
[release-4.19] NE-2103: Bump to OSSM 3.0.1 and Istio 1.24.4#1244

Merged
openshift-merge-bot[bot] merged 6 commits into openshift:release-4.19 from Miciah:cherry-pick-1227-to-release-4.19
Jul 31, 2025

Conversation

@Miciah
Contributor

@Miciah Miciah commented Jul 25, 2025

Bump to OSSM 3.0.1 and Istio 1.24.4

Bump from OSSM v3.0.0 to v3.0.1 and from Istio v1.24.3 to v1.24.4.

Also, explicitly set ENABLE_GATEWAY_API_MANUAL_DEPLOYMENT to "false" on the Istio CR. For Istio 1.24.3, OSSM has a vendor override that sets this option. However, for Istio 1.24.4, the option must be explicitly set.

(cherry picked from 47d4152)

Enable Gateway only CA Bundles

Configure Istio to inject the configmaps only into namespaces where gateways exist in order to avoid polluting the whole cluster.

Set one new environment variable in the Istio CR:

PILOT_ENABLE_GATEWAY_API_CA_CERT_ONLY

In the future, we will set the Istio CR's trustBundleName global value to specify a custom configmap name. However, we cannot do that yet as the trustBundleName field only exists in OSSM 3.1.

This change is related to OSSM-9076.

Modified-by: Miciah Masters <miciah.masters@gmail.com>

(cherry picked from 41d7add)

Don't copy labels or annotations

Configure Istiod not to copy annotations or labels from gateways onto associated resources, such as the proxy deployment and load-balancer service for a gateway.

This copying behavior is Istio-specific, not part of the Gateway API spec, and could be used to inject unsupported configuration. For example, an end-user could set a service annotation on the gateway in order to configure a load-balancer. Setting annotations on the gateway to configure the load-balancer would not be portable to other Gateway API implementations and would complicate product support.

One new environment variable is set:

PILOT_ENABLE_GATEWAY_API_COPY_LABELS_ANNOTATIONS

This change is related to OSSM-8989.

(cherry picked from 05417af)

Delete old controller-mode setting

Delete the obsolete PILOT_ENABLE_GATEWAY_CONTROLLER_MODE environment variable from the Istiod configuration. This environment variable is no longer recognized in OSSM 3, and the variable has been superseded by EnhancedResourceScoping.

(cherry picked from e05309e)

assertDNSRecord: Increase timeout to 10m

Increase the timeout in assertDNSRecord for polling for the DNSRecord CR from 1 minute to 10 minutes.

The cloud provider can easily take over a minute to provision the load balancer, and the operator cannot create the DNSRecord CR before the load balancer has been provisioned and assigned a host name or address. Consequently, the polling loop could easily reach the 1-minute timeout just on account of the time that it takes to provision the load balancer.

(cherry picked from 2f7da77)

testGatewayAPIManualDeployment: Increase timeout

Increase the timeout for polling the gateway, and dump the gateway if the test fails.

(cherry picked from f1e445d)


This is a manual cherry-pick of #1227 that incorporates #1243 and drops the sailv1 vendor bump, which would bring in a dependency on Go 1.24.

Miciah and others added 6 commits July 25, 2025 15:12
Also, explicitly set ENABLE_GATEWAY_API_MANUAL_DEPLOYMENT to "false" on
the Istio CR.  For Istio 1.24.3, OSSM has a vendor override that sets
this option[1].  However, for Istio 1.24.4, the option must be
explicitly set.

1. https://github.com/openshift-service-mesh/sail-operator/blob/3bf27ee3c4fb4494ffe6028c7f72034c5a7a1e60/pkg/istiovalues/vendor_defaults.yaml#L11-L14

This commit resolves NE-2103.

https://issues.redhat.com/browse/NE-2103

* cmd/ingress-operator/start.go (defaultGatewayAPIOperatorVersion):
* manifests/02-deployment-ibm-cloud-managed.yaml
(GATEWAY_API_OPERATOR_VERSION):
* manifests/02-deployment.yaml
(GATEWAY_API_OPERATOR_VERSION): Bump from OSSM v3.0.0 to v3.0.1.
* pkg/operator/controller/gatewayclass/istio.go (desiredIstio): Bump
from Istio v1.24.3 to v1.24.4.  Set ENABLE_GATEWAY_API_MANUAL_DEPLOYMENT
to "false".

(cherry picked from commit 47d4152)
Configure Istio to inject the configmaps only into namespaces where
gateways exist in order to avoid polluting the whole cluster.

Set one new environment variable in the Istio CR:

    PILOT_ENABLE_GATEWAY_API_CA_CERT_ONLY

In the future, we will set the Istio CR's trustBundleName global value
to specify a custom configmap name.  However, we cannot do that yet as
the trustBundleName field only exists in OSSM 3.1.

This commit is related to OSSM-9076.

* pkg/operator/controller/gatewayclass/istio.go (desiredIstio): Set the
new environment variable.
* pkg/operator/controller/names.go (OpenShiftGatewayCARootCertName): New
const for future use.

Modified-by: Miciah Masters <miciah.masters@gmail.com>
(cherry picked from commit 41d7add)
Configure Istiod not to copy annotations or labels from gateways onto
associated resources, such as the proxy deployment and load-balancer
service for a gateway.

This copying behavior is Istio-specific, not part of the Gateway API
spec, and could be used to inject unsupported configuration.  For
example, an end-user could set a service annotation on the gateway in
order to configure a load-balancer.  Setting annotations on the gateway
to configure the load-balancer would not be portable to other Gateway
API implementations and would complicate product support.

This commit is related to OSSM-8989.

https://issues.redhat.com/browse/OSSM-8989

* pkg/operator/controller/gatewayclass/istio.go (desiredIstio): Set the
"PILOT_ENABLE_GATEWAY_API_COPY_LABELS_ANNOTATIONS" to "false".

(cherry picked from commit 05417af)
Delete the obsolete PILOT_ENABLE_GATEWAY_CONTROLLER_MODE environment
variable from the Istiod configuration.  This environment variable is
no longer recognized in OSSM 3, and the variable has been superseded
by EnhancedResourceScoping.

* pkg/operator/controller/gatewayclass/istio.go (desiredIstio): Delete
PILOT_ENABLE_GATEWAY_CONTROLLER_MODE.

(cherry picked from commit e05309e)
Increase the timeout in assertDNSRecord for polling for the DNSRecord CR
from 1 minute to 10 minutes.

The cloud provider can easily take over a minute to provision the load balancer,
and the operator cannot create the DNSRecord CR before the load balancer has
been provisioned and assigned a host name or address.  Consequently, the polling
loop could easily reach the 1-minute timeout just on account of the time that it
takes to provision the load balancer.

* test/e2e/util_gatewayapi_test.go (assertDNSRecord): Increase timeout
for the DNSRecord CR polling loop from 1m to 10m.

(cherry picked from commit 2f7da77)
Increase the timeout for polling the gateway, and dump the gateway if
the test fails.

* test/e2e/gateway_api_test.go (testGatewayAPIManualDeployment):
Increase the timeout for polling the gateway from 1m to 5m.  Dump the
gateway if the test fails.

(cherry picked from commit f1e445d)
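The commits above amount to a small policy for the istiod environment on the Istio CR: three variables are pinned (ENABLE_GATEWAY_API_MANUAL_DEPLOYMENT=false, PILOT_ENABLE_GATEWAY_API_CA_CERT_ONLY=true, PILOT_ENABLE_GATEWAY_API_COPY_LABELS_ANNOTATIONS=false) and one obsolete variable (PILOT_ENABLE_GATEWAY_CONTROLLER_MODE) is dropped. The following is an added example, not code from cluster-ingress-operator or sail-operator: it expresses that policy as a pure function over a plain env map, audits an existing map against it, and renders the resulting Istio CR fragment. The map representation, the function names, the spec.version/spec.values.pilot.env layout of the fragment, and the "before" sample (including the EXAMPLE_UNRELATED_SETTING key) are assumptions of this example; the real desiredIstio in pkg/operator/controller/gatewayclass/istio.go works on sailv1 types that are not reproduced here.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// Istiod settings pinned on the Istio CR by this PR. The names and values come
// from the commit messages; holding them in a map is this example's choice.
var requiredPilotEnv = map[string]string{
	// Istio 1.24.4 no longer inherits this from an OSSM vendor override.
	"ENABLE_GATEWAY_API_MANUAL_DEPLOYMENT": "false",
	// Inject the CA root-cert configmap only into namespaces with gateways.
	"PILOT_ENABLE_GATEWAY_API_CA_CERT_ONLY": "true",
	// Don't copy gateway labels/annotations to the proxy deployment/service,
	// which would otherwise let a gateway author configure the load balancer.
	"PILOT_ENABLE_GATEWAY_API_COPY_LABELS_ANNOTATIONS": "false",
}

// Settings OSSM 3 no longer recognizes; they are removed rather than pinned.
var obsoletePilotEnv = []string{"PILOT_ENABLE_GATEWAY_CONTROLLER_MODE"}

// DesiredPilotEnv returns a new map: the input is copied, obsolete keys are
// dropped, required keys are forced to their values, other keys are kept.
func DesiredPilotEnv(current map[string]string) map[string]string {
	out := make(map[string]string, len(current)+len(requiredPilotEnv))
	for k, v := range current {
		out[k] = v
	}
	for _, k := range obsoletePilotEnv {
		delete(out, k)
	}
	for k, v := range requiredPilotEnv {
		out[k] = v
	}
	return out
}

// CheckPilotEnv audits an env map (for instance one read from a live cluster)
// and returns one sorted message per deviation from the policy; an empty
// result means the map already matches what this PR configures.
func CheckPilotEnv(env map[string]string) []string {
	var problems []string
	for k, want := range requiredPilotEnv {
		got, ok := env[k]
		switch {
		case !ok:
			problems = append(problems, fmt.Sprintf("%s is unset (want %q)", k, want))
		case got != want:
			problems = append(problems, fmt.Sprintf("%s=%q (want %q)", k, got, want))
		}
	}
	for _, k := range obsoletePilotEnv {
		if _, ok := env[k]; ok {
			problems = append(problems, fmt.Sprintf("%s is obsolete in OSSM 3 and should be removed", k))
		}
	}
	sort.Strings(problems)
	return problems
}

// RenderIstioSpecFragment renders the env map as the spec.values.pilot.env
// fragment of an Istio CR (assumed layout) in JSON, which is also valid YAML.
func RenderIstioSpecFragment(env map[string]string) (string, error) {
	frag := map[string]any{
		"spec": map[string]any{
			"version": "v1.24.4",
			"values": map[string]any{
				"pilot": map[string]any{"env": env},
			},
		},
	}
	b, err := json.MarshalIndent(frag, "", "  ")
	return string(b), err
}

func main() {
	// Constructed sample of a pre-PR env: carries the obsolete key plus an
	// unrelated setting that must survive untouched.
	before := map[string]string{
		"PILOT_ENABLE_GATEWAY_CONTROLLER_MODE": "true",
		"EXAMPLE_UNRELATED_SETTING":            "keep-me",
	}
	for _, p := range CheckPilotEnv(before) {
		fmt.Println("before:", p)
	}
	after := DesiredPilotEnv(before)
	fmt.Println("after: remaining problems =", len(CheckPilotEnv(after)))
	if s, err := RenderIstioSpecFragment(after); err == nil {
		fmt.Println(s)
	}
}
```

CheckPilotEnv is the piece a practitioner would reuse after the backport lands: feed it the env read from the openshift-gateway Istio CR on a 4.19 cluster and any non-empty result points at a setting that did not take effect.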
@openshift-ci-robot
Contributor

openshift-ci-robot commented Jul 25, 2025

@Miciah: This pull request references NE-2103 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.19.z" version, but no target version was set.


@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Jul 25, 2025
@openshift-ci openshift-ci bot requested review from grzpiotrowski and miheer July 25, 2025 20:22
@alebedev87
Contributor

/assign

@lihongan
Contributor

/test e2e-aws-gatewayapi-conformance

cc @rhamini3

@Miciah
Contributor Author

Miciah commented Jul 28, 2025

This is a medium-risk backport that bumps OSSM 3.0.0 to 3.0.1 and Istio v1.24.3 to v1.24.4 to get some CVE fixes as well as a fix not to copy labels from gateways to associated resources (such as the service) and a fix not to inject Istio's CA certificate configmap into namespaces other than the gateway's.

/label backport-risk-assessed

@openshift-ci openshift-ci bot added the backport-risk-assessed Indicates a PR to a release branch has been evaluated and considered safe to accept. label Jul 28, 2025
@Miciah
Contributor Author

Miciah commented Jul 28, 2025

e2e-hypershift failed because TestCreateClusterCustomConfig/EnsureHostedCluster/EnsureAllContainersHaveTerminationMessagePolicyFallbackToLogsOnError failed:

{Failed  === RUN   TestCreateClusterCustomConfig/EnsureHostedCluster/EnsureAllContainersHaveTerminationMessagePolicyFallbackToLogsOnError
    util.go:890: ns/e2e-clusters-q8t8v-custom-config-d67p5 pod/olm-collect-profiles-29224677-62r6c container/collect-profiles has doesn't have terminationMessagePolicy FallbackToLogsOnError but File
    util.go:890: ns/e2e-clusters-q8t8v-custom-config-d67p5 pod/olm-collect-profiles-29224677-dzb8m container/collect-profiles has doesn't have terminationMessagePolicy FallbackToLogsOnError but File
    util.go:890: ns/e2e-clusters-q8t8v-custom-config-d67p5 pod/olm-collect-profiles-29224677-wnwqn container/collect-profiles has doesn't have terminationMessagePolicy FallbackToLogsOnError but File
    util.go:890: ns/e2e-clusters-q8t8v-custom-config-d67p5 pod/olm-collect-profiles-29224677-xc6zr container/collect-profiles has doesn't have terminationMessagePolicy FallbackToLogsOnError but File
        --- FAIL: TestCreateClusterCustomConfig/EnsureHostedCluster/EnsureAllContainersHaveTerminationMessagePolicyFallbackToLogsOnError (0.03s)
}

Let's see if the same error occurs twice.
/test e2e-hypershift

@rhamini3
Contributor

Pre-merge-verified on a 4.19 cluster, Gatewayclass installs OSSM 3.0.1 and Istio 1.24.4

iamin@iamin-mac openshift-tests-private % oc -n openshift-operators get sub,csv,pod
NAME                                                     PACKAGE                SOURCE             CHANNEL
subscription.operators.coreos.com/servicemeshoperator3   servicemeshoperator3   redhat-operators   stable

NAME                                                                     DISPLAY                            VERSION   REPLACES                      PHASE
clusterserviceversion.operators.coreos.com/servicemeshoperator3.v3.0.1   Red Hat OpenShift Service Mesh 3   3.0.1     servicemeshoperator3.v3.0.0   Succeeded

NAME                                         READY   STATUS    RESTARTS   AGE
pod/servicemesh-operator3-786b8f77f9-k9g22   1/1     Running   0          29m
iamin@iamin-mac openshift-tests-private % oc get istio                             
NAME                REVISIONS   READY   IN USE   ACTIVE REVISION     STATUS    VERSION   AGE
openshift-gateway   1           1       1        openshift-gateway   Healthy   v1.24.4   8m9s
iamin@iamin-mac openshift-tests-private % oc get gatewayclass
NAME                CONTROLLER                           ACCEPTED   AGE
openshift-default   openshift.io/gateway-controller/v1   True       51s
iamin@iamin-mac openshift-tests-private % oc get gateway -A
NAMESPACE           NAME      CLASS               ADDRESS                                                                  PROGRAMMED   AGE
openshift-ingress   gateway   openshift-default   a475e3dc2331d425a8de451bd50638eb-600116918.us-west-1.elb.amazonaws.com   True         42s

/label qe-approved

@openshift-ci openshift-ci bot added the qe-approved Signifies that QE has signed off on this PR label Jul 28, 2025


@alebedev87 alebedev87 left a comment


/lgtm
/approve

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Jul 30, 2025
@openshift-ci
Contributor

openshift-ci bot commented Jul 30, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: alebedev87

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jul 30, 2025
@candita
Contributor

candita commented Jul 31, 2025

Had some DNS timing failures.

/test e2e-aws-operator-techpreview

@Miciah Miciah added the jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. label Jul 31, 2025
@openshift-merge-bot openshift-merge-bot bot merged commit 97e023f into openshift:release-4.19 Jul 31, 2025
21 of 22 checks passed
@openshift-bot
Contributor

[ART PR BUILD NOTIFIER]

Distgit: ose-cluster-ingress-operator
This PR has been included in build ose-cluster-ingress-operator-container-v4.19.0-202508010139.p0.g97e023f.assembly.stream.el9.
All builds following this will include this PR.
