From 44076655f7f4c3ad9eb1d7772fbebde2d60d1a2d Mon Sep 17 00:00:00 2001
From: Daniel Grimm
Date: Mon, 7 Apr 2025 10:26:46 +0200
Subject: [PATCH] use downstream charts of Istio 1.24.4
Signed-off-by: Daniel Grimm
---
 .../servicemeshoperator3.clusterserviceversion.yaml | 2 +-
 pkg/istioversion/versions.ossm.yaml | 10 +++++-----
 .../istiod/files/gateway-injection-template.yaml | 2 +-
 resources/v1.24.4/charts/istiod/files/grpc-agent.yaml | 2 +-
 .../charts/istiod/files/injection-template.yaml | 2 +-
 .../v1.24.4/charts/istiod/files/kube-gateway.yaml | 2 +-
 resources/v1.24.4/charts/istiod/files/waypoint.yaml | 2 +-
 .../v1.24.4/charts/istiod/templates/deployment.yaml | 6 +++++-
 .../v1.24.4/charts/ztunnel/templates/daemonset.yaml | 2 +-
 9 files changed, 17 insertions(+), 13 deletions(-)
diff --git a/bundle/manifests/servicemeshoperator3.clusterserviceversion.yaml b/bundle/manifests/servicemeshoperator3.clusterserviceversion.yaml
index 86a1cdb3fb..a197ae7899 100644
--- a/bundle/manifests/servicemeshoperator3.clusterserviceversion.yaml
+++ b/bundle/manifests/servicemeshoperator3.clusterserviceversion.yaml
@@ -34,7 +34,7 @@ metadata:
 capabilities: Seamless Upgrades
 categories: OpenShift Optional, Integration & Delivery, Networking, Security
 containerImage: quay.io/maistra-dev/sail-operator:3.0-latest
- createdAt: "2025-04-02T12:12:01Z"
+ createdAt: "2025-04-07T08:32:09Z"
 description: The OpenShift Service Mesh Operator enables you to install, configure, and manage an instance of Red Hat OpenShift Service Mesh. OpenShift Service Mesh is based on the open source Istio project.
diff --git a/pkg/istioversion/versions.ossm.yaml b/pkg/istioversion/versions.ossm.yaml
index 138bf691d9..14b99c79f0 100644
--- a/pkg/istioversion/versions.ossm.yaml
+++ b/pkg/istioversion/versions.ossm.yaml
@@ -18,11 +18,11 @@ versions:
 repo: https://github.com/istio/istio
 commit: 1.24.4
 charts:
- - https://istio-release.storage.googleapis.com/charts/base-1.24.4.tgz
- - https://istio-release.storage.googleapis.com/charts/istiod-1.24.4.tgz
- - https://istio-release.storage.googleapis.com/charts/gateway-1.24.4.tgz
- - https://istio-release.storage.googleapis.com/charts/cni-1.24.4.tgz
- - https://istio-release.storage.googleapis.com/charts/ztunnel-1.24.4.tgz
+ - https://github.com/openshift-service-mesh/istio-release/raw/e50a777f7977dc477dd380171b8beffed7394c90/1.24.4-redhat/helm/base-1.24.4.tgz
+ - https://github.com/openshift-service-mesh/istio-release/raw/e50a777f7977dc477dd380171b8beffed7394c90/1.24.4-redhat/helm/istiod-1.24.4.tgz
+ - https://github.com/openshift-service-mesh/istio-release/raw/e50a777f7977dc477dd380171b8beffed7394c90/1.24.4-redhat/helm/gateway-1.24.4.tgz
+ - https://github.com/openshift-service-mesh/istio-release/raw/e50a777f7977dc477dd380171b8beffed7394c90/1.24.4-redhat/helm/cni-1.24.4.tgz
+ - https://github.com/openshift-service-mesh/istio-release/raw/e50a777f7977dc477dd380171b8beffed7394c90/1.24.4-redhat/helm/ztunnel-1.24.4.tgz
 - name: v1.24.3
 version: 1.24.3
 repo: https://github.com/istio/istio
diff --git a/resources/v1.24.4/charts/istiod/files/gateway-injection-template.yaml b/resources/v1.24.4/charts/istiod/files/gateway-injection-template.yaml
index dbd83cc57d..c330aa3001 100644
--- a/resources/v1.24.4/charts/istiod/files/gateway-injection-template.yaml
+++ b/resources/v1.24.4/charts/istiod/files/gateway-injection-template.yaml
@@ -232,7 +232,7 @@ spec:
 {{- if eq .Values.global.pilotCertProvider "istiod" }}
 - name: istiod-ca-cert
 configMap:
- name: istio-ca-root-cert
+ name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }}
 {{- end }}
 {{- if .Values.global.mountMtlsCerts }}
 # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
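Review bot: The five new chart URLs in versions.ossm.yaml are pinned to a commit of openshift-service-mesh/istio-release, but nothing in the hunk records an expected digest for the tarballs, so integrity rests on that commit id and on GitHub serving the raw file unchanged. If the versions schema has room for it, record a sha256 per chart and verify it at download time; the downloader is not visible from this patch, so this may already happen elsewhere. The entry's context lines `repo: https://github.com/istio/istio` and `commit: 1.24.4` still name upstream while the charts now come from the downstream release repository, which deserves a comment above `charts:`, for example `# charts are the downstream (-redhat) build, pinned by commit; repo/commit above refer to the upstream sources`.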
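Review bot: The templated `name:` on the `istiod-ca-cert` volume in gateway-injection-template.yaml is emitted unquoted, so a `trustBundleName` that YAML reads as a number or boolean renders a non-string ConfigMap name; `name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" | quote }}` avoids that. The same line is added in grpc-agent.yaml, injection-template.yaml, kube-gateway.yaml, waypoint.yaml, the second hunk of templates/deployment.yaml and ztunnel's daemonset.yaml. The value now appears to select which ConfigMap is mounted as the CA root into injected workloads, so a comment stating that it must name the ConfigMap istiod publishes would help; as these files are rendered from the downstream chart, the change probably belongs in that chart rather than here. The enclosing volumes list starts and ends outside the hunk.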
diff --git a/resources/v1.24.4/charts/istiod/files/grpc-agent.yaml b/resources/v1.24.4/charts/istiod/files/grpc-agent.yaml
index 7290fcdcac..4a292c8670 100644
--- a/resources/v1.24.4/charts/istiod/files/grpc-agent.yaml
+++ b/resources/v1.24.4/charts/istiod/files/grpc-agent.yaml
@@ -283,7 +283,7 @@ spec:
 {{- if eq .Values.global.pilotCertProvider "istiod" }}
 - name: istiod-ca-cert
 configMap:
- name: istio-ca-root-cert
+ name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }}
 {{- end }}
 {{- if .Values.global.mountMtlsCerts }}
 # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
diff --git a/resources/v1.24.4/charts/istiod/files/injection-template.yaml b/resources/v1.24.4/charts/istiod/files/injection-template.yaml
index 0ef948e6a3..6b8c1c9f11 100644
--- a/resources/v1.24.4/charts/istiod/files/injection-template.yaml
+++ b/resources/v1.24.4/charts/istiod/files/injection-template.yaml
@@ -477,7 +477,7 @@ spec:
 {{- if eq .Values.global.pilotCertProvider "istiod" }}
 - name: istiod-ca-cert
 configMap:
- name: istio-ca-root-cert
+ name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }}
 {{- end }}
 {{- if .Values.global.mountMtlsCerts }}
 # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
diff --git a/resources/v1.24.4/charts/istiod/files/kube-gateway.yaml b/resources/v1.24.4/charts/istiod/files/kube-gateway.yaml
index dbe158de1f..4a0966db21 100644
--- a/resources/v1.24.4/charts/istiod/files/kube-gateway.yaml
+++ b/resources/v1.24.4/charts/istiod/files/kube-gateway.yaml
@@ -300,7 +300,7 @@ spec:
 {{- if eq .Values.global.pilotCertProvider "istiod" }}
 - name: istiod-ca-cert
 configMap:
- name: istio-ca-root-cert
+ name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }}
 {{- end }}
 {{- if .Values.global.imagePullSecrets }}
 imagePullSecrets:
diff --git a/resources/v1.24.4/charts/istiod/files/waypoint.yaml b/resources/v1.24.4/charts/istiod/files/waypoint.yaml
index 07a4208786..18dce18315 100644
--- a/resources/v1.24.4/charts/istiod/files/waypoint.yaml
+++ b/resources/v1.24.4/charts/istiod/files/waypoint.yaml
@@ -284,7 +284,7 @@ spec:
 expirationSeconds: 43200
 path: istio-token
 - configMap:
- name: istio-ca-root-cert
+ name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }}
 name: istiod-ca-cert
 {{- if .Values.global.imagePullSecrets }}
 imagePullSecrets:
diff --git a/resources/v1.24.4/charts/istiod/templates/deployment.yaml b/resources/v1.24.4/charts/istiod/templates/deployment.yaml
index 560933b51c..b781b93b55 100644
--- a/resources/v1.24.4/charts/istiod/templates/deployment.yaml
+++ b/resources/v1.24.4/charts/istiod/templates/deployment.yaml
@@ -189,6 +189,10 @@ spec:
 {{- if and .Values.global.externalIstiod (not (and .Values.env .Values.env.EXTERNAL_ISTIOD)) }}
 - name: EXTERNAL_ISTIOD
 value: "{{ .Values.global.externalIstiod }}"
+{{- end }}
+{{- if .Values.global.trustBundleName }}
+ - name: PILOT_CA_CERT_CONFIGMAP
+ value: "{{ .Values.global.trustBundleName }}"
 {{- end }}
 - name: PILOT_ENABLE_ANALYSIS
 value: "{{ .Values.global.istiod.enableAnalysis }}"
@@ -276,7 +280,7 @@ spec:
 optional: true
 - name: istio-csr-ca-configmap
 configMap:
- name: istio-ca-root-cert
+ name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }}
 defaultMode: 420
 optional: true
 {{- if .Values.jwksResolverExtraRootCA }}
diff --git a/resources/v1.24.4/charts/ztunnel/templates/daemonset.yaml b/resources/v1.24.4/charts/ztunnel/templates/daemonset.yaml
index c6e2daf48a..15a9e7b7d3 100644
--- a/resources/v1.24.4/charts/ztunnel/templates/daemonset.yaml
+++ b/resources/v1.24.4/charts/ztunnel/templates/daemonset.yaml
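Review bot: The new `PILOT_CA_CERT_CONFIGMAP` block in the first templates/deployment.yaml hunk is guarded only by `.Values.global.trustBundleName`, unlike the `EXTERNAL_ISTIOD` block just above it, which also checks that `.Values.env` does not already carry the variable. If the chart renders `.Values.env` into the same container further down (outside this hunk), setting both would emit the variable twice, possibly naming a different ConfigMap than the one the `istio-csr-ca-configmap` volume mounts. Mirroring the existing guard keeps the rendering unambiguous: `{{- if and .Values.global.trustBundleName (not (and .Values.env .Values.env.PILOT_CA_CERT_CONFIGMAP)) }}`. A one-line comment that the env value and the mounted ConfigMap name must agree would also help the next reader.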
@@ -184,7 +184,7 @@ spec:
 audience: istio-ca
 - name: istiod-ca-cert
 configMap:
- name: istio-ca-root-cert
+ name: {{ .Values.trustBundleName | default "istio-ca-root-cert" }}
 - name: cni-ztunnel-sock-dir
 hostPath:
 path: /var/run/ztunnel
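Review bot: The ztunnel daemonset reads `.Values.trustBundleName`, while the istiod templates in this patch read `.Values.global.trustBundleName`, so the two charts take the trust bundle name from different value paths. If only one of them is set, ztunnel would mount a ConfigMap name that istiod is no longer told to publish; the volume carries no `optional: true` in the visible lines, so that would presumably surface as pods stuck on the mount rather than as a silent change of trust root. How the operator maps its values onto the two charts is not visible in this patch, so a comment on the line such as `# must match global.trustBundleName passed to istiod` would record the coupling. The volumes list continues outside the hunk.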