diff --git a/apps.yaml b/apps.yaml
index 380d460249..100babfd68 100644
--- a/apps.yaml
+++ b/apps.yaml
@@ -87,7 +87,7 @@ appsInfo:
 integration: Harbor can be enabled to provide each team with a private registry. Harbor has been made user and tenant aware. App Platform runs automated tasks that take care of creating a project in Harbor for each team, creating a bot-account for each team, and creating a Kubernetes pull secret in the team namespace to enable pulling of images out of the local registry.
 istio:
 title: Istio
- appVersion: 1.29.2
+ appVersion: 1.30.0
 repo: https://github.com/istio/istio
 maintainers: Istio
 relatedLinks:
diff --git a/chart/chart-index/Chart.yaml b/chart/chart-index/Chart.yaml
index 299577e1e0..d5571193ff 100644
--- a/chart/chart-index/Chart.yaml
+++ b/chart/chart-index/Chart.yaml
@@ -42,14 +42,14 @@ dependencies:
 repository: https://helm.goharbor.io
 - name: base
 alias: istio-base
- version: 1.29.2
+ version: 1.30.0
 repository: https://istio-release.storage.googleapis.com/charts
 - name: gateway
 alias: istio-gateway
- version: 1.29.2
+ version: 1.30.0
 repository: https://istio-release.storage.googleapis.com/charts
 - name: istiod
- version: 1.29.2
+ version: 1.30.0
 repository: https://istio-release.storage.googleapis.com/charts
 - name: keycloakx
 alias: keycloak
diff --git a/charts/istio-base/Chart.yaml b/charts/istio-base/Chart.yaml
index 488c71f9a7..cbff257ca7 100644
--- a/charts/istio-base/Chart.yaml
+++ b/charts/istio-base/Chart.yaml
@@ -1,5 +1,5 @@
 apiVersion: v2
-appVersion: 1.29.2
+appVersion: 1.30.0
 description: Helm chart for deploying Istio cluster resources and CRDs
 icon: https://istio.io/latest/favicons/android-192x192.png
 keywords:
@@ -7,4 +7,4 @@ keywords:
 name: base
 sources:
 - https://github.com/istio/istio
-version: 1.29.2
+version: 1.30.0
diff --git a/charts/istio-base/files/crd-all.gen.yaml b/charts/istio-base/files/crd-all.gen.yaml
index 2055db0036..7318e07ffd 100644
--- a/charts/istio-base/files/crd-all.gen.yaml
+++ b/charts/istio-base/files/crd-all.gen.yaml 
@@ -1,6 +1,367 @@ # DO NOT EDIT - Generated by Cue OpenAPI generator based on Istio APIs. apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: trafficextensions.extensions.istio.io +spec: + group: extensions.istio.io + names: + categories: + - istio-io + - extensions-istio-io + kind: TrafficExtension + listKind: TrafficExtensionList + plural: trafficextensions + singular: trafficextension + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Extend the functionality provided by the Istio proxy through + WebAssembly or Lua filters. See more details at: https://istio.io/docs/reference/config/proxy_extensions/traffic_extension.html' + oneOf: + - not: + anyOf: + - required: + - wasm + - required: + - lua + - required: + - wasm + - required: + - lua + properties: + lua: + description: Lua filter configuration. + properties: + inlineCode: + description: The inline Lua code to be executed. + maxLength: 65536 + minLength: 1 + type: string + required: + - inlineCode + type: object + match: + description: Specifies the criteria to determine which traffic is + passed to TrafficExtension. + items: + properties: + mode: + description: |- + Criteria for selecting traffic by their direction. 
+ + Valid Options: CLIENT, SERVER, CLIENT_AND_SERVER + enum: + - UNDEFINED + - CLIENT + - SERVER + - CLIENT_AND_SERVER + type: string + ports: + description: Criteria for selecting traffic by their destination + port. + items: + properties: + number: + maximum: 65535 + minimum: 1 + type: integer + required: + - number + type: object + type: array + x-kubernetes-list-map-keys: + - number + x-kubernetes-list-type: map + type: object + type: array + phase: + description: |- + Determines where in the filter chain this `TrafficExtension` is to be injected. + + Valid Options: AUTHN, AUTHZ, STATS + enum: + - UNSPECIFIED + - AUTHN + - AUTHZ + - STATS + type: string + priority: + description: Determines ordering of `TrafficExtensions` in the same + `phase`. + format: int32 + nullable: true + type: integer + selector: + description: Optional. + properties: + matchLabels: + additionalProperties: + maxLength: 63 + type: string + x-kubernetes-validations: + - message: wildcard not allowed in label value match + rule: '!self.contains("*")' + description: One or more labels that indicate a specific set of + pods/VMs on which a policy should be applied. + maxProperties: 4096 + type: object + x-kubernetes-validations: + - message: wildcard not allowed in label key match + rule: self.all(key, !key.contains("*")) + - message: key must not be empty + rule: self.all(key, key.size() != 0) + type: object + targetRefs: + description: Optional. + items: + properties: + group: + description: group is the group of the target resource. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: kind is kind of the target resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: name is the name of the target resource. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: namespace is the namespace of the referent. 
+ type: string + x-kubernetes-validations: + - message: cross namespace referencing is not currently supported + rule: self.size() == 0 + required: + - kind + - name + type: object + maxItems: 16 + type: array + wasm: + description: WebAssembly filter configuration. + properties: + failStrategy: + description: |- + Specifies the failure behavior for the plugin due to fatal errors. + + Valid Options: FAIL_CLOSE, FAIL_OPEN, FAIL_RELOAD + enum: + - FAIL_CLOSE + - FAIL_OPEN + - FAIL_RELOAD + type: string + imagePullPolicy: + description: |- + The pull behaviour to be applied when fetching Wasm module by either OCI image or `http/https`. + + Valid Options: IfNotPresent, Always + enum: + - UNSPECIFIED_POLICY + - IfNotPresent + - Always + type: string + imagePullSecret: + description: Credentials to use for OCI image pulling. + maxLength: 253 + minLength: 1 + type: string + pluginConfig: + description: The configuration that will be passed on to the plugin. + type: object + x-kubernetes-preserve-unknown-fields: true + pluginName: + description: The plugin name to be used in the Envoy configuration + (used to be called `rootID`). + maxLength: 256 + minLength: 1 + type: string + sha256: + description: SHA256 checksum that will be used to verify Wasm + module or OCI container. + pattern: (^$|^[a-f0-9]{64}$) + type: string + type: + description: |- + Specifies the type of Wasm Extension to be used. + + Valid Options: HTTP, NETWORK + enum: + - UNSPECIFIED_PLUGIN_TYPE + - HTTP + - NETWORK + type: string + url: + description: URL of a Wasm module or OCI container. + minLength: 1 + type: string + x-kubernetes-validations: + - message: url must have schema one of [http, https, file, oci] + rule: |- + isURL(self) ? (url(self).getScheme() in ["", "http", "https", "file", "oci"]) : (isURL("http://" + self) && + url("http://" + self).getScheme() in ["", "http", "https", "file", "oci"]) + verificationKey: + type: string + vmConfig: + description: Configuration for a Wasm VM. 
+ properties: + env: + description: Specifies environment variables to be injected + to this VM. + items: + properties: + name: + description: Name of the environment variable. + maxLength: 256 + minLength: 1 + type: string + value: + description: Value for the environment variable. + maxLength: 2048 + type: string + valueFrom: + description: |- + Source for the environment variable's value. + + Valid Options: INLINE, HOST + enum: + - INLINE + - HOST + type: string + required: + - name + type: object + x-kubernetes-validations: + - message: value may only be set when valueFrom is INLINE + rule: '(has(self.valueFrom) ? self.valueFrom : "") != + "HOST" || !has(self.value)' + maxItems: 256 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + required: + - url + type: object + type: object + x-kubernetes-validations: + - message: only one of targetRefs or selector can be set + rule: '(has(self.selector) ? 1 : 0) + (has(self.targetRefs) ? 1 : 0) + <= 1' + - message: exactly one of wasm or lua must be set + rule: has(self.wasm) != has(self.lua) + status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Condition refers. + x-kubernetes-int-or-string: true + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. 
+ type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition metadata: annotations: "helm.sh/resource-policy": keep @@ -6650,7 +7011,7 @@ spec: type: integer x-kubernetes-validations: - message: port must be between 1-65535 - rule: 0 < self && self <= 6553 + rule: 0 < self && self <= 65535 route: description: Match a specific route. properties: @@ -15287,6 +15648,11 @@ spec: type: string maxItems: 16 type: array + notTrustDomains: + description: Optional. + items: + type: string + type: array principals: description: Optional. items: @@ -15309,6 +15675,11 @@ spec: type: string maxItems: 16 type: array + trustDomains: + description: Optional. + items: + type: string + type: array type: object x-kubernetes-validations: - message: Cannot set serviceAccounts with namespaces @@ -15657,6 +16028,11 @@ spec: type: string maxItems: 16 type: array + notTrustDomains: + description: Optional. + items: + type: string + type: array principals: description: Optional. items: 
@@ -15679,6 +16055,11 @@ spec: type: string maxItems: 16 type: array + trustDomains: + description: Optional. + items: + type: string + type: array type: object x-kubernetes-validations: - message: Cannot set serviceAccounts with namespaces @@ -17244,6 +17625,12 @@ spec: type: object description: Optional. type: object + disableContextPropagation: + description: Controls whether trace context headers (e.g., `traceparent`/`tracestate` + for W3C, `X-B3-*` for Zipkin) are propagated in forwarded + requests. + nullable: true + type: boolean disableSpanReporting: description: Controls span reporting. nullable: true @@ -17708,6 +18095,12 @@ spec: type: object description: Optional. type: object + disableContextPropagation: + description: Controls whether trace context headers (e.g., `traceparent`/`tracestate` + for W3C, `X-B3-*` for Zipkin) are propagated in forwarded + requests. + nullable: true + type: boolean disableSpanReporting: description: Controls span reporting. nullable: true diff --git a/charts/istio-base/files/profile-compatibility-version-1.25.yaml b/charts/istio-base/files/profile-compatibility-version-1.25.yaml index 842aaf17de..d95bc500f4 100644 --- a/charts/istio-base/files/profile-compatibility-version-1.25.yaml +++ b/charts/istio-base/files/profile-compatibility-version-1.25.yaml @@ -11,6 +11,8 @@ pilot: PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false" # 1.29 behavioral changes DISABLE_TRACK_REMAINING_CB_METRICS: "false" + # 1.30 behavioral changes + PILOT_SIDECAR_PICK_BEST_SERVICE_NAMESPACE: "false" cni: ambient: diff --git a/charts/istio-base/files/profile-compatibility-version-1.26.yaml b/charts/istio-base/files/profile-compatibility-version-1.26.yaml index f30e143133..0bcda2336e 100644 --- a/charts/istio-base/files/profile-compatibility-version-1.26.yaml +++ b/charts/istio-base/files/profile-compatibility-version-1.26.yaml 
@@ -11,6 +11,8 @@ pilot: PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false" # 1.29 behavioral changes DISABLE_TRACK_REMAINING_CB_METRICS: "false" + # 1.30 behavioral changes + PILOT_SIDECAR_PICK_BEST_SERVICE_NAMESPACE: "false" cni: ambient: diff --git a/charts/istio-base/files/profile-compatibility-version-1.27.yaml b/charts/istio-base/files/profile-compatibility-version-1.27.yaml index b842b0914c..fd8c9c18a2 100644 --- a/charts/istio-base/files/profile-compatibility-version-1.27.yaml +++ b/charts/istio-base/files/profile-compatibility-version-1.27.yaml @@ -9,6 +9,8 @@ pilot: PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false" # 1.29 behavioral changes DISABLE_TRACK_REMAINING_CB_METRICS: "false" + # 1.30 behavioral changes + PILOT_SIDECAR_PICK_BEST_SERVICE_NAMESPACE: "false" cni: ambient: diff --git a/charts/istio-base/files/profile-compatibility-version-1.28.yaml b/charts/istio-base/files/profile-compatibility-version-1.28.yaml index 3d378691a2..046f09a357 100644 --- a/charts/istio-base/files/profile-compatibility-version-1.28.yaml +++ b/charts/istio-base/files/profile-compatibility-version-1.28.yaml @@ -6,6 +6,8 @@ pilot: env: # 1.29 behavioral changes DISABLE_TRACK_REMAINING_CB_METRICS: "false" + # 1.30 behavioral changes + PILOT_SIDECAR_PICK_BEST_SERVICE_NAMESPACE: "false" cni: ambient: diff --git a/charts/istio-base/files/profile-compatibility-version-1.29.yaml b/charts/istio-base/files/profile-compatibility-version-1.29.yaml new file mode 100644 index 0000000000..b44c38a18c --- /dev/null +++ b/charts/istio-base/files/profile-compatibility-version-1.29.yaml @@ -0,0 +1,8 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.30 behavioral changes + PILOT_SIDECAR_PICK_BEST_SERVICE_NAMESPACE: "false" 
diff --git a/charts/istio-base/templates/reader-serviceaccount.yaml b/charts/istio-base/templates/reader-serviceaccount.yaml
index bb7a74ff48..bef05482ea 100644
--- a/charts/istio-base/templates/reader-serviceaccount.yaml
+++ b/charts/istio-base/templates/reader-serviceaccount.yaml
@@ -1,8 +1,8 @@
-{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }}
+{{- if and (or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace")) (dig "global" "enableReaderRBAC" true .Values) }}
 # This singleton service account aggregates reader permissions for the revisions in a given cluster
 # ATM this is a singleton per cluster with Istio installed, and is not revisioned. It maybe should be,
 # as otherwise compromising the token for this SA would give you access to *every* installed revision.
-# Should be used for remote secret creation.
+# Should be used for multicluster remote secret creation.
 apiVersion: v1
 kind: ServiceAccount
 {{- if .Values.global.imagePullSecrets }}
diff --git a/charts/istio-base/values.yaml b/charts/istio-base/values.yaml
index 8353c57d6d..24b286d7f0 100644
--- a/charts/istio-base/values.yaml
+++ b/charts/istio-base/values.yaml
@@ -18,6 +18,10 @@ _internal_defaults_do_not_set:
 # - cluster: only cluster-scoped resources are processed
 # - namespace: only namespace-scoped resources are processed
 resourceScope: all
+
+ # If true, install the istio-reader ServiceAccount and associated ClusterRole/ClusterRoleBinding.
+ # These are only needed for multicluster remote-secret workflows.
+ enableReaderRBAC: true
 base:
 # A list of CRDs to exclude. Requires `enableCRDTemplates` to be true.
 # Example: `excludedCRDs: ["envoyfilters.networking.istio.io"]`.
diff --git a/charts/istio-gateway/Chart.yaml b/charts/istio-gateway/Chart.yaml
index 1a39e0c16a..3f2486680e 100644
--- a/charts/istio-gateway/Chart.yaml
+++ b/charts/istio-gateway/Chart.yaml
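Review bot: The new `dig "global" "enableReaderRBAC" true .Values` gate keeps installing the reader ServiceAccount by default, so the token that the comment directly below warns about (access to *every* installed revision if compromised) is still minted on single-cluster installs unless an operator explicitly sets `global.enableReaderRBAC: false`. Since the values.yaml comment added in this same commit says these resources are only needed for multicluster remote-secret workflows, consider either defaulting the flag to `false` or extending that comment with `# Disable on single-cluster installs; the token grants read access across all revisions.`. The ClusterRole and ClusterRoleBinding this flag is documented to control are outside this diff, so I cannot confirm they use the same `dig` condition; if they do not, a `false` value leaves a binding that references a ServiceAccount that no longer exists. The `{{- if ... }}` opened on the first line closes outside the hunk.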
@@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 1.29.2 +appVersion: 1.30.0 description: Helm chart for deploying Istio gateways icon: https://istio.io/latest/favicons/android-192x192.png keywords: @@ -9,4 +9,4 @@ name: gateway sources: - https://github.com/istio/istio type: application -version: 1.29.2 +version: 1.30.0 diff --git a/charts/istio-gateway/files/profile-compatibility-version-1.25.yaml b/charts/istio-gateway/files/profile-compatibility-version-1.25.yaml index 842aaf17de..d95bc500f4 100644 --- a/charts/istio-gateway/files/profile-compatibility-version-1.25.yaml +++ b/charts/istio-gateway/files/profile-compatibility-version-1.25.yaml @@ -11,6 +11,8 @@ pilot: PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false" # 1.29 behavioral changes DISABLE_TRACK_REMAINING_CB_METRICS: "false" + # 1.30 behavioral changes + PILOT_SIDECAR_PICK_BEST_SERVICE_NAMESPACE: "false" cni: ambient: diff --git a/charts/istio-gateway/files/profile-compatibility-version-1.26.yaml b/charts/istio-gateway/files/profile-compatibility-version-1.26.yaml index f30e143133..0bcda2336e 100644 --- a/charts/istio-gateway/files/profile-compatibility-version-1.26.yaml +++ b/charts/istio-gateway/files/profile-compatibility-version-1.26.yaml @@ -11,6 +11,8 @@ pilot: PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false" # 1.29 behavioral changes DISABLE_TRACK_REMAINING_CB_METRICS: "false" + # 1.30 behavioral changes + PILOT_SIDECAR_PICK_BEST_SERVICE_NAMESPACE: "false" cni: ambient: diff --git a/charts/istio-gateway/files/profile-compatibility-version-1.27.yaml b/charts/istio-gateway/files/profile-compatibility-version-1.27.yaml index b842b0914c..fd8c9c18a2 100644 --- a/charts/istio-gateway/files/profile-compatibility-version-1.27.yaml +++ b/charts/istio-gateway/files/profile-compatibility-version-1.27.yaml 
@@ -9,6 +9,8 @@ pilot: PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false" # 1.29 behavioral changes DISABLE_TRACK_REMAINING_CB_METRICS: "false" + # 1.30 behavioral changes + PILOT_SIDECAR_PICK_BEST_SERVICE_NAMESPACE: "false" cni: ambient: diff --git a/charts/istio-gateway/files/profile-compatibility-version-1.28.yaml b/charts/istio-gateway/files/profile-compatibility-version-1.28.yaml index 3d378691a2..046f09a357 100644 --- a/charts/istio-gateway/files/profile-compatibility-version-1.28.yaml +++ b/charts/istio-gateway/files/profile-compatibility-version-1.28.yaml @@ -6,6 +6,8 @@ pilot: env: # 1.29 behavioral changes DISABLE_TRACK_REMAINING_CB_METRICS: "false" + # 1.30 behavioral changes + PILOT_SIDECAR_PICK_BEST_SERVICE_NAMESPACE: "false" cni: ambient: diff --git a/charts/istio-gateway/files/profile-compatibility-version-1.29.yaml b/charts/istio-gateway/files/profile-compatibility-version-1.29.yaml new file mode 100644 index 0000000000..b44c38a18c --- /dev/null +++ b/charts/istio-gateway/files/profile-compatibility-version-1.29.yaml @@ -0,0 +1,8 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.30 behavioral changes + PILOT_SIDECAR_PICK_BEST_SERVICE_NAMESPACE: "false" diff --git a/charts/istio-gateway/templates/_helpers.tpl b/charts/istio-gateway/templates/_helpers.tpl index 9d3cfa2ce8..fd1cb2f869 100644 --- a/charts/istio-gateway/templates/_helpers.tpl +++ b/charts/istio-gateway/templates/_helpers.tpl 
@@ -39,6 +39,18 @@ istio.io/rev: {{ . | quote }} {{- end }} {{- end }} +{{/* +Render a single network gateway port entry with validation. +Expects a dict with keys: ports (the networkGatewayPorts map), name (port name), defaultTargetPort (fallback). +*/}} +{{- define "gateway.networkGatewayPort" -}} +{{- $cfg := index .ports .name | required (printf "networkGatewayPorts.%s is required when networkGateway is set" .name) -}} +- name: {{ .name }} + port: {{ $cfg.port }} + targetPort: {{ $cfg.targetPort | default .defaultTargetPort }} + protocol: {{ $cfg.protocol | default "TCP" }} +{{- end -}} + {{/* Render resource requirements, omitting any nil values. */}} diff --git a/charts/istio-gateway/templates/deployment.yaml b/charts/istio-gateway/templates/deployment.yaml index 6daec4927b..1cd7997a6c 100644 --- a/charts/istio-gateway/templates/deployment.yaml +++ b/charts/istio-gateway/templates/deployment.yaml @@ -84,10 +84,6 @@ spec: allowPrivilegeEscalation: false privileged: false readOnlyRootFilesystem: true - {{- if not (eq (.Values.platform | default "") "openshift") }} - runAsUser: 1337 - runAsGroup: 1337 - {{- end }} runAsNonRoot: true {{- end }} env: diff --git a/charts/istio-gateway/templates/networkpolicy.yaml b/charts/istio-gateway/templates/networkpolicy.yaml index 3d7c5cfb69..cd02d82027 100644 --- a/charts/istio-gateway/templates/networkpolicy.yaml +++ b/charts/istio-gateway/templates/networkpolicy.yaml @@ -22,13 +22,11 @@ spec: - Egress ingress: # Status/health check port - - from: [] - ports: + - ports: - protocol: TCP port: 15021 # Metrics endpoints for monitoring/prometheus - - from: [] - ports: + - ports: - protocol: TCP port: 15020 - protocol: TCP @@ -36,8 +34,7 @@ spec: # Main gateway traffic ports {{- if .Values.service.ports }} {{- range .Values.service.ports }} - - from: [] - ports: + - ports: - protocol: {{ .protocol | default "TCP" }} port: {{ .targetPort | default .port }} {{- end }} 
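Review bot: `index .ports .name` in the new `gateway.networkGatewayPort` helper is evaluated before `required`, so when a caller overrides `networkGatewayPorts` to null the render fails with a raw Go-template error on `index` of a nil map instead of the friendly message the helper is trying to produce; `{{- $cfg := index (.ports | default dict) .name | required (printf "networkGatewayPorts.%s is required when networkGateway is set" .name) -}}` keeps the message for both the missing-key and the nil-map case. `$cfg.port` is then rendered unchecked: the schema requires it, but a values file that bypasses schema validation still renders `port:` with an empty value, so `port: {{ $cfg.port | required (printf "networkGatewayPorts.%s.port is required" .name) }}` is cheap insurance.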
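Review bot: Removing `runAsUser: 1337`/`runAsGroup: 1337` from the container securityContext while keeping `runAsNonRoot: true` moves the UID decision to the gateway image: the kubelet will refuse to start the container if the image's USER is root or non-numeric, and any volume ownership that relied on UID 1337 on non-OpenShift platforms no longer holds unless a pod-level securityContext outside this hunk sets it. A one-line comment recording the new contract would save the next reader a search, e.g. `# UID/GID come from the image; runAsNonRoot still rejects a root or unresolvable USER`. The enclosing securityContext block starts and ends outside the hunk, so I cannot tell whether a pod-level `runAsUser` remains.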
diff --git a/charts/istio-gateway/templates/service.yaml b/charts/istio-gateway/templates/service.yaml
index d172364d0e..deb2c475e2 100644
--- a/charts/istio-gateway/templates/service.yaml
+++ b/charts/istio-gateway/templates/service.yaml
@@ -50,19 +50,14 @@ spec:
 {{- end }}
 ports:
 {{- if .Values.networkGateway }}
- - name: status-port
- port: 15021
- targetPort: 15021
- - name: tls
- port: 15443
- targetPort: 15443
- - name: tls-istiod
- port: 15012
- targetPort: 15012
- - name: tls-webhook
- port: 15017
- targetPort: 15017
+ {{- include "gateway.networkGatewayPort" (dict "ports" .Values.networkGatewayPorts "name" "status-port" "defaultTargetPort" 15021) | nindent 2 }}
+ {{- include "gateway.networkGatewayPort" (dict "ports" .Values.networkGatewayPorts "name" "tls" "defaultTargetPort" 15443) | nindent 2 }}
+ {{- include "gateway.networkGatewayPort" (dict "ports" .Values.networkGatewayPorts "name" "tls-istiod" "defaultTargetPort" 15012) | nindent 2 }}
+ {{- include "gateway.networkGatewayPort" (dict "ports" .Values.networkGatewayPorts "name" "tls-webhook" "defaultTargetPort" 15017) | nindent 2 }}
 {{- else }}
+ {{- if not .Values.service.ports }}
+ {{- fail "service.ports must not be empty when networkGateway is not set" }}
+ {{- end }}
 {{ .Values.service.ports | toYaml | indent 4 }}
 {{- end }}
 {{- if .Values.service.externalIPs }}
diff --git a/charts/istio-gateway/values.schema.json b/charts/istio-gateway/values.schema.json
index 553de55439..c92fe0c593 100644
--- a/charts/istio-gateway/values.schema.json
+++ b/charts/istio-gateway/values.schema.json
@@ -271,6 +271,24 @@
 "networkGateway": {
 "type": "string"
 },
+ "networkGatewayPorts": {
+ "type": "object",
+ "additionalProperties": {
+ "type": "object",
+ "properties": {
+ "port": {
+ "type": "integer"
+ },
+ "targetPort": {
+ "type": "integer"
+ },
+ "protocol": {
+ "type": "string"
+ }
+ },
+ "required": ["port"]
+ }
+ },
 "imagePullPolicy": {
 "type": "string",
 "enum": [
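Review bot: The `protocol` property in the new `networkGatewayPorts` schema accepts any string, while the helper that consumes it only fills in `"TCP"` when the key is absent, so a value such as `tcp` passes `helm lint` and produces a Service the API server rejects at install time; `"protocol": { "type": "string", "enum": ["TCP", "UDP", "SCTP"] }` fails at template time instead. `targetPort` is restricted to integer although Kubernetes also accepts a named port — probably intended for these four fixed ports, but the values.yaml comment should say so. The schema also has no `minimum`/`maximum` on `port`, so the same 1–65535 range check the CRD fix in this commit adds for ports would be consistent here.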
diff --git a/charts/istio-gateway/values.yaml b/charts/istio-gateway/values.yaml index d463634ec4..044c92af92 100644 --- a/charts/istio-gateway/values.yaml +++ b/charts/istio-gateway/values.yaml @@ -132,6 +132,21 @@ _internal_defaults_do_not_set: # If specified, the gateway will act as a network gateway for the given network. networkGateway: "" + # Ports for the network gateway service. Only used when networkGateway is set. + networkGatewayPorts: + status-port: + port: 15021 + targetPort: 15021 + tls: + port: 15443 + targetPort: 15443 + tls-istiod: + port: 15012 + targetPort: 15012 + tls-webhook: + port: 15017 + targetPort: 15017 + # Specify image pull policy if default behavior isn't desired. # Default behavior: latest images will be Always else IfNotPresent imagePullPolicy: "" diff --git a/charts/istiod/Chart.yaml b/charts/istiod/Chart.yaml index 07fa6feae5..3c1a726615 100644 --- a/charts/istiod/Chart.yaml +++ b/charts/istiod/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 1.29.2 +appVersion: 1.30.0 description: Helm chart for istio control plane icon: https://istio.io/latest/favicons/android-192x192.png keywords: @@ -9,4 +9,4 @@ keywords: name: istiod sources: - https://github.com/istio/istio -version: 1.29.2 +version: 1.30.0 diff --git a/charts/istiod/files/agentgateway.yaml b/charts/istiod/files/agentgateway.yaml index 8ed6d8fbbd..f0238444f2 100644 --- a/charts/istiod/files/agentgateway.yaml +++ b/charts/istiod/files/agentgateway.yaml @@ -162,6 +162,12 @@ spec: {{- end }} - name: XDS_ADDRESS value: {{ .ProxyConfig.DiscoveryAddress | quote }} + - name: CA_ADDRESS + {{- if .Values.global.caAddress }} + value: {{ .Values.global.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 + {{- end }} startupProbe: failureThreshold: 30 httpGet: 
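Review bot: The new `CA_ADDRESS` entry in agentgateway.yaml renders `value: {{ .Values.global.caAddress }}` unquoted, while the `XDS_ADDRESS` entry two lines above uses `| quote`; an address containing a space, ` #`, or a leading YAML indicator would change or break the rendered pod spec, and a purely numeric-looking value would be retyped. Use `value: {{ .Values.global.caAddress | quote }}` and wrap the fallback too, `value: "istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012"`, so both branches produce a string. The Chart.yaml and values.yaml hunks on this line are a version bump and a defaults block and raise nothing.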
@@ -186,19 +192,30 @@ spec:
 - mountPath: /var/run/secrets/xds
 name: istiod-ca-cert
 - mountPath: /var/run/secrets/xds-tokens
- name: istio-token
+ name: xds-token
 - mountPath: /tmp
 name: tmp
+ - mountPath: /var/run/secrets/istio
+ name: istiod-ca-cert
+ - mountPath: /var/run/secrets/tokens
+ name: istio-token
 volumes:
 - emptyDir: {}
 name: tmp
- - name: istio-token
+ - name: xds-token
 projected:
 sources:
 - serviceAccountToken:
 path: xds-token
 expirationSeconds: 43200
 audience: {{ .Values.global.sds.token.aud }}
+ - name: istio-token
+ projected:
+ sources:
+ - serviceAccountToken:
+ path: istio-token
+ expirationSeconds: 43200
+ audience: {{ .Values.global.sds.token.aud }}
 {{- if eq .Values.global.pilotCertProvider "istiod" }}
 - name: istiod-ca-cert
 {{- if eq ((.Values.pilot).env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }}
diff --git a/charts/istiod/files/injection-template.yaml b/charts/istiod/files/injection-template.yaml
index f8efd03b1a..4b7762e3e1 100644
--- a/charts/istiod/files/injection-template.yaml
+++ b/charts/istiod/files/injection-template.yaml
@@ -345,6 +345,11 @@ spec:
 value: "{{ $value }}"
 {{- end }}
 {{- end }}
+ {{- $otelResAttrs := otelResourceAttributes .MeshConfig .ObjectMeta.Annotations .ObjectMeta.Labels .DeploymentMeta.Namespace .Spec.Containers }}
+ {{- if $otelResAttrs }}
+ - name: OTEL_RESOURCE_ATTRIBUTES
+ value: "{{ $otelResAttrs }}"
+ {{- end }}
 {{- range $key, $value := .ProxyConfig.ProxyMetadata }}
 - name: {{ $key }}
 value: "{{ $value }}"
diff --git a/charts/istiod/files/profile-compatibility-version-1.25.yaml b/charts/istiod/files/profile-compatibility-version-1.25.yaml
index 842aaf17de..d95bc500f4 100644
--- a/charts/istiod/files/profile-compatibility-version-1.25.yaml
+++ b/charts/istiod/files/profile-compatibility-version-1.25.yaml
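Review bot: The agentgateway hunk now projects two ServiceAccount tokens (`xds-token` and `istio-token`) with the identical audience `.Values.global.sds.token.aud` and the same 43200s expiry, and mounts the one `istiod-ca-cert` volume at both `/var/run/secrets/xds` and `/var/run/secrets/istio`, but nothing in the template records why two copies are needed, so the next maintainer is likely to merge them. A comment above the new `istio-token` volume such as `# istio-token feeds the CA path (/var/run/secrets/tokens), xds-token the XDS path; keep both even though audience/expiry match` would capture the intent — I am inferring the reason from the mount paths and the `CA_ADDRESS` env added earlier in this file, so please adjust the wording. If the CA and XDS consumers are meant to get distinct audiences in future, the shared `.Values.global.sds.token.aud` should be split at the same time.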
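Review bot: `value: "{{ $otelResAttrs }}"` in injection-template.yaml interpolates a string built from `.ObjectMeta.Annotations` and `.ObjectMeta.Labels` into a double-quoted YAML scalar, so unless `otelResourceAttributes` escapes `"` and `\` itself, a workload annotation containing either character breaks (or alters) the injected pod spec, and that input is under the tenant's control rather than the mesh operator's. `value: {{ $otelResAttrs | quote }}` produces a correctly escaped scalar for any content. The neighbouring `value: "{{ $value }}"` lines follow the same pattern but are pre-existing and outside this change.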
@@ -11,6 +11,8 @@ pilot:
 PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false"
 # 1.29 behavioral changes
 DISABLE_TRACK_REMAINING_CB_METRICS: "false"
+ # 1.30 behavioral changes
+ PILOT_SIDECAR_PICK_BEST_SERVICE_NAMESPACE: "false"
 cni:
 ambient:
diff --git a/charts/istiod/files/profile-compatibility-version-1.26.yaml b/charts/istiod/files/profile-compatibility-version-1.26.yaml
index f30e143133..0bcda2336e 100644
--- a/charts/istiod/files/profile-compatibility-version-1.26.yaml
+++ b/charts/istiod/files/profile-compatibility-version-1.26.yaml
@@ -11,6 +11,8 @@ pilot:
 PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false"
 # 1.29 behavioral changes
 DISABLE_TRACK_REMAINING_CB_METRICS: "false"
+ # 1.30 behavioral changes
+ PILOT_SIDECAR_PICK_BEST_SERVICE_NAMESPACE: "false"
 cni:
 ambient:
diff --git a/charts/istiod/files/profile-compatibility-version-1.27.yaml b/charts/istiod/files/profile-compatibility-version-1.27.yaml
index b842b0914c..fd8c9c18a2 100644
--- a/charts/istiod/files/profile-compatibility-version-1.27.yaml
+++ b/charts/istiod/files/profile-compatibility-version-1.27.yaml
@@ -9,6 +9,8 @@ pilot:
 PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false"
 # 1.29 behavioral changes
 DISABLE_TRACK_REMAINING_CB_METRICS: "false"
+ # 1.30 behavioral changes
+ PILOT_SIDECAR_PICK_BEST_SERVICE_NAMESPACE: "false"
 cni:
 ambient:
diff --git a/charts/istiod/files/profile-compatibility-version-1.28.yaml b/charts/istiod/files/profile-compatibility-version-1.28.yaml
index 3d378691a2..046f09a357 100644
--- a/charts/istiod/files/profile-compatibility-version-1.28.yaml
+++ b/charts/istiod/files/profile-compatibility-version-1.28.yaml
@@ -6,6 +6,8 @@ pilot:
 env:
 # 1.29 behavioral changes
 DISABLE_TRACK_REMAINING_CB_METRICS: "false"
+ # 1.30 behavioral changes
+ PILOT_SIDECAR_PICK_BEST_SERVICE_NAMESPACE: "false"
 cni:
 ambient:
diff --git a/charts/istiod/files/profile-compatibility-version-1.29.yaml b/charts/istiod/files/profile-compatibility-version-1.29.yaml
new file mode 100644
index 0000000000..b44c38a18c
--- /dev/null
+++ b/charts/istiod/files/profile-compatibility-version-1.29.yaml
@@ -0,0 +1,8 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+ env:
+ # 1.30 behavioral changes
+ PILOT_SIDECAR_PICK_BEST_SERVICE_NAMESPACE: "false"
diff --git a/charts/istiod/templates/clusterrole.yaml b/charts/istiod/templates/clusterrole.yaml
index 3280c96b54..5e7b6554cb 100644
--- a/charts/istiod/templates/clusterrole.yaml
+++ b/charts/istiod/templates/clusterrole.yaml
@@ -146,7 +146,6 @@ rules:
 - apiGroups: ["gateway.networking.x-k8s.io"]
 resources:
 - xbackendtrafficpolicies/status
- - xlistenersets/status
 verbs: ["update", "patch"]
 - apiGroups: ["gateway.networking.k8s.io"]
 resources:
@@ -159,6 +158,7 @@ rules:
 - tcproutes/status
 - tlsroutes/status
 - udproutes/status
+ - listenersets/status
 verbs: ["update", "patch"]
 - apiGroups: ["gateway.networking.k8s.io"]
 resources: ["gatewayclasses"]
diff --git a/charts/istiod/templates/deployment.yaml b/charts/istiod/templates/deployment.yaml
index 94e3e4ed87..c21f15639a 100644
--- a/charts/istiod/templates/deployment.yaml
+++ b/charts/istiod/templates/deployment.yaml
@@ -192,6 +192,10 @@ spec:
 - name: PILOT_TRACE_SAMPLING
 value: "{{ .Values.traceSampling }}"
 {{- end }}
+{{- if .Values.taint.enabled }}
+ - name: PILOT_ENABLE_NODE_UNTAINT_CONTROLLERS
+ value: "true"
+{{- end }}
 # If externalIstiod is set via Values.Global, then enable the pilot env variable. However, if it's set via Values.pilot.env, then
 # don't set it here to avoid duplication.
 # TODO (nshankar13): Move from Helm chart to code: https://github.com/istio/istio/issues/52449
diff --git a/charts/istiod/templates/networkpolicy.yaml b/charts/istiod/templates/networkpolicy.yaml
index 831b558ef1..b93578483e 100644
--- a/charts/istiod/templates/networkpolicy.yaml
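Review bot: Dropping `xlistenersets/status` from the `gateway.networking.x-k8s.io` rule while adding `listenersets/status` under `gateway.networking.k8s.io` leaves istiod without update/patch rights on the experimental `xlistenersets` resource on a cluster that still runs the experimental CRDs rather than the standard ones; if the controller still reconciles that kind there, its status writes would start failing with RBAC denials, which is worth confirming before the rule is dropped. If the experimental kind is intentionally no longer supported, a comment on the rule such as `# listenersets moved to gateway.networking.k8s.io; the x-k8s.io xlistenersets kind is no longer reconciled` would record that. The rules list continues outside both hunks.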
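Review bot: The new `PILOT_ENABLE_NODE_UNTAINT_CONTROLLERS` entry is emitted whenever `.Values.taint.enabled` is set, with no check for the same key already being present in `.Values.env`; the comment directly below this insertion explains that the externalIstiod variable is skipped here when it is set via pilot env precisely to avoid a duplicated env name, and the same care applies to this variable. Guard it the same way, e.g. `{{- if and .Values.taint.enabled (not (hasKey .Values.env "PILOT_ENABLE_NODE_UNTAINT_CONTROLLERS")) }}`, or state in values.yaml that setting it under `env` conflicts with `taint.enabled`. The container env list continues outside the hunk.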
+++ b/charts/istiod/templates/networkpolicy.yaml
@@ -24,13 +24,11 @@ spec:
 - Egress
 ingress:
 # Webhook from kube-apiserver
- - from: []
- ports:
+ - ports:
 - protocol: TCP
 port: 15017
 # xDS from potentially anywhere
- - from: []
- ports:
+ - ports:
 - protocol: TCP
 port: 15010
 - protocol: TCP
diff --git a/charts/istiod/templates/reader-clusterrole.yaml b/charts/istiod/templates/reader-clusterrole.yaml
index af795f1f5a..c3ac9ed0c0 100644
--- a/charts/istiod/templates/reader-clusterrole.yaml
+++ b/charts/istiod/templates/reader-clusterrole.yaml
@@ -1,5 +1,5 @@
-# Created if cluster resources are not omitted
-{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }}
+# Created if cluster resources are not omitted. Used for multicluster remote secret workflows.
+{{- if and (or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster")) (dig "global" "enableReaderRBAC" true .Values) }}
 {{ $mcsAPIGroup := or .Values.env.MCS_API_GROUP "multicluster.x-k8s.io" }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
diff --git a/charts/istiod/templates/reader-clusterrolebinding.yaml b/charts/istiod/templates/reader-clusterrolebinding.yaml
index 624f00dce6..4af482c28f 100644
--- a/charts/istiod/templates/reader-clusterrolebinding.yaml
+++ b/charts/istiod/templates/reader-clusterrolebinding.yaml
@@ -1,5 +1,5 @@
-# Created if cluster resources are not omitted
-{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }}
+# Created if cluster resources are not omitted. Used for multicluster remote secret workflows.
+{{- if and (or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster")) (dig "global" "enableReaderRBAC" true .Values) }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
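Review bot: Removing `from: []` does not change what the policy allows, since a NetworkPolicy ingress rule with no `from` entries matches every source, so both rules still admit the webhook port and the xDS ports from anywhere; a reader of the shorter form may not realise that, and the existing comments only name the expected peer. A one-line comment on each rule, such as `# no 'from' selector: accepted from any source`, would keep the intent explicit now that the empty list is gone. The rule list continues outside the hunk.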
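Review bot: The new `enableReaderRBAC` switch is read with `dig "global" "enableReaderRBAC" true .Values`, but nothing in this diff declares it in `charts/istiod/values.yaml`, so unless it is defined elsewhere the template is the only place the knob is documented; the identical expression is repeated in the reader-clusterrolebinding.yaml hunk. Add it under `global` in values.yaml with a comment like `# Set to false to skip the reader ClusterRole/ClusterRoleBinding when the multicluster remote-secret workflow is not used.` Since the ClusterRole and its binding must agree, a single named template for the condition would keep the two from drifting. Both template bodies continue outside the hunks.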
diff --git a/charts/istiod/templates/remote-istiod-endpointslices.yaml b/charts/istiod/templates/remote-istiod-endpointslices.yaml
index e2f4ff03b6..a6b738b127 100644
--- a/charts/istiod/templates/remote-istiod-endpointslices.yaml
+++ b/charts/istiod/templates/remote-istiod-endpointslices.yaml
@@ -1,7 +1,7 @@
 {{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }}
 {{- if and .Values.global.remotePilotAddress .Values.istiodRemote.enabled }}
-# if the remotePilotAddress is an IP addr
-{{- if regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress }}
+# if the remotePilotAddress is an IP addr (IPv4 or IPv6)
+{{- if or (regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress) (regexMatch "^([0-9a-fA-F]*:)+[0-9a-fA-F]*$" .Values.global.remotePilotAddress) }}
 apiVersion: discovery.k8s.io/v1
 kind: EndpointSlice
 metadata:
@@ -25,7 +25,7 @@ metadata:
 {{- end }}
 app.kubernetes.io/name: "istiod"
 {{- include "istio.labels" . | nindent 4 }}
-addressType: IPv4
+addressType: {{ if regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress }}IPv4{{ else }}IPv6{{ end }}
 endpoints:
 - addresses:
 - {{ .Values.global.remotePilotAddress }}
diff --git a/charts/istiod/templates/remote-istiod-service.yaml b/charts/istiod/templates/remote-istiod-service.yaml
index ab14497bac..aa66b10e64 100644
--- a/charts/istiod/templates/remote-istiod-service.yaml
+++ b/charts/istiod/templates/remote-istiod-service.yaml
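Review bot: The new IPv6 test `^([0-9a-fA-F]*:)+[0-9a-fA-F]*$` does not match IPv4-mapped or other mixed-notation addresses such as `::ffff:10.0.0.1` (constructed example: the dots fail the IPv6 pattern and the colons fail the IPv4 one), so such a remotePilotAddress would fall through to the ExternalName Service in the remote-istiod-service.yaml hunk instead of getting an EndpointSlice; the pattern also accepts strings like `:` that are not addresses. Since the pair of regexMatch calls now appears in both templates and the second hunk repeats the IPv4 one again, a named template that classifies the address once (IPv4, IPv6 or hostname) would keep the three sites consistent. Both templates continue outside the hunks.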
@@ -24,8 +24,8 @@ spec:
 targetPort: 15017
 name: tcp-webhook
 protocol: TCP
- {{- if and .Values.global.remotePilotAddress (not (regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress)) }}
- # if the remotePilotAddress is not an IP addr, we use ExternalName
+ {{- if and .Values.global.remotePilotAddress (not (or (regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress) (regexMatch "^([0-9a-fA-F]*:)+[0-9a-fA-F]*$" .Values.global.remotePilotAddress))) }}
+ # if the remotePilotAddress is not an IP addr (IPv4 or IPv6), we use ExternalName
 type: ExternalName
 externalName: {{ .Values.global.remotePilotAddress }}
 {{- end }}
diff --git a/charts/istiod/values.yaml b/charts/istiod/values.yaml
index 41dff2db06..796814d8a0 100644
--- a/charts/istiod/values.yaml
+++ b/charts/istiod/values.yaml
@@ -43,6 +43,7 @@ _internal_defaults_do_not_set:
 # It should be noted that cluster operator/owner is responsible for having the taint set by their infrastructure provider when new nodes are added to the cluster; the untaint controller does not taint nodes
 taint:
 # Controls whether or not the untaint controller is active
+ # When enabled, this automatically sets PILOT_ENABLE_NODE_UNTAINT_CONTROLLERS environment variable to true in the istiod deployment.
 enabled: false
 # What namespace the untaint controller should watch for istio-cni pods. This is only required when istio-cni is running in a different namespace than istiod
 namespace: ""
@@ -251,10 +252,10 @@ _internal_defaults_do_not_set:
 # Default hub for Istio images.
 # Releases are published to docker hub under 'istio' project.
- # Dev builds from prow are on gcr.io
- hub: docker.io/istio
+ # Dev builds from prow are on registry.istio.io/testing.
+ hub: registry.istio.io/release
 # Default tag for Istio images.
- tag: 1.29.2
+ tag: 1.30.0
 # Variant of the image to use.
 # Currently supported are: [debug, distroless]
 variant: ""
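Review bot: Changing the default `hub` from `docker.io/istio` to `registry.istio.io/release` moves every istiod, sidecar and gateway image pull to a different registry on upgrade, and the commit does not call that out anywhere a cluster operator would read it; registry allow-lists, image-signature admission policies or pull-through mirrors keyed on `docker.io/istio` will make pulls fail or be rejected until they are updated, so this deserves a release-note line and a values comment such as `# Changed in 1.30: images are now pulled from registry.istio.io/release; update registry allow-lists and mirrors accordingly.` The comment line above it still says releases are published to docker hub, which now contradicts the default one line below and should be reworded. Separately, `tag: 1.30.0` is unquoted; it parses as a string only because it has two dots, so `tag: "1.30.0"` is the safer convention for version-like values. The values block continues outside the hunk.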
@@ -367,7 +368,7 @@ _internal_defaults_do_not_set:
 #If set to true, istio-proxy container will have privileged securityContext
 privileged: false
-
+
 seccompProfile: {}
 # The number of successive failed probes before indicating readiness failure.
@@ -576,7 +577,7 @@ _internal_defaults_do_not_set:
 # type: ClusterIP
 # Per-Gateway configuration can also be set in the `Gateway.spec.infrastructure.parametersRef` field.
 gatewayClasses: {}
-
+
 pdb:
 # -- Minimum available pods set in PodDisruptionBudget.
 # Define either 'minAvailable' or 'maxUnavailable', never both.