feat: operator ambient mode #1496
Merged
chance-coleman merged 3 commits into main from Apr 28, 2025
slaskawi approved these changes Apr 28, 2025
mjnagel approved these changes Apr 28, 2025
noahpb pushed a commit that referenced this pull request Apr 29, 2025
🤖 I have created a release *beep* *boop*

---

## [0.41.0](v0.40.1...v0.41.0) (2025-04-28)

### Features

* add conditional netpol for coredns ([#1501](#1501)) ([fc7ace3](fc7ace3))
* client credential registration default ([#1482](#1482)) ([894c5d9](894c5d9))
* keycloak fips mode ([#1469](#1469)) ([74e632e](74e632e))
* operator ambient mode ([#1496](#1496)) ([71f03fd](71f03fd))
* opt Grafana into ambient ([#1466](#1466)) ([dac2d3e](dac2d3e))
* opt logging into ambient ([#1472](#1472)) ([117d586](117d586))
* opt metrics-server into ambient ([#1458](#1458)) ([01c2ec6](01c2ec6))
* opt velero into ambient ([#1490](#1490)) ([a0591c7](a0591c7))

### Bug Fixes

* **ci:** permissions on release workflow ([#1507](#1507)) ([cb12f13](cb12f13))
* **ci:** renovate readiness version loop fix ([#1488](#1488)) ([a40c15b](a40c15b))
* update loki images to fips images ([#1502](#1502)) ([eb20b4e](eb20b4e))

### Miscellaneous

* **ci:** automated renovate readiness action checks ([#1465](#1465)) ([ed0ca6b](ed0ca6b))
* **ci:** switch eks CI to FIPS ami, update to 1.31 k8s testing ([#1474](#1474)) ([7307d03](7307d03))
* **deps:** update grafana ([#1489](#1489)) ([0c063f1](0c063f1))
* **deps:** update istio to v1.25.2 ([#1461](#1461)) ([1067560](1067560))
* **deps:** update istio to v1.3.0 ([#1491](#1491)) ([9066584](9066584))
* **deps:** update keycloak to v0.13.0 ([#1506](#1506)) ([04d42ef](04d42ef))
* **deps:** update keycloak to v26.2.0 ([#1452](#1452)) ([927a57b](927a57b))
* **deps:** update keycloak to v26.2.1 ([#1486](#1486)) ([d68cad8](d68cad8))
* **deps:** update loki ([#1483](#1483)) ([3a697df](3a697df))
* **deps:** update neuvector ([#1417](#1417)) ([4c0d95d](4c0d95d))
* **deps:** update pepr ([#1454](#1454)) ([a98640f](a98640f))
* **deps:** update support dependencies to v4.7.0 ([#1477](#1477)) ([dcee0a3](dcee0a3))
* **deps:** update support-deps ([#1473](#1473)) ([3d9d501](3d9d501))
* **deps:** update support-deps ([#1480](#1480)) ([c41f359](c41f359))
* **deps:** update support-deps ([#1481](#1481)) ([cc2af2b](cc2af2b))
* **deps:** update support-deps ([#1487](#1487)) ([cdcba75](cdcba75))
* **deps:** update support-deps ([#1493](#1493)) ([88cbf29](88cbf29))
* **deps:** update support-deps ([#1497](#1497)) ([f308176](f308176))
* **deps:** update velero ([#1453](#1453)) ([7330ea9](7330ea9))
* **deps:** update velero ([#1492](#1492)) ([ff504c0](ff504c0))
* **deps:** update velero to v1.32.4 ([#1484](#1484)) ([06709e8](06709e8))

---

This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
mjnagel pushed a commit to BagelLab/uds-core that referenced this pull request Nov 14, 2025

## Description

Move operator over to using Ambient Mode. Since there is no package for pepr, this means using actions for configuring the labels of the namespace, specifically setting the `istio-injection=disabled` and `istio.io/dataplane-mode=ambient`. If the namespace is sidecar enabled (cluster upgrades), then we should cycle the pepr pods to utilize Ambient.

Tested:

1. upgrade existing cluster and deploy new cluster
2. setting [this value](https://github.com/defenseunicorns/uds-core/blob/main/src/pepr/uds-operator-config/values.yaml#L21) to explicitly use dynamic_client_registration since we still have that present until next release
3. let cluster sit and do its thing for 3 hours and no kubeapi issues

## Related Issue

Fixes defenseunicorns#1420

## Type of change

- [ ] Bug fix (non-breaking change which fixes an issue)
- [x] New feature (non-breaking change which adds functionality)
- [ ] Other (security config, docs update, etc)

## Steps to Validate

- To test upgrade process `uds run test-uds-core-upgrade`
- check the `pepr-system` namespace before upgrade to make sure its label is still `istio-injection=enabled`
- on upgrade, namespace should have `istio-injection=disabled`

## Checklist before merging

- [x] Test, docs, adr added or updated as needed
- [x] [Contributor Guide](https://github.com/defenseunicorns/uds-template-capability/blob/main/CONTRIBUTING.md) followed
mjnagel pushed a commit to BagelLab/uds-core that referenced this pull request Nov 14, 2025
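Description

Move operator over to using Ambient Mode. Since there is no package for pepr, this means using actions for configuring the labels of the namespace, specifically setting the `istio-injection=disabled` and `istio.io/dataplane-mode=ambient`. If the namespace is sidecar enabled (cluster upgrades), then we should cycle the pepr pods to utilize Ambient.

Tested:

1. upgrade existing cluster and deploy new cluster
2. setting [this value](https://github.com/defenseunicorns/uds-core/blob/main/src/pepr/uds-operator-config/values.yaml#L21) to explicitly use dynamic_client_registration since we still have that present until next release
3. let cluster sit and do its thing for 3 hours and no kubeapi issues

Related Issue

Fixes #1420

Type of change

- [ ] Bug fix (non-breaking change which fixes an issue)
- [x] New feature (non-breaking change which adds functionality)
- [ ] Other (security config, docs update, etc)

Steps to Validate

- To test upgrade process `uds run test-uds-core-upgrade`
- check the `pepr-system` namespace before upgrade to make sure its label is still `istio-injection=enabled`
- on upgrade, namespace should have `istio-injection=disabled`

Checklist before merging

- [x] Test, docs, adr added or updated as needed
- [x] [Contributor Guide](https://github.com/defenseunicorns/uds-template-capability/blob/main/CONTRIBUTING.md) followed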
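The post-upgrade state the description asks to validate can be checked mechanically. The sketch below is an added example, not code from this PR or from uds-core: it takes namespace and pod objects shaped like `kubectl get -o json` output and reports label drift plus pods that still carry an injected `istio-proxy` container and therefore still need cycling. The type names, function names and sample pods are assumptions.

```typescript
// Added example, not uds-core code. All type and function names are hypothetical.
interface Container { name: string }
interface Pod {
  metadata: { name: string };
  spec: { containers: Container[]; initContainers?: Container[] };
}
interface Namespace { metadata: { name: string; labels?: Record<string, string> } }

// Namespace labels the PR description sets for ambient mode.
const AMBIENT_LABELS: Record<string, string> = {
  "istio-injection": "disabled",
  "istio.io/dataplane-mode": "ambient",
};

// Desired labels that are absent or hold another value, as "key=value".
function labelDrift(ns: Namespace): string[] {
  const have = ns.metadata.labels ?? {};
  return Object.entries(AMBIENT_LABELS)
    .filter(([key, want]) => have[key] !== want)
    .map(([key, want]) => `${key}=${want}`);
}

// A pod created while injection was enabled keeps its istio-proxy container
// (under initContainers for native sidecars) until the pod is recreated.
function hasSidecar(pod: Pod): boolean {
  const all = [...pod.spec.containers, ...(pod.spec.initContainers ?? [])];
  return all.some((c) => c.name === "istio-proxy");
}

// Combine both checks: the namespace counts as migrated only when the labels
// match and no running pod still carries a sidecar.
function auditNamespace(ns: Namespace, pods: Pod[]) {
  const drift = labelDrift(ns);
  const stale = pods.filter(hasSidecar).map((p) => p.metadata.name);
  return { drift, stale, migrated: drift.length === 0 && stale.length === 0 };
}

// Constructed sample: labels already flipped by the upgrade, one pod not yet cycled.
const sampleNs: Namespace = {
  metadata: { name: "pepr-system", labels: { ...AMBIENT_LABELS } },
};
const samplePods: Pod[] = [
  { metadata: { name: "pod-old" }, spec: { containers: [{ name: "server" }, { name: "istio-proxy" }] } },
  { metadata: { name: "pod-new" }, spec: { containers: [{ name: "server" }] } },
];
console.log(auditNamespace(sampleNs, samplePods));
```

A non-empty `stale` list after the upgrade means the label change landed but the pod restart did not, so those workloads are still running on the sidecar data path.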