maistra · SpectralHiss · Mar 16, 2022 · Mar 21, 2022 · Apr 5, 2022 · Apr 6, 2022
diff --git a/Makefile b/Makefile
@@ -100,7 +100,7 @@ update-1.0-charts: update-remote-maistra-1.0
 
 .PHONY: update-1.0-templates
 update-1.0-templates:
-	curl -L https://github.com/maistra/istio-operator/archive/maistra-1.0.tar.gz | tar -xzvC ${SOURCE_DIR}/resources/smcp-templates/v1.0 --strip-components 3 */deploy/smcp-templates
+	curl -L https://github.com/maistra/istio-operator/archive/maistra-1.0.tar.gz | tar --wildcards -xzvC ${SOURCE_DIR}/resources/smcp-templates/v1.0 --strip-components 3 */deploy/smcp-templates
 # XXX: for now, the templates for maistra-1.0 are stored in ./deploy/smcp-templates, so the following won't work
 #update-1.0-templates: update-remote-maistra-1.0
 #	git checkout ${GIT_UPSTREAM_REMOTE}/maistra-1.0 -- ${SOURCE_DIR}/resources/smcp-templates/v1.0
@@ -278,6 +278,7 @@ update-charts: update-1.0-charts update-1.1-charts update-2.0-charts update-2.1-
 .PHONY: update-templates
 update-templates: update-1.0-templates update-1.1-templates update-2.0-templates update-2.1-templates
 
+
 ################################################################################
 # resource collection
 ################################################################################

diff --git a/build/patch-charts.sh b/build/patch-charts.sh
@@ -432,6 +432,39 @@ function copyGlobalValues() {
   cp ${SOURCE_DIR}/resources/helm/overlays/global.yaml ${SOURCE_DIR}/resources/helm/v2.2/
 }
 
+# This hack is hopefully only needed for a few versions until this PR is merged: https://github.com/istio/istio/pull/37264
+# It essentially modifies the chart to have the exact same changes
+function patchPilotServingCert() {
+  # add extra values
+  sed_wrap -i -e '/traceSampling:/ a\
+  extraArgs: []\
+  extraVolumeMounts: []\
+  extraVolumes: []' ${HELM_DIR}/istio-control/istio-discovery/values.yaml
+
+  # add extra volume in deployments (prepend before end of file)
+  sed_wrap -i -e '/^---$/ i\
+{{- if .Values.pilot.extraVolumes }}\
+{{ toYaml .Values.pilot.extraVolumes | indent 6 }}\
+{{- end }}' ${HELM_DIR}/istio-control/istio-discovery/templates/deployment.yaml
+
+
+
+  # add extra volume mounts (by prepending to volumesMounts: block)
+  sed_wrap -i -e '/volumeMounts:/ a\
+{{- if .Values.pilot.extraVolumeMounts }}\
+{{ toYaml .Values.pilot.extraVolumeMounts | indent 10 }}\
+{{- end }}' ${HELM_DIR}/istio-control/istio-discovery/templates/deployment.yaml
+
+  # Add extraArgs (by appending after discovery argument)
+  sed_wrap -i -e '/- "discovery"/ a\
+{{- if .Values.pilot.extraArgs }}\
+  {{-  range .Values.pilot.extraArgs }}\
+          - {{ . | quote }}\
+  {{- end }}\
+{{- end }}'  ${HELM_DIR}/istio-control/istio-discovery/templates/deployment.yaml
+
+}
+
 function hacks() {
   sed_wrap -i -e '/containers:/,/name: discovery/ {
       /name: discovery/a\
@@ -449,5 +482,6 @@ patchGateways
 patchSidecarInjector
 moveEnvoyFiltersToMeshConfigChart
 copyGlobalValues
+patchPilotServingCert
 # TODO: remove this hack once the image is updated to include workingDir
 hacks
diff --git a/deploy-prototype/istio-csr-helm-values.yaml b/deploy-prototype/istio-csr-helm-values.yaml
@@ -0,0 +1,37 @@
+replicaCount: 3
+
+image:
+  repository: quay.io/jetstack/cert-manager-istio-csr
+  tag: v0.3.0
+
+app:
+
+  certmanager:
+    namespace: istio-system
+    preserveCertificateRequests: true
+    issuer:
+      group: cert-manager.io
+      kind: Issuer
+      name: istio-ca
+
+  tls:
+    trustDomain: cluster.local
+    certificateDuration: 3600s
+    certificateDNSNames:
+      # Name used by the e2e client
+      - istio-csr.cert-manager.svc
+      # Name used within the demo cluster
+      - cert-manager-istio-csr.cert-manager.svc
+
+  istio:
+    revisions: ["test-prototype"]
+  server:
+    maxCertificateDuration: 5m
+    serving:
+      address: 0.0.0.0
+      port: 6443
+
+  controller:
+    rootCAConfigMapName: istio-ca-root-cert
+
+
diff --git a/deploy-prototype/selfsigned-ca.yaml b/deploy-prototype/selfsigned-ca.yaml
@@ -0,0 +1,32 @@
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: selfsigned
+spec:
+  selfSigned: {}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: istio-ca
+spec:
+  isCA: true
+  duration: 2160h # 90d
+  secretName: istio-ca
+  commonName: istio-ca
+  subject:
+    organizations:
+      - cluster.local
+      - cert-manager
+  issuerRef:
+    name: selfsigned
+    kind: Issuer
+    group: cert-manager.io
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: istio-ca
+spec:
+  ca:
+    secretName: istio-ca
diff --git a/deploy-prototype/smcp.yaml b/deploy-prototype/smcp.yaml
@@ -0,0 +1,21 @@
+apiVersion: maistra.io/v2
+kind: ServiceMeshControlPlane
+metadata:
+  name: test-prototype
+  namespace: istio-system
+spec:
+  addons:
+    kiali:
+      enabled: false
+  profiles:
+    - small
+  security:
+    certificateAuthority:
+      cert-manager:
+        address: cert-manager-istio-csr.cert-manager.svc:443
+        pilotSecretName: istiod-tls
+        rootCAConfigMapName: "istio-ca-root-cert"
+      type: cert-manager
+  tracing:
+    type: None
+  version: v2.2
diff --git a/deploy-prototype/steps b/deploy-prototype/steps
@@ -0,0 +1,45 @@
+# manual end to end build steps
+
+make build
+make generate
+
+IMAGE=maistradev.azurecr.io/istio-operator:$(git rev-parse HEAD) make image
+
+docker push maistradev.azurecr.io/istio-operator:$(git rev-parse HEAD)
+
+# patch olm manifest with mirrored image location (using mirror script):
+
+eg:
+        olm.relatedImage.v2_2.cni: maistradev.azurecr.io/istio/install-cni:611dad93ddeae2e20b423e35fc2dedad1e4adc03
+        olm.relatedImage.v2_2.pilot: maistradev.azurecr.io/istio/pilot:611dad93ddeae2e20b423e35fc2dedad1e4adc03
+        olm.relatedImage.v2_2.proxyv2: maistradev.azurecr.io/istio/proxyv2:611dad93ddeae2e20b423e35fc2dedad1e4adc03
+        olm.relatedImage.v2_2.wasm-cacher: maistradev.azurecr.io/istio/pilot:611dad93ddeae2e20b423e35fc2dedad1e4adc03
+
+and image section with above image
+in deploy/servicemesh-operator.yaml
+
+apply the deploy/servicemesh-operator.yaml
+
+helm install \    
+  cert-manager jetstack/cert-manager \
+  --namespace cert-manager \
+  --create-namespace \
+  --version v1.6.1 \
+   --set installCRDs=true
+
+kubectl create ns istio-system
+
+kubectl apply -f selfsigned-ca.yaml -n istio-system
+helm install -n cert-manager cert-manager-istio-csr jetstack/cert-manager-istio-csr -f deploy-prototype/istio-csr-helm-values.yaml"
+
+# apply smcp.yaml
+kubectl apply -f deploy-prototype/smcp.yaml
+
+# for some reason the deploy currently generates some junk env vars:
+INJECTION_WEBHOOK_CONFIG_NAME edit pilot deploy and delete those until this is fixed
+
+# the smcp should proceed and istio-csr should be configured properly!
+
+# can verify by seeing all mounts are correct on pilot, launching bookinfo and checking
+# istioctl pc s pod-name to see our self-signed ca is the issuer.
+# it's also important to verify that we used the right root configmap for the root of trust.
diff --git a/deploy/maistra-operator.yaml b/deploy/maistra-operator.yaml
@@ -4916,6 +4916,15 @@ spec:
                 properties:
                   certificateAuthority:
                     properties:
+                      cert-manager:
+                        properties:
+                          address:
+                            type: string
+                          pilotSecretName:
+                            type: string
+                          rootCAConfigMapName:
+                            type: string
+                        type: object
                       custom:
                         properties:
                           address:
@@ -9783,6 +9792,15 @@ spec:
                     properties:
                       certificateAuthority:
                         properties:
+                          cert-manager:
+                            properties:
+                              address:
+                                type: string
+                              pilotSecretName:
+                                type: string
+                              rootCAConfigMapName:
+                                type: string
+                            type: object
                           custom:
                             properties:
                               address:
@@ -10698,7 +10716,8 @@ spec:
       serviceAccountName: istio-operator
       containers:
       - name: istio-operator
-        image: quay.io/maistra/istio-ubi8-operator:2.2.0
+        #image: quay.io/maistra/istio-ubi8-operator:2.2.0
+        image: maistradev.azurecr.io/istio-operator:latest
         ports:
         - containerPort: 11999
           name: validation

diff --git a/deploy/servicemesh-operator.yaml b/deploy/servicemesh-operator.yaml
@@ -4916,6 +4916,15 @@ spec:
                 properties:
                   certificateAuthority:
                     properties:
+                      cert-manager:
+                        properties:
+                          address:
+                            type: string
+                          pilotSecretName:
+                            type: string
+                          rootCAConfigMapName:
+                            type: string
+                        type: object
                       custom:
                         properties:
                           address:
@@ -9783,6 +9792,15 @@ spec:
                     properties:
                       certificateAuthority:
                         properties:
+                          cert-manager:
+                            properties:
+                              address:
+                                type: string
+                              pilotSecretName:
+                                type: string
+                              rootCAConfigMapName:
+                                type: string
+                            type: object
                           custom:
                             properties:
                               address:
@@ -10702,7 +10720,8 @@ spec:
       serviceAccountName: istio-operator
       containers:
       - name: istio-operator
-        image: registry.redhat.io/openshift-service-mesh/istio-rhel8-operator:2.2.0
+        #image: registry.redhat.io/openshift-service-mesh/istio-rhel8-operator:2.2.0
+        image: maistradev.azurecr.io/istio-operator:latest
         ports:
         - containerPort: 11999
           name: validation

diff --git a/deploy/src/crd.yaml b/deploy/src/crd.yaml
@@ -4915,6 +4915,15 @@ spec:
                 properties:
                   certificateAuthority:
                     properties:
+                      cert-manager:
+                        properties:
+                          address:
+                            type: string
+                          pilotSecretName:
+                            type: string
+                          rootCAConfigMapName:
+                            type: string
+                        type: object
                       custom:
                         properties:
                           address:
@@ -9782,6 +9791,15 @@ spec:
                     properties:
                       certificateAuthority:
                         properties:
+                          cert-manager:
+                            properties:
+                              address:
+                                type: string
+                              pilotSecretName:
+                                type: string
+                              rootCAConfigMapName:
+                                type: string
+                            type: object
                           custom:
                             properties:
                               address:

diff --git a/deploy/src/deployment-maistra.yaml b/deploy/src/deployment-maistra.yaml
@@ -68,7 +68,8 @@ spec:
       serviceAccountName: istio-operator
       containers:
       - name: istio-operator
-        image: quay.io/maistra/istio-ubi8-operator:2.2.0
+        #image: quay.io/maistra/istio-ubi8-operator:2.2.0
+        image: maistradev.azurecr.io/istio-operator:latest
         ports:
         - containerPort: 11999
           name: validation

diff --git a/deploy/src/deployment-servicemesh.yaml b/deploy/src/deployment-servicemesh.yaml
@@ -72,7 +72,8 @@ spec:
       serviceAccountName: istio-operator
       containers:
       - name: istio-operator
-        image: registry.redhat.io/openshift-service-mesh/istio-rhel8-operator:2.2.0
+        #image: registry.redhat.io/openshift-service-mesh/istio-rhel8-operator:2.2.0
+        image: maistradev.azurecr.io/istio-operator:latest
         ports:
         - containerPort: 11999
           name: validation

diff --git a/manifests-maistra/2.1.1/maistraoperator.v2.1.1.clusterserviceversion.yaml b/manifests-maistra/2.1.1/maistraoperator.v2.1.1.clusterserviceversion.yaml
@@ -14,8 +14,8 @@ metadata:
     description: |-
       The Maistra Operator enables you to install, configure, and manage an instance of Maistra service mesh. Maistra is based on the open source Istio project.
 
-    containerImage: quay.io/maistra/istio-ubi8-operator:2.1.1
-    createdAt: 2022-01-03T10:28:03EST
+    containerImage: maistradev.azurecr.io/istio-operator:latest
+    createdAt: 2022-01-27T19:40:46GMT
     support: Red Hat, Inc. 
     olm.skipRange: ">=1.0.2 <2.1.1-0"
     operators.openshift.io/infrastructure-features: '[]'
@@ -591,7 +591,7 @@ spec:
               serviceAccountName: istio-operator
               containers:
                 - name: istio-operator
-                  image: quay.io/maistra/istio-ubi8-operator:2.1.1
+                  image: maistradev.azurecr.io/istio-operator:latest
                   ports:
                     - containerPort: 11999
                       name: validation

diff --git a/manifests-maistra/2.1.1/servicemeshcontrolplanes.crd.yaml b/manifests-maistra/2.1.1/servicemeshcontrolplanes.crd.yaml
@@ -4915,6 +4915,13 @@ spec:
                 properties:
                   certificateAuthority:
                     properties:
+                      cert-manager:
+                        properties:
+                          address:
+                            type: string
+                          pilotSecretName:
+                            type: string
+                        type: object
                       custom:
                         properties:
                           address:
@@ -9782,6 +9789,13 @@ spec:
                     properties:
                       certificateAuthority:
                         properties:
+                          cert-manager:
+                            properties:
+                              address:
+                                type: string
+                              pilotSecretName:
+                                type: string
+                            type: object
                           custom:
                             properties:
                               address: