{"id":16826758,"url":"https://github.com/retocode/oss-ossm-3-integration","last_synced_at":"2026-01-04T00:15:59.203Z","repository":{"id":248522062,"uuid":"828804134","full_name":"ReToCode/oss-ossm-3-integration","owner":"ReToCode","description":null,"archived":false,"fork":false,"pushed_at":"2024-10-14T12:48:41.000Z","size":17,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-01-24T07:08:05.878Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ReToCode.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-07-15T06:56:12.000Z","updated_at":"2024-10-14T12:48:44.000Z","dependencies_parsed_at":"2024-11-24T04:02:43.203Z","dependency_job_id":null,"html_url":"https://github.com/ReToCode/oss-ossm-3-integration","commit_stats":null,"previous_names":["retocode/oss-ossm-3-integration"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ReToCode%2Foss-ossm-3-integration","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ReToCode%2Foss-ossm-3-integration/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ReToCode%2Foss-ossm-3-integration/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ReToCode%2Foss-ossm-3-integration/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ReToCode","download_url":"https:
//codeload.github.com/ReToCode/oss-ossm-3-integration/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":244101930,"owners_count":20398378,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-10-13T11:18:19.519Z","updated_at":"2026-01-04T00:15:59.156Z","avatar_url":"https://github.com/ReToCode.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"# OpenShift Serverless + OpenShift Service Mesh 3.0 integration\n\n## Resources\n\n* [Latest blogpost about OSSM 3.x](https://www.redhat.com/en/blog/red-hat-openshift-service-mesh-3-developer-preview-update)\n* [3.0 installation readme](https://github.com/maistra/istio-operator/blob/maistra-3.0/bundle/README.md)\n* [OSSM 3.x code base](https://github.com/openshift-service-mesh)\n* [Using gateway injection](https://docs.openshift.com/container-platform/4.14/service_mesh/v2x/ossm-traffic-manage.html#ossm-automatic-gateway-injection_traffic-management)\n* [sail-operator](https://github.com/openshift-service-mesh/sail-operator)\n* [tech preview announcement](https://www.redhat.com/en/blog/red-hat-openshift-service-mesh-3-now-technology-preview)\n* [OSSM 3.x docs](https://docs.openshift.com/service-mesh/3.0.0tp1/about/ossm-about-openshift-service-mesh.html)\n\n\n## Future things to look at\n\n* [x] Enable mTLS set-up\n* [x] Check if we can move the gateways, OCP routes and so on to our own namespace `knative-serving-ingress` instead of `istio-system`\n* [x] Make all Serverless-Operator tests pass (Serving only)\n* [ ] For the 
future: Relying on Gateway API resources with net-gateway-api instead of net-istio\n* [x] Update all usages of istio-inject annotation to the label, as per [docs](https://istio.io/latest/docs/reference/config/analysis/ist0135/) \n\n## Contents\n* [Installing OSSM 3.x](./INSTALLING.md)\n* [Analysis of injection](INJECTION.md)\n\n## Findings\n\n* Basically, it is upstream istio with a helm operator to install it. You can use all helm values to configure istio.\n* The injection is different to OSSM 2.x. We will need to have the `istio-injection: enabled` label [on namespaces](https://github.com/openshift-knative/serverless-operator/pull/2928/files#diff-6f53748a4c1bbc532051365399170074ece61e7cb5832f7198756f506d065bb7R2) where we want proxies. This has the \"downside\" that all pods are injected with the `istio-proxy`. Where this is not applicable, we need to [opt-out](https://github.com/openshift-knative/serverless-operator/pull/2928/files#diff-b9d9613f9d1dfc50ee86295849a277240a6a425454367e619c75c575c51e7cd1R228) of it using the `sidecar.istio.io/inject: 'false'` label (or annotation on the StatefulSets of Eventing). More [here](https://redhat-internal.slack.com/archives/C019EPZ233P/p1727684613070569?thread_ts=1727347316.725149\u0026cid=C019EPZ233P).\n* The changes to make tests pass are here: https://github.com/openshift-knative/serverless-operator/pull/2928.\n* We will probably need two CI jobs to test OSSM 2.x and OSSM 3.x as these are very different. 
To be decided by PM.\n* To enforce mTLS on the mesh, we need a [PeerAuthentication](https://github.com/openshift-knative/serverless-operator/pull/2928/files#diff-1b15bf3976fab69ecbc170e056aa14195a7daff3327bb61a56182bd00f0d3f4aR1).\n* We need a new [DestinationRule](https://github.com/openshift-knative/serverless-operator/pull/2928/files#diff-4afa9b5b369a5c0020ccc20f415d2b60c2e74ad49491b369c60488ec689068b7R13) to make mTLS (as there is no `mtls: true` anymore) work with DomainMappings.\n* OSSM 3.x has no default `istio-ingressgateway`, so we need to create our own [deployment and RBAC for it](https://github.com/openshift-knative/serverless-operator/pull/2928/files#diff-c6ba409ee99952aca11d97ec6dae9679ffa845d67ff7002b0ab0334e43d8ffe7R1). But with that, we can now host this in `knative-serving-ingress` namespace instead of `istio-system`. With that, this is aligned with Kourier.\n* We need to deploy an [istio-cni](https://github.com/openshift-knative/serverless-operator/pull/2928/files#diff-0c1927f3034a63aee6874a0b346eba0f8cbed57f170ff41d197a5802a703e3e5R1) instance, otherwise OSSM 3.x does not work.\n* The configuration is migrated from `SMCP` to [Istio CR](https://github.com/openshift-knative/serverless-operator/pull/2928/files#diff-4050713807eceecbb622535f0ec7ec7033fbccc189f9d4bcd23baf2092746105R1).\n* As per discussion with the Service Mesh and RHOAI team, [we omit the creation](https://github.com/openshift-knative/serverless-operator/pull/2928/files#diff-b9d9613f9d1dfc50ee86295849a277240a6a425454367e619c75c575c51e7cd1R208) of `NetworkPolicies` by default. If we add those, it becomes a \"catch-all\" policy, which denies everything else. As we don't know the setup of a customer, we should rather document what communication paths we need and let the customer create the Policies as needed. 
\n\nMore details in the linked PR.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fretocode%2Foss-ossm-3-integration","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fretocode%2Foss-ossm-3-integration","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fretocode%2Foss-ossm-3-integration/lists"}