Skip to content

OCPBUGS-84834: Bump GWAPI CRDs to v1.4.1 OSSM 3.3.1 and Istio v1.28.5 #1444

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
rhamini3 wants to merge 3 commits into
base: release-4.21
Choose a base branch
from
Open

OCPBUGS-84834: Bump GWAPI CRDs to v1.4.1 OSSM 3.3.1 and Istio v1.28.5 #1444

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
fcc0306
Bump GWAPI CRDs to v1.4.1 OSSM 3.3.1 and Istio v1.28.5
rhamini3 May 12, 2026
dcaf2ff
revert istio version back to v1.28.5
rhamini3 Jun 1, 2026
2bfb440
update go.mod comment
rhamini3 Jun 2, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
7 changes: 5 additions & 2 deletions cmd/ingress-operator/start.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -35,8 +35,11 @@ const (
defaultTrustedCABundle = "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem"
defaultGatewayAPIOperatorCatalog = "redhat-operators"
defaultGatewayAPIOperatorChannel = "stable"
defaultGatewayAPIOperatorVersion = "servicemeshoperator3.v3.2.0"
defaultIstioVersion = "v1.27.3"
defaultGatewayAPIOperatorVersion = "servicemeshoperator3.v3.3.1"
// OSSM 3.3.1 ships Istio 1.28.5.
// Using floating z-stream tag to avoid breaking clusters with
// customer-managed subscriptions on a different OSSM minor version.
defaultIstioVersion = "v1.28.5"
)

type StartOptions struct {
Expand Down
7 changes: 5 additions & 2 deletions hack/gatewayapi-conformance.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -58,7 +58,10 @@ go mod vendor
# Also, GRPCRouteListenerHostnameMatching tests are taking longer than 150s to converge to passing.
sed -i -e '/MaxTimeToConsistency:/ s/30/360/' conformance/utils/config/timeout.go

SUPPORTED_FEATURES="Gateway,GRPCRoute,HTTPRoute,ReferenceGrant,GatewayPort8080,HTTPRouteQueryParamMatching,HTTPRouteMethodMatching,HTTPRouteResponseHeaderModification,HTTPRoutePortRedirect,HTTPRouteSchemeRedirect,HTTPRoutePathRedirect,HTTPRouteHostRewrite,HTTPRoutePathRewrite,HTTPRouteRequestMirror,HTTPRouteRequestMultipleMirrors,HTTPRouteBackendProtocolH2C,HTTPRouteBackendProtocolWebSocket,HTTPRouteRequestPercentageMirror,HTTPRouteBackendRequestHeaderModification"
SUPPORTED_FEATURES="BackendTLSPolicy,BackendTLSPolicySANValidation,GRPCRoute,Gateway,GatewayAddressEmpty,GatewayHTTPListenerIsolation,GatewayInfrastructurePropagation,GatewayPort8080,HTTPRoute,HTTPRouteBackendProtocolH2C,HTTPRouteBackendProtocolWebSocket,HTTPRouteBackendRequestHeaderModification,HTTPRouteBackendTimeout,HTTPRouteCORS,HTTPRouteDestinationPortMatching,HTTPRouteHostRewrite,HTTPRouteMethodMatching,HTTPRouteNamedRouteRule,HTTPRouteParentRefPort,HTTPRoutePathRedirect,HTTPRoutePathRewrite,HTTPRoutePortRedirect,HTTPRouteQueryParamMatching,HTTPRouteRequestMirror,HTTPRouteRequestMultipleMirrors,HTTPRouteRequestPercentageMirror,HTTPRouteRequestTimeout,HTTPRouteResponseHeaderModification,HTTPRouteSchemeRedirect,ReferenceGrant"
# skipping BackendTLSPolicyConflictResolution confornance test because upstream istio is not supporting this at the moment: https://github.com/istio/istio/blob/ba49f7398a8542c3612788e9bd0371c079e44165/tests/integration/pilot/gateway_conformance_test.go#L67
SKIPPED_TESTS="HTTPRouteCORSAllowCredentialsBehavior,GatewayStaticAddresses,BackendTLSPolicyConflictResolution"

echo "Start Gateway API Conformance Testing"
go test ./conformance -v -timeout 60m -run TestConformance -args "--supported-features=${SUPPORTED_FEATURES}" "--gateway-class=${GATEWAYCLASS_NAME}"
go test ./conformance -v -timeout 60m -run TestConformance -args "--gateway-class=conformance" "--report-output=openshift.yaml" "--organization=Red Hat" "--project=Openshift Service Mesh" "--version=3.3.1" "--url=https://www.redhat.com/en/technologies/cloud-computing/openshift/container-platform" "--conformance-profiles=GATEWAY-HTTP,GATEWAY-GRPC" "--supported-features=${SUPPORTED_FEATURES}" "--skip-tests=${SKIPPED_TESTS}"
cat conformance/openshift.yaml
4 changes: 2 additions & 2 deletions manifests/02-deployment-ibm-cloud-managed.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -59,9 +59,9 @@ spec:
- name: GATEWAY_API_OPERATOR_CHANNEL
value: stable
- name: GATEWAY_API_OPERATOR_VERSION
value: servicemeshoperator3.v3.2.0
value: servicemeshoperator3.v3.3.1
- name: ISTIO_VERSION
value: v1.27.3
value: v1.28.5
image: openshift/origin-cluster-ingress-operator:latest
imagePullPolicy: IfNotPresent
name: ingress-operator
Expand Down
4 changes: 2 additions & 2 deletions manifests/02-deployment.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -88,9 +88,9 @@ spec:
- name: GATEWAY_API_OPERATOR_CHANNEL
value: stable
- name: GATEWAY_API_OPERATOR_VERSION
value: servicemeshoperator3.v3.2.0
value: servicemeshoperator3.v3.3.1
- name: ISTIO_VERSION
value: v1.27.3
value: v1.28.5
resources:
requests:
cpu: 10m
Expand Down
1,333 changes: 1,333 additions & 0 deletions pkg/manifests/assets/gateway-api/gateway.networking.k8s.io_backendtlspolicies.yaml
View file
Open in desktop

Large diffs are not rendered by default.

42 changes: 40 additions & 2 deletions pkg/manifests/assets/gateway-api/gateway.networking.k8s.io_gatewayclasses.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,9 +3,8 @@ kind: CustomResourceDefinition
metadata:
annotations:
api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328
gateway.networking.k8s.io/bundle-version: v1.3.0
gateway.networking.k8s.io/bundle-version: v1.4.1
gateway.networking.k8s.io/channel: standard
creationTimestamp: null
name: gatewayclasses.gateway.networking.k8s.io
spec:
group: gateway.networking.k8s.io
Expand Down Expand Up @@ -237,6 +236,25 @@ spec:
x-kubernetes-list-map-keys:
- type
x-kubernetes-list-type: map
supportedFeatures:
description: |-
SupportedFeatures is the set of features the GatewayClass support.
It MUST be sorted in ascending alphabetical order by the Name key.
items:
properties:
name:
description: |-
FeatureName is used to describe distinct features that are covered by
conformance tests.
type: string
required:
- name
type: object
maxItems: 64
type: array
x-kubernetes-list-map-keys:
- name
x-kubernetes-list-type: map
type: object
required:
- spec
Expand Down Expand Up @@ -462,6 +480,25 @@ spec:
x-kubernetes-list-map-keys:
- type
x-kubernetes-list-type: map
supportedFeatures:
description: |-
SupportedFeatures is the set of features the GatewayClass support.
It MUST be sorted in ascending alphabetical order by the Name key.
items:
properties:
name:
description: |-
FeatureName is used to describe distinct features that are covered by
conformance tests.
type: string
required:
- name
type: object
maxItems: 64
type: array
x-kubernetes-list-map-keys:
- name
x-kubernetes-list-type: map
type: object
required:
- spec
Expand All @@ -476,3 +513,4 @@ status:
plural: ""
conditions: null
storedVersions: null

54 changes: 34 additions & 20 deletions pkg/manifests/assets/gateway-api/gateway.networking.k8s.io_gateways.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,9 +3,8 @@ kind: CustomResourceDefinition
metadata:
annotations:
api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328
gateway.networking.k8s.io/bundle-version: v1.3.0
gateway.networking.k8s.io/bundle-version: v1.4.1
gateway.networking.k8s.io/channel: standard
creationTimestamp: null
name: gateways.gateway.networking.k8s.io
spec:
group: gateway.networking.k8s.io
Expand Down Expand Up @@ -65,7 +64,7 @@ spec:
Addresses requested for this Gateway. This is optional and behavior can
depend on the implementation. If a value is set in the spec and the
requested address is invalid or unavailable, the implementation MUST
indicate this in the associated entry in GatewayStatus.Addresses.
indicate this in an associated entry in GatewayStatus.Conditions.

The Addresses field represents a request for the address(es) on the
"outside of the Gateway", that traffic bound for this Gateway will use.
Expand Down Expand Up @@ -120,19 +119,22 @@ spec:
type: string
type: object
x-kubernetes-validations:
- message: Hostname value must only contain valid characters (matching
^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$)
rule: 'self.type == ''Hostname'' ? self.value.matches(r"""^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$"""):
- message: Hostname value must be empty or contain only valid characters
(matching ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$)
rule: 'self.type == ''Hostname'' ? (!has(self.value) || self.value.matches(r"""^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$""")):
true'
maxItems: 16
type: array
x-kubernetes-list-type: atomic
x-kubernetes-validations:
- message: IPAddress values must be unique
rule: 'self.all(a1, a1.type == ''IPAddress'' ? self.exists_one(a2,
a2.type == a1.type && a2.value == a1.value) : true )'
rule: 'self.all(a1, a1.type == ''IPAddress'' && has(a1.value) ?
self.exists_one(a2, a2.type == a1.type && has(a2.value) && a2.value
== a1.value) : true )'
- message: Hostname values must be unique
rule: 'self.all(a1, a1.type == ''Hostname'' ? self.exists_one(a2,
a2.type == a1.type && a2.value == a1.value) : true )'
rule: 'self.all(a1, a1.type == ''Hostname'' && has(a1.value) ?
self.exists_one(a2, a2.type == a1.type && has(a2.value) && a2.value
== a1.value) : true )'
gatewayClassName:
description: |-
GatewayClassName used for this Gateway. This is the name of a
Expand Down Expand Up @@ -488,6 +490,7 @@ spec:
type: object
maxItems: 8
type: array
x-kubernetes-list-type: atomic
namespaces:
default:
from: Same
Expand Down Expand Up @@ -655,7 +658,7 @@ spec:
the Protocol field is "HTTPS" or "TLS". It is invalid to set this field
if the Protocol field is "HTTP", "TCP", or "UDP".

The association of SNIs to Certificate defined in GatewayTLSConfig is
The association of SNIs to Certificate defined in ListenerTLSConfig is
defined based on the Hostname field for this listener.

The GatewayClass MUST use the longest matching SNI out of all
Expand Down Expand Up @@ -742,6 +745,7 @@ spec:
type: object
maxItems: 64
type: array
x-kubernetes-list-type: atomic
mode:
default: Terminate
description: |-
Expand Down Expand Up @@ -894,6 +898,7 @@ spec:
true'
maxItems: 16
type: array
x-kubernetes-list-type: atomic
conditions:
default:
- lastTransitionTime: "1970-01-01T00:00:00Z"
Expand Down Expand Up @@ -1107,6 +1112,7 @@ spec:
type: object
maxItems: 8
type: array
x-kubernetes-list-type: atomic
required:
- attachedRoutes
- conditions
Expand Down Expand Up @@ -1171,7 +1177,7 @@ spec:
Addresses requested for this Gateway. This is optional and behavior can
depend on the implementation. If a value is set in the spec and the
requested address is invalid or unavailable, the implementation MUST
indicate this in the associated entry in GatewayStatus.Addresses.
indicate this in an associated entry in GatewayStatus.Conditions.

The Addresses field represents a request for the address(es) on the
"outside of the Gateway", that traffic bound for this Gateway will use.
Expand Down Expand Up @@ -1226,19 +1232,22 @@ spec:
type: string
type: object
x-kubernetes-validations:
- message: Hostname value must only contain valid characters (matching
^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$)
rule: 'self.type == ''Hostname'' ? self.value.matches(r"""^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$"""):
- message: Hostname value must be empty or contain only valid characters
(matching ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$)
rule: 'self.type == ''Hostname'' ? (!has(self.value) || self.value.matches(r"""^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$""")):
true'
maxItems: 16
type: array
x-kubernetes-list-type: atomic
x-kubernetes-validations:
- message: IPAddress values must be unique
rule: 'self.all(a1, a1.type == ''IPAddress'' ? self.exists_one(a2,
a2.type == a1.type && a2.value == a1.value) : true )'
rule: 'self.all(a1, a1.type == ''IPAddress'' && has(a1.value) ?
self.exists_one(a2, a2.type == a1.type && has(a2.value) && a2.value
== a1.value) : true )'
- message: Hostname values must be unique
rule: 'self.all(a1, a1.type == ''Hostname'' ? self.exists_one(a2,
a2.type == a1.type && a2.value == a1.value) : true )'
rule: 'self.all(a1, a1.type == ''Hostname'' && has(a1.value) ?
self.exists_one(a2, a2.type == a1.type && has(a2.value) && a2.value
== a1.value) : true )'
gatewayClassName:
description: |-
GatewayClassName used for this Gateway. This is the name of a
Expand Down Expand Up @@ -1594,6 +1603,7 @@ spec:
type: object
maxItems: 8
type: array
x-kubernetes-list-type: atomic
namespaces:
default:
from: Same
Expand Down Expand Up @@ -1761,7 +1771,7 @@ spec:
the Protocol field is "HTTPS" or "TLS". It is invalid to set this field
if the Protocol field is "HTTP", "TCP", or "UDP".

The association of SNIs to Certificate defined in GatewayTLSConfig is
The association of SNIs to Certificate defined in ListenerTLSConfig is
defined based on the Hostname field for this listener.

The GatewayClass MUST use the longest matching SNI out of all
Expand Down Expand Up @@ -1848,6 +1858,7 @@ spec:
type: object
maxItems: 64
type: array
x-kubernetes-list-type: atomic
mode:
default: Terminate
description: |-
Expand Down Expand Up @@ -2000,6 +2011,7 @@ spec:
true'
maxItems: 16
type: array
x-kubernetes-list-type: atomic
conditions:
default:
- lastTransitionTime: "1970-01-01T00:00:00Z"
Expand Down Expand Up @@ -2213,6 +2225,7 @@ spec:
type: object
maxItems: 8
type: array
x-kubernetes-list-type: atomic
required:
- attachedRoutes
- conditions
Expand All @@ -2238,3 +2251,4 @@ status:
plural: ""
conditions: null
storedVersions: null

24 changes: 22 additions & 2 deletions pkg/manifests/assets/gateway-api/gateway.networking.k8s.io_grpcroutes.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,9 +3,8 @@ kind: CustomResourceDefinition
metadata:
annotations:
api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328
gateway.networking.k8s.io/bundle-version: v1.3.0
gateway.networking.k8s.io/bundle-version: v1.4.1
gateway.networking.k8s.io/channel: standard
creationTimestamp: null
name: grpcroutes.gateway.networking.k8s.io
spec:
group: gateway.networking.k8s.io
Expand Down Expand Up @@ -151,6 +150,7 @@ spec:
type: string
maxItems: 16
type: array
x-kubernetes-list-type: atomic
parentRefs:
description: |-
ParentRefs references the resources (usually Gateways) that a Route wants
Expand Down Expand Up @@ -334,6 +334,7 @@ spec:
type: object
maxItems: 32
type: array
x-kubernetes-list-type: atomic
x-kubernetes-validations:
- message: sectionName must be specified when parentRefs includes
2 or more references to the same parent
Expand Down Expand Up @@ -937,6 +938,7 @@ spec:
rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')'
maxItems: 16
type: array
x-kubernetes-list-type: atomic
x-kubernetes-validations:
- message: RequestHeaderModifier filter cannot be repeated
rule: self.filter(f, f.type == 'RequestHeaderModifier').size()
Expand Down Expand Up @@ -1033,6 +1035,7 @@ spec:
? has(self.port) : true'
maxItems: 16
type: array
x-kubernetes-list-type: atomic
filters:
description: |-
Filters define the filters that are applied to requests that match
Expand Down Expand Up @@ -1583,6 +1586,7 @@ spec:
rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')'
maxItems: 16
type: array
x-kubernetes-list-type: atomic
x-kubernetes-validations:
- message: RequestHeaderModifier filter cannot be repeated
rule: self.filter(f, f.type == 'RequestHeaderModifier').size()
Expand Down Expand Up @@ -1760,9 +1764,20 @@ spec:
type: object
maxItems: 64
type: array
x-kubernetes-list-type: atomic
name:
description: |-
Name is the name of the route rule. This name MUST be unique within a Route if it is set.

Support: Extended
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
type: object
maxItems: 16
type: array
x-kubernetes-list-type: atomic
x-kubernetes-validations:
- message: While 16 rules and 64 matches per rule are allowed, the
total number of matches across all rules in a route must be less
Expand Down Expand Up @@ -2030,14 +2045,18 @@ spec:
- name
type: object
required:
- conditions
- controllerName
- parentRef
type: object
maxItems: 32
type: array
x-kubernetes-list-type: atomic
required:
- parents
type: object
required:
- spec
type: object
served: true
storage: true
Expand All @@ -2049,3 +2068,4 @@ status:
plural: ""
conditions: null
storedVersions: null

Loading