refers.
x-kubernetes-int-or-string: true
reason:
description: Unique, one-word, CamelCase reason for the condition's
last transition.
type: string
status:
description: Status is the status of the condition.
type: string
type:
description: Type is the type of the condition.
type: string
type: object
type: array
observedGeneration:
anyOf:
- type: integer
- type: string
x-kubernetes-int-or-string: true
validationMessages:
description: Includes any errors or warnings detected by Istio's analyzers.
items:
properties:
documentationUrl:
description: A url pointing to the Istio documentation for this
specific error type.
type: string
level:
description: |-
Represents how severe a message is.
Valid Options: UNKNOWN, ERROR, WARNING, INFO
enum:
- UNKNOWN
- ERROR
- WARNING
- INFO
type: string
type:
properties:
code:
description: A 7 character code matching `^IST[0-9]{4}$`
intended to uniquely identify the message type.
type: string
name:
description: A human-readable name for the message type.
type: string
type: object
type: object
type: array
type: object
x-kubernetes-preserve-unknown-fields: true
type: object
served: true
storage: false
subresources:
status: {}
- additionalPrinterColumns:
- description: Defines the mTLS mode used for peer authentication.
jsonPath: .spec.mtls.mode
name: Mode
type: string
- description: 'CreationTimestamp is a timestamp representing the server time
when this object was created. It is not guaranteed to be set in happens-before
order across separate operations. Clients may not set this value. It is represented
in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1beta1
schema:
openAPIV3Schema:
properties:
spec:
description: 'Peer authentication configuration for workloads. See more
details at: https://istio.io/docs/reference/config/security/peer_authentication.html'
properties:
mtls:
description: Mutual TLS settings for workload.
properties:
mode:
description: |-
Defines the mTLS mode used for peer authentication.
Valid Options: DISABLE, PERMISSIVE, STRICT
enum:
- UNSET
- DISABLE
- PERMISSIVE
- STRICT
type: string
type: object
portLevelMtls:
additionalProperties:
properties:
mode:
description: |-
Defines the mTLS mode used for peer authentication.
Valid Options: DISABLE, PERMISSIVE, STRICT
enum:
- UNSET
- DISABLE
- PERMISSIVE
- STRICT
type: string
type: object
description: Port specific mutual TLS settings.
minProperties: 1
type: object
x-kubernetes-validations:
- message: port must be between 1-65535
rule: self.all(key, 0 < int(key) && int(key) <= 65535)
selector:
description: The selector determines the workloads to apply the PeerAuthentication
on.
properties:
matchLabels:
additionalProperties:
maxLength: 63
type: string
x-kubernetes-validations:
- message: wildcard not allowed in label value match
rule: '!self.contains("*")'
description: One or more labels that indicate a specific set of
pods/VMs on which a policy should be applied.
maxProperties: 4096
type: object
x-kubernetes-validations:
- message: wildcard not allowed in label key match
rule: self.all(key, !key.contains("*"))
- message: key must not be empty
rule: self.all(key, key.size() != 0)
type: object
type: object
x-kubernetes-validations:
- message: portLevelMtls requires selector
rule: 'has(self.portLevelMtls) ? (((has(self.selector) && has(self.selector.matchLabels))
? self.selector.matchLabels : {}).size() > 0) : true'
status:
properties:
conditions:
description: Current service state of the resource.
items:
properties:
lastProbeTime:
description: Last time we probed the condition.
format: date-time
type: string
lastTransitionTime:
description: Last time the condition transitioned from one status
to another.
format: date-time
type: string
message:
description: Human-readable message indicating details about
last transition.
type: string
observedGeneration:
anyOf:
- type: integer
- type: string
description: Resource Generation to which the Condition refers.
x-kubernetes-int-or-string: true
reason:
description: Unique, one-word, CamelCase reason for the condition's
last transition.
type: string
status:
description: Status is the status of the condition.
type: string
type:
description: Type is the type of the condition.
type: string
type: object
type: array
observedGeneration:
anyOf:
- type: integer
- type: string
x-kubernetes-int-or-string: true
validationMessages:
description: Includes any errors or warnings detected by Istio's analyzers.
items:
properties:
documentationUrl:
description: A url pointing to the Istio documentation for this
specific error type.
type: string
level:
description: |-
Represents how severe a message is.
Valid Options: UNKNOWN, ERROR, WARNING, INFO
enum:
- UNKNOWN
- ERROR
- WARNING
- INFO
type: string
type:
properties:
code:
description: A 7 character code matching `^IST[0-9]{4}$`
intended to uniquely identify the message type.
type: string
name:
description: A human-readable name for the message type.
type: string
type: object
type: object
type: array
type: object
x-kubernetes-preserve-unknown-fields: true
type: object
served: true
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: null
storedVersions: null
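Review bot: the `mode` descriptions under `spec.mtls` and `spec.portLevelMtls` read `Valid Options: DISABLE, PERMISSIVE, STRICT`, while the enum directly below each also accepts `UNSET`; `kubectl explain` and generated docs will therefore omit a value the API server admits. Either add `UNSET` to both descriptions or describe what it means there. These schemas mirror the upstream Istio CRDs, so the fix belongs in the generator input rather than a hand edit of this bundle. The trailing `status:` block (`acceptedNames`, `conditions: null`, `storedVersions: null`) is server-populated and is normally stripped from a bundle manifest.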

@@ -0,0 +1,14 @@
annotations:
# Core bundle annotations.
operators.operatorframework.io.bundle.mediatype.v1: registry+v1
operators.operatorframework.io.bundle.manifests.v1: manifests/
operators.operatorframework.io.bundle.metadata.v1: metadata/
operators.operatorframework.io.bundle.package.v1: sailoperator
operators.operatorframework.io.bundle.channels.v1: "1.1-nightly"
operators.operatorframework.io.metrics.builder: operator-sdk-v1.39.1
operators.operatorframework.io.metrics.mediatype.v1: metrics+v1
operators.operatorframework.io.metrics.project_layout: go.kubebuilder.io/v4

# Annotations for testing.
operators.operatorframework.io.test.mediatype.v1: scorecard+v1
operators.operatorframework.io.test.config.v1: tests/scorecard/
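Review bot: the bundle advertises a single channel, `1.1-nightly`, and sets no `operators.operatorframework.io.bundle.channel.default.v1` annotation; that is acceptable for a nightly build, but the package's default channel then cannot be derived from this bundle alone, and subscriptions on any other channel will never see 1.1.0-nightly-2025-03-19. The `operators.operatorframework.io.metrics.builder: operator-sdk-v1.39.1` value should stay in step with the scorecard test image tag in tests/scorecard/config.yaml when the SDK is bumped.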
@@ -0,0 +1,60 @@
apiVersion: scorecard.operatorframework.io/v1alpha3
kind: Configuration
metadata:
name: config
stages:
- parallel: true
tests:
- entrypoint:
- scorecard-test
- basic-check-spec
image: quay.io/operator-framework/scorecard-test:v1.39.1
labels:
suite: basic
test: basic-check-spec-test
storage:
spec:
mountPath: {}
- entrypoint:
- scorecard-test
- olm-bundle-validation
image: quay.io/operator-framework/scorecard-test:v1.39.1
labels:
suite: olm
test: olm-bundle-validation-test
storage:
spec:
mountPath: {}
- entrypoint:
- scorecard-test
- olm-crds-have-validation
image: quay.io/operator-framework/scorecard-test:v1.39.1
labels:
suite: olm
test: olm-crds-have-validation-test
storage:
spec:
mountPath: {}
- entrypoint:
- scorecard-test
- olm-spec-descriptors
image: quay.io/operator-framework/scorecard-test:v1.39.1
labels:
suite: olm
test: olm-spec-descriptors-test
storage:
spec:
mountPath: {}
- entrypoint:
- scorecard-test
- olm-status-descriptors
image: quay.io/operator-framework/scorecard-test:v1.39.1
labels:
suite: olm
test: olm-status-descriptors-test
storage:
spec:
mountPath: {}
storage:
spec:
mountPath: {}
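Review bot: every test pins `quay.io/operator-framework/scorecard-test:v1.39.1` by mutable tag; consider pinning by digest so the scorecard run is reproducible and a retagged image cannot silently change what the OLM validation tests check. The tag matches `operators.operatorframework.io.metrics.builder: operator-sdk-v1.39.1` in metadata/annotations.yaml, so bump both together. The repeated `storage.spec.mountPath: {}` blocks are the operator-sdk scaffold defaults and configure nothing.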