Gateway API: allow for OpenShift 4.19 CRD lockdown #4063
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
OpenShift 4.19+ pre-installs some of the Gateway CRDs, but not all of them, and has a webhook that prevents us from installing the ones that OpenShift is missing. To work with this we distinguish between "essential" and "optional" CRDs. The "essential" set must be a subset of those that OpenShift installs and/or allows to be installed, and must also suffice for all of the Gateway-related feature that we consider important as part of Calico; and this controller will report an error and degraded status if any of those do not already exist and cannot be installed. The "optional" set is everything else that we would ideally install, to provide more options to our users; but this controller will only warn if any of those cannot be installed (and do not already exist). Fixes https://tigera.atlassian.net/browse/RS-2689 Fixes https://tigera.atlassian.net/browse/RS-2690
tmjd
reviewed
Jul 25, 2025
| return reconcile.Result{}, err | ||
| } | ||
| err = handler.CreateOrUpdateOrDelete(ctx, render.NewPassthrough(optionalCRDs...), nil) | ||
| if err != nil && !errors.IsAlreadyExists(err) { |
There was a problem hiding this comment.
Does CreateOrUpdateOrDelete ever return an error AlreadyExists? That doesn't seem like an error it would ever return.
There was a problem hiding this comment.
It can do with a "create-only" handler; please see https://github.com/tigera/operator/blob/master/pkg/controller/utils/component.go#L61-L69
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
OpenShift 4.19+ pre-installs some of the Gateway CRDs, but not all of them, and has a webhook that prevents us from installing the ones that OpenShift is missing. To work with this we distinguish between "essential" and "optional" CRDs. The "essential" set must be a subset of those that OpenShift installs and/or allows to be installed, and must also suffice for all of the Gateway-related feature that we consider important as part of Calico; and this controller will report an error and degraded status if any of those do not already exist and cannot be installed. The "optional" set is everything else that we would ideally install, to provide more options to our users; but this controller will only warn if any of those cannot be installed (and do not already exist).
Fixes https://tigera.atlassian.net/browse/RS-2689
Fixes https://tigera.atlassian.net/browse/RS-2690
Release Note