openshift-service-mesh · openshift-merge-bot · Mar 6, 2025 · Mar 6, 2025 · Mar 6, 2025 · Mar 6, 2025
diff --git a/docs/README.md b/docs/README.md
@@ -77,7 +77,6 @@ kind: Istio
 metadata:
   name: default
 spec:
-  version: v1.23.2
   namespace: istio-system
   updateStrategy:
     type: InPlace
@@ -89,6 +88,8 @@ spec:
           memory: 1024Mi
 ```
 
+Note: If you need a specific Istio version, you can explicitly set it using `spec.version`. If not specified, the Operator will install the latest supported version.
+
 Istio uses a ConfigMap for its global configuration, called the MeshConfig. All of its settings are available through `spec.meshConfig`.
 
 To support canary updates of the control plane, Sail Operator includes support for multiple Istio versions. You can select a version by setting the `version` field in the `spec` to the version you would like to install, prefixed with a `v`. You can then update to a new version just by changing this field. An `vX.Y-latest` alias can be used for the latest z/patch versions of each supported y/minor versions. As per the example above, `v1.23-latest` can be specified in the `version` field. By doing so, the operator will keep the istio version with the latest `z` version of the same `y` version. 
@@ -129,7 +130,6 @@ kind: IstioCNI
 metadata:
   name: default
 spec:
-  version: v1.23.2
   namespace: istio-cni
   values:
     cni:
@@ -138,6 +138,8 @@ spec:
       - kube-system
 ```
 
+Note: If you need a specific Istio version, you can explicitly set it using `spec.version`. If not specified, the Operator will install the latest supported version.
+
 #### Updating the IstioCNI resource
 Updates for the `IstioCNI` resource are `Inplace` updates, this means that the `DaemonSet` will be updated with the new version of the CNI plugin once the resource is updated and the `istio-cni-node` pods are going to be replaced with the new version. 
 To update the CNI plugin, just change the `version` field to the version you want to install. Just like the `Istio` resource, it also has a `values` field that exposes all of the options provided in the `istio-cni` chart:
@@ -151,7 +153,7 @@ To update the CNI plugin, just change the `version` field to the version you wan
     metadata:
       name: default
     spec:
-      version: v1.23.2
+      version: v1.24.2
       namespace: istio-cni
       values:
         cni:
@@ -165,22 +167,22 @@ To update the CNI plugin, just change the `version` field to the version you wan
     ```bash
     $ kubectl get istiocni -n istio-cni
     NAME      READY   STATUS    VERSION   AGE
-    default   True    Healthy   v1.23.2   91m
+    default   True    Healthy   v1.24.2   91m
     $ kubectl get pods -n istio-cni
     NAME                   READY   STATUS    RESTARTS   AGE
     istio-cni-node-hd9zf   1/1     Running   0          90m
     ```
 3. Update the CNI plugin version.
 
     ```bash
-    kubectl patch istiocni default -n istio-cni --type='merge' -p '{"spec":{"version":"v1.23.3"}}'
+    kubectl patch istiocni default -n istio-cni --type='merge' -p '{"spec":{"version":"v1.24.3"}}'
     ```
 4. Confirm the CNI plugin version was updated.
 
     ```bash
     $ kubectl get istiocni -n istio-cni
     NAME      READY   STATUS    VERSION   AGE
-    default   True    Healthy   v1.23.3   93m
+    default   True    Healthy   v1.24.3   93m
     $ kubectl get pods -n istio-cni
     NAME                   READY   STATUS    RESTARTS   AGE
     istio-cni-node-jz4lg   1/1     Running   0          44s
@@ -1104,7 +1106,7 @@ These steps are common to every multi-cluster deployment and should be completed
       -in root-cert.csr \
       -out root-cert.pem
     ```
-5. Create intermediate certiciates.
+5. Create intermediate certificates.
 
     ```sh
     for cluster in west east; do
@@ -1869,7 +1871,6 @@ Note: If you installed the KinD cluster using the command above, install the [Sa
          ipFamilyPolicy: RequireDualStack
          env:
            ISTIO_DUAL_STACK: "true"
-     version: v1.23.2
      namespace: istio-system
    EOF
    kubectl wait --for=jsonpath='{.status.revisions.ready}'=1 istios/default --timeout=3m
@@ -1885,7 +1886,6 @@ Note: If you installed the KinD cluster using the command above, install the [Sa
    metadata:
      name: default
    spec:
-     version: v1.23.2
      namespace: istio-cni
    EOF
    kubectl wait --for=condition=Ready pod -n istio-cni -l k8s-app=istio-cni-node --timeout=60s

diff --git a/docs/common/istio-ambient-mode.md b/docs/common/istio-ambient-mode.md
@@ -26,13 +26,14 @@ metadata:
   name: default
 spec:
   profile: ambient
-  version: v1.24.0
   namespace: ztunnel
   values:
     ztunnel:
       image: docker.io/istio/ztunnel:1.24.0
 ```
 
+Note: If you need a specific Istio version, you can explicitly set it using `spec.version`. If not specified, the Operator will install the latest supported version.
+
 ### API Reference documentation
 
 The ZTunnel resource API reference documentation can be found [here](https://github.com/istio-ecosystem/sail-operator/blob/main/docs/api-reference/sailoperator.io.md#ztunnel).

diff --git a/tests/e2e/ambient/ambient_test.go b/tests/e2e/ambient/ambient_test.go
@@ -247,10 +247,8 @@ spec:
 						Expect(k.CreateNamespace(common.HttpbinNamespace)).To(Succeed(), "Failed to create httpbin namespace")
 
 						// Add the necessary ambient labels on the namespaces.
-						Expect(k.Patch("namespace", common.SleepNamespace, "merge", `{"metadata":{"labels":{"istio.io/dataplane-mode":"ambient"}}}`)).
-							To(Succeed(), "Error patching sleep namespace")
-						Expect(k.Patch("namespace", common.HttpbinNamespace, "merge", `{"metadata":{"labels":{"istio.io/dataplane-mode":"ambient"}}}`)).
-							To(Succeed(), "Error patching httpbin namespace")
+						Expect(k.Label("namespace", common.SleepNamespace, "istio.io/dataplane-mode", "ambient")).To(Succeed(), "Error labeling sleep namespace")
+						Expect(k.Label("namespace", common.HttpbinNamespace, "istio.io/dataplane-mode", "ambient")).To(Succeed(), "Error labeling httpbin namespace")
 
 						// Deploy the test pods.
 						Expect(k.WithNamespace(common.SleepNamespace).Apply(common.GetSampleYAML(version, "sleep"))).To(Succeed(), "error deploying sleep pod")

diff --git a/tests/e2e/controlplane/control_plane_test.go b/tests/e2e/controlplane/control_plane_test.go
@@ -208,8 +208,7 @@ spec:
 						}
 
 						Expect(k.CreateNamespace(sampleNamespace)).To(Succeed(), "Sample namespace failed to be created")
-						Expect(k.Patch("namespace", sampleNamespace, "merge", `{"metadata":{"labels":{"istio-injection":"enabled"}}}`)).
-							To(Succeed(), "Error patching sample namespace")
+						Expect(k.Label("namespace", sampleNamespace, "istio-injection", "enabled")).To(Succeed(), "Error labeling sample namespace")
 						Expect(k.WithNamespace(sampleNamespace).
 							ApplyWithLabels(common.GetSampleYAML(version, sampleNamespace), "version=v1")).
 							To(Succeed(), "Error deploying sample")

diff --git a/tests/e2e/controlplane/control_plane_update_test.go b/tests/e2e/controlplane/control_plane_update_test.go
@@ -137,8 +137,6 @@ spec:
 				BeforeAll(func(ctx SpecContext) {
 					Expect(k.CreateNamespace(sampleNamespace)).To(Succeed(), "Sample namespace failed to be created")
 					Expect(k.Label("namespace", sampleNamespace, "istio-injection", "enabled")).To(Succeed(), "Error labeling sample namespace")
-					Expect(k.Patch("namespace", sampleNamespace, "merge", `{"metadata":{"labels":{"istio-injection":"enabled"}}}`)).
-						To(Succeed(), "Error patching sample namespace")
 					Expect(k.WithNamespace(sampleNamespace).
 						ApplyWithLabels(common.GetSampleYAML(istioversion.Map[baseVersion], sampleNamespace), "version=v1")).
 						To(Succeed(), "Error deploying sample")

diff --git a/tests/e2e/dualstack/dualstack_test.go b/tests/e2e/dualstack/dualstack_test.go
@@ -185,14 +185,10 @@ spec:
 						Expect(k.CreateNamespace(IPv6Namespace)).To(Succeed(), "Failed to create ipv6 namespace")
 						Expect(k.CreateNamespace(SleepNamespace)).To(Succeed(), "Failed to create sleep namespace")
 
-						Expect(k.Patch("namespace", DualStackNamespace, "merge", `{"metadata":{"labels":{"istio-injection":"enabled"}}}`)).
-							To(Succeed(), "Error patching dual-stack namespace")
-						Expect(k.Patch("namespace", IPv4Namespace, "merge", `{"metadata":{"labels":{"istio-injection":"enabled"}}}`)).
-							To(Succeed(), "Error patching ipv4 namespace")
-						Expect(k.Patch("namespace", IPv6Namespace, "merge", `{"metadata":{"labels":{"istio-injection":"enabled"}}}`)).
-							To(Succeed(), "Error patching ipv6 namespace")
-						Expect(k.Patch("namespace", SleepNamespace, "merge", `{"metadata":{"labels":{"istio-injection":"enabled"}}}`)).
-							To(Succeed(), "Error patching sleep namespace")
+						Expect(k.Label("namespace", DualStackNamespace, "istio-injection", "enabled")).To(Succeed(), "Error labeling dual-stack namespace")
+						Expect(k.Label("namespace", IPv4Namespace, "istio-injection", "enabled")).To(Succeed(), "Error labeling ipv4 namespace")
+						Expect(k.Label("namespace", IPv6Namespace, "istio-injection", "enabled")).To(Succeed(), "Error labeling ipv6 namespace")
+						Expect(k.Label("namespace", SleepNamespace, "istio-injection", "enabled")).To(Succeed(), "Error labeling sleep namespace")
 
 						Expect(k.WithNamespace(DualStackNamespace).Apply(common.GetSampleYAML(version, "tcp-echo-dual-stack"))).To(Succeed(), "error deploying tcpDualStack pod")
 						Expect(k.WithNamespace(IPv4Namespace).Apply(common.GetSampleYAML(version, "tcp-echo-ipv4"))).To(Succeed(), "error deploying ipv4 pod")

diff --git a/tests/e2e/multicluster/multicluster_multiprimary_test.go b/tests/e2e/multicluster/multicluster_multiprimary_test.go
@@ -206,10 +206,8 @@ spec:
 						Expect(k2.CreateNamespace(sampleNamespace)).To(Succeed(), "Namespace failed to be created on Cluster #2")
 
 						// Label the namespace
-						Expect(k1.Patch("namespace", sampleNamespace, "merge", `{"metadata":{"labels":{"istio-injection":"enabled"}}}`)).
-							To(Succeed(), "Error patching sample namespace")
-						Expect(k2.Patch("namespace", sampleNamespace, "merge", `{"metadata":{"labels":{"istio-injection":"enabled"}}}`)).
-							To(Succeed(), "Error patching sample namespace")
+						Expect(k1.Label("namespace", sampleNamespace, "istio-injection", "enabled")).To(Succeed(), "Error labeling sample namespace")
+						Expect(k2.Label("namespace", sampleNamespace, "istio-injection", "enabled")).To(Succeed(), "Error labeling sample namespace")
 
 						// Deploy the sample app in both clusters
 						deploySampleAppToClusters(sampleNamespace, version, []ClusterDeployment{

diff --git a/tests/e2e/multicluster/multicluster_primaryremote_test.go b/tests/e2e/multicluster/multicluster_primaryremote_test.go
@@ -189,13 +189,7 @@ spec:
 								"merge",
 								`{"metadata":{"annotations":{"topology.istio.io/controlPlaneClusters":"cluster1"}}}`)).
 							To(Succeed(), "Error patching istio-system namespace")
-						Expect(
-							k2.Patch(
-								"namespace",
-								controlPlaneNamespace,
-								"merge",
-								`{"metadata":{"labels":{"topology.istio.io/network":"network2"}}}`)).
-							To(Succeed(), "Error patching istio-system namespace")
+						Expect(k2.Label("namespace", controlPlaneNamespace, "topology.istio.io/network", "network2")).To(Succeed(), "Error labeling istio-system namespace")
 
 						// To be able to access the remote cluster from the primary cluster, we need to create a secret in the primary cluster
 						// Remote Istio resource will not be Ready until the secret is created
@@ -250,10 +244,8 @@ spec:
 						Expect(k2.CreateNamespace(sampleNamespace)).To(Succeed(), "Namespace failed to be created on Cluster #2")
 
 						// Label the namespace
-						Expect(k1.Patch("namespace", sampleNamespace, "merge", `{"metadata":{"labels":{"istio-injection":"enabled"}}}`)).
-							To(Succeed(), "Error patching sample namespace")
-						Expect(k2.Patch("namespace", sampleNamespace, "merge", `{"metadata":{"labels":{"istio-injection":"enabled"}}}`)).
-							To(Succeed(), "Error patching sample namespace")
+						Expect(k1.Label("namespace", sampleNamespace, "istio-injection", "enabled")).To(Succeed(), "Error labeling sample namespace")
+						Expect(k2.Label("namespace", sampleNamespace, "istio-injection", "enabled")).To(Succeed(), "Error labeling sample namespace")
 
 						// Deploy the sample app in both clusters
 						deploySampleAppToClusters(sampleNamespace, v, []ClusterDeployment{

diff --git a/tests/e2e/util/certs/certs.go b/tests/e2e/util/certs/certs.go
@@ -227,7 +227,7 @@ func PushIntermediateCA(k kubectl.Kubectl, ns, zone, network, basePath string, c
 	_, err := common.GetObject(context.Background(), cl, kube.Key("cacerts", ns), &corev1.Secret{})
 	if err != nil {
 		// Label the namespace with the network
-		err = k.Patch("namespace", ns, "merge", `{"metadata":{"labels":{"topology.istio.io/network":"`+network+`"}}}`)
+		err = k.Label("namespace", ns, "topology.istio.io/network", network)
 		if err != nil {
 			return fmt.Errorf("failed to label namespace: %w", err)
 		}