11 changes: 11 additions & 0 deletions api/v1/values_types_extra.go
Expand Up @@ -49,6 +49,8 @@ type ZTunnelConfig struct {
// Image name to pull from. Image will be `Hub/Image:Tag-Variant`.
// If Image contains a "/", it will replace the entire `image` in the pod.
Image *string `json:"image,omitempty"`
// We keep the global namespace around for backward-compatibility
Global map[string]string `json:"global,omitempty"`
Is this required? In any case, I think map[string]string is not the right type. It won't support nested fields

// resourceName, if set, will override the naming of resources. If not set, will default to the release name.
// It is recommended to not set this; this is primarily for backwards compatibility.
ResourceName *string `json:"resourceName,omitempty"`
Expand All @@ -60,12 +62,16 @@ type ZTunnelConfig struct {
VolumeMounts []k8sv1.VolumeMount `json:"volumeMounts,omitempty"`
// Additional volumes to add to the ztunnel Pod.
Volumes []k8sv1.Volume `json:"volumes,omitempty"`
// Tolerations for the ztunnel pod
Tolerations []k8sv1.Toleration `json:"tolerations,omitempty"`
// Annotations added to each pod. The default annotations are required for scraping prometheus (in most environments).
PodAnnotations map[string]string `json:"podAnnotations,omitempty"`
// Additional labels to apply on the pod level.
PodLabels map[string]string `json:"podLabels,omitempty"`
// The k8s resource requests and limits for the ztunnel Pods.
Resources *k8sv1.ResourceRequirements `json:"resources,omitempty"`
// The resource quotas configuration for ztunnel
ResourceQuotas *ResourceQuotas `json:"resourceQuotas,omitempty"`
// List of secret names to add to the service account as image pull secrets
// to use for pulling any images in pods that reference this ServiceAccount.
// Must be set for any cluster configured with private docker registry.
Expand Down Expand Up @@ -105,6 +111,11 @@ type ZTunnelConfig struct {
LogLevel *string `json:"logLevel,omitempty"`
// Specifies whether istio components should output logs in json format by adding --log_as_json argument to each container.
LogAsJSON *bool `json:"logAsJson,omitempty"`
// Set seLinux options for the ztunnel pod
SeLinuxOptions map[string]string `json:"seLinuxOptions,omitempty"`
@dgn dgn Sep 4, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this also won't work. seLinuxOptions has nested fields. We'd need a struct here, but even better would be importing the k8s type

// K8s DaemonSet update strategy
// https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/daemon-set-v1/#DaemonSetSpec).
UpdateStrategy *IstioUpdateStrategy `json:"updateStrategy,omitempty"`
}

// ZTunnelGlobalConfig is a subset of the Global Configuration used in the Istio ztunnel chart.
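Review bot: The doc comment on the new UpdateStrategy field in the last hunk describes a "K8s DaemonSet update strategy" and links DaemonSetSpec, but the field is typed `*IstioUpdateStrategy`, whose generated schema in this same PR (bundle/manifests/sailoperator.io_ztunnels.yaml) exposes `InPlace`/`RevisionBased`, `updateWorkloads` and `inactiveRevisionDeletionGracePeriodSeconds`, i.e. control-plane revision semantics rather than a DaemonSet's RollingUpdate/OnDelete settings. Either the field should use the apps/v1 DaemonSetUpdateStrategy type the comment promises, or the comment should say what the type actually configures, e.g. `// Revision update strategy for ztunnel (InPlace or RevisionBased); see IstioUpdateStrategy.` in place of the two DaemonSet lines. Likewise the new ResourceQuotas field reuses a `ResourceQuotas` type whose field descriptions, as rendered in the generated CRD, refer to "the CNI DaemonSet"; if that type is shared with the CNI config, its doc comments now misdescribe this field and need ztunnel-specific or neutral wording. The ZTunnelConfig struct begins before the first hunk, so I cannot see whether other fields have the same issue.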
31 changes: 31 additions & 0 deletions api/v1/zz_generated.deepcopy.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

102 changes: 102 additions & 0 deletions bundle/manifests/sailoperator.io_ztunnels.yaml
Expand Up @@ -238,6 +238,11 @@ spec:
description: 'A `key: value` mapping of environment variables
to add to the pod'
type: object
global:
additionalProperties:
type: string
description: We keep the global namespace around for backward-compatibility
type: object
hub:
description: Hub to pull the container image from. Image will
be `Hub/Image:Tag-Variant`.
Expand Down Expand Up @@ -3832,6 +3837,19 @@ spec:
resourceName, if set, will override the naming of resources. If not set, will default to the release name.
It is recommended to not set this; this is primarily for backwards compatibility.
type: string
resourceQuotas:
description: The resource quotas configuration for ztunnel
properties:
enabled:
description: Controls whether to create resource quotas
or not for the CNI DaemonSet.
type: boolean
pods:
description: The hard limit on the number of pods in the
namespace where the CNI DaemonSet is deployed.
format: int64
type: integer
type: object
resources:
description: The k8s resource requests and limits for the
ztunnel Pods.
Expand Down Expand Up @@ -3896,6 +3914,11 @@ spec:
description: Configures the revision this control plane is
a part of
type: string
seLinuxOptions:
additionalProperties:
type: string
description: Set seLinux options for the ztunnel pod
type: object
tag:
description: The container image tag to pull. Image will be
`Hub/Image:Tag-Variant`.
Expand All @@ -3909,6 +3932,85 @@ spec:
format: int64
minimum: 0
type: integer
tolerations:
description: Tolerations for the ztunnel pod
items:
description: |-
The pod this Toleration is attached to tolerates any taint that matches
the triple <key,value,effect> using the matching operator <operator>.
properties:
effect:
description: |-
Effect indicates the taint effect to match. Empty means match all taint effects.
When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
type: string
key:
description: |-
Key is the taint key that the toleration applies to. Empty means match all taint keys.
If the key is empty, operator must be Exists; this combination means to match all values and all keys.
type: string
operator:
description: |-
Operator represents a key's relationship to the value.
Valid operators are Exists and Equal. Defaults to Equal.
Exists is equivalent to wildcard for value, so that a pod can
tolerate all taints of a particular category.
type: string
tolerationSeconds:
description: |-
TolerationSeconds represents the period of time the toleration (which must be
of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
it is not set, which means tolerate the taint forever (do not evict). Zero and
negative values will be treated as 0 (evict immediately) by the system.
format: int64
type: integer
value:
description: |-
Value is the taint value the toleration matches to.
If the operator is Exists, the value should be empty, otherwise just a regular string.
type: string
type: object
type: array
updateStrategy:
description: |-
K8s DaemonSet update strategy
https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/daemon-set-v1/#DaemonSetSpec).
properties:
inactiveRevisionDeletionGracePeriodSeconds:
description: |-
Defines how many seconds the operator should wait before removing a non-active revision after all
the workloads have stopped using it. You may want to set this value on the order of minutes.
The minimum is 0 and the default value is 30.
format: int64
minimum: 0
type: integer
type:
default: InPlace
description: "Type of strategy to use. Can be \"InPlace\"
or \"RevisionBased\". When the \"InPlace\" strategy\nis
used, the existing Istio control plane is updated in-place.
The workloads therefore\ndon't need to be moved from
one control plane instance to another. When the \"RevisionBased\"\nstrategy
is used, a new Istio control plane instance is created
for every change to the\nIstio.spec.version field. The
old control plane remains in place until all workloads
have\nbeen moved to the new control plane instance.\n\nThe
\"InPlace\" strategy is the default.\tTODO: change default
to \"RevisionBased\""
enum:
- InPlace
- RevisionBased
type: string
updateWorkloads:
description: |-
Defines whether the workloads should be moved from one control plane instance to another
automatically. If updateWorkloads is true, the operator moves the workloads from the old
control plane instance to the new one after the new control plane is ready.
If updateWorkloads is false, the user must move the workloads manually by updating the
istio.io/rev labels on the namespace and/or the pods.
Defaults to false.
type: boolean
type: object
variant:
description: The container image variant to pull. Options
are "debug" or "distroless". Unset will use the default