content/en/blog/2025/sail-operator-ga/index.md
The Sail Operator is a community project launched by Red Hat to build a modern operator for Istio. First announced in August 2024, we are pleased to announce Sail Operator is now GA with a clear mission: to simplify and streamline Istio management in your cluster.
The Sail Operator is engineered to cut down the complexity of installing and running Istio. It automates manual tasks, ensuring a consistent, reliable, and uncomplicated experience from initial installation to ongoing maintenance and upgrades of Istio versions in your cluster. The Sail Operator APIs are built around Istio’s Helm chart APIs, which means that all the Istio configurations are available through the Sail Operator CRD’s values.
We encourage users to go through our documentation to learn more about this new way to manage your Istio environment.
The main resources that are part of the Sail Operator are:
Istio: manages an Istio control plane.IstioRevision: represents a revision of the control plane.IstioRevisionTag: represents a stable revision tag, which functions as an alias for an Istio control plane revision.IstioCNI: manages Istio's CNI node agent.ZTunnel: manage the ambient mode ztunnel DaemonSet (Alpha feature).{{< idea >}}
If you are migrating from the since-removed Istio in-cluster operator, you can check this section in our documentation where we explain the equivalence of resources, or you can also try our resource converter to easily convert your IstioOperator resource to an Istio resource.
{{< /idea >}}
Istio, IstioCNI, and ZTunnel, allowing you to configure, manage, and upgrade them individually. Additionally, there are CRDs for IstioRevision and IstioRevisionTag to manage Istio control plane revisions.InPlace and RevisionBased. Check our documentation for more information about the update types supported.As cloud native architectures continue to evolve, we feel a robust and user-friendly operator for Istio is more essential than ever. The Sail Operator offers developers and operations teams a consistent, secure, and efficient solution that feels familiar to those used to working with operators. Its GA release signals a mature solution, ready to support even the most demanding production environments.
Would you like to try out Sail Operator? This example will show you how to safely do an update of your Istio control plane by using the revision-based upgrade strategy. This means you will have two Istio control planes running at the same time, allowing you to migrate workloads easily, minimizing the risk of traffic disruptions.
Prerequisites:
{{< text bash >}} $ helm repo add sail-operator https://istio-ecosystem.github.io/sail-operator $ helm repo update $ kubectl create namespace sail-operator $ helm install sail-operator sail-operator/sail-operator --version 1.0.0 -n sail-operator {{< /text >}}
The operator is now installed in your cluster:
{{< text plain >}} NAME: sail-operator LAST DEPLOYED: Tue Mar 18 12:00:46 2025 NAMESPACE: sail-operator STATUS: deployed REVISION: 1 TEST SUITE: None {{< /text >}}
Check the operator pod is running:
{{< text bash >}} $ kubectl get pods -n sail-operator NAME READY STATUS RESTARTS AGE sail-operator-56bf994f49-j67ft 1/1 Running 0 87s {{< /text >}}
Istio and IstioRevisionTag resourcesCreate an Istio resource with the version v1.24.2 and an IstioRevisionTag:
apiVersion: sailoperator.io/v1 kind: IstioRevisionTag metadata: name: default spec: targetRef: kind: Istio name: default EOF {{< /text >}}
Note that the IstioRevisionTag has a target reference to the Istio resource with the name default
Check the state of the resources created:
istiod pods are running
{{< text bash >}} $ kubectl get pods -n istio-system NAME READY STATUS RESTARTS AGE istiod-default-v1-24-2-bd8458c4-jl8zm 1/1 Running 0 3m45s {{< /text >}}
Istio resource created
{{< text bash >}} $ kubectl get istio NAME REVISIONS READY IN USE ACTIVE REVISION STATUS VERSION AGE default 1 1 1 default-v1-24-2 Healthy v1.24.2 4m27s {{< /text >}}
IstioRevisionTag resource created
{{< text bash >}} $ kubectl get istiorevisiontag NAME STATUS IN USE REVISION AGE default NotReferencedByAnything False default-v1-24-2 4m43s {{< /text >}}
Note that the IstioRevisionTag status is NotReferencedByAnything. This is because there are currently no resources using the revision default-v1-24-2.
Create a namespace and label it to enable Istio injection:
{{< text bash >}} $ kubectl create namespace sample $ kubectl label namespace sample istio-injection=enabled {{< /text >}}
After labeling the namespace you will see that the IstioRevisionTag resource status will change to 'In Use: True', because there is now a resource using the revision default-v1-24-2:
{{< text bash >}} $ kubectl get istiorevisiontag NAME STATUS IN USE REVISION AGE default Healthy True default-v1-24-2 6m24s {{< /text >}}
Deploy the sample application:
{{< text bash >}} $ kubectl apply -f {{< github_file >}}/samples/sleep/sleep.yaml -n sample {{< /text >}}
Confirm the proxy version of the sample app matches the control plane version:
{{< text bash >}} $ istioctl proxy-status NAME CLUSTER CDS LDS EDS RDS ECDS ISTIOD VERSION sleep-5fcd8fd6c8-q4c9x.sample Kubernetes SYNCED (78s) SYNCED (78s) SYNCED (78s) SYNCED (78s) IGNORED istiod-default-v1-24-2-bd8458c4-jl8zm 1.24.2 {{< /text >}}
Update the Istio resource with the new version:
{{< text bash >}} $ kubectl patch istio default -n istio-system --type='merge' -p '{"spec":{"version":"v1.24.3"}}' {{< /text >}}
Check the Istio resource. You will see that there are two revisions and they are both 'ready':
{{< text bash >}} $ kubectl get istio NAME REVISIONS READY IN USE ACTIVE REVISION STATUS VERSION AGE default 2 2 2 default-v1-24-3 Healthy v1.24.3 10m {{< /text >}}
The IstioRevisiontag now references the new revision:
{{< text bash >}} $ kubectl get istiorevisiontag NAME STATUS IN USE REVISION AGE default Healthy True default-v1-24-3 11m {{< /text >}}
There are two IstioRevisions, one for each Istio version:
{{< text bash >}} $ kubectl get istiorevision NAME TYPE READY STATUS IN USE VERSION AGE default-v1-24-2 True Healthy True v1.24.2 11m default-v1-24-3 True Healthy True v1.24.3 92s {{< /text >}}
The Sail Operator automatically detects whether a given Istio control plane is being used and writes this information in the "In Use" status condition that you see above. Right now, all IstioRevisions and our IstioRevisionTag are considered "In Use":
default-v1-24-2 is considered in use because it is referenced by the sample application’s sidecar.default-v1-24-3 is considered in use because it is referenced by the tag.Confirm there are two control plane pods running, one for each revision:
{{< text bash >}} $ kubectl get pods -n istio-system NAME READY STATUS RESTARTS AGE istiod-default-v1-24-2-bd8458c4-jl8zm 1/1 Running 0 16m istiod-default-v1-24-3-68df97dfbb-v7ndm 1/1 Running 0 6m32s {{< /text >}}
Confirm the proxy sidecar version remains the same:
{{< text bash >}} $ istioctl proxy-status NAME CLUSTER CDS LDS EDS RDS ECDS ISTIOD VERSION sleep-5fcd8fd6c8-q4c9x.sample Kubernetes SYNCED (6m40s) SYNCED (6m40s) SYNCED (6m40s) SYNCED (6m40s) IGNORED istiod-default-v1-24-2-bd8458c4-jl8zm 1.24.2 {{< /text >}}
Restart the sample pod:
{{< text bash >}} $ kubectl rollout restart deployment -n sample {{< /text >}}
Confirm the proxy sidecar version is updated:
{{< text bash >}} $ istioctl proxy-status NAME CLUSTER CDS LDS EDS RDS ECDS ISTIOD VERSION sleep-6f87fcf556-k9nh9.sample Kubernetes SYNCED (29s) SYNCED (29s) SYNCED (29s) SYNCED (29s) IGNORED istiod-default-v1-24-3-68df97dfbb-v7ndm 1.24.3 {{< /text >}}
When an IstioRevision is no longer in use and is not the active revision of an Istio resource (for example, when it is not the version that is set in the spec.version field), the Sail Operator will delete it after a grace period, which defaults to 30 seconds. Confirm the deletion of the old control plane and IstioRevision:
The old control plane pod is deleted
{{< text bash >}} $ kubectl get pods -n istio-system NAME READY STATUS RESTARTS AGE istiod-default-v1-24-3-68df97dfbb-v7ndm 1/1 Running 0 10m {{< /text >}}
The old IstioRevision is deleted
{{< text bash >}} $ kubectl get istiorevision NAME TYPE READY STATUS IN USE VERSION AGE default-v1-24-3 True Healthy True v1.24.3 13m {{< /text >}}
The Istio resource now only has one revision
{{< text bash >}} $ kubectl get istio NAME REVISIONS READY IN USE ACTIVE REVISION STATUS VERSION AGE default 1 1 1 default-v1-24-3 Healthy v1.24.3 24m {{< /text >}}
Congratulations! You have successfully updated your Istio control plane using the revision-based upgrade strategy.
{{< idea >}} To check the latest Sail Operator version, visit our releases page. As this example may evolve over time, please refer to our documentation to ensure you’re reading the most up-to-date version. {{< /idea >}}
The Sail Operator automates manual tasks, ensuring a consistent, reliable, and uncomplicated experience from initial installation to ongoing maintenance and upgrades of Istio in your cluster. The Sail Operator is an istio-ecosystem project, and we encourage you to try it out and provide feedback to help us improve it, you can check our contribution guide for more information about how to contribute to the project.