Fix infinite reconciliation on webhook resources by dgn · Pull Request #1651 · istio-ecosystem/sail-operator

dgn · 2026-03-05T16:11:05Z

istiod updates the CABundle and FailurePolicy on its ValidatingWebhookConfigurations and MutatingWebhookConfigurations. The controller needs to ignore those changes to avoid continuous reconciliation of the control plane.

codecov · 2026-03-05T16:21:06Z

Codecov Report

❌ Patch coverage is 0% with 12 lines in your changes missing coverage. Please review.
✅ Project coverage is 52.44%. Comparing base (6b151f8) to head (3d2f26c).
⚠️ Report is 2 commits behind head on main.

Files with missing lines	Patch %	Lines
...trollers/istiorevision/istiorevision_controller.go	0.00%	12 Missing ⚠️

❗ There is a different number of reports uploaded between BASE (6b151f8) and HEAD (3d2f26c). Click for more details.

HEAD has 1 upload less than BASE

Flag BASE (6b151f8) HEAD (3d2f26c)

2 1

Additional details and impacted files

@@             Coverage Diff             @@
##             main    #1651       +/-   ##
===========================================
- Coverage   80.96%   52.44%   -28.53%     
===========================================
  Files          50       50               
  Lines        2474     2479        +5     
===========================================
- Hits         2003     1300      -703     
- Misses        347     1096      +749     
+ Partials      124       83       -41

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

nrfox

One very small nit otherwise LGTM.

Curious how we caught the validating webhook but not the mutating webhook?

controllers/istiorevision/istiorevision_controller.go

dgn · 2026-03-06T08:56:49Z

Curious how we caught the validating webhook but not the mutating webhook?

Honestly this behavior was known and stable for a looong time.. I'm wondering how we didn't hit this bug earlier.

dgn · 2026-03-06T09:46:01Z

/retest

dgn · 2026-03-06T10:22:55Z

/retest

dgn · 2026-03-06T12:36:20Z

/retest

sridhargaddam · 2026-03-06T13:49:04Z

controllers/istiorevision/istiorevision_controller.go

+		}
+	case *admissionv1.MutatingWebhookConfiguration:
+		for i := range len(webhookConfig.Webhooks) {
+			webhookConfig.Webhooks[i].ClientConfig.CABundle = nil


Dont we have to clear FailurePolicy for the MutatingWebhookConfiguration as well?

webhookConfig.Webhooks[i].FailurePolicy = nil

nope. istiod never modifies it, it only does it for the ValidatingWebhookConfiguration

sridhargaddam · 2026-03-06T13:50:41Z

@dgn Added a hold for you to take a look at my review comment. Please feel free to remove it, if changes are not required.

dgn · 2026-03-06T15:12:54Z

/retest

dgn · 2026-03-06T15:13:13Z

/cherry-pick release-1.29
/cherry-pick release-1.28
/cherry-pick release-1.27
/cherry-pick release-1.26
/cherry-pick release-1.0

istio-testing · 2026-03-06T15:13:16Z

@dgn: once the present PR merges, I will cherry-pick it on top of release-1.0, release-1.26, release-1.27, release-1.28, release-1.29 in new PRs and assign them to you.

Details

In response to this:

/cherry-pick release-1.29
/cherry-pick release-1.28
/cherry-pick release-1.27
/cherry-pick release-1.26
/cherry-pick release-1.0

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

dgn · 2026-03-06T15:52:39Z

/retest

istiod updates the CABundle and FailurePolicy on its ValidatingWebhookConfigurations and MutatingWebhookConfigurations. The controller needs to ignore those changes to avoid continuous reconciliation of the control plane. Signed-off-by: Daniel Grimm <dgrimm@redhat.com>

istio-testing · 2026-03-06T16:32:51Z

In response to a cherrypick label: #1651 failed to apply on top of branch "release-1.0":

Applying: Fix infinite reconciliation on webhook resources
Using index info to reconstruct a base tree...
M	controllers/istiorevision/istiorevision_controller.go
M	tests/integration/api/istiorevision_test.go
Falling back to patching base and 3-way merge...
Auto-merging tests/integration/api/istiorevision_test.go
CONFLICT (content): Merge conflict in tests/integration/api/istiorevision_test.go
Auto-merging controllers/istiorevision/istiorevision_controller.go
CONFLICT (content): Merge conflict in controllers/istiorevision/istiorevision_controller.go
error: Failed to merge in the changes.
hint: Use 'git am --show-current-patch=diff' to see the failed patch
hint: When you have resolved this problem, run "git am --continue".
hint: If you prefer to skip this patch, run "git am --skip" instead.
hint: To restore the original branch and stop patching, run "git am --abort".
hint: Disable this message with "git config set advice.mergeConflict false"
Patch failed at 0001 Fix infinite reconciliation on webhook resources

istio-testing · 2026-03-06T16:32:53Z

In response to a cherrypick label: new issue created for failed cherrypick: #1658

istio-testing · 2026-03-06T16:33:28Z

In response to a cherrypick label: new pull request created: #1659

istio-testing · 2026-03-06T16:34:06Z

In response to a cherrypick label: new pull request created: #1660

* upstream/main: Automator: Update dependencies in istio-ecosystem/sail-operator@main (istio-ecosystem#1666) Automator: Update dependencies in istio-ecosystem/sail-operator@main (istio-ecosystem#1665) Automator: Update dependencies in istio-ecosystem/sail-operator@main (istio-ecosystem#1662) Fix infinite reconciliation on webhook resources (istio-ecosystem#1651)

istiod updates the CABundle and FailurePolicy on its ValidatingWebhookConfigurations and MutatingWebhookConfigurations. The controller needs to ignore those changes to avoid continuous reconciliation of the control plane. Signed-off-by: Daniel Grimm <dgrimm@redhat.com>

* upstream/release-1.26: Fix infinite reconciliation on webhook resources (istio-ecosystem#1651) (istio-ecosystem#1670)

istiod updates the CABundle and FailurePolicy on its ValidatingWebhookConfigurations and MutatingWebhookConfigurations. The controller needs to ignore those changes to avoid continuous reconciliation of the control plane. Signed-off-by: Daniel Grimm <dgrimm@redhat.com>

* upstream/release-1.0: Fix infinite reconciliation on webhook resources (istio-ecosystem#1651) (istio-ecosystem#1671)

dgn requested a review from a team as a code owner March 5, 2026 16:11

istio-testing added the size/M label Mar 5, 2026

dgn added cherrypick/release-1.0 cherrypick/release-1.26 cherrypick/release-1.27 cherrypick/release-1.28 cherrypick/release-1.29 and removed size/M labels Mar 5, 2026

dgn force-pushed the fix-webhook-reconciliation branch from 03c5c81 to 52e5dff Compare March 5, 2026 16:16

istio-testing added the size/M label Mar 5, 2026

nrfox reviewed Mar 5, 2026

View reviewed changes

controllers/istiorevision/istiorevision_controller.go Outdated Show resolved Hide resolved

dgn force-pushed the fix-webhook-reconciliation branch from 52e5dff to 5308696 Compare March 6, 2026 08:55

nrfox approved these changes Mar 6, 2026

View reviewed changes

sridhargaddam reviewed Mar 6, 2026

View reviewed changes

sridhargaddam added the do-not-merge/hold label Mar 6, 2026

dgn removed the do-not-merge/hold label Mar 6, 2026

dgn force-pushed the fix-webhook-reconciliation branch from 5308696 to 3d2f26c Compare March 6, 2026 16:08

istio-testing merged commit b3cd952 into istio-ecosystem:main Mar 6, 2026
14 of 15 checks passed

istio-testing mentioned this pull request Mar 6, 2026

[release-1.27] Fix infinite reconciliation on webhook resources #1656

Merged

istio-testing mentioned this pull request Mar 6, 2026

[release-1.26] Fix infinite reconciliation on webhook resources #1657

Closed

istio-testing mentioned this pull request Mar 6, 2026

[release-1.0] Fix infinite reconciliation on webhook resources #1658

Open

istio-testing mentioned this pull request Mar 6, 2026

[release-1.29] Fix infinite reconciliation on webhook resources #1659

Merged

istio-testing mentioned this pull request Mar 6, 2026

[release-1.28] Fix infinite reconciliation on webhook resources #1660

Merged

dgn mentioned this pull request Mar 10, 2026

[release-1.26] Fix infinite reconciliation on webhook resources #1670

Merged

dgn mentioned this pull request Mar 10, 2026

[release-1.0] Fix infinite reconciliation on webhook resources #1671

Merged

openshift-service-mesh-bot pushed a commit to openshift-service-mesh-bot/sail-operator that referenced this pull request Mar 10, 2026

Automated merge

0213187

* upstream/release-1.26: Fix infinite reconciliation on webhook resources (istio-ecosystem#1651) (istio-ecosystem#1670)

openshift-service-mesh-bot pushed a commit to openshift-service-mesh-bot/sail-operator that referenced this pull request Mar 10, 2026

Automated merge

06253a1

* upstream/release-1.26: Fix infinite reconciliation on webhook resources (istio-ecosystem#1651) (istio-ecosystem#1670)

openshift-service-mesh-bot pushed a commit to openshift-service-mesh-bot/sail-operator that referenced this pull request Mar 10, 2026

Automated merge

64436ff

* upstream/release-1.26: Fix infinite reconciliation on webhook resources (istio-ecosystem#1651) (istio-ecosystem#1670)

openshift-service-mesh-bot pushed a commit to openshift-service-mesh-bot/sail-operator that referenced this pull request Mar 11, 2026

Automated merge

0555ad5

* upstream/release-1.26: Fix infinite reconciliation on webhook resources (istio-ecosystem#1651) (istio-ecosystem#1670)

openshift-service-mesh-bot pushed a commit to openshift-service-mesh-bot/sail-operator that referenced this pull request Mar 11, 2026

Automated merge

9df7938

* upstream/release-1.26: Fix infinite reconciliation on webhook resources (istio-ecosystem#1651) (istio-ecosystem#1670)

openshift-service-mesh-bot pushed a commit to openshift-service-mesh-bot/sail-operator that referenced this pull request Mar 11, 2026

Automated merge

c5499df

* upstream/release-1.26: Fix infinite reconciliation on webhook resources (istio-ecosystem#1651) (istio-ecosystem#1670)

openshift-service-mesh-bot pushed a commit to openshift-service-mesh-bot/sail-operator that referenced this pull request Mar 11, 2026

Automated merge

397b4e9

* upstream/release-1.26: Fix infinite reconciliation on webhook resources (istio-ecosystem#1651) (istio-ecosystem#1670)

openshift-service-mesh-bot pushed a commit to openshift-service-mesh-bot/sail-operator that referenced this pull request Mar 11, 2026

Automated merge

0af65c0

* upstream/release-1.26: Fix infinite reconciliation on webhook resources (istio-ecosystem#1651) (istio-ecosystem#1670)

openshift-service-mesh-bot pushed a commit to openshift-service-mesh-bot/sail-operator that referenced this pull request Mar 11, 2026

Automated merge

666f84e

* upstream/release-1.26: Fix infinite reconciliation on webhook resources (istio-ecosystem#1651) (istio-ecosystem#1670)

openshift-service-mesh-bot pushed a commit to openshift-service-mesh-bot/sail-operator that referenced this pull request Mar 12, 2026

Automated merge

064edfd

* upstream/release-1.26: Fix infinite reconciliation on webhook resources (istio-ecosystem#1651) (istio-ecosystem#1670)

openshift-service-mesh-bot pushed a commit to openshift-service-mesh-bot/sail-operator that referenced this pull request Mar 12, 2026

Automated merge

0f901f9

* upstream/release-1.26: Fix infinite reconciliation on webhook resources (istio-ecosystem#1651) (istio-ecosystem#1670)

openshift-service-mesh-bot pushed a commit to openshift-service-mesh-bot/sail-operator that referenced this pull request Mar 12, 2026

Automated merge

2d3e05f

* upstream/release-1.26: Fix infinite reconciliation on webhook resources (istio-ecosystem#1651) (istio-ecosystem#1670)

openshift-service-mesh-bot pushed a commit to openshift-service-mesh-bot/sail-operator that referenced this pull request Apr 9, 2026

Automated merge

3c9174e

* upstream/release-1.0: Fix infinite reconciliation on webhook resources (istio-ecosystem#1651) (istio-ecosystem#1671)

openshift-service-mesh-bot pushed a commit to openshift-service-mesh-bot/sail-operator that referenced this pull request Apr 9, 2026

Automated merge

801dae6

* upstream/release-1.0: Fix infinite reconciliation on webhook resources (istio-ecosystem#1651) (istio-ecosystem#1671)

openshift-service-mesh-bot pushed a commit to openshift-service-mesh-bot/sail-operator that referenced this pull request Apr 10, 2026

Automated merge

a91cb78

* upstream/release-1.0: Fix infinite reconciliation on webhook resources (istio-ecosystem#1651) (istio-ecosystem#1671)

Conversation

dgn commented Mar 5, 2026

Uh oh!

codecov bot commented Mar 5, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Codecov Report

Uh oh!

nrfox left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

dgn commented Mar 6, 2026

Uh oh!

dgn commented Mar 6, 2026

Uh oh!

dgn commented Mar 6, 2026

Uh oh!

dgn commented Mar 6, 2026

Uh oh!

sridhargaddam Mar 6, 2026

Choose a reason for hiding this comment

Uh oh!

dgn Mar 6, 2026

Choose a reason for hiding this comment

Uh oh!

sridhargaddam commented Mar 6, 2026

Uh oh!

dgn commented Mar 6, 2026

Uh oh!

dgn commented Mar 6, 2026

Uh oh!

istio-testing commented Mar 6, 2026

Uh oh!

dgn commented Mar 6, 2026

Uh oh!

Uh oh!

istio-testing commented Mar 6, 2026

Uh oh!

istio-testing commented Mar 6, 2026

Uh oh!

istio-testing commented Mar 6, 2026

Uh oh!

istio-testing commented Mar 6, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

codecov bot commented Mar 5, 2026 •

edited

Loading