Check IstioCNI status for IstioRevisions that depend on IstioCNI

Previously, when an IstioRevision depended on IstioCNI, either because the user enabled the use of IstioCNI through values.pilot.cni.enabled or because the platform profile enables it, the IstioRevision resource would show as healthy even though workloads would fail because IstioCNI hasn't been deployed. This commit adds a new `DependenciesHealthy` condition to `IstioRevision` and makes `IstioRevision.status.state` and the `STATUS` column report the fact that IstioCNI is missing or unhealthy. This makes it easier for users to see that their setup is misconfigured.

Signed-off-by: Marko Lukša <[email protected]>

Author: luksa

api/v1/istio_types.go

@@ -234,6 +234,23 @@ const (
 	IstioReasonReadinessCheckFailed IstioConditionReason = "ReadinessCheckFailed"
 )
 
+const (
+	// IstioConditionDependenciesHealthy signifies whether the dependencies required by this Istio are healthy.
+	// For example, an Istio with spec.values.pilot.cni.enabled=true requires the IstioCNI resource to be deployed
+	// and ready for the Istio revision to be considered healthy. The DependenciesHealthy condition is used to indicate that
+	// the IstioCNI resource is healthy.
+	IstioConditionDependenciesHealthy IstioConditionType = "DependenciesHealthy"
+
+	// IstioReasonIstioCNINotFound indicates that the IstioCNI resource is not found.
+	IstioReasonIstioCNINotFound IstioConditionReason = "IstioCNINotFound"
+
+	// IstioReasonIstioCNINotHealthy indicates that the IstioCNI resource is not healthy.
+	IstioReasonIstioCNINotHealthy IstioConditionReason = "IstioCNINotHealthy"
+
+	// IstioReasonDependencyCheckFailed indicates that the status of the dependencies could not be ascertained.
+	IstioReasonDependencyCheckFailed IstioConditionReason = "DependencyCheckFailed"
+)
+
 const (
 	// IstioReasonHealthy indicates that the control plane is fully reconciled and that all components are ready.
 	IstioReasonHealthy IstioConditionReason = "Healthy"

api/v1/istiorevision_types.go

@@ -168,6 +168,23 @@ const (
 	IstioRevisionReasonUsageCheckFailed IstioRevisionConditionReason = "UsageCheckFailed"
 )
 
+const (
+	// IstioRevisionConditionDependenciesHealthy signifies whether the dependencies required by this IstioRevision are healthy.
+	// For example, an IstioRevision with spec.values.pilot.cni.enabled=true requires the IstioCNI resource to be deployed
+	// and ready for the Istio revision to be considered healthy. The DependenciesHealthy condition is used to indicate that
+	// the IstioCNI resource is healthy.
+	IstioRevisionConditionDependenciesHealthy IstioRevisionConditionType = "DependenciesHealthy"
+
+	// IstioRevisionReasonIstioCNINotFound indicates that the IstioCNI resource is not found.
+	IstioRevisionReasonIstioCNINotFound IstioRevisionConditionReason = "IstioCNINotFound"
+
+	// IstioRevisionReasonIstioCNINotHealthy indicates that the IstioCNI resource is not healthy.
+	IstioRevisionReasonIstioCNINotHealthy IstioRevisionConditionReason = "IstioCNINotHealthy"
+
+	// IstioRevisionDependencyCheckFailed indicates that the status of the dependencies could not be ascertained.
+	IstioRevisionDependencyCheckFailed IstioRevisionConditionReason = "DependencyCheckFailed"
+)
+
 const (
 	// IstioRevisionReasonHealthy indicates that the control plane is fully reconciled and that all components are ready.
 	IstioRevisionReasonHealthy IstioRevisionConditionReason = "Healthy"

controllers/istio/istio_controller.go

@@ -257,6 +257,7 @@ func (r *Reconciler) determineStatus(ctx context.Context, istio *v1.Istio, recon
 		} else if err == nil {
 			status.SetCondition(convertCondition(rev.Status.GetCondition(v1.IstioRevisionConditionReconciled)))
 			status.SetCondition(convertCondition(rev.Status.GetCondition(v1.IstioRevisionConditionReady)))
+			status.SetCondition(convertCondition(rev.Status.GetCondition(v1.IstioRevisionConditionDependenciesHealthy)))
 			status.State = convertConditionReason(rev.Status.State)
 		} else {
 			activeRevisionGetFailed := func(conditionType v1.IstioConditionType) v1.IstioCondition {
@@ -326,6 +327,8 @@ func convertConditionType(condition v1.IstioRevisionCondition) v1.IstioCondition
 		return v1.IstioConditionReconciled
 	case v1.IstioRevisionConditionReady:
 		return v1.IstioConditionReady
+	case v1.IstioRevisionConditionDependenciesHealthy:
+		return v1.IstioConditionDependenciesHealthy
 	default:
 		panic(fmt.Sprintf("can't convert IstioRevisionConditionType: %s", condition.Type))
 	}
@@ -345,6 +348,12 @@ func convertConditionReason(reason v1.IstioRevisionConditionReason) v1.IstioCond
 		return v1.IstioReasonReconcileError
 	case v1.IstioRevisionReasonRemoteIstiodNotReady:
 		return v1.IstioReasonRemoteIstiodNotReady
+	case v1.IstioRevisionReasonIstioCNINotHealthy:
+		return v1.IstioReasonIstioCNINotHealthy
+	case v1.IstioRevisionReasonIstioCNINotFound:
+		return v1.IstioReasonIstioCNINotFound
+	case v1.IstioRevisionDependencyCheckFailed:
+		return v1.IstioReasonDependencyCheckFailed
 	default:
 		panic(fmt.Sprintf("can't convert IstioRevisionConditionReason: %s", reason))
 	}

controllers/istio/istio_controller_test.go

@@ -264,6 +264,7 @@ func TestDetermineStatus(t *testing.T) {
 				Conditions: []v1.IstioRevisionCondition{
 					{Type: v1.IstioRevisionConditionReconciled, Status: toConditionStatus(reconciled)},
 					{Type: v1.IstioRevisionConditionReady, Status: toConditionStatus(ready)},
+					{Type: v1.IstioRevisionConditionDependenciesHealthy, Status: toConditionStatus(true)},
 					{Type: v1.IstioRevisionConditionInUse, Status: toConditionStatus(inUse)},
 				},
 			},
@@ -329,6 +330,12 @@ func TestDetermineStatus(t *testing.T) {
 								Reason:  v1.IstioRevisionReasonHealthy,
 								Message: "ready message",
 							},
+							{
+								Type:    v1.IstioRevisionConditionDependenciesHealthy,
+								Status:  metav1.ConditionTrue,
+								Reason:  v1.IstioRevisionReasonHealthy,
+								Message: "dependencies healthy message",
+							},
 						},
 					},
 				},
@@ -375,6 +382,12 @@ func TestDetermineStatus(t *testing.T) {
 						Reason:  v1.IstioReasonHealthy,
 						Message: "ready message",
 					},
+					{
+						Type:    v1.IstioConditionDependenciesHealthy,
+						Status:  metav1.ConditionTrue,
+						Reason:  v1.IstioReasonHealthy,
+						Message: "dependencies healthy message",
+					},
 				},
 				ActiveRevisionName: istioKey.Name,
 				Revisions: v1.RevisionSummary{
@@ -407,6 +420,10 @@ func TestDetermineStatus(t *testing.T) {
 						Type:   v1.IstioConditionReady,
 						Status: metav1.ConditionTrue,
 					},
+					{
+						Type:   v1.IstioConditionDependenciesHealthy,
+						Status: metav1.ConditionTrue,
+					},
 				},
 				ActiveRevisionName: istioKey.Name,
 				Revisions: v1.RevisionSummary{
@@ -638,6 +655,11 @@ func TestUpdateStatus(t *testing.T) {
 							Message:            "ready message",
 							LastTransitionTime: *oneMinuteAgo,
 						},
+						{
+							Type:               v1.IstioConditionDependenciesHealthy,
+							Status:             metav1.ConditionTrue,
+							LastTransitionTime: *oneMinuteAgo,
+						},
 					},
 					ActiveRevisionName: istioKey.Name,
 				},
@@ -667,6 +689,11 @@ func TestUpdateStatus(t *testing.T) {
 								Message:            "ready message",
 								LastTransitionTime: *oneMinuteAgo,
 							},
+							{
+								Type:               v1.IstioRevisionConditionDependenciesHealthy,
+								Status:             metav1.ConditionTrue,
+								LastTransitionTime: *oneMinuteAgo,
+							},
 						},
 					},
 				},
@@ -687,6 +714,10 @@ func TestUpdateStatus(t *testing.T) {
 						Reason:  v1.IstioReasonHealthy,
 						Message: "ready message",
 					},
+					{
+						Type:   v1.IstioConditionDependenciesHealthy,
+						Status: metav1.ConditionTrue,
+					},
 				},
 				ActiveRevisionName: istioKey.Name,
 			},

controllers/istiorevision/istiorevision_controller.go

@@ -57,6 +57,8 @@ import (
 	"istio.io/istio/pkg/ptr"
 )
 
+const istioCniName = "default"
+
 // Reconciler reconciles an IstioRevision object
 type Reconciler struct {
 	client.Client
@@ -213,6 +215,8 @@ func (r *Reconciler) SetupWithManager(mgr ctrl.Manager) error {
 	// The handler triggers the reconciliation of the referenced IstioRevision CR so that its InUse condition is updated.
 	revisionTagHandler := wrapEventHandler(logger, handler.EnqueueRequestsFromMapFunc(r.mapRevisionTagToReconcileRequest))
 
+	istioCniHandler := wrapEventHandler(logger, handler.EnqueueRequestsFromMapFunc(r.mapIstioCniToReconcileRequests))
+
 	return ctrl.NewControllerManagedBy(mgr).
 		WithOptions(controller.Options{
 			LogConstructor: func(req *reconcile.Request) logr.Logger {
@@ -258,6 +262,9 @@ func (r *Reconciler) SetupWithManager(mgr ctrl.Manager) error {
 		Watches(&admissionv1.MutatingWebhookConfiguration{}, ownedResourceHandler).
 		Watches(&admissionv1.ValidatingWebhookConfiguration{}, ownedResourceHandler, builder.WithPredicates(validatingWebhookConfigPredicate())).
 
+		// +lint-watches:ignore: IstioCNI (not found in charts, but this controller needs to watch it to update the IstioRevision status)
+		Watches(&v1.IstioCNI{}, istioCniHandler).
+
 		// +lint-watches:ignore: ValidatingAdmissionPolicy (TODO: fix this when CI supports golang 1.22 and k8s 1.30)
 		// +lint-watches:ignore: ValidatingAdmissionPolicyBinding (TODO: fix this when CI supports golang 1.22 and k8s 1.30)
 		// +lint-watches:ignore: CustomResourceDefinition (prevents `make lint-watches` from bugging us about CRDs)
@@ -269,6 +276,8 @@ func (r *Reconciler) determineStatus(ctx context.Context, rev *v1.IstioRevision,
 	reconciledCondition := r.determineReconciledCondition(reconcileErr)
 	readyCondition, err := r.determineReadyCondition(ctx, rev)
 	errs.Add(err)
+	dependenciesHealthyCondition, err := r.determineDependenciesHealthyCondition(ctx, rev)
+	errs.Add(err)
 
 	inUseCondition, err := r.determineInUseCondition(ctx, rev)
 	errs.Add(err)
@@ -277,8 +286,9 @@ func (r *Reconciler) determineStatus(ctx context.Context, rev *v1.IstioRevision,
 	status.ObservedGeneration = rev.Generation
 	status.SetCondition(reconciledCondition)
 	status.SetCondition(readyCondition)
+	status.SetCondition(dependenciesHealthyCondition)
 	status.SetCondition(inUseCondition)
-	status.State = deriveState(reconciledCondition, readyCondition)
+	status.State = deriveState(reconciledCondition, readyCondition, dependenciesHealthyCondition)
 	return status, errs.Error()
 }
 
@@ -298,11 +308,11 @@ func (r *Reconciler) updateStatus(ctx context.Context, rev *v1.IstioRevision, re
 	return errs.Error()
 }
 
-func deriveState(reconciledCondition, readyCondition v1.IstioRevisionCondition) v1.IstioRevisionConditionReason {
-	if reconciledCondition.Status != metav1.ConditionTrue {
-		return reconciledCondition.Reason
-	} else if readyCondition.Status != metav1.ConditionTrue {
-		return readyCondition.Reason
+func deriveState(conditions ...v1.IstioRevisionCondition) v1.IstioRevisionConditionReason {
+	for _, c := range conditions {
+		if c.Status != metav1.ConditionTrue {
+			return c.Reason
+		}
 	}
 	return v1.IstioRevisionReasonHealthy
 }
@@ -375,6 +385,43 @@ func (r *Reconciler) determineReadyCondition(ctx context.Context, rev *v1.IstioR
 	return c, nil
 }
 
+func (r *Reconciler) determineDependenciesHealthyCondition(ctx context.Context, rev *v1.IstioRevision) (v1.IstioRevisionCondition, error) {
+	if revision.DependsOnIstioCNI(rev) {
+		cni := v1.IstioCNI{}
+		if err := r.Client.Get(ctx, client.ObjectKey{Name: istioCniName}, &cni); err != nil {
+			if apierrors.IsNotFound(err) {
+				return v1.IstioRevisionCondition{
+					Type:    v1.IstioRevisionConditionDependenciesHealthy,
+					Status:  metav1.ConditionFalse,
+					Reason:  v1.IstioRevisionReasonIstioCNINotFound,
+					Message: "IstioCNI resource does not exist",
+				}, nil
+			}
+
+			return v1.IstioRevisionCondition{
+				Type:    v1.IstioRevisionConditionDependenciesHealthy,
+				Status:  metav1.ConditionUnknown,
+				Reason:  v1.IstioRevisionDependencyCheckFailed,
+				Message: fmt.Sprintf("failed to get IstioCNI status: %v", err),
+			}, fmt.Errorf("get failed: %w", err)
+		}
+
+		if cni.Status.State != v1.IstioCNIReasonHealthy {
+			return v1.IstioRevisionCondition{
+				Type:    v1.IstioRevisionConditionDependenciesHealthy,
+				Status:  metav1.ConditionFalse,
+				Reason:  v1.IstioRevisionReasonIstioCNINotHealthy,
+				Message: "IstioCNI resource status indicates that the component is not healthy",
+			}, nil
+		}
+	}
+
+	return v1.IstioRevisionCondition{
+		Type:   v1.IstioRevisionConditionDependenciesHealthy,
+		Status: metav1.ConditionTrue,
+	}, nil
+}
+
 func (r *Reconciler) determineInUseCondition(ctx context.Context, rev *v1.IstioRevision) (v1.IstioRevisionCondition, error) {
 	c := v1.IstioRevisionCondition{Type: v1.IstioRevisionConditionInUse}
 
@@ -550,6 +597,21 @@ func (r *Reconciler) mapRevisionTagToReconcileRequest(ctx context.Context, revis
 	return nil
 }
 
+// mapIstioCniToReconcileRequests returns reconcile requests for all IstioRevisions that depend on IstioCNI
+func (r *Reconciler) mapIstioCniToReconcileRequests(ctx context.Context, _ client.Object) []reconcile.Request {
+	list := v1.IstioRevisionList{}
+	if err := r.Client.List(ctx, &list); err != nil {
+		return nil
+	}
+	var reqs []reconcile.Request
+	for _, rev := range list.Items {
+		if revision.DependsOnIstioCNI(&rev) {
+			reqs = append(reqs, reconcile.Request{NamespacedName: types.NamespacedName{Name: rev.Name}})
+		}
+	}
+	return reqs
+}
+
 // ignoreStatusChange returns a predicate that ignores watch events where only the resource status changes; if
 // there are any other changes to the resource, the event is not ignored.
 // This ensures that the controller doesn't reconcile the entire IstioRevision every time the status of an owned

controllers/istiorevision/istiorevision_controller_test.go

@@ -205,47 +205,70 @@ func TestValidate(t *testing.T) {
 
 func TestDeriveState(t *testing.T) {
 	testCases := []struct {
-		name                string
-		reconciledCondition v1.IstioRevisionCondition
-		readyCondition      v1.IstioRevisionCondition
-		expectedState       v1.IstioRevisionConditionReason
+		name          string
+		conditions    []v1.IstioRevisionCondition
+		expectedState v1.IstioRevisionConditionReason
 	}{
 		{
-			name:                "healthy",
-			reconciledCondition: newCondition(v1.IstioRevisionConditionReconciled, metav1.ConditionTrue, ""),
-			readyCondition:      newCondition(v1.IstioRevisionConditionReady, metav1.ConditionTrue, ""),
-			expectedState:       v1.IstioRevisionReasonHealthy,
+			name: "healthy",
+			conditions: []v1.IstioRevisionCondition{
+				newCondition(v1.IstioRevisionConditionReconciled, metav1.ConditionTrue, ""),
+				newCondition(v1.IstioRevisionConditionReady, metav1.ConditionTrue, ""),
+				newCondition(v1.IstioRevisionConditionDependenciesHealthy, metav1.ConditionTrue, ""),
+			},
+			expectedState: v1.IstioRevisionReasonHealthy,
 		},
 		{
-			name:                "not reconciled",
-			reconciledCondition: newCondition(v1.IstioRevisionConditionReconciled, metav1.ConditionFalse, v1.IstioRevisionReasonReconcileError),
-			readyCondition:      newCondition(v1.IstioRevisionConditionReady, metav1.ConditionTrue, ""),
-			expectedState:       v1.IstioRevisionReasonReconcileError,
+			name: "not reconciled",
+			conditions: []v1.IstioRevisionCondition{
+				newCondition(v1.IstioRevisionConditionReconciled, metav1.ConditionFalse, v1.IstioRevisionReasonReconcileError),
+				newCondition(v1.IstioRevisionConditionReady, metav1.ConditionTrue, ""),
+				newCondition(v1.IstioRevisionConditionDependenciesHealthy, metav1.ConditionTrue, ""),
+			},
+			expectedState: v1.IstioRevisionReasonReconcileError,
 		},
 		{
-			name:                "not ready",
-			reconciledCondition: newCondition(v1.IstioRevisionConditionReconciled, metav1.ConditionTrue, ""),
-			readyCondition:      newCondition(v1.IstioRevisionConditionReady, metav1.ConditionFalse, v1.IstioRevisionReasonIstiodNotReady),
-			expectedState:       v1.IstioRevisionReasonIstiodNotReady,
+			name: "not ready",
+			conditions: []v1.IstioRevisionCondition{
+				newCondition(v1.IstioRevisionConditionReconciled, metav1.ConditionTrue, ""),
+				newCondition(v1.IstioRevisionConditionReady, metav1.ConditionFalse, v1.IstioRevisionReasonIstiodNotReady),
+				newCondition(v1.IstioRevisionConditionDependenciesHealthy, metav1.ConditionTrue, ""),
+			},
+			expectedState: v1.IstioRevisionReasonIstiodNotReady,
 		},
 		{
-			name:                "readiness unknown",
-			reconciledCondition: newCondition(v1.IstioRevisionConditionReconciled, metav1.ConditionTrue, ""),
-			readyCondition:      newCondition(v1.IstioRevisionConditionReady, metav1.ConditionUnknown, v1.IstioRevisionReasonReadinessCheckFailed),
-			expectedState:       v1.IstioRevisionReasonReadinessCheckFailed,
+			name: "readiness unknown",
+			conditions: []v1.IstioRevisionCondition{
+				newCondition(v1.IstioRevisionConditionReconciled, metav1.ConditionTrue, ""),
+				newCondition(v1.IstioRevisionConditionReady, metav1.ConditionUnknown, v1.IstioRevisionReasonReadinessCheckFailed),
+				newCondition(v1.IstioRevisionConditionDependenciesHealthy, metav1.ConditionTrue, ""),
+			},
+			expectedState: v1.IstioRevisionReasonReadinessCheckFailed,
 		},
 		{
-			name:                "not reconciled nor ready",
-			reconciledCondition: newCondition(v1.IstioRevisionConditionReconciled, metav1.ConditionFalse, v1.IstioRevisionReasonReconcileError),
-			readyCondition:      newCondition(v1.IstioRevisionConditionReady, metav1.ConditionFalse, v1.IstioRevisionReasonIstiodNotReady),
-			expectedState:       v1.IstioRevisionReasonReconcileError, // reconcile reason takes precedence over ready reason
+			name: "not reconciled nor ready",
+			conditions: []v1.IstioRevisionCondition{
+				newCondition(v1.IstioRevisionConditionReconciled, metav1.ConditionFalse, v1.IstioRevisionReasonReconcileError),
+				newCondition(v1.IstioRevisionConditionReady, metav1.ConditionFalse, v1.IstioRevisionReasonIstiodNotReady),
+				newCondition(v1.IstioRevisionConditionDependenciesHealthy, metav1.ConditionTrue, ""),
+			},
+			expectedState: v1.IstioRevisionReasonReconcileError, // reconcile reason takes precedence over ready reason
+		},
+		{
+			name: "dependencies not ready",
+			conditions: []v1.IstioRevisionCondition{
+				newCondition(v1.IstioRevisionConditionReconciled, metav1.ConditionTrue, ""),
+				newCondition(v1.IstioRevisionConditionReady, metav1.ConditionTrue, ""),
+				newCondition(v1.IstioRevisionConditionDependenciesHealthy, metav1.ConditionFalse, v1.IstioRevisionReasonIstioCNINotHealthy),
+			},
+			expectedState: v1.IstioRevisionReasonIstioCNINotHealthy,
 		},
 	}
 
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
 			g := NewWithT(t)
-			result := deriveState(tc.reconciledCondition, tc.readyCondition)
+			result := deriveState(tc.conditions...)
 			g.Expect(result).To(Equal(tc.expectedState))
 		})
 	}