feat: add targetRef field to ZTunnel CRD

api/v1/istiorevisiontags_types.go

@@ -28,11 +28,11 @@ const (
 // IstioRevisionTagSpec defines the desired state of IstioRevisionTag
 type IstioRevisionTagSpec struct {
 	// +kubebuilder:validation:Required
-	TargetRef IstioRevisionTagTargetReference `json:"targetRef"`
+	TargetRef TargetReference `json:"targetRef"`
 }
 
-// IstioRevisionTagTargetReference can reference either Istio or IstioRevision objects in the cluster. In the case of referencing an Istio object, the Sail Operator will automatically update the reference to the Istio object's Active Revision.
-type IstioRevisionTagTargetReference struct {
+// TargetReference can reference either Istio or IstioRevision objects in the cluster. In the case of referencing an Istio object, the Sail Operator will automatically update the reference to the Istio object's Active Revision.
+type TargetReference struct {
 	// Kind is the kind of the target resource.
 	//
 	// +kubebuilder:validation:Enum=Istio;IstioRevision

api/v1/ztunnel_types.go

@@ -42,6 +42,10 @@ type ZTunnelSpec struct {
 	// Defines the values to be passed to the Helm charts when installing Istio ztunnel.
 	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Helm Values"
 	Values *ZTunnelValues `json:"values,omitempty"`
+
+	// The Istio control plane that this ZTunnel instance is associated with. Valid references are Istio and IstioRevision resources, Istio resources are always resolved to their current active revision.
+	// Values relevant for ZTunnel will be copied from the referenced IstioRevision resource, these are `spec.values.global`, `spec.values.meshConfig`, `spec.values.revision`. Any user configuration in the ZTunnel spec will always take precedence over the settings copied from the Istio resource, however.
+	TargetRef *TargetReference `json:"targetRef,omitempty"`
 }
 
 // ZTunnelStatus defines the observed state of ZTunnel
@@ -57,6 +61,9 @@ type ZTunnelStatus struct {
 
 	// Reports the current state of the object.
 	State ZTunnelConditionReason `json:"state,omitempty"`
+
+	// IstioRevision stores the name of the referenced IstioRevision
+	IstioRevision string `json:"istioRevision,omitempty"`
 }
 
 // GetCondition returns the condition of the specified type
@@ -163,6 +170,7 @@ const (
 // +kubebuilder:printcolumn:name="Ready",type="string",JSONPath=".status.conditions[?(@.type==\"Ready\")].status",description="Whether the Istio ztunnel installation is ready to handle requests."
 // +kubebuilder:printcolumn:name="Status",type="string",JSONPath=".status.state",description="The current state of this object."
 // +kubebuilder:printcolumn:name="Version",type="string",JSONPath=".spec.version",description="The version of the Istio ztunnel installation."
+// +kubebuilder:printcolumn:name="Revision",type="string",JSONPath=".status.istioRevision",description="The referenced IstioRevision."
 // +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp",description="The age of the object"
 // +kubebuilder:validation:XValidation:rule="self.metadata.name == 'default'",message="metadata.name must be 'default'"
 

bundle/manifests/sailoperator.clusterserviceversion.yaml

@@ -45,7 +45,7 @@ metadata:
     capabilities: Seamless Upgrades
     categories: OpenShift Optional, Integration & Delivery, Networking, Security
     containerImage: quay.io/sail-dev/sail-operator:1.30-latest
-    createdAt: "2026-04-16T12:47:34Z"
+    createdAt: "2026-04-16T13:45:36Z"
     description: The Sail Operator manages the lifecycle of your Istio control plane. It provides custom resources for you to deploy and manage your control plane components.
     features.operators.openshift.io/cnf: "false"
     features.operators.openshift.io/cni: "true"

bundle/manifests/sailoperator.io_istiorevisiontags.yaml

@@ -64,10 +64,10 @@ spec:
             description: IstioRevisionTagSpec defines the desired state of IstioRevisionTag
             properties:
               targetRef:
-                description: IstioRevisionTagTargetReference can reference either
-                  Istio or IstioRevision objects in the cluster. In the case of referencing
-                  an Istio object, the Sail Operator will automatically update the
-                  reference to the Istio object's Active Revision.
+                description: TargetReference can reference either Istio or IstioRevision
+                  objects in the cluster. In the case of referencing an Istio object,
+                  the Sail Operator will automatically update the reference to the
+                  Istio object's Active Revision.
                 properties:
                   kind:
                     description: Kind is the kind of the target resource.

bundle/manifests/sailoperator.io_ztunnels.yaml

@@ -33,6 +33,10 @@ spec:
       jsonPath: .spec.version
       name: Version
       type: string
+    - description: The referenced IstioRevision.
+      jsonPath: .status.istioRevision
+      name: Revision
+      type: string
     - description: The age of the object
       jsonPath: .metadata.creationTimestamp
       name: Age
@@ -70,6 +74,26 @@ spec:
                 description: Namespace to which the Istio ztunnel component should
                   be installed.
                 type: string
+              targetRef:
+                description: |-
+                  The Istio control plane that this ZTunnel instance is associated with. Valid references are Istio and IstioRevision resources, Istio resources are always resolved to their current active revision.
+                  Values relevant for ZTunnel will be copied from the referenced IstioRevision resource, these are `spec.values.global`, `spec.values.meshConfig`, `spec.values.revision`. Any user configuration in the ZTunnel spec will always take precedence over the settings copied from the Istio resource, however.
+                properties:
+                  kind:
+                    description: Kind is the kind of the target resource.
+                    enum:
+                    - Istio
+                    - IstioRevision
+                    type: string
+                  name:
+                    description: Name is the name of the target resource.
+                    maxLength: 253
+                    minLength: 1
+                    type: string
+                required:
+                - kind
+                - name
+                type: object
               values:
                 description: Defines the values to be passed to the Helm charts when
                   installing Istio ztunnel.
@@ -3600,6 +3624,9 @@ spec:
                       type: string
                   type: object
                 type: array
+              istioRevision:
+                description: IstioRevision stores the name of the referenced IstioRevision
+                type: string
               observedGeneration:
                 description: |-
                   ObservedGeneration is the most recent generation observed for this

chart/crds/sailoperator.io_istiorevisiontags.yaml

@@ -64,10 +64,10 @@ spec:
             description: IstioRevisionTagSpec defines the desired state of IstioRevisionTag
             properties:
               targetRef:
-                description: IstioRevisionTagTargetReference can reference either
-                  Istio or IstioRevision objects in the cluster. In the case of referencing
-                  an Istio object, the Sail Operator will automatically update the
-                  reference to the Istio object's Active Revision.
+                description: TargetReference can reference either Istio or IstioRevision
+                  objects in the cluster. In the case of referencing an Istio object,
+                  the Sail Operator will automatically update the reference to the
+                  Istio object's Active Revision.
                 properties:
                   kind:
                     description: Kind is the kind of the target resource.

chart/crds/sailoperator.io_ztunnels.yaml

@@ -33,6 +33,10 @@ spec:
       jsonPath: .spec.version
       name: Version
       type: string
+    - description: The referenced IstioRevision.
+      jsonPath: .status.istioRevision
+      name: Revision
+      type: string
     - description: The age of the object
       jsonPath: .metadata.creationTimestamp
       name: Age
@@ -70,6 +74,26 @@ spec:
                 description: Namespace to which the Istio ztunnel component should
                   be installed.
                 type: string
+              targetRef:
+                description: |-
+                  The Istio control plane that this ZTunnel instance is associated with. Valid references are Istio and IstioRevision resources, Istio resources are always resolved to their current active revision.
+                  Values relevant for ZTunnel will be copied from the referenced IstioRevision resource, these are `spec.values.global`, `spec.values.meshConfig`, `spec.values.revision`. Any user configuration in the ZTunnel spec will always take precedence over the settings copied from the Istio resource, however.
+                properties:
+                  kind:
+                    description: Kind is the kind of the target resource.
+                    enum:
+                    - Istio
+                    - IstioRevision
+                    type: string
+                  name:
+                    description: Name is the name of the target resource.
+                    maxLength: 253
+                    minLength: 1
+                    type: string
+                required:
+                - kind
+                - name
+                type: object
               values:
                 description: Defines the values to be passed to the Helm charts when
                   installing Istio ztunnel.
@@ -3600,6 +3624,9 @@ spec:
                       type: string
                   type: object
                 type: array
+              istioRevision:
+                description: IstioRevision stores the name of the referenced IstioRevision
+                type: string
               observedGeneration:
                 description: |-
                   ObservedGeneration is the most recent generation observed for this

chart/samples/ambient/istioztunnel-sample.yaml

@@ -5,3 +5,6 @@ metadata:
 spec:
   version: v1.29.2
   namespace: ztunnel
+  targetRef:
+    kind: Istio
+    name: default

controllers/istiorevisiontag/istiorevisiontag_controller.go

@@ -102,7 +102,7 @@ func (r *Reconciler) doReconcile(ctx context.Context, tag *v1.IstioRevisionTag)
 	}
 
 	log.Info("Retrieving referenced IstioRevision for IstioRevisionTag")
-	rev, err := r.getIstioRevision(ctx, tag.Spec.TargetRef)
+	rev, err := revision.GetIstioRevisionFromTargetReference(ctx, r.Client, tag.Spec.TargetRef)
 	if rev == nil || err != nil {
 		return nil, err
 	}
@@ -157,32 +157,6 @@ func (r *Reconciler) validate(ctx context.Context, tag *v1.IstioRevisionTag) err
 	return nil
 }
 
-func (r *Reconciler) getIstioRevision(ctx context.Context, ref v1.IstioRevisionTagTargetReference) (*v1.IstioRevision, error) {
-	var revisionName string
-	if ref.Kind == v1.IstioRevisionKind {
-		revisionName = ref.Name
-	} else if ref.Kind == v1.IstioKind {
-		i := v1.Istio{}
-		err := r.Client.Get(ctx, types.NamespacedName{Name: ref.Name}, &i)
-		if err != nil {
-			return nil, err
-		}
-		if i.Status.ActiveRevisionName == "" {
-			return nil, reconciler.NewTransientError("referenced Istio has no active revision")
-		}
-		revisionName = i.Status.ActiveRevisionName
-	} else {
-		return nil, reconciler.NewValidationError("unknown targetRef.kind")
-	}
-
-	rev := v1.IstioRevision{}
-	err := r.Client.Get(ctx, types.NamespacedName{Name: revisionName}, &rev)
-	if err != nil {
-		return nil, err
-	}
-	return &rev, nil
-}
-
 func (r *Reconciler) installHelmCharts(ctx context.Context, tag *v1.IstioRevisionTag, rev *v1.IstioRevision) error {
 	ownerReference := metav1.OwnerReference{
 		APIVersion:         v1.GroupVersion.String(),
@@ -401,7 +375,7 @@ func (r *Reconciler) isRevisionTagReferencedByWorkloads(ctx context.Context, tag
 		}
 	}
 
-	rev, err := r.getIstioRevision(ctx, tag.Spec.TargetRef)
+	rev, err := revision.GetIstioRevisionFromTargetReference(ctx, r.Client, tag.Spec.TargetRef)
 	if err != nil {
 		return false, err
 	}

controllers/istiorevisiontag/istiorevisiontag_controller_test.go

@@ -219,7 +219,7 @@ func TestDetermineInUseCondition(t *testing.T) {
 						Name: tagName,
 					},
 					Spec: v1.IstioRevisionTagSpec{
-						TargetRef: v1.IstioRevisionTagTargetReference{
+						TargetRef: v1.TargetReference{
 							Kind: "IstioRevision",
 							Name: rev.Name,
 						},
@@ -300,7 +300,7 @@ func TestValidation(t *testing.T) {
 					Name: "default",
 				},
 				Spec: v1.IstioRevisionTagSpec{
-					TargetRef: v1.IstioRevisionTagTargetReference{},
+					TargetRef: v1.TargetReference{},
 				},
 			},
 			expectedErrMessage: "spec.targetRef not set",
@@ -313,7 +313,7 @@ func TestValidation(t *testing.T) {
 					Name: "default",
 				},
 				Spec: v1.IstioRevisionTagSpec{
-					TargetRef: v1.IstioRevisionTagTargetReference{
+					TargetRef: v1.TargetReference{
 						Kind: "IstioRevision",
 						Name: revName,
 					},