
[release-4.19] NE-2286: Backport noOLM / Sail Library to release-4.19#1460

Draft
gcs278 wants to merge 16 commits into openshift:release-4.19 from gcs278:backport-noOLM-4.19

@gcs278 gcs278 commented Jun 3, 2026

Contributor

Summary

Backport of the noOLM / Sail Library installation path (NE-2286, shipped in 4.22) to release-4.19. Same pattern as 4.21 (PR #1442) and 4.20 (PR #1459). The primary driver is OCPBUGS-86778, which blocks all OSSM z-stream upgrades via OLM on 4.19-4.21, preventing CVE fixes from shipping.

This PR is intended to merge with the GatewayAPIWithoutOLM feature gate disabled, making it a no-op on merge. The goal is to subsequently enable the gate by default (via openshift/api) to activate the Sail Library path and resolve the OLM issues.

Cherry-picked PRs

Prerequisites (4.19→4.20 changes the noOLM code depends on)

| PR | Title | Why |
|---|---|---|
| #1217 | OCPBUGS-54745: Conditionally add CRDs to relatedObjects | Adds CRD resource constants, GatewayAPIControllerEnabled config field, ctx parameter to getOperatorState, relatedObjects namespace fixes |
| #1268 | NE-2066: Set degraded=true when OSSM 3 can't be installed | Adds subscriptionCache, ossmSubscriptions conflict detection, compareVersionNums, GatewayAPIOperatorVersion, GatewayClassIndexFieldName, computeGatewayAPIInstallDegradedCondition |

Main noOLM PRs

| PR | Title | Why |
|---|---|---|
| #1354 | NE-2471: Replace OLM-based Istio install with Sail Library | Core change — adds istio_sail_installer.go, istio_olm.go refactor, migration.go, status.go, CRD manifests, Sail Library RBAC manifests |
| #1402 | OCPBUGS-79467: Change default log level from DEBUG to INFO | Sail Library generates ~2,000 debug logs/hour; without this fix, enabling noOLM floods the logs |
| #1404 | NE-2519: Move Sail Library to official release branch | Moves from dev Sail Library branch to official OSSM 3.3.1 release |

Note: #1393 (OCPBUGS-79667: Use feature-gate annotation for Sail Library RBAC) was also a dependency but is being skipped because CVO on this release does not support the release.openshift.io/feature-gate annotation (openshift/cluster-version-operator#1273 was not backported). As a result, the Sail Library RBAC manifests use the release.openshift.io/feature-set annotation and a separate PR will be needed to remove this annotation before promoting the feature gate to GA.

Versioning

This backport does not bump the Gateway API CRDs (remain at v1.3.0) or the Istio version (remains at v1.26.2). When the GatewayAPIWithoutOLM feature gate is enabled, the Sail Library will install Istio using the same v1.26.2 version that the OLM path currently uses.

Dependency Pinning Approach

Same approach as the 4.20 backport (PR #1459). The sail-operator (OSSM 3.3.1) requires k8s 0.34 and controller-runtime 0.22, but its pkg/install package only uses basic CRUD operations unchanged in older versions.

| Module | Pinned Version |
|---|---|
| k8s.io/api | v0.32.2 |
| k8s.io/apimachinery | v0.32.2 |
| k8s.io/client-go | v0.32.1 |
| k8s.io/apiextensions-apiserver | v0.32.0 |
| k8s.io/apiserver | v0.32.0 |
| k8s.io/component-base | v0.32.0 |
| k8s.io/kube-openapi | v0.0.0-20250304... |
| sigs.k8s.io/controller-runtime | v0.20.3 |
| sigs.k8s.io/gateway-api | v1.2.1 |
| github.com/google/gnostic-models | v0.6.9 |

Risk assessment: The sail-operator install package uses only stable controller-runtime interfaces (client.Client CRUD, pkg/log, pkg/scheme). No APIs from newer versions are used. The structured-merge-diff/v4 vs v6 incompatibility is avoided entirely.

Conflicts resolved

  • go.mod: Kept 4.19 openshift/api fork replace, added sail-operator replace for aslakknutsen's dev branch (later switched to OSSM official in NE-2519 commit)
  • pkg/operator/operator.go: Added GatewayAPIWithoutOLM gate alongside existing 4.19 gates including PrivateHostedZoneAWS (sharedVPCEnabled), which was removed in 4.20
  • test/e2e/util_gatewayapi_test.go: Took incoming gateway condition checking and service status logging
  • go.mod / vendor/: Re-vendored with 4.19 dependency pins

Merge Order

  1. Merge openshift/api PR — FG as disabled, allows CI to start
  2. TODO: Backport noOLM E2E tests to origin release-4.19
  3. Merge this PR — Sail Library code lands, gate still OFF
  4. Merge [release-4.19] NE-2480: Promote GatewayAPIWithoutOLM feature gate to TechPreview api#2875 — FG promotion to TechPreview, allows CI soak
  5. Verify CI is green
  6. TODO: Merge CIO PR to remove release.openshift.io/feature-set annotation from Sail Library RBAC manifests
  7. Merge [release-4.19] WIP: NE-2480: Promote GatewayAPIWithoutOLM feature gate to Default api#2870 — FG promotion to Default GA, activates noOLM
  8. Verify CI is green

Verification

  • make builds successfully
  • No unresolved merge conflict markers in any commit
  • Full CI (blocked on openshift/api dependency)

🤖 Generated with Claude Code

Vendor the GatewayAPIWithoutOLM in the openshift/api repo to support
backporting the No OLM logic into the release-4.19 branch.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Jun 3, 2026

openshift-ci-robot commented Jun 3, 2026

Contributor

@gcs278: This pull request references NE-2286 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the epic to target either version "4.19." or "openshift-4.19.", but it targets "openshift-4.22" instead.

Details

In response to this:

Summary

Backport of the noOLM / Sail Library installation path (NE-2286, shipped in 4.22) to release-4.19. Same pattern as 4.21 (PR #1442) and 4.20 (PR #1459). The primary driver is OCPBUGS-86778, which blocks all OSSM z-stream upgrades via OLM on 4.19-4.21, preventing CVE fixes from shipping.

This PR is intended to merge with the GatewayAPIWithoutOLM feature gate disabled, making it a no-op on merge. The goal is to subsequently enable the gate by default (via openshift/api) to activate the Sail Library path and resolve the OLM issues.

Cherry-picked PRs

| PR | Title | Why |
|---|---|---|
| #1354 | NE-2471: Replace OLM-based Istio install with Sail Library | Core change — adds istio_sail_installer.go, istio_olm.go refactor, migration.go, status.go, CRD manifests, Sail Library RBAC manifests |
| #1393 | OCPBUGS-79667: Use feature-gate annotation for Sail Library RBAC | Conditionally deploys Sail Library RBAC based on GatewayAPIWithoutOLM feature gate |
| #1402 | OCPBUGS-79467: Change default log level from DEBUG to INFO | Sail Library generates ~2,000 debug logs/hour; without this fix, enabling noOLM floods the logs |
| #1404 | NE-2519: Move Sail Library to official release branch | Moves from dev Sail Library branch to official OSSM 3.3.1 release |

Versioning

This backport does not bump the Gateway API CRDs (remain at v1.3.0) or the Istio version (remains at v1.26.2). When the GatewayAPIWithoutOLM feature gate is enabled, the Sail Library will install Istio using the same v1.26.2 version that the OLM path currently uses.

Dependency Pinning Approach

Same approach as the 4.20 backport (PR #1459). The sail-operator (OSSM 3.3.1) requires k8s 0.34 and controller-runtime 0.22, but its pkg/install package only uses basic CRUD operations unchanged in older versions.

| Module | Pinned Version |
|---|---|
| k8s.io/api | v0.32.2 |
| k8s.io/apimachinery | v0.32.2 |
| k8s.io/client-go | v0.32.1 |
| k8s.io/apiextensions-apiserver | v0.32.0 |
| k8s.io/apiserver | v0.32.0 |
| k8s.io/component-base | v0.32.0 |
| k8s.io/kube-openapi | v0.0.0-20250304... |
| sigs.k8s.io/controller-runtime | v0.20.3 |
| sigs.k8s.io/gateway-api | v1.2.1 |
| github.com/google/gnostic-models | v0.6.9 |

Risk assessment: The sail-operator install package uses only stable controller-runtime interfaces (client.Client CRUD, pkg/log, pkg/scheme). No APIs from newer versions are used. The structured-merge-diff/v4 vs v6 incompatibility is avoided entirely.

Additional changes for 4.19

4.19 required additional changes beyond what 4.20 needed, because several status controller features that existed on 4.20 were not yet present on 4.19:

  • Added subscriptionCache (all-namespace OLM subscription watch)
  • Added CRD resource name constants and relatedObjectsCRDs set
  • Added GatewayAPIOperatorVersion config field
  • Added compareVersionNums function
  • Added GatewayClassIndexFieldName constant
  • Added ctx parameter to getOperatorState

These were part of the 4.19→4.20 base diff that the noOLM code depends on.

Conflicts resolved

  • pkg/operator/operator.go: Added GatewayAPIWithoutOLM gate alongside existing 4.19 gates including PrivateHostedZoneAWS (sharedVPCEnabled), which was removed in 4.20
  • pkg/operator/controller/status/controller.go: Added noOLM logic within existing GatewayAPIEnabled guard (4.19 doesn't have the GatewayAPIControllerEnabled guard added in 4.20). Added missing definitions from 4.19→4.20 diff.
  • test/e2e/util_gatewayapi_test.go: Resolved gateway condition checking conflict
  • go.mod / vendor/: Re-vendored with 4.19 dependency pins

Merge Order

  1. Merge openshift/api PR — FG as disabled, allows CI to start
  2. TODO: Backport noOLM E2E tests to origin release-4.19
  3. Merge this PR — Sail Library code lands, gate still OFF
  4. Merge [release-4.19] WIP: NE-2480: Promote GatewayAPIWithoutOLM feature gate to Default api#2870 — FG promotion to Default GA, activates noOLM
  5. Verify CI is green

Verification

  • make builds successfully
  • No unresolved merge conflict markers in any commit
  • Full CI (blocked on openshift/api dependency)

🤖 Generated with Claude Code


@openshift-ci openshift-ci Bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jun 3, 2026

openshift-ci Bot commented Jun 3, 2026

Contributor

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all


coderabbitai Bot commented Jun 3, 2026


Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: d2b75a8b-eec8-4d7a-9ce5-ade56d23e9de

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


openshift-ci Bot commented Jun 3, 2026

Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign gcs278 for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

Miciah and others added 8 commits June 2, 2026 21:43
Omit the namespace for the istios resource in relatedObjects as the istios
resource is cluster-scoped.

* pkg/operator/controller/status/controller.go (Reconcile): Remove the namespace
for istios.

Omit the namespace for the gateways resource in relatedObjects as Istio manages
gateways in all namespaces.

* pkg/operator/controller/status/controller.go (Reconcile): Remove the namespace
for gateways.

* pkg/operator/controller/status/controller.go (Reconcile): Pass ctx to
getOperatorState.
* pkg/operator/controller/status/controller.go (getOperatorState): Add a
parameter for ctx, and use it instead of context.TODO().

Check whether the gatewayclasses, gateways, and istios CRDs actually
exist before adding them to relatedObjects.

Watch customresourcedefinitions in the status controller so that it
updates relatedObjects as these CRDs are created.

Check the "GatewayAPIController" featuregate to determine whether to add
the gatewayclasses, gateways, istios, and subscriptions resources to
relatedObjects, in addition to checking the "GatewayAPI" featuregate.

Before this change, the operator could add istios to relatedObjects even
if the OSSM subscription failed to install.  By convention, an operator
should only add resources to relatedObjects if those resources exist.

This commit fixes OCPBUGS-54745.

https://issues.redhat.com/browse/OCPBUGS-54745

* pkg/operator/controller/status/controller.go
(gatewaysResourceName, gatewayclassesResourceName, istiosResourceName):
New consts for the CRD names.
(relatedObjectsCRDs): New var for a string set that contains
gatewaysResourceName, gatewayclassesResourceName, and
istiosResourceName.
(New): Check the GatewayAPIControllerEnabled field in the controller
config in addition to checking GatewayAPIEnabled to determine whether to
watch subscriptions and customresourcedefinitions.  Add a watch on
customresourcedefinitions, with a predicate for CRDs with names that are
in relatedObjectsCRDs.
(Config): Add GatewayAPIControllerEnabled.
(Reconcile): Check the GatewayAPIControllerEnabled field in the
controller config as well as the haveIstiosResource,
haveGatewayclassesResource, and haveGatewaysResource fields in the
operatorState object, and conditionally add the corresponding resources
to relatedObjects.
(operatorState): Add haveIstiosResource, haveGatewaysResource, and
haveGatewayclassesResource fields.
(getOperatorState): Check GatewayAPIControllerEnabled in addition to
GatewayAPIEnabled before checking for the OSSM subscription.  Set
haveGatewaysResource, haveGatewayclassesResource, and
haveIstiosResource.
* pkg/operator/operator.go (New): Specify GatewayAPIControllerEnabled in
the status controller config.
* test/e2e/operator_test.go (TestClusterOperatorStatusRelatedObjects):
Expect to see "gateways" and "gatewayclasses" in relatedObjects if the
"GatewayAPI" and "GatewayAPIController" featuregates are enabled.

Detect subscriptions that would prevent the Ingress Operator from
installing OSSM 3, and set the operator's degraded condition to true
when any of those subscriptions are present.

This is the implementation of NE-2066

Cherry-picked from: 8a40966
openshift#1354

Conflicts resolved:
- pkg/operator/operator.go: Added GatewayAPIWithoutOLM gate alongside
  existing 4.21 gates (GatewayAPI, GatewayAPIController, RouteExternalCertificate)
- Note: Go tidy will fail in this commit since Aslak's development branch pulls in
  K8S dependencies that are too new - a future commit in this backport
  will vendor the official release resolve go.mod

gcs278 force-pushed the backport-noOLM-4.19 branch from e7428df to 6b41825 June 3, 2026 01:47
gcs278 changed the title from "NE-2286: Backport noOLM / Sail Library to release-4.19" to "[release-4.19] NE-2286: Backport noOLM / Sail Library to release-4.19" Jun 3, 2026
gcs278 and others added 7 commits June 3, 2026 16:57
Cherry-picked from: ed2eb36
openshift#1354

Conflicts resolved:
- pkg/operator/controller/status/controller.go: Took incoming noOLM logic
  (useOLM/useSailLibrary, conditional subscription listing) but wrapped in
  existing 4.19 GatewayAPIEnabled guard. Restored GatewayAPIControllerEnabled
  guard that was present in the original condition but dropped during
  cherry-pick.

Cherry-picked from: 9c4d792
openshift#1354

Conflicts resolved:
- test/e2e/gateway_api_test.go: Kept 4.21 gatewayAPIControllerEnabled guard,
  added gatewayAPIWithoutOLMEnabled conditionals inside it. Kept xcrdNames
  alongside new istioCRDNames.
- Removed references to testGatewayAPIInfrastructureAnnotations,
  testGatewayAPIInternalLoadBalancer, and testGatewayOpenshiftConditions
  which were added in separate PRs not present on release-4.21.

Cherry-picked from: 43c978a
openshift#1404

Conflicts resolved:
- go.mod: Switched sail-operator replace from aslakknutsen's development
  fork to the official openshift-service-mesh/sail-operator v0.0.0-20260327145107
  (OSSM 3.3.1). Added replace directives to pin k8s.io/api, apimachinery,
  apiextensions-apiserver, apiserver, client-go, component-base,
  kube-openapi, controller-runtime, gateway-api, and gnostic-models to
  their original 4.19 versions, preventing the sail-operator's transitive
  dependencies from bumping them.
- vendor/: Re-vendored from scratch with pinned dependencies.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
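
The replace-directive pinning described in the commit message above can be checked mechanically. The following is an added example, not code from this PR or the repository: it reads `replace` directives from a go.mod and reports every expected pin that is missing or has drifted. `expectedPins` is a subset of the versions listed in the PR description; `sampleGoMod`, the `example.test/operator` module path, the drifted `v0.34.0` value, and the function names are constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// expectedPins is a subset of the pins listed in the PR description.
var expectedPins = map[string]string{
	"k8s.io/client-go":               "v0.32.1",
	"sigs.k8s.io/controller-runtime": "v0.20.3",
	"sigs.k8s.io/gateway-api":        "v1.2.1",
}

// sampleGoMod is constructed for this example; it is not the PR's go.mod.
const sampleGoMod = `module example.test/operator
replace sigs.k8s.io/controller-runtime => sigs.k8s.io/controller-runtime v0.20.3
replace (
	k8s.io/client-go => k8s.io/client-go v0.34.0 // constructed drift
)
`

// parseReplaces maps each replaced module to its replacement version (single-line and block forms).
func parseReplaces(gomod string) map[string]string {
	out, inBlock := map[string]string{}, false
	for _, raw := range strings.Split(gomod, "\n") {
		line := strings.TrimSpace(strings.Split(raw, "//")[0]) // drop trailing comment
		switch {
		case line == "replace (":
			inBlock = true
		case inBlock && line == ")":
			inBlock = false
		case inBlock || strings.HasPrefix(line, "replace "):
			lhs, rhs, _ := strings.Cut(strings.TrimPrefix(line, "replace "), "=>")
			l, r := strings.Fields(lhs), strings.Fields(rhs)
			if len(l) > 0 && len(r) == 2 { // local-path replacements carry no version
				out[l[0]] = r[1]
			}
		}
	}
	return out
}

// driftedPins returns module -> version found ("" if unpinned) for each expected pin not met.
func driftedPins(gomod string, want map[string]string) map[string]string {
	got, drift := parseReplaces(gomod), map[string]string{}
	for mod, v := range want {
		if got[mod] != v {
			drift[mod] = got[mod]
		}
	}
	return drift
}

func main() { fmt.Println(driftedPins(sampleGoMod, expectedPins)) }
```

A non-empty result means a transitive requirement or a later re-vendor has moved a module off its pinned version, or the pin was never added.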

gcs278 commented Jun 3, 2026

Contributor Author

/test unit
/test images
/test verify
/test verify-deps


gcs278 commented Jun 3, 2026

Contributor Author

/test e2e-aws-operator


openshift-ci Bot commented Jun 3, 2026

Contributor

@gcs278: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
|---|---|---|---|---|
| ci/prow/images | 82ca5a5 | link | true | /test images |
| ci/prow/e2e-aws-operator | 82ca5a5 | link | true | /test e2e-aws-operator |
| ci/prow/unit | 82ca5a5 | link | true | /test unit |
| ci/prow/verify | 82ca5a5 | link | true | /test verify |
| ci/prow/verify-deps | 82ca5a5 | link | true | /test verify-deps |
