From 6e8ae16cdcfaa91c561042d9933ac0213046ab37 Mon Sep 17 00:00:00 2001
From: Maxim Babushkin
Date: Sun, 8 Feb 2026 15:05:53 +0200
Subject: [PATCH] Expose "peerCaCrl" Ztunnel param added in Helm

The "peerCaCrl" Helm parameter for Ztunnel has been added in the following PR - https://github.com/istio/istio/pull/58132
Now, lets expose it to Sail Operator.

Signed-off-by: Maxim Babushkin
---
 api/v1/values_types_extra.go | 8 ++++++
 api/v1/zz_generated.deepcopy.go | 25 +++++++++++++++++++
 .../manifests/sailoperator.io_ztunnels.yaml | 20 +++++++++++++++
 chart/crds/sailoperator.io_ztunnels.yaml | 20 +++++++++++++++
 docs/api-reference/sailoperator.io.md | 17 +++++++++++++
 5 files changed, 90 insertions(+)

diff --git a/api/v1/values_types_extra.go b/api/v1/values_types_extra.go
index b6f2a5f05..c6bcc2271 100644
--- a/api/v1/values_types_extra.go
+++ b/api/v1/values_types_extra.go
@@ -23,6 +23,11 @@ type SDSConfigToken struct {
 	Aud string `json:"aud,omitempty"`
 }
 
+type PeerCaCrlConfig struct {
+	// When enabled, ztunnel will check certificates against the CRL
+	Enabled *bool `json:"enabled,omitempty"`
+}
+
 type CNIValues struct {
 	// Configuration for the Istio CNI plugin.
 	Cni *CNIConfig `json:"cni,omitempty"`
@@ -75,6 +80,9 @@ type ZTunnelConfig struct {
 	Resources *k8sv1.ResourceRequirements `json:"resources,omitempty"`
 	// The resource quotas configuration for ztunnel
 	ResourceQuotas *ResourceQuotas `json:"resourceQuotas,omitempty"`
+	// Certificate Revocation List (CRL) support for plugged-in CAs.
+	// When enabled, ztunnel will check certificates against the CRL
+	PeerCaCrl *PeerCaCrlConfig `json:"peerCaCrl,omitempty"`
 	// K8s node selector settings.
 	//
 	// See https://kubernetes.io/docs/user-guide/node-selection/
diff --git a/api/v1/zz_generated.deepcopy.go b/api/v1/zz_generated.deepcopy.go
index 685cb83cc..01b22e756 100644
--- a/api/v1/zz_generated.deepcopy.go
+++ b/api/v1/zz_generated.deepcopy.go
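Review bot: The new exported type `PeerCaCrlConfig` in the first hunk of api/v1/values_types_extra.go has no doc comment, so the API reference generated in this same patch shows the `#### PeerCaCrlConfig` heading with no description text, while the CRL explanation lives only on the `PeerCaCrl` field added in the second hunk. I would put the canonical description on the type, e.g. `// PeerCaCrlConfig configures Certificate Revocation List (CRL) checking of peer certificates for plugged-in CAs.` above the struct. Because `Enabled` is a `*bool` tagged `omitempty`, an unset value is dropped from the rendered values and presumably leaves the Helm chart's own default in effect; saying so on the field makes clear to operators that omitting the block does not turn revocation checking on, and a pointer to where ztunnel obtains the CRL would help if the upstream chart documents it. Both new comment sentences also lack a trailing period.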
@@ -3606,6 +3606,26 @@ func (in *OutboundTrafficPolicyConfig) DeepCopy() *OutboundTrafficPolicyConfig {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PeerCaCrlConfig) DeepCopyInto(out *PeerCaCrlConfig) {
+	*out = *in
+	if in.Enabled != nil {
+		in, out := &in.Enabled, &out.Enabled
+		*out = new(bool)
+		**out = **in
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PeerCaCrlConfig.
+func (in *PeerCaCrlConfig) DeepCopy() *PeerCaCrlConfig {
+	if in == nil {
+		return nil
+	}
+	out := new(PeerCaCrlConfig)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *PilotConfig) DeepCopyInto(out *PilotConfig) {
 	*out = *in
@@ -5693,6 +5713,11 @@ func (in *ZTunnelConfig) DeepCopyInto(out *ZTunnelConfig) {
 		*out = new(ResourceQuotas)
 		(*in).DeepCopyInto(*out)
 	}
+	if in.PeerCaCrl != nil {
+		in, out := &in.PeerCaCrl, &out.PeerCaCrl
+		*out = new(PeerCaCrlConfig)
+		(*in).DeepCopyInto(*out)
+	}
 	if in.NodeSelector != nil {
 		in, out := &in.NodeSelector, &out.NodeSelector
 		*out = make(map[string]string, len(*in))
diff --git a/bundle/manifests/sailoperator.io_ztunnels.yaml b/bundle/manifests/sailoperator.io_ztunnels.yaml
index 09f346bb6..b1fc38643 100644
--- a/bundle/manifests/sailoperator.io_ztunnels.yaml
+++ b/bundle/manifests/sailoperator.io_ztunnels.yaml
@@ -1225,6 +1225,16 @@ spec:
 
                             See https://kubernetes.io/docs/user-guide/node-selection/
                           type: object
+                        peerCaCrl:
+                          description: |-
+                            Certificate Revocation List (CRL) support for plugged-in CAs.
+                            When enabled, ztunnel will check certificates against the CRL
+                          properties:
+                            enabled:
+                              description: When enabled, ztunnel will check certificates
+                                against the CRL
+                              type: boolean
+                          type: object
                         podAnnotations:
                           additionalProperties:
                             type: string
@@ -4776,6 +4786,16 @@ spec:
 
                             See https://kubernetes.io/docs/user-guide/node-selection/
                           type: object
+                        peerCaCrl:
+                          description: |-
+                            Certificate Revocation List (CRL) support for plugged-in CAs.
+                            When enabled, ztunnel will check certificates against the CRL
+                          properties:
+                            enabled:
+                              description: When enabled, ztunnel will check certificates
+                                against the CRL
+                              type: boolean
+                          type: object
                         podAnnotations:
                           additionalProperties:
                             type: string
diff --git a/chart/crds/sailoperator.io_ztunnels.yaml b/chart/crds/sailoperator.io_ztunnels.yaml
index 8d5e2095f..d755af0a8 100644
--- a/chart/crds/sailoperator.io_ztunnels.yaml
+++ b/chart/crds/sailoperator.io_ztunnels.yaml
@@ -1225,6 +1225,16 @@ spec:
 
                             See https://kubernetes.io/docs/user-guide/node-selection/
                           type: object
+                        peerCaCrl:
+                          description: |-
+                            Certificate Revocation List (CRL) support for plugged-in CAs.
+                            When enabled, ztunnel will check certificates against the CRL
+                          properties:
+                            enabled:
+                              description: When enabled, ztunnel will check certificates
+                                against the CRL
+                              type: boolean
+                          type: object
                         podAnnotations:
                           additionalProperties:
                             type: string
@@ -4776,6 +4786,16 @@ spec:
 
                             See https://kubernetes.io/docs/user-guide/node-selection/
                           type: object
+                        peerCaCrl:
+                          description: |-
+                            Certificate Revocation List (CRL) support for plugged-in CAs.
+                            When enabled, ztunnel will check certificates against the CRL
+                          properties:
+                            enabled:
+                              description: When enabled, ztunnel will check certificates
+                                against the CRL
+                              type: boolean
+                          type: object
                         podAnnotations:
                           additionalProperties:
                             type: string
diff --git a/docs/api-reference/sailoperator.io.md b/docs/api-reference/sailoperator.io.md
index 2e451a1de..0d508e6f8 100644
--- a/docs/api-reference/sailoperator.io.md
+++ b/docs/api-reference/sailoperator.io.md
@@ -2373,6 +2373,22 @@ _Appears in:_
 | `REGISTRY_ONLY` | Restrict outbound traffic to services defined in the service registry as well as those defined through ServiceEntries |
 
 
+#### PeerCaCrlConfig
+
+
+
+
+
+
+
+_Appears in:_
+- [ZTunnelConfig](#ztunnelconfig)
+
+| Field | Description | Default | Validation |
+| --- | --- | --- | --- |
+| `enabled` _boolean_ | When enabled, ztunnel will check certificates against the CRL | | |
+
+
 #### PilotConfig
 
 
@@ -3451,6 +3467,7 @@ _Appears in:_
 | `podLabels` _object (keys:string, values:string)_ | Additional labels to apply on the pod level. | | |
 | `resources` _[ResourceRequirements](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#resourcerequirements-v1-core)_ | The k8s resource requests and limits for the ztunnel Pods. | | |
 | `resourceQuotas` _[ResourceQuotas](#resourcequotas)_ | The resource quotas configuration for ztunnel | | |
+| `peerCaCrl` _[PeerCaCrlConfig](#peercacrlconfig)_ | Certificate Revocation List (CRL) support for plugged-in CAs. When enabled, ztunnel will check certificates against the CRL | | |
 | `nodeSelector` _object (keys:string, values:string)_ | K8s node selector settings. See https://kubernetes.io/docs/user-guide/node-selection/ | | |
 | `imagePullSecrets` _string array_ | List of secret names to add to the service account as image pull secrets to use for pulling any images in pods that reference this ServiceAccount. Must be set for any cluster configured with private docker registry. | | |
 | `env` _object (keys:string, values:string)_ | A `key: value` mapping of environment variables to add to the pod | | |