Fix bug where Operator fails to connecting to Coherence Pods when using Istio (#691)

Author: thegridman

.dockerignore

@@ -1,4 +1,7 @@
 
+.github/
+.idea/
+artifacts/
 build/
 converter/
 dashboards/

.github/workflows/istio-tests.yaml

@@ -130,6 +130,7 @@ jobs:
         make deploy
         ISTIO_VERSION=${{ matrix.istioVersion }} make install-istio
         make e2e-client-test
+        make e2e-test
         make undeploy
         ISTIO_VERSION=${{ matrix.istioVersion }} make uninstall-istio
 

.github/workflows/release.yml

@@ -97,6 +97,17 @@ jobs:
         asset_name: coherence-operator.yaml
         asset_content_type: text/plain
 
+    - name: Upload Restricted Release Yaml
+      id: upload-release-yaml
+      uses: actions/upload-release-asset@v1
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      with:
+        upload_url: ${{ github.event.release.upload_url }}
+        asset_path: /tmp/coherence-operator/_output/coherence-operator-restricted.yaml
+        asset_name: coherence-operator-restricted.yaml
+        asset_content_type: text/plain
+
     - name: Upload Release CRD
       id: upload-release-crd
       uses: actions/upload-release-asset@v1

.gitignore

@@ -26,6 +26,10 @@ bin/
 bundle/
 temp/
 
+# OpenShift pre-flight
+artifacts/
+preflight.log
+
 # licensed
 .licenses/
 meta/

Makefile

@@ -773,6 +773,7 @@ copyright:  ## Check copyright headers
 	@java -cp hack/glassfish-copyright-maven-plugin-2.1.jar \
 	  org.glassfish.copyright.Copyright -C hack/copyright.txt \
 	  -X .adoc \
+	  -X artifacts/ \
 	  -X bin/ \
 	  -X build/ \
 	  -X clientset/ \
@@ -812,6 +813,7 @@ copyright:  ## Check copyright headers
 	  -X mvnw \
 	  -X mvnw.cmd \
 	  -X .png \
+	  -X preflight.log \
 	  -X PROJECT \
 	  -X .sh \
 	  -X tanzu/package/package.yml \
@@ -1612,6 +1614,9 @@ $(BUILD_MANIFESTS_PKG): $(TOOLS_BIN)/kustomize $(TOOLS_BIN)/yq
 	cp config/namespace/namespace.yaml $(BUILD_OUTPUT)/coherence-operator.yaml
 	$(KUSTOMIZE) build $(BUILD_DEPLOY)/default >> $(BUILD_OUTPUT)/coherence-operator.yaml
 	$(SED) -e 's/name: coherence-operator-env-vars-.*/name: coherence-operator-env-vars/g' $(BUILD_OUTPUT)/coherence-operator.yaml
+	$(KUSTOMIZE) build $(BUILD_DEPLOY)/overlays/restricted >> $(BUILD_OUTPUT)/coherence-operator-restricted.yaml
+	$(SED) -e 's/name: coherence-operator-env-vars-.*/name: coherence-operator-env-vars/g' $(BUILD_OUTPUT)//coherence-operator-restricted.yaml
+	$(SED) -e 's/ClusterRole/Role/g' $(BUILD_OUTPUT)//coherence-operator-restricted.yaml
 	cd $(BUILD_MANIFESTS)/crd && $(TOOLS_BIN)/yq --no-doc -s '.metadata.name + ".yaml"' temp.yaml
 	rm $(BUILD_MANIFESTS)/crd/temp.yaml
 	mv $(BUILD_MANIFESTS)/crd/coherence.coherence.oracle.com.yaml $(BUILD_MANIFESTS)/crd/coherence.oracle.com_coherence.yaml
@@ -2404,15 +2409,23 @@ uninstall-metallb: ## Uninstall MetalLB
 # ----------------------------------------------------------------------------------------------------------------------
 .PHONY: install-istio
 install-istio: delete-istio-config get-istio ## Install the latest version of Istio into k8s (or override the version using the ISTIO_VERSION env var)
+ifeq (true,$(ISTIO_USE_CONFIG))
 	$(ISTIO_HOME)/bin/istioctl install -f $(BUILD_OUTPUT)/istio-config.yaml -y
 	kubectl -n istio-system wait --for condition=available deployment.apps/istiod-$(ISTIO_REVISION)
+else
+	$(ISTIO_HOME)/bin/istioctl install --set profile=demo -y
+	kubectl -n istio-system wait --for condition=available deployment.apps/istiod
+endif
 	kubectl -n istio-system wait --for condition=available deployment.apps/istio-ingressgateway
 	kubectl -n istio-system wait --for condition=available deployment.apps/istio-egressgateway
 	kubectl apply -f $(SCRIPTS_DIR)/istio-strict.yaml
 	kubectl -n $(OPERATOR_NAMESPACE) apply -f $(SCRIPTS_DIR)/istio-operator.yaml
 	kubectl label namespace $(OPERATOR_NAMESPACE) istio-injection=enabled --overwrite=true
+	kubectl label namespace $(OPERATOR_NAMESPACE) istio.io/rev=$(ISTIO_REVISION) --overwrite=true
 	kubectl label namespace $(OPERATOR_NAMESPACE_CLIENT) istio-injection=enabled --overwrite=true
+	kubectl label namespace $(OPERATOR_NAMESPACE_CLIENT) istio.io/rev=$(ISTIO_REVISION) --overwrite=true
 	kubectl label namespace $(CLUSTER_NAMESPACE) istio-injection=enabled --overwrite=true
+	kubectl label namespace $(CLUSTER_NAMESPACE) istio.io/rev=$(ISTIO_REVISION) --overwrite=true
 	kubectl apply -f $(ISTIO_HOME)/samples/addons
 
 # ----------------------------------------------------------------------------------------------------------------------

api/v1/coherenceresourcespec_types.go

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020, 2024, Oracle and/or its affiliates.
+ * Copyright (c) 2020, 2025, Oracle and/or its affiliates.
  * Licensed under the Universal Permissive License v 1.0 as shown at
  * http://oss.oracle.com/licenses/upl.
  */
@@ -671,20 +671,16 @@ func (in *CoherenceResourceSpec) CreatePodTemplateSpec(deployment CoherenceResou
 		podLabels[k] = v
 	}
 
-	var annotations map[string]string
+	annotations := make(map[string]string)
+	// Add the default Istio config annotation.
+	// Adding this first allows it to be overridden in Coherence or CoherenceJob spec
+	annotations[AnnotationIstioConfig] = DefaultIstioConfigAnnotationValue
+
 	globalAnnotations := deployment.CreateGlobalAnnotations()
-	if globalAnnotations != nil {
-		if annotations == nil {
-			annotations = make(map[string]string)
-		}
-		for k, v := range globalAnnotations {
-			annotations[k] = v
-		}
+	for k, v := range globalAnnotations {
+		annotations[k] = v
 	}
 	if in.Annotations != nil {
-		if annotations == nil {
-			annotations = make(map[string]string)
-		}
 		for k, v := range in.Annotations {
 			annotations[k] = v
 		}

api/v1/common_test.go

@@ -450,9 +450,13 @@ func createMinimalExpectedPodSpec(deployment coh.CoherenceResource) corev1.PodTe
 		initContainer.Image = *operatorImage
 	}
 
+	annotations := make(map[string]string)
+	annotations[coh.AnnotationIstioConfig] = coh.DefaultIstioConfigAnnotationValue
+
 	podTemplate := corev1.PodTemplateSpec{
 		ObjectMeta: metav1.ObjectMeta{
-			Labels: podLabels,
+			Labels:      podLabels,
+			Annotations: annotations,
 		},
 		Spec: corev1.PodSpec{
 			InitContainers: []corev1.Container{initContainer},

api/v1/constants.go

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020, 2024, Oracle and/or its affiliates.
+ * Copyright (c) 2020, 2025, Oracle and/or its affiliates.
  * Licensed under the Universal Permissive License v 1.0 as shown at
  * http://oss.oracle.com/licenses/upl.
  */
@@ -64,6 +64,12 @@ const (
 	AnnotationFeatureSuspend = "com.oracle.coherence.operator/feature.suspend"
 	// AnnotationOperatorVersion is the Operator version annotations
 	AnnotationOperatorVersion = "com.oracle.coherence.operator/version"
+	// AnnotationIstioConfig is the Istio config annotation applied to Pods.
+	AnnotationIstioConfig = "proxy.istio.io/config"
+	// DefaultIstioConfigAnnotationValue is the default for the istio config annotation.
+	// This makes the Istio Sidecar the first container in the Pod to allow it to ideally
+	// be started before the Coherence container
+	DefaultIstioConfigAnnotationValue = "{ \"holdApplicationUntilProxyStarts\": true }"
 
 	// DefaultServiceAccount is the default k8s service account name.
 	DefaultServiceAccount = "default"

config/manager/no-jobs-patch.yaml

@@ -0,0 +1,4 @@
+- op: add
+  path: /spec/template/spec/containers/0/args/-
+  value:
+    - --install-job-crd=false

config/overlays/restricted/cluster_role.yaml

@@ -0,0 +1,9 @@
+# -------------------------------------------------------------
+# This is the Cluster Roles required by the Coherence Operator
+# to self-manage its CRDs and Web-Hooks.
+# -------------------------------------------------------------
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: crd-webhook-install-role
+$patch: delete