feat: add targetRef field to ZTunnel CRD

[dgn]

This adds a targetRef field to the ZTunnel CRD, allowing users to keep their ZTunnel config in sync with what they already defined in the Istio or IstioRevision CRD.

[codecov]

Codecov Report

❌ Patch coverage is 85.71429% with 12 lines in your changes missing coverage. Please review.
✅ Project coverage is 81.19%. Comparing base (8f7ce71) to head (eaa8de5).
⚠️ Report is 1 commits behind head on main.

Files with missing lines	Patch %	Lines
controllers/ztunnel/ztunnel_controller.go	86.66%	4 Missing and 2 partials ⚠️
pkg/reconcile/ztunnel.go	64.70%	3 Missing and 3 partials ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #1259      +/-   ##
==========================================
- Coverage   81.26%   81.19%   -0.08%     
==========================================
  Files          46       46              
  Lines        2493     2542      +49     
==========================================
+ Hits         2026     2064      +38     
- Misses        344      349       +5     
- Partials      123      129       +6     

Flag	Coverage Δ
integration-tests	71.17% <80.95%> (+0.09%)	⬆️
unit-tests	53.38% <30.95%> (-0.41%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[dgn]

This should support most use cases including RevisionBased update strategies already. Another thing we could add is making the IstioRevisionController aware of the link - currently, users have to configure the ZTunnel namespace on their Istio/IstioRevision:

spec:
  values:
    pilot:
      trustedZtunnelNamespace: ztunnel

This could be inferred at install time by looking for a ZTunnel resource that has a targetRef pointing to this IstioRevision and then pulling the spec.namespace value from that ZTunnel.

[FilipB]

Maybe it would make sense to warn users when setting the same config in both ztunnel and Istio to different values?

[dgn]

I don't think we need to warn users - their settings will always take precedence. By default, they should only configure the version and targetRef

[sridhargaddam]

Yeah, a warning might imply that something is wrong. Can we add a log message saying that user setting from ztunnel are used?

[dgn]

hmm. as we're just merging the fields I don't think we have the ability to give that sort of granular feedback. or rather, we'd have to add a bunch of logic in order to do that. maybe just documenting the behavior is enough?

[sridhargaddam]

Sure, works for me.

[FilipB]

Should this be added to samples?

[dgn]

I'm not sure about the global setting. I will add the targetRef to the sample though

[sridhargaddam]

Thanks @dgn.

[sridhargaddam]

Yeah, a warning might imply that something is wrong. Can we add a log message saying that user setting from ztunnel are used?

[sridhargaddam]

Should we add input validation for targetReference?

[sridhargaddam]

Do you think we will require a test case without the targetRef?

[dgn]

we have tests that verify that user input takes precedence so it should be okay

[sridhargaddam]

This should support most use cases including RevisionBased update strategies already. Another thing we could add is making the IstioRevisionController aware of the link - currently, users have to configure the ZTunnel namespace on their Istio/IstioRevision:

spec:
  values:
    pilot:
      trustedZtunnelNamespace: ztunnel

This could be inferred at install time by looking for a ZTunnel resource that has a targetRef pointing to this IstioRevision and then pulling the spec.namespace value from that ZTunnel.

This is a good idea.

[zmiklank]

Hi @dgn, do you think it could be useful to add info about this API change into ZTunnel CRD docs too?

[dgn]

Hi @dgn, do you think it could be useful to add info about this API change into ZTunnel CRD docs too?

done!

[sridhargaddam]

Can you remind me if we wanted to populate the spec.version as well from the targetRef?

[dgn]

I considered it, but I guess we'd want to have a placeholder version in that case? (e.g. "fromParent")

[dgn]

Hi @dgn, do you think it could be useful to add info about this API change into ZTunnel CRD docs too?

Done!

[dgn]

All comments addressed, PTAL 🙂

[sridhargaddam]

Mostly good - just some minor comments.

[sridhargaddam]

LGTM, thanks @dgn

[sridhargaddam]

I've added "/hold" so that @nrfox (or others) can take a final look. Feel free to remove the hold if needed.

[dgn]

/retest