Skip to content

[WIP] NE-2471: Replace OLM-based Istio install with Sail Library#1354

Open
gcs278 wants to merge 4 commits intoopenshift:masterfrom
gcs278:gwapi-without-olm
Open

[WIP] NE-2471: Replace OLM-based Istio install with Sail Library#1354
gcs278 wants to merge 4 commits intoopenshift:masterfrom
gcs278:gwapi-without-olm

Conversation

@gcs278
Copy link
Contributor

@gcs278 gcs278 commented Feb 3, 2026
edited
Loading

🚧 Work in Progress 🚧

Replace OLM-based Istio installation with Sail Library

This PR implements the changes described in openshift/enhancements#1933 to remove the OLM dependency for Gateway API support.

Summary:

Replaces the OLM Subscription-based OSSM installation with direct Helm chart installation using the sail-operator library. This change:

  • Eliminates OLM/Marketplace dependency, enabling Gateway API on clusters without these capabilities
  • Avoids conflicts with existing OSSM subscriptions created by cluster administrators
  • Simplifies Gateway API lifecycle management by removing Subscription/InstallPlan coordination
  • Reduces resource overhead by eliminating the sail-operator deployment when service mesh is not needed
  • Enables Gateway API on OKE clusters which do not include OSSM licensing

Implementation Details:

The cluster-ingress-operator now:

  • Uses Sail library (behind GatewayAPIWithoutOLM feature gate) to deploy istiod directly via Helm with Gateway API configuratio
  • Vendors Helm charts via the sail-operator library (go.mod), which embeds charts as resources
  • Sets the GatewayClass as ownerReference for Helm releases to enable automatic garbage collection
  • Add RBAC permissions for Helm-managed resources, webhooks, and Istio API groups
  • Bump k8s dependencies to v0.35.0 and controller-runtime to v0.22.4 (required by sail-operator library)
  • Handles automatic migration from 4.21 OLM-based installation by deleting the existing Istio CR, waiting for sail-operator cleanup, and reinstalling via Helm with no data plane downtime

Based on proof of concept work in:

Status: Work in progress:

TODO:

NID = NID Team Action
OSSM = OSSM Team Action

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Feb 3, 2026
@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Feb 3, 2026
@openshift-ci-robot
Copy link
Contributor

openshift-ci-robot commented Feb 3, 2026
edited by openshift-ci bot
Loading

@gcs278: This pull request references NE-2471 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

🚧 Work in Progress 🚧

Replace OLM-based Istio installation with Sail Library

This PR implements the changes described in openshift/enhancements#1933 to remove the OLM dependency for Gateway API support.

Summary:

Replaces the OLM Subscription-based OSSM installation with direct Helm chart installation using sail-operator libraries. This change:

  • Eliminates OLM/Marketplace dependency, enabling Gateway API on clusters without these capabilities
  • Avoids conflicts with existing OSSM subscriptions created by cluster administrators
  • Simplifies Gateway API lifecycle management by removing Subscription/InstallPlan coordination
  • Reduces resource overhead by eliminating the sail-operator deployment when service mesh is not needed
  • Enables Gateway API on OKE clusters which do not include OSSM licensing

Implementation Details:

The cluster-ingress-operator now:

  • Vendors Helm charts via the sail-operator library (go.mod), which embeds charts as resources
  • Uses install.NewInstaller() with PresetGatewayAPI to deploy istiod directly via Helm
  • Sets the GatewayClass as ownerReference for Helm releases to enable automatic garbage collection
  • Add RBAC permissions for Helm-managed resources, webhooks, and Istio API groups
  • Bump k8s dependencies to v0.35.0 and controller-runtime to v0.22.4 (required by sail-operator library
  • Remove all OLM-related logic, tests, documentation, flags, status, etc.
  • Handles automatic migration from 4.21 OLM-based installation by deleting the existing Istio CR, waiting for sail-operator cleanup, and reinstalling via Helm with no data plane downtime

Based on proof of concept work in:

Status: Work in progress - testing and migration logic in development.

TODO:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci-robot
Copy link
Contributor

openshift-ci-robot commented Feb 3, 2026
edited by openshift-ci bot
Loading

@gcs278: This pull request references NE-2471 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

🚧 Work in Progress 🚧

Replace OLM-based Istio installation with Sail Library

This PR implements the changes described in openshift/enhancements#1933 to remove the OLM dependency for Gateway API support.

Summary:

Replaces the OLM Subscription-based OSSM installation with direct Helm chart installation using sail-operator libraries. This change:

  • Eliminates OLM/Marketplace dependency, enabling Gateway API on clusters without these capabilities
  • Avoids conflicts with existing OSSM subscriptions created by cluster administrators
  • Simplifies Gateway API lifecycle management by removing Subscription/InstallPlan coordination
  • Reduces resource overhead by eliminating the sail-operator deployment when service mesh is not needed
  • Enables Gateway API on OKE clusters which do not include OSSM licensing

Implementation Details:

The cluster-ingress-operator now:

  • Vendors Helm charts via the sail-operator library (go.mod), which embeds charts as resources
  • Uses install.NewInstaller() with PresetGatewayAPI to deploy istiod directly via Helm
  • Sets the GatewayClass as ownerReference for Helm releases to enable automatic garbage collection
  • Add RBAC permissions for Helm-managed resources, webhooks, and Istio API groups
  • Bump k8s dependencies to v0.35.0 and controller-runtime to v0.22.4 (required by sail-operator library)
  • Remove all OLM-related logic, tests, documentation, flags, status, etc.
  • Handles automatic migration from 4.21 OLM-based installation by deleting the existing Istio CR, waiting for sail-operator cleanup, and reinstalling via Helm with no data plane downtime

Based on proof of concept work in:

Status: Work in progress - testing and migration logic in development.

TODO:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci-robot
Copy link
Contributor

openshift-ci-robot commented Feb 3, 2026
edited by openshift-ci bot
Loading

@gcs278: This pull request references NE-2471 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

🚧 Work in Progress 🚧

Replace OLM-based Istio installation with Sail Library

This PR implements the changes described in openshift/enhancements#1933 to remove the OLM dependency for Gateway API support.

Summary:

Replaces the OLM Subscription-based OSSM installation with direct Helm chart installation using sail-operator libraries. This change:

  • Eliminates OLM/Marketplace dependency, enabling Gateway API on clusters without these capabilities
  • Avoids conflicts with existing OSSM subscriptions created by cluster administrators
  • Simplifies Gateway API lifecycle management by removing Subscription/InstallPlan coordination
  • Reduces resource overhead by eliminating the sail-operator deployment when service mesh is not needed
  • Enables Gateway API on OKE clusters which do not include OSSM licensing

Implementation Details:

The cluster-ingress-operator now:

  • Vendors Helm charts via the sail-operator library (go.mod), which embeds charts as resources
  • Uses install.NewInstaller() with PresetGatewayAPI to deploy istiod directly via Helm
  • Sets the GatewayClass as ownerReference for Helm releases to enable automatic garbage collection
  • Add RBAC permissions for Helm-managed resources, webhooks, and Istio API groups
  • Bump k8s dependencies to v0.35.0 and controller-runtime to v0.22.4 (required by sail-operator library)
  • Remove all OLM-related logic, tests, documentation, flags, status, etc.
  • Handles automatic migration from 4.21 OLM-based installation by deleting the existing Istio CR, waiting for sail-operator cleanup, and reinstalling via Helm with no data plane downtime

Based on proof of concept work in:

Status: Work in progress

TODO:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci-robot
Copy link
Contributor

openshift-ci-robot commented Feb 3, 2026
edited by openshift-ci bot
Loading

@gcs278: This pull request references NE-2471 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

🚧 Work in Progress 🚧

Replace OLM-based Istio installation with Sail Library

This PR implements the changes described in openshift/enhancements#1933 to remove the OLM dependency for Gateway API support.

Summary:

Replaces the OLM Subscription-based OSSM installation with direct Helm chart installation using sail-operator libraries. This change:

  • Eliminates OLM/Marketplace dependency, enabling Gateway API on clusters without these capabilities
  • Avoids conflicts with existing OSSM subscriptions created by cluster administrators
  • Simplifies Gateway API lifecycle management by removing Subscription/InstallPlan coordination
  • Reduces resource overhead by eliminating the sail-operator deployment when service mesh is not needed
  • Enables Gateway API on OKE clusters which do not include OSSM licensing

Implementation Details:

The cluster-ingress-operator now:

  • Vendors Helm charts via the sail-operator library (go.mod), which embeds charts as resources
  • Uses install.NewInstaller() with PresetGatewayAPI to deploy istiod directly via Helm
  • Sets the GatewayClass as ownerReference for Helm releases to enable automatic garbage collection
  • Add RBAC permissions for Helm-managed resources, webhooks, and Istio API groups
  • Bump k8s dependencies to v0.35.0 and controller-runtime to v0.22.4 (required by sail-operator library)
  • Remove all OLM-related logic, tests, documentation, flags, status, etc.
  • Handles automatic migration from 4.21 OLM-based installation by deleting the existing Istio CR, waiting for sail-operator cleanup, and reinstalling via Helm with no data plane downtime

Based on proof of concept work in:

Status: Work in progress:

TODO:

NID = NID Team Action
OSSM = OSSM Team Action

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci-robot
Copy link
Contributor

openshift-ci-robot commented Feb 3, 2026
edited by openshift-ci bot
Loading

@gcs278: This pull request references NE-2471 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

🚧 Work in Progress 🚧

Replace OLM-based Istio installation with Sail Library

This PR implements the changes described in openshift/enhancements#1933 to remove the OLM dependency for Gateway API support.

Summary:

Replaces the OLM Subscription-based OSSM installation with direct Helm chart installation using sail-operator libraries. This change:

  • Eliminates OLM/Marketplace dependency, enabling Gateway API on clusters without these capabilities
  • Avoids conflicts with existing OSSM subscriptions created by cluster administrators
  • Simplifies Gateway API lifecycle management by removing Subscription/InstallPlan coordination
  • Reduces resource overhead by eliminating the sail-operator deployment when service mesh is not needed
  • Enables Gateway API on OKE clusters which do not include OSSM licensing

Implementation Details:

The cluster-ingress-operator now:

  • Vendors Helm charts via the sail-operator library (go.mod), which embeds charts as resources
  • Uses install.NewInstaller() with PresetGatewayAPI to deploy istiod directly via Helm
  • Sets the GatewayClass as ownerReference for Helm releases to enable automatic garbage collection
  • Add RBAC permissions for Helm-managed resources, webhooks, and Istio API groups
  • Bump k8s dependencies to v0.35.0 and controller-runtime to v0.22.4 (required by sail-operator library)
  • Remove all OLM-related logic, tests, documentation, flags, status, etc.
  • Handles automatic migration from 4.21 OLM-based installation by deleting the existing Istio CR, waiting for sail-operator cleanup, and reinstalling via Helm with no data plane downtime

Based on proof of concept work in:

Status: Work in progress:

TODO:

NID = NID Team Action
OSSM = OSSM Team Action

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci-robot
Copy link
Contributor

openshift-ci-robot commented Feb 3, 2026
edited by openshift-ci bot
Loading

@gcs278: This pull request references NE-2471 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

🚧 Work in Progress 🚧

Replace OLM-based Istio installation with Sail Library

This PR implements the changes described in openshift/enhancements#1933 to remove the OLM dependency for Gateway API support.

Summary:

Replaces the OLM Subscription-based OSSM installation with direct Helm chart installation using sail-operator libraries. This change:

  • Eliminates OLM/Marketplace dependency, enabling Gateway API on clusters without these capabilities
  • Avoids conflicts with existing OSSM subscriptions created by cluster administrators
  • Simplifies Gateway API lifecycle management by removing Subscription/InstallPlan coordination
  • Reduces resource overhead by eliminating the sail-operator deployment when service mesh is not needed
  • Enables Gateway API on OKE clusters which do not include OSSM licensing

Implementation Details:

The cluster-ingress-operator now:

  • Vendors Helm charts via the sail-operator library (go.mod), which embeds charts as resources
  • Uses install.NewInstaller() with PresetGatewayAPI to deploy istiod directly via Helm
  • Sets the GatewayClass as ownerReference for Helm releases to enable automatic garbage collection
  • Add RBAC permissions for Helm-managed resources, webhooks, and Istio API groups
  • Bump k8s dependencies to v0.35.0 and controller-runtime to v0.22.4 (required by sail-operator library)
  • Remove all OLM-related logic, tests, documentation, flags, status, etc.
  • Handles automatic migration from 4.21 OLM-based installation by deleting the existing Istio CR, waiting for sail-operator cleanup, and reinstalling via Helm with no data plane downtime

Based on proof of concept work in:

Status: Work in progress:

TODO:

NID = NID Team Action
OSSM = OSSM Team Action

  • [NID] Separate K8S bump to 1.35 into another commit
  • [NID] Remove all legacy OLM/OSSM subscription code, tests, and documentation
  • [NID] Implement a tech-preview feature flag (aka don't remove the OLM logic yet...whoops)
  • [NID] Get NE-2470: Gateway API without OLM enhancements#1933 agreed upon, and merged
  • [NID] Implement upgrade migration logic to handle transition from OLM-based to Helm-based installation (from [WIP] NE-2437: [POC] Install Istio via Helm charts instead of OLM subscription #1347)
  • [NID & OSSM] Add reconciliation watches for Helm-managed resources (requires sail library updates)
  • [NID & OSSM] Implement Istio CRD installation logic for layered product support (requires sail library updates)
  • [NID & OSSM] Move to downstream sail-operator library when available (right now is https://github.com/aslakknutsen/sail-operator/tree/sail_library)
  • [NID & OSSM] Configure Istio version and container pullspecs: set defaults from sail library but allow overrides for pre-release testing and custom registries (requires sail library updates)

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@aslakknutsen aslakknutsen mentioned this pull request Feb 4, 2026
Closed
@gcs278 gcs278 force-pushed the gwapi-without-olm branch from 22cafc1 to 0a046e5 Compare February 4, 2026 11:04
@openshift-merge-robot openshift-merge-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Feb 4, 2026
gcs278 added 2 commits February 4, 2026 12:02
@gcs278
Bump vendored k8s libraries to 1.35
5411a68 
Bump Kubernetes packages to 0.35.0 and controller-runtime to 0.22.4,
required by the sail-operator library which will be used to replace
OLM-based Istio installation:

go get k8s.io/api@v0.35.0
go get k8s.io/apiextensions-apiserver@v0.35.0
go get k8s.io/apimachinery@v0.35.0
go get k8s.io/apiserver@v0.35.0
go get k8s.io/client-go@v0.35.0
go get sigs.k8s.io/controller-runtime@v0.22.4

The Kubernetes 0.35.0 dependencies require Go 1.25.0, which caused
go.mod to be automatically updated from go 1.24.0 to go 1.25.0

Update build toolchain to match the new go.mod version:
- `Dockerfile`: golang:1.24 to golang:1.25
- `.ci-operator.yaml`: rhel-9-release-golang-1.24-openshift-4.22 to
  rhel-9-release-golang-1.25-openshift-4.22
@gcs278
Bump api for GatewayAPIWithoutOLM feature gate
0211ac3 
Bump openshift/api to add the new GatewayAPIWithoutOLM feature gate.
This feature gate controls whether to use the Sail Library for direct
Helm-based installation of Istio.
@gcs278 gcs278 force-pushed the gwapi-without-olm branch from 0a046e5 to 500e267 Compare February 4, 2026 17:02
@openshift-merge-robot openshift-merge-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Feb 4, 2026
@gcs278 gcs278 force-pushed the gwapi-without-olm branch from 500e267 to 6b0b1af Compare February 4, 2026 17:22
@openshift-ci
Copy link
Contributor

openshift-ci bot commented Feb 4, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign candita for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@gcs278 gcs278 force-pushed the gwapi-without-olm branch from 6b0b1af to 8baf8ef Compare February 4, 2026 17:27
@openshift-ci-robot
Copy link
Contributor

openshift-ci-robot commented Feb 4, 2026
edited by openshift-ci bot
Loading

@gcs278: This pull request references NE-2471 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

🚧 Work in Progress 🚧

Replace OLM-based Istio installation with Sail Library

This PR implements the changes described in openshift/enhancements#1933 to remove the OLM dependency for Gateway API support.

Summary:

Replaces the OLM Subscription-based OSSM installation with direct Helm chart installation using sail-operator libraries. This change:

  • Eliminates OLM/Marketplace dependency, enabling Gateway API on clusters without these capabilities
  • Avoids conflicts with existing OSSM subscriptions created by cluster administrators
  • Simplifies Gateway API lifecycle management by removing Subscription/InstallPlan coordination
  • Reduces resource overhead by eliminating the sail-operator deployment when service mesh is not needed
  • Enables Gateway API on OKE clusters which do not include OSSM licensing

Implementation Details:

The cluster-ingress-operator now:

  • Vendors Helm charts via the sail-operator library (go.mod), which embeds charts as resources
  • Uses install.NewInstaller() with PresetGatewayAPI to deploy istiod directly via Helm
  • Sets the GatewayClass as ownerReference for Helm releases to enable automatic garbage collection
  • Add RBAC permissions for Helm-managed resources, webhooks, and Istio API groups
  • Bump k8s dependencies to v0.35.0 and controller-runtime to v0.22.4 (required by sail-operator library)
  • Remove all OLM-related logic, tests, documentation, flags, status, etc.
  • Handles automatic migration from 4.21 OLM-based installation by deleting the existing Istio CR, waiting for sail-operator cleanup, and reinstalling via Helm with no data plane downtime

Based on proof of concept work in:

Status: Work in progress:

TODO:

NID = NID Team Action
OSSM = OSSM Team Action

  • [NID] Separate K8S bump to 1.35 into another commit
  • [NID] Remove all legacy OLM/OSSM subscription code, tests, and documentation
  • [NID] Implement a tech-preview feature flag (aka don't remove the OLM logic yet...whoops)
  • [NID] Get NE-2470: Gateway API without OLM enhancements#1933 agreed upon, and merged
  • [NID] Implement upgrade migration logic to handle transition from OLM-based to Helm-based installation (from [WIP] NE-2437: [POC] Install Istio via Helm charts instead of OLM subscription #1347)
  • [NID & OSSM] Add reconciliation watches for Helm-managed resources (requires sail library updates)
  • [NID & OSSM] Implement Istio CRD installation logic for layered product support (requires sail library updates)
  • [NID & OSSM] Move to downstream sail-operator library when available (right now is https://github.com/aslakknutsen/sail-operator/tree/sail_library)
  • [NID & OSSM] Configure Istio version and container pullspecs: set defaults from sail library but allow overrides for pre-release testing and custom registries (requires sail library updates)

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci-robot
Copy link
Contributor

openshift-ci-robot commented Feb 4, 2026
edited by openshift-ci bot
Loading

@gcs278: This pull request references NE-2471 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

🚧 Work in Progress 🚧

Replace OLM-based Istio installation with Sail Library

This PR implements the changes described in openshift/enhancements#1933 to remove the OLM dependency for Gateway API support.

Summary:

Replaces the OLM Subscription-based OSSM installation with direct Helm chart installation using sail-operator libraries. This change:

  • Eliminates OLM/Marketplace dependency, enabling Gateway API on clusters without these capabilities
  • Avoids conflicts with existing OSSM subscriptions created by cluster administrators
  • Simplifies Gateway API lifecycle management by removing Subscription/InstallPlan coordination
  • Reduces resource overhead by eliminating the sail-operator deployment when service mesh is not needed
  • Enables Gateway API on OKE clusters which do not include OSSM licensing

Implementation Details:

The cluster-ingress-operator now:

  • Vendors Helm charts via the sail-operator library (go.mod), which embeds charts as resources
  • Uses install.NewInstaller() with PresetGatewayAPI to deploy istiod directly via Helm
  • Sets the GatewayClass as ownerReference for Helm releases to enable automatic garbage collection
  • Add RBAC permissions for Helm-managed resources, webhooks, and Istio API groups
  • Bump k8s dependencies to v0.35.0 and controller-runtime to v0.22.4 (required by sail-operator library)
  • Remove all OLM-related logic, tests, documentation, flags, status, etc.
  • Handles automatic migration from 4.21 OLM-based installation by deleting the existing Istio CR, waiting for sail-operator cleanup, and reinstalling via Helm with no data plane downtime

Based on proof of concept work in:

Status: Work in progress:

TODO:

NID = NID Team Action
OSSM = OSSM Team Action

  • [NID] Separate K8S bump to 1.35 into another commit
  • [NID] Remove all legacy OLM/OSSM subscription code, tests, and documentation
  • [NID] Implement a tech-preview feature flag (aka don't remove the OLM logic yet...whoops)
  • [NID] Get NE-2470: Gateway API without OLM enhancements#1933 agreed upon, and merged
  • [NID] Implement upgrade migration logic to handle transition from OLM-based to Helm-based installation (from [WIP] NE-2437: [POC] Install Istio via Helm charts instead of OLM subscription #1347)
  • [NID & OSSM] Add reconciliation watches for Helm-managed resources (requires sail library updates)
  • [NID & OSSM] Implement Istio CRD installation logic for layered product support (requires sail library updates)
  • [NID & OSSM] Move to downstream sail-operator library when available (right now is https://github.com/aslakknutsen/sail-operator/tree/sail_library)
  • [NID & OSSM] Configure Istio version and container pullspecs: set defaults from sail library but allow overrides for pre-release testing and custom registries (requires sail library updates)

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci-robot
Copy link
Contributor

openshift-ci-robot commented Feb 4, 2026
edited by openshift-ci bot
Loading

@gcs278: This pull request references NE-2471 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

🚧 Work in Progress 🚧

Replace OLM-based Istio installation with Sail Library

This PR implements the changes described in openshift/enhancements#1933 to remove the OLM dependency for Gateway API support.

Summary:

Replaces the OLM Subscription-based OSSM installation with direct Helm chart installation using sail-operator libraries. This change:

  • Eliminates OLM/Marketplace dependency, enabling Gateway API on clusters without these capabilities
  • Avoids conflicts with existing OSSM subscriptions created by cluster administrators
  • Simplifies Gateway API lifecycle management by removing Subscription/InstallPlan coordination
  • Reduces resource overhead by eliminating the sail-operator deployment when service mesh is not needed
  • Enables Gateway API on OKE clusters which do not include OSSM licensing

Implementation Details:

The cluster-ingress-operator now:

  • Vendors Helm charts via the sail-operator library (go.mod), which embeds charts as resources
  • Uses install.NewInstaller() with PresetGatewayAPI to deploy istiod directly via Helm
  • Sets the GatewayClass as ownerReference for Helm releases to enable automatic garbage collection
  • Add RBAC permissions for Helm-managed resources, webhooks, and Istio API groups
  • Bump k8s dependencies to v0.35.0 and controller-runtime to v0.22.4 (required by sail-operator library)
  • Remove all OLM-related logic, tests, documentation, flags, status, etc.
  • Handles automatic migration from 4.21 OLM-based installation by deleting the existing Istio CR, waiting for sail-operator cleanup, and reinstalling via Helm with no data plane downtime

Based on proof of concept work in:

Status: Work in progress:

TODO:

NID = NID Team Action
OSSM = OSSM Team Action

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci-robot
Copy link
Contributor

openshift-ci-robot commented Feb 5, 2026
edited by openshift-ci bot
Loading

@gcs278: This pull request references NE-2471 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

🚧 Work in Progress 🚧

Replace OLM-based Istio installation with Sail Library

This PR implements the changes described in openshift/enhancements#1933 to remove the OLM dependency for Gateway API support.

Summary:

Replaces the OLM Subscription-based OSSM installation with direct Helm chart installation using sail-operator libraries. This change:

  • Eliminates OLM/Marketplace dependency, enabling Gateway API on clusters without these capabilities
  • Avoids conflicts with existing OSSM subscriptions created by cluster administrators
  • Simplifies Gateway API lifecycle management by removing Subscription/InstallPlan coordination
  • Reduces resource overhead by eliminating the sail-operator deployment when service mesh is not needed
  • Enables Gateway API on OKE clusters which do not include OSSM licensing

Implementation Details:

The cluster-ingress-operator now:

  • Vendors Helm charts via the sail-operator library (go.mod), which embeds charts as resources
  • Uses install.NewInstaller() with PresetGatewayAPI to deploy istiod directly via Helm
  • Sets the GatewayClass as ownerReference for Helm releases to enable automatic garbage collection
  • Add RBAC permissions for Helm-managed resources, webhooks, and Istio API groups
  • Bump k8s dependencies to v0.35.0 and controller-runtime to v0.22.4 (required by sail-operator library)
  • Remove all OLM-related logic, tests, documentation, flags, status, etc.
  • Handles automatic migration from 4.21 OLM-based installation by deleting the existing Istio CR, waiting for sail-operator cleanup, and reinstalling via Helm with no data plane downtime

Based on proof of concept work in:

Status: Work in progress:

TODO:

NID = NID Team Action
OSSM = OSSM Team Action

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@gcs278 gcs278 force-pushed the gwapi-without-olm branch from 8baf8ef to f6b8efd Compare February 5, 2026 05:49
@openshift-ci-robot
Copy link
Contributor

openshift-ci-robot commented Feb 5, 2026
edited by openshift-ci bot
Loading

@gcs278: This pull request references NE-2471 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

🚧 Work in Progress 🚧

Replace OLM-based Istio installation with Sail Library

This PR implements the changes described in openshift/enhancements#1933 to remove the OLM dependency for Gateway API support.

Summary:

Replaces the OLM Subscription-based OSSM installation with direct Helm chart installation using sail-operator libraries. This change:

  • Eliminates OLM/Marketplace dependency, enabling Gateway API on clusters without these capabilities
  • Avoids conflicts with existing OSSM subscriptions created by cluster administrators
  • Simplifies Gateway API lifecycle management by removing Subscription/InstallPlan coordination
  • Reduces resource overhead by eliminating the sail-operator deployment when service mesh is not needed
  • Enables Gateway API on OKE clusters which do not include OSSM licensing

Implementation Details:

The cluster-ingress-operator now:

  • Vendors Helm charts via the sail-operator library (go.mod), which embeds charts as resources
  • Uses install.NewInstaller() with PresetGatewayAPI to deploy istiod directly via Helm
  • Sets the GatewayClass as ownerReference for Helm releases to enable automatic garbage collection
  • Add RBAC permissions for Helm-managed resources, webhooks, and Istio API groups
  • Bump k8s dependencies to v0.35.0 and controller-runtime to v0.22.4 (required by sail-operator library)
  • Remove all OLM-related logic, tests, documentation, flags, status, etc.
  • Handles automatic migration from 4.21 OLM-based installation by deleting the existing Istio CR, waiting for sail-operator cleanup, and reinstalling via Helm with no data plane downtime

Based on proof of concept work in:

Status: Work in progress:

TODO:

NID = NID Team Action
OSSM = OSSM Team Action

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci-robot
Copy link
Contributor

openshift-ci-robot commented Feb 5, 2026
edited by openshift-ci bot
Loading

@gcs278: This pull request references NE-2471 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

🚧 Work in Progress 🚧

Replace OLM-based Istio installation with Sail Library

This PR implements the changes described in openshift/enhancements#1933 to remove the OLM dependency for Gateway API support.

Summary:

Replaces the OLM Subscription-based OSSM installation with direct Helm chart installation using sail-operator libraries. This change:

  • Eliminates OLM/Marketplace dependency, enabling Gateway API on clusters without these capabilities
  • Avoids conflicts with existing OSSM subscriptions created by cluster administrators
  • Simplifies Gateway API lifecycle management by removing Subscription/InstallPlan coordination
  • Reduces resource overhead by eliminating the sail-operator deployment when service mesh is not needed
  • Enables Gateway API on OKE clusters which do not include OSSM licensing

Implementation Details:

The cluster-ingress-operator now:

  • Vendors Helm charts via the sail-operator library (go.mod), which embeds charts as resources
  • Uses install.NewInstaller() with PresetGatewayAPI to deploy istiod directly via Helm
  • Sets the GatewayClass as ownerReference for Helm releases to enable automatic garbage collection
  • Add RBAC permissions for Helm-managed resources, webhooks, and Istio API groups
  • Bump k8s dependencies to v0.35.0 and controller-runtime to v0.22.4 (required by sail-operator library)
  • Remove all OLM-related logic, tests, documentation, flags, status, etc.
  • Handles automatic migration from 4.21 OLM-based installation by deleting the existing Istio CR, waiting for sail-operator cleanup, and reinstalling via Helm with no data plane downtime

Based on proof of concept work in:

Status: Work in progress:

TODO:

NID = NID Team Action
OSSM = OSSM Team Action

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci
Copy link
Contributor

openshift-ci bot commented Feb 5, 2026

@gcs278: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/e2e-hypershift f6b8efd link true /test e2e-hypershift
ci/prow/e2e-azure-operator f6b8efd link true /test e2e-azure-operator
ci/prow/verify f6b8efd link true /test verify
ci/prow/e2e-vsphere-static-metallb-operator-gwapi f6b8efd link false /test e2e-vsphere-static-metallb-operator-gwapi
ci/prow/e2e-aws-ovn-serial-1of2 f6b8efd link true /test e2e-aws-ovn-serial-1of2
ci/prow/e2e-aws-ovn-hypershift-conformance f6b8efd link true /test e2e-aws-ovn-hypershift-conformance
ci/prow/verify-deps f6b8efd link true /test verify-deps
ci/prow/hypershift-e2e-aks f6b8efd link true /test hypershift-e2e-aks
ci/prow/e2e-aws-ovn-serial-2of2 f6b8efd link true /test e2e-aws-ovn-serial-2of2
ci/prow/e2e-aws-ovn-upgrade f6b8efd link true /test e2e-aws-ovn-upgrade
ci/prow/e2e-gcp-operator f6b8efd link true /test e2e-gcp-operator
ci/prow/e2e-aws-operator f6b8efd link true /test e2e-aws-operator
ci/prow/e2e-aws-ovn f6b8efd link true /test e2e-aws-ovn

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

rikatz
rikatz reviewed Feb 5, 2026
View reviewed changes
manifests/00-cluster-role.yaml
- list
- watch

- apiGroups:
Copy link
Member

@rikatz rikatz Feb 5, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this an Istio requirement @aslakknutsen @gcs278

Can Istio be started without it?

Copy link
Contributor

@aslakknutsen aslakknutsen Feb 5, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm working on a new version; aslakknutsen/sail-operator@375b004, but basically to allow the library to install some of these for istio to use, the consumer(CIO Operator) has to have the same rbac else we run into escalation issues.

Copy link
Contributor

@aslakknutsen aslakknutsen Feb 5, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@rikatz Or are you referring specifically to the x-k8s.io ones?

@aslakknutsen @gcs278
NE-2471: Add Istio Install via Sail Library
b70f6a7 
Add support for installing Istio without OLM using the Sail Operator
library, which uses Helm directly. This simplifies the Gateway API
installation flow by eliminating the need for Subscription/InstallPlan
management and Istio CR lifecycle.

Key changes:
- Use install.NewInstaller() with PresetGatewayAPI to deploy Istio
- Pass GatewayClass as ownerReference for Helm release garbage collection
- Add RBAC cluster roles required by the Sail Library

The Sail Library embeds Istio Helm charts and provides a one-shot
installer API, making the installation idempotent and self-contained
without requiring external operator dependencies.
@gcs278
Add migration from OLM to Sail Library
b0a1817 
Add migration logic to handle the upgrade from OLM-based
Istio installation (4.21) to Helm-based installation via
Sail Library (4.22).

Migration approach:
 - Delete the old Istio CR created by sail-operator
 - Wait for Sail Operator to clean up IstioRevision and Helm resources
 - Continue with Sail Library install only when migration is complete
@gcs278 gcs278 force-pushed the gwapi-without-olm branch from f6b8efd to b0a1817 Compare February 5, 2026 15:41
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@candita candita Awaiting requested review from candita

@grzpiotrowski grzpiotrowski Awaiting requested review from grzpiotrowski

2 more reviewers

@aslakknutsen aslakknutsen aslakknutsen left review comments

@rikatz rikatz rikatz left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@gcs278 @openshift-ci-robot @aslakknutsen @rikatz @openshift-merge-robot