openshift · openshift-merge-bot · Jul 31, 2025 · May 2, 2025 · Apr 1, 2025 · May 2, 2025
diff --git a/cmd/ingress-operator/start.go b/cmd/ingress-operator/start.go
@@ -34,7 +34,7 @@ const (
 	// that is mounted from configmap openshift-ingress-operator/trusted-ca.
 	defaultTrustedCABundle           = "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem"
 	defaultGatewayAPIOperatorChannel = "stable"
-	defaultGatewayAPIOperatorVersion = "servicemeshoperator3.v3.0.0"
+	defaultGatewayAPIOperatorVersion = "servicemeshoperator3.v3.0.1"
 )
 
 type StartOptions struct {

diff --git a/manifests/02-deployment-ibm-cloud-managed.yaml b/manifests/02-deployment-ibm-cloud-managed.yaml
@@ -53,7 +53,7 @@ spec:
         - name: GATEWAY_API_OPERATOR_CHANNEL
           value: stable
         - name: GATEWAY_API_OPERATOR_VERSION
-          value: servicemeshoperator3.v3.0.0
+          value: servicemeshoperator3.v3.0.1
         image: openshift/origin-cluster-ingress-operator:latest
         imagePullPolicy: IfNotPresent
         name: ingress-operator

diff --git a/manifests/02-deployment.yaml b/manifests/02-deployment.yaml
@@ -82,7 +82,7 @@ spec:
             - name: GATEWAY_API_OPERATOR_CHANNEL
               value: stable
             - name: GATEWAY_API_OPERATOR_VERSION
-              value: servicemeshoperator3.v3.0.0
+              value: servicemeshoperator3.v3.0.1
           resources:
             requests:
               cpu: 10m

diff --git a/pkg/operator/controller/gatewayclass/istio.go b/pkg/operator/controller/gatewayclass/istio.go
@@ -83,18 +83,28 @@ func desiredIstio(name types.NamespacedName, ownerRef metav1.OwnerReference) *sa
 		// then our Istiod instance might try to reconcile gateways
 		// belonging to an unrelated Istiod instance.
 		"PILOT_GATEWAY_API_DEFAULT_GATEWAYCLASS_NAME": controller.OpenShiftDefaultGatewayClassName,
-		// Watch Gateway API and Kubernetes resources in all namespaces,
-		// but ignore Istio resources that don't match our label
-		// selector.  (We do not specify the label selector, so this
-		// causes Istio to ignore all Istio resources.)
-		"PILOT_ENABLE_GATEWAY_CONTROLLER_MODE": "true",
 		// Only reconcile resources that are associated with
 		// gatewayclasses that have our controller name.
 		"PILOT_GATEWAY_API_CONTROLLER_NAME": controller.OpenShiftGatewayClassControllerName,
 		// Don't create an "istio-remote" gatewayclass for
 		// "multi-network gateways".  This is an Istio feature that I
 		// haven't really found any explanation for.
 		"PILOT_MULTI_NETWORK_DISCOVER_GATEWAY_API": "false",
+		// Don't allow Istio's "manual deployment" feature, which would
+		// allow a gateway to specify an existing service.  Only allow
+		// "automated deployment", meaning Istio creates a new load-
+		// balancer service for each gateway.
+		"ENABLE_GATEWAY_API_MANUAL_DEPLOYMENT": "false",
+		// Only create CA Bundle CM in namespaces where there are
+		// Gateway API Gateways
+		"PILOT_ENABLE_GATEWAY_API_CA_CERT_ONLY": "true",
+		// Don't copy labels or annotations from gateways to resources
+		// that Istiod creates for that gateway.  This is an Istio-
+		// specific behavior which might not be supported by other
+		// Gateway API implementations and that could allow the end-user
+		// to inject unsupported configuration, for example using
+		// service annotations.
+		"PILOT_ENABLE_GATEWAY_API_COPY_LABELS_ANNOTATIONS": "false",
 	}
 	return &sailv1.Istio{
 		ObjectMeta: metav1.ObjectMeta{
@@ -151,7 +161,7 @@ func desiredIstio(name types.NamespacedName, ownerRef metav1.OwnerReference) *sa
 					IngressControllerMode: sailv1.MeshConfigIngressControllerModeOff,
 				},
 			},
-			Version: "v1.24.3",
+			Version: "v1.24.4",
 		},
 	}
 }

diff --git a/pkg/operator/controller/names.go b/pkg/operator/controller/names.go
@@ -68,6 +68,11 @@ const (
 	// gatewayclass that Istio creates when it is installed.
 	OpenShiftDefaultGatewayClassName = "openshift-default"
 
+	// OpenShiftGatewayCARootCertName is the name of the configmap with the
+	// CA bundle that Istio creates for the Istio CR that this operator
+	// creates.
+	OpenShiftGatewayCARootCertName = "openshift-gw-ca-root-cert"
+
 	// IstioRevLabelKey is the key for the gateway label that Istio checks
 	// for to determine whether it should reconcile that gateway.
 	IstioRevLabelKey = "istio.io/rev"

diff --git a/test/e2e/gateway_api_test.go b/test/e2e/gateway_api_test.go
@@ -15,6 +15,7 @@ import (
 	iov1 "github.com/openshift/api/operatoringress/v1"
 	operatorclient "github.com/openshift/cluster-ingress-operator/pkg/operator/client"
 	operatorcontroller "github.com/openshift/cluster-ingress-operator/pkg/operator/controller"
+	util "github.com/openshift/cluster-ingress-operator/pkg/util"
 
 	corev1 "k8s.io/api/core/v1"
 	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
@@ -259,14 +260,22 @@ func testGatewayAPIManualDeployment(t *testing.T) {
 		t.Fatalf("Failed to create gateway %v: %v", gatewayName, err)
 	}
 	t.Cleanup(func() {
+		if t.Failed() {
+			t.Logf("Dumping gateway %q...", gatewayName)
+			var gateway gatewayapiv1.Gateway
+			if err := kclient.Get(context.Background(), gatewayName, &gateway); err != nil {
+				t.Errorf("Failed to get gateway %v: %v", gatewayName, err)
+			}
+			t.Log(util.ToYaml(gateway))
+		}
 		if err := kclient.Delete(context.Background(), &gateway); err != nil {
 			if !errors.IsNotFound(err) {
 				t.Errorf("Failed to delete gateway %v: %v", gatewayName, err)
 			}
 		}
 	})
 
-	interval, timeout := 5*time.Second, 1*time.Minute
+	interval, timeout := 5*time.Second, 5*time.Minute
 	t.Logf("Polling for up to %v to verify that the gateway is accepted...", timeout)
 	if err := wait.PollUntilContextTimeout(context.Background(), interval, timeout, false, func(context context.Context) (bool, error) {
 		if err := kclient.Get(context, gatewayName, &gateway); err != nil {

diff --git a/test/e2e/util_gatewayapi_test.go b/test/e2e/util_gatewayapi_test.go
@@ -1035,7 +1035,7 @@ func assertDNSRecord(t *testing.T, recordName types.NamespacedName) error {
 	t.Helper()
 	dnsRecord := &v1.DNSRecord{}
 
-	err := wait.PollUntilContextTimeout(context.Background(), 1*time.Second, 1*time.Minute, false, func(context context.Context) (bool, error) {
+	err := wait.PollUntilContextTimeout(context.Background(), 10*time.Second, 10*time.Minute, false, func(context context.Context) (bool, error) {
 		if err := kclient.Get(context, recordName, dnsRecord); err != nil {
 			t.Logf("Failed to get DNSRecord %v: %v; retrying...", recordName, err)
 			return false, nil