Skip to content

feat(snc): add servicemesh profile with OpenShift Service Mesh 3 support#741

Merged
adrianriobo merged 1 commit intoredhat-developer:mainfrom
jangel97:feat/ocp-snc-istio-servicemesh
Mar 24, 2026
Merged

feat(snc): add servicemesh profile with OpenShift Service Mesh 3 support#741
adrianriobo merged 1 commit intoredhat-developer:mainfrom
jangel97:feat/ocp-snc-istio-servicemesh

Conversation

@jangel97
Copy link
Copy Markdown
Contributor

@jangel97 jangel97 commented Mar 6, 2026

Installs the Red Hat OpenShift Service Mesh 3 operator (servicemeshoperator3) via OLM and deploys cluster-scoped IstioCNI and Istio CRs using the sailoperator.io/v1 API. Also updates findResource to support cluster-scoped resource lookups when namespace is empty.

@jangel97
Copy link
Copy Markdown
Contributor Author

jangel97 commented Mar 6, 2026

Testing servicemesh profile

1. Create the SNC cluster with servicemesh profile

export AWS_SECRET_ACCESS_KEY=""
export AWS_ACCESS_KEY_ID=""
export PULUMI_CONFIG_PASSPHRASE=""

./out/mapt aws openshift-snc create \
  --project-name jmorenas-snc-test-istio \
  --backed-url file:///tmp/mapt-workspace-istio \
  --version 4.21.0 \
  --pull-secret-file /path/to/pull-secret \
  --conn-details-output /tmp/snc-istio \
  --spot \
  --tags owner=jmorenas \
  --profile servicemesh

2. Verify the service mesh control plane

export KUBECONFIG=/tmp/snc-istio/kubeconfig

oc get istiocni default -o jsonpath='{.status.conditions[?(@.type=="Ready")].status}'
# True

oc get istio default -o jsonpath='{.status.conditions[?(@.type=="Ready")].status}'
# True

oc get pods -n istio-system
# NAME                      READY   STATUS    RESTARTS   AGE
# istiod-8454464677-6djg8   1/1     Running   0          2m37s

oc get pods -n istio-cni
# NAME                   READY   STATUS    RESTARTS   AGE
# istio-cni-node-7p92t   1/1     Running   0          3m6s

3. Deploy a test app with sidecar injection

oc new-project bookinfo
oc label namespace bookinfo istio-injection=enabled
oc apply -n bookinfo -f https://raw.githubusercontent.com/istio/istio/release-1.24/samples/bookinfo/platform/kube/bookinfo.yaml
oc wait -n bookinfo --for=condition=Ready pods --all --timeout=120s
oc get pods -n bookinfo

4. Verify sidecars are injected

oc get pods -n bookinfo -o jsonpath='{range .items[*]}{.metadata.name}{" init: "}{range .spec.initContainers[*]}{.name}{" "}{end}{" containers: "}{range .spec.containers[*]}{.name}{" "}{end}{"\n"}{end}'

All 6 pods have istio-validation and istio-proxy init containers injected, demonstrating that the service mesh is working end-to-end.

5. Quick connectivity test

oc exec -n bookinfo deploy/ratings-v1 -c ratings -- curl -sI productpage:9080/productpage
HTTP/1.1 200 OK
server: envoy
date: Fri, 06 Mar 2026 17:13:38 GMT
content-type: text/html; charset=utf-8
content-length: 15072
vary: Cookie
x-envoy-upstream-service-time: 403

Traffic is flowing through the Envoy proxy (server: envoy).

6. Cleanup

./out/mapt aws openshift-snc destroy \
  --project-name jmorenas-snc-test-istio \
  --backed-url file:///tmp/mapt-workspace-istio

@jangel97 jangel97 force-pushed the feat/ocp-snc-istio-servicemesh branch from fa5e17b to f7504a9 Compare March 8, 2026 21:50
@jangel97 jangel97 force-pushed the feat/ocp-snc-istio-servicemesh branch from f7504a9 to a9ab09f Compare March 24, 2026 13:48
adrianriobo
adrianriobo reviewed Mar 24, 2026
View reviewed changes
pkg/provider/aws/action/snc/snc.go Outdated
}
ctx.Export(fmt.Sprintf("%s-%s", *r.prefix, apiSNC.OutputKubeconfig),
pulumi.ToSecret(kubeconfig))
// Write kubeconfig to disk early so it is available even if profile deployment fails
Copy link
Copy Markdown
Collaborator

@adrianriobo adrianriobo Mar 24, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is not the same code to be deleted?

Copy link
Copy Markdown
Contributor Author

@jangel97 jangel97 Mar 24, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just deleted it, thx!

@jangel97
feat(snc): add servicemesh profile with OpenShift Service Mesh 3 support
87acefc 
Installs the Red Hat OpenShift Service Mesh 3 operator (servicemeshoperator3)
via OLM and deploys cluster-scoped IstioCNI and Istio CRs using the
sailoperator.io/v1 API. Also updates findResource to support cluster-scoped
resource lookups when namespace is empty.
@jangel97 jangel97 force-pushed the feat/ocp-snc-istio-servicemesh branch from a9ab09f to 87acefc Compare March 24, 2026 15:25
adrianriobo
adrianriobo approved these changes Mar 24, 2026
View reviewed changes
Copy link
Copy Markdown
Collaborator

@adrianriobo adrianriobo left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM although if you can with the ai profile try to refactor the functions to deploy operators

@adrianriobo adrianriobo merged commit acf2ebf into redhat-developer:main Mar 24, 2026
7 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@adrianriobo adrianriobo adrianriobo approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@jangel97 @adrianriobo