Automated merge

* upstream/main: Remove kube-rbac-proxy (istio-ecosystem#556) Remove automatic channel prefix detection (istio-ecosystem#574) Create IstioRevisionTag documentation (istio-ecosystem#511) # Conflicts: # bundle/manifests/sail-operator-metrics-service_v1_service.yaml # bundle/manifests/sailoperator.clusterserviceversion.yaml
openshift-service-mesh-bot · Jan 22, 2025 · 709d5b6 · 709d5b6
2 parents 5ff1248 + 7c54546
commit 709d5b6
Show file tree

Hide file tree

Showing 19 changed files with 457 additions and 115 deletions.
diff --git a/Makefile.core.mk b/Makefile.core.mk
@@ -80,9 +80,6 @@ GINKGO_FLAGS := $(if $(VERBOSE),-v) $(if $(CI),--no-color) $(if $(COVERAGE),-cov
 # - use the CHANNELS as arg of the bundle target (e.g make bundle CHANNELS=candidate,fast,stable)
 # - use environment variables to overwrite this value (e.g export CHANNELS="candidate,fast,stable")
 CHANNEL_PREFIX := dev
-ifneq (,$(findstring release-,$(shell git rev-parse --abbrev-ref HEAD)))
-CHANNEL_PREFIX = stable
-endif
 
 CHANNELS ?= $(CHANNEL_PREFIX)-$(MINOR_VERSION)
 ifneq ($(origin CHANNELS), undefined)

diff --git a/api/v1alpha1/istiorevisiontags_types.go b/api/v1alpha1/istiorevisiontags_types.go
@@ -31,7 +31,7 @@ type IstioRevisionTagSpec struct {
 	TargetRef IstioRevisionTagTargetReference `json:"targetRef"`
 }
 
-// IstioRevisionTagTargetReference can reference either Istio or IstioRevision objects in the cluster.
+// IstioRevisionTagTargetReference can reference either Istio or IstioRevision objects in the cluster. In the case of referencing an Istio object, the Sail Operator will automatically update the reference to the Istio object's Active Revision.
 type IstioRevisionTagTargetReference struct {
 	// Kind is the kind of the target resource.
 	//
@@ -181,7 +181,7 @@ const (
 // +kubebuilder:printcolumn:name="Revision",type="string",JSONPath=".status.istioRevision",description="The IstioRevision this object is referencing."
 // +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp",description="The age of the object"
 
-// IstioRevisionTag references a Istio or IstioRevision object and serves as an alias for sidecar injection.
+// IstioRevisionTag references an Istio or IstioRevision object and serves as an alias for sidecar injection. It can be used to manage stable revision tags without having to use istioctl or helm directly. See https://istio.io/latest/docs/setup/upgrade/canary/#stable-revision-labels for more information on the concept.
 type IstioRevisionTag struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
@@ -192,7 +192,7 @@ type IstioRevisionTag struct {
 
 // +kubebuilder:object:root=true
 
-// IstioRevisionList contains a list of IstioRevision
+// IstioRevisionTagList contains a list of IstioRevisionTags
 type IstioRevisionTagList struct {
 	metav1.TypeMeta `json:",inline"`
 	metav1.ListMeta `json:"metadata,omitempty"`

diff --git a/bundle/manifests/sailoperator.io_istiorevisiontags.yaml b/bundle/manifests/sailoperator.io_istiorevisiontags.yaml
@@ -38,8 +38,10 @@ spec:
     name: v1alpha1
     schema:
       openAPIV3Schema:
-        description: IstioRevisionTag references a Istio or IstioRevision object and
-          serves as an alias for sidecar injection.
+        description: IstioRevisionTag references an Istio or IstioRevision object
+          and serves as an alias for sidecar injection. It can be used to manage stable
+          revision tags without having to use istioctl or helm directly. See https://istio.io/latest/docs/setup/upgrade/canary/#stable-revision-labels
+          for more information on the concept.
         properties:
           apiVersion:
             description: |-
@@ -63,7 +65,9 @@ spec:
             properties:
               targetRef:
                 description: IstioRevisionTagTargetReference can reference either
-                  Istio or IstioRevision objects in the cluster.
+                  Istio or IstioRevision objects in the cluster. In the case of referencing
+                  an Istio object, the Sail Operator will automatically update the
+                  reference to the Istio object's Active Revision.
                 properties:
                   kind:
                     description: Kind is the kind of the target resource.

diff --git a/bundle/manifests/servicemesh-operator3-metrics-service_v1_service.yaml b/bundle/manifests/servicemesh-operator3-metrics-service_v1_service.yaml
@@ -3,11 +3,11 @@ kind: Service
 metadata:
   creationTimestamp: null
   labels:
-    app.kubernetes.io/component: kube-rbac-proxy
+    app.kubernetes.io/component: sail-operator
     app.kubernetes.io/created-by: servicemeshoperator3
-    app.kubernetes.io/instance: servicemesh-operator3-metrics-service
+    app.kubernetes.io/instance: servicemesh-operator3
     app.kubernetes.io/managed-by: helm
-    app.kubernetes.io/name: service
+    app.kubernetes.io/name: deployment
     app.kubernetes.io/part-of: servicemeshoperator3
     control-plane: servicemesh-operator3
   name: servicemesh-operator3-metrics-service
@@ -17,10 +17,8 @@ spec:
   - name: https
     port: 8443
     protocol: TCP
-    targetPort: https
+    targetPort: 8443
   selector:
-    app.kubernetes.io/created-by: servicemeshoperator3
-    app.kubernetes.io/part-of: servicemeshoperator3
     control-plane: servicemesh-operator3
 status:
   loadBalancer: {}
diff --git a/bundle/manifests/servicemeshoperator3.clusterserviceversion.yaml b/bundle/manifests/servicemeshoperator3.clusterserviceversion.yaml
@@ -34,7 +34,7 @@ metadata:
     capabilities: Seamless Upgrades
     categories: OpenShift Optional, Integration & Delivery, Networking, Security
     containerImage: quay.io/maistra-dev/sail-operator:3.0-latest
-    createdAt: "2025-01-20T12:15:21Z"
+    createdAt: "2025-01-22T18:11:47Z"
     description: The OpenShift Service Mesh Operator enables you to install, configure,
       and manage an instance of Red Hat OpenShift Service Mesh. OpenShift Service
       Mesh is based on the open source Istio project.
@@ -218,8 +218,10 @@ spec:
         displayName: Helm Values
         path: values
       version: v1alpha1
-    - description: IstioRevisionTag references a Istio or IstioRevision object and
-        serves as an alias for sidecar injection.
+    - description: IstioRevisionTag references an Istio or IstioRevision object and
+        serves as an alias for sidecar injection. It can be used to manage stable
+        revision tags without having to use istioctl or helm directly. See https://istio.io/latest/docs/setup/upgrade/canary/#stable-revision-labels
+        for more information on the concept.
       displayName: Istio Revision Tag
       kind: IstioRevisionTag
       name: istiorevisiontags.sailoperator.io
@@ -667,32 +669,9 @@ spec:
                         values:
                         - linux
               containers:
-              - args:
-                - --secure-listen-address=:8443
-                - --upstream=http://127.0.0.1:8080/
-                - --logtostderr=true
-                - --v=0
-                image: gcr.io/kubebuilder/kube-rbac-proxy:v0.16.0
-                name: kube-rbac-proxy
-                ports:
-                - containerPort: 8443
-                  name: https
-                  protocol: TCP
-                resources:
-                  limits:
-                    cpu: 500m
-                    memory: 128Mi
-                  requests:
-                    cpu: 5m
-                    memory: 64Mi
-                securityContext:
-                  allowPrivilegeEscalation: false
-                  capabilities:
-                    drop:
-                    - ALL
               - args:
                 - --health-probe-bind-address=:8081
-                - --metrics-bind-address=127.0.0.1:8080
+                - --metrics-bind-address=:8443
                 - --zap-log-level=info
                 command:
                 - /sail-operator

diff --git a/chart/crds/sailoperator.io_istiorevisiontags.yaml b/chart/crds/sailoperator.io_istiorevisiontags.yaml
@@ -38,8 +38,10 @@ spec:
     name: v1alpha1
     schema:
       openAPIV3Schema:
-        description: IstioRevisionTag references a Istio or IstioRevision object and
-          serves as an alias for sidecar injection.
+        description: IstioRevisionTag references an Istio or IstioRevision object
+          and serves as an alias for sidecar injection. It can be used to manage stable
+          revision tags without having to use istioctl or helm directly. See https://istio.io/latest/docs/setup/upgrade/canary/#stable-revision-labels
+          for more information on the concept.
         properties:
           apiVersion:
             description: |-
@@ -63,7 +65,9 @@ spec:
             properties:
               targetRef:
                 description: IstioRevisionTagTargetReference can reference either
-                  Istio or IstioRevision objects in the cluster.
+                  Istio or IstioRevision objects in the cluster. In the case of referencing
+                  an Istio object, the Sail Operator will automatically update the
+                  reference to the Istio object's Active Revision.
                 properties:
                   kind:
                     description: Kind is the kind of the target resource.

diff --git a/chart/templates/auth_proxy_service.yaml b/chart/templates/auth_proxy_service.yaml
@@ -2,11 +2,11 @@ apiVersion: v1
 kind: Service
 metadata:
   labels:
-    app.kubernetes.io/component: kube-rbac-proxy
+    app.kubernetes.io/component: sail-operator
     app.kubernetes.io/created-by: {{ .Values.name }}
-    app.kubernetes.io/instance: {{ .Values.deployment.name }}-metrics-service
+    app.kubernetes.io/instance: {{ .Values.deployment.name }}
     app.kubernetes.io/managed-by: helm
-    app.kubernetes.io/name: service
+    app.kubernetes.io/name: deployment
     app.kubernetes.io/part-of: {{ .Values.name }}
     control-plane: {{ .Values.deployment.name }}
   name: {{ .Values.deployment.name }}-metrics-service
@@ -17,8 +17,6 @@ spec:
   - name: https
     port: 8443
     protocol: TCP
-    targetPort: https
+    targetPort: 8443
   selector:
-    app.kubernetes.io/created-by: {{ .Values.name }}
-    app.kubernetes.io/part-of: {{ .Values.name }}
     control-plane: {{ .Values.deployment.name }}
diff --git a/chart/templates/deployment.yaml b/chart/templates/deployment.yaml
@@ -48,40 +48,14 @@ spec:
                 values:
                 - linux
       containers:
-      - args:
-        - --secure-listen-address=:8443
-        - --upstream=http://127.0.0.1:8080/
-        - --logtostderr=true
-        - --v=0
-        image: {{ .Values.proxy.image }}
-{{- if .Values.proxy.imagePullPolicy }}
-        imagePullPolicy: {{ .Values.proxy.imagePullPolicy }}
-{{- end }}
-        name: kube-rbac-proxy
-        ports:
-        - containerPort: 8443
-          name: https
-          protocol: TCP
-        resources:
-          limits:
-            cpu: {{ .Values.proxy.resources.limits.cpu }}
-            memory: {{ .Values.proxy.resources.limits.memory }}
-          requests:
-            cpu: {{ .Values.proxy.resources.requests.cpu }}
-            memory: {{ .Values.proxy.resources.requests.memory }}
-        securityContext:
-          allowPrivilegeEscalation: false
-          capabilities:
-            drop:
-            - ALL
       - args:
         - --health-probe-bind-address=:8081
-        - --metrics-bind-address=127.0.0.1:8080
+        - --metrics-bind-address=:8443
         - --zap-log-level={{ .Values.operatorLogLevel }}
         command:
         - /sail-operator
         image: {{ .Values.image }}
-{{- if .Values.proxy.imagePullPolicy }}
+{{- if .Values.imagePullPolicy }}
         imagePullPolicy: {{ .Values.imagePullPolicy }}
 {{- end }}
         livenessProbe:

diff --git a/chart/templates/rbac/auth_proxy_role_binding.yaml b/chart/templates/rbac/auth_proxy_role_binding.yaml
@@ -13,5 +13,5 @@ roleRef:
   name: {{ .Values.name }}-proxy-role
 subjects:
 - kind: ServiceAccount
-  name: {{ .Values.deployment.name }}
+  name: {{ .Values.serviceAccountName }}
   namespace: {{ .Release.Namespace }}
diff --git a/chart/templates/rbac/leader_election_role_binding.yaml b/chart/templates/rbac/leader_election_role_binding.yaml
@@ -14,5 +14,5 @@ roleRef:
   name: leader-election-role
 subjects:
 - kind: ServiceAccount
-  name: {{ .Values.deployment.name }}
+  name: {{ .Values.serviceAccountName }}
   namespace: {{ .Release.Namespace }}
diff --git a/chart/values.yaml b/chart/values.yaml
@@ -54,17 +54,6 @@ csv:
 image: quay.io/maistra-dev/sail-operator:3.0-latest
 # We're commenting out the imagePullPolicy to use k8s defaults
 # imagePullPolicy: Always
-proxy:
-  image: gcr.io/kubebuilder/kube-rbac-proxy:v0.16.0
-  # We're commenting out the imagePullPolicy to use k8s defaults
-  # imagePullPolicy: IfNotPresent
-  resources:
-    limits:
-      cpu: 500m
-      memory: 128Mi
-    requests:
-      cpu: 5m
-      memory: 64Mi
 operator:
   resources:
     limits:

diff --git a/cmd/main.go b/cmd/main.go
@@ -15,6 +15,7 @@
 package main
 
 import (
+	"crypto/tls"
 	"flag"
 	"fmt"
 	"net/http"
@@ -36,6 +37,7 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/healthz"
 	logf "sigs.k8s.io/controller-runtime/pkg/log"
 	"sigs.k8s.io/controller-runtime/pkg/log/zap"
+	"sigs.k8s.io/controller-runtime/pkg/metrics/filters"
 	metricsserver "sigs.k8s.io/controller-runtime/pkg/metrics/server"
 )
 
@@ -50,7 +52,7 @@ func main() {
 	var leaderElectionEnabled bool
 	var reconcilerCfg config.ReconcilerConfig
 
-	flag.StringVar(&metricsAddr, "metrics-bind-address", ":8080", "The address the metric endpoint binds to.")
+	flag.StringVar(&metricsAddr, "metrics-bind-address", ":8443", "The address the metric endpoint binds to.")
 	flag.StringVar(&probeAddr, "health-probe-bind-address", ":8081", "The address the probe endpoint binds to.")
 	flag.StringVar(&configFile, "config-file", "/etc/sail-operator/config.properties", "Location of the config file, propagated by k8s downward APIs")
 	flag.StringVar(&reconcilerCfg.ResourceDirectory, "resource-directory", "/var/lib/sail-operator/resources", "Where to find resources (e.g. charts)")
@@ -100,9 +102,32 @@ func main() {
 		})
 	}
 
+	// if the enable-http2 flag is false (the default), http/2 should be disabled
+	// due to its vulnerabilities. More specifically, disabling http/2 will
+	// prevent from being vulnerable to the HTTP/2 Stream Cancellation and
+	// Rapid Reset CVEs. For more information see:
+	// - https://github.com/advisories/GHSA-qppj-fm5r-hxr3
+	// - https://github.com/advisories/GHSA-4374-p667-p6c8
+	disableHTTP2 := func(c *tls.Config) {
+		setupLog.Info("disabling http/2")
+		c.NextProtos = []string{"http/1.1"}
+	}
+
+	tlsOpts := []func(*tls.Config){
+		// disable http/2 because of https://github.com/kubernetes/kubernetes/issues/121197
+		disableHTTP2,
+	}
+
+	metricsServerOptions := metricsserver.Options{
+		BindAddress:    metricsAddr,
+		SecureServing:  true,
+		FilterProvider: filters.WithAuthenticationAndAuthorization,
+		TLSOpts:        tlsOpts,
+	}
+
 	mgr, err := ctrl.NewManager(cfg, ctrl.Options{
 		Scheme:                  scheme.Scheme,
-		Metrics:                 metricsserver.Options{BindAddress: metricsAddr},
+		Metrics:                 metricsServerOptions,
 		HealthProbeBindAddress:  probeAddr,
 		LeaderElection:          leaderElectionEnabled,
 		LeaderElectionID:        "sail-operator-lock",