From 3ece6473de48bc7a76c9eb6f806ee38ca09d4d7c Mon Sep 17 00:00:00 2001 From: Brian Mangoenpawiro Date: Thu, 12 Sep 2024 16:44:36 +0200 Subject: [PATCH 01/68] Add release workflow (#332) * Add release workflow Signed-off-by: bmangoen * Use github.actor vars Signed-off-by: bmangoen * Workflow in the right directory Signed-off-by: bmangoen --------- Signed-off-by: bmangoen --- .github/workflows/release.yaml | 89 ++++++++++++++++++++++++++++++ hack/operatorhub/publish-bundle.sh | 11 ++++ 2 files changed, 100 insertions(+) create mode 100644 .github/workflows/release.yaml diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml new file mode 100644 index 000000000..89a72465c --- /dev/null +++ b/.github/workflows/release.yaml 
@@ -0,0 +1,89 @@
+name: Release workflow
+
+on:
+ workflow_dispatch:
+ inputs:
+ release_version:
+ description: "Release version"
+ required: true
+ bundle_channels:
+ description: "Bundle channels"
+ required: true
+ default: "candidates"
+ is_draft_release:
+ description: "Draft release"
+ type: boolean
+ required: false
+ default: true
+ is_pre_release:
+ description: "Pre-release"
+ type: boolean
+ required: false
+ default: false
+
+run-name: Release ${{ inputs.release_version }}
+
+env:
+ GIT_USER: ${{ secrets.GIT_USER }}
+ GITHUB_TOKEN: ${{ secrets.GIT_TOKEN }}
+ VERSION: ${{ inputs.release_version }}
+
+jobs:
+ release:
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Login to quay.io
+ uses: docker/login-action@v3
+ with:
+ registry: quay.io
+ username: ${{ secrets.QUAY_USER }}
+ password: ${{ secrets.QUAY_PWD }}
+
+ - uses: actions/checkout@v4
+
+ - name: Build and push operator image
+ run: |
+ make docker-buildx \
+ -e TAG=$VERSION
+
+ - name: Generate bundle metadata
+ run: |
+ make bundle \
+ -e CHANNELS=$CHANNELS
+ env:
+ CHANNELS: ${{ inputs.bundle_channels }}
+
+ - name: Publish bundle in operatorhub.io
+ run: |
+ make bundle-publish \
+ -e GIT_CONFIG_USER_NAME="$GIT_CONFIG_USER_NAME" \
+ -e GIT_CONFIG_USER_EMAIL="$GIT_CONFIG_USER_EMAIL" \
+ -e OPERATOR_VERSION=$VERSION \
+ -e OPERATOR_HUB=community-operators \
+ -e OWNER=k8s-operatorhub \
+ -e FORK=maistra
+ env:
+ GIT_CONFIG_USER_NAME: "${{ github.actor }}"
+ GIT_CONFIG_USER_EMAIL: "${{ github.actor_id }}+${{ github.actor }}@users.noreply.github.com"
+
+ - name: Publish bundle in OpenShift OperatorHub
+ run: |
+ make bundle-publish \
+ -e GIT_CONFIG_USER_NAME="$GIT_CONFIG_USER_NAME" \
+ -e GIT_CONFIG_USER_EMAIL="$GIT_CONFIG_USER_EMAIL" \
+ -e OPERATOR_VERSION=$VERSION \
+ -e OWNER=redhat-openshift-ecosystem \
+ -e FORK=maistra
+ env:
+ GIT_CONFIG_USER_NAME: "${{ github.actor }}"
+ GIT_CONFIG_USER_EMAIL: "${{ github.actor_id }}+${{ github.actor }}@users.noreply.github.com"
+
+ - name: Create GitHub 
release + run: | + make create-gh-release \ + -e GH_PRE_RELEASE=$GH_PRE_RELEASE \ + -e GH_RELEASE_DRAFT=$GH_RELEASE_DRAFT + env: + GH_PRE_RELEASE: ${{ github.event.inputs.is_pre_release == 'true' }} + GH_RELEASE_DRAFT: ${{ github.event.inputs.is_draft_release == 'true' }} \ No newline at end of file diff --git a/hack/operatorhub/publish-bundle.sh b/hack/operatorhub/publish-bundle.sh index 59fbe2785..e72e12858 100755 --- a/hack/operatorhub/publish-bundle.sh +++ b/hack/operatorhub/publish-bundle.sh @@ -23,6 +23,9 @@ source "${CUR_DIR}"/../validate_semver.sh GITHUB_TOKEN="${GITHUB_TOKEN:-}" GIT_USER="${GIT_USER:-}" +GIT_CONFIG_USER_NAME="${GIT_CONFIG_USER_NAME:-}" +GIT_CONFIG_USER_EMAIL="${GIT_CONFIG_USER_EMAIL:-}" + # The OPERATOR_NAME is defined in Makefile : "${OPERATOR_NAME:?"Missing OPERATOR_NAME variable"}" : "${OPERATOR_VERSION:?"Missing OPERATOR_VERSION variable"}" @@ -96,6 +99,14 @@ BUNDLE_DIR="${CUR_DIR}"/../../bundle mkdir -p "${OPERATORS_DIR}" cp -a "${BUNDLE_DIR}"/. "${OPERATORS_DIR}" +if ! git config --global user.name; then + skipInDryRun git config --global user.name "${GIT_CONFIG_USER_NAME}" +fi + +if ! git config --global user.email; then + skipInDryRun git config --global user.email "${GIT_CONFIG_USER_EMAIL}" +fi + TITLE="operator ${OPERATOR_NAME} (${OPERATOR_VERSION})" skipInDryRun git add . skipInDryRun git commit -s -m"${TITLE}" From 468f457c70f68054bc1ad7a50847513c4ea9dd24 Mon Sep 17 00:00:00 2001 From: Sridhar Gaddam Date: Mon, 16 Sep 2024 20:12:15 +0530 Subject: [PATCH 02/68] Fix setup-multi-primary script (#340) Currently, running the script simply hangs and there was also a typo in the apiVersion. This PR fixes both the issues. Signed-off-by: Sridhar Gaddam --- docs/multicluster/setup-multi-primary.sh | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/docs/multicluster/setup-multi-primary.sh b/docs/multicluster/setup-multi-primary.sh index 4463c3719..53589089f 100755 --- a/docs/multicluster/setup-multi-primary.sh 
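Review bot: The workflow-level `env:` hands `GIT_USER` and `GITHUB_TOKEN` (mapped from the `GIT_TOKEN` secret, a personal token rather than the job's scoped token) to every step, including the third-party `docker/login-action@v3` and `actions/checkout@v4` steps, while only the two `bundle-publish` steps and `create-gh-release` appear to need them (`publish-bundle.sh` in this same patch reads both variables). Scoping them as step-level `env:` on those three steps limits what a compromised action or a leaked step log can reach, and pinning the two actions to a full commit SHA instead of a floating major tag closes the other half of that exposure. `release_version` is a free-form `workflow_dispatch` input that becomes an image tag via `-e TAG=$VERSION` before anything in this file validates it; quoting it (`-e TAG="$VERSION"`) and running it through the `validate_semver.sh` helper the publish script already sources, up front, would stop a typo from pushing a stray tag to quay.io. There is also no `permissions:` block, so the job runs with the repository's default token permissions; declaring the minimum the job needs makes the intended scope explicit and reviewable.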
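Review bot: The new `if ! git config --global user.name` block writes `"${GIT_CONFIG_USER_NAME}"` even when that variable is empty, which the earlier hunk permits by defaulting it with `${GIT_CONFIG_USER_NAME:-}`; the result is an empty `user.name` and a less obvious failure later at `git commit -s`. Validate inside the branch, in the style the script already uses for `OPERATOR_VERSION`: `: "${GIT_CONFIG_USER_NAME:?"Missing GIT_CONFIG_USER_NAME variable"}"` before the `skipInDryRun` line, and the same for `GIT_CONFIG_USER_EMAIL` in the block below it. The probe also prints any existing value to stdout; `git config --global user.name >/dev/null` keeps that out of the CI log. `git config --global` mutates the runner's home directory rather than the repository the script is about to commit into, which is harmless on an ephemeral runner but surprising when the script is run locally; a repo-local `git config user.name` would presumably avoid that.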
+++ b/docs/multicluster/setup-multi-primary.sh @@ -25,6 +25,7 @@ while [ $# -gt 0 ]; do exit 0 ;; esac + shift done set -euo pipefail @@ -96,7 +97,7 @@ kubectl get secret -n istio-system --context "${CTX_CLUSTER2}" cacerts || kubect # 4. Create Sail CR on east kubectl apply --context "${CTX_CLUSTER1}" -f - < Date: Tue, 17 Sep 2024 11:48:15 +0300 Subject: [PATCH 03/68] Add README file for Helm charts section (#338) - Add instructions on deploying the sail-operator by using the helm charts defined within the repository. - Rearrange the following guides to avoid duplication. Place them within 'docs/common' directory and reference them from the relevant docs guides. - create-and-configure-gateways.md - install-bookinfo-app.md - install-istioctl-tool.md - istio-addons-integrations.md Signed-off-by: Maxim Babushkin --- bundle/README.md | 262 +------------------ chart/README.md | 248 ++++++++++++++++++ docs/README.md | 4 +- docs/common/create-and-configure-gateways.md | 84 ++++++ docs/common/install-bookinfo-app.md | 30 +++ docs/common/install-istioctl-tool.md | 52 ++++ docs/common/istio-addons-integrations.md | 119 +++++++++ 7 files changed, 539 insertions(+), 260 deletions(-) create mode 100644 chart/README.md create mode 100644 docs/common/create-and-configure-gateways.md create mode 100644 docs/common/install-bookinfo-app.md create mode 100644 docs/common/install-istioctl-tool.md create mode 100644 docs/common/istio-addons-integrations.md diff --git a/bundle/README.md b/bundle/README.md index e2878edf1..50aaf7008 100644 --- a/bundle/README.md +++ b/bundle/README.md 
@@ -151,53 +151,7 @@ Alternatively, refer to [Istio's artifacthub chart documentation](https://artifa The `istioctl` tool is a configuration command line utility that allows service operators to debug and diagnose Istio service mesh deployments. - -### Prerequisites - -Use an `istioctl` version that is the same version as the Istio control plane -for the Service Mesh deployment. See [Istio Releases](https://github.com/istio/istio/releases) for a list of valid -releases, including Beta releases. - - -### Procedure - -1. Confirm if you have `istioctl` installed, and if so which version, by running -the following command at the terminal: - - ```sh - $ istioctl version - ``` - -1. Confirm the version of Istio you are using by running the following command -at the terminal: - - ```sh - $ oc -n istio-system get istio - ``` - -1. Install `istioctl` by running the following command at the terminal: - - ```sh - $ curl -sL https://istio.io/downloadIstioctl | ISTIO_VERSION= sh - - ``` - Replace `` with the version of Istio you are using. - -1. Put the `istioctl` directory on path by running the following command at the terminal: - - ```sh - $ export PATH=$HOME/.istioctl/bin:$PATH - ``` - -1. Confirm that the `istioctl` client version and the Istio control plane -version now match (or are within one version) by running the following command -at the terminal: - - ```sh - $ istioctl version - ``` - - -*Note*: `istioctl install` is not supported. The Sail Operator installs Istio. +For installation steps, refer to the following [link](../docs/common/install-istioctl-tool.md). ## Installing the Bookinfo Application 
@@ -205,30 +159,7 @@ You can use the `bookinfo` example application to explore service mesh features. Using the `bookinfo` application, you can easily confirm that requests from a web browser pass through the mesh and reach the application. -The `bookinfo` application displays information about a book, similar to a -single catalog entry of an online book store. The application displays a page -that describes the book, lists book details (ISBN, number of pages, and other -information), and book reviews. - -The `bookinfo` application is exposed through the mesh, and the mesh configuration -determines how the microservices comprising the application are used to serve -requests. The review information comes from one of three services: `reviews-v1`, -`reviews-v2` or `reviews-v3`. If you deploy the `bookinfo` application without -defining the `reviews` virtual service, then the mesh uses a round-robin rule to -route requests to a service. - -By deploying the `reviews` virtual service, you can specify a different behavior. -For example, you can specify that if a user logs into the `bookinfo` application, -then the mesh routes requests to the `reviews-v2` service, and the application -displays reviews with black stars. If a user does not log into the `bookinfo` -application, then the mesh routes requests to the `reviews-v3` service, and the -application displays reviews with red stars. - -For more information, see [Bookinfo Application](https://istio.io/latest/docs/examples/bookinfo/) in the upstream Istio documentation. - -After following the instructions for [Deploying the application](https://istio.io/latest/docs/examples/bookinfo/#start-the-application-services), **you -will need to create and configure a gateway** for the `bookinfo` application to -be accessible outside the cluster. +For installation steps, refer to the following [link](../docs/common/install-bookinfo-app.md). ## Creating and Configuring Gateways 
@@ -240,81 +171,7 @@ contains the control plane. You can deploy gateways using either the Gateway API or Gateway Injection methods. - -### Option 1: Istio Gateway Injection - -Gateway Injection uses the same mechanisms as Istio sidecar injection to create -a gateway from a `Deployment` resource that is paired with a `Service` resource -that can be made accessible from outside the cluster. For more information, see -[Installing Gateways](https://preliminary.istio.io/latest/docs/setup/additional-setup/gateway/#deploying-a-gateway). - -To configure gateway injection with the `bookinfo` application, we have provided -a [sample gateway configuration](../chart/samples/ingress-gateway.yaml?raw=1) that should be applied in the namespace -where the application is installed: - -1. Create the `istio-ingressgateway` deployment and service: - - ```sh - $ oc apply -f -n ingress-gateway.yaml - ``` - -2. Configure the `bookinfo` application with the new gateway: - - ```sh - $ oc apply -f https://raw.githubusercontent.com/istio/istio/master/samples/bookinfo/networking/bookinfo-gateway.yaml - ``` - -3. On OpenShift, you can use a [Route](https://docs.openshift.com/container-platform/4.13/networking/routes/route-configuration.html) to expose the gateway externally: - - ```sh - $ oc expose service istio-ingressgateway - ``` - -4. Finally, obtain the gateway host name and the URL of the product page: - - ```sh - $ HOST=$(oc get route istio-ingressgateway -o jsonpath='{.spec.host}') - $ echo http://$HOST/productpage - ``` - -Verify that the `productpage` is accessible from a web browser. - - -### Option 2: Kubernetes Gateway API - -Istio includes support for Kubernetes [Gateway API](https://gateway-api.sigs.k8s.io/) and intends to make it -the default API for [traffic management in the future](https://istio.io/latest/blog/2022/gateway-api-beta/). For more -information, see Istio's [Kubernetes Gateway API](https://istio.io/latest/docs/tasks/traffic-management/ingress/gateway-api/) page. 
- -As of Kubernetes 1.28 and OpenShift 4.14, the Kubernetes Gateway API CRDs are -not available by default and must be enabled to be used. This can be done with -the command: - -```sh -$ oc get crd gateways.gateway.networking.k8s.io &> /dev/null || { oc kustomize "github.com/kubernetes-sigs/gateway-api/config/crd?ref=v1.0.0" | oc apply -f -; } -``` - -To configure `bookinfo` with a gateway using `Gateway API`: - -1. Create and configure a gateway using a `Gateway` and `HTTPRoute` resource: - - ```sh - $ oc apply -f https://raw.githubusercontent.com/istio/istio/master/samples/bookinfo/gateway-api/bookinfo-gateway.yaml - ``` - -2. Retrieve the host, port and gateway URL: - - ```sh - $ export INGRESS_HOST=$(oc get gtw bookinfo-gateway -o jsonpath='{.status.addresses[0].value}') - $ export INGRESS_PORT=$(oc get gtw bookinfo-gateway -o jsonpath='{.spec.listeners[?(@.name=="http")].port}') - $ export GATEWAY_URL=$INGRESS_HOST:$INGRESS_PORT - ``` - -3. Obtain the `productpage` URL and check that you can visit it from a browser: - - ```sh - $ echo "http://${GATEWAY_URL}/productpage" - ``` +For installation steps, refer to the following [link](../docs/common/create-and-configure-gateways.md). ## Istio Addons Integrations 
@@ -324,118 +181,7 @@ Istio can be integrated with other software to provide additional functionality The following addons are for demonstration or development purposes only and should not be used in production environments: - -### Prometheus - -`Prometheus` is an open-source systems monitoring and alerting toolkit. You can -use `Prometheus` with the Sail Operator to keep an eye on how healthy Istio and -the apps in the service mesh are, for more information, see [Prometheus](https://istio.io/latest/docs/ops/integrations/prometheus/). - -To install Prometheus, perform the following steps: - -1. Deploy `Prometheus`: - - ```sh - $ oc apply -f https://raw.githubusercontent.com/istio/istio/master/samples/addons/prometheus.yaml - ``` -2. Access to `Prometheus`console: - - * Expose the `Prometheus` service externally: - - ```sh - $ oc expose service prometheus -n istio-system - ``` - * Get the route of the service and open the URL in the web browser - - ```sh - $ oc get route prometheus -o jsonpath='{.spec.host}' -n istio-system - ``` - - -### Grafana - -`Grafana` is an open-source platform for monitoring and observability. You can -use `Grafana` with the Sail Operator to configure dashboards for istio, see -[Grafana](https://istio.io/latest/docs/ops/integrations/grafana/) for more information. - -To install Grafana, perform the following steps: - -1. Deploy `Grafana`: - - ```sh - $ oc apply -f https://raw.githubusercontent.com/istio/istio/master/samples/addons/grafana.yaml - ``` - -2. Access to `Grafana`console: - - * Expose the `Grafana` service externally - - ```sh - $ oc expose service grafana -n istio-system - ``` - * Get the route of the service and open the URL in the web browser - - ```sh - $ oc get route grafana -o jsonpath='{.spec.host}' -n istio-system - ``` - - -### Jaeger - -`Jaeger` is an open-source end-to-end distributed tracing system. 
You can use -`Jaeger` with the Sail Operator to monitor and troubleshoot transactions in -complex distributed systems, see [Jaeger](https://istio.io/latest/docs/ops/integrations/jaeger/) for more information. - -To install Jaeger, perform the following steps: - -1. Deploy `Jaeger`: - - ```sh - $ oc apply -f https://raw.githubusercontent.com/istio/istio/master/samples/addons/jaeger.yaml - ``` -2. Access to `Jaeger` console: - - * Expose the `Jaeger` service externally: - - ```sh - $ oc expose svc/tracing -n istio-system - ``` - - * Get the route of the service and open the URL in the web browser - - ```sh - $ oc get route tracing -o jsonpath='{.spec.host}' -n istio-system - ``` -*Note*: if you want to see some traces you can refresh several times the product -page of bookinfo app to start generating traces. - - -### Kiali - -`Kiali` is an open-source project that provides a graphical user interface to -visualize the service mesh topology, see [Kiali](https://istio.io/latest/docs/ops/integrations/kiali/) for more information. - -To install Kiali, perform the following steps: - -1. Deploy `Kiali`: - - ```sh - $ oc apply -f https://raw.githubusercontent.com/istio/istio/master/samples/addons/kiali.yaml - ``` - -2. Access to `Kiali` console: - - * Expose the `Kiali` service externally: - - ```sh - $ oc expose service kiali -n istio-system - ``` - - * Get the route of the service and open the URL in the web browser - - ```sh - $ oc get route kiali -o jsonpath='{.spec.host}' -n istio-system - ``` +For installation steps, refer to the following [link](../docs/common/istio-addons-integrations.md). ## Undeploying Istio and the Sail Operator diff --git a/chart/README.md b/chart/README.md new file mode 100644 index 000000000..c2e4cf792 --- /dev/null +++ b/chart/README.md 
@@ -0,0 +1,248 @@ +# Deploy Sail Operator by using Helm charts + +Follow this guide to install and configure Sail Operator by using [Helm](https://helm.sh/docs/) + +## Prerequisites + +Kubernetes: +* You have deployed a cluster on Kubernetes platform 1.27 or later. +* You are logged in to the Kubernetes cluster with admin permissions level user. + +OpenShift: +* You have deployed a cluster on OpenShift Container Platform 4.14 or later. +* You are logged in to the OpenShift Container Platform web console as a user with the `cluster-admin` role. + +[Install the Helm client](https://helm.sh/docs/intro/install/), version 3.6 or above. + +## Prepare the Helm charts + +**Note** - `Sail Operator` could be installed by downloading the release artifacts from the [release page](https://github.com/istio-ecosystem/sail-operator/releases). + +* Download the required release artifact +* Extract it locally. + + ```sh + $ tar -xvf /tmp/sail-operator-.tgz + ``` + +The extract command will create the `sail-operator` directory with the helm charts in it. + +## Installation steps + +This section describes the procedure to install `Sail Operator` using Helm. The general syntax for helm installation is: + + ```sh + helm install --create-namespace --namespace [--set ] + ``` + +The variables specified in the command are as follows: +* `` - A name to identify and manage the Helm chart once installed. +* `` - A path to a packaged chart, a path to an unpacked chart directory or a URL. +* `` - The namespace in which the chart is to be installed. + +Default configuration values can be changed using one or more `--set =` arguments. Alternatively, you can specify several parameters in a custom values file using the `--values ` argument. + +1. Create the namespace, `sail-operator`, for the Sail Operator components: + + ```sh + $ kubectl create namespace sail-operator + ``` + +**Note** - This step could be skipped by using the `--create-namespace` argument in step 2. + +2. 
Install the Sail Operator base charts which will manage all the Custom Resource Definitions(CRDs) to be able to deploy the Istio control plane: + +* Kubernetes + + ```sh + $ helm install sail-operator sail-operator/ --namespace sail-operator + ``` + +* OpenShift + + ```sh + $ helm install sail-operator sail-operator/ --namespace sail-operator --set platform=openshift + ``` + +3. Validate the CRD installation with the `helm ls` command: + + ```sh + $ helm ls -n sail-operator + + NAME NAMESPACE REVISION UPDATED STATUS CHART APP VERSION + sail-operator sail-operator 1 2024-09-16 12:43:18.786846217 +0300 IDT deployed sail-operator-0.1.0-rc.1 0.1.0-rc.1 + ``` + +4. Get the status of the installed helm chart to ensure it is deployed: + + ```bash + $ helm status sail-operator -n sail-operator + + NAME: sail-operator + LAST DEPLOYED: Mon Sep 16 12:43:18 2024 + NAMESPACE: sail-operator + STATUS: deployed + REVISION: 1 + TEST SUITE: None + ``` + +5. Check `sail-operator` deployment is successfully installed and its pods are running: + + ```sh + $ kubectl -n sail-operator get deployment --output wide + + NAME READY UP-TO-DATE AVAILABLE AGE CONTAINERS IMAGES SELECTOR + sail-operator 1/1 1 1 19m kube-rbac-proxy,manager gcr.io/kubebuilder/kube-rbac-proxy:v0.16.0,quay.io/maistra-dev/sail-operator:0.1.0-rc.1 app.kubernetes.io/created-by=sailoperator,app.kubernetes.io/part-of=sailoperator,control-plane=sail-operator + + $ kubectl -n sail-operator get pods -o wide + + NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES + sail-operator-666f84b6f4-9hw4t 2/2 Running 0 43s 10.244.0.8 sail-control-plane + ``` + +## Deploying Istio + +To deploy Istio, you must create the following resources: +* `Istio`. +* If you are using OpenShift, the `IstioCNI` must also be created. + +The `Istio` resource deploys and configures the Istio Control Plane, whereas the `IstioCNI` resource (in OpenShift) deploys and configures the Istio CNI plugin. 
You should create these resources in separate projects. + +### Create a namespace for Istio project. + +* Kubernetes + + ```sh + $ kubectl create namespace istio-system + ``` + +* OpenShift + + ```sh + $ kubectl create namespace istio-system + $ kubectl create namespace istio-cni + ``` + +### Create the Istio resource + +The `sail-operator` charts directory contains `samples` directory, which contains manifests that could be used for Istio deployment. + +* Kubernetes + + ```sh + $ kubectl apply -f sail-operator/samples/istio-sample-kubernetes.yaml + ``` + +* OpenShift + + ```sh + $ kubectl apply -f sail-operator/samples/istio-sample-openshift.yaml + $ kubectl apply -f sail-operator/samples/istiocni-sample.yaml + ``` + +**Note** - The version can be specified by modifying the `version` field within `Istio` and `IstioCNI` manifests. + +### Customizing Istio configuration + +The `spec.values` field of the `Istio` and `IstioCNI` resource can be used to customize Istio and Istio CNI plugin configuration using Istio's `Helm` configuration values. + +An example configuration: + + ```yaml + apiVersion: sailoperator.io/v1alpha1 + kind: Istio + metadata: + name: example + spec: + version: v1.23.0 + values: + global: + mtls: + enabled: true + trustDomainAliases: + - example.net + meshConfig: + trustDomain: example.com + trustDomainAliases: + - example.net + ``` + +For a list of available configuration for the `spec.values` field, run the following command: + + ```sh + $ kubectl explain istio.spec.values + ``` + +For the `IstioCNI` resource, replace `istio` with `istiocni` in the command above. 
+ +Alternatively, refer to [Istio's artifacthub chart documentation](https://artifacthub.io/packages/search?org=istio&sort=relevance&page=1) for: + +- [Base parameters](https://artifacthub.io/packages/helm/istio-official/base?modal=values) +- [Istiod parameters](https://artifacthub.io/packages/helm/istio-official/istiod?modal=values) +- [Gateway parameters](https://artifacthub.io/packages/helm/istio-official/gateway?modal=values) +- [CNI parameters](https://artifacthub.io/packages/helm/istio-official/cni?modal=values) +- [ZTunnel parameters](https://artifacthub.io/packages/helm/istio-official/ztunnel?modal=values) + +## Installing the istioctl tool + +The `istioctl` tool is a configuration command line utility that allows service +operators to debug and diagnose Istio service mesh deployments. + +For installation steps, refer to the following [link](../docs/common/install-istioctl-tool.md). + +## Installing the Bookinfo Application + +You can use the `bookinfo` example application to explore service mesh features. +Using the `bookinfo` application, you can easily confirm that requests from a +web browser pass through the mesh and reach the application. + +For installation steps, refer to the following [link](../docs/common/install-bookinfo-app.md). + +## Creating and Configuring Gateways + +The Sail Operator does not deploy Ingress or Egress Gateways. Gateways are not +part of the control plane. As a security best-practice, Ingress and Egress +Gateways should be deployed in a different namespace than the namespace that +contains the control plane. + +You can deploy gateways using either the Gateway API or Gateway Injection methods. + +For installation steps, refer to the following [link](../docs/common/create-and-configure-gateways.md). + +## Istio Addons Integrations + +Istio can be integrated with other software to provide additional functionality +(More information can be found in: https://istio.io/latest/docs/ops/integrations/). 
+The following addons are for demonstration or development purposes only and +should not be used in production environments: + +For installation steps, refer to the following [link](../docs/common/istio-addons-integrations.md). + + +## Undeploying Istio and the Sail Operator + +### Deleting Istio + + ```sh + $ kubectl -n istio-system delete istio default + ``` + +### Deleting IstioCNI (in OpenShift cluster platform) + + ```sh + $ kubectl -n istio-cni delete istiocni default + ``` + +### Uninstall the Sail Operator using Helm + + ```sh + $ helm uninstall sail-operator --namespace sail-operator + ``` + +### Deleting the Project namespaces + + ```sh + $ kubectl delete namespace istio-system + $ kubectl delete namespace istio-cni + $ kubectl delete namespace sail-operator + ``` diff --git a/docs/README.md b/docs/README.md index 64bdbefdd..3a7a4069f 100644 --- a/docs/README.md +++ b/docs/README.md @@ -260,7 +260,7 @@ When the `InPlace` strategy is used, the existing Istio control plane is replace Prerequisites: * Sail Operator is installed. -* `istioctl` is installed. +* `istioctl` is [installed](common/istio-addons-integrations.md). Steps: 1. Create the `istio-system` namespace. @@ -336,7 +336,7 @@ When the `RevisionBased` strategy is used, a new Istio control plane instance is Prerequisites: * Sail Operator is installed. -* `istioctl` is installed. +* `istioctl` is [installed](common/istio-addons-integrations.md). Steps: diff --git a/docs/common/create-and-configure-gateways.md b/docs/common/create-and-configure-gateways.md new file mode 100644 index 000000000..00fdca0ee --- /dev/null +++ b/docs/common/create-and-configure-gateways.md 
@@ -0,0 +1,84 @@ +## Creating and Configuring Gateways + +The Sail Operator does not deploy Ingress or Egress Gateways. Gateways are not +part of the control plane. As a security best-practice, Ingress and Egress +Gateways should be deployed in a different namespace than the namespace that +contains the control plane. + +You can deploy gateways using either the Gateway API or Gateway Injection methods. + + +### Option 1: Istio Gateway Injection + +Gateway Injection uses the same mechanisms as Istio sidecar injection to create +a gateway from a `Deployment` resource that is paired with a `Service` resource +that can be made accessible from outside the cluster. For more information, see +[Installing Gateways](https://preliminary.istio.io/latest/docs/setup/additional-setup/gateway/#deploying-a-gateway). + +To configure gateway injection with the `bookinfo` application, we have provided +a [sample gateway configuration](../chart/samples/ingress-gateway.yaml?raw=1) that should be applied in the namespace +where the application is installed: + +1. Create the `istio-ingressgateway` deployment and service: + + ```sh + $ oc apply -f -n ingress-gateway.yaml + ``` + +2. Configure the `bookinfo` application with the new gateway: + + ```sh + $ oc apply -f https://raw.githubusercontent.com/istio/istio/master/samples/bookinfo/networking/bookinfo-gateway.yaml + ``` + +3. On OpenShift, you can use a [Route](https://docs.openshift.com/container-platform/4.13/networking/routes/route-configuration.html) to expose the gateway externally: + + ```sh + $ oc expose service istio-ingressgateway + ``` + +4. Finally, obtain the gateway host name and the URL of the product page: + + ```sh + $ HOST=$(oc get route istio-ingressgateway -o jsonpath='{.spec.host}') + $ echo http://$HOST/productpage + ``` + +Verify that the `productpage` is accessible from a web browser. 
+ + +### Option 2: Kubernetes Gateway API + +Istio includes support for Kubernetes [Gateway API](https://gateway-api.sigs.k8s.io/) and intends to make it +the default API for [traffic management in the future](https://istio.io/latest/blog/2022/gateway-api-beta/). For more +information, see Istio's [Kubernetes Gateway API](https://istio.io/latest/docs/tasks/traffic-management/ingress/gateway-api/) page. + +As of Kubernetes 1.28 and OpenShift 4.14, the Kubernetes Gateway API CRDs are +not available by default and must be enabled to be used. This can be done with +the command: + +```sh +$ oc get crd gateways.gateway.networking.k8s.io &> /dev/null || { oc kustomize "github.com/kubernetes-sigs/gateway-api/config/crd?ref=v1.0.0" | oc apply -f -; } +``` + +To configure `bookinfo` with a gateway using `Gateway API`: + +1. Create and configure a gateway using a `Gateway` and `HTTPRoute` resource: + + ```sh + $ oc apply -f https://raw.githubusercontent.com/istio/istio/master/samples/bookinfo/gateway-api/bookinfo-gateway.yaml + ``` + +2. Retrieve the host, port and gateway URL: + + ```sh + $ export INGRESS_HOST=$(oc get gtw bookinfo-gateway -o jsonpath='{.status.addresses[0].value}') + $ export INGRESS_PORT=$(oc get gtw bookinfo-gateway -o jsonpath='{.spec.listeners[?(@.name=="http")].port}') + $ export GATEWAY_URL=$INGRESS_HOST:$INGRESS_PORT + ``` + +3. Obtain the `productpage` URL and check that you can visit it from a browser: + + ```sh + $ echo "http://${GATEWAY_URL}/productpage" + ``` diff --git a/docs/common/install-bookinfo-app.md b/docs/common/install-bookinfo-app.md new file mode 100644 index 000000000..0026b4d8e --- /dev/null +++ b/docs/common/install-bookinfo-app.md 
@@ -0,0 +1,30 @@ +## Installing the Bookinfo Application + +You can use the `bookinfo` example application to explore service mesh features. +Using the `bookinfo` application, you can easily confirm that requests from a +web browser pass through the mesh and reach the application. + +The `bookinfo` application displays information about a book, similar to a +single catalog entry of an online book store. The application displays a page +that describes the book, lists book details (ISBN, number of pages, and other +information), and book reviews. + +The `bookinfo` application is exposed through the mesh, and the mesh configuration +determines how the microservices comprising the application are used to serve +requests. The review information comes from one of three services: `reviews-v1`, +`reviews-v2` or `reviews-v3`. If you deploy the `bookinfo` application without +defining the `reviews` virtual service, then the mesh uses a round-robin rule to +route requests to a service. + +By deploying the `reviews` virtual service, you can specify a different behavior. +For example, you can specify that if a user logs into the `bookinfo` application, +then the mesh routes requests to the `reviews-v2` service, and the application +displays reviews with black stars. If a user does not log into the `bookinfo` +application, then the mesh routes requests to the `reviews-v3` service, and the +application displays reviews with red stars. + +For more information, see [Bookinfo Application](https://istio.io/latest/docs/examples/bookinfo/) in the upstream Istio documentation. + +After following the instructions for [Deploying the application](https://istio.io/latest/docs/examples/bookinfo/#start-the-application-services), **you +will need to create and configure a gateway** for the `bookinfo` application to +be accessible outside the cluster. diff --git a/docs/common/install-istioctl-tool.md b/docs/common/install-istioctl-tool.md new file mode 100644 index 000000000..ec489105e 
--- /dev/null +++ b/docs/common/install-istioctl-tool.md @@ -0,0 +1,52 @@ +## Installing the istioctl tool + +The `istioctl` tool is a configuration command line utility that allows service +operators to debug and diagnose Istio service mesh deployments. + + +### Prerequisites + +Use an `istioctl` version that is the same version as the Istio control plane +for the Service Mesh deployment. See [Istio Releases](https://github.com/istio/istio/releases) for a list of valid +releases, including Beta releases. + + +### Procedure + +1. Confirm if you have `istioctl` installed, and if so which version, by running +the following command at the terminal: + + ```sh + $ istioctl version + ``` + +2. Confirm the version of Istio you are using by running the following command +at the terminal: + + ```sh + $ oc -n istio-system get istio + ``` + +3. Install `istioctl` by running the following command at the terminal: + + ```sh + $ curl -sL https://istio.io/downloadIstioctl | ISTIO_VERSION= sh - + ``` + Replace `` with the version of Istio you are using. + +4. Put the `istioctl` directory on path by running the following command at the terminal: + + ```sh + $ export PATH=$HOME/.istioctl/bin:$PATH + ``` + +5. Confirm that the `istioctl` client version and the Istio control plane +version now match (or are within one version) by running the following command +at the terminal: + + ```sh + $ istioctl version + ``` + + +*Note*: `istioctl install` is not supported. The Sail Operator installs Istio. diff --git a/docs/common/istio-addons-integrations.md b/docs/common/istio-addons-integrations.md new file mode 100644 index 000000000..36f0ee1da --- /dev/null +++ b/docs/common/istio-addons-integrations.md 
@@ -0,0 +1,119 @@
+## Istio Addons Integrations
+
+Istio can be integrated with other software to provide additional functionality
+(More information can be found in: https://istio.io/latest/docs/ops/integrations/).
+The following addons are for demonstration or development purposes only and
+should not be used in production environments:
+
+
+### Prometheus
+
+`Prometheus` is an open-source systems monitoring and alerting toolkit. You can
+use `Prometheus` with the Sail Operator to keep an eye on how healthy Istio and
+the apps in the service mesh are, for more information, see [Prometheus](https://istio.io/latest/docs/ops/integrations/prometheus/).
+
+To install Prometheus, perform the following steps:
+
+1. Deploy `Prometheus`:
+
+ ```sh
+ $ oc apply -f https://raw.githubusercontent.com/istio/istio/master/samples/addons/prometheus.yaml
+ ```
+2. Access to `Prometheus`console:
+
+ * Expose the `Prometheus` service externally:
+
+ ```sh
+ $ oc expose service prometheus -n istio-system
+ ```
+ * Get the route of the service and open the URL in the web browser
+
+ ```sh
+ $ oc get route prometheus -o jsonpath='{.spec.host}' -n istio-system
+ ```
+
+
+### Grafana
+
+`Grafana` is an open-source platform for monitoring and observability. You can
+use `Grafana` with the Sail Operator to configure dashboards for istio, see
+[Grafana](https://istio.io/latest/docs/ops/integrations/grafana/) for more information.
+
+To install Grafana, perform the following steps:
+
+1. Deploy `Grafana`:
+
+ ```sh
+ $ oc apply -f https://raw.githubusercontent.com/istio/istio/master/samples/addons/grafana.yaml
+ ```
+
+2. Access to `Grafana`console:
+
+ * Expose the `Grafana` service externally
+
+ ```sh
+ $ oc expose service grafana -n istio-system
+ ```
+ * Get the route of the service and open the URL in the web browser
+
+ ```sh
+ $ oc get route grafana -o jsonpath='{.spec.host}' -n istio-system
+ ```
+
+
+### Jaeger
+
+`Jaeger` is an open-source end-to-end distributed tracing system. You can use
+`Jaeger` with the Sail Operator to monitor and troubleshoot transactions in
+complex distributed systems, see [Jaeger](https://istio.io/latest/docs/ops/integrations/jaeger/) for more information.
+
+To install Jaeger, perform the following steps:
+
+1. Deploy `Jaeger`:
+
+ ```sh
+ $ oc apply -f https://raw.githubusercontent.com/istio/istio/master/samples/addons/jaeger.yaml
+ ```
+2. Access to `Jaeger` console:
+
+ * Expose the `Jaeger` service externally:
+
+ ```sh
+ $ oc expose svc/tracing -n istio-system
+ ```
+
+ * Get the route of the service and open the URL in the web browser
+
+ ```sh
+ $ oc get route tracing -o jsonpath='{.spec.host}' -n istio-system
+ ```
+*Note*: if you want to see some traces you can refresh several times the product
+page of bookinfo app to start generating traces.
+
+
+### Kiali
+
+`Kiali` is an open-source project that provides a graphical user interface to
+visualize the service mesh topology, see [Kiali](https://istio.io/latest/docs/ops/integrations/kiali/) for more information.
+
+To install Kiali, perform the following steps:
+
+1. Deploy `Kiali`:
+
+ ```sh
+ $ oc apply -f https://raw.githubusercontent.com/istio/istio/master/samples/addons/kiali.yaml
+ ```
+
+2. Access to `Kiali` console:
+
+ * Expose the `Kiali` service externally:
+
+ ```sh
+ $ oc expose service kiali -n istio-system
+ ```
+
+ * Get the route of the service and open the URL in the web browser
+
+ ```sh
+ $ oc get route kiali -o jsonpath='{.spec.host}' -n istio-system
+ ```
From f896eb5c1e82e1a3a0db35b0afce0d259b578d97 Mon Sep 17 00:00:00 2001
From: Francisco Herrera
Date: Wed, 18 Sep 2024 14:37:17 +0200
Subject: [PATCH 04/68] Increase run operator-sdk run bundle timeout in OLM deploy (#345)
Signed-off-by: frherrer
---
 tests/e2e/common-operator-integ-suite.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/e2e/common-operator-integ-suite.sh b/tests/e2e/common-operator-integ-suite.sh
index dd5625bb8..d4fdedb1d 100755
--- a/tests/e2e/common-operator-integ-suite.sh +++ b/tests/e2e/common-operator-integ-suite.sh @@ -237,7 +237,7 @@ if [ "${SKIP_BUILD}" == "false" ]; then # Create operator namespace ${COMMAND} create ns "${NAMESPACE}" || echo "Creation of namespace ${NAMESPACE} failed with the message: $?" # Deploy the operator using OLM - ${OPERATOR_SDK} run bundle "${BUNDLE_IMG}" -n "${NAMESPACE}" --skip-tls + ${OPERATOR_SDK} run bundle "${BUNDLE_IMG}" -n "${NAMESPACE}" --skip-tls --timeout 5m # Wait for the operator to be ready ${COMMAND} wait --for=condition=available deployment/"${DEPLOYMENT_NAME}" -n "${NAMESPACE}" --timeout=5m From 5aea1349c473263bf8f4a3051826631f1617b57a Mon Sep 17 00:00:00 2001 From: Francisco Herrera Date: Thu, 19 Sep 2024 17:13:18 +0200 Subject: [PATCH 05/68] Update latest Istio version to latest commit upstream (#348) 
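Review bot: The new `--timeout 5m` on the `run bundle` line hardcodes the same value that the `wait --timeout=5m` on the following line already uses, so the two can drift when one is tuned; a single variable, e.g. `OLM_TIMEOUT="${OLM_TIMEOUT:-5m}"` passed as `--timeout "${OLM_TIMEOUT}"` in both places, keeps them in step. The same line keeps `--skip-tls`, which disables TLS verification for the registry the bundle image is pulled from; a comment stating that this is intended only for the test-local registry (and, if the operator-sdk in use supports the narrower `--skip-tls-verify`/`--use-http` pair it was deprecated in favor of, a switch to those) would make that exception deliberate rather than inherited. The enclosing `if [ "${SKIP_BUILD}" == "false" ]` block starts and ends outside the hunk.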
Signed-off-by: frherrer --- .../sailoperator.clusterserviceversion.yaml | 20 ++++---- chart/values.yaml | 2 +- resources/latest/charts/base/Chart.yaml | 4 +- .../latest/charts/base/crds/crd-all.gen.yaml | 6 --- .../profile-compatibility-version-1.21.yaml | 5 ++ .../profile-compatibility-version-1.22.yaml | 5 ++ .../profile-compatibility-version-1.23.yaml | 11 +++- .../base/files/profile-openshift-ambient.yaml | 28 ---------- .../base/files/profile-platform-k3d.yaml | 7 +++ .../base/files/profile-platform-k3s.yaml | 7 +++ .../base/files/profile-platform-microk8s.yaml | 7 +++ .../base/files/profile-platform-minikube.yaml | 6 +++ .../files/profile-platform-openshift.yaml} | 7 +-- .../latest/charts/base/templates/crds.yaml | 10 ++++ .../charts/base/templates/endpoints.yaml | 2 +- .../charts/base/templates/services.yaml | 2 +- .../base/templates/zzy_descope_legacy.yaml | 3 ++ .../charts/base/templates/zzz_profile.yaml | 7 +++ resources/latest/charts/base/values.yaml | 4 ++ resources/latest/charts/cni/Chart.yaml | 4 +- .../profile-compatibility-version-1.21.yaml | 5 ++ .../profile-compatibility-version-1.22.yaml | 5 ++ .../profile-compatibility-version-1.23.yaml | 11 +++- .../cni/files/profile-openshift-ambient.yaml | 28 ---------- .../cni/files/profile-platform-k3d.yaml | 7 +++ .../cni/files/profile-platform-k3s.yaml | 7 +++ .../cni/files/profile-platform-microk8s.yaml | 7 +++ .../cni/files/profile-platform-minikube.yaml | 6 +++ .../files/profile-platform-openshift.yaml} | 7 +-- .../charts/cni/templates/clusterrole.yaml | 2 +- .../charts/cni/templates/daemonset.yaml | 1 - .../charts/cni/templates/zzz_profile.yaml | 7 +++ resources/latest/charts/cni/values.yaml | 2 +- resources/latest/charts/gateway/Chart.yaml | 4 +- .../profile-compatibility-version-1.21.yaml | 5 ++ .../profile-compatibility-version-1.22.yaml | 5 ++ .../profile-compatibility-version-1.23.yaml | 11 +++- .../files/profile-openshift-ambient.yaml | 28 ---------- .../gateway/files/profile-platform-k3d.yaml | 
7 +++ .../gateway/files/profile-platform-k3s.yaml | 7 +++ .../files/profile-platform-microk8s.yaml | 7 +++ .../files/profile-platform-minikube.yaml | 6 +++ .../files/profile-platform-openshift.yaml} | 7 +-- .../charts/gateway/templates/deployment.yaml | 13 ++++- .../charts/gateway/templates/zzz_profile.yaml | 7 +++ .../latest/charts/gateway/values.schema.json | 9 ++++ resources/latest/charts/gateway/values.yaml | 12 +++++ .../latest/charts/istiod-remote/Chart.yaml | 4 +- .../files/injection-template.yaml | 2 + .../profile-compatibility-version-1.21.yaml | 5 ++ .../profile-compatibility-version-1.22.yaml | 5 ++ .../profile-compatibility-version-1.23.yaml | 11 +++- .../files/profile-openshift-ambient.yaml | 28 ---------- .../files/profile-platform-k3d.yaml | 7 +++ .../files/profile-platform-k3s.yaml | 7 +++ .../files/profile-platform-microk8s.yaml | 7 +++ .../files/profile-platform-minikube.yaml | 6 +++ .../files/profile-platform-openshift.yaml} | 7 +-- .../istiod-remote/templates/clusterrole.yaml | 51 +++++++++++++------ .../istiod-remote/templates/endpoints.yaml | 2 +- .../templates/mutatingwebhook.yaml | 2 +- .../istiod-remote/templates/services.yaml | 2 +- .../istiod-remote/templates/zzz_profile.yaml | 7 +++ .../latest/charts/istiod-remote/values.yaml | 15 +++++- resources/latest/charts/istiod/Chart.yaml | 4 +- .../istiod/files/injection-template.yaml | 2 + .../profile-compatibility-version-1.21.yaml | 5 ++ .../profile-compatibility-version-1.22.yaml | 5 ++ .../profile-compatibility-version-1.23.yaml | 11 +++- .../files/profile-openshift-ambient.yaml | 28 ---------- .../istiod/files/profile-openshift.yaml | 20 -------- .../istiod/files/profile-platform-k3d.yaml | 7 +++ .../istiod/files/profile-platform-k3s.yaml | 7 +++ .../files/profile-platform-microk8s.yaml | 7 +++ .../files/profile-platform-minikube.yaml | 6 +++ .../files/profile-platform-openshift.yaml | 17 +++++++ .../latest/charts/istiod/files/waypoint.yaml | 16 ++++++ 
.../charts/istiod/templates/clusterrole.yaml | 51 +++++++++++++------ .../charts/istiod/templates/deployment.yaml | 14 ++++- .../istiod/templates/mutatingwebhook.yaml | 2 +- .../istiod/templates/revision-tags.yaml | 2 +- .../charts/istiod/templates/zzz_profile.yaml | 7 +++ resources/latest/charts/istiod/values.yaml | 20 +++++++- resources/latest/charts/ztunnel/Chart.yaml | 4 +- .../profile-compatibility-version-1.21.yaml | 5 ++ .../profile-compatibility-version-1.22.yaml | 5 ++ .../profile-compatibility-version-1.23.yaml | 11 +++- .../files/profile-openshift-ambient.yaml | 28 ---------- .../ztunnel/files/profile-openshift.yaml | 20 -------- .../ztunnel/files/profile-platform-k3d.yaml | 7 +++ .../ztunnel/files/profile-platform-k3s.yaml | 7 +++ .../files/profile-platform-microk8s.yaml | 7 +++ .../files/profile-platform-minikube.yaml | 6 +++ .../files/profile-platform-openshift.yaml | 17 +++++++ .../charts/ztunnel/templates/daemonset.yaml | 2 +- .../charts/ztunnel/templates/zzz_profile.yaml | 7 +++ resources/latest/charts/ztunnel/values.yaml | 2 +- versions.yaml | 14 ++--- 98 files changed, 593 insertions(+), 318 deletions(-) delete mode 100644 resources/latest/charts/base/files/profile-openshift-ambient.yaml create mode 100644 resources/latest/charts/base/files/profile-platform-k3d.yaml create mode 100644 resources/latest/charts/base/files/profile-platform-k3s.yaml create mode 100644 resources/latest/charts/base/files/profile-platform-microk8s.yaml create mode 100644 resources/latest/charts/base/files/profile-platform-minikube.yaml rename resources/latest/charts/{gateway/files/profile-openshift.yaml => base/files/profile-platform-openshift.yaml} (84%) create mode 100644 resources/latest/charts/base/templates/zzy_descope_legacy.yaml delete mode 100644 resources/latest/charts/cni/files/profile-openshift-ambient.yaml create mode 100644 resources/latest/charts/cni/files/profile-platform-k3d.yaml create mode 100644 
resources/latest/charts/cni/files/profile-platform-k3s.yaml create mode 100644 resources/latest/charts/cni/files/profile-platform-microk8s.yaml create mode 100644 resources/latest/charts/cni/files/profile-platform-minikube.yaml rename resources/latest/charts/{base/files/profile-openshift.yaml => cni/files/profile-platform-openshift.yaml} (84%) delete mode 100644 resources/latest/charts/gateway/files/profile-openshift-ambient.yaml create mode 100644 resources/latest/charts/gateway/files/profile-platform-k3d.yaml create mode 100644 resources/latest/charts/gateway/files/profile-platform-k3s.yaml create mode 100644 resources/latest/charts/gateway/files/profile-platform-microk8s.yaml create mode 100644 resources/latest/charts/gateway/files/profile-platform-minikube.yaml rename resources/latest/charts/{istiod-remote/files/profile-openshift.yaml => gateway/files/profile-platform-openshift.yaml} (84%) delete mode 100644 resources/latest/charts/istiod-remote/files/profile-openshift-ambient.yaml create mode 100644 resources/latest/charts/istiod-remote/files/profile-platform-k3d.yaml create mode 100644 resources/latest/charts/istiod-remote/files/profile-platform-k3s.yaml create mode 100644 resources/latest/charts/istiod-remote/files/profile-platform-microk8s.yaml create mode 100644 resources/latest/charts/istiod-remote/files/profile-platform-minikube.yaml rename resources/latest/charts/{cni/files/profile-openshift.yaml => istiod-remote/files/profile-platform-openshift.yaml} (84%) delete mode 100644 resources/latest/charts/istiod/files/profile-openshift-ambient.yaml delete mode 100644 resources/latest/charts/istiod/files/profile-openshift.yaml create mode 100644 resources/latest/charts/istiod/files/profile-platform-k3d.yaml create mode 100644 resources/latest/charts/istiod/files/profile-platform-k3s.yaml create mode 100644 resources/latest/charts/istiod/files/profile-platform-microk8s.yaml create mode 100644 resources/latest/charts/istiod/files/profile-platform-minikube.yaml 
create mode 100644 resources/latest/charts/istiod/files/profile-platform-openshift.yaml delete mode 100644 resources/latest/charts/ztunnel/files/profile-openshift-ambient.yaml delete mode 100644 resources/latest/charts/ztunnel/files/profile-openshift.yaml create mode 100644 resources/latest/charts/ztunnel/files/profile-platform-k3d.yaml create mode 100644 resources/latest/charts/ztunnel/files/profile-platform-k3s.yaml create mode 100644 resources/latest/charts/ztunnel/files/profile-platform-microk8s.yaml create mode 100644 resources/latest/charts/ztunnel/files/profile-platform-minikube.yaml create mode 100644 resources/latest/charts/ztunnel/files/profile-platform-openshift.yaml diff --git a/bundle/manifests/sailoperator.clusterserviceversion.yaml b/bundle/manifests/sailoperator.clusterserviceversion.yaml index c30478933..47e035fbc 100644 --- a/bundle/manifests/sailoperator.clusterserviceversion.yaml +++ b/bundle/manifests/sailoperator.clusterserviceversion.yaml @@ -34,7 +34,7 @@ metadata: capabilities: Seamless Upgrades categories: OpenShift Optional, Integration & Delivery, Networking, Security containerImage: quay.io/maistra-dev/sail-operator:0.2-latest - createdAt: "2024-08-21T08:58:14Z" + createdAt: "2024-09-19T14:41:31Z" description: Experimental operator for installing Istio service mesh features.operators.openshift.io/cnf: "false" features.operators.openshift.io/cni: "true" @@ -374,7 +374,7 @@ spec: - v1.23.0 - v1.22.3 - v1.21.5 - - latest (b28bdd77) + - latest (fe2a0468) [See this page](https://github.com/istio-ecosystem/sail-operator/blob/main/bundle/README.md) for instructions on how to use it. displayName: Sail Operator 
@@ -598,10 +598,10 @@ spec: template: metadata: annotations: - images.latest.cni: gcr.io/istio-testing/install-cni:1.24-alpha.b28bdd77da4c7f0f4f3631db514f1c4f79a90289 - images.latest.istiod: gcr.io/istio-testing/pilot:1.24-alpha.b28bdd77da4c7f0f4f3631db514f1c4f79a90289 - images.latest.proxy: gcr.io/istio-testing/proxyv2:1.24-alpha.b28bdd77da4c7f0f4f3631db514f1c4f79a90289 - images.latest.ztunnel: gcr.io/istio-testing/ztunnel:1.24-alpha.b28bdd77da4c7f0f4f3631db514f1c4f79a90289 + images.latest.cni: gcr.io/istio-testing/install-cni:1.24-alpha.fe2a04689d3b7abf7630dc5646bf825e0c0592fe + images.latest.istiod: gcr.io/istio-testing/pilot:1.24-alpha.fe2a04689d3b7abf7630dc5646bf825e0c0592fe + images.latest.proxy: gcr.io/istio-testing/proxyv2:1.24-alpha.fe2a04689d3b7abf7630dc5646bf825e0c0592fe + images.latest.ztunnel: gcr.io/istio-testing/ztunnel:1.24-alpha.fe2a04689d3b7abf7630dc5646bf825e0c0592fe images.v1_21_5.cni: docker.io/istio/install-cni:1.21.5 images.v1_21_5.istiod: docker.io/istio/pilot:1.21.5 images.v1_21_5.proxy: docker.io/istio/proxyv2:1.21.5 
@@ -767,13 +767,13 @@ spec: provider: name: Red Hat, Inc. relatedImages: - - image: gcr.io/istio-testing/install-cni:1.24-alpha.b28bdd77da4c7f0f4f3631db514f1c4f79a90289 + - image: gcr.io/istio-testing/install-cni:1.24-alpha.fe2a04689d3b7abf7630dc5646bf825e0c0592fe name: latest.cni - - image: gcr.io/istio-testing/pilot:1.24-alpha.b28bdd77da4c7f0f4f3631db514f1c4f79a90289 + - image: gcr.io/istio-testing/pilot:1.24-alpha.fe2a04689d3b7abf7630dc5646bf825e0c0592fe name: latest.istiod - - image: gcr.io/istio-testing/proxyv2:1.24-alpha.b28bdd77da4c7f0f4f3631db514f1c4f79a90289 + - image: gcr.io/istio-testing/proxyv2:1.24-alpha.fe2a04689d3b7abf7630dc5646bf825e0c0592fe name: latest.proxy - - image: gcr.io/istio-testing/ztunnel:1.24-alpha.b28bdd77da4c7f0f4f3631db514f1c4f79a90289 + - image: gcr.io/istio-testing/ztunnel:1.24-alpha.fe2a04689d3b7abf7630dc5646bf825e0c0592fe name: latest.ztunnel - image: docker.io/istio/install-cni:1.21.5 name: v1_21_5.cni diff --git a/chart/values.yaml b/chart/values.yaml index de6eec47a..d86bac087 100644 --- a/chart/values.yaml +++ b/chart/values.yaml @@ -19,7 +19,7 @@ csv: - v1.23.0 - v1.22.3 - v1.21.5 - - latest (b28bdd77) + - latest (fe2a0468) [See this page](https://github.com/istio-ecosystem/sail-operator/blob/main/bundle/README.md) for instructions on how to use it. support: Community based diff --git a/resources/latest/charts/base/Chart.yaml b/resources/latest/charts/base/Chart.yaml index 7d589bb9e..7ad77f51a 100644 --- a/resources/latest/charts/base/Chart.yaml +++ b/resources/latest/charts/base/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 1.24-alpha.b28bdd77da4c7f0f4f3631db514f1c4f79a90289 +appVersion: 1.24-alpha.fe2a04689d3b7abf7630dc5646bf825e0c0592fe description: Helm chart for deploying Istio cluster resources and CRDs icon: https://istio.io/latest/favicons/android-192x192.png keywords: 
@@ -7,4 +7,4 @@ keywords: name: base sources: - https://github.com/istio/istio -version: 1.24-alpha.b28bdd77da4c7f0f4f3631db514f1c4f79a90289 +version: 1.24-alpha.fe2a04689d3b7abf7630dc5646bf825e0c0592fe diff --git a/resources/latest/charts/base/crds/crd-all.gen.yaml b/resources/latest/charts/base/crds/crd-all.gen.yaml index 675d42a84..45c7e2b61 100644 --- a/resources/latest/charts/base/crds/crd-all.gen.yaml +++ b/resources/latest/charts/base/crds/crd-all.gen.yaml @@ -13329,8 +13329,6 @@ spec: type: integer type: object x-kubernetes-validations: - - message: Address is required - rule: has(self.address) || has(self.network) - message: UDS may not include ports rule: '(has(self.address) && self.address.startsWith(''unix://'')) ? !has(self.ports) : true' @@ -13595,8 +13593,6 @@ spec: type: integer type: object x-kubernetes-validations: - - message: Address is required - rule: has(self.address) || has(self.network) - message: UDS may not include ports rule: '(has(self.address) && self.address.startsWith(''unix://'')) ? !has(self.ports) : true' @@ -13861,8 +13857,6 @@ spec: type: integer type: object x-kubernetes-validations: - - message: Address is required - rule: has(self.address) || has(self.network) - message: UDS may not include ports rule: '(has(self.address) && self.address.startsWith(''unix://'')) ? !has(self.ports) : true' diff --git a/resources/latest/charts/base/files/profile-compatibility-version-1.21.yaml b/resources/latest/charts/base/files/profile-compatibility-version-1.21.yaml index 2b72bd93c..c8da4d2e1 100644 --- a/resources/latest/charts/base/files/profile-compatibility-version-1.21.yaml +++ b/resources/latest/charts/base/files/profile-compatibility-version-1.21.yaml 
@@ -15,6 +15,8 @@ pilot: ENABLE_INBOUND_RETRY_POLICY: "false" EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false" PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false" + ENABLE_ENHANCED_DESTINATIONRULE_MERGE: "false" + PILOT_UNIFIED_SIDECAR_SCOPE: "false" meshConfig: # 1.22 behavioral changes @@ -23,6 +25,9 @@ meshConfig: ISTIO_DELTA_XDS: "false" # 1.23 behavioral changes ENABLE_DELIMITED_STATS_TAG_REGEX: "false" + # 1.24 behaviour changes + ENABLE_DEFERRED_STATS_CREATION: "false" + BYPASS_OVERLOAD_MANAGER_FOR_STATIC_LISTENERS: "false" tracing: zipkin: address: zipkin.istio-system:9411 diff --git a/resources/latest/charts/base/files/profile-compatibility-version-1.22.yaml b/resources/latest/charts/base/files/profile-compatibility-version-1.22.yaml index 2badb70a5..70d8eb40c 100644 --- a/resources/latest/charts/base/files/profile-compatibility-version-1.22.yaml +++ b/resources/latest/charts/base/files/profile-compatibility-version-1.22.yaml @@ -11,6 +11,8 @@ pilot: ENABLE_INBOUND_RETRY_POLICY: "false" EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false" PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false" + ENABLE_ENHANCED_DESTINATIONRULE_MERGE: "false" + PILOT_UNIFIED_SIDECAR_SCOPE: "false" meshConfig: defaultConfig: @@ -19,3 +21,6 @@ meshConfig: ENABLE_DEFERRED_CLUSTER_CREATION: "false" # 1.23 behavioral changes ENABLE_DELIMITED_STATS_TAG_REGEX: "false" + # 1.24 behaviour changes + ENABLE_DEFERRED_STATS_CREATION: "false" + BYPASS_OVERLOAD_MANAGER_FOR_STATIC_LISTENERS: "false" diff --git a/resources/latest/charts/base/files/profile-compatibility-version-1.23.yaml b/resources/latest/charts/base/files/profile-compatibility-version-1.23.yaml index f855500b0..636bb6f15 100644 --- a/resources/latest/charts/base/files/profile-compatibility-version-1.23.yaml +++ b/resources/latest/charts/base/files/profile-compatibility-version-1.23.yaml 
@@ -7,4 +7,13 @@ pilot: # 1.24 behavioral changes ENABLE_INBOUND_RETRY_POLICY: "false" EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false" - PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false" \ No newline at end of file + PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false" + ENABLE_ENHANCED_DESTINATIONRULE_MERGE: "false" + PILOT_UNIFIED_SIDECAR_SCOPE: "false" + +meshConfig: + defaultConfig: + proxyMetadata: + # 1.24 behaviour changes + ENABLE_DEFERRED_STATS_CREATION: "false" + BYPASS_OVERLOAD_MANAGER_FOR_STATIC_LISTENERS: "false" diff --git a/resources/latest/charts/base/files/profile-openshift-ambient.yaml b/resources/latest/charts/base/files/profile-openshift-ambient.yaml deleted file mode 100644 index 444665932..000000000 --- a/resources/latest/charts/base/files/profile-openshift-ambient.yaml +++ /dev/null @@ -1,28 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -meshConfig: - defaultConfig: - proxyMetadata: - ISTIO_META_ENABLE_HBONE: "true" -global: - platform: openshift - variant: distroless - seLinuxOptions: - type: spc_t -cni: - ambient: - enabled: true - cniBinDir: /var/lib/cni/bin - cniConfDir: /etc/cni/multus/net.d - chained: false - cniConfFileName: "istio-cni.conf" - logLevel: info - provider: "multus" -pilot: - cni: - enabled: true - provider: "multus" - env: - PILOT_ENABLE_AMBIENT: "true" \ No newline at end of file diff --git a/resources/latest/charts/base/files/profile-platform-k3d.yaml b/resources/latest/charts/base/files/profile-platform-k3d.yaml new file mode 100644 index 000000000..cd86d9ec5 --- /dev/null +++ b/resources/latest/charts/base/files/profile-platform-k3d.yaml 
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+ cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+ cniBinDir: /bin
diff --git a/resources/latest/charts/base/files/profile-platform-k3s.yaml b/resources/latest/charts/base/files/profile-platform-k3s.yaml
new file mode 100644
index 000000000..f3f2884aa
--- /dev/null
+++ b/resources/latest/charts/base/files/profile-platform-k3s.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+ cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+ cniBinDir: /var/lib/rancher/k3s/data/current/bin/
diff --git a/resources/latest/charts/base/files/profile-platform-microk8s.yaml b/resources/latest/charts/base/files/profile-platform-microk8s.yaml
new file mode 100644
index 000000000..57d7f5e3c
--- /dev/null
+++ b/resources/latest/charts/base/files/profile-platform-microk8s.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+ cniConfDir: /var/snap/microk8s/current/args/cni-network
+ cniBinDir: /var/snap/microk8s/current/opt/cni/bin
diff --git a/resources/latest/charts/base/files/profile-platform-minikube.yaml b/resources/latest/charts/base/files/profile-platform-minikube.yaml
new file mode 100644
index 000000000..fa9992e20
--- /dev/null
+++ b/resources/latest/charts/base/files/profile-platform-minikube.yaml
@@ -0,0 +1,6 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniNetnsDir: /var/run/docker/netns diff --git a/resources/latest/charts/gateway/files/profile-openshift.yaml b/resources/latest/charts/base/files/profile-platform-openshift.yaml similarity index 84% rename from resources/latest/charts/gateway/files/profile-openshift.yaml rename to resources/latest/charts/base/files/profile-platform-openshift.yaml index 38357bd99..69eda2b1d 100644 --- a/resources/latest/charts/gateway/files/profile-openshift.yaml +++ b/resources/latest/charts/base/files/profile-platform-openshift.yaml @@ -3,18 +3,15 @@ # If you want to make a change in this file, edit the original one and run "make gen". # The OpenShift profile provides a basic set of settings to run Istio on OpenShift -# CNI must be installed. cni: cniBinDir: /var/lib/cni/bin cniConfDir: /etc/cni/multus/net.d chained: false cniConfFileName: "istio-cni.conf" - logLevel: info provider: "multus" -global: - platform: openshift pilot: cni: enabled: true provider: "multus" -platform: openshift \ No newline at end of file +seLinuxOptions: + type: spc_t diff --git a/resources/latest/charts/base/templates/crds.yaml b/resources/latest/charts/base/templates/crds.yaml index af9901c6e..7714ad8c1 100644 --- a/resources/latest/charts/base/templates/crds.yaml +++ b/resources/latest/charts/base/templates/crds.yaml @@ -1,3 +1,13 @@ {{- if .Values.base.enableCRDTemplates }} +{{- if .Values.base.excludedCRDs }} +{{- range $crd := .Files.Get "crds/crd-all.gen.yaml"|splitList "\n---\n"}} +{{- $name := (index ($crd |fromYaml) "metadata" "name") }} +{{- if not (has $name $.Values.base.excludedCRDs)}} +{{$crd}} +--- +{{- end }} +{{- end }} +{{- else }} {{ .Files.Get "crds/crd-all.gen.yaml" }} {{- end }} +{{- end }} 
diff --git a/resources/latest/charts/base/templates/endpoints.yaml b/resources/latest/charts/base/templates/endpoints.yaml index 1cc26dd78..1190dfa9b 100644 --- a/resources/latest/charts/base/templates/endpoints.yaml +++ b/resources/latest/charts/base/templates/endpoints.yaml @@ -3,7 +3,7 @@ apiVersion: v1 kind: Endpoints metadata: - {{- if .Values.pilot.enabled }} + {{- if .Values.enabled }} name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }}-remote {{- else }} name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }} diff --git a/resources/latest/charts/base/templates/services.yaml b/resources/latest/charts/base/templates/services.yaml index 4290f2848..fe9b701aa 100644 --- a/resources/latest/charts/base/templates/services.yaml +++ b/resources/latest/charts/base/templates/services.yaml @@ -2,7 +2,7 @@ apiVersion: v1 kind: Service metadata: - {{- if .Values.pilot.enabled }} + {{- if .Values.enabled }} # when local istiod is enabled, we can't use istiod service name to reach the remote control plane name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }}-remote {{- else }} diff --git a/resources/latest/charts/base/templates/zzy_descope_legacy.yaml b/resources/latest/charts/base/templates/zzy_descope_legacy.yaml new file mode 100644 index 000000000..ae8fced29 --- /dev/null +++ b/resources/latest/charts/base/templates/zzy_descope_legacy.yaml @@ -0,0 +1,3 @@ +{{/* Copy anything under `.pilot` to `.`, to avoid the need to specify a redundant prefix. +Due to the file naming, this always happens after zzz_profile.yaml */}} +{{- $_ := mustMergeOverwrite $.Values (index $.Values "pilot") }} \ No newline at end of file diff --git a/resources/latest/charts/base/templates/zzz_profile.yaml b/resources/latest/charts/base/templates/zzz_profile.yaml index b96dcafcb..4eea73812 100644 --- a/resources/latest/charts/base/templates/zzz_profile.yaml +++ b/resources/latest/charts/base/templates/zzz_profile.yaml 
@@ -33,6 +33,13 @@ Finally, we can set all of that under .Values so the chart behaves without aware {{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }} {{- end }} {{- end }} +{{- if $globals.platform }} +{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" $globals.platform) }} +{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown platform" $globals.platform) }} +{{- end }} +{{- end }} {{- if $profile }} {{- $a := mustMergeOverwrite $defaults $profile }} {{- end }} diff --git a/resources/latest/charts/base/values.yaml b/resources/latest/charts/base/values.yaml index fae4e61e4..ef078c11d 100644 --- a/resources/latest/charts/base/values.yaml +++ b/resources/latest/charts/base/values.yaml @@ -25,6 +25,10 @@ defaults: ipFamilies: [] base: + # A list of CRDs to exclude. Requires `enableCRDTemplates` to be true. + # Example: `excludedCRDs: ["envoyfilters.networking.istio.io"]`. + # Note: when installing with `istioctl`, `enableIstioConfigCRDs=false` must also be set. + excludedCRDs: [] # Used for helm2 to add the CRDs to templates. enableCRDTemplates: false diff --git a/resources/latest/charts/cni/Chart.yaml b/resources/latest/charts/cni/Chart.yaml index 72b0cbb69..41e66e2c6 100644 --- a/resources/latest/charts/cni/Chart.yaml +++ b/resources/latest/charts/cni/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 1.24-alpha.b28bdd77da4c7f0f4f3631db514f1c4f79a90289 +appVersion: 1.24-alpha.fe2a04689d3b7abf7630dc5646bf825e0c0592fe description: Helm chart for istio-cni components icon: https://istio.io/latest/favicons/android-192x192.png keywords: @@ -8,4 +8,4 @@ keywords: name: cni sources: - https://github.com/istio/istio -version: 1.24-alpha.b28bdd77da4c7f0f4f3631db514f1c4f79a90289 +version: 1.24-alpha.fe2a04689d3b7abf7630dc5646bf825e0c0592fe 
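Review bot: The new platform block in zzz_profile.yaml merges `. | fromYaml` into `$profile` without checking the result, and Helm's `fromYaml` does not fail on malformed input — it returns a map carrying an `Error` key — so a platform profile that does not parse would quietly merge `Error: ...` into the chart values, unlike the `unknown platform` case two lines below which does `fail`. Guarding it with `{{- $p := . | fromYaml }}`, `{{- if hasKey $p "Error" }}{{ fail (cat "invalid platform profile" $p.Error) }}{{- end }}` and then `{{- $ignore := mustMergeOverwrite $profile $p }}` keeps a bad profile from reaching rendering. Interpolating `$globals.platform` into the `Files.Get` path is, as far as I can tell, bounded to files packaged in the chart, so an unexpected value only reaches the `fail` branch. The same hunk is repeated in the cni, gateway and istiod-remote copies of zzz_profile.yaml, and the comment header says these files are generated from the upstream source, so the fix belongs there.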
diff --git a/resources/latest/charts/cni/files/profile-compatibility-version-1.21.yaml b/resources/latest/charts/cni/files/profile-compatibility-version-1.21.yaml index 2b72bd93c..c8da4d2e1 100644 --- a/resources/latest/charts/cni/files/profile-compatibility-version-1.21.yaml +++ b/resources/latest/charts/cni/files/profile-compatibility-version-1.21.yaml @@ -15,6 +15,8 @@ pilot: ENABLE_INBOUND_RETRY_POLICY: "false" EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false" PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false" + ENABLE_ENHANCED_DESTINATIONRULE_MERGE: "false" + PILOT_UNIFIED_SIDECAR_SCOPE: "false" meshConfig: # 1.22 behavioral changes @@ -23,6 +25,9 @@ meshConfig: ISTIO_DELTA_XDS: "false" # 1.23 behavioral changes ENABLE_DELIMITED_STATS_TAG_REGEX: "false" + # 1.24 behaviour changes + ENABLE_DEFERRED_STATS_CREATION: "false" + BYPASS_OVERLOAD_MANAGER_FOR_STATIC_LISTENERS: "false" tracing: zipkin: address: zipkin.istio-system:9411 diff --git a/resources/latest/charts/cni/files/profile-compatibility-version-1.22.yaml b/resources/latest/charts/cni/files/profile-compatibility-version-1.22.yaml index 2badb70a5..70d8eb40c 100644 --- a/resources/latest/charts/cni/files/profile-compatibility-version-1.22.yaml +++ b/resources/latest/charts/cni/files/profile-compatibility-version-1.22.yaml @@ -11,6 +11,8 @@ pilot: ENABLE_INBOUND_RETRY_POLICY: "false" EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false" PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false" + ENABLE_ENHANCED_DESTINATIONRULE_MERGE: "false" + PILOT_UNIFIED_SIDECAR_SCOPE: "false" meshConfig: defaultConfig: @@ -19,3 +21,6 @@ meshConfig: ENABLE_DEFERRED_CLUSTER_CREATION: "false" # 1.23 behavioral changes ENABLE_DELIMITED_STATS_TAG_REGEX: "false" + # 1.24 behaviour changes + ENABLE_DEFERRED_STATS_CREATION: "false" + BYPASS_OVERLOAD_MANAGER_FOR_STATIC_LISTENERS: "false" 
diff --git a/resources/latest/charts/cni/files/profile-compatibility-version-1.23.yaml b/resources/latest/charts/cni/files/profile-compatibility-version-1.23.yaml index f855500b0..636bb6f15 100644 --- a/resources/latest/charts/cni/files/profile-compatibility-version-1.23.yaml +++ b/resources/latest/charts/cni/files/profile-compatibility-version-1.23.yaml @@ -7,4 +7,13 @@ pilot: # 1.24 behavioral changes ENABLE_INBOUND_RETRY_POLICY: "false" EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false" - PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false" \ No newline at end of file + PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false" + ENABLE_ENHANCED_DESTINATIONRULE_MERGE: "false" + PILOT_UNIFIED_SIDECAR_SCOPE: "false" + +meshConfig: + defaultConfig: + proxyMetadata: + # 1.24 behaviour changes + ENABLE_DEFERRED_STATS_CREATION: "false" + BYPASS_OVERLOAD_MANAGER_FOR_STATIC_LISTENERS: "false" diff --git a/resources/latest/charts/cni/files/profile-openshift-ambient.yaml b/resources/latest/charts/cni/files/profile-openshift-ambient.yaml deleted file mode 100644 index 444665932..000000000 --- a/resources/latest/charts/cni/files/profile-openshift-ambient.yaml +++ /dev/null @@ -1,28 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -meshConfig: - defaultConfig: - proxyMetadata: - ISTIO_META_ENABLE_HBONE: "true" -global: - platform: openshift - variant: distroless - seLinuxOptions: - type: spc_t -cni: - ambient: - enabled: true - cniBinDir: /var/lib/cni/bin - cniConfDir: /etc/cni/multus/net.d - chained: false - cniConfFileName: "istio-cni.conf" - logLevel: info - provider: "multus" -pilot: - cni: - enabled: true - provider: "multus" - env: - PILOT_ENABLE_AMBIENT: "true" \ No newline at end of file 
diff --git a/resources/latest/charts/cni/files/profile-platform-k3d.yaml b/resources/latest/charts/cni/files/profile-platform-k3d.yaml new file mode 100644 index 000000000..cd86d9ec5 --- /dev/null +++ b/resources/latest/charts/cni/files/profile-platform-k3d.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d + cniBinDir: /bin diff --git a/resources/latest/charts/cni/files/profile-platform-k3s.yaml b/resources/latest/charts/cni/files/profile-platform-k3s.yaml new file mode 100644 index 000000000..f3f2884aa --- /dev/null +++ b/resources/latest/charts/cni/files/profile-platform-k3s.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d + cniBinDir: /var/lib/rancher/k3s/data/current/bin/ diff --git a/resources/latest/charts/cni/files/profile-platform-microk8s.yaml b/resources/latest/charts/cni/files/profile-platform-microk8s.yaml new file mode 100644 index 000000000..57d7f5e3c --- /dev/null +++ b/resources/latest/charts/cni/files/profile-platform-microk8s.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/snap/microk8s/current/args/cni-network + cniBinDir: /var/snap/microk8s/current/opt/cni/bin 
diff --git a/resources/latest/charts/cni/files/profile-platform-minikube.yaml b/resources/latest/charts/cni/files/profile-platform-minikube.yaml new file mode 100644 index 000000000..fa9992e20 --- /dev/null +++ b/resources/latest/charts/cni/files/profile-platform-minikube.yaml @@ -0,0 +1,6 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniNetnsDir: /var/run/docker/netns diff --git a/resources/latest/charts/base/files/profile-openshift.yaml b/resources/latest/charts/cni/files/profile-platform-openshift.yaml similarity index 84% rename from resources/latest/charts/base/files/profile-openshift.yaml rename to resources/latest/charts/cni/files/profile-platform-openshift.yaml index 38357bd99..69eda2b1d 100644 --- a/resources/latest/charts/base/files/profile-openshift.yaml +++ b/resources/latest/charts/cni/files/profile-platform-openshift.yaml @@ -3,18 +3,15 @@ # If you want to make a change in this file, edit the original one and run "make gen". # The OpenShift profile provides a basic set of settings to run Istio on OpenShift -# CNI must be installed. cni: cniBinDir: /var/lib/cni/bin cniConfDir: /etc/cni/multus/net.d chained: false cniConfFileName: "istio-cni.conf" - logLevel: info provider: "multus" -global: - platform: openshift pilot: cni: enabled: true provider: "multus" -platform: openshift \ No newline at end of file +seLinuxOptions: + type: spc_t diff --git a/resources/latest/charts/cni/templates/clusterrole.yaml b/resources/latest/charts/cni/templates/clusterrole.yaml index a1640c5d4..30f159603 100644 --- a/resources/latest/charts/cni/templates/clusterrole.yaml +++ b/resources/latest/charts/cni/templates/clusterrole.yaml 
@@ -18,7 +18,7 @@ rules: - apiGroups: [""] resources: ["pods","nodes","namespaces"] verbs: ["get", "list", "watch"] -{{- if (eq .Values.platform "openshift") }} +{{- if (eq (coalesce .Values.platform .Values.global.platform) "openshift") }} - apiGroups: ["security.openshift.io"] resources: ["securitycontextconstraints"] resourceNames: ["privileged"] diff --git a/resources/latest/charts/cni/templates/daemonset.yaml b/resources/latest/charts/cni/templates/daemonset.yaml index fad5c3287..2ce4a0665 100644 --- a/resources/latest/charts/cni/templates/daemonset.yaml +++ b/resources/latest/charts/cni/templates/daemonset.yaml @@ -82,7 +82,6 @@ spec: {{- end }} ports: - containerPort: 15014 - hostPort: 15014 name: metrics protocol: TCP readinessProbe: diff --git a/resources/latest/charts/cni/templates/zzz_profile.yaml b/resources/latest/charts/cni/templates/zzz_profile.yaml index b96dcafcb..4eea73812 100644 --- a/resources/latest/charts/cni/templates/zzz_profile.yaml +++ b/resources/latest/charts/cni/templates/zzz_profile.yaml @@ -33,6 +33,13 @@ Finally, we can set all of that under .Values so the chart behaves without aware {{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }} {{- end }} {{- end }} +{{- if $globals.platform }} +{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" $globals.platform) }} +{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown platform" $globals.platform) }} +{{- end }} +{{- end }} {{- if $profile }} {{- $a := mustMergeOverwrite $defaults $profile }} {{- end }} diff --git a/resources/latest/charts/cni/values.yaml b/resources/latest/charts/cni/values.yaml index ff80bed0a..3fdef82fe 100644 --- a/resources/latest/charts/cni/values.yaml +++ b/resources/latest/charts/cni/values.yaml 
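Review bot: Removing `hostPort: 15014` from the metrics port of the CNI DaemonSet (daemonset.yaml) is a welcome reduction of node-level exposure, but it is also a breaking change for any scrape configuration that reaches the agent at `<node-ip>:15014` instead of the pod IP, and nothing visible in this diff documents the migration. A one-line note next to the port, such as `# metrics are exposed on the pod IP only; scrape via the pod address, not the node`, would save operators a silent loss of CNI metrics. The container spec continues outside the hunk, so I cannot see whether another hostPort remains elsewhere in the template.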
@@ -112,7 +112,7 @@ defaults: hub: gcr.io/istio-testing # Default tag for Istio images. - tag: 1.24-alpha.b28bdd77da4c7f0f4f3631db514f1c4f79a90289 + tag: 1.24-alpha.fe2a04689d3b7abf7630dc5646bf825e0c0592fe # Variant of the image to use. # Currently supported are: [debug, distroless] diff --git a/resources/latest/charts/gateway/Chart.yaml b/resources/latest/charts/gateway/Chart.yaml index 344196f94..aad800d17 100644 --- a/resources/latest/charts/gateway/Chart.yaml +++ b/resources/latest/charts/gateway/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 1.24-alpha.b28bdd77da4c7f0f4f3631db514f1c4f79a90289 +appVersion: 1.24-alpha.fe2a04689d3b7abf7630dc5646bf825e0c0592fe description: Helm chart for deploying Istio gateways icon: https://istio.io/latest/favicons/android-192x192.png keywords: @@ -9,4 +9,4 @@ name: gateway sources: - https://github.com/istio/istio type: application -version: 1.24-alpha.b28bdd77da4c7f0f4f3631db514f1c4f79a90289 +version: 1.24-alpha.fe2a04689d3b7abf7630dc5646bf825e0c0592fe diff --git a/resources/latest/charts/gateway/files/profile-compatibility-version-1.21.yaml b/resources/latest/charts/gateway/files/profile-compatibility-version-1.21.yaml index 2b72bd93c..c8da4d2e1 100644 --- a/resources/latest/charts/gateway/files/profile-compatibility-version-1.21.yaml +++ b/resources/latest/charts/gateway/files/profile-compatibility-version-1.21.yaml @@ -15,6 +15,8 @@ pilot: ENABLE_INBOUND_RETRY_POLICY: "false" EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false" PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false" + ENABLE_ENHANCED_DESTINATIONRULE_MERGE: "false" + PILOT_UNIFIED_SIDECAR_SCOPE: "false" meshConfig: # 1.22 behavioral changes @@ -23,6 +25,9 @@ meshConfig: ISTIO_DELTA_XDS: "false" # 1.23 behavioral changes ENABLE_DELIMITED_STATS_TAG_REGEX: "false" + # 1.24 behaviour changes + ENABLE_DEFERRED_STATS_CREATION: "false" + BYPASS_OVERLOAD_MANAGER_FOR_STATIC_LISTENERS: "false" tracing: zipkin: address: zipkin.istio-system:9411 
diff --git a/resources/latest/charts/gateway/files/profile-compatibility-version-1.22.yaml b/resources/latest/charts/gateway/files/profile-compatibility-version-1.22.yaml index 2badb70a5..70d8eb40c 100644 --- a/resources/latest/charts/gateway/files/profile-compatibility-version-1.22.yaml +++ b/resources/latest/charts/gateway/files/profile-compatibility-version-1.22.yaml @@ -11,6 +11,8 @@ pilot: ENABLE_INBOUND_RETRY_POLICY: "false" EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false" PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false" + ENABLE_ENHANCED_DESTINATIONRULE_MERGE: "false" + PILOT_UNIFIED_SIDECAR_SCOPE: "false" meshConfig: defaultConfig: @@ -19,3 +21,6 @@ meshConfig: ENABLE_DEFERRED_CLUSTER_CREATION: "false" # 1.23 behavioral changes ENABLE_DELIMITED_STATS_TAG_REGEX: "false" + # 1.24 behaviour changes + ENABLE_DEFERRED_STATS_CREATION: "false" + BYPASS_OVERLOAD_MANAGER_FOR_STATIC_LISTENERS: "false" diff --git a/resources/latest/charts/gateway/files/profile-compatibility-version-1.23.yaml b/resources/latest/charts/gateway/files/profile-compatibility-version-1.23.yaml index f855500b0..636bb6f15 100644 --- a/resources/latest/charts/gateway/files/profile-compatibility-version-1.23.yaml +++ b/resources/latest/charts/gateway/files/profile-compatibility-version-1.23.yaml @@ -7,4 +7,13 @@ pilot: # 1.24 behavioral changes ENABLE_INBOUND_RETRY_POLICY: "false" EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false" - PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false" \ No newline at end of file + PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false" + ENABLE_ENHANCED_DESTINATIONRULE_MERGE: "false" + PILOT_UNIFIED_SIDECAR_SCOPE: "false" + +meshConfig: + defaultConfig: + proxyMetadata: + # 1.24 behaviour changes + ENABLE_DEFERRED_STATS_CREATION: "false" + BYPASS_OVERLOAD_MANAGER_FOR_STATIC_LISTENERS: "false" 
diff --git a/resources/latest/charts/gateway/files/profile-openshift-ambient.yaml b/resources/latest/charts/gateway/files/profile-openshift-ambient.yaml deleted file mode 100644 index 444665932..000000000 --- a/resources/latest/charts/gateway/files/profile-openshift-ambient.yaml +++ /dev/null @@ -1,28 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -meshConfig: - defaultConfig: - proxyMetadata: - ISTIO_META_ENABLE_HBONE: "true" -global: - platform: openshift - variant: distroless - seLinuxOptions: - type: spc_t -cni: - ambient: - enabled: true - cniBinDir: /var/lib/cni/bin - cniConfDir: /etc/cni/multus/net.d - chained: false - cniConfFileName: "istio-cni.conf" - logLevel: info - provider: "multus" -pilot: - cni: - enabled: true - provider: "multus" - env: - PILOT_ENABLE_AMBIENT: "true" \ No newline at end of file diff --git a/resources/latest/charts/gateway/files/profile-platform-k3d.yaml b/resources/latest/charts/gateway/files/profile-platform-k3d.yaml new file mode 100644 index 000000000..cd86d9ec5 --- /dev/null +++ b/resources/latest/charts/gateway/files/profile-platform-k3d.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d + cniBinDir: /bin diff --git a/resources/latest/charts/gateway/files/profile-platform-k3s.yaml b/resources/latest/charts/gateway/files/profile-platform-k3s.yaml new file mode 100644 index 000000000..f3f2884aa --- /dev/null +++ b/resources/latest/charts/gateway/files/profile-platform-k3s.yaml 
@@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d + cniBinDir: /var/lib/rancher/k3s/data/current/bin/ diff --git a/resources/latest/charts/gateway/files/profile-platform-microk8s.yaml b/resources/latest/charts/gateway/files/profile-platform-microk8s.yaml new file mode 100644 index 000000000..57d7f5e3c --- /dev/null +++ b/resources/latest/charts/gateway/files/profile-platform-microk8s.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/snap/microk8s/current/args/cni-network + cniBinDir: /var/snap/microk8s/current/opt/cni/bin diff --git a/resources/latest/charts/gateway/files/profile-platform-minikube.yaml b/resources/latest/charts/gateway/files/profile-platform-minikube.yaml new file mode 100644 index 000000000..fa9992e20 --- /dev/null +++ b/resources/latest/charts/gateway/files/profile-platform-minikube.yaml @@ -0,0 +1,6 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniNetnsDir: /var/run/docker/netns diff --git a/resources/latest/charts/istiod-remote/files/profile-openshift.yaml b/resources/latest/charts/gateway/files/profile-platform-openshift.yaml similarity index 84% rename from resources/latest/charts/istiod-remote/files/profile-openshift.yaml rename to resources/latest/charts/gateway/files/profile-platform-openshift.yaml index 38357bd99..69eda2b1d 100644 
--- a/resources/latest/charts/istiod-remote/files/profile-openshift.yaml +++ b/resources/latest/charts/gateway/files/profile-platform-openshift.yaml @@ -3,18 +3,15 @@ # If you want to make a change in this file, edit the original one and run "make gen". # The OpenShift profile provides a basic set of settings to run Istio on OpenShift -# CNI must be installed. cni: cniBinDir: /var/lib/cni/bin cniConfDir: /etc/cni/multus/net.d chained: false cniConfFileName: "istio-cni.conf" - logLevel: info provider: "multus" -global: - platform: openshift pilot: cni: enabled: true provider: "multus" -platform: openshift \ No newline at end of file +seLinuxOptions: + type: spc_t diff --git a/resources/latest/charts/gateway/templates/deployment.yaml b/resources/latest/charts/gateway/templates/deployment.yaml index 73ecc1a73..e9bfbbd36 100644 --- a/resources/latest/charts/gateway/templates/deployment.yaml +++ b/resources/latest/charts/gateway/templates/deployment.yaml @@ -15,6 +15,13 @@ spec: replicas: {{ . }} {{- end }} {{- end }} + {{- with .Values.strategy }} + strategy: + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.minReadySeconds }} + minReadySeconds: {{ . }} + {{- end }} selector: matchLabels: {{- include "gateway.selectorLabels" . | nindent 6 }} @@ -93,7 +100,11 @@ spec: {{- toYaml .Values.resources | nindent 12 }} {{- with .Values.volumeMounts }} volumeMounts: - {{ toYaml . | nindent 12 }} + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.readinessProbe }} + readinessProbe: + {{- toYaml . | nindent 12 }} {{- end }} {{- with .Values.nodeSelector }} nodeSelector: diff --git a/resources/latest/charts/gateway/templates/zzz_profile.yaml b/resources/latest/charts/gateway/templates/zzz_profile.yaml index b96dcafcb..4eea73812 100644 --- a/resources/latest/charts/gateway/templates/zzz_profile.yaml +++ b/resources/latest/charts/gateway/templates/zzz_profile.yaml 
@@ -33,6 +33,13 @@ Finally, we can set all of that under .Values so the chart behaves without aware {{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }} {{- end }} {{- end }} +{{- if $globals.platform }} +{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" $globals.platform) }} +{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown platform" $globals.platform) }} +{{- end }} +{{- end }} {{- if $profile }} {{- $a := mustMergeOverwrite $defaults $profile }} {{- end }} diff --git a/resources/latest/charts/gateway/values.schema.json b/resources/latest/charts/gateway/values.schema.json index 4c4f0836d..3108259a9 100644 --- a/resources/latest/charts/gateway/values.schema.json +++ b/resources/latest/charts/gateway/values.schema.json @@ -60,6 +60,15 @@ "env": { "type": "object" }, + "strategy": { + "type": "object" + }, + "minReadySeconds": { + "type": [ "null", "integer" ] + }, + "readinessProbe": { + "type": [ "null", "object" ] + }, "labels": { "type": "object" }, diff --git a/resources/latest/charts/gateway/values.yaml b/resources/latest/charts/gateway/values.yaml index 72205b4a1..466b9d21c 100644 --- a/resources/latest/charts/gateway/values.yaml +++ b/resources/latest/charts/gateway/values.yaml @@ -84,6 +84,17 @@ defaults: # Pod environment variables env: {} + # Deployment Update strategy + strategy: {} + + # Sets the Deployment minReadySeconds value + minReadySeconds: + + # Optionally configure a custom readinessProbe. By default the control plane + # automatically injects the readinessProbe. If you wish to override that + # behavior, you may define your own readinessProbe here. + readinessProbe: {} + # Labels to apply to all resources labels: {} @@ -137,6 +148,7 @@ defaults: # podDisruptionBudget: {} + # Sets the per-pod terminationGracePeriodSeconds setting. terminationGracePeriodSeconds: 30 # A list of `Volumes` added into the Gateway Pods. See 
diff --git a/resources/latest/charts/istiod-remote/Chart.yaml b/resources/latest/charts/istiod-remote/Chart.yaml index 1f72b8275..6957bd426 100644 --- a/resources/latest/charts/istiod-remote/Chart.yaml +++ b/resources/latest/charts/istiod-remote/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 1.24-alpha.b28bdd77da4c7f0f4f3631db514f1c4f79a90289 +appVersion: 1.24-alpha.fe2a04689d3b7abf7630dc5646bf825e0c0592fe description: Helm chart for a remote cluster using an external istio control plane icon: https://istio.io/latest/favicons/android-192x192.png keywords: @@ -8,4 +8,4 @@ keywords: name: istiod-remote sources: - https://github.com/istio/istio -version: 1.24-alpha.b28bdd77da4c7f0f4f3631db514f1c4f79a90289 +version: 1.24-alpha.fe2a04689d3b7abf7630dc5646bf825e0c0592fe diff --git a/resources/latest/charts/istiod-remote/files/injection-template.yaml b/resources/latest/charts/istiod-remote/files/injection-template.yaml index 63bc0e734..f41122f9b 100644 --- a/resources/latest/charts/istiod-remote/files/injection-template.yaml +++ b/resources/latest/charts/istiod-remote/files/injection-template.yaml @@ -125,6 +125,8 @@ spec: {{ if .Values.pilot.cni.enabled -}} - "--run-validation" - "--skip-rule-apply" + {{ else if .Values.global.proxy_init.forceApplyIptables -}} + - "--force-apply" {{ end -}} {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} {{- if .ProxyConfig.ProxyMetadata }} diff --git a/resources/latest/charts/istiod-remote/files/profile-compatibility-version-1.21.yaml b/resources/latest/charts/istiod-remote/files/profile-compatibility-version-1.21.yaml index 2b72bd93c..c8da4d2e1 100644 --- a/resources/latest/charts/istiod-remote/files/profile-compatibility-version-1.21.yaml +++ b/resources/latest/charts/istiod-remote/files/profile-compatibility-version-1.21.yaml 
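Review bot: The new `else if` branch in injection-template.yaml reads `.Values.global.proxy_init.forceApplyIptables` with no `default` or `with` guard, so if `global.proxy_init` can ever be absent or overridden to null, rendering of every injected pod fails on this line rather than falling through; whether the chart's values guarantee the key is not visible here. A tolerant form is `{{ else if (dig "proxy_init" "forceApplyIptables" false .Values.global) -}}`. Since the flag changes how istio-init programs iptables, the values entry that enables it deserves a comment stating what `--force-apply` does and when it is safe to set; the enclosing `if .Values.pilot.cni.enabled` block begins before the hunk.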
@@ -15,6 +15,8 @@ pilot: ENABLE_INBOUND_RETRY_POLICY: "false" EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false" PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false" + ENABLE_ENHANCED_DESTINATIONRULE_MERGE: "false" + PILOT_UNIFIED_SIDECAR_SCOPE: "false" meshConfig: # 1.22 behavioral changes @@ -23,6 +25,9 @@ meshConfig: ISTIO_DELTA_XDS: "false" # 1.23 behavioral changes ENABLE_DELIMITED_STATS_TAG_REGEX: "false" + # 1.24 behaviour changes + ENABLE_DEFERRED_STATS_CREATION: "false" + BYPASS_OVERLOAD_MANAGER_FOR_STATIC_LISTENERS: "false" tracing: zipkin: address: zipkin.istio-system:9411 diff --git a/resources/latest/charts/istiod-remote/files/profile-compatibility-version-1.22.yaml b/resources/latest/charts/istiod-remote/files/profile-compatibility-version-1.22.yaml index 2badb70a5..70d8eb40c 100644 --- a/resources/latest/charts/istiod-remote/files/profile-compatibility-version-1.22.yaml +++ b/resources/latest/charts/istiod-remote/files/profile-compatibility-version-1.22.yaml @@ -11,6 +11,8 @@ pilot: ENABLE_INBOUND_RETRY_POLICY: "false" EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false" PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false" + ENABLE_ENHANCED_DESTINATIONRULE_MERGE: "false" + PILOT_UNIFIED_SIDECAR_SCOPE: "false" meshConfig: defaultConfig: @@ -19,3 +21,6 @@ meshConfig: ENABLE_DEFERRED_CLUSTER_CREATION: "false" # 1.23 behavioral changes ENABLE_DELIMITED_STATS_TAG_REGEX: "false" + # 1.24 behaviour changes + ENABLE_DEFERRED_STATS_CREATION: "false" + BYPASS_OVERLOAD_MANAGER_FOR_STATIC_LISTENERS: "false" diff --git a/resources/latest/charts/istiod-remote/files/profile-compatibility-version-1.23.yaml b/resources/latest/charts/istiod-remote/files/profile-compatibility-version-1.23.yaml index f855500b0..636bb6f15 100644 --- a/resources/latest/charts/istiod-remote/files/profile-compatibility-version-1.23.yaml +++ b/resources/latest/charts/istiod-remote/files/profile-compatibility-version-1.23.yaml 
@@ -7,4 +7,13 @@ pilot: # 1.24 behavioral changes ENABLE_INBOUND_RETRY_POLICY: "false" EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false" - PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false" \ No newline at end of file + PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false" + ENABLE_ENHANCED_DESTINATIONRULE_MERGE: "false" + PILOT_UNIFIED_SIDECAR_SCOPE: "false" + +meshConfig: + defaultConfig: + proxyMetadata: + # 1.24 behaviour changes + ENABLE_DEFERRED_STATS_CREATION: "false" + BYPASS_OVERLOAD_MANAGER_FOR_STATIC_LISTENERS: "false" diff --git a/resources/latest/charts/istiod-remote/files/profile-openshift-ambient.yaml b/resources/latest/charts/istiod-remote/files/profile-openshift-ambient.yaml deleted file mode 100644 index 444665932..000000000 --- a/resources/latest/charts/istiod-remote/files/profile-openshift-ambient.yaml +++ /dev/null @@ -1,28 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -meshConfig: - defaultConfig: - proxyMetadata: - ISTIO_META_ENABLE_HBONE: "true" -global: - platform: openshift - variant: distroless - seLinuxOptions: - type: spc_t -cni: - ambient: - enabled: true - cniBinDir: /var/lib/cni/bin - cniConfDir: /etc/cni/multus/net.d - chained: false - cniConfFileName: "istio-cni.conf" - logLevel: info - provider: "multus" -pilot: - cni: - enabled: true - provider: "multus" - env: - PILOT_ENABLE_AMBIENT: "true" \ No newline at end of file diff --git a/resources/latest/charts/istiod-remote/files/profile-platform-k3d.yaml b/resources/latest/charts/istiod-remote/files/profile-platform-k3d.yaml new file mode 100644 index 000000000..cd86d9ec5 --- /dev/null +++ b/resources/latest/charts/istiod-remote/files/profile-platform-k3d.yaml 
@@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d + cniBinDir: /bin diff --git a/resources/latest/charts/istiod-remote/files/profile-platform-k3s.yaml b/resources/latest/charts/istiod-remote/files/profile-platform-k3s.yaml new file mode 100644 index 000000000..f3f2884aa --- /dev/null +++ b/resources/latest/charts/istiod-remote/files/profile-platform-k3s.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d + cniBinDir: /var/lib/rancher/k3s/data/current/bin/ diff --git a/resources/latest/charts/istiod-remote/files/profile-platform-microk8s.yaml b/resources/latest/charts/istiod-remote/files/profile-platform-microk8s.yaml new file mode 100644 index 000000000..57d7f5e3c --- /dev/null +++ b/resources/latest/charts/istiod-remote/files/profile-platform-microk8s.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/snap/microk8s/current/args/cni-network + cniBinDir: /var/snap/microk8s/current/opt/cni/bin diff --git a/resources/latest/charts/istiod-remote/files/profile-platform-minikube.yaml b/resources/latest/charts/istiod-remote/files/profile-platform-minikube.yaml new file mode 100644 index 000000000..fa9992e20 --- /dev/null +++ b/resources/latest/charts/istiod-remote/files/profile-platform-minikube.yaml 
@@ -0,0 +1,6 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniNetnsDir: /var/run/docker/netns diff --git a/resources/latest/charts/cni/files/profile-openshift.yaml b/resources/latest/charts/istiod-remote/files/profile-platform-openshift.yaml similarity index 84% rename from resources/latest/charts/cni/files/profile-openshift.yaml rename to resources/latest/charts/istiod-remote/files/profile-platform-openshift.yaml index 38357bd99..69eda2b1d 100644 --- a/resources/latest/charts/cni/files/profile-openshift.yaml +++ b/resources/latest/charts/istiod-remote/files/profile-platform-openshift.yaml @@ -3,18 +3,15 @@ # If you want to make a change in this file, edit the original one and run "make gen". # The OpenShift profile provides a basic set of settings to run Istio on OpenShift -# CNI must be installed. cni: cniBinDir: /var/lib/cni/bin cniConfDir: /etc/cni/multus/net.d chained: false cniConfFileName: "istio-cni.conf" - logLevel: info provider: "multus" -global: - platform: openshift pilot: cni: enabled: true provider: "multus" -platform: openshift \ No newline at end of file +seLinuxOptions: + type: spc_t diff --git a/resources/latest/charts/istiod-remote/templates/clusterrole.yaml b/resources/latest/charts/istiod-remote/templates/clusterrole.yaml index b2eeb92cc..8c25cbf72 100644 --- a/resources/latest/charts/istiod-remote/templates/clusterrole.yaml +++ b/resources/latest/charts/istiod-remote/templates/clusterrole.yaml 
@@ -28,25 +28,35 @@ rules: resources: ["*"] {{- if .Values.global.istiod.enableAnalysis }} - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io", "extensions.istio.io"] - verbs: ["update"] - # TODO: should be on just */status but wildcard is not supported - resources: ["*"] - - # Needed because status reporter sets the config map owner reference to the istiod pod - - apiGroups: [""] - verbs: ["update"] - resources: ["pods/finalizers"] + verbs: ["update", "patch"] + resources: + - authorizationpolicies/status + - destinationrules/status + - envoyfilters/status + - gateways/status + - peerauthentications/status + - proxyconfigs/status + - requestauthentications/status + - serviceentries/status + - sidecars/status + - telemetries/status + - virtualservices/status + - wasmplugins/status + - workloadentries/status + - workloadgroups/status {{- end }} - apiGroups: ["networking.istio.io"] verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] resources: [ "workloadentries" ] - apiGroups: ["networking.istio.io"] verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "workloadentries/status" ] - - - apiGroups: ["networking.istio.io"] - verbs: [ "get", "watch", "list", "update", "patch" ] - resources: [ "serviceentries/status" ] + resources: [ "workloadentries/status", "serviceentries/status" ] + - apiGroups: ["security.istio.io"] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "authorizationpolicies/status" ] + - apiGroups: [""] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "services/status" ] # auto-detect installed CRD definitions - apiGroups: ["apiextensions.k8s.io"] 
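Review bot: The RBAC hunk in istiod-remote's clusterrole.yaml widens two status grants beyond what the old rules allowed: `serviceentries/status` previously had `get, watch, list, update, patch` and now, merged into the `workloadentries/status` rule, also gets `create` and `delete`, and the new `authorizationpolicies/status` and core-group `services/status` rules copy the same full verb list. Status subresources are written with `update`/`patch`, and `create`/`delete` on them are never needed, so the narrower set `verbs: [ "get", "watch", "list", "update", "patch" ]` on those three rules keeps the remote istiod at least privilege, which matters for a ClusterRole. The narrowing of the `enableAnalysis` block from `resources: ["*"]` to explicit `*/status` entries in the same hunk is the right direction. The `rules:` list begins before the hunk, and the file is a copy of the upstream Istio chart, so the correction should be made upstream and regenerated.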
@@ -118,11 +128,20 @@ rules:
 verbs: ["create"]
 
 # Use for Kubernetes Service APIs
- - apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"]
+ - apiGroups: ["gateway.networking.k8s.io"]
 resources: ["*"]
 verbs: ["get", "watch", "list"]
- - apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"]
- resources: ["*"] # TODO: should be on just */status but wildcard is not supported
+ - apiGroups: ["gateway.networking.k8s.io"]
+ resources:
+ - backendtlspolicies/status
+ - gatewayclasses/status
+ - gateways/status
+ - grpcroutes/status
+ - httproutes/status
+ - referencegrants/status
+ - tcproutes/status
+ - tlsroutes/status
+ - udproutes/status
 verbs: ["update", "patch"]
 - apiGroups: ["gateway.networking.k8s.io"]
 resources: ["gatewayclasses"]
diff --git a/resources/latest/charts/istiod-remote/templates/endpoints.yaml b/resources/latest/charts/istiod-remote/templates/endpoints.yaml
index 1cc26dd78..1190dfa9b 100644
--- a/resources/latest/charts/istiod-remote/templates/endpoints.yaml
+++ b/resources/latest/charts/istiod-remote/templates/endpoints.yaml
@@ -3,7 +3,7 @@
 apiVersion: v1
 kind: Endpoints
 metadata:
- {{- if .Values.pilot.enabled }}
+ {{- if .Values.enabled }}
 name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }}-remote
 {{- else }}
 name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }}
diff --git a/resources/latest/charts/istiod-remote/templates/mutatingwebhook.yaml b/resources/latest/charts/istiod-remote/templates/mutatingwebhook.yaml
index 5b7e734e4..fae4ed87a 100644
--- a/resources/latest/charts/istiod-remote/templates/mutatingwebhook.yaml
+++ b/resources/latest/charts/istiod-remote/templates/mutatingwebhook.yaml
@@ -50,7 +50,7 @@ metadata:
 operator.istio.io/component: "Pilot"
 app: sidecar-injector
 release: {{ .Release.Name }}
- app.kubernetes.io/name: "sidecar-injector"
+ app.kubernetes.io/name: "istiod"
 {{- include "istio.labels" . | nindent 4 }}
 webhooks:
 {{- /* Set up the selectors. First section is for revision, rest is for "default" revision */}}
diff --git a/resources/latest/charts/istiod-remote/templates/services.yaml b/resources/latest/charts/istiod-remote/templates/services.yaml
index 4290f2848..fe9b701aa 100644
--- a/resources/latest/charts/istiod-remote/templates/services.yaml
+++ b/resources/latest/charts/istiod-remote/templates/services.yaml
@@ -2,7 +2,7 @@
 apiVersion: v1
 kind: Service
 metadata:
- {{- if .Values.pilot.enabled }}
+ {{- if .Values.enabled }}
 # when local istiod is enabled, we can't use istiod service name to reach the remote control plane
 name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }}-remote
 {{- else }}
diff --git a/resources/latest/charts/istiod-remote/templates/zzz_profile.yaml b/resources/latest/charts/istiod-remote/templates/zzz_profile.yaml
index b96dcafcb..4eea73812 100644
--- a/resources/latest/charts/istiod-remote/templates/zzz_profile.yaml
+++ b/resources/latest/charts/istiod-remote/templates/zzz_profile.yaml
@@ -33,6 +33,13 @@ Finally, we can set all of that under .Values so the chart behaves without aware
 {{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }}
 {{- end }}
 {{- end }}
+{{- if $globals.platform }}
+{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" $globals.platform) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown platform" $globals.platform) }}
+{{- end }}
+{{- end }}
 {{- if $profile }}
 {{- $a := mustMergeOverwrite $defaults $profile }}
 {{- end }}
diff --git a/resources/latest/charts/istiod-remote/values.yaml b/resources/latest/charts/istiod-remote/values.yaml
index 3d511673d..54c4ee7a8 100644
--- a/resources/latest/charts/istiod-remote/values.yaml
+++ b/resources/latest/charts/istiod-remote/values.yaml
@@ -47,6 +47,8 @@ defaults:
 volumeMounts: []
 # Additional volumes to the istiod pod
 volumes: []
+ # Inject initContainers into the istiod pod
+ initContainers: []
 nodeSelector: {}
 podAnnotations: {}
 serviceAnnotations: {}
@@ -197,7 +199,7 @@ defaults:
 # Dev builds from prow are on gcr.io
 hub: gcr.io/istio-testing
 # Default tag for Istio images.
- tag: 1.24-alpha.b28bdd77da4c7f0f4f3631db514f1c4f79a90289
+ tag: 1.24-alpha.fe2a04689d3b7abf7630dc5646bf825e0c0592fe
 # Variant of the image to use.
 # Currently supported are: [debug, distroless]
 variant: ""
@@ -315,6 +317,9 @@ defaults:
 proxy_init:
 # Base name for the proxy_init container, used to configure iptables.
 image: proxyv2
+ # Bypasses iptables idempotency handling, and attempts to apply iptables rules regardless of table state, which may cause unrecoverable failures.
+ # Do not use unless you need to work around an issue of the idempotency handling. This flag will be removed in future releases.
+ forceApplyIptables: false
 # configure remote pilot and istiod service and endpoint
 remotePilotAddress: ""
 ##############################################################################################
@@ -428,6 +433,14 @@ defaults:
 limits:
 cpu: "2"
 memory: 1Gi
+ # If specified, affinity defines the scheduling constraints of waypoint pods.
+ affinity: {}
+ # Topology Spread Constraints for the waypoint proxy.
+ topologySpreadConstraints: []
+ # Node labels for the waypoint proxy.
+ nodeSelector: {}
+ # Tolerations for the waypoint proxy.
+ tolerations: []
 base:
 # For istioctl usage to disable istio config crds in base
 enableIstioConfigCRDs: true
diff --git a/resources/latest/charts/istiod/Chart.yaml b/resources/latest/charts/istiod/Chart.yaml
index 5dfee6540..e4e4b0de8 100644
--- a/resources/latest/charts/istiod/Chart.yaml
+++ b/resources/latest/charts/istiod/Chart.yaml
@@ -1,5 +1,5 @@
 apiVersion: v2
-appVersion: 1.24-alpha.b28bdd77da4c7f0f4f3631db514f1c4f79a90289
+appVersion: 1.24-alpha.fe2a04689d3b7abf7630dc5646bf825e0c0592fe
 description: Helm chart for istio control plane
 icon: https://istio.io/latest/favicons/android-192x192.png
 keywords:
@@ -9,4 +9,4 @@ keywords:
 name: istiod
 sources:
 - https://github.com/istio/istio
-version: 1.24-alpha.b28bdd77da4c7f0f4f3631db514f1c4f79a90289
+version: 1.24-alpha.fe2a04689d3b7abf7630dc5646bf825e0c0592fe
diff --git a/resources/latest/charts/istiod/files/injection-template.yaml b/resources/latest/charts/istiod/files/injection-template.yaml
index 63bc0e734..f41122f9b 100644
--- a/resources/latest/charts/istiod/files/injection-template.yaml
+++ b/resources/latest/charts/istiod/files/injection-template.yaml
@@ -125,6 +125,8 @@ spec:
 {{ if .Values.pilot.cni.enabled -}}
 - "--run-validation"
 - "--skip-rule-apply"
+ {{ else if .Values.global.proxy_init.forceApplyIptables -}}
+ - "--force-apply"
 {{ end -}}
 {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
 {{- if .ProxyConfig.ProxyMetadata }}
diff --git a/resources/latest/charts/istiod/files/profile-compatibility-version-1.21.yaml b/resources/latest/charts/istiod/files/profile-compatibility-version-1.21.yaml
index 2b72bd93c..c8da4d2e1 100644
--- a/resources/latest/charts/istiod/files/profile-compatibility-version-1.21.yaml
+++ b/resources/latest/charts/istiod/files/profile-compatibility-version-1.21.yaml
@@ -15,6 +15,8 @@ pilot:
 ENABLE_INBOUND_RETRY_POLICY: "false"
 EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false"
 PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false"
+ ENABLE_ENHANCED_DESTINATIONRULE_MERGE: "false"
+ PILOT_UNIFIED_SIDECAR_SCOPE: "false"
 
 meshConfig:
 # 1.22 behavioral changes
@@ -23,6 +25,9 @@ meshConfig:
 ISTIO_DELTA_XDS: "false"
 # 1.23 behavioral changes
 ENABLE_DELIMITED_STATS_TAG_REGEX: "false"
+ # 1.24 behaviour changes
+ ENABLE_DEFERRED_STATS_CREATION: "false"
+ BYPASS_OVERLOAD_MANAGER_FOR_STATIC_LISTENERS: "false"
 tracing:
 zipkin:
 address: zipkin.istio-system:9411
diff --git a/resources/latest/charts/istiod/files/profile-compatibility-version-1.22.yaml b/resources/latest/charts/istiod/files/profile-compatibility-version-1.22.yaml
index 2badb70a5..70d8eb40c 100644
--- a/resources/latest/charts/istiod/files/profile-compatibility-version-1.22.yaml
+++ b/resources/latest/charts/istiod/files/profile-compatibility-version-1.22.yaml
@@ -11,6 +11,8 @@ pilot:
 ENABLE_INBOUND_RETRY_POLICY: "false"
 EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false"
 PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false"
+ ENABLE_ENHANCED_DESTINATIONRULE_MERGE: "false"
+ PILOT_UNIFIED_SIDECAR_SCOPE: "false"
 
 meshConfig:
 defaultConfig:
@@ -19,3 +21,6 @@ meshConfig:
 ENABLE_DEFERRED_CLUSTER_CREATION: "false"
 # 1.23 behavioral changes
 ENABLE_DELIMITED_STATS_TAG_REGEX: "false"
+ # 1.24 behaviour changes
+ ENABLE_DEFERRED_STATS_CREATION: "false"
+ BYPASS_OVERLOAD_MANAGER_FOR_STATIC_LISTENERS: "false"
diff --git a/resources/latest/charts/istiod/files/profile-compatibility-version-1.23.yaml b/resources/latest/charts/istiod/files/profile-compatibility-version-1.23.yaml
index f855500b0..636bb6f15 100644
--- a/resources/latest/charts/istiod/files/profile-compatibility-version-1.23.yaml
+++ b/resources/latest/charts/istiod/files/profile-compatibility-version-1.23.yaml
@@ -7,4 +7,13 @@ pilot:
 # 1.24 behavioral changes
 ENABLE_INBOUND_RETRY_POLICY: "false"
 EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false"
- PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false"
\ No newline at end of file
+ PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false"
+ ENABLE_ENHANCED_DESTINATIONRULE_MERGE: "false"
+ PILOT_UNIFIED_SIDECAR_SCOPE: "false"
+
+meshConfig:
+ defaultConfig:
+ proxyMetadata:
+ # 1.24 behaviour changes
+ ENABLE_DEFERRED_STATS_CREATION: "false"
+ BYPASS_OVERLOAD_MANAGER_FOR_STATIC_LISTENERS: "false"
diff --git a/resources/latest/charts/istiod/files/profile-openshift-ambient.yaml b/resources/latest/charts/istiod/files/profile-openshift-ambient.yaml
deleted file mode 100644
index 444665932..000000000
--- a/resources/latest/charts/istiod/files/profile-openshift-ambient.yaml
+++ /dev/null
@@ -1,28 +0,0 @@
-# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
-# The original version of this file is located at /manifests/helm-profiles directory.
-# If you want to make a change in this file, edit the original one and run "make gen".
-
-meshConfig:
- defaultConfig:
- proxyMetadata:
- ISTIO_META_ENABLE_HBONE: "true"
-global:
- platform: openshift
- variant: distroless
- seLinuxOptions:
- type: spc_t
-cni:
- ambient:
- enabled: true
- cniBinDir: /var/lib/cni/bin
- cniConfDir: /etc/cni/multus/net.d
- chained: false
- cniConfFileName: "istio-cni.conf"
- logLevel: info
- provider: "multus"
-pilot:
- cni:
- enabled: true
- provider: "multus"
- env:
- PILOT_ENABLE_AMBIENT: "true"
\ No newline at end of file
diff --git a/resources/latest/charts/istiod/files/profile-openshift.yaml b/resources/latest/charts/istiod/files/profile-openshift.yaml
deleted file mode 100644
index 38357bd99..000000000
--- a/resources/latest/charts/istiod/files/profile-openshift.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
-# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
-# The original version of this file is located at /manifests/helm-profiles directory.
-# If you want to make a change in this file, edit the original one and run "make gen".
-
-# The OpenShift profile provides a basic set of settings to run Istio on OpenShift
-# CNI must be installed.
-cni:
- cniBinDir: /var/lib/cni/bin
- cniConfDir: /etc/cni/multus/net.d
- chained: false
- cniConfFileName: "istio-cni.conf"
- logLevel: info
- provider: "multus"
-global:
- platform: openshift
-pilot:
- cni:
- enabled: true
- provider: "multus"
-platform: openshift
\ No newline at end of file
diff --git a/resources/latest/charts/istiod/files/profile-platform-k3d.yaml b/resources/latest/charts/istiod/files/profile-platform-k3d.yaml
new file mode 100644
index 000000000..cd86d9ec5
--- /dev/null
+++ b/resources/latest/charts/istiod/files/profile-platform-k3d.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+ cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+ cniBinDir: /bin
diff --git a/resources/latest/charts/istiod/files/profile-platform-k3s.yaml b/resources/latest/charts/istiod/files/profile-platform-k3s.yaml
new file mode 100644
index 000000000..f3f2884aa
--- /dev/null
+++ b/resources/latest/charts/istiod/files/profile-platform-k3s.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+ cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+ cniBinDir: /var/lib/rancher/k3s/data/current/bin/
diff --git a/resources/latest/charts/istiod/files/profile-platform-microk8s.yaml b/resources/latest/charts/istiod/files/profile-platform-microk8s.yaml
new file mode 100644
index 000000000..57d7f5e3c
--- /dev/null
+++ b/resources/latest/charts/istiod/files/profile-platform-microk8s.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+ cniConfDir: /var/snap/microk8s/current/args/cni-network
+ cniBinDir: /var/snap/microk8s/current/opt/cni/bin
diff --git a/resources/latest/charts/istiod/files/profile-platform-minikube.yaml b/resources/latest/charts/istiod/files/profile-platform-minikube.yaml
new file mode 100644
index 000000000..fa9992e20
--- /dev/null
+++ b/resources/latest/charts/istiod/files/profile-platform-minikube.yaml
@@ -0,0 +1,6 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+ cniNetnsDir: /var/run/docker/netns
diff --git a/resources/latest/charts/istiod/files/profile-platform-openshift.yaml b/resources/latest/charts/istiod/files/profile-platform-openshift.yaml
new file mode 100644
index 000000000..69eda2b1d
--- /dev/null
+++ b/resources/latest/charts/istiod/files/profile-platform-openshift.yaml
@@ -0,0 +1,17 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The OpenShift profile provides a basic set of settings to run Istio on OpenShift
+cni:
+ cniBinDir: /var/lib/cni/bin
+ cniConfDir: /etc/cni/multus/net.d
+ chained: false
+ cniConfFileName: "istio-cni.conf"
+ provider: "multus"
+pilot:
+ cni:
+ enabled: true
+ provider: "multus"
+seLinuxOptions:
+ type: spc_t
diff --git a/resources/latest/charts/istiod/files/waypoint.yaml b/resources/latest/charts/istiod/files/waypoint.yaml
index e01409503..ed3d59397 100644
--- a/resources/latest/charts/istiod/files/waypoint.yaml
+++ b/resources/latest/charts/istiod/files/waypoint.yaml
@@ -68,6 +68,22 @@ spec:
 "gateway.istio.io/managed" "istio.io-mesh-controller"
 ) | nindent 8}}
 spec:
+ {{- if .Values.global.waypoint.affinity }}
+ affinity:
+ {{- toYaml .Values.global.waypoint.affinity | nindent 8 }}
+ {{- end }}
+ {{- if .Values.global.waypoint.topologySpreadConstraints }}
+ topologySpreadConstraints:
+ {{- toYaml .Values.global.waypoint.topologySpreadConstraints | nindent 8 }}
+ {{- end }}
+ {{- if .Values.global.waypoint.nodeSelector }}
+ nodeSelector:
+ {{- toYaml .Values.global.waypoint.nodeSelector | nindent 8 }}
+ {{- end }}
+ {{- if .Values.global.waypoint.tolerations }}
+ tolerations:
+ {{- toYaml .Values.global.waypoint.tolerations | nindent 8 }}
+ {{- end }}
 terminationGracePeriodSeconds: 2
 serviceAccountName: {{.ServiceAccount | quote}}
 containers:
diff --git a/resources/latest/charts/istiod/templates/clusterrole.yaml b/resources/latest/charts/istiod/templates/clusterrole.yaml
index ac86e28b6..fb5dd398a 100644
--- a/resources/latest/charts/istiod/templates/clusterrole.yaml
+++ b/resources/latest/charts/istiod/templates/clusterrole.yaml
@@ -27,25 +27,35 @@ rules:
 resources: ["*"]
 {{- if .Values.global.istiod.enableAnalysis }}
 - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io", "extensions.istio.io"]
- verbs: ["update"]
- # TODO: should be on just */status but wildcard is not supported
- resources: ["*"]
-
- # Needed because status reporter sets the config map owner reference to the istiod pod
- - apiGroups: [""]
- verbs: ["update"]
- resources: ["pods/finalizers"]
+ verbs: ["update", "patch"]
+ resources:
+ - authorizationpolicies/status
+ - destinationrules/status
+ - envoyfilters/status
+ - gateways/status
+ - peerauthentications/status
+ - proxyconfigs/status
+ - requestauthentications/status
+ - serviceentries/status
+ - sidecars/status
+ - telemetries/status
+ - virtualservices/status
+ - wasmplugins/status
+ - workloadentries/status
+ - workloadgroups/status
 {{- end }}
 - apiGroups: ["networking.istio.io"]
 verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
 resources: [ "workloadentries" ]
 - apiGroups: ["networking.istio.io"]
 verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
- resources: [ "workloadentries/status" ]
-
- - apiGroups: ["networking.istio.io"]
- verbs: [ "get", "watch", "list", "update", "patch" ]
- resources: [ "serviceentries/status" ]
+ resources: [ "workloadentries/status", "serviceentries/status" ]
+ - apiGroups: ["security.istio.io"]
+ verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+ resources: [ "authorizationpolicies/status" ]
+ - apiGroups: [""]
+ verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+ resources: [ "services/status" ]
 
 # auto-detect installed CRD definitions
 - apiGroups: ["apiextensions.k8s.io"]
@@ -117,11 +127,20 @@ rules:
 verbs: ["create"]
 
 # Use for Kubernetes Service APIs
- - apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"]
+ - apiGroups: ["gateway.networking.k8s.io"]
 resources: ["*"]
 verbs: ["get", "watch", "list"]
- - apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"]
- resources: ["*"] # TODO: should be on just */status but wildcard is not supported
+ - apiGroups: ["gateway.networking.k8s.io"]
+ resources:
+ - backendtlspolicies/status
+ - gatewayclasses/status
+ - gateways/status
+ - grpcroutes/status
+ - httproutes/status
+ - referencegrants/status
+ - tcproutes/status
+ - tlsroutes/status
+ - udproutes/status
 verbs: ["update", "patch"]
 - apiGroups: ["gateway.networking.k8s.io"]
 resources: ["gatewayclasses"]
diff --git a/resources/latest/charts/istiod/templates/deployment.yaml b/resources/latest/charts/istiod/templates/deployment.yaml
index 3b8ea75d9..987db2a71 100644
--- a/resources/latest/charts/istiod/templates/deployment.yaml
+++ b/resources/latest/charts/istiod/templates/deployment.yaml
@@ -81,6 +81,10 @@ spec:
 serviceAccountName: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
 {{- if .Values.global.priorityClassName }}
 priorityClassName: "{{ .Values.global.priorityClassName }}"
+{{- end }}
+{{- with .Values.initContainers }}
+ initContainers:
+ {{- tpl (toYaml .) $ | nindent 8 }}
 {{- end }}
 containers:
 - name: discovery
@@ -116,12 +120,19 @@ spec:
 ports:
 - containerPort: 8080
 protocol: TCP
+ name: http-debug
 - containerPort: 15010
 protocol: TCP
+ name: grpc-xds
+ - containerPort: 15012
+ protocol: TCP
+ name: tls-xds
 - containerPort: 15017
 protocol: TCP
+ name: https-webhooks
 - containerPort: 15014
 protocol: TCP
+ name: http-monitoring
 readinessProbe:
 httpGet:
 path: /ready
@@ -189,8 +200,9 @@ spec:
 valueFrom:
 resourceFieldRef:
 resource: limits.cpu
+ divisor: "1"
 - name: PLATFORM
- value: "{{ .Values.global.platform }}"
+ value: "{{ coalesce .Values.global.platform .Values.platform }}"
 resources:
 {{- if .Values.resources }}
 {{ toYaml .Values.resources | trim | indent 12 }}
diff --git a/resources/latest/charts/istiod/templates/mutatingwebhook.yaml b/resources/latest/charts/istiod/templates/mutatingwebhook.yaml
index 5b7e734e4..fae4ed87a 100644
--- a/resources/latest/charts/istiod/templates/mutatingwebhook.yaml
+++ b/resources/latest/charts/istiod/templates/mutatingwebhook.yaml
@@ -50,7 +50,7 @@ metadata:
 operator.istio.io/component: "Pilot"
 app: sidecar-injector
 release: {{ .Release.Name }}
- app.kubernetes.io/name: "sidecar-injector"
+ app.kubernetes.io/name: "istiod"
 {{- include "istio.labels" . | nindent 4 }}
 webhooks:
 {{- /* Set up the selectors. First section is for revision, rest is for "default" revision */}}
diff --git a/resources/latest/charts/istiod/templates/revision-tags.yaml b/resources/latest/charts/istiod/templates/revision-tags.yaml
index 1d13d62d5..9c1d2784a 100644
--- a/resources/latest/charts/istiod/templates/revision-tags.yaml
+++ b/resources/latest/charts/istiod/templates/revision-tags.yaml
@@ -46,7 +46,7 @@ metadata:
 operator.istio.io/component: "Pilot"
 app: sidecar-injector
 release: {{ $.Release.Name }}
- app.kubernetes.io/name: "sidecar-injector"
+ app.kubernetes.io/name: "istiod"
 {{- include "istio.labels" $ | nindent 4 }}
 webhooks:
 {{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }}
diff --git a/resources/latest/charts/istiod/templates/zzz_profile.yaml b/resources/latest/charts/istiod/templates/zzz_profile.yaml
index b96dcafcb..4eea73812 100644
--- a/resources/latest/charts/istiod/templates/zzz_profile.yaml
+++ b/resources/latest/charts/istiod/templates/zzz_profile.yaml
@@ -33,6 +33,13 @@ Finally, we can set all of that under .Values so the chart behaves without aware
 {{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }}
 {{- end }}
 {{- end }}
+{{- if $globals.platform }}
+{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" $globals.platform) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown platform" $globals.platform) }}
+{{- end }}
+{{- end }}
 {{- if $profile }}
 {{- $a := mustMergeOverwrite $defaults $profile }}
 {{- end }}
diff --git a/resources/latest/charts/istiod/values.yaml b/resources/latest/charts/istiod/values.yaml
index bc83baf91..93ebefbd8 100644
--- a/resources/latest/charts/istiod/values.yaml
+++ b/resources/latest/charts/istiod/values.yaml
@@ -60,6 +60,9 @@ defaults:
 # Additional volumes to the istiod pod
 volumes: []
 
+ # Inject initContainers into the istiod pod
+ initContainers: []
+
 nodeSelector: {}
 podAnnotations: {}
 serviceAnnotations: {}
@@ -234,7 +237,7 @@ defaults:
 # Dev builds from prow are on gcr.io
 hub: gcr.io/istio-testing
 # Default tag for Istio images.
- tag: 1.24-alpha.b28bdd77da4c7f0f4f3631db514f1c4f79a90289
+ tag: 1.24-alpha.fe2a04689d3b7abf7630dc5646bf825e0c0592fe
 # Variant of the image to use.
 # Currently supported are: [debug, distroless]
 variant: ""
@@ -377,6 +380,9 @@ defaults:
 proxy_init:
 # Base name for the proxy_init container, used to configure iptables.
 image: proxyv2
+ # Bypasses iptables idempotency handling, and attempts to apply iptables rules regardless of table state, which may cause unrecoverable failures.
+ # Do not use unless you need to work around an issue of the idempotency handling. This flag will be removed in future releases.
+ forceApplyIptables: false
 # configure remote pilot and istiod service and endpoint
 remotePilotAddress: ""
 
@@ -506,6 +512,18 @@ defaults:
 cpu: "2"
 memory: 1Gi
 
+ # If specified, affinity defines the scheduling constraints of waypoint pods.
+ affinity: {}
+
+ # Topology Spread Constraints for the waypoint proxy.
+ topologySpreadConstraints: []
+
+ # Node labels for the waypoint proxy.
+ nodeSelector: {}
+
+ # Tolerations for the waypoint proxy.
+ tolerations: []
+
 base:
 # For istioctl usage to disable istio config crds in base
 enableIstioConfigCRDs: true
diff --git a/resources/latest/charts/ztunnel/Chart.yaml b/resources/latest/charts/ztunnel/Chart.yaml
index 4eb63bbed..c2d07c68c 100644
--- a/resources/latest/charts/ztunnel/Chart.yaml
+++ b/resources/latest/charts/ztunnel/Chart.yaml
@@ -1,5 +1,5 @@
 apiVersion: v2
-appVersion: 1.24-alpha.b28bdd77da4c7f0f4f3631db514f1c4f79a90289
+appVersion: 1.24-alpha.fe2a04689d3b7abf7630dc5646bf825e0c0592fe
 description: Helm chart for istio ztunnel components
 icon: https://istio.io/latest/favicons/android-192x192.png
 keywords:
@@ -8,4 +8,4 @@ keywords:
 name: ztunnel
 sources:
 - https://github.com/istio/istio
-version: 1.24-alpha.b28bdd77da4c7f0f4f3631db514f1c4f79a90289
+version: 1.24-alpha.fe2a04689d3b7abf7630dc5646bf825e0c0592fe
diff --git a/resources/latest/charts/ztunnel/files/profile-compatibility-version-1.21.yaml b/resources/latest/charts/ztunnel/files/profile-compatibility-version-1.21.yaml
index 2b72bd93c..c8da4d2e1 100644
--- a/resources/latest/charts/ztunnel/files/profile-compatibility-version-1.21.yaml
+++ b/resources/latest/charts/ztunnel/files/profile-compatibility-version-1.21.yaml
@@ -15,6 +15,8 @@ pilot:
 ENABLE_INBOUND_RETRY_POLICY: "false"
 EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false"
 PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false"
+ ENABLE_ENHANCED_DESTINATIONRULE_MERGE: "false"
+ PILOT_UNIFIED_SIDECAR_SCOPE: "false"
 
 meshConfig:
 # 1.22 behavioral changes
@@ -23,6 +25,9 @@ meshConfig:
 ISTIO_DELTA_XDS: "false"
 # 1.23 behavioral changes
 ENABLE_DELIMITED_STATS_TAG_REGEX: "false"
+ # 1.24 behaviour changes
+ ENABLE_DEFERRED_STATS_CREATION: "false"
+ BYPASS_OVERLOAD_MANAGER_FOR_STATIC_LISTENERS: "false"
 tracing:
 zipkin:
 address: zipkin.istio-system:9411
diff --git a/resources/latest/charts/ztunnel/files/profile-compatibility-version-1.22.yaml b/resources/latest/charts/ztunnel/files/profile-compatibility-version-1.22.yaml
index 2badb70a5..70d8eb40c 100644
--- a/resources/latest/charts/ztunnel/files/profile-compatibility-version-1.22.yaml
+++ b/resources/latest/charts/ztunnel/files/profile-compatibility-version-1.22.yaml
@@ -11,6 +11,8 @@ pilot:
 ENABLE_INBOUND_RETRY_POLICY: "false"
 EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false"
 PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false"
+ ENABLE_ENHANCED_DESTINATIONRULE_MERGE: "false"
+ PILOT_UNIFIED_SIDECAR_SCOPE: "false"
 
 meshConfig:
 defaultConfig:
@@ -19,3 +21,6 @@ meshConfig:
 ENABLE_DEFERRED_CLUSTER_CREATION: "false"
 # 1.23 behavioral changes
 ENABLE_DELIMITED_STATS_TAG_REGEX: "false"
+ # 1.24 behaviour changes
+ ENABLE_DEFERRED_STATS_CREATION: "false"
+ BYPASS_OVERLOAD_MANAGER_FOR_STATIC_LISTENERS: "false"
diff --git a/resources/latest/charts/ztunnel/files/profile-compatibility-version-1.23.yaml b/resources/latest/charts/ztunnel/files/profile-compatibility-version-1.23.yaml
index f855500b0..636bb6f15 100644
--- a/resources/latest/charts/ztunnel/files/profile-compatibility-version-1.23.yaml
+++ b/resources/latest/charts/ztunnel/files/profile-compatibility-version-1.23.yaml
@@ -7,4 +7,13 @@ pilot:
 # 1.24 behavioral changes
 ENABLE_INBOUND_RETRY_POLICY: "false"
 EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false"
- PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false"
\ No newline at end of file
+ PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false"
+ ENABLE_ENHANCED_DESTINATIONRULE_MERGE: "false"
+ PILOT_UNIFIED_SIDECAR_SCOPE: "false"
+
+meshConfig:
+ defaultConfig:
+ proxyMetadata:
+ # 1.24 behaviour changes
+ ENABLE_DEFERRED_STATS_CREATION: "false"
+ BYPASS_OVERLOAD_MANAGER_FOR_STATIC_LISTENERS: "false"
diff --git a/resources/latest/charts/ztunnel/files/profile-openshift-ambient.yaml b/resources/latest/charts/ztunnel/files/profile-openshift-ambient.yaml
deleted file mode 100644
index 444665932..000000000
--- a/resources/latest/charts/ztunnel/files/profile-openshift-ambient.yaml
+++ /dev/null
@@ -1,28 +0,0 @@
-# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
-# The original version of this file is located at /manifests/helm-profiles directory.
-# If you want to make a change in this file, edit the original one and run "make gen".
-
-meshConfig:
- defaultConfig:
- proxyMetadata:
- ISTIO_META_ENABLE_HBONE: "true"
-global:
- platform: openshift
- variant: distroless
- seLinuxOptions:
- type: spc_t
-cni:
- ambient:
- enabled: true
- cniBinDir: /var/lib/cni/bin
- cniConfDir: /etc/cni/multus/net.d
- chained: false
- cniConfFileName: "istio-cni.conf"
- logLevel: info
- provider: "multus"
-pilot:
- cni:
- enabled: true
- provider: "multus"
- env:
- PILOT_ENABLE_AMBIENT: "true"
\ No newline at end of file
diff --git a/resources/latest/charts/ztunnel/files/profile-openshift.yaml b/resources/latest/charts/ztunnel/files/profile-openshift.yaml
deleted file mode 100644
index 38357bd99..000000000
--- a/resources/latest/charts/ztunnel/files/profile-openshift.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
-# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
-# The original version of this file is located at /manifests/helm-profiles directory.
-# If you want to make a change in this file, edit the original one and run "make gen".
-
-# The OpenShift profile provides a basic set of settings to run Istio on OpenShift
-# CNI must be installed.
-cni:
- cniBinDir: /var/lib/cni/bin
- cniConfDir: /etc/cni/multus/net.d
- chained: false
- cniConfFileName: "istio-cni.conf"
- logLevel: info
- provider: "multus"
-global:
- platform: openshift
-pilot:
- cni:
- enabled: true
- provider: "multus"
-platform: openshift
\ No newline at end of file
diff --git a/resources/latest/charts/ztunnel/files/profile-platform-k3d.yaml b/resources/latest/charts/ztunnel/files/profile-platform-k3d.yaml
new file mode 100644
index 000000000..cd86d9ec5
--- /dev/null
+++ b/resources/latest/charts/ztunnel/files/profile-platform-k3d.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+ cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+ cniBinDir: /bin
diff --git a/resources/latest/charts/ztunnel/files/profile-platform-k3s.yaml b/resources/latest/charts/ztunnel/files/profile-platform-k3s.yaml
new file mode 100644
index 000000000..f3f2884aa
--- /dev/null
+++ b/resources/latest/charts/ztunnel/files/profile-platform-k3s.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+ cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+ cniBinDir: /var/lib/rancher/k3s/data/current/bin/
diff --git a/resources/latest/charts/ztunnel/files/profile-platform-microk8s.yaml b/resources/latest/charts/ztunnel/files/profile-platform-microk8s.yaml
new file mode 100644
index 000000000..57d7f5e3c
--- /dev/null
+++ b/resources/latest/charts/ztunnel/files/profile-platform-microk8s.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+ cniConfDir: /var/snap/microk8s/current/args/cni-network
+ cniBinDir: /var/snap/microk8s/current/opt/cni/bin
diff --git a/resources/latest/charts/ztunnel/files/profile-platform-minikube.yaml b/resources/latest/charts/ztunnel/files/profile-platform-minikube.yaml
new file mode 100644
index 000000000..fa9992e20
--- /dev/null
+++ b/resources/latest/charts/ztunnel/files/profile-platform-minikube.yaml
@@ -0,0 +1,6 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+ cniNetnsDir: /var/run/docker/netns
diff --git a/resources/latest/charts/ztunnel/files/profile-platform-openshift.yaml b/resources/latest/charts/ztunnel/files/profile-platform-openshift.yaml
new file mode 100644
index 000000000..69eda2b1d
--- /dev/null
+++ b/resources/latest/charts/ztunnel/files/profile-platform-openshift.yaml
@@ -0,0 +1,17 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The OpenShift profile provides a basic set of settings to run Istio on OpenShift +cni: + cniBinDir: /var/lib/cni/bin + cniConfDir: /etc/cni/multus/net.d + chained: false + cniConfFileName: "istio-cni.conf" + provider: "multus" +pilot: + cni: + enabled: true + provider: "multus" +seLinuxOptions: + type: spc_t diff --git a/resources/latest/charts/ztunnel/templates/daemonset.yaml b/resources/latest/charts/ztunnel/templates/daemonset.yaml index 6025871e9..c6e2daf48 100644 --- a/resources/latest/charts/ztunnel/templates/daemonset.yaml +++ b/resources/latest/charts/ztunnel/templates/daemonset.yaml @@ -188,7 +188,7 @@ spec: - name: cni-ztunnel-sock-dir hostPath: path: /var/run/ztunnel - type: DirectoryOrCreate # ideally this would be a socket, but ztunnel may not have started yet. + type: DirectoryOrCreate # ideally this would be a socket, but istio-cni may not have started yet. # pprof needs a writable /tmp, and we don't have that thanks to `readOnlyRootFilesystem: true`, so mount one - name: tmp emptyDir: {} diff --git a/resources/latest/charts/ztunnel/templates/zzz_profile.yaml b/resources/latest/charts/ztunnel/templates/zzz_profile.yaml index 68a66eec6..680b3d5c3 100644 --- a/resources/latest/charts/ztunnel/templates/zzz_profile.yaml +++ b/resources/latest/charts/ztunnel/templates/zzz_profile.yaml 
@@ -33,6 +33,13 @@ Finally, we can set all of that under .Values so the chart behaves without aware {{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }} {{- end }} {{- end }} +{{- if $globals.platform }} +{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" $globals.platform) }} +{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown platform" $globals.platform) }} +{{- end }} +{{- end }} {{- if $profile }} {{- $a := mustMergeOverwrite $defaults $profile }} {{- end }} diff --git a/resources/latest/charts/ztunnel/values.yaml b/resources/latest/charts/ztunnel/values.yaml index 955528f5b..c5e3ebe7b 100644 --- a/resources/latest/charts/ztunnel/values.yaml +++ b/resources/latest/charts/ztunnel/values.yaml @@ -4,7 +4,7 @@ defaults: # Hub to pull from. Image will be `Hub/Image:Tag-Variant` hub: gcr.io/istio-testing # Tag to pull from. Image will be `Hub/Image:Tag-Variant` - tag: 1.24-alpha.b28bdd77da4c7f0f4f3631db514f1c4f79a90289 + tag: 1.24-alpha.fe2a04689d3b7abf7630dc5646bf825e0c0592fe # Variant to pull. Options are "debug" or "distroless". Unset will use the default for the given version. variant: "" diff --git a/versions.yaml b/versions.yaml index 116ad15ac..c579186aa 100644 --- a/versions.yaml +++ b/versions.yaml 
@@ -46,11 +46,11 @@ versions: version: 1.24-alpha repo: https://github.com/istio/istio branch: master - commit: b28bdd77da4c7f0f4f3631db514f1c4f79a90289 + commit: fe2a04689d3b7abf7630dc5646bf825e0c0592fe charts: - - https://storage.googleapis.com/istio-build/dev/1.24-alpha.b28bdd77da4c7f0f4f3631db514f1c4f79a90289/helm/base-1.24-alpha.b28bdd77da4c7f0f4f3631db514f1c4f79a90289.tgz - - https://storage.googleapis.com/istio-build/dev/1.24-alpha.b28bdd77da4c7f0f4f3631db514f1c4f79a90289/helm/cni-1.24-alpha.b28bdd77da4c7f0f4f3631db514f1c4f79a90289.tgz - - https://storage.googleapis.com/istio-build/dev/1.24-alpha.b28bdd77da4c7f0f4f3631db514f1c4f79a90289/helm/gateway-1.24-alpha.b28bdd77da4c7f0f4f3631db514f1c4f79a90289.tgz - - https://storage.googleapis.com/istio-build/dev/1.24-alpha.b28bdd77da4c7f0f4f3631db514f1c4f79a90289/helm/istiod-1.24-alpha.b28bdd77da4c7f0f4f3631db514f1c4f79a90289.tgz - - https://storage.googleapis.com/istio-build/dev/1.24-alpha.b28bdd77da4c7f0f4f3631db514f1c4f79a90289/helm/istiod-remote-1.24-alpha.b28bdd77da4c7f0f4f3631db514f1c4f79a90289.tgz - - https://storage.googleapis.com/istio-build/dev/1.24-alpha.b28bdd77da4c7f0f4f3631db514f1c4f79a90289/helm/ztunnel-1.24-alpha.b28bdd77da4c7f0f4f3631db514f1c4f79a90289.tgz + - https://storage.googleapis.com/istio-build/dev/1.24-alpha.fe2a04689d3b7abf7630dc5646bf825e0c0592fe/helm/base-1.24-alpha.fe2a04689d3b7abf7630dc5646bf825e0c0592fe.tgz + - https://storage.googleapis.com/istio-build/dev/1.24-alpha.fe2a04689d3b7abf7630dc5646bf825e0c0592fe/helm/cni-1.24-alpha.fe2a04689d3b7abf7630dc5646bf825e0c0592fe.tgz + - https://storage.googleapis.com/istio-build/dev/1.24-alpha.fe2a04689d3b7abf7630dc5646bf825e0c0592fe/helm/gateway-1.24-alpha.fe2a04689d3b7abf7630dc5646bf825e0c0592fe.tgz + - https://storage.googleapis.com/istio-build/dev/1.24-alpha.fe2a04689d3b7abf7630dc5646bf825e0c0592fe/helm/istiod-1.24-alpha.fe2a04689d3b7abf7630dc5646bf825e0c0592fe.tgz + - 
https://storage.googleapis.com/istio-build/dev/1.24-alpha.fe2a04689d3b7abf7630dc5646bf825e0c0592fe/helm/istiod-remote-1.24-alpha.fe2a04689d3b7abf7630dc5646bf825e0c0592fe.tgz + - https://storage.googleapis.com/istio-build/dev/1.24-alpha.fe2a04689d3b7abf7630dc5646bf825e0c0592fe/helm/ztunnel-1.24-alpha.fe2a04689d3b7abf7630dc5646bf825e0c0592fe.tgz From 9d12b6f8e7a9d1c5999451a308fa946bf24fe85b Mon Sep 17 00:00:00 2001 From: Travis White Date: Fri, 20 Sep 2024 02:44:19 -0500 Subject: [PATCH 06/68] added helm overrides for proxy image as is available for operator (#339) * added helm overrides for proxy image as is available for operator Signed-off-by: Travis White * `make gen` results Signed-off-by: Travis White --------- Signed-off-by: Travis White Co-authored-by: Daniel Grimm --- bundle/manifests/sailoperator.clusterserviceversion.yaml | 1 + chart/templates/deployment.yaml | 3 ++- chart/values.yaml | 3 +++ 3 files changed, 6 insertions(+), 1 deletion(-) diff --git a/bundle/manifests/sailoperator.clusterserviceversion.yaml b/bundle/manifests/sailoperator.clusterserviceversion.yaml index 47e035fbc..de1cd4691 100644 --- a/bundle/manifests/sailoperator.clusterserviceversion.yaml +++ b/bundle/manifests/sailoperator.clusterserviceversion.yaml @@ -643,6 +643,7 @@ spec: - --logtostderr=true - --v=0 image: gcr.io/kubebuilder/kube-rbac-proxy:v0.16.0 + imagePullPolicy: Always name: kube-rbac-proxy ports: - containerPort: 8443 diff --git a/chart/templates/deployment.yaml b/chart/templates/deployment.yaml index 0067d9eaa..02c4c4646 100644 --- a/chart/templates/deployment.yaml +++ b/chart/templates/deployment.yaml @@ -53,7 +53,8 @@ spec: - --upstream=http://127.0.0.1:8080/ - --logtostderr=true - --v=0 - image: gcr.io/kubebuilder/kube-rbac-proxy:v0.16.0 + image: {{ .Values.proxy.image }} + imagePullPolicy: {{ .Values.proxy.imagePullPolicy }} name: kube-rbac-proxy ports: - containerPort: 8443 diff --git a/chart/values.yaml b/chart/values.yaml index d86bac087..75d8d8799 100644 
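Review bot: `image: {{ .Values.proxy.image }}` in the chart/templates/deployment.yaml hunk renders an empty `image:` when a user overrides `proxy.image` with an empty value, and the broken Deployment is only rejected at apply time by the API server; failing at render time is clearer: `image: {{ required "proxy.image must be set" .Values.proxy.image | quote }}`. The same treatment fits `imagePullPolicy: {{ .Values.proxy.imagePullPolicy }}`, which the API server also rejects for anything other than `Always`, `IfNotPresent` or `Never`. The container spec this hunk edits starts and ends outside the hunk.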
--- a/chart/values.yaml +++ b/chart/values.yaml @@ -44,6 +44,9 @@ csv: features.operators.openshift.io/csi: "false" image: quay.io/maistra-dev/sail-operator:0.2-latest imagePullPolicy: Always +proxy: + image: gcr.io/kubebuilder/kube-rbac-proxy:v0.16.0 + imagePullPolicy: Always # setting this to true will add resources required to generate the bundle using operator-sdk bundleGeneration: false From 1dff7d97be92323dfcd6e6f21795011f67be5fe3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marko=20Luk=C5=A1a?= Date: Fri, 20 Sep 2024 12:03:19 +0200 Subject: [PATCH 07/68] Show name of active revision in Istio/RemoteIstio status (#350) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This helps users know the name of the currently active revision. Previously, the users had to just know that for the InPlace strategy, the name of the revision is the same as the name of the Istio/RemoteIstio resource, and for the RevisionBased strategy, the revision name is the Istio/RemoteIstio name + version. Signed-off-by: Marko Lukša --- api/v1alpha1/istio_types.go | 6 +++++- api/v1alpha1/remoteistio_types.go | 6 +++++- bundle/manifests/sailoperator.io_istios.yaml | 9 ++++++++- bundle/manifests/sailoperator.io_remoteistios.yaml | 9 ++++++++- chart/crds/sailoperator.io_istios.yaml | 9 ++++++++- chart/crds/sailoperator.io_remoteistios.yaml | 9 ++++++++- controllers/istio/istio_controller.go | 1 + controllers/istio/istio_controller_test.go | 10 +++++++++- controllers/remoteistio/remoteistio_controller.go | 1 + controllers/remoteistio/remoteistio_controller_test.go | 10 +++++++++- docs/api-reference/sailoperator.io.md | 2 ++ 11 files changed, 64 insertions(+), 8 deletions(-) diff --git a/api/v1alpha1/istio_types.go b/api/v1alpha1/istio_types.go index dfeb27df3..ba39fdc06 100644 --- a/api/v1alpha1/istio_types.go +++ b/api/v1alpha1/istio_types.go 
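Review bot: The new `proxy.image` default pins `kube-rbac-proxy` by a mutable tag (`v0.16.0`) while `proxy.imagePullPolicy: Always` re-resolves that tag on every pod start, so a retag on the registry silently swaps the binary that fronts the operator's upstream on `127.0.0.1:8080` (see the deployment.yaml hunk above). Consider pinning by digest, `image: gcr.io/kubebuilder/kube-rbac-proxy@sha256:<digest>` (`<digest>` is a placeholder), or adding a comment stating why a tag pin is acceptable here. As far as I know the kubebuilder project has announced it will stop publishing this image from `gcr.io/kubebuilder`, so a comment above `proxy:` noting where the image is expected to come from would help whoever has to move it later.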
@@ -114,6 +114,9 @@ type IstioStatus struct { // Reports the current state of the object. State IstioConditionReason `json:"state,omitempty"` + // The name of the active revision. + ActiveRevisionName string `json:"activeRevisionName,omitempty"` + // Reports information about the underlying IstioRevisions. Revisions RevisionSummary `json:"revisions,omitempty"` } @@ -238,7 +241,8 @@ const ( // +kubebuilder:printcolumn:name="Revisions",type="string",JSONPath=".status.revisions.total",description="Total number of IstioRevision objects currently associated with this object." // +kubebuilder:printcolumn:name="Ready",type="string",JSONPath=".status.revisions.ready",description="Number of revisions that are ready." // +kubebuilder:printcolumn:name="In use",type="string",JSONPath=".status.revisions.inUse",description="Number of revisions that are currently being used by workloads." -// +kubebuilder:printcolumn:name="Active Revision",type="string",JSONPath=".status.state",description="The current state of the active revision." +// +kubebuilder:printcolumn:name="Active Revision",type="string",JSONPath=".status.activeRevisionName",description="The name of the currently active revision." +// +kubebuilder:printcolumn:name="Status",type="string",JSONPath=".status.state",description="The current state of the active revision." // +kubebuilder:printcolumn:name="Version",type="string",JSONPath=".spec.version",description="The version of the control plane installation." // +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp",description="The age of the object" diff --git a/api/v1alpha1/remoteistio_types.go b/api/v1alpha1/remoteistio_types.go index 1494a9bc7..dbfe3707c 100644 --- a/api/v1alpha1/remoteistio_types.go +++ b/api/v1alpha1/remoteistio_types.go 
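Review bot: The new field comment `// The name of the active revision.` on `ActiveRevisionName` does not say how the name is derived, which is exactly what the commit message says users could not work out before, and this comment is what ends up in the generated CRD description and the API reference. Suggest: `// The name of the active revision. For the InPlace update strategy this is the name of this resource; for RevisionBased it is derived from the resource name and the version.` The same applies to the `RemoteIstioStatus` hunk in remoteistio_types.go. Note too that the existing `Active Revision` printcolumn now points at `.status.activeRevisionName` and the old state column is renamed `Status`, which changes `kubectl get` output for anyone scripting against column names.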
@@ -71,6 +71,9 @@ type RemoteIstioStatus struct { // Reports the current state of the object. State RemoteIstioConditionReason `json:"state,omitempty"` + // The name of the active revision. + ActiveRevisionName string `json:"activeRevisionName,omitempty"` + // Reports information about the underlying IstioRevisions. Revisions RevisionSummary `json:"revisions,omitempty"` } @@ -183,7 +186,8 @@ const ( // +kubebuilder:printcolumn:name="Revisions",type="string",JSONPath=".status.revisions.total",description="Total number of IstioRevision objects currently associated with this object." // +kubebuilder:printcolumn:name="Ready",type="string",JSONPath=".status.revisions.ready",description="Number of revisions that are ready." // +kubebuilder:printcolumn:name="In use",type="string",JSONPath=".status.revisions.inUse",description="Number of revisions that are currently being used by workloads." -// +kubebuilder:printcolumn:name="Active Revision",type="string",JSONPath=".status.state",description="The current state of the active revision." +// +kubebuilder:printcolumn:name="Active Revision",type="string",JSONPath=".status.activeRevisionName",description="The name of the currently active revision." +// +kubebuilder:printcolumn:name="Status",type="string",JSONPath=".status.state",description="The current state of the active revision." // +kubebuilder:printcolumn:name="Version",type="string",JSONPath=".spec.version",description="The version of the control plane installation." // +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp",description="The age of the object" diff --git a/bundle/manifests/sailoperator.io_istios.yaml b/bundle/manifests/sailoperator.io_istios.yaml index 3ba422ba5..4057df688 100644 --- a/bundle/manifests/sailoperator.io_istios.yaml +++ b/bundle/manifests/sailoperator.io_istios.yaml 
@@ -30,9 +30,13 @@ spec: jsonPath: .status.revisions.inUse name: In use type: string + - description: The name of the currently active revision. + jsonPath: .status.activeRevisionName + name: Active Revision + type: string - description: The current state of the active revision. jsonPath: .status.state - name: Active Revision + name: Status type: string - description: The version of the control plane installation. jsonPath: .spec.version @@ -8001,6 +8005,9 @@ spec: status: description: IstioStatus defines the observed state of Istio properties: + activeRevisionName: + description: The name of the active revision. + type: string conditions: description: Represents the latest available observations of the object's current state. diff --git a/bundle/manifests/sailoperator.io_remoteistios.yaml b/bundle/manifests/sailoperator.io_remoteistios.yaml index f77d7cc7a..19c17f37d 100644 --- a/bundle/manifests/sailoperator.io_remoteistios.yaml +++ b/bundle/manifests/sailoperator.io_remoteistios.yaml @@ -30,9 +30,13 @@ spec: jsonPath: .status.revisions.inUse name: In use type: string + - description: The name of the currently active revision. + jsonPath: .status.activeRevisionName + name: Active Revision + type: string - description: The current state of the active revision. jsonPath: .status.state - name: Active Revision + name: Status type: string - description: The version of the control plane installation. jsonPath: .spec.version @@ -7996,6 +8000,9 @@ spec: status: description: RemoteIstioStatus defines the observed state of RemoteIstio properties: + activeRevisionName: + description: The name of the active revision. + type: string conditions: description: Represents the latest available observations of the object's current state. diff --git a/chart/crds/sailoperator.io_istios.yaml b/chart/crds/sailoperator.io_istios.yaml index b9a5f37fa..8ccbb7dcc 100644 --- a/chart/crds/sailoperator.io_istios.yaml +++ b/chart/crds/sailoperator.io_istios.yaml 
@@ -30,9 +30,13 @@ spec: jsonPath: .status.revisions.inUse name: In use type: string + - description: The name of the currently active revision. + jsonPath: .status.activeRevisionName + name: Active Revision + type: string - description: The current state of the active revision. jsonPath: .status.state - name: Active Revision + name: Status type: string - description: The version of the control plane installation. jsonPath: .spec.version @@ -8001,6 +8005,9 @@ spec: status: description: IstioStatus defines the observed state of Istio properties: + activeRevisionName: + description: The name of the active revision. + type: string conditions: description: Represents the latest available observations of the object's current state. diff --git a/chart/crds/sailoperator.io_remoteistios.yaml b/chart/crds/sailoperator.io_remoteistios.yaml index 75f001835..edc2c67d5 100644 --- a/chart/crds/sailoperator.io_remoteistios.yaml +++ b/chart/crds/sailoperator.io_remoteistios.yaml @@ -30,9 +30,13 @@ spec: jsonPath: .status.revisions.inUse name: In use type: string + - description: The name of the currently active revision. + jsonPath: .status.activeRevisionName + name: Active Revision + type: string - description: The current state of the active revision. jsonPath: .status.state - name: Active Revision + name: Status type: string - description: The version of the control plane installation. jsonPath: .spec.version @@ -7996,6 +8000,9 @@ spec: status: description: RemoteIstioStatus defines the observed state of RemoteIstio properties: + activeRevisionName: + description: The name of the active revision. + type: string conditions: description: Represents the latest available observations of the object's current state. diff --git a/controllers/istio/istio_controller.go b/controllers/istio/istio_controller.go index f7644e0d8..b46119796 100644 --- a/controllers/istio/istio_controller.go +++ b/controllers/istio/istio_controller.go 
@@ -207,6 +207,7 @@ func (r *Reconciler) determineStatus(ctx context.Context, istio *v1alpha1.Istio, }) status.State = v1alpha1.IstioReasonReconcileError } else { + status.ActiveRevisionName = getActiveRevisionName(istio) rev, err := r.getActiveRevision(ctx, istio) if apierrors.IsNotFound(err) { revisionNotFound := func(conditionType v1alpha1.IstioConditionType) v1alpha1.IstioCondition { diff --git a/controllers/istio/istio_controller_test.go b/controllers/istio/istio_controller_test.go index 020529823..1a5150a53 100644 --- a/controllers/istio/istio_controller_test.go +++ b/controllers/istio/istio_controller_test.go @@ -367,6 +367,7 @@ func TestDetermineStatus(t *testing.T) { Message: "ready message", }, }, + ActiveRevisionName: istioKey.Name, Revisions: v1alpha1.RevisionSummary{ Total: 2, Ready: 1, @@ -398,6 +399,7 @@ func TestDetermineStatus(t *testing.T) { Status: metav1.ConditionTrue, }, }, + ActiveRevisionName: istioKey.Name, Revisions: v1alpha1.RevisionSummary{ Total: 3, Ready: 2, @@ -425,6 +427,7 @@ func TestDetermineStatus(t *testing.T) { Message: "active IstioRevision not found", }, }, + ActiveRevisionName: istioKey.Name, }, }, { @@ -455,7 +458,8 @@ func TestDetermineStatus(t *testing.T) { Message: "failed to get active IstioRevision: get failed: simulated error", }, }, - Revisions: v1alpha1.RevisionSummary{}, + ActiveRevisionName: istioKey.Name, + Revisions: v1alpha1.RevisionSummary{}, }, }, { @@ -486,6 +490,7 @@ func TestDetermineStatus(t *testing.T) { Message: "active IstioRevision not found", }, }, + ActiveRevisionName: istioKey.Name, Revisions: v1alpha1.RevisionSummary{ Total: -1, Ready: -1, @@ -587,6 +592,7 @@ func TestUpdateStatus(t *testing.T) { Message: "active IstioRevision not found", }, }, + ActiveRevisionName: istioKey.Name, Revisions: v1alpha1.RevisionSummary{ Total: -1, Ready: -1, 
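Review bot: `status.ActiveRevisionName = getActiveRevisionName(istio)` sits in the `else` branch, so whenever the reconcile-error branch above it is taken the field is left empty and the new `Active Revision` column goes blank for exactly the object a user is trying to debug. If `getActiveRevisionName` derives the name from the object itself rather than from cluster state, which the test hunks suggest since they expect `istioKey.Name` even in the "not found" and "get failed" cases, the assignment can be hoisted above the `if` so the name is reported in every outcome. The same applies to the remoteistio_controller.go hunk further down. `determineStatus` starts and ends outside the hunk.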
@@ -625,6 +631,7 @@ func TestUpdateStatus(t *testing.T) { LastTransitionTime: *oneMinuteAgo, }, }, + ActiveRevisionName: istioKey.Name, }, }, revisions: []v1alpha1.IstioRevision{ @@ -673,6 +680,7 @@ func TestUpdateStatus(t *testing.T) { Message: "ready message", }, }, + ActiveRevisionName: istioKey.Name, }, disallowWrites: true, wantErr: false, diff --git a/controllers/remoteistio/remoteistio_controller.go b/controllers/remoteistio/remoteistio_controller.go index 32b2ac028..31c70a51c 100644 --- a/controllers/remoteistio/remoteistio_controller.go +++ b/controllers/remoteistio/remoteistio_controller.go @@ -206,6 +206,7 @@ func (r *Reconciler) determineStatus(ctx context.Context, istio *v1alpha1.Remote }) status.State = v1alpha1.RemoteIstioReasonReconcileError } else { + status.ActiveRevisionName = getActiveRevisionName(istio) rev, err := r.getActiveRevision(ctx, istio) if apierrors.IsNotFound(err) { revisionNotFound := func(conditionType v1alpha1.RemoteIstioConditionType) v1alpha1.RemoteIstioCondition { diff --git a/controllers/remoteistio/remoteistio_controller_test.go b/controllers/remoteistio/remoteistio_controller_test.go index 9e4f3732c..c9ff33f0a 100644 --- a/controllers/remoteistio/remoteistio_controller_test.go +++ b/controllers/remoteistio/remoteistio_controller_test.go @@ -367,6 +367,7 @@ func TestDetermineStatus(t *testing.T) { Message: "ready message", }, }, + ActiveRevisionName: istioKey.Name, Revisions: v1alpha1.RevisionSummary{ Total: 2, Ready: 1, @@ -398,6 +399,7 @@ func TestDetermineStatus(t *testing.T) { Status: metav1.ConditionTrue, }, }, + ActiveRevisionName: istioKey.Name, Revisions: v1alpha1.RevisionSummary{ Total: 3, Ready: 2, @@ -425,6 +427,7 @@ func TestDetermineStatus(t *testing.T) { Message: "active IstioRevision not found", }, }, + ActiveRevisionName: istioKey.Name, }, }, { 
@@ -455,7 +458,8 @@ func TestDetermineStatus(t *testing.T) { Message: "failed to get active IstioRevision: get failed: simulated error", }, }, - Revisions: v1alpha1.RevisionSummary{}, + ActiveRevisionName: istioKey.Name, + Revisions: v1alpha1.RevisionSummary{}, }, }, { @@ -486,6 +490,7 @@ func TestDetermineStatus(t *testing.T) { Message: "active IstioRevision not found", }, }, + ActiveRevisionName: istioKey.Name, Revisions: v1alpha1.RevisionSummary{ Total: -1, Ready: -1, @@ -587,6 +592,7 @@ func TestUpdateStatus(t *testing.T) { Message: "active IstioRevision not found", }, }, + ActiveRevisionName: istioKey.Name, Revisions: v1alpha1.RevisionSummary{ Total: -1, Ready: -1, @@ -625,6 +631,7 @@ func TestUpdateStatus(t *testing.T) { LastTransitionTime: *oneMinuteAgo, }, }, + ActiveRevisionName: istioKey.Name, }, }, revisions: []v1alpha1.IstioRevision{ @@ -673,6 +680,7 @@ func TestUpdateStatus(t *testing.T) { Message: "ready message", }, }, + ActiveRevisionName: istioKey.Name, }, disallowWrites: true, wantErr: false, diff --git a/docs/api-reference/sailoperator.io.md b/docs/api-reference/sailoperator.io.md index d8e479b79..ce6e08862 100644 --- a/docs/api-reference/sailoperator.io.md +++ b/docs/api-reference/sailoperator.io.md 
@@ -928,6 +928,7 @@ _Appears in:_ | `observedGeneration` _integer_ | ObservedGeneration is the most recent generation observed for this Istio object. It corresponds to the object's generation, which is updated on mutation by the API Server. The information in the status pertains to this particular generation of the object. | | | | `conditions` _[IstioCondition](#istiocondition) array_ | Represents the latest available observations of the object's current state. | | | | `state` _[IstioConditionReason](#istioconditionreason)_ | Reports the current state of the object. | | | +| `activeRevisionName` _string_ | The name of the active revision. | | | | `revisions` _[RevisionSummary](#revisionsummary)_ | Reports information about the underlying IstioRevisions. | | | @@ -2533,6 +2534,7 @@ _Appears in:_ | `observedGeneration` _integer_ | ObservedGeneration is the most recent generation observed for this RemoteIstio object. It corresponds to the object's generation, which is updated on mutation by the API Server. The information in the status pertains to this particular generation of the object. | | | | `conditions` _[RemoteIstioCondition](#remoteistiocondition) array_ | Represents the latest available observations of the object's current state. | | | | `state` _[RemoteIstioConditionReason](#remoteistioconditionreason)_ | Reports the current state of the object. | | | +| `activeRevisionName` _string_ | The name of the active revision. | | | | `revisions` _[RevisionSummary](#revisionsummary)_ | Reports information about the underlying IstioRevisions. | | | From c5e80218c2ab898b361f4a949f0e6eeb53ab14ad Mon Sep 17 00:00:00 2001 From: Nick Fox Date: Fri, 20 Sep 2024 11:04:21 -0400 Subject: [PATCH 08/68] Add External Controlplane to user docs (#335) * Add external controlplane to docs Signed-off-by: Nick Fox * Remove extra fields from examples and update some descriptions Signed-off-by: Nick Fox * Caps consistently and fix copy/pasta errors 
Signed-off-by: Nick Fox * Apply suggestions from code review Co-authored-by: Sridhar Gaddam Signed-off-by: Nick Fox --------- Signed-off-by: Nick Fox Co-authored-by: Sridhar Gaddam --- docs/README.md | 290 +++++++++++++++- docs/multicluster/controlplane-gateway.yaml | 355 ++++++++++++++++++++ 2 files changed, 641 insertions(+), 4 deletions(-) create mode 100644 docs/multicluster/controlplane-gateway.yaml diff --git a/docs/README.md b/docs/README.md index 3a7a4069f..a950d7ac6 100644 --- a/docs/README.md +++ b/docs/README.md @@ -22,6 +22,11 @@ - [RevisionBased](#revisionbased) - [Example using the RevisionBased strategy](#example-using-the-revisionbased-strategy) - [Multi-cluster](#multi-cluster) + - [Prerequisites](#prerequisites) + - [Common Setup](#common-setup) + - [Multi-Primary](#multi-primary---multi-network) + - [Primary-Remote](#primary-remote---multi-network) + - [External Control Plane](#external-controlplane) - [Addons](#addons) - [Deploy Prometheus and Jaeger addons](#deploy-prometheus-and-jaeger-addons) - [Deploy Kiali addon](#deploy-kiali-addon) 
@@ -472,13 +477,12 @@ Steps: You can use the Sail Operator and the Sail CRDs to manage a multi-cluster Istio deployment. The following instructions are adapted from the [Istio multi-cluster documentation](https://istio.io/latest/docs/setup/install/multicluster/) to demonstrate how you can setup the various deployment models with Sail. Please familiarize yourself with the different [deployment models](https://istio.io/latest/docs/ops/deployment/deployment-models/) before starting. -*Prerequisites* - -Each deployment model requires you to install the Sail Operator and the Sail CRDs to every cluster that is part of the mesh. +### Prerequisites - Install [istioctl](https://istio.io/latest/docs/setup/install/istioctl) and have it included in your `$PATH`. - Two kubernetes clusters with external lb support. (If using kind, `cloud-provider-kind` is running in the background) - kubeconfig file with a context for each cluster. +- Install the Sail Operator and the Sail CRDs to every cluster. ### Common Setup @@ -502,7 +506,7 @@ These steps are common to every multi-cluster deployment and should be completed kubectl get ns istio-system --context "${CTX_CLUSTER2}" || kubectl create namespace istio-system --context "${CTX_CLUSTER2}" ``` -2. Create shared trust and add intermediate CAs to each cluster. +3. Create shared trust and add intermediate CAs to each cluster. If you already have a [shared trust](https://istio.io/latest/docs/setup/install/multicluster/before-you-begin/#configure-trust) for each cluster you can skip this. Otherwise, you can use the instructions below to create a shared trust and push the intermediate CAs into your clusters. 
@@ -868,6 +872,284 @@ In this setup there is a Primary cluster (`cluster1`) and a Remote cluster (`clu kubectl delete ns sample --context="${CTX_CLUSTER2}" ``` +### External Control Plane + +These instructions install an [external control plane](https://istio.io/latest/docs/setup/install/external-controlplane/) Istio deployment using the Sail Operator and Sail CRDs. **Before you begin**, ensure you meet the requirements of the [common setup](#common-setup) and complete **only** the "Setup env vars" step. Unlike other Multi-Cluster deployments, you won't be creating a common CA in this setup. + +These installation instructions are adapted from [Istio's external control plane documentation](https://istio.io/latest/docs/setup/install/external-controlplane/) and are intended to be run in a development environment, such as `kind`, rather than in production. + +In this setup there is an external control plane cluster (`cluster1`) and a remote cluster (`cluster2`) which are on separate networks. + +1. Create an `Istio` resource on `cluster1` to manage the ingress gateways for the external control plane. + + ```sh + kubectl create namespace istio-system --context "${CTX_CLUSTER1}" + kubectl apply --context "${CTX_CLUSTER1}" -f - < /dev/null || \ + { kubectl kustomize "github.com/kubernetes-sigs/gateway-api/config/crd?ref=v1.1.0" | kubectl apply -f - --context="${CTX_CLUSTER2}"; } + ``` + + Expose `helloworld` through the ingress gateway. + ```sh + kubectl apply -f https://raw.githubusercontent.com/istio/istio/${ISTIO_VERSION}/samples/helloworld/gateway-api/helloworld-gateway.yaml -n sample --context="${CTX_CLUSTER2}" + kubectl -n sample --context="${CTX_CLUSTER2}" wait --for=condition=programmed gtw helloworld-gateway + ``` + + Confirm you can access the `helloworld` application through the ingress gateway created in the Remote cluster. 
+ ```sh + curl -s "http://$(kubectl -n sample --context="${CTX_CLUSTER2}" get gtw helloworld-gateway -o jsonpath='{.status.addresses[0].value}'):80/hello" + ``` + You should see a response from the `helloworld` application: + ```sh + Hello version: v1, instance: helloworld-v1-6d65866976-jb6qc + ``` + +15. Cleanup + + ```sh + kubectl delete istios default --context="${CTX_CLUSTER1}" + kubectl delete ns istio-system --context="${CTX_CLUSTER1}" + kubectl delete istios external-istiod --context="${CTX_CLUSTER1}" + kubectl delete ns external-istiod --context="${CTX_CLUSTER1}" + kubectl delete remoteistios external-istiod --context="${CTX_CLUSTER2}" + kubectl delete ns external-istiod --context="${CTX_CLUSTER2}" + kubectl delete ns sample --context="${CTX_CLUSTER2}" + ``` + ## Addons Addons are managed separately from the Sail Operator. You can follow the [istio documentation](https://istio.io/latest/docs/ops/integrations/) for how to install addons. Below is an example of how to install some addons for Istio. diff --git a/docs/multicluster/controlplane-gateway.yaml b/docs/multicluster/controlplane-gateway.yaml new file mode 100644 index 000000000..33689f854 --- /dev/null +++ b/docs/multicluster/controlplane-gateway.yaml 
@@ -0,0 +1,355 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app: istio-ingressgateway + install.operator.istio.io/owning-resource: unknown + istio: ingressgateway + istio.io/rev: default + operator.istio.io/component: IngressGateways + release: istio + name: istio-ingressgateway-service-account + namespace: istio-system + +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: istio-ingressgateway + install.operator.istio.io/owning-resource: unknown + istio: ingressgateway + istio.io/rev: default + operator.istio.io/component: IngressGateways + release: istio + name: istio-ingressgateway + namespace: istio-system +spec: + selector: + matchLabels: + app: istio-ingressgateway + istio: ingressgateway + strategy: + rollingUpdate: + maxSurge: 100% + maxUnavailable: 25% + template: + metadata: + annotations: + istio.io/rev: default + prometheus.io/path: /stats/prometheus + prometheus.io/port: "15020" + prometheus.io/scrape: "true" + sidecar.istio.io/inject: "false" + labels: + app: istio-ingressgateway + chart: gateways + heritage: Tiller + install.operator.istio.io/owning-resource: unknown + istio: ingressgateway + istio.io/rev: default + operator.istio.io/component: IngressGateways + release: istio + service.istio.io/canonical-name: istio-ingressgateway + service.istio.io/canonical-revision: latest + sidecar.istio.io/inject: "false" + spec: + affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: null + requiredDuringSchedulingIgnoredDuringExecution: null + containers: + - args: + - proxy + - router + - --domain + - $(POD_NAMESPACE).svc.cluster.local + - --proxyLogLevel=warning + - --proxyComponentLogLevel=misc:error + - --log_output_level=default:info + env: + - name: PILOT_CERT_PROVIDER + value: istiod + - name: CA_ADDR + value: istiod.istio-system.svc:15012 + - name: NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + 
fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.podIP + - name: HOST_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.hostIP + - name: ISTIO_CPU_LIMIT + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: ISTIO_META_WORKLOAD_NAME + value: istio-ingressgateway + - name: ISTIO_META_OWNER + value: kubernetes://apis/apps/v1/namespaces/istio-system/deployments/istio-ingressgateway + - name: ISTIO_META_MESH_ID + value: cluster.local + - name: TRUST_DOMAIN + value: cluster.local + - name: ISTIO_META_UNPRIVILEGED_POD + value: "true" + - name: ISTIO_META_CLUSTER_ID + value: Kubernetes + - name: ISTIO_META_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + image: docker.io/istio/proxyv2:1.22.1 + name: istio-proxy + ports: + - containerPort: 15021 + protocol: TCP + - containerPort: 15012 + protocol: TCP + - containerPort: 15017 + protocol: TCP + - containerPort: 15090 + name: http-envoy-prom + protocol: TCP + readinessProbe: + failureThreshold: 30 + httpGet: + path: /healthz/ready + port: 15021 + scheme: HTTP + initialDelaySeconds: 1 + periodSeconds: 2 + successThreshold: 1 + timeoutSeconds: 1 + resources: + limits: + cpu: 2000m + memory: 1024Mi + requests: + cpu: 100m + memory: 128Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + volumeMounts: + - mountPath: /var/run/secrets/workload-spiffe-uds + name: workload-socket + - mountPath: /var/run/secrets/credential-uds + name: credential-socket + - mountPath: /var/run/secrets/workload-spiffe-credentials + name: workload-certs + - mountPath: /etc/istio/proxy + name: istio-envoy + - mountPath: /etc/istio/config + name: config-volume + - mountPath: 
/var/run/secrets/istio + name: istiod-ca-cert + - mountPath: /var/run/secrets/tokens + name: istio-token + readOnly: true + - mountPath: /var/lib/istio/data + name: istio-data + - mountPath: /etc/istio/pod + name: podinfo + - mountPath: /etc/istio/ingressgateway-certs + name: ingressgateway-certs + readOnly: true + - mountPath: /etc/istio/ingressgateway-ca-certs + name: ingressgateway-ca-certs + readOnly: true + securityContext: + runAsGroup: 1337 + runAsNonRoot: true + runAsUser: 1337 + serviceAccountName: istio-ingressgateway-service-account + volumes: + - emptyDir: {} + name: workload-socket + - emptyDir: {} + name: credential-socket + - emptyDir: {} + name: workload-certs + - configMap: + name: istio-ca-root-cert + name: istiod-ca-cert + - downwardAPI: + items: + - fieldRef: + fieldPath: metadata.labels + path: labels + - fieldRef: + fieldPath: metadata.annotations + path: annotations + name: podinfo + - emptyDir: {} + name: istio-envoy + - emptyDir: {} + name: istio-data + - name: istio-token + projected: + sources: + - serviceAccountToken: + audience: istio-ca + expirationSeconds: 43200 + path: istio-token + - configMap: + name: istio + optional: true + name: config-volume + - name: ingressgateway-certs + secret: + optional: true + secretName: istio-ingressgateway-certs + - name: ingressgateway-ca-certs + secret: + optional: true + secretName: istio-ingressgateway-ca-certs + +--- +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + labels: + app: istio-ingressgateway + install.operator.istio.io/owning-resource: unknown + istio: ingressgateway + istio.io/rev: default + operator.istio.io/component: IngressGateways + release: istio + name: istio-ingressgateway + namespace: istio-system +spec: + minAvailable: 1 + selector: + matchLabels: + app: istio-ingressgateway + istio: ingressgateway + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + install.operator.istio.io/owning-resource: unknown + istio.io/rev: default + 
operator.istio.io/component: IngressGateways + release: istio + name: istio-ingressgateway-sds + namespace: istio-system +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - watch + - list + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + install.operator.istio.io/owning-resource: unknown + istio.io/rev: default + operator.istio.io/component: IngressGateways + release: istio + name: istio-ingressgateway-sds + namespace: istio-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: istio-ingressgateway-sds +subjects: +- kind: ServiceAccount + name: istio-ingressgateway-service-account + +--- +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + labels: + app: istio-ingressgateway + install.operator.istio.io/owning-resource: unknown + istio: ingressgateway + istio.io/rev: default + operator.istio.io/component: IngressGateways + release: istio + name: istio-ingressgateway + namespace: istio-system +spec: + maxReplicas: 5 + metrics: + - resource: + name: cpu + target: + averageUtilization: 80 + type: Utilization + type: Resource + minReplicas: 1 + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: istio-ingressgateway + +--- +apiVersion: v1 +kind: Service +metadata: + annotations: null + labels: + app: istio-ingressgateway + install.operator.istio.io/owning-resource: unknown + istio: ingressgateway + istio.io/rev: default + operator.istio.io/component: IngressGateways + release: istio + name: istio-ingressgateway + namespace: istio-system +spec: + ports: + - name: status-port + port: 15021 + protocol: TCP + targetPort: 15021 + - name: tls-xds + port: 15012 + protocol: TCP + targetPort: 15012 + - name: tls-webhook + port: 15017 + protocol: TCP + targetPort: 15017 + selector: + app: istio-ingressgateway + istio: ingressgateway + type: LoadBalancer + +--- From bd6e0482446decb56d55a7344296a29408dee4b4 Mon Sep 17 00:00:00 2001 
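Review bot: The gateway Deployment pins `image: docker.io/istio/proxyv2:1.22.1` by a mutable tag and with no digest, while the instructions in the accompanying docs hunk fetch samples via `${ISTIO_VERSION}`, so the gateway proxy version and the control plane version can drift apart without anything flagging it. Either reference the image by digest (`docker.io/istio/proxyv2@sha256:<DIGEST-PLACEHOLDER>`) or add a comment such as `# keep in sync with the version set on the external-istiod Istio resource` so readers know this value has to be updated alongside the release. The `istio-ingressgateway-sds` Role grants get/list/watch on every Secret in istio-system; that is the usual SDS scope, but a one-line comment stating why the gateway needs read access to all Secrets in the namespace would save the next reader from treating it as an over-grant.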
From: Daniel Grimm Date: Mon, 23 Sep 2024 08:36:22 +0200 Subject: [PATCH 09/68] Use Kubernetes defaults for imagePullPolicy (#352) Signed-off-by: Daniel Grimm --- bundle/manifests/sailoperator.clusterserviceversion.yaml | 4 +--- chart/templates/deployment.yaml | 4 ++++ chart/values.yaml | 6 ++++-- 3 files changed, 9 insertions(+), 5 deletions(-) diff --git a/bundle/manifests/sailoperator.clusterserviceversion.yaml b/bundle/manifests/sailoperator.clusterserviceversion.yaml index de1cd4691..69e8b3d42 100644 --- a/bundle/manifests/sailoperator.clusterserviceversion.yaml +++ b/bundle/manifests/sailoperator.clusterserviceversion.yaml @@ -34,7 +34,7 @@ metadata: capabilities: Seamless Upgrades categories: OpenShift Optional, Integration & Delivery, Networking, Security containerImage: quay.io/maistra-dev/sail-operator:0.2-latest - createdAt: "2024-09-19T14:41:31Z" + createdAt: "2024-09-22T10:00:56Z" description: Experimental operator for installing Istio service mesh features.operators.openshift.io/cnf: "false" features.operators.openshift.io/cni: "true" @@ -643,7 +643,6 @@ spec: - --logtostderr=true - --v=0 image: gcr.io/kubebuilder/kube-rbac-proxy:v0.16.0 - imagePullPolicy: Always name: kube-rbac-proxy ports: - containerPort: 8443 @@ -668,7 +667,6 @@ spec: command: - /manager image: quay.io/maistra-dev/sail-operator:0.2-latest - imagePullPolicy: Always livenessProbe: httpGet: path: /healthz diff --git a/chart/templates/deployment.yaml b/chart/templates/deployment.yaml index 02c4c4646..d9fdcfd85 100644 --- a/chart/templates/deployment.yaml +++ b/chart/templates/deployment.yaml @@ -54,7 +54,9 @@ spec: - --logtostderr=true - --v=0 image: {{ .Values.proxy.image }} +{{- if .Values.proxy.imagePullPolicy }} imagePullPolicy: {{ .Values.proxy.imagePullPolicy }} +{{- end }} name: kube-rbac-proxy ports: - containerPort: 8443 
@@ -81,7 +83,9 @@ spec: command: - /manager image: {{ .Values.image }} +{{- if .Values.proxy.imagePullPolicy }} imagePullPolicy: {{ .Values.imagePullPolicy }} +{{- end }} livenessProbe: httpGet: path: /healthz diff --git a/chart/values.yaml b/chart/values.yaml index 75d8d8799..9dae758ca 100644 --- a/chart/values.yaml +++ b/chart/values.yaml @@ -43,10 +43,12 @@ csv: features.operators.openshift.io/cni: "true" features.operators.openshift.io/csi: "false" image: quay.io/maistra-dev/sail-operator:0.2-latest -imagePullPolicy: Always +# We're commenting out the imagePullPolicy to use k8s defaults +# imagePullPolicy: Always proxy: image: gcr.io/kubebuilder/kube-rbac-proxy:v0.16.0 - imagePullPolicy: Always + # We're commenting out the imagePullPolicy to use k8s defaults + # imagePullPolicy: IfNotPresent # setting this to true will add resources required to generate the bundle using operator-sdk bundleGeneration: false From ab57cdf683aba2beb08b15f5a03b4267af76efc4 Mon Sep 17 00:00:00 2001 From: Francisco Herrera Date: Mon, 23 Sep 2024 19:46:23 +0200 Subject: [PATCH 10/68] Adding E2e multicluster test (#342) * Adding E2e multicluster test Signed-off-by: frherrer * Add istioctl util go build Signed-off-by: frherrer * Delete kind config breaking the test Signed-off-by: frherrer * Removing references to raw.githubusercontent on multicluster related YAML Signed-off-by: frherrer * Updates from review: improve cleanup, minor fixes Signed-off-by: frherrer --------- 
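Review bot: The guard added around the manager container's `imagePullPolicy` tests the wrong value: it checks `.Values.proxy.imagePullPolicy` but renders `.Values.imagePullPolicy`, so a user who sets only `imagePullPolicy` gets the line silently dropped, and one who sets only `proxy.imagePullPolicy` gets an `imagePullPolicy:` with an empty value on the manager container. The guard should be `{{- if .Values.imagePullPolicy }}`, matching the `proxy` guard added in the hunk at @@ -54 above which is correct. With both values commented out in values.yaml the chart currently renders the same either way, which is presumably why this was not caught.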
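Review bot: The comment says the Kubernetes default is now used, but it does not say what that means for these images: `quay.io/maistra-dev/sail-operator:0.2-latest` is a moving tag whose name is not `latest`, so the default pull policy resolves to IfNotPresent and a node that already has a cached `0.2-latest` will keep running it after the tag is repointed. It would help to state this in the comment, e.g. `# Unset, so Kubernetes applies its default (IfNotPresent for non-"latest" tags); set to Always if you rely on the moving 0.2-latest tag`. The two commented-out examples also disagree with each other (`Always` for the operator, `IfNotPresent` for the proxy); showing the same value in both avoids suggesting the defaults differ.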
Signed-off-by: frherrer --- .devcontainer/devcontainer.json | 2 +- Makefile.core.mk | 28 +- common/scripts/kind_provisioner.sh | 13 +- common/scripts/setup_env.sh | 2 +- .../util/supportedversion/supportedversion.go | 27 ++ tests/e2e/common-operator-integ-suite.sh | 14 +- tests/e2e/config/default.yaml | 7 +- tests/e2e/config/multicluster.json | 14 + .../controlplane/control_plane_suite_test.go | 6 +- tests/e2e/controlplane/control_plane_test.go | 22 +- tests/e2e/integ-suite-kind.sh | 50 ++- .../multicluster_multiprimary_test.go | 344 +++++++++++++++++ .../multicluster_primaryremote_test.go | 346 ++++++++++++++++++ .../multicluster/multicluster_suite_test.go | 95 +++++ tests/e2e/operator/operator_suite_test.go | 6 +- tests/e2e/util/certs/certs.go | 280 ++++++++++++++ tests/e2e/util/client/client.go | 20 +- tests/e2e/util/common/e2e_utils.go | 57 ++- tests/e2e/util/istioctl/istioctl.go | 55 +++ tests/e2e/util/kubectl/kubectl.go | 102 +++++- 20 files changed, 1416 insertions(+), 74 deletions(-) create mode 100644 tests/e2e/config/multicluster.json create mode 100644 tests/e2e/multicluster/multicluster_multiprimary_test.go create mode 100644 tests/e2e/multicluster/multicluster_primaryremote_test.go create mode 100644 tests/e2e/multicluster/multicluster_suite_test.go create mode 100644 tests/e2e/util/certs/certs.go create mode 100644 tests/e2e/util/istioctl/istioctl.go diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json index 0b1d2b6d5..591b24ffa 100644 --- a/.devcontainer/devcontainer.json +++ b/.devcontainer/devcontainer.json @@ -1,6 +1,6 @@ { "name": "istio build-tools", - "image": "gcr.io/istio-testing/build-tools:master-0aa2afb4bac9a4fd1bfe50a929c077a643066b3a", + "image": "gcr.io/istio-testing/build-tools:master-8584ca511549c1cd96d9cb8b900297de83f4cb64", "privileged": true, "remoteEnv": { "USE_GKE_GCLOUD_AUTH_PLUGIN": "True", diff --git a/Makefile.core.mk b/Makefile.core.mk index 3a3cd3d7f..07a3ce318 100644 --- a/Makefile.core.mk 
+++ b/Makefile.core.mk @@ -165,8 +165,8 @@ test.e2e.ocp: ## Run the end-to-end tests against an existing OCP cluster. GINKGO_FLAGS="$(GINKGO_FLAGS)" ${SOURCE_DIR}/tests/e2e/integ-suite-ocp.sh .PHONY: test.e2e.kind -test.e2e.kind: ## Deploy a KinD cluster and run the end-to-end tests against it. - GINKGO_FLAGS="$(GINKGO_FLAGS)" ${SOURCE_DIR}/tests/e2e/integ-suite-kind.sh +test.e2e.kind: istioctl ## Deploy a KinD cluster and run the end-to-end tests against it. + GINKGO_FLAGS="$(GINKGO_FLAGS)" ISTIOCTL="$(ISTIOCTL)" ${SOURCE_DIR}/tests/e2e/integ-suite-kind.sh .PHONY: test.e2e.describe test.e2e.describe: ## Runs ginkgo outline -format indent over the e2e test to show in BDD style the steps and test structure @@ -450,6 +450,7 @@ CONTROLLER_GEN ?= $(LOCALBIN)/controller-gen ENVTEST ?= $(LOCALBIN)/setup-envtest GITLEAKS ?= $(LOCALBIN)/gitleaks OPM ?= $(LOCALBIN)/opm +ISTIOCTL ?= $(LOCALBIN)/istioctl ## Tool Versions OPERATOR_SDK_VERSION ?= v1.36.1 @@ -457,6 +458,7 @@ HELM_VERSION ?= v3.15.3 CONTROLLER_TOOLS_VERSION ?= v0.16.0 OPM_VERSION ?= v1.45.0 GITLEAKS_VERSION ?= v8.18.4 +ISTIOCTL_VERSION ?= 1.23.0 # GENERATE_RELATED_IMAGES defines whether `spec.relatedImages` is going to be generated or not # To disable set flag to false 
@@ -483,6 +485,28 @@ $(OPERATOR_SDK): $(LOCALBIN) curl -sSLfo $(LOCALBIN)/operator-sdk https://github.com/operator-framework/operator-sdk/releases/download/$(OPERATOR_SDK_VERSION)/operator-sdk_$(OS)_$(ARCH) && \ chmod +x $(LOCALBIN)/operator-sdk; +.PHONY: istioctl $(ISTIOCTL) +istioctl: $(ISTIOCTL) ## Download istioctl to bin directory. +istioctl: TARGET_OS=$(shell go env GOOS) +istioctl: TARGET_ARCH=$(shell go env GOARCH) +$(ISTIOCTL): $(LOCALBIN) + @test -s $(LOCALBIN)/istioctl || { \ + OSEXT=$(if $(filter $(TARGET_OS),Darwin),osx,linux); \ + URL="https://github.com/istio/istio/releases/download/$(ISTIOCTL_VERSION)/istioctl-$(ISTIOCTL_VERSION)-$$OSEXT-$(TARGET_ARCH).tar.gz"; \ + echo "Fetching istioctl from $$URL"; \ + curl -fsL $$URL -o /tmp/istioctl.tar.gz || { \ + echo "Download failed! Please check the URL and ISTIO_VERSION."; \ + exit 1; \ + }; \ + tar -xzf /tmp/istioctl.tar.gz -C /tmp || { \ + echo "Extraction failed!"; \ + exit 1; \ + }; \ + mv /tmp/istioctl $(LOCALBIN)/istioctl; \ + rm -f /tmp/istioctl.tar.gz; \ + echo "istioctl has been downloaded and placed in $(LOCALBIN)"; \ + } + .PHONY: controller-gen controller-gen: $(LOCALBIN) ## Download controller-gen to bin directory. If wrong version is installed, it will be overwritten. @test -s $(LOCALBIN)/controller-gen && $(LOCALBIN)/controller-gen --version | grep -q $(CONTROLLER_TOOLS_VERSION) || \ diff --git a/common/scripts/kind_provisioner.sh b/common/scripts/kind_provisioner.sh index 9c372b9ca..a2a5691f5 100644 --- a/common/scripts/kind_provisioner.sh +++ b/common/scripts/kind_provisioner.sh @@ -34,6 +34,9 @@ set -x # DEFAULT_KIND_IMAGE is used to set the Kubernetes version for KinD unless overridden in params to setup_kind_cluster(s) DEFAULT_KIND_IMAGE="gcr.io/istio-testing/kind-node:v1.28.4" +# the default kind cluster should be ipv4 if not otherwise specified +IP_FAMILY="${IP_FAMILY:-ipv4}" + # COMMON_SCRIPTS contains the directory this file is in. COMMON_SCRIPTS=$(dirname "${BASH_SOURCE:-$0}") 
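Review bot: The OS detection in the new `$(ISTIOCTL)` recipe never matches on macOS: `TARGET_OS` comes from `go env GOOS`, which prints `darwin`, and `$(filter $(TARGET_OS),Darwin)` is case-sensitive, so the `linux` tarball is downloaded on every platform; the line should read `OSEXT=$(if $(filter $(TARGET_OS),darwin),osx,linux); \`. The failure message also refers to `ISTIO_VERSION` while the variable actually used is `ISTIOCTL_VERSION`. Separately, the tarball is downloaded and executed with no integrity check and is staged at the fixed, shared paths `/tmp/istioctl.tar.gz` and `/tmp/istioctl`; verifying it against the checksum file that Istio publishes next to each release artifact and extracting into a `mktemp -d` directory would close both gaps.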
@@ -174,11 +177,6 @@ function setup_kind_cluster() { CONFIG=${DEFAULT_CLUSTER_YAML} fi - # Configure the ipFamily of the cluster - if [ -n "${IP_FAMILY}" ]; then - yq eval ".networking.ipFamily = \"${IP_FAMILY}\"" -i "${CONFIG}" - fi - KIND_WAIT_FLAG="--wait=180s" KIND_DISABLE_CNI="false" if [[ -n "${KUBERNETES_CNI:-}" ]]; then @@ -187,7 +185,8 @@ function setup_kind_cluster() { fi # Create KinD cluster - if ! (yq eval "${CONFIG}" --expression ".networking.disableDefaultCNI = ${KIND_DISABLE_CNI}" | \ + if ! (yq eval "${CONFIG}" --expression ".networking.disableDefaultCNI = ${KIND_DISABLE_CNI}" \ + --expression ".networking.ipFamily = \"${IP_FAMILY}\"" | \ kind create cluster --name="${NAME}" -v4 --retain --image "${IMAGE}" ${KIND_WAIT_FLAG:+"$KIND_WAIT_FLAG"} --config -); then echo "Could not setup KinD environment. Something wrong with KinD setup. Exporting logs." return 9 @@ -478,4 +477,4 @@ function ips_to_cidrs() { from ipaddress import summarize_address_range, IPv4Address [ print(n.compressed) for n in summarize_address_range(IPv4Address(u'$IP_RANGE_START'), IPv4Address(u'$IP_RANGE_END')) ] EOF -} +} \ No newline at end of file diff --git a/common/scripts/setup_env.sh b/common/scripts/setup_env.sh index ee932a946..e2c5b9211 100755 --- a/common/scripts/setup_env.sh +++ b/common/scripts/setup_env.sh @@ -75,7 +75,7 @@ fi TOOLS_REGISTRY_PROVIDER=${TOOLS_REGISTRY_PROVIDER:-gcr.io} PROJECT_ID=${PROJECT_ID:-istio-testing} if [[ "${IMAGE_VERSION:-}" == "" ]]; then - IMAGE_VERSION=master-0aa2afb4bac9a4fd1bfe50a929c077a643066b3a + IMAGE_VERSION=master-8584ca511549c1cd96d9cb8b900297de83f4cb64 fi if [[ "${IMAGE_NAME:-}" == "" ]]; then IMAGE_NAME=build-tools diff --git a/pkg/test/util/supportedversion/supportedversion.go b/pkg/test/util/supportedversion/supportedversion.go index 59cd44e56..58778d956 100644 --- a/pkg/test/util/supportedversion/supportedversion.go +++ b/pkg/test/util/supportedversion/supportedversion.go 
@@ -17,6 +17,8 @@ package supportedversion import ( "os" "path/filepath" + "regexp" + "strconv" "github.com/istio-ecosystem/sail-operator/pkg/test/project" "gopkg.in/yaml.v3" @@ -47,6 +49,12 @@ func init() { panic(err) } + // Major, Minor and Patch needs to be set from parsing the version string + for i := range versions.Versions { + v := &versions.Versions[i] + v.Major, v.Minor, v.Patch = parseVersion(v.Version) + } + List = versions.Versions Default = List[0].Name if len(List) > 1 { @@ -55,6 +63,22 @@ func init() { New = List[0].Name } +func parseVersion(version string) (int, int, int) { + // The version can have this formats: "1.22.2", "1.23.0-rc.1", "1.24-alpha" + re := regexp.MustCompile(`^(\d+)\.(\d+)\.?(\d*)`) + + matches := re.FindStringSubmatch(version) + if len(matches) < 4 { + return 0, 0, 0 + } + + major, _ := strconv.Atoi(matches[1]) + minor, _ := strconv.Atoi(matches[2]) + patch, _ := strconv.Atoi(matches[3]) + + return major, minor, patch +} + type Versions struct { Versions []VersionInfo `json:"versions"` } @@ -62,6 +86,9 @@ type Versions struct { type VersionInfo struct { Name string `json:"name"` Version string `json:"version"` + Major int `json:"major"` + Minor int `json:"minor"` + Patch int `json:"patch"` Repo string `json:"repo"` Branch string `json:"branch,omitempty"` Commit string `json:"commit"` diff --git a/tests/e2e/common-operator-integ-suite.sh b/tests/e2e/common-operator-integ-suite.sh index d4fdedb1d..935cd1a3e 100755 --- a/tests/e2e/common-operator-integ-suite.sh +++ b/tests/e2e/common-operator-integ-suite.sh @@ -29,6 +29,7 @@ parse_flags() { SKIP_DEPLOY=${SKIP_DEPLOY:-false} OLM=${OLM:-false} DESCRIBE=false + MULTICLUSTER=false while [ $# -gt 0 ]; do case "$1" in --ocp) @@ -39,6 +40,10 @@ parse_flags() { shift OCP=false ;; + --multicluster) + shift + MULTICLUSTER=true + ;; --skip-build) shift SKIP_BUILD=true 
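Review bot: `parseVersion` compiles its regexp on every call and returns `0, 0, 0` without any signal when the string does not match, so a typo in versions.yaml makes that entry compare as 0.0.0 while `init` panics on every other kind of bad input; the discrepancy is worth fixing here. Hoist the pattern to package scope with `var versionRegex = regexp.MustCompile(`^(\d+)\.(\d+)\.?(\d*)`)` and have the loop in `init` panic (or log) when the match fails, so the failure surfaces at startup like the others. The ignored `strconv.Atoi` errors are acceptable for the two mandatory digit groups, but a short comment such as `// patch group may be empty ("1.24-alpha"); Atoi then fails and patch stays 0` would make the intentional `_` clear to the next reader.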
@@ -80,6 +85,10 @@ parse_flags() { echo "Running on kind" fi + if [ "${MULTICLUSTER}" == "true" ]; then + echo "Running on multicluster" + fi + if [ "${SKIP_BUILD}" == "true" ]; then echo "Skipping build" fi @@ -108,6 +117,7 @@ initialize_variables() { COMMAND="kubectl" ARTIFACTS="${ARTIFACTS:-$(mktemp -d)}" KUBECONFIG="${KUBECONFIG:-"${ARTIFACTS}/config"}" + ISTIOCTL="${ISTIOCTL:-"istioctl"}" LOCALBIN="${LOCALBIN:-${HOME}/bin}" OPERATOR_SDK=${LOCALBIN}/operator-sdk @@ -258,6 +268,6 @@ fi # Run the go test passing the env variables defined that are going to be used in the operator tests # shellcheck disable=SC2086 IMAGE="${HUB}/${IMAGE_BASE}:${TAG}" SKIP_DEPLOY="${SKIP_DEPLOY}" OCP="${OCP}" ISTIO_MANIFEST="${ISTIO_MANIFEST}" \ -NAMESPACE="${NAMESPACE}" CONTROL_PLANE_NS="${CONTROL_PLANE_NS}" DEPLOYMENT_NAME="${DEPLOYMENT_NAME}" \ -ISTIO_NAME="${ISTIO_NAME}" COMMAND="${COMMAND}" VERSIONS_YAML_FILE="${VERSIONS_YAML_FILE}" KUBECONFIG="${KUBECONFIG}" \ +NAMESPACE="${NAMESPACE}" CONTROL_PLANE_NS="${CONTROL_PLANE_NS}" DEPLOYMENT_NAME="${DEPLOYMENT_NAME}" MULTICLUSTER="${MULTICLUSTER}" ARTIFACTS="${ARTIFACTS}" \ +ISTIO_NAME="${ISTIO_NAME}" COMMAND="${COMMAND}" VERSIONS_YAML_FILE="${VERSIONS_YAML_FILE}" KUBECONFIG="${KUBECONFIG}" ISTIOCTL_PATH="${ISTIOCTL}" \ go run github.com/onsi/ginkgo/v2/ginkgo -tags e2e --timeout 30m --junit-report=report.xml ${GINKGO_FLAGS} "${WD}"/... diff --git a/tests/e2e/config/default.yaml b/tests/e2e/config/default.yaml index 58c947c9e..9f160497d 100644 --- a/tests/e2e/config/default.yaml +++ b/tests/e2e/config/default.yaml 
@@ -27,9 +27,4 @@ containerdConfigPatches: - |- [plugins."io.containerd.grpc.v1.cri".registry.mirrors."localhost:5000"] endpoint = ["http://kind-registry:5000"] -networking: - # MAISTRA specific: - # our prow cluster uses serviceSubnet 10.96.0.0/12, so the kind cluster must use other subnet to correctly route traffic; - # in this case, address 10.224.0.0 is chosen randomly from available set of subnets. - serviceSubnet: "10.224.0.0/12" - ipFamily: ipv4 + diff --git a/tests/e2e/config/multicluster.json b/tests/e2e/config/multicluster.json new file mode 100644 index 000000000..247824a37 --- /dev/null +++ b/tests/e2e/config/multicluster.json @@ -0,0 +1,14 @@ +[ + { + "cluster_name": "primary", + "pod_subnet": "10.10.0.0/16", + "svc_subnet": "10.255.10.0/24", + "network_id": "0" + }, + { + "cluster_name": "remote", + "pod_subnet": "10.20.0.0/16", + "svc_subnet": "10.255.20.0/24", + "network_id": "1" + } +] \ No newline at end of file diff --git a/tests/e2e/controlplane/control_plane_suite_test.go b/tests/e2e/controlplane/control_plane_suite_test.go index 1603b380e..872a0578a 100644 --- a/tests/e2e/controlplane/control_plane_suite_test.go +++ b/tests/e2e/controlplane/control_plane_suite_test.go @@ -40,9 +40,13 @@ var ( skipDeploy = env.GetBool("SKIP_DEPLOY", false) expectedRegistry = env.Get("EXPECTED_REGISTRY", "^docker\\.io|^gcr\\.io") bookinfoNamespace = env.Get("BOOKINFO_NAMESPACE", "bookinfo") + multicluster = env.GetBool("MULTICLUSTER", false) ) func TestInstall(t *testing.T) { + if multicluster { + t.Skip("Skipping test for multicluster") + } RegisterFailHandler(Fail) setup() RunSpecs(t, "Control Plane Suite") @@ -52,6 +56,6 @@ func setup() { GinkgoWriter.Println("************ Running Setup ************") GinkgoWriter.Println("Initializing k8s client") - cl, err = k8sclient.InitK8sClient() + cl, err = k8sclient.InitK8sClient("") Expect(err).NotTo(HaveOccurred()) } 
diff --git a/tests/e2e/controlplane/control_plane_test.go b/tests/e2e/controlplane/control_plane_test.go index ab3007e2f..ec7a6574a 100644 --- a/tests/e2e/controlplane/control_plane_test.go +++ b/tests/e2e/controlplane/control_plane_test.go @@ -19,7 +19,6 @@ package controlplane import ( "fmt" "path/filepath" - "regexp" "strings" "time" @@ -43,12 +42,6 @@ import ( "istio.io/istio/pkg/ptr" ) -// version can have one of the following formats: -// - 1.22.2 -// - 1.23.0-rc.1 -// - 1.24-alpha -var istiodVersionRegex = regexp.MustCompile(`Version:"(\d+\.\d+(\.\d+)?(-\w+(\.\d+)?)?)`) - var _ = Describe("Control Plane Installation", Ordered, func() { SetDefaultEventuallyTimeout(180 * time.Second) SetDefaultEventuallyPollingInterval(time.Second) @@ -219,7 +212,7 @@ spec: It("deploys istiod", func(ctx SpecContext) { Eventually(common.GetObject).WithArguments(ctx, cl, kube.Key("istiod", controlPlaneNamespace), &appsv1.Deployment{}). Should(HaveCondition(appsv1.DeploymentAvailable, metav1.ConditionTrue), "Istiod is not Available; unexpected Condition") - Expect(getVersionFromIstiod()).To(Equal(version.Version), "Unexpected istiod version") + Expect(common.GetVersionFromIstiod()).To(Equal(version.Version), "Unexpected istiod version") Success("Istiod is deployed in the namespace and Running") }) 
@@ -356,19 +349,6 @@ func ImageFromRegistry(regexp string) types.GomegaMatcher { return HaveField("Image", MatchRegexp(regexp)) } -func getVersionFromIstiod() (string, error) { - output, err := kubectl.Exec(controlPlaneNamespace, "deploy/istiod", "", "pilot-discovery version") - if err != nil { - return "", fmt.Errorf("error getting version from istiod: %w", err) - } - - matches := istiodVersionRegex.FindStringSubmatch(output) - if len(matches) > 1 && matches[1] != "" { - return matches[1], nil - } - return "", fmt.Errorf("error getting version from istiod: version not found in output: %s", output) -} - func indent(level int, str string) string { indent := strings.Repeat(" ", level) return indent + strings.ReplaceAll(str, "\n", "\n"+indent) diff --git a/tests/e2e/integ-suite-kind.sh b/tests/e2e/integ-suite-kind.sh index 39a5b415e..90a939851 100755 --- a/tests/e2e/integ-suite-kind.sh +++ b/tests/e2e/integ-suite-kind.sh @@ -29,9 +29,19 @@ export KIND_REGISTRY="localhost:${KIND_REGISTRY_PORT}" export DEFAULT_CLUSTER_YAML="${SCRIPTPATH}/config/default.yaml" export IP_FAMILY="${IP_FAMILY:-ipv4}" export ARTIFACTS="${ARTIFACTS:-$(mktemp -d)}" +export MULTICLUSTER="${MULTICLUSTER:-false}" +# Set variable to exclude kind clusters from kubectl annotations. +# You need to set kind clusters names separated by comma +export KIND_EXCLUDE_CLUSTERS="${KIND_EXCLUDE_CLUSTERS:-}" +export ISTIOCTL="${ISTIOCTL:-${ROOT}/bin/istioctl}" + # Set variable for cluster kind name export KIND_CLUSTER_NAME="${KIND_CLUSTER_NAME:-operator-integration-tests}" +if [ "${MULTICLUSTER}" == "true" ]; then + export KIND_CLUSTER_NAME="${KIND_CLUSTER_NAME}-1" + export KIND_CLUSTER_NAME_2="${KIND_CLUSTER_NAME}-2" +fi # Use the local registry instead of the default HUB export HUB="${KIND_REGISTRY}" 
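Review bot: The multicluster name derivation in the `integ-suite-kind.sh` hunk suffixes `KIND_CLUSTER_NAME` with `-1` first and then builds `KIND_CLUSTER_NAME_2` from the already-suffixed value, so the second name becomes `operator-integration-tests-1-2` rather than `...-2`. Swapping the two lines fixes it: `export KIND_CLUSTER_NAME_2="${KIND_CLUSTER_NAME}-2"` followed by `export KIND_CLUSTER_NAME="${KIND_CLUSTER_NAME}-1"`. The multicluster branch later creates clusters from `config/multicluster.json`, whose names are `primary` and `remote`, so it is not clear from this diff that either variable is consumed in that mode; if they are not, dropping the block avoids advertising names that do not exist.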
@@ -52,16 +62,44 @@ function setup_kind_registry() { fi # https://docs.tilt.dev/choosing_clusters.html#discovering-the-registry - # TODO get context/config from existing variables - kind export kubeconfig --name="${KIND_CLUSTER_NAME}" - for node in $(kind get nodes --name="${KIND_CLUSTER_NAME}"); do - kubectl annotate node "${node}" "kind.x-k8s.io/registry=localhost:${KIND_REGISTRY_PORT}" --overwrite; + for cluster in $(kind get clusters); do + # TODO get context/config from existing variables + # Avoid adding the registry to excluded clusters. Use when you have multiple clusters running. + if [[ "${KIND_EXCLUDE_CLUSTERS}" == *"${cluster}"* ]]; then + continue + fi + + kind export kubeconfig --name="${cluster}" + for node in $(kind get nodes --name="${cluster}"); do + kubectl annotate node "${node}" "kind.x-k8s.io/registry=localhost:${KIND_REGISTRY_PORT}" --overwrite; + done done } -KUBECONFIG="${ARTIFACTS}/config" setup_kind_cluster "${KIND_CLUSTER_NAME}" "" "" "true" "true" -setup_kind_registry +if [ "${MULTICLUSTER}" == "true" ]; then + CLUSTER_TOPOLOGY_CONFIG_FILE="${SCRIPTPATH}/config/multicluster.json" + load_cluster_topology "${CLUSTER_TOPOLOGY_CONFIG_FILE}" + setup_kind_clusters "" "" + setup_kind_registry + + export KUBECONFIG="${KUBECONFIGS[0]}" + export KUBECONFIG2="${KUBECONFIGS[1]}" +else + KUBECONFIG="${ARTIFACTS}/config" setup_kind_cluster "${KIND_CLUSTER_NAME}" "" "" "true" "true" + setup_kind_registry +fi + + +# Check that istioctl is present using ${ISTIOCTL} +if ! command -v "${ISTIOCTL}" &> /dev/null; then + echo "istioctl not found. 
Please set the ISTIOCTL environment variable to the path of the istioctl binary" + exit 1 +fi # Run the integration tests echo "Running integration tests" +if [ "${MULTICLUSTER}" == "true" ]; then + ARTIFACTS="${ARTIFACTS}" ISTIOCTL="${ISTIOCTL}" ./tests/e2e/common-operator-integ-suite.sh --kind --multicluster +else ARTIFACTS="${ARTIFACTS}" ./tests/e2e/common-operator-integ-suite.sh --kind +fi \ No newline at end of file diff --git a/tests/e2e/multicluster/multicluster_multiprimary_test.go b/tests/e2e/multicluster/multicluster_multiprimary_test.go new file mode 100644 index 000000000..97c404c52 --- /dev/null +++ b/tests/e2e/multicluster/multicluster_multiprimary_test.go 
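Review bot: `setup_kind_registry` now iterates over `kind get clusters`, which is every kind cluster on the host, and runs `kind export kubeconfig` plus node annotations on each one not listed in `KIND_EXCLUDE_CLUSTERS`; the previous code touched only `KIND_CLUSTER_NAME`. On a developer machine that writes to and switches the current context of the caller's default kubeconfig for clusters unrelated to this run, and relies on the user remembering to set the exclude list. The exclusion is also a substring test (`*"${cluster}"*`), so excluding `primary` also excludes `primary-2`; an exact match on the comma-separated list, `case ",${KIND_EXCLUDE_CLUSTERS}," in *",${cluster},"*) continue ;; esac`, avoids that, and restricting the loop to the clusters this script itself created (the topology names in multicluster mode, `KIND_CLUSTER_NAME` otherwise) would remove the need for an exclude list altogether.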
@@ -0,0 +1,344 @@
+//go:build e2e
+
+// Copyright Istio Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package multicluster
+
+import (
+ "context"
+ "fmt"
+ "path/filepath"
+ "strings"
+ "time"
+
+ "github.com/istio-ecosystem/sail-operator/api/v1alpha1"
+ "github.com/istio-ecosystem/sail-operator/pkg/kube"
+ "github.com/istio-ecosystem/sail-operator/pkg/test/project"
+ . "github.com/istio-ecosystem/sail-operator/pkg/test/util/ginkgo"
+ "github.com/istio-ecosystem/sail-operator/pkg/test/util/supportedversion"
+ "github.com/istio-ecosystem/sail-operator/tests/e2e/util/certs"
+ common "github.com/istio-ecosystem/sail-operator/tests/e2e/util/common"
+ . "github.com/istio-ecosystem/sail-operator/tests/e2e/util/gomega"
+ "github.com/istio-ecosystem/sail-operator/tests/e2e/util/helm"
+ "github.com/istio-ecosystem/sail-operator/tests/e2e/util/istioctl"
+ "github.com/istio-ecosystem/sail-operator/tests/e2e/util/kubectl"
+ . "github.com/onsi/ginkgo/v2"
+ . "github.com/onsi/gomega"
+ appsv1 "k8s.io/api/apps/v1"
+ corev1 "k8s.io/api/core/v1"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "sigs.k8s.io/controller-runtime/pkg/client"
+)
+
+var _ = Describe("Multicluster deployment models", Ordered, func() {
+ SetDefaultEventuallyTimeout(180 * time.Second)
+ SetDefaultEventuallyPollingInterval(time.Second)
+
+ BeforeAll(func(ctx SpecContext) {
+ if !skipDeploy {
+ // Deploy the Sail Operator on both clusters
+ Expect(kubectl.CreateNamespace(namespace, kubeconfig)).To(Succeed(), "Namespace failed to be created on Cluster #1")
+ Expect(kubectl.CreateNamespace(namespace, kubeconfig2)).To(Succeed(), "Namespace failed to be created on Cluster #2")
+
+ Expect(helm.Install("sail-operator", filepath.Join(project.RootDir, "chart"), "--namespace "+namespace, "--set=image="+image, "--kubeconfig "+kubeconfig)).
+ To(Succeed(), "Operator failed to be deployed in Cluster #1")
+
+ Eventually(common.GetObject).
+ WithArguments(ctx, clPrimary, kube.Key(deploymentName, namespace), &appsv1.Deployment{}).
+ Should(HaveCondition(appsv1.DeploymentAvailable, metav1.ConditionTrue), "Error getting Istio CRD")
+ Success("Operator is deployed in the Cluster #1 namespace and Running")
+
+ Expect(helm.Install("sail-operator", filepath.Join(project.RootDir, "chart"), "--namespace "+namespace, "--set=image="+image, "--kubeconfig "+kubeconfig2)).
+ To(Succeed(), "Operator failed to be deployed in Cluster #2")
+
+ Eventually(common.GetObject).
+ WithArguments(ctx, clRemote, kube.Key(deploymentName, namespace), &appsv1.Deployment{}).
+ Should(HaveCondition(appsv1.DeploymentAvailable, metav1.ConditionTrue), "Error getting Istio CRD")
+ Success("Operator is deployed in the Cluster #2 namespace and Running")
+ }
+ })
+
+ Describe("Multi-Primary Multi-Network configuration", func() {
+ // Test the Multi-Primary Multi-Network configuration for each supported Istio version
+ for _, version := range supportedversion.List {
+ Context("Istio version is: "+version.Version, func() {
+ When("Istio resources are created in both clusters with multicluster configuration", func() {
+ BeforeAll(func(ctx SpecContext) {
+ Expect(kubectl.CreateNamespace(controlPlaneNamespace, kubeconfig)).To(Succeed(), "Namespace failed to be created")
+ Expect(kubectl.CreateNamespace(controlPlaneNamespace, kubeconfig2)).To(Succeed(), "Namespace failed to be created")
+
+ // Push the intermediate CA to both clusters
+ certs.PushIntermediateCA(controlPlaneNamespace, kubeconfig, "east", "network1", artifacts, clPrimary)
+ certs.PushIntermediateCA(controlPlaneNamespace, kubeconfig2, "west", "network2", artifacts, clRemote)
+
+ // Wait for the secret to be created in both clusters
+ Eventually(func() error {
+ _, err := common.GetObject(context.Background(), clPrimary, kube.Key("cacerts", controlPlaneNamespace), &corev1.Secret{})
+ return err
+ }).ShouldNot(HaveOccurred(), "Secret is not created on Cluster #1")
+
+ Eventually(func() error {
+ _, err := common.GetObject(context.Background(), clRemote, kube.Key("cacerts", controlPlaneNamespace), &corev1.Secret{})
+ return err
+ }).ShouldNot(HaveOccurred(), "Secret is not created on Cluster #1")
+
+ multiclusterYAML := `
+apiVersion: sailoperator.io/v1alpha1
+kind: Istio
+metadata:
+ name: default
+spec:
+ version: %s
+ namespace: %s
+ values:
+ global:
+ meshID: %s
+ multiCluster:
+ clusterName: %s
+ network: %s`
+ multiclusterCluster1YAML := fmt.Sprintf(multiclusterYAML, version.Name, controlPlaneNamespace, "mesh1", "cluster1", "network1")
+ Log("Istio CR Cluster #1: ", multiclusterCluster1YAML)
+ Expect(kubectl.CreateFromString(multiclusterCluster1YAML, kubeconfig)).To(Succeed(), "Istio Resource creation failed on Cluster #1")
+
+ multiclusterCluster2YAML := fmt.Sprintf(multiclusterYAML, version.Name, controlPlaneNamespace, "mesh1", "cluster2", "network2")
+ Log("Istio CR Cluster #2: ", multiclusterCluster2YAML)
+ Expect(kubectl.CreateFromString(multiclusterCluster2YAML, kubeconfig2)).To(Succeed(), "Istio Resource creation failed on Cluster #2")
+ })
+
+ It("updates both Istio CR status to Ready", func(ctx SpecContext) {
+ Eventually(common.GetObject).
+ WithArguments(ctx, clPrimary, kube.Key(istioName), &v1alpha1.Istio{}).
+ Should(HaveCondition(v1alpha1.IstioConditionReady, metav1.ConditionTrue), "Istio is not Ready on Cluster #1; unexpected Condition")
+ Success("Istio CR is Ready on Cluster #1")
+
+ Eventually(common.GetObject).
+ WithArguments(ctx, clRemote, kube.Key(istioName), &v1alpha1.Istio{}).
+ Should(HaveCondition(v1alpha1.IstioConditionReady, metav1.ConditionTrue), "Istio is not Ready on Cluster #2; unexpected Condition")
+ Success("Istio CR is Ready on Cluster #1")
+ })
+
+ It("deploys istiod", func(ctx SpecContext) {
+ Eventually(common.GetObject).
+ WithArguments(ctx, clPrimary, kube.Key("istiod", controlPlaneNamespace), &appsv1.Deployment{}).
+ Should(HaveCondition(appsv1.DeploymentAvailable, metav1.ConditionTrue), "Istiod is not Available on Cluster #1; unexpected Condition")
+ Expect(common.GetVersionFromIstiod()).To(Equal(version.Version), "Unexpected istiod version")
+ Success("Istiod is deployed in the namespace and Running on Cluster #1")
+
+ Eventually(common.GetObject).
+ WithArguments(ctx, clRemote, kube.Key("istiod", controlPlaneNamespace), &appsv1.Deployment{}).
+ Should(HaveCondition(appsv1.DeploymentAvailable, metav1.ConditionTrue), "Istiod is not Available on Cluster #2; unexpected Condition")
+ Expect(common.GetVersionFromIstiod()).To(Equal(version.Version), "Unexpected istiod version")
+ Success("Istiod is deployed in the namespace and Running on Cluster #2")
+ })
+ })
+
+ When("Gateway is created in both clusters", func() {
+ BeforeAll(func(ctx SpecContext) {
+ Expect(kubectl.Apply(controlPlaneNamespace, eastGatewayYAML, kubeconfig)).To(Succeed(), "Gateway creation failed on Cluster #1")
+
+ Expect(kubectl.Apply(controlPlaneNamespace, westGatewayYAML, kubeconfig2)).To(Succeed(), "Gateway creation failed on Cluster #2")
+
+ // Expose the Gateway service in both clusters
+ Expect(kubectl.Apply(controlPlaneNamespace, exposeServiceYAML, kubeconfig)).To(Succeed(), "Expose Service creation failed on Cluster #1")
+ Expect(kubectl.Apply(controlPlaneNamespace, exposeServiceYAML, kubeconfig2)).To(Succeed(), "Expose Service creation failed on Cluster #2")
+ })
+
+ It("updates both Gateway status to Available", func(ctx SpecContext) {
+ Eventually((common.GetObject)).
+ WithArguments(ctx, clPrimary, kube.Key("istio-eastwestgateway", controlPlaneNamespace), &appsv1.Deployment{}).
+ Should(HaveCondition(appsv1.DeploymentAvailable, metav1.ConditionTrue), "Gateway is not Ready on Cluster #1; unexpected Condition")
+
+ Eventually((common.GetObject)).
+ WithArguments(ctx, clRemote, kube.Key("istio-eastwestgateway", controlPlaneNamespace), &appsv1.Deployment{}).
+ Should(HaveCondition(appsv1.DeploymentAvailable, metav1.ConditionTrue), "Gateway is not Ready on Cluster #2; unexpected Condition")
+ Success("Gateway is created and available in both clusters")
+ })
+ })
+
+ When("are installed remote secrets on each cluster", func() {
+ BeforeAll(func(ctx SpecContext) {
+ // Get the internal IP of the control plane node in both clusters
+ internalIPCluster1, err := kubectl.GetInternalIP("node-role.kubernetes.io/control-plane", kubeconfig)
+ Expect(err).NotTo(HaveOccurred())
+ Expect(internalIPCluster1).NotTo(BeEmpty(), "Internal IP is empty for Cluster #1")
+
+ internalIPCluster2, err := kubectl.GetInternalIP("node-role.kubernetes.io/control-plane", kubeconfig2)
+ Expect(internalIPCluster2).NotTo(BeEmpty(), "Internal IP is empty for Cluster #2")
+ Expect(err).NotTo(HaveOccurred())
+
+ // Install a remote secret in Cluster #1 that provides access to the Cluster #2 API server.
+ secret, err := istioctl.CreateRemoteSecret(kubeconfig2, "cluster2", internalIPCluster2)
+ Expect(err).NotTo(HaveOccurred())
+ Expect(kubectl.ApplyString("", secret, kubeconfig)).To(Succeed(), "Remote secret creation failed on Cluster #1")
+
+ // Install a remote secret in Cluster #2 that provides access to the Cluster #1 API server.
+ secret, err = istioctl.CreateRemoteSecret(kubeconfig, "cluster1", internalIPCluster1)
+ Expect(err).NotTo(HaveOccurred())
+ Expect(kubectl.ApplyString("", secret, kubeconfig2)).To(Succeed(), "Remote secret creation failed on Cluster #1")
+ })
+
+ It("remote secrets are created", func(ctx SpecContext) {
+ secret, err := common.GetObject(ctx, clPrimary, kube.Key("istio-remote-secret-cluster2", controlPlaneNamespace), &corev1.Secret{})
+ Expect(err).NotTo(HaveOccurred())
+ Expect(secret).NotTo(BeNil(), "Secret is not created on Cluster #1")
+
+ secret, err = common.GetObject(ctx, clRemote, kube.Key("istio-remote-secret-cluster1", controlPlaneNamespace), &corev1.Secret{})
+ Expect(err).NotTo(HaveOccurred())
+ Expect(secret).NotTo(BeNil(), "Secret is not created on Cluster #2")
+ Success("Remote secrets are created in both clusters")
+ })
+ })
+
+ When("sample apps are deployed in both clusters", func() {
+ BeforeAll(func(ctx SpecContext) {
+ // Deploy the sample app in both clusters
+ deploySampleApp("sample", version, kubeconfig, kubeconfig2)
+ Success("Sample app is deployed in both clusters")
+ })
+
+ It("updates the pods status to Ready", func(ctx SpecContext) {
+ samplePodsCluster1 := &corev1.PodList{}
+
+ clPrimary.List(ctx, samplePodsCluster1, client.InNamespace("sample"))
+ Expect(samplePodsCluster1.Items).ToNot(BeEmpty(), "No pods found in bookinfo namespace")
+
+ for _, pod := range samplePodsCluster1.Items {
+ Eventually(common.GetObject).
+ WithArguments(ctx, clPrimary, kube.Key(pod.Name, "sample"), &corev1.Pod{}).
+ Should(HaveCondition(corev1.PodReady, metav1.ConditionTrue), "Pod is not Ready on Cluster #1; unexpected Condition")
+ }
+
+ samplePodsCluster2 := &corev1.PodList{}
+ clRemote.List(ctx, samplePodsCluster2, client.InNamespace("sample"))
+ Expect(samplePodsCluster2.Items).ToNot(BeEmpty(), "No pods found in bookinfo namespace")
+
+ for _, pod := range samplePodsCluster2.Items {
+ Eventually(common.GetObject).
+ WithArguments(ctx, clRemote, kube.Key(pod.Name, "sample"), &corev1.Pod{}).
+ Should(HaveCondition(corev1.PodReady, metav1.ConditionTrue), "Pod is not Ready on Cluster #2; unexpected Condition")
+ }
+ Success("Sample app is created in both clusters and Running")
+ })
+
+ It("can access the sample app from both clusters", func(ctx SpecContext) {
+ sleepPodNameCluster1, err := common.GetPodNameByLabel(ctx, clPrimary, "sample", "app", "sleep")
+ Expect(sleepPodNameCluster1).NotTo(BeEmpty(), "Sleep pod not found on Cluster #1")
+ Expect(err).NotTo(HaveOccurred(), "Error getting sleep pod name on Cluster #1")
+
+ sleepPodNameCluster2, err := common.GetPodNameByLabel(ctx, clRemote, "sample", "app", "sleep")
+ Expect(sleepPodNameCluster2).NotTo(BeEmpty(), "Sleep pod not found on Cluster #2")
+ Expect(err).NotTo(HaveOccurred(), "Error getting sleep pod name on Cluster #2")
+
+ // Run the curl command from the sleep pod in the Cluster #2 and get response list to validate that we get responses from both clusters
+ Cluster2Responses := strings.Join(getListCurlResponses(sleepPodNameCluster2, kubeconfig2), "\n")
+ Expect(Cluster2Responses).To(ContainSubstring("Hello version: v1"), "Responses from Cluster #2 are not the expected")
+ Expect(Cluster2Responses).To(ContainSubstring("Hello version: v2"), "Responses from Cluster #2 are not the expected")
+
+ // Run the curl command from the sleep pod in the Cluster #1 and get response list to validate that we get responses from both clusters
+ Cluster1Responses := strings.Join(getListCurlResponses(sleepPodNameCluster1, kubeconfig), "\n")
+ Expect(Cluster1Responses).To(ContainSubstring("Hello version: v1"), "Responses from Cluster #1 are not the expected")
+ Expect(Cluster1Responses).To(ContainSubstring("Hello version: v2"), "Responses from Cluster #1 are not the expected")
+ Success("Sample app is accessible from both clusters")
+ })
+ })
+
+ When("istio CR is deleted in both clusters", func() {
+ BeforeEach(func() {
+ // Delete the Istio CR in both clusters
+ Expect(kubectl.Delete(controlPlaneNamespace, "istio", istioName, kubeconfig)).To(Succeed(), "Istio CR failed to be deleted")
+ Expect(kubectl.Delete(controlPlaneNamespace, "istio", istioName, kubeconfig2)).To(Succeed(), "Istio CR failed to be deleted")
+ Success("Istio CR is deleted in both clusters")
+ })
+
+ It("removes istiod pod", func(ctx SpecContext) {
+ // Check istiod pod is deleted in both clusters
+ Eventually(clPrimary.Get).WithArguments(ctx, kube.Key("istiod", controlPlaneNamespace), &appsv1.Deployment{}).
+ Should(ReturnNotFoundError(), "Istiod should not exist anymore on Cluster #1")
+ Eventually(clRemote.Get).WithArguments(ctx, kube.Key("istiod", controlPlaneNamespace), &appsv1.Deployment{}).
+ Should(ReturnNotFoundError(), "Istiod should not exist anymore on Cluster #2")
+ })
+ })
+
+ AfterAll(func(ctx SpecContext) {
+ // Delete namespace to ensure clean up for new tests iteration
+ Expect(kubectl.DeleteNamespace(controlPlaneNamespace, kubeconfig)).To(Succeed(), "Namespace failed to be deleted on Cluster #1")
+ Expect(kubectl.DeleteNamespace(controlPlaneNamespace, kubeconfig2)).To(Succeed(), "Namespace failed to be deleted on Cluster #2")
+
+ common.CheckNamespaceEmpty(ctx, clPrimary, controlPlaneNamespace)
+ common.CheckNamespaceEmpty(ctx, clRemote, controlPlaneNamespace)
+ Success("ControlPlane Namespaces are empty")
+
+ // Delete the entire sample namespace in both clusters
+ Expect(kubectl.DeleteNamespace("sample", kubeconfig)).To(Succeed(), "Namespace failed to be deleted on Cluster #1")
+ Expect(kubectl.DeleteNamespace("sample", kubeconfig2)).To(Succeed(), "Namespace failed to be deleted on Cluster #2")
+
+ common.CheckNamespaceEmpty(ctx, clPrimary, "sample")
+ common.CheckNamespaceEmpty(ctx, clRemote, "sample")
+ Success("Sample app is deleted in both clusters")
+ })
+ })
+ }
+ })
+
+ AfterAll(func(ctx SpecContext) {
+ // Delete the Sail Operator from both clusters
+ Expect(kubectl.DeleteNamespace(namespace, kubeconfig)).To(Succeed(), "Namespace failed to be deleted on Cluster #1")
+ Expect(kubectl.DeleteNamespace(namespace, kubeconfig2)).To(Succeed(), "Namespace failed to be deleted on Cluster #2")
+
+ // Delete the intermediate CA from both clusters
+ common.CheckNamespaceEmpty(ctx, clPrimary, namespace)
+ common.CheckNamespaceEmpty(ctx, clRemote, namespace)
+ })
+})
+
+// deploySampleApp deploys the sample app in the given cluster
+func deploySampleApp(ns string, istioVersion supportedversion.VersionInfo, kubeconfig string, kubeconfig2 string) {
+ // Create the namespace
+ Expect(kubectl.CreateNamespace(ns, kubeconfig)).To(Succeed(), "Namespace failed to be created")
+ Expect(kubectl.CreateNamespace(ns, kubeconfig2)).To(Succeed(), "Namespace failed to be created")
+
+ // Label the namespace
+ Expect(kubectl.Patch("", "namespace", ns, "merge", `{"metadata":{"labels":{"istio-injection":"enabled"}}}`)).
+ To(Succeed(), "Error patching sample namespace")
+ Expect(kubectl.Patch("", "namespace", ns, "merge", `{"metadata":{"labels":{"istio-injection":"enabled"}}}`, kubeconfig2)).
+ To(Succeed(), "Error patching sample namespace")
+
+ version := istioVersion.Version
+ // Deploy the sample app from upstream URL in both clusters
+ if istioVersion.Name == "latest" {
+ version = "master"
+ }
+ helloWorldURL := fmt.Sprintf("https://raw.githubusercontent.com/istio/istio/%s/samples/helloworld/helloworld.yaml", version)
+ Expect(kubectl.ApplyWithLabels(ns, helloWorldURL, "service=helloworld", kubeconfig)).To(Succeed(), "Sample service deploy failed on Cluster #1")
+ Expect(kubectl.ApplyWithLabels(ns, helloWorldURL, "service=helloworld", kubeconfig2)).To(Succeed(), "Sample service deploy failed on Cluster #2")
+
+ Expect(kubectl.ApplyWithLabels(ns, helloWorldURL, "version=v1", kubeconfig)).To(Succeed(), "Sample service deploy failed on Cluster #1")
+ Expect(kubectl.ApplyWithLabels(ns, helloWorldURL, "version=v2", kubeconfig2)).To(Succeed(), "Sample service deploy failed on Cluster #2")
+
+ sleepURL := fmt.Sprintf("https://raw.githubusercontent.com/istio/istio/%s/samples/sleep/sleep.yaml", version)
+ Expect(kubectl.Apply(ns, sleepURL, kubeconfig)).To(Succeed(), "Sample sleep deploy failed on Cluster #1")
+ Expect(kubectl.Apply(ns, sleepURL, kubeconfig2)).To(Succeed(), "Sample sleep deploy failed on Cluster #2")
+}
+
+// getListCurlResponses runs the curl command 10 times from the sleep pod in the given cluster and get response list
+func getListCurlResponses(podName, kubeconfig string) []string {
+ var responses []string
+ for i := 0; i < 10; i++ {
+ response, err := kubectl.Exec("sample", podName, "sleep", "curl -sS helloworld.sample:5000/hello", kubeconfig)
+ Expect(err).NotTo(HaveOccurred())
+ responses = append(responses, response)
+ }
+ return responses
+}
diff --git a/tests/e2e/multicluster/multicluster_primaryremote_test.go b/tests/e2e/multicluster/multicluster_primaryremote_test.go
new file mode 100644
index 000000000..798db3c2c
--- /dev/null
+++ b/tests/e2e/multicluster/multicluster_primaryremote_test.go
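Review bot: The two `certs.PushIntermediateCA(...)` calls in the first BeforeAll of this file discard their return value, so a failed CA push is only noticed up to 180 seconds later when the `cacerts` Eventually times out, with a message about the secret rather than the real cause; the sibling primaryremote file wraps the same calls, e.g. `Expect(certs.PushIntermediateCA(controlPlaneNamespace, kubeconfig, "east", "network1", artifacts, clPrimary)).To(Succeed(), "Error pushing intermediate CA to Cluster #1")`, and both calls here should do the same. In deploySampleApp the first `kubectl.Patch("", "namespace", ns, "merge", ...)` is the only call in the function without a kubeconfig argument, so the `istio-injection` label for Cluster #1 presumably goes to whatever kubeconfig the helper defaults to rather than `kubeconfig`; pass `kubeconfig` as the trailing argument the way the Cluster #2 call passes `kubeconfig2` (the primaryremote suite calls this same helper, so it is affected too). The `clPrimary.List`/`clRemote.List` errors in "updates the pods status to Ready" are also unchecked, so a list failure is reported as "No pods found" on the next line, and the second cacerts `Eventually` and the second `Success("Istio CR is Ready on Cluster #1")` both label Cluster #2 results as Cluster #1.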
@@ -0,0 +1,346 @@
+//go:build e2e
+
+// Copyright Istio Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package multicluster
+
+import (
+ "context"
+ "fmt"
+ "path/filepath"
+ "strings"
+ "time"
+
+ "github.com/istio-ecosystem/sail-operator/api/v1alpha1"
+ "github.com/istio-ecosystem/sail-operator/pkg/kube"
+ "github.com/istio-ecosystem/sail-operator/pkg/test/project"
+ . "github.com/istio-ecosystem/sail-operator/pkg/test/util/ginkgo"
+ "github.com/istio-ecosystem/sail-operator/pkg/test/util/supportedversion"
+ certs "github.com/istio-ecosystem/sail-operator/tests/e2e/util/certs"
+ common "github.com/istio-ecosystem/sail-operator/tests/e2e/util/common"
+ . "github.com/istio-ecosystem/sail-operator/tests/e2e/util/gomega"
+ "github.com/istio-ecosystem/sail-operator/tests/e2e/util/helm"
+ "github.com/istio-ecosystem/sail-operator/tests/e2e/util/istioctl"
+ "github.com/istio-ecosystem/sail-operator/tests/e2e/util/kubectl"
+ . "github.com/onsi/ginkgo/v2"
+ . "github.com/onsi/gomega"
+ appsv1 "k8s.io/api/apps/v1"
+ corev1 "k8s.io/api/core/v1"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "sigs.k8s.io/controller-runtime/pkg/client"
+)
+
+var _ = Describe("Multicluster deployment models", Ordered, func() {
+ SetDefaultEventuallyTimeout(180 * time.Second)
+ SetDefaultEventuallyPollingInterval(time.Second)
+
+ BeforeAll(func(ctx SpecContext) {
+ if !skipDeploy {
+ // Deploy the Sail Operator on both clusters
+ Expect(kubectl.CreateNamespace(namespace, kubeconfig)).To(Succeed(), "Namespace failed to be created on Primary Cluster")
+ Expect(kubectl.CreateNamespace(namespace, kubeconfig2)).To(Succeed(), "Namespace failed to be created on Remote Cluster")
+
+ Expect(helm.Install("sail-operator", filepath.Join(project.RootDir, "chart"), "--namespace "+namespace, "--set=image="+image, "--kubeconfig "+kubeconfig)).
+ To(Succeed(), "Operator failed to be deployed in Primary Cluster")
+
+ Eventually(common.GetObject).
+ WithArguments(ctx, clPrimary, kube.Key(deploymentName, namespace), &appsv1.Deployment{}).
+ Should(HaveCondition(appsv1.DeploymentAvailable, metav1.ConditionTrue), "Error getting Istio CRD")
+ Success("Operator is deployed in the Primary namespace and Running")
+
+ Expect(helm.Install("sail-operator", filepath.Join(project.RootDir, "chart"), "--namespace "+namespace, "--set=image="+image, "--kubeconfig "+kubeconfig2)).
+ To(Succeed(), "Operator failed to be deployed in Remote Cluster")
+
+ Eventually(common.GetObject).
+ WithArguments(ctx, clRemote, kube.Key(deploymentName, namespace), &appsv1.Deployment{}).
+ Should(HaveCondition(appsv1.DeploymentAvailable, metav1.ConditionTrue), "Error getting Istio CRD")
+ Success("Operator is deployed in the Remote namespace and Running")
+ }
+ })
+
+ Describe("Primary-Remote - Multi-Network configuration", func() {
+ // Test the Primary-Remote - Multi-Network configuration for each supported Istio version
+ for _, version := range supportedversion.List {
+ // The Primary-Remote - Multi-Network configuration is only supported in Istio 1.23 and later
+ if version.Major < 1 || (version.Major == 1 && version.Minor < 23) {
+ continue
+ }
+
+ Context("Istio version is: "+version.Version, func() {
+ When("Istio resources are created in both clusters", func() {
+ BeforeAll(func(ctx SpecContext) {
+ Expect(kubectl.CreateNamespace(controlPlaneNamespace, kubeconfig)).To(Succeed(), "Namespace failed to be created")
+ Expect(kubectl.CreateNamespace(controlPlaneNamespace, kubeconfig2)).To(Succeed(), "Namespace failed to be created")
+
+ // Push the intermediate CA to both clusters
+ Expect(certs.PushIntermediateCA(controlPlaneNamespace, kubeconfig, "east", "network1", artifacts, clPrimary)).
+ To(Succeed(), "Error pushing intermediate CA to Primary Cluster")
+ Expect(certs.PushIntermediateCA(controlPlaneNamespace, kubeconfig2, "west", "network2", artifacts, clRemote)).
+ To(Succeed(), "Error pushing intermediate CA to Remote Cluster")
+
+ // Wait for the secret to be created in both clusters
+ Eventually(func() error {
+ _, err := common.GetObject(context.Background(), clPrimary, kube.Key("cacerts", controlPlaneNamespace), &corev1.Secret{})
+ return err
+ }).ShouldNot(HaveOccurred(), "Secret is not created on Primary Cluster")
+
+ Eventually(func() error {
+ _, err := common.GetObject(context.Background(), clRemote, kube.Key("cacerts", controlPlaneNamespace), &corev1.Secret{})
+ return err
+ }).ShouldNot(HaveOccurred(), "Secret is not created on Primary Cluster")
+
+ PrimaryYAML := `
+apiVersion: sailoperator.io/v1alpha1
+kind: Istio
+metadata:
+ name: default
+spec:
+ version: %s
+ namespace: %s
+ values:
+ pilot:
+ env:
+ EXTERNAL_ISTIOD: "true"
+ global:
+ meshID: %s
+ multiCluster:
+ clusterName: %s
+ network: %s`
+ multiclusterPrimaryYAML := fmt.Sprintf(PrimaryYAML, version.Name, controlPlaneNamespace, "mesh1", "cluster1", "network1")
+ Log("Istio CR Primary: ", multiclusterPrimaryYAML)
+ Expect(kubectl.CreateFromString(multiclusterPrimaryYAML, kubeconfig)).To(Succeed(), "Istio Resource creation failed on Primary Cluster")
+ })
+
+ It("updates Istio CR on Primary cluster status to Ready", func(ctx SpecContext) {
+ Eventually(common.GetObject).
+ WithArguments(ctx, clPrimary, kube.Key(istioName), &v1alpha1.Istio{}).
+ Should(HaveCondition(v1alpha1.IstioConditionReady, metav1.ConditionTrue), "Istio is not Ready on Primary; unexpected Condition")
+ Success("Istio CR is Ready on Primary Cluster")
+ })
+
+ It("deploys istiod", func(ctx SpecContext) {
+ Eventually(common.GetObject).
+ WithArguments(ctx, clPrimary, kube.Key("istiod", controlPlaneNamespace), &appsv1.Deployment{}).
+ Should(HaveCondition(appsv1.DeploymentAvailable, metav1.ConditionTrue), "Istiod is not Available on Primary; unexpected Condition")
+ Expect(common.GetVersionFromIstiod()).To(Equal(version.Version), "Unexpected istiod version")
+ Success("Istiod is deployed in the namespace and Running on Primary Cluster")
+ })
+ })
+
+ When("Gateway is created on Primary cluster ", func() {
+ BeforeAll(func(ctx SpecContext) {
+ Expect(kubectl.Apply(controlPlaneNamespace, eastGatewayYAML, kubeconfig)).To(Succeed(), "Gateway creation failed on Primary Cluster")
+
+ // Expose istiod service in Primary cluster
+ Expect(kubectl.Apply(controlPlaneNamespace, exposeIstiodYAML, kubeconfig)).To(Succeed(), "Expose Istiod creation failed on Primary Cluster")
+
+ // Expose the Gateway service in both clusters
+ Expect(kubectl.Apply(controlPlaneNamespace, exposeServiceYAML, kubeconfig)).To(Succeed(), "Expose Service creation failed on Primary Cluster")
+ })
+
+ It("updates Gateway status to Available", func(ctx SpecContext) {
+ Eventually((common.GetObject)).
+ WithArguments(ctx, clPrimary, kube.Key("istio-eastwestgateway", controlPlaneNamespace), &appsv1.Deployment{}).
+ Should(HaveCondition(appsv1.DeploymentAvailable, metav1.ConditionTrue), "Gateway is not Ready on Primary; unexpected Condition")
+ })
+ })
+
+ When("RemoteIstio is created in Remote cluster", func() {
+ BeforeAll(func(ctx SpecContext) {
+ RemoteYAML := `
+apiVersion: sailoperator.io/v1alpha1
+kind: RemoteIstio
+metadata:
+ name: default
+spec:
+ version: %s
+ namespace: istio-system
+ values:
+ istiodRemote:
+ injectionPath: /inject/cluster/remote/net/network2
+ global:
+ remotePilotAddress: %s`
+
+ remotePilotAddress, err := common.GetSVCLoadBalancerAddress(ctx, clPrimary, controlPlaneNamespace, "istio-eastwestgateway")
+ Expect(remotePilotAddress).NotTo(BeEmpty(), "Remote Pilot Address is empty")
+ Expect(err).NotTo(HaveOccurred(), "Error getting Remote Pilot Address")
+ remoteIstioYAML := fmt.Sprintf(RemoteYAML, version.Name, remotePilotAddress)
+ Log("RemoteIstio CR: ", remoteIstioYAML)
+ By("Creating RemoteIstio CR on Remote Cluster")
+ Expect(kubectl.CreateFromString(remoteIstioYAML, kubeconfig2)).To(Succeed(), "RemoteIstio Resource creation failed on Remote Cluster")
+
+ // Set the controlplane cluster and network for Remote namespace
+ By("Patching the istio-system namespace on Remote Cluster")
+ Expect(
+ kubectl.Patch("",
+ "namespace",
+ controlPlaneNamespace,
+ "merge",
+ `{"metadata":{"annotations":{"topology.istio.io/controlPlaneClusters":"cluster1"}}}`,
+ kubeconfig2)).
+ To(Succeed(), "Error patching istio-system namespace")
+ Expect(
+ kubectl.Patch("",
+ "namespace",
+ controlPlaneNamespace,
+ "merge",
+ `{"metadata":{"labels":{"topology.istio.io/network":"network2"}}}`,
+ kubeconfig2)).
+ To(Succeed(), "Error patching istio-system namespace")
+
+ // To be able to access the remote cluster from the primary cluster, we need to create a secret in the primary cluster
+ // RemoteIstio resource will not be Ready until the secret is created
+ // Get the internal IP of the control plane node in Remote cluster
+ internalIPRemote, err := kubectl.GetInternalIP("node-role.kubernetes.io/control-plane", kubeconfig2)
+ Expect(internalIPRemote).NotTo(BeEmpty(), "Internal IP is empty for Remote Cluster")
+ Expect(err).NotTo(HaveOccurred())
+
+ // Wait for the RemoteIstio CR to be created, this can be moved to a condition verification, but the resource it not will be Ready at this point
+ time.Sleep(5 * time.Second)
+
+ // Install a remote secret in Primary cluster that provides access to the Remote cluster API server.
+ By("Creating Remote Secret on Primary Cluster")
+ secret, err := istioctl.CreateRemoteSecret(kubeconfig2, "remote", internalIPRemote)
+ Expect(err).NotTo(HaveOccurred())
+ Expect(kubectl.ApplyString("", secret, kubeconfig)).To(Succeed(), "Remote secret creation failed on Primary Cluster")
+ })
+
+ It("secret is created", func(ctx SpecContext) {
+ secret, err := common.GetObject(ctx, clPrimary, kube.Key("istio-remote-secret-remote", controlPlaneNamespace), &corev1.Secret{})
+ Expect(err).NotTo(HaveOccurred())
+ Expect(secret).NotTo(BeNil(), "Secret is not created on Primary Cluster")
+ Success("Remote secret is created in Primary cluster")
+ })
+
+ It("updates RemoteIstio CR status to Ready", func(ctx SpecContext) {
+ Eventually(common.GetObject).
+ WithArguments(ctx, clRemote, kube.Key(istioName), &v1alpha1.RemoteIstio{}).
+ Should(HaveCondition(v1alpha1.IstioConditionReady, metav1.ConditionTrue), "Istio is not Ready on Remote; unexpected Condition")
+ Success("RemoteIstio CR is Ready on Remote Cluster")
+ })
+ })
+
+ When("gateway is created in Remote cluster", func() {
+ BeforeAll(func(ctx SpecContext) {
+ Expect(kubectl.Apply(controlPlaneNamespace, westGatewayYAML, kubeconfig2)).To(Succeed(), "Gateway creation failed on Remote Cluster")
+ Success("Gateway is created in Remote cluster")
+ })
+
+ It("updates Gateway status to Available", func(ctx SpecContext) {
+ Eventually((common.GetObject)).
+ WithArguments(ctx, clRemote, kube.Key("istio-eastwestgateway", controlPlaneNamespace), &appsv1.Deployment{}).
+ Should(HaveCondition(appsv1.DeploymentAvailable, metav1.ConditionTrue), "Gateway is not Ready on Remote; unexpected Condition")
+ Success("Gateway is created and available in Remote cluster")
+ })
+ })
+
+ When("sample apps are deployed in both clusters", func() {
+ BeforeAll(func(ctx SpecContext) {
+ // Deploy the sample app in both clusters
+ deploySampleApp("sample", version, kubeconfig, kubeconfig2)
+ Success("Sample app is deployed in both clusters")
+ })
+
+ It("updates the pods status to Ready", func(ctx SpecContext) {
+ samplePodsPrimary := &corev1.PodList{}
+
+ clPrimary.List(ctx, samplePodsPrimary, client.InNamespace("sample"))
+ Expect(samplePodsPrimary.Items).ToNot(BeEmpty(), "No pods found in bookinfo namespace")
+
+ for _, pod := range samplePodsPrimary.Items {
+ Eventually(common.GetObject).
+ WithArguments(ctx, clPrimary, kube.Key(pod.Name, "sample"), &corev1.Pod{}).
+ Should(HaveCondition(corev1.PodReady, metav1.ConditionTrue), "Pod is not Ready on Primary; unexpected Condition")
+ }
+
+ samplePodsRemote := &corev1.PodList{}
+ clRemote.List(ctx, samplePodsRemote, client.InNamespace("sample"))
+ Expect(samplePodsRemote.Items).ToNot(BeEmpty(), "No pods found in bookinfo namespace")
+
+ for _, pod := range samplePodsRemote.Items {
+ Eventually(common.GetObject).
+ WithArguments(ctx, clRemote, kube.Key(pod.Name, "sample"), &corev1.Pod{}).
+ Should(HaveCondition(corev1.PodReady, metav1.ConditionTrue), "Pod is not Ready on Remote; unexpected Condition")
+ }
+ Success("Sample app is created in both clusters and Running")
+ })
+
+ It("can access the sample app from both clusters", func(ctx SpecContext) {
+ sleepPodNamePrimary, err := common.GetPodNameByLabel(ctx, clPrimary, "sample", "app", "sleep")
+ Expect(sleepPodNamePrimary).NotTo(BeEmpty(), "Sleep pod not found on Primary Cluster")
+ Expect(err).NotTo(HaveOccurred(), "Error getting sleep pod name on Primary Cluster")
+
+ sleepPodNameRemote, err := common.GetPodNameByLabel(ctx, clRemote, "sample", "app", "sleep")
+ Expect(sleepPodNameRemote).NotTo(BeEmpty(), "Sleep pod not found on Remote Cluster")
+ Expect(err).NotTo(HaveOccurred(), "Error getting sleep pod name on Remote Cluster")
+
+ // Run the curl command from the sleep pod in the Remote Cluster and get response list to validate that we get responses from both clusters
+ remoteResponses := strings.Join(getListCurlResponses(sleepPodNameRemote, kubeconfig2), "\n")
+ Expect(remoteResponses).To(ContainSubstring("Hello version: v1"), "Responses from Remote Cluster are not the expected")
+ Expect(remoteResponses).To(ContainSubstring("Hello version: v2"), "Responses from Remote Cluster are not the expected")
+
+ // Run the curl command from the sleep pod in the Primary Cluster and get response list to validate that we get responses from both clusters
+ primaryResponses := strings.Join(getListCurlResponses(sleepPodNamePrimary, kubeconfig), "\n")
+ Expect(primaryResponses).To(ContainSubstring("Hello version: v1"), "Responses from Primary Cluster are not the expected")
+ Expect(primaryResponses).To(ContainSubstring("Hello version: v2"), "Responses from Primary Cluster are not the expected")
+ Success("Sample app is accessible from both clusters")
+ })
+ })
+
+ When("Istio CR and RemoteIstio CR are deleted in both clusters", func() {
+ BeforeEach(func() {
+ Expect(kubectl.Delete(controlPlaneNamespace, "istio", istioName, kubeconfig)).To(Succeed(), "Istio CR failed to be deleted")
+ Expect(kubectl.Delete(controlPlaneNamespace, "remoteistio", istioName, kubeconfig2)).To(Succeed(), "RemoteIstio CR failed to be deleted")
+ Success("Istio and RemoteIstio are deleted")
+ })
+
+ It("removes istiod on Primary", func(ctx SpecContext) {
+ Eventually(clPrimary.Get).WithArguments(ctx, kube.Key("istiod", controlPlaneNamespace), &appsv1.Deployment{}).
+ Should(ReturnNotFoundError(), "Istiod should not exist anymore")
+ Success("Istiod is deleted on Primary Cluster")
+ })
+ })
+
+ AfterAll(func(ctx SpecContext) {
+ // Delete namespace to ensure clean up for new tests iteration
+ Expect(kubectl.DeleteNamespace(controlPlaneNamespace, kubeconfig)).To(Succeed(), "Namespace failed to be deleted on Primary Cluster")
+ Expect(kubectl.DeleteNamespace(controlPlaneNamespace, kubeconfig2)).To(Succeed(), "Namespace failed to be deleted on Remote Cluster")
+
+ common.CheckNamespaceEmpty(ctx, clPrimary, controlPlaneNamespace)
+ common.CheckNamespaceEmpty(ctx, clRemote, controlPlaneNamespace)
+ Success("ControlPlane Namespaces are empty")
+
+ // Delete the entire sample namespace in both clusters
+ Expect(kubectl.DeleteNamespace("sample", kubeconfig)).To(Succeed(), "Namespace failed to be deleted on Primary Cluster")
+ Expect(kubectl.DeleteNamespace("sample", kubeconfig2)).To(Succeed(), "Namespace failed to be deleted on Remote Cluster")
+
+ common.CheckNamespaceEmpty(ctx, clPrimary, "sample")
+ common.CheckNamespaceEmpty(ctx, clRemote, "sample")
+ Success("Sample app is deleted in both clusters")
+ })
+ })
+ }
+ })
+
+ AfterAll(func(ctx SpecContext) {
+ // Delete the Sail Operator from both clusters
+ Expect(kubectl.DeleteNamespace(namespace, kubeconfig)).To(Succeed(), "Namespace failed to be deleted on Primary Cluster")
+ Expect(kubectl.DeleteNamespace(namespace, kubeconfig2)).To(Succeed(), "Namespace failed to be deleted on Remote Cluster")
+
+ // Check that the namespace is empty
+ common.CheckNamespaceEmpty(ctx, clPrimary, namespace)
+ common.CheckNamespaceEmpty(ctx, clRemote, namespace)
+ })
+})
diff --git a/tests/e2e/multicluster/multicluster_suite_test.go b/tests/e2e/multicluster/multicluster_suite_test.go
new file mode 100644
index 000000000..5c0cd061a
--- /dev/null
+++ b/tests/e2e/multicluster/multicluster_suite_test.go
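Review bot: `RemoteYAML` hard-codes `namespace: istio-system` while every other resource in this file, including the `PrimaryYAML` template and the two namespace patches just below it, uses `controlPlaneNamespace`; when `CONTROL_PLANE_NS` is overridden the RemoteIstio points at a namespace other than the one the suite created, labelled and annotated. Make the template line `namespace: %s` and build it with `remoteIstioYAML := fmt.Sprintf(RemoteYAML, version.Name, controlPlaneNamespace, remotePilotAddress)`. The `time.Sleep(5 * time.Second)` in the same BeforeAll is a fixed wait that its own comment flags as provisional; polling `common.GetObject` for `kube.Key(istioName)` and `&v1alpha1.RemoteIstio{}` with the `Eventually(func() error {...}).ShouldNot(HaveOccurred(), ...)` form already used for the cacerts secret would be deterministic and fail with a useful message. The second cacerts `Eventually` reports "Secret is not created on Primary Cluster" although it queries `clRemote`; it should say Remote Cluster.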
@@ -0,0 +1,95 @@ +//go:build e2e + +// Copyright Istio Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package multicluster + +import ( + "fmt" + "os" + "path/filepath" + "testing" + + "github.com/istio-ecosystem/sail-operator/tests/e2e/util/certs" + k8sclient "github.com/istio-ecosystem/sail-operator/tests/e2e/util/client" + env "github.com/istio-ecosystem/sail-operator/tests/e2e/util/env" + . "github.com/onsi/ginkgo/v2" + . "github.com/onsi/gomega" + "sigs.k8s.io/controller-runtime/pkg/client" +) + +var ( + clPrimary client.Client + clRemote client.Client + err error + ocp = env.GetBool("OCP", false) + namespace = env.Get("NAMESPACE", "sail-operator") + deploymentName = env.Get("DEPLOYMENT_NAME", "sail-operator") + controlPlaneNamespace = env.Get("CONTROL_PLANE_NS", "istio-system") + istioName = env.Get("ISTIO_NAME", "default") + image = env.Get("IMAGE", "quay.io/maistra-dev/sail-operator:latest") + skipDeploy = env.GetBool("SKIP_DEPLOY", false) + multicluster = env.GetBool("MULTICLUSTER", false) + kubeconfig = env.Get("KUBECONFIG", "") + kubeconfig2 = env.Get("KUBECONFIG2", "") + artifacts = env.Get("ARTIFACTS", "/tmp/artifacts") + + eastGatewayYAML string + westGatewayYAML string + exposeServiceYAML string + exposeIstiodYAML string +) + +func TestInstall(t *testing.T) { + if !multicluster { + t.Skip("Skipping test. Only valid for multicluster") + } + if ocp { + t.Skip("Skipping test. 
Not valid for OCP") + // TODO: Implement the steps to run the test on OCP + } + RegisterFailHandler(Fail) + setup(t) + RunSpecs(t, "Control Plane Suite") +} + +func setup(t *testing.T) { + GinkgoWriter.Println("************ Running Setup ************") + + GinkgoWriter.Println("Initializing k8s client") + clPrimary, err = k8sclient.InitK8sClient(kubeconfig) + clRemote, err = k8sclient.InitK8sClient(kubeconfig2) + if err != nil { + t.Fatalf("Error initializing k8s client: %v", err) + } + + err := certs.CreateIntermediateCA(artifacts) + if err != nil { + t.Fatalf("Error creating intermediate CA: %v", err) + } + + // Set the path for the multicluster YAML files to be used + workDir, err := os.Getwd() + if err != nil { + t.Fatalf("Error getting working directory: %v", err) + } + + // Set base path + baseRepoDir := filepath.Join(workDir, "../../..") + eastGatewayYAML = fmt.Sprintf("%s/docs/multicluster/east-west-gateway-net1.yaml", baseRepoDir) + westGatewayYAML = fmt.Sprintf("%s/docs/multicluster/east-west-gateway-net2.yaml", baseRepoDir) + exposeServiceYAML = fmt.Sprintf("%s/docs/multicluster/expose-services.yaml", baseRepoDir) + exposeIstiodYAML = fmt.Sprintf("%s/docs/multicluster/expose-istiod.yaml", baseRepoDir) +} diff --git a/tests/e2e/operator/operator_suite_test.go b/tests/e2e/operator/operator_suite_test.go index ebe1c972d..32b737594 100644 --- a/tests/e2e/operator/operator_suite_test.go +++ b/tests/e2e/operator/operator_suite_test.go @@ -33,9 +33,13 @@ var ( image = env.Get("IMAGE", "quay.io/maistra-dev/sail-operator:latest") namespace = env.Get("NAMESPACE", "sail-operator") deploymentName = env.Get("DEPLOYMENT_NAME", "sail-operator") + multicluster = env.GetBool("MULTICLUSTER", false) ) func TestInstall(t *testing.T) { + if multicluster { + t.Skip("Skipping test for multicluster") + } RegisterFailHandler(Fail) setup() RunSpecs(t, "Install Operator Suite") 
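Review bot: In setup, the error from the first InitK8sClient call is overwritten by the second call before it is ever checked, so a failure to build the primary client (for example a bad KUBECONFIG path) is silently lost and only the clRemote result reaches t.Fatalf. Check each call on its own: `clPrimary, err = k8sclient.InitK8sClient(kubeconfig)` followed by `if err != nil { t.Fatalf("Error initializing primary k8s client: %v", err) }`, and the same pair for clRemote with kubeconfig2. The later `err := certs.CreateIntermediateCA(artifacts)` also shadows the package-level err declared in the var block; using `=` keeps a single variable and avoids a vet shadow warning.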
@@ -46,7 +50,7 @@ func setup() {
 GinkgoWriter.Println("Initializing k8s client")
 var err error
- cl, err = k8sclient.InitK8sClient()
+ cl, err = k8sclient.InitK8sClient("")
 Expect(err).NotTo(HaveOccurred())
 if ocp {
diff --git a/tests/e2e/util/certs/certs.go b/tests/e2e/util/certs/certs.go
new file mode 100644
index 000000000..78aaaa004
--- /dev/null
+++ b/tests/e2e/util/certs/certs.go
@@ -0,0 +1,280 @@ +//go:build e2e + +// Copyright Istio Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package certs + +import ( + "context" + "fmt" + "os" + "path/filepath" + + "github.com/istio-ecosystem/sail-operator/pkg/kube" + common "github.com/istio-ecosystem/sail-operator/tests/e2e/util/common" + "github.com/istio-ecosystem/sail-operator/tests/e2e/util/kubectl" + "github.com/istio-ecosystem/sail-operator/tests/e2e/util/shell" + corev1 "k8s.io/api/core/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "sigs.k8s.io/controller-runtime/pkg/client" +) + +// CreateIntermediateCA creates the intermediate CA +func CreateIntermediateCA(basePath string) error { + certsDir := filepath.Join(basePath, "certs") + + // Create the certs directory + err := os.MkdirAll(certsDir, 0o755) + if err != nil { + return fmt.Errorf("failed to create certs directory: %w", err) + } + + // Create the root CA configuration file + err = createRootCAConf(certsDir) + if err != nil { + return fmt.Errorf("failed to create root-ca.conf: %w", err) + } + + // Step 1: Generate root-key.pem + rootKey := filepath.Join(certsDir, "root-key.pem") + _, err = shell.ExecuteCommand(fmt.Sprintf("openssl genrsa -out %s 4096", rootKey)) + if err != nil { + return fmt.Errorf("failed to generate root-key.pem: %w", err) + } + + // Step 2: Generate root-cert.csr using root-key.pem and root-ca.conf + rootCSR := filepath.Join(certsDir, "root-cert.csr") + rootConf := filepath.Join(certsDir, 
"root-ca.conf") // You'll need to ensure root-ca.conf exists + _, err = shell.ExecuteCommand(fmt.Sprintf("openssl req -sha256 -new -key %s -config %s -out %s", rootKey, rootConf, rootCSR)) + if err != nil { + return fmt.Errorf("failed to generate root-cert.csr: %w", err) + } + + // Step 3: Generate root-cert.pem + rootCert := filepath.Join(certsDir, "root-cert.pem") + _, err = shell.ExecuteCommand( + fmt.Sprintf("openssl x509 -req -sha256 -days 3650 -signkey %s -extensions req_ext -extfile %s -in %s -out %s", + rootKey, rootConf, rootCSR, rootCert)) + if err != nil { + return fmt.Errorf("failed to generate root-cert.pem: %w", err) + } + + // Step 4: Generate east-cacerts (self-signed intermediate certificates) + // Create directories for east and west if needed + eastDir := filepath.Join(certsDir, "east") + westDir := filepath.Join(certsDir, "west") + + // Create the east and west directories + err = os.MkdirAll(eastDir, 0o755) + if err != nil { + return fmt.Errorf("failed to create east directory: %w", err) + } + err = os.MkdirAll(westDir, 0o755) + if err != nil { + return fmt.Errorf("failed to create west directory: %w", err) + } + + // Create the intermediate CA configuration file + err = createIntermediateCAConf(eastDir) + if err != nil { + return fmt.Errorf("failed to create ca.conf on east dir: %w", err) + } + + err = createIntermediateCAConf(westDir) + if err != nil { + return fmt.Errorf("failed to create ca.conf on west dir: %w", err) + } + + err = generateIntermediateCACertificates(eastDir, rootCert, rootKey) + if err != nil { + return fmt.Errorf("failed to generate east intermediate CA certificates: %w", err) + } + + err = generateIntermediateCACertificates(westDir, rootCert, rootKey) + if err != nil { + return fmt.Errorf("failed to generate west intermediate CA certificates: %w", err) + } + + return nil +} + +func generateIntermediateCACertificates(dir string, rootCert string, rootKey string) error { + caKey := filepath.Join(dir, "ca-key.pem") + _, err 
:= shell.ExecuteCommand(fmt.Sprintf("openssl genrsa -out %s 4096", caKey)) + if err != nil { + return fmt.Errorf("failed to generate east-ca-key.pem: %w", err) + } + + caCSR := filepath.Join(dir, "ca-cert.csr") + caConf := filepath.Join(dir, "ca.conf") + _, err = shell.ExecuteCommand(fmt.Sprintf("openssl req -sha256 -new -config %s -key %s -out %s", caConf, caKey, caCSR)) + if err != nil { + return fmt.Errorf("failed to generate east-ca-cert.csr: %w", err) + } + + caCert := filepath.Join(dir, "ca-cert.pem") + _, err = shell.ExecuteCommand( + fmt.Sprintf("openssl x509 -req -sha256 -days 3650 -CA %s -CAkey %s -CAcreateserial -extensions req_ext -extfile %s -in %s -out %s", + rootCert, rootKey, caConf, caCSR, caCert)) + if err != nil { + return fmt.Errorf("failed to generate east-ca-cert.pem: %w", err) + } + + certChain := filepath.Join(dir, "cert-chain.pem") + _, err = shell.ExecuteCommand(fmt.Sprintf("cat %s %s > %s", caCert, rootCert, certChain)) + if err != nil { + return fmt.Errorf("failed to generate east-cert-chain.pem: %w", err) + } + + return nil +} + +// createRootCAConf creates the root CA configuration file +func createRootCAConf(certsDir string) error { + confPath := filepath.Join(certsDir, "root-ca.conf") + confContent := ` +[ req ] +encrypt_key = no +prompt = no +utf8 = yes +default_md = sha256 +default_bits = 4096 +req_extensions = req_ext +x509_extensions = req_ext +distinguished_name = req_dn + +[ req_ext ] +subjectKeyIdentifier = hash +basicConstraints = critical, CA:true +keyUsage = critical, digitalSignature, nonRepudiation, keyEncipherment, keyCertSign + +[ req_dn ] +O = Istio +CN = Root CA +` + + // Write the configuration file to the directory + return writeFile(confPath, confContent) +} + +// createIntermediateCAConf creates the intermediate CA configuration file +func createIntermediateCAConf(certsDir string) error { + confPath := filepath.Join(certsDir, "ca.conf") + confContent := fmt.Sprintf(` +[ req ] +encrypt_key = no +prompt = no +utf8 = 
yes +default_md = sha256 +default_bits = 4096 +req_extensions = req_ext +x509_extensions = req_ext +distinguished_name = req_dn + +[ req_ext ] +subjectKeyIdentifier = hash +basicConstraints = critical, CA:true, pathlen:0 +keyUsage = critical, digitalSignature, nonRepudiation, keyEncipherment, keyCertSign +subjectAltName=@san + +[ san ] +DNS.1 = istiod.istio-system.svc + +[ req_dn ] +O = Istio +CN = Intermediate CA +L = %s +`, confPath) + + // Write the configuration file to the directory + return writeFile(confPath, confContent) +} + +// writeFile writes the content to the file +func writeFile(confPath string, confContent string) error { + file, err := os.Create(confPath) + if err != nil { + return fmt.Errorf("failed to create %s: %v", confPath, err) + } + defer file.Close() + + _, err = file.WriteString(confContent) + if err != nil { + return fmt.Errorf("failed to write to %s: %v", confPath, err) + } + + return nil +} + +// PushIntermediateCA pushes the intermediate CA to the cluster +func PushIntermediateCA(ns, kubeconfig, zone, network, basePath string, cl client.Client) error { + // Set cert dir + certDir := filepath.Join(basePath, "certs") + + // Check if the secret exists in the cluster + _, err := common.GetObject(context.Background(), cl, kube.Key("cacerts", ns), &corev1.Secret{}) + if err != nil { + // Label the namespace with the network + err = kubectl.Patch("", "namespace", ns, "merge", `{"metadata":{"labels":{"topology.istio.io/network":"`+network+`"}}}`, kubeconfig) + if err != nil { + return fmt.Errorf("failed to label namespace: %w", err) + } + + // Read the pem content from the files + caCertPath := filepath.Join(certDir, zone, "ca-cert.pem") + caKeyPath := filepath.Join(certDir, zone, "ca-key.pem") + rootCertPath := filepath.Join(certDir, "root-cert.pem") + certChainPath := filepath.Join(certDir, zone, "cert-chain.pem") + + // Read the pem content from the files to create the secret + caCert, err := os.ReadFile(caCertPath) + if err != nil { + 
return fmt.Errorf("failed to read ca-cert.pem: %w", err) + } + caKey, err := os.ReadFile(caKeyPath) + if err != nil { + return fmt.Errorf("failed to read ca-key.pem: %w", err) + } + rootCert, err := os.ReadFile(rootCertPath) + if err != nil { + return fmt.Errorf("failed to read root-cert.pem: %w", err) + } + certChain, err := os.ReadFile(certChainPath) + if err != nil { + return fmt.Errorf("failed to read cert-chain.pem: %w", err) + } + + // Create the secret by using the client in the cluster and the files created in the setup + secret := &corev1.Secret{ + ObjectMeta: metav1.ObjectMeta{ + Name: "cacerts", + Namespace: ns, + }, + Data: map[string][]byte{ + "ca-cert.pem": caCert, + "ca-key.pem": caKey, + "root-cert.pem": rootCert, + "cert-chain.pem": certChain, + }, + } + + err = cl.Create(context.Background(), secret) + if err != nil { + return fmt.Errorf("failed to create secret: %w", err) + } + } + + return nil +} diff --git a/tests/e2e/util/client/client.go b/tests/e2e/util/client/client.go index 9ab45ee74..efebdad0f 100644 --- a/tests/e2e/util/client/client.go +++ b/tests/e2e/util/client/client.go @@ -27,8 +27,17 @@ import ( ) // getConfig returns the configuration of the kubernetes go-client -func getConfig() (*rest.Config, error) { - // use the current context in kubeconfig +func getConfig(kubeconfig string) (*rest.Config, error) { + // If kubeconfig is provided, use it + if kubeconfig != "" { + config, err := clientcmd.BuildConfigFromFlags("", kubeconfig) + if err != nil { + return nil, fmt.Errorf("error building config: %w", err) + } + + return config, nil + } + // If not kubeconfig is provided use the current context in kubeconfig config, err := clientcmd.BuildConfigFromFlags("", os.Getenv("KUBECONFIG")) if err != nil { return nil, fmt.Errorf("error building config: %w", err) 
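Review bot: PushIntermediateCA treats every error from common.GetObject as "the secret does not exist" and then labels the namespace and creates the secret, so a transient API error is reported later as an unrelated create failure; only a not-found error should take that path, e.g. `if err != nil && !apierrors.IsNotFound(err) { return fmt.Errorf("failed to get cacerts secret: %w", err) }` with apierrors being k8s.io/apimachinery/pkg/api/errors, then `if apierrors.IsNotFound(err) { ... }` around the existing body. The error strings in generateIntermediateCACertificates all say "east-..." although the function is also called for the west directory, so a west failure is misreported; include `dir` in the message instead of a fixed prefix. The certs directory under basePath (ARTIFACTS by default) ends up holding root-key.pem and both ca-key.pem files, so creating it with 0o700 rather than 0o755 is the safer default, particularly if CI collects that directory as a build artifact. All openssl invocations interpolate unquoted paths into a shell string, so an ARTIFACTS value containing spaces or shell metacharacters breaks the commands; quoting with %q would avoid that.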
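Review bot: getConfig now has two identical BuildConfigFromFlags branches that differ only in where the path comes from; folding the fallback into the argument keeps a single code path: `if kubeconfig == "" { kubeconfig = os.Getenv("KUBECONFIG") }` followed by the existing `config, err := clientcmd.BuildConfigFromFlags("", kubeconfig)`. The comment on the fallback branch reads "If not kubeconfig is provided"; "If no kubeconfig is provided" is meant. getConfig's body continues past the end of this hunk.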
@@ -38,8 +47,11 @@ func getConfig() (*rest.Config, error) {
 }
 // InitK8sClient returns the kubernetes clientset
-func InitK8sClient() (client.Client, error) {
- config, err := getConfig()
+// Arguments:
+// Kubeconfig: string
+// Set kubeconfig to "" to use the current context in kubeconfig
+func InitK8sClient(kubeconfig string) (client.Client, error) {
+ config, err := getConfig(kubeconfig)
 if err != nil {
 return nil, fmt.Errorf("error getting config for k8s client: %w", err)
 }
diff --git a/tests/e2e/util/common/e2e_utils.go b/tests/e2e/util/common/e2e_utils.go
index a787a4b49..e17e07686 100644
--- a/tests/e2e/util/common/e2e_utils.go
+++ b/tests/e2e/util/common/e2e_utils.go
@@ -18,6 +18,8 @@ package common
 import (
 "context"
+ "fmt"
+ "regexp"
 "strings"
 "time"
@@ -39,6 +41,12 @@ var (
 istioName = env.Get("ISTIO_NAME", "default")
 istioCniName = env.Get("ISTIOCNI_NAME", "default")
 istioCniNamespace = env.Get("ISTIOCNI_NAMESPACE", "istio-cni")
+
+ // version can have one of the following formats:
+ // - 1.22.2
+ // - 1.23.0-rc.1
+ // - 1.24-alpha
+ istiodVersionRegex = regexp.MustCompile(`Version:"(\d+\.\d+(\.\d+)?(-\w+(\.\d+)?)?)`)
 )
 // getObject returns the object with the given key
@@ -53,6 +61,36 @@ func GetList(ctx context.Context, cl client.Client, list client.ObjectList, opts return list, err } +// GetPodNameByLabel returns the name of the pod with the given label +func GetPodNameByLabel(ctx context.Context, cl client.Client, ns, labelKey, labelValue string) (string, error) { + podList := &corev1.PodList{} + err := cl.List(ctx, podList, client.InNamespace(ns), client.MatchingLabels{labelKey: labelValue}) + if err != nil { + return "", err + } + if len(podList.Items) == 0 { + return "", fmt.Errorf("no pod found with label %s=%s", labelKey, labelValue) + } + return podList.Items[0].Name, nil +} + +// GetSVCAddress returns the address of the service with the given name +func GetSVCLoadBalancerAddress(ctx context.Context, cl client.Client, ns, svcName string) (string, error) { + svc := &corev1.Service{} + err := cl.Get(ctx, client.ObjectKey{Namespace: ns, Name: svcName}, svc) + if err != nil { + return "", err + } + + // To avoid flakiness, wait for the LoadBalancer to be ready + Eventually(func() ([]corev1.LoadBalancerIngress, error) { + err := cl.Get(ctx, client.ObjectKey{Namespace: ns, Name: svcName}, svc) + return svc.Status.LoadBalancer.Ingress, err + }, "1m", "1s").ShouldNot(BeEmpty(), "LoadBalancer should be ready") + + return svc.Status.LoadBalancer.Ingress[0].IP, nil +} + // checkNamespaceEmpty checks if the given namespace is empty func CheckNamespaceEmpty(ctx SpecContext, cl client.Client, ns string) { // TODO: Check to add more validations @@ -107,7 +145,7 @@ func logOperatorDebugInfo() { logDebugElement("Events in "+namespace, events, err) // Temporaty information to gather more details about failure - pods, err := kubectl.GetPods(namespace, "-o wide") + pods, err := kubectl.GetPods(namespace, "", "-o wide") logDebugElement("Pods in "+namespace, pods, err) describe, err := kubectl.Describe(namespace, "deployment", deploymentName) 
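Review bot: GetSVCLoadBalancerAddress returns Ingress[0].IP, but a LoadBalancer ingress entry may carry only a Hostname (providers that hand out DNS names rather than addresses), in which case the function returns an empty string with a nil error; read the entry once, `ing := svc.Status.LoadBalancer.Ingress[0]`, and fall back with `if ing.IP == "" { return ing.Hostname, nil }`. The doc comment above it is titled "GetSVCAddress" and does not match the function name, which godoc and linters flag; it should begin `// GetSVCLoadBalancerAddress returns ...`. Because the wait is done with Eventually inside a helper that returns an error, a timeout fails the running spec directly instead of being returned to the caller, which is worth stating in that doc comment.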
@@ -118,7 +156,7 @@ func logIstioDebugInfo() { resource, err := kubectl.GetYAML("", "istio", istioName) logDebugElement("Istio YAML", resource, err) - output, err := kubectl.GetPods(controlPlaneNamespace, "-o wide") + output, err := kubectl.GetPods(controlPlaneNamespace, "", "-o wide") logDebugElement("Pods in "+controlPlaneNamespace, output, err) logs, err := kubectl.Logs(controlPlaneNamespace, "deploy/istiod", ptr.Of(120*time.Second)) @@ -139,7 +177,7 @@ func logCNIDebugInfo() { logDebugElement("Events in "+istioCniNamespace, events, err) // Temporaty information to gather more details about failure - pods, err := kubectl.GetPods(istioCniNamespace, "-o wide") + pods, err := kubectl.GetPods(istioCniNamespace, "", "-o wide") logDebugElement("Pods in "+istioCniNamespace, pods, err) describe, err := kubectl.Describe(istioCniNamespace, "daemonset", "istio-cni-node") @@ -155,3 +193,16 @@ func logDebugElement(caption string, info string, err error) { GinkgoWriter.Println(indent + strings.ReplaceAll(strings.TrimSpace(info), "\n", "\n"+indent)) } } + +func GetVersionFromIstiod() (string, error) { + output, err := kubectl.Exec(controlPlaneNamespace, "deploy/istiod", "", "pilot-discovery version") + if err != nil { + return "", fmt.Errorf("error getting version from istiod: %w", err) + } + + matches := istiodVersionRegex.FindStringSubmatch(output) + if len(matches) > 1 && matches[1] != "" { + return matches[1], nil + } + return "", fmt.Errorf("error getting version from istiod: version not found in output: %s", output) +} diff --git a/tests/e2e/util/istioctl/istioctl.go b/tests/e2e/util/istioctl/istioctl.go new file mode 100644 index 000000000..e055f5828 --- /dev/null +++ b/tests/e2e/util/istioctl/istioctl.go 
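Review bot: GetVersionFromIstiod is exported without a doc comment; suggest `// GetVersionFromIstiod runs "pilot-discovery version" in deploy/istiod of the control plane namespace and returns the version string matched by istiodVersionRegex.` Both error paths share the prefix "error getting version from istiod", so a caller cannot tell an exec failure from a parse failure without reading the wrapped text; wording the second one as "version not found in istiod output: %s" keeps them distinct.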
@@ -0,0 +1,55 @@ +//go:build e2e + +// Copyright Istio Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR Condition OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package istioctl + +import ( + "fmt" + + env "github.com/istio-ecosystem/sail-operator/tests/e2e/util/env" + "github.com/istio-ecosystem/sail-operator/tests/e2e/util/shell" +) + +var istioctlBinary = env.Get("ISTIOCTL_PATH", "istioctl") + +// Istioctl returns the istioctl command +// If the environment variable COMMAND is set, it will return the value of COMMAND +// Otherwise, it will return the default value "istioctl" as default +// Arguments: +// - format: format of the command without istioctl +// - args: arguments of the command +func istioctl(format string, args ...interface{}) string { + binary := "istioctl" + if istioctlBinary != "" { + binary = istioctlBinary + } + + cmd := fmt.Sprintf(format, args...) + + return fmt.Sprintf("%s %s", binary, cmd) +} + +// CreateRemoteSecret creates a secret in the remote cluster +// Arguments: +// - remoteKubeconfig: kubeconfig of the remote cluster +// - secretName: name of the secret +// - internalIP: internal IP of the remote cluster +func CreateRemoteSecret(remoteKubeconfig string, secretName string, internalIP string) (string, error) { + cmd := istioctl("create-remote-secret --kubeconfig %s --name %s --server=https://%s:6443", remoteKubeconfig, secretName, internalIP) + yaml, err := shell.ExecuteCommand(cmd) + + return yaml, err +} 
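Review bot: The doc comment on istioctl is copied from the kubectl helper and says the binary comes from the COMMAND environment variable, while the code reads ISTIOCTL_PATH via istioctlBinary; it should say `// If the environment variable ISTIOCTL_PATH is set, its value is used as the binary; otherwise "istioctl" is used.` CreateRemoteSecret hard-codes port 6443 in `--server=https://%s:6443`, which presumably matches the clusters this suite targets but will not hold for an API server listening elsewhere; a port parameter or a documented assumption would make that explicit, and `return shell.ExecuteCommand(cmd)` replaces the two-line yaml/err round trip. The YAML returned by create-remote-secret embeds credentials for the remote cluster, so callers should avoid logging it verbatim. The license header in this file reads "WITHOUT WARRANTIES OR Condition OF ANY KIND", which differs from the standard Apache text used in the other new files of this patch ("CONDITIONS").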
diff --git a/tests/e2e/util/kubectl/kubectl.go b/tests/e2e/util/kubectl/kubectl.go index 7d4e8f054..931470851 100644 --- a/tests/e2e/util/kubectl/kubectl.go +++ b/tests/e2e/util/kubectl/kubectl.go @@ -25,6 +25,14 @@ import ( const DefaultBinary = "kubectl" +// optionalKubeconfig add the flag --kubeconfig if the kubeconfig is set +func optionalKubeconfig(kubeconfig []string) string { + if len(kubeconfig) > 0 && kubeconfig[0] != "" { + return fmt.Sprintf("--kubeconfig %s", kubeconfig[0]) + } + return "" +} + // kubectl return the kubectl command // If the environment variable COMMAND is set, it will return the value of COMMAND // Otherwise, it will return the default value "kubectl" as default @@ -41,8 +49,8 @@ func kubectl(format string, args ...interface{}) string { } // CreateFromString creates a resource from the given yaml string -func CreateFromString(yamlString string) error { - cmd := kubectl("create -f -") +func CreateFromString(yamlString string, kubeconfig ...string) error { + cmd := kubectl("create %s -f -", optionalKubeconfig(kubeconfig)) _, err := shell.ExecuteCommandWithInput(cmd, yamlString) if err != nil { return fmt.Errorf("error creating resource from yaml: %w", err) @@ -51,8 +59,15 @@ func CreateFromString(yamlString string) error { } // ApplyString applies the given yaml string to the cluster -func ApplyString(ns, yamlString string) error { - cmd := kubectl("apply -n %s --server-side -f -", ns) +func ApplyString(ns, yamlString string, kubeconfig ...string) error { + nsflag := nsflag(ns) + // If the namespace is empty, we need to remove the flag because it will fail + // TODO: improve the nsflag function to handle this case + if ns == "" { + nsflag = "" + } + + cmd := kubectl("apply %s %s --server-side -f -", nsflag, optionalKubeconfig(kubeconfig)) _, err := shell.ExecuteCommandWithInput(cmd, yamlString) if err != nil { return fmt.Errorf("error applying yaml: %w", err) 
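Review bot: In ApplyString the local variable `nsflag := nsflag(ns)` shadows the nsflag helper for the rest of the function, which compiles but is confusing and is exactly the case the TODO points at; renaming it `nsFlag` keeps the helper callable, and the cleaner fix is to have the nsflag helper return "" for an empty namespace (its tail, visible in the last hunk of this file, returns "-n " + ns unconditionally) so the special-casing here can go. Apply and ApplyWithLabels in the next hunk still pass `-n %s` unconditionally, so the same empty-namespace failure remains there. optionalKubeconfig silently ignores everything after kubeconfig[0]; since the variadic only emulates an optional argument, a doc line saying that only the first value is used would make that explicit.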
@@ -62,8 +77,14 @@ func ApplyString(ns, yamlString string) error { } // Apply applies the given yaml file to the cluster -func Apply(ns, yamlFile string) error { - cmd := kubectl("apply -n %s -f %s", ns, yamlFile) +func Apply(ns, yamlFile string, kubeconfig ...string) error { + err := ApplyWithLabels(ns, yamlFile, "", kubeconfig...) + return err +} + +// ApplyWithLabels applies the given yaml file to the cluster with the given labels +func ApplyWithLabels(ns, yamlFile string, label string, kubeconfig ...string) error { + cmd := kubectl("apply -n %s %s -f %s %s", ns, labelFlag(label), yamlFile, optionalKubeconfig(kubeconfig)) _, err := shell.ExecuteCommand(cmd) if err != nil { return fmt.Errorf("error applying yaml: %w", err) @@ -72,10 +93,24 @@ func Apply(ns, yamlFile string) error { return nil } +// DeleteFromFile deletes a resource from the given yaml file +func DeleteFromFile(yamlFile string, kubeconfig ...string) error { + cmd := kubectl("delete -f %s %s", yamlFile, optionalKubeconfig(kubeconfig)) + _, err := shell.ExecuteCommand(cmd) + if err != nil { + return fmt.Errorf("error deleting resource from yaml: %w", err) + } + + return nil +} + // CreateNamespace creates a namespace // If the namespace already exists, it will return nil -func CreateNamespace(ns string) error { - cmd := kubectl("create namespace %s", ns) +// Arguments: +// - ns: namespace +// - kubeconfig: optional kubeconfig to set the target file +func CreateNamespace(ns string, kubeconfig ...string) error { + cmd := kubectl("create namespace %s %s", ns, optionalKubeconfig(kubeconfig)) output, err := shell.ExecuteCommand(cmd) if err != nil { if strings.Contains(output, "AlreadyExists") { 
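Review bot: Apply assigns the result of ApplyWithLabels to `err` only to return it on the next line; `return ApplyWithLabels(ns, yamlFile, "", kubeconfig...)` is the idiomatic form. The new "Arguments" doc lines describe kubeconfig as "optional kubeconfig to set the target file", which does not say what the value is; `// - kubeconfig: optional path to the kubeconfig of the target cluster; omit to use the current context` reads unambiguously, and the same wording applies to DeleteNamespace and GetInternalIP in the following hunks.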
@@ -89,8 +124,11 @@ func CreateNamespace(ns string) error { } // DeleteNamespace deletes a namespace -func DeleteNamespace(ns string) error { - cmd := kubectl("delete namespace %s", ns) +// Arguments: +// - ns: namespace +// - kubeconfig: optional kubeconfig to set the target file +func DeleteNamespace(ns string, kubeconfig ...string) error { + cmd := kubectl("delete namespace %s %s", ns, optionalKubeconfig(kubeconfig)) _, err := shell.ExecuteCommand(cmd) if err != nil { return fmt.Errorf("error deleting namespace: %w", err) @@ -99,9 +137,9 @@ func DeleteNamespace(ns string) error { return nil } -// Delete deletes a resource based on the namespace, kind and the name -func Delete(ns, kind, name string) error { - cmd := kubectl("delete %s %s %s", kind, name, nsflag(ns)) +// Delete deletes a resource based on the namespace, kind and the name. Optionally, you can provide a kubeconfig +func Delete(ns, kind, name string, kubeconfig ...string) error { + cmd := kubectl("delete %s %s %s %s", kind, name, nsflag(ns), optionalKubeconfig(kubeconfig)) _, err := shell.ExecuteCommand(cmd) if err != nil { return fmt.Errorf("error deleting deployment: %w", err) @@ -124,8 +162,8 @@ func DeleteCRDs(crds []string) error { } // Patch patches a resource. -func Patch(ns, kind, name, patchType, patch string) error { - cmd := kubectl(`patch %s %s %s --type=%s -p=%q`, kind, name, prepend("-n", ns), patchType, patch) +func Patch(ns, kind, name, patchType, patch string, kubeconfig ...string) error { + cmd := kubectl(`patch %s %s %s %s --type=%s -p=%q`, kind, name, prepend("-n", ns), optionalKubeconfig(kubeconfig), patchType, patch) _, err := shell.ExecuteCommand(cmd) if err != nil { return fmt.Errorf("error patching resource: %w", err) 
@@ -152,8 +190,13 @@ func GetYAML(ns, kind, name string) (string, error) { } // GetPods returns the pods of a namespace -func GetPods(ns string, args ...string) (string, error) { - cmd := kubectl("get pods %s %s", nsflag(ns), strings.Join(args, " ")) +func GetPods(ns string, kubeconfig string, args ...string) (string, error) { + kubeconfigFlag := "" + if kubeconfig != "" { + kubeconfigFlag = fmt.Sprintf("--kubeconfig %s", kubeconfig) + } + + cmd := kubectl("get pods %s %s %s", nsflag(ns), strings.Join(args, " "), kubeconfigFlag) output, err := shell.ExecuteCommand(cmd) if err != nil { return "", fmt.Errorf("error getting pods: %w, output: %s", err, output) @@ -188,6 +231,20 @@ func Describe(ns, kind, name string) (string, error) { return output, nil } +// GetInternalIP returns the internal IP of a node +// Arguments: +// - label: label of the node +// - kubeconfig: optional kubeconfig to set the target file +func GetInternalIP(label string, kubeconfig ...string) (string, error) { + cmd := kubectl("get nodes -l %s -o jsonpath='{.items[0].status.addresses[?(@.type==\"InternalIP\")].address}' %s", label, optionalKubeconfig(kubeconfig)) + output, err := shell.ExecuteCommand(cmd) + if err != nil { + return "", fmt.Errorf("error getting internal IP: %w, output: %s", err, output) + } + + return output, nil +} + // Logs returns the logs of a deployment // Arguments: // - ns: namespace @@ -210,8 +267,8 @@ func sinceFlag(since *time.Duration) string { } // Exec executes a command in the pod or specific container -func Exec(ns, pod, container, command string) (string, error) { - cmd := kubectl("exec %s %s %s -- %s", pod, containerflag(container), nsflag(ns), command) +func Exec(ns, pod, container, command string, kubeconfig ...string) (string, error) { + cmd := kubectl("exec %s %s %s %s -- %s", pod, containerflag(container), nsflag(ns), optionalKubeconfig(kubeconfig), command) output, err := shell.ExecuteCommand(cmd) if err != nil { return "", err 
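Review bot: GetPods takes kubeconfig as a required positional string while every other helper in this file takes it as a trailing variadic, so callers now have to pass "" (as logOperatorDebugInfo, logIstioDebugInfo and logCNIDebugInfo do in e2e_utils.go), and the body re-implements optionalKubeconfig inline. Because args is already variadic the signature cannot also take a variadic kubeconfig, but the flag construction can at least reuse the helper: `cmd := kubectl("get pods %s %s %s", nsflag(ns), strings.Join(args, " "), optionalKubeconfig([]string{kubeconfig}))`, keeping one place that formats --kubeconfig.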
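Review bot: GetInternalIP returns whatever kubectl prints, so when no node matches the label the jsonpath `.items[0]` yields an empty string and the function returns ("", nil); a caller that feeds that to CreateRemoteSecret would build "https://:6443" and fail much later. Add `if output == "" { return "", fmt.Errorf("no node found with label %q", label) }` after the error check. The jsonpath is wrapped in single quotes inside the format string, so the command depends on being run through a shell, and a label value containing a quote would break it.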
@@ -234,6 +291,13 @@ func nsflag(ns string) string { return "-n " + ns } +func labelFlag(label string) string { + if label == "" { + return "" + } + return "-l " + label +} + func containerflag(container string) string { if container == "" { return "" From 005d1c37cb295ef16c1d1b6986aa12016189c760 Mon Sep 17 00:00:00 2001 From: Francisco Herrera Date: Tue, 24 Sep 2024 12:06:24 +0200 Subject: [PATCH 11/68] Adding wait after olm install in olm test setup (#357) Adding sleep Adding timout to wait in olm setup Delete sleep Adding more debug information Adding more debug information when operator-sdk fails Fix label on wait condition Change wait condition for catalogSource Delete comment Improve wait for catalogSource Signed-off-by: frherrer --- tests/e2e/common-operator-integ-suite.sh | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) diff --git a/tests/e2e/common-operator-integ-suite.sh b/tests/e2e/common-operator-integ-suite.sh index 935cd1a3e..304c2b005 100755 --- a/tests/e2e/common-operator-integ-suite.sh +++ b/tests/e2e/common-operator-integ-suite.sh 
@@ -244,10 +244,27 @@ if [ "${SKIP_BUILD}" == "false" ]; then # Install OLM in the cluster because it's not available by default in kind. ${OPERATOR_SDK} olm install + # Wait for for the CatalogSource to be CatalogSource.status.connectionState.lastObservedState == READY + ${COMMAND} wait catalogsource operatorhubio-catalog -n olm --for 'jsonpath={.status.connectionState.lastObservedState}=READY' --timeout=5m + # Create operator namespace ${COMMAND} create ns "${NAMESPACE}" || echo "Creation of namespace ${NAMESPACE} failed with the message: $?" # Deploy the operator using OLM - ${OPERATOR_SDK} run bundle "${BUNDLE_IMG}" -n "${NAMESPACE}" --skip-tls --timeout 5m + ${OPERATOR_SDK} run bundle "${BUNDLE_IMG}" -n "${NAMESPACE}" --skip-tls --timeout 5m || { + echo "****** run bundle failed, running debug information" + # Get all the pods in the namespace + ${COMMAND} get pods -n "${NAMESPACE}" + + # Get all the pods in olm namespace + ${COMMAND} get pods -n olm + + # Describe all the olm pods by iterating over the pods + for pod in $(${COMMAND} get pods -n olm -o name); do + echo "*** Describing pod: ${pod}" + ${COMMAND} describe "${pod}" + done + exit 1 + } # Wait for the operator to be ready ${COMMAND} wait --for=condition=available deployment/"${DEPLOYMENT_NAME}" -n "${NAMESPACE}" --timeout=5m From dbf31fe0186857ecb18c68740311f106ca0ab7f2 Mon Sep 17 00:00:00 2001 From: Daniel Grimm Date: Tue, 24 Sep 2024 15:39:23 +0200 Subject: [PATCH 12/68] Automatically adjust default release channel (#353) This will make sure that the channel field is pre-populated with a good default when we run the release workflow. Signed-off-by: Daniel Grimm --- .github/workflows/release.yaml | 2 +- Makefile.core.mk | 14 +++++++++++--- bundle.Dockerfile | 2 +- bundle/metadata/annotations.yaml | 2 +- 4 files changed, 14 insertions(+), 6 deletions(-) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 89a72465c..0ddb40159 100644 --- a/.github/workflows/release.yaml 
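Review bot: The new comment reads "Wait for for the CatalogSource", a doubled word; `# Wait for the CatalogSource to report status.connectionState.lastObservedState == READY` says the same thing. The failure branch prints the pods in "${NAMESPACE}" and describes the olm pods, but never describes the pods in "${NAMESPACE}", where the bundle's install job and the operator run, so the most relevant describe output is missing; a second loop over `${COMMAND} get pods -n "${NAMESPACE}" -o name` would cover it. The re-issued run bundle line keeps `--skip-tls`, which turns off TLS verification when pulling the bundle image; that is expected for a local kind registry but deserves a one-line comment so the flag is not copied into a non-test path.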
+++ b/.github/workflows/release.yaml @@ -9,7 +9,7 @@ on: bundle_channels: description: "Bundle channels" required: true - default: "candidates" + default: dev-0.2 is_draft_release: description: "Draft release" type: boolean diff --git a/Makefile.core.mk b/Makefile.core.mk index 07a3ce318..f8f34e443 100644 --- a/Makefile.core.mk +++ b/Makefile.core.mk @@ -79,7 +79,12 @@ GINKGO_FLAGS := $(if $(VERBOSE),-v) $(if $(CI),--no-color) # To re-generate a bundle for other specific channels without changing the standard setup, you can: # - use the CHANNELS as arg of the bundle target (e.g make bundle CHANNELS=candidate,fast,stable) # - use environment variables to overwrite this value (e.g export CHANNELS="candidate,fast,stable") -CHANNELS ?= ${MINOR_VERSION} +CHANNEL_PREFIX := dev +ifneq (,$(findstring release-,$(shell git rev-parse --abbrev-ref HEAD))) +CHANNEL_PREFIX = stable +endif + +CHANNELS ?= $(CHANNEL_PREFIX)-$(MINOR_VERSION) ifneq ($(origin CHANNELS), undefined) BUNDLE_CHANNELS = --channels=\"$(CHANNELS)\" endif @@ -381,7 +386,7 @@ gen-charts: ## Pull charts from istio repository. gen: gen-all-except-bundle bundle ## Generate everything. .PHONY: gen-all-except-bundle -gen-all-except-bundle: operator-name operator-chart controller-gen gen-api gen-charts gen-manifests gen-code gen-api-docs +gen-all-except-bundle: operator-name operator-chart controller-gen gen-api gen-charts gen-manifests gen-code gen-api-docs github-workflow .PHONY: gen-check gen-check: gen restore-manifest-dates check-clean-repo ## Verify that changes in generated resources have been checked in. 
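Review bot: CHANNEL_PREFIX is derived from whether `git rev-parse --abbrev-ref HEAD` contains "release-", which only works on a checked-out branch; on a detached HEAD (a tag checkout, or a workflow checkout that does not restore the branch) the command prints "HEAD", so a release bundle would silently get the dev- prefix, and a missing git binary or .git directory expands to an empty string with no diagnostic. Letting the prefix be overridden, e.g. `CHANNEL_PREFIX ?= $(if $(findstring release-,$(shell git rev-parse --abbrev-ref HEAD)),stable,dev)`, gives the release workflow a way to pin it explicitly. A comment next to the definition stating that branch naming drives the channel would help whoever next renames a branch.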
@@ -425,6 +430,9 @@ operator-chart: sed -i -e "s|^\(image: \).*$$|\1${IMAGE}|g" \ -e "s/^\( version: \).*$$/\1${VERSION}/g" chart/values.yaml +github-workflow: + sed -i -e '1,/default:/ s/^\(.*default:\).*$$/\1 ${CHANNELS}/' .github/workflows/release.yaml + .PHONY: update-istio update-istio: ## Update the Istio commit hash in the 'latest' entry in versions.yaml to the latest commit in the branch. @hack/update-istio.sh @@ -648,7 +656,7 @@ git-hook: gitleaks ## Installs gitleaks as a git pre-commit hook. chmod +x .git/hooks/pre-commit; \ fi -.SILENT: helm $(HELM) $(LOCALBIN) deploy-yaml gen-api operator-name operator-chart +.SILENT: helm $(HELM) $(LOCALBIN) deploy-yaml gen-api operator-name operator-chart github-workflow COMMON_IMPORTS ?= lint-all lint-scripts lint-copyright-banner lint-go lint-yaml lint-helm format-go tidy-go check-clean-repo update-common .PHONY: $(COMMON_IMPORTS) diff --git a/bundle.Dockerfile b/bundle.Dockerfile index 7120f4329..5bc812405 100644 --- a/bundle.Dockerfile +++ b/bundle.Dockerfile @@ -5,7 +5,7 @@ LABEL operators.operatorframework.io.bundle.mediatype.v1=registry+v1 LABEL operators.operatorframework.io.bundle.manifests.v1=manifests/ LABEL operators.operatorframework.io.bundle.metadata.v1=metadata/ LABEL operators.operatorframework.io.bundle.package.v1=sailoperator -LABEL operators.operatorframework.io.bundle.channels.v1="0.2" +LABEL operators.operatorframework.io.bundle.channels.v1="dev-0.2" LABEL operators.operatorframework.io.metrics.builder=operator-sdk-v1.36.1 LABEL operators.operatorframework.io.metrics.mediatype.v1=metrics+v1 LABEL operators.operatorframework.io.metrics.project_layout=go.kubebuilder.io/v4 diff --git a/bundle/metadata/annotations.yaml b/bundle/metadata/annotations.yaml index 7b7ca23e4..e520fa1cb 100644 --- a/bundle/metadata/annotations.yaml +++ b/bundle/metadata/annotations.yaml 
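Review bot: The `github-workflow` sed range `1,/default:/` rewrites the first `default:` in release.yaml, which is the `bundle_channels` one only because `release_version` has no default; giving an earlier input a default would silently rewrite that field instead. Anchoring the range to the input keeps it pinned: `sed -i -e '/bundle_channels:/,/default:/ s/^\(.*default:\).*$$/\1 ${CHANNELS}/' .github/workflows/release.yaml`. The target is added to `.SILENT` and to `gen-all-except-bundle`, but no `.PHONY: github-workflow` declaration is visible alongside it, unlike the neighbouring targets. Since `CHANNELS` may come from the environment per the comment in the earlier hunk, a developer with `CHANNELS` exported will write that value into the committed workflow file when running `make gen`.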
@@ -4,7 +4,7 @@ annotations: operators.operatorframework.io.bundle.manifests.v1: manifests/ operators.operatorframework.io.bundle.metadata.v1: metadata/ operators.operatorframework.io.bundle.package.v1: sailoperator - operators.operatorframework.io.bundle.channels.v1: "0.2" + operators.operatorframework.io.bundle.channels.v1: "dev-0.2" operators.operatorframework.io.metrics.builder: operator-sdk-v1.36.1 operators.operatorframework.io.metrics.mediatype.v1: metrics+v1 operators.operatorframework.io.metrics.project_layout: go.kubebuilder.io/v4 From 4c6488726821c04ffb8aafba6973f923a8ba689c Mon Sep 17 00:00:00 2001 From: Francisco Herrera Date: Tue, 24 Sep 2024 16:19:23 +0200 Subject: [PATCH 13/68] Update test labels in the wayofwork documentation (#359) Signed-off-by: frherrer --- CONTRIBUTING.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index d71a391ea..40e05748e 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md 
@@ -25,7 +25,7 @@ If you want to contribute to the Sail Operator project, you can follow some rule - Discuss your changes before you start working on them. You can open a new issue in the [Sail Operator GitHub repository](https://github.com/istio-ecosystem/sail-operator/issues) or start a discussion in the [Sail Operator Discussion](https://github.com/istio-ecosystem/sail-operator/discussions). By this way, you can get feedback from the community and ensure that your changes are aligned with the project goals. - Use of Labels: We use labels in the issues to help us track the progress of the issues. You can use the labels to help you understand the status of the issue and what is needed to move forward. Those labels are: - `backport/backport-handled`: Use this label to indicate that the issue has been backported to the appropriate branches. - - `testing`: Use this label to indicate that the issue is related to testing. Can be used in combination with other labels to mark the proper testing type, for example: `testing/e2e`, `testing/unit`, `testing/integration`. + - `test`: Use this label to indicate that the issue is related to test or add `test-needed` when a issue needs a test to be added related. Can be used in combination with other labels to mark the proper test type, for example: `test-e2e`, `test-unit`, `test-integration`. - `good first issue`: Use this label to indicate that the issue is a good first issue for new contributors. - `help wanted`: Use this label to indicate that the issue needs help from the community. - `enhancement`: Use this label to indicate that the issue is an enhancement related to a new feature or improvement. From 87f9fbd6ef42f0af472d646ee4f4c8127e06958f Mon Sep 17 00:00:00 2001 From: Maxim Babushkin Date: Tue, 24 Sep 2024 18:40:24 +0300 Subject: [PATCH 14/68] Add CODE-OF-CONDUCT to the project (#362) In order to follow the project community standards, adding the CODE-OF-CONDACT to the repository. 
Signed-off-by: Maxim Babushkin --- CODE-OF-CONDUCT.md | 7 +++++++ 1 file changed, 7 insertions(+) create mode 100644 CODE-OF-CONDUCT.md diff --git a/CODE-OF-CONDUCT.md b/CODE-OF-CONDUCT.md new file mode 100644 index 000000000..880f0a278 --- /dev/null +++ b/CODE-OF-CONDUCT.md @@ -0,0 +1,7 @@ +# Sail Operator Community Code of Conduct + +As contributors and maintainers of this project, and in the interest of fostering an open and welcoming community, we pledge to respect all people who contribute through reporting issues, posting feature requests, updating documentation, submitting pull requests or patches, and other activities. + +All members of the Sail Operator community must abide by the [CNCF Code of Conduct](https://github.com/cncf/foundation/blob/main/code-of-conduct.md). +Only by respecting each other can we develop a productive, collaborative community. + From ae7ba932d1a53f88eccbf46a3ed1d01661f62340 Mon Sep 17 00:00:00 2001 From: Sridhar Gaddam Date: Wed, 25 Sep 2024 19:24:26 +0530 Subject: [PATCH 15/68] Fix formatting in the charts readme page (#364) Signed-off-by: Sridhar Gaddam --- bundle/README.md | 12 ++++++------ chart/README.md | 40 ++++++++++++++++++++-------------------- 2 files changed, 26 insertions(+), 26 deletions(-) diff --git a/bundle/README.md b/bundle/README.md index 50aaf7008..078ef4d31 100644 --- a/bundle/README.md +++ b/bundle/README.md @@ -88,9 +88,9 @@ drop down menu when creating a new `Istio` with the OpenShift Container Platform web console. For a list of available versions, see the [versions.yaml](/versions.yaml) file or use the command: - ```sh - $ kubectl explain istio.spec.version - ``` +```sh +$ kubectl explain istio.spec.version +``` ### Customizing Istio configuration 
@@ -131,9 +131,9 @@ spec: For a list of available configuration for the `spec.values` field, run the following command: - ```sh - $ kubectl explain istio.spec.values - ``` +```sh +$ kubectl explain istio.spec.values +``` For the `IstioCNI` resource, replace `istio` with `istiocni` in the command above. diff --git a/chart/README.md b/chart/README.md index c2e4cf792..3a81b42f9 100644 --- a/chart/README.md +++ b/chart/README.md @@ -31,9 +31,9 @@ The extract command will create the `sail-operator` directory with the helm char This section describes the procedure to install `Sail Operator` using Helm. The general syntax for helm installation is: - ```sh - helm install --create-namespace --namespace [--set ] - ``` +```sh +$ helm install --create-namespace --namespace [--set ] +``` The variables specified in the command are as follows: * `` - A name to identify and manage the Helm chart once installed. @@ -169,9 +169,9 @@ An example configuration: For a list of available configuration for the `spec.values` field, run the following command: - ```sh - $ kubectl explain istio.spec.values - ``` +```sh +$ kubectl explain istio.spec.values +``` For the `IstioCNI` resource, replace `istio` with `istiocni` in the command above. 
@@ -223,26 +223,26 @@ For installation steps, refer to the following [link](../docs/common/istio-addon ### Deleting Istio - ```sh - $ kubectl -n istio-system delete istio default - ``` +```sh +$ kubectl -n istio-system delete istio default +``` ### Deleting IstioCNI (in OpenShift cluster platform) - ```sh - $ kubectl -n istio-cni delete istiocni default - ``` +```sh +$ kubectl -n istio-cni delete istiocni default +``` ### Uninstall the Sail Operator using Helm - ```sh - $ helm uninstall sail-operator --namespace sail-operator - ``` +```sh +$ helm uninstall sail-operator --namespace sail-operator +``` ### Deleting the Project namespaces - ```sh - $ kubectl delete namespace istio-system - $ kubectl delete namespace istio-cni - $ kubectl delete namespace sail-operator - ``` +```sh +$ kubectl delete namespace istio-system +$ kubectl delete namespace istio-cni +$ kubectl delete namespace sail-operator +``` From 96e2c0eaf77af7c02dbd60c653975a697f9fe98b Mon Sep 17 00:00:00 2001 From: Maxim Babushkin Date: Thu, 26 Sep 2024 19:06:23 +0300 Subject: [PATCH 16/68] Add pull request template (#366) The pull request template will help to add important information for the reviewers during new PR creation. Signed-off-by: Maxim Babushkin --- .github/pull_request_template.md | 70 ++++++++++++++++++++++++++++++++ CONTRIBUTING.md | 12 +----- 2 files changed, 71 insertions(+), 11 deletions(-) create mode 100644 .github/pull_request_template.md diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md new file mode 100644 index 000000000..fc34ef026 --- /dev/null +++ b/.github/pull_request_template.md 
@@ -0,0 +1,70 @@ + + +#### What type of PR is this? + + +- [ ] Enhancement / New Feature +- [ ] Bug Fix +- [ ] Refactor +- [ ] Optimization +- [ ] Test +- [ ] Documentation Update + +#### What this PR does / why we need it: +```text + +``` + +#### Which issue(s) this PR fixes: + +Fixes # + +Related Issue/PR # + +#### Special notes for your reviewer: +```text + +``` + +#### Does this PR introduce a user-facing change? + +```release-note + +``` + +#### Additional documentation: +```text + +``` + +#### Does this PR introduce a breaking change? +```text + +``` + +#### Other information: +```text + +``` diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 40e05748e..8d6421f53 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md 
@@ -29,16 +29,6 @@ If you want to contribute to the Sail Operator project, you can follow some rule - `good first issue`: Use this label to indicate that the issue is a good first issue for new contributors. - `help wanted`: Use this label to indicate that the issue needs help from the community. - `enhancement`: Use this label to indicate that the issue is an enhancement related to a new feature or improvement. -- Pull Requests: When you open a pull request, you can follow this template to help you provide the necessary information to the maintainers: - - **What type of PR is this?** - - **What this PR does / why we need it:** - - **Which issue(s) this PR fixes:** (Mark with Fixes #12345, with this the issue will be autoclosed when the PR is merged) - - **Special notes for your reviewer:** - - **Does this PR introduce a user-facing change?** - - **Additional documentation:** - - **Does this PR introduce a breaking change?** - - **Other information:** - - Labels: You can use the labels to help you track the status of the PR. The labels are the same as the issue labels. Additionally, you can use the `cleanup/refactor` to indicate that the PR is a cleanup or refactor of the codebase. Having the label just helps with filtering pull requests. It also is a hint that this work does not need an entry in the changelog ## Community meetings 
@@ -46,4 +36,4 @@ This is not defined yet. We are working on defining the community meetings and h ## Security Issues -If you find a security issue in the Sail Operator project, please refer to the [Security Policy](https://github.com/istio-ecosystem/sail-operator/security/policy) for more information on how to report security issues. Please do not report security issues in the public GitHub repository. \ No newline at end of file +If you find a security issue in the Sail Operator project, please refer to the [Security Policy](https://github.com/istio-ecosystem/sail-operator/security/policy) for more information on how to report security issues. Please do not report security issues in the public GitHub repository. From c199a1bc6ff839c353397335d74588dbf4162fc8 Mon Sep 17 00:00:00 2001 From: Maxim Babushkin Date: Fri, 27 Sep 2024 09:37:24 +0300 Subject: [PATCH 17/68] Update helm chart README (#370) It's now possible to deploy Sail Operator with Helm and use the repository as "helm repo" instead of the need to clone the repo. Update the chart readme file with new way of deployment. Signed-off-by: Maxim Babushkin --- chart/README.md | 28 +++++++++++----------------- 1 file changed, 11 insertions(+), 17 deletions(-) diff --git a/chart/README.md b/chart/README.md index 3a81b42f9..e822fed6d 100644 --- a/chart/README.md +++ b/chart/README.md @@ -16,16 +16,10 @@ OpenShift: ## Prepare the Helm charts -**Note** - `Sail Operator` could be installed by downloading the release artifacts from the [release page](https://github.com/istio-ecosystem/sail-operator/releases). - -* Download the required release artifact -* Extract it locally. - - ```sh - $ tar -xvf /tmp/sail-operator-.tgz - ``` - -The extract command will create the `sail-operator` directory with the helm charts in it. +```sh +$ helm repo add sail-operator https://istio-ecosystem.github.io/sail-operator +$ helm repo update +``` ## Installation steps 
@@ -55,13 +49,13 @@ Default configuration values can be changed using one or more `--set * Kubernetes ```sh - $ helm install sail-operator sail-operator/ --namespace sail-operator + $ helm install sail-operator sail-operator/sail-operator --namespace sail-operator ``` * OpenShift ```sh - $ helm install sail-operator sail-operator/ --namespace sail-operator --set platform=openshift + $ helm install sail-operator sail-operator/sail-operator --namespace sail-operator --set platform=openshift ``` 3. Validate the CRD installation with the `helm ls` command: @@ -69,8 +63,8 @@ Default configuration values can be changed using one or more `--set ```sh $ helm ls -n sail-operator - NAME NAMESPACE REVISION UPDATED STATUS CHART APP VERSION - sail-operator sail-operator 1 2024-09-16 12:43:18.786846217 +0300 IDT deployed sail-operator-0.1.0-rc.1 0.1.0-rc.1 + NAME NAMESPACE REVISION UPDATED STATUS CHART APP VERSION + sail-operator sail-operator 1 2024-09-26 21:15:52.508983383 +0300 IDT deployed sail-operator-0.1.0 0.1.0 ``` 4. Get the status of the installed helm chart to ensure it is deployed: @@ -79,7 +73,7 @@ Default configuration values can be changed using one or more `--set $ helm status sail-operator -n sail-operator NAME: sail-operator - LAST DEPLOYED: Mon Sep 16 12:43:18 2024 + LAST DEPLOYED: Thu Sep 26 21:15:52 2024 NAMESPACE: sail-operator STATUS: deployed REVISION: 1 
@@ -91,8 +85,8 @@ Default configuration values can be changed using one or more `--set ```sh $ kubectl -n sail-operator get deployment --output wide - NAME READY UP-TO-DATE AVAILABLE AGE CONTAINERS IMAGES SELECTOR - sail-operator 1/1 1 1 19m kube-rbac-proxy,manager gcr.io/kubebuilder/kube-rbac-proxy:v0.16.0,quay.io/maistra-dev/sail-operator:0.1.0-rc.1 app.kubernetes.io/created-by=sailoperator,app.kubernetes.io/part-of=sailoperator,control-plane=sail-operator + NAME READY UP-TO-DATE AVAILABLE AGE CONTAINERS IMAGES SELECTOR + sail-operator 1/1 1 1 107s kube-rbac-proxy,manager gcr.io/kubebuilder/kube-rbac-proxy:v0.16.0,quay.io/maistra-dev/sail-operator:0.1-latest app.kubernetes.io/created-by=sailoperator,app.kubernetes.io/part-of=sailoperator,control-plane=sail-operator $ kubectl -n sail-operator get pods -o wide From 837ffbc0978707a4cbb4a426f3952c5e1d3d3a9c Mon Sep 17 00:00:00 2001 From: Francisco Herrera Date: Fri, 27 Sep 2024 16:23:24 +0200 Subject: [PATCH 18/68] E2E kubectl util refactor (#368) * E2E kubectl util refactor Signed-off-by: frherrer * Improve reset namespace in kubectl util Signed-off-by: frherrer * Deleting non needed func in the kubectl util Signed-off-by: frherrer --------- Signed-off-by: frherrer --- .../controlplane/control_plane_suite_test.go | 5 + tests/e2e/controlplane/control_plane_test.go | 52 +-- .../multicluster_multiprimary_test.go | 76 ++--- .../multicluster_primaryremote_test.go | 57 ++-- .../multicluster/multicluster_suite_test.go | 9 + tests/e2e/operator/operator_install_test.go | 5 +- tests/e2e/operator/operator_suite_test.go | 5 + tests/e2e/util/certs/certs.go | 4 +- tests/e2e/util/common/e2e_utils.go | 35 +- tests/e2e/util/kubectl/kubectl.go | 321 +++++++++--------- 10 files changed, 302 insertions(+), 267 deletions(-) diff --git a/tests/e2e/controlplane/control_plane_suite_test.go b/tests/e2e/controlplane/control_plane_suite_test.go index 872a0578a..627edfc5d 100644 --- a/tests/e2e/controlplane/control_plane_suite_test.go 
+++ b/tests/e2e/controlplane/control_plane_suite_test.go @@ -21,6 +21,7 @@ import ( k8sclient "github.com/istio-ecosystem/sail-operator/tests/e2e/util/client" env "github.com/istio-ecosystem/sail-operator/tests/e2e/util/env" + "github.com/istio-ecosystem/sail-operator/tests/e2e/util/kubectl" . "github.com/onsi/ginkgo/v2" . "github.com/onsi/gomega" "sigs.k8s.io/controller-runtime/pkg/client" @@ -41,6 +42,8 @@ var ( expectedRegistry = env.Get("EXPECTED_REGISTRY", "^docker\\.io|^gcr\\.io") bookinfoNamespace = env.Get("BOOKINFO_NAMESPACE", "bookinfo") multicluster = env.GetBool("MULTICLUSTER", false) + + k *kubectl.KubectlBuilder ) func TestInstall(t *testing.T) { @@ -58,4 +61,6 @@ func setup() { GinkgoWriter.Println("Initializing k8s client") cl, err = k8sclient.InitK8sClient("") Expect(err).NotTo(HaveOccurred()) + + k = kubectl.NewKubectlBuilder() } diff --git a/tests/e2e/controlplane/control_plane_test.go b/tests/e2e/controlplane/control_plane_test.go index ec7a6574a..8beb63065 100644 --- a/tests/e2e/controlplane/control_plane_test.go +++ b/tests/e2e/controlplane/control_plane_test.go @@ -30,7 +30,6 @@ import ( common "github.com/istio-ecosystem/sail-operator/tests/e2e/util/common" . "github.com/istio-ecosystem/sail-operator/tests/e2e/util/gomega" "github.com/istio-ecosystem/sail-operator/tests/e2e/util/helm" - "github.com/istio-ecosystem/sail-operator/tests/e2e/util/kubectl" . "github.com/onsi/ginkgo/v2" . "github.com/onsi/gomega" "github.com/onsi/gomega/types" @@ -45,11 +44,10 @@ import ( var _ = Describe("Control Plane Installation", Ordered, func() { SetDefaultEventuallyTimeout(180 * time.Second) SetDefaultEventuallyPollingInterval(time.Second) - debugInfoLogged := false BeforeAll(func(ctx SpecContext) { - Expect(kubectl.CreateNamespace(namespace)).To(Succeed(), "Namespace failed to be created") + Expect(k.CreateNamespace(namespace)).To(Succeed(), "Namespace failed to be created") extraArg := "" if ocp { 
@@ -79,7 +77,7 @@ kind: IstioCNI metadata: name: default ` + spec - Expect(kubectl.CreateFromString(yaml)).To(Succeed(), "IstioCNI creation failed") + Expect(k.CreateFromString(yaml)).To(Succeed(), "IstioCNI creation failed") Success("IstioCNI created") cni := &v1alpha1.IstioCNI{} @@ -103,7 +101,7 @@ kind: Istio metadata: name: default ` + spec - Expect(kubectl.CreateFromString(yaml)).To(Succeed(), "Istio creation failed") + Expect(k.CreateFromString(yaml)).To(Succeed(), "Istio creation failed") Success("Istio created") istio := &v1alpha1.Istio{} @@ -126,8 +124,8 @@ metadata: Context(version.Name, func() { BeforeAll(func() { - Expect(kubectl.CreateNamespace(controlPlaneNamespace)).To(Succeed(), "Istio namespace failed to be created") - Expect(kubectl.CreateNamespace(istioCniNamespace)).To(Succeed(), "IstioCNI namespace failed to be created") + Expect(k.CreateNamespace(controlPlaneNamespace)).To(Succeed(), "Istio namespace failed to be created") + Expect(k.CreateNamespace(istioCniNamespace)).To(Succeed(), "IstioCNI namespace failed to be created") }) When("the IstioCNI CR is created", func() { @@ -142,7 +140,7 @@ spec: namespace: %s` yaml = fmt.Sprintf(yaml, version.Name, istioCniNamespace) Log("IstioCNI YAML:", indent(2, yaml)) - Expect(kubectl.CreateFromString(yaml)).To(Succeed(), "IstioCNI creation failed") + Expect(k.CreateFromString(yaml)).To(Succeed(), "IstioCNI creation failed") Success("IstioCNI created") }) 
@@ -174,9 +172,10 @@ spec: }) It("doesn't continuously reconcile the IstioCNI CR", func() { - Eventually(kubectl.Logs).WithArguments(namespace, "deploy/"+deploymentName, ptr.Of(30*time.Second)). - ShouldNot(ContainSubstring("Reconciliation done"), "Istio Operator is continuously reconciling") - Success("Istio Operator stopped reconciling") + Eventually(k.SetNamespace(namespace).Logs).WithArguments("deploy/"+deploymentName, ptr.Of(30*time.Second)). + ShouldNot(ContainSubstring("Reconciliation done"), "IstioCNI is continuously reconciling") + k.ResetNamespace() + Success("IstioCNI stopped reconciling") }) }) @@ -192,7 +191,7 @@ spec: namespace: %s` istioYAML = fmt.Sprintf(istioYAML, version.Name, controlPlaneNamespace) Log("Istio YAML:", indent(2, istioYAML)) - Expect(kubectl.CreateFromString(istioYAML)). + Expect(k.CreateFromString(istioYAML)). To(Succeed(), "Istio CR failed to be created") Success("Istio CR created") }) 
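Review bot: `k.ResetNamespace()` only runs if the `Eventually(...).ShouldNot(...)` assertion above it passes; on failure Ginkgo aborts the spec at the assertion and the shared package-level `k` keeps `namespace` set for every later caller. The same shared-state pattern appears without any reset in the `@@ -261`, `@@ -282`, `@@ -388` and `@@ -397` hunks of this file and in the `@@ -146` and `@@ -257` multicluster hunks, so which namespace a later `k.ForceDelete` or `k.Patch` call targets depends on whichever spec ran last (harmless for cluster-scoped resources, surprising for anything else). Putting `defer k.ResetNamespace()` at the top of the `It` closure, before the `Eventually` line, restores the namespace on both success and failure; alternatively `SetNamespace` could return a copy instead of mutating the receiver, but the builder's implementation is not in this chunk.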
@@ -222,16 +221,17 @@ spec: }) It("doesn't continuously reconcile the Istio CR", func() { - Eventually(kubectl.Logs).WithArguments(namespace, "deploy/"+deploymentName, ptr.Of(30*time.Second)). - ShouldNot(ContainSubstring("Reconciliation done"), "Istio Operator is continuously reconciling") - Success("Istio Operator stopped reconciling") + Eventually(k.SetNamespace(namespace).Logs).WithArguments("deploy/"+deploymentName, ptr.Of(30*time.Second)). + ShouldNot(ContainSubstring("Reconciliation done"), "Istio CR is continuously reconciling") + k.ResetNamespace() + Success("Istio CR stopped reconciling") }) }) When("bookinfo is deployed", func() { BeforeAll(func() { - Expect(kubectl.CreateNamespace(bookinfoNamespace)).To(Succeed(), "Bookinfo namespace failed to be created") - Expect(kubectl.Patch("", "namespace", bookinfoNamespace, "merge", `{"metadata":{"labels":{"istio-injection":"enabled"}}}`)). + Expect(k.CreateNamespace(bookinfoNamespace)).To(Succeed(), "Bookinfo namespace failed to be created") + Expect(k.Patch("namespace", bookinfoNamespace, "merge", `{"metadata":{"labels":{"istio-injection":"enabled"}}}`)). To(Succeed(), "Error patching bookinfo namespace") Expect(deployBookinfo(version)).To(Succeed(), "Error deploying bookinfo") Success("Bookinfo deployed") @@ -261,14 +261,14 @@ spec: AfterAll(func(ctx SpecContext) { By("Deleting bookinfo") - Expect(kubectl.DeleteNamespace(bookinfoNamespace)).To(Succeed(), "Bookinfo namespace failed to be deleted") + Expect(k.DeleteNamespace(bookinfoNamespace)).To(Succeed(), "Bookinfo namespace failed to be deleted") Success("Bookinfo deleted") }) }) When("the Istio CR is deleted", func() { BeforeEach(func() { - Expect(kubectl.Delete(controlPlaneNamespace, "istio", istioName)).To(Succeed(), "Istio CR failed to be deleted") + Expect(k.SetNamespace(controlPlaneNamespace).Delete("istio", istioName)).To(Succeed(), "Istio CR failed to be deleted") Success("Istio CR deleted") }) 
@@ -282,7 +282,7 @@ spec: When("the IstioCNI CR is deleted", func() { BeforeEach(func() { - Expect(kubectl.Delete(istioCniNamespace, "istiocni", istioCniName)).To(Succeed(), "IstioCNI CR failed to be deleted") + Expect(k.SetNamespace(istioCniNamespace).Delete("istiocni", istioCniName)).To(Succeed(), "IstioCNI CR failed to be deleted") Success("IstioCNI deleted") }) @@ -336,7 +336,7 @@ spec: Success("Skipping deletion of operator namespace to avoid removal of operator container image from internal registry") return } - Expect(kubectl.DeleteNamespace(namespace)).To(Succeed(), "Namespace failed to be deleted") + Expect(k.DeleteNamespace(namespace)).To(Succeed(), "Namespace failed to be deleted") Success("Namespace deleted") }) }) @@ -357,17 +357,17 @@ func indent(level int, str string) string { func forceDeleteIstioResources() error { // This is a workaround to delete the Istio CRs that are left in the cluster // This will be improved by splitting the tests into different Nodes with their independent setups and cleanups - err := kubectl.ForceDelete("", "istio", istioName) + err := k.ForceDelete("istio", istioName) if err != nil && !strings.Contains(err.Error(), "not found") { return fmt.Errorf("failed to delete %s CR: %w", "istio", err) } - err = kubectl.ForceDelete("", "istiorevision", "default") + err = k.ForceDelete("istiorevision", "default") if err != nil && !strings.Contains(err.Error(), "not found") { return fmt.Errorf("failed to delete %s CR: %w", "istiorevision", err) } - err = kubectl.Delete("", "istiocni", istioCniName) + err = k.Delete("istiocni", istioCniName) if err != nil && !strings.Contains(err.Error(), "not found") { return fmt.Errorf("failed to delete %s CR: %w", "istiocni", err) } 
@@ -388,7 +388,7 @@ func getBookinfoURL(version supportedversion.VersionInfo) string { func deployBookinfo(version supportedversion.VersionInfo) error { bookinfoURL := getBookinfoURL(version) - kubectl.Apply(bookinfoNamespace, bookinfoURL) + k.SetNamespace(bookinfoNamespace).Apply(bookinfoURL) if err != nil { return fmt.Errorf("error deploying bookinfo: %w", err) } @@ -397,7 +397,7 @@ func deployBookinfo(version supportedversion.VersionInfo) error { } func getProxyVersion(podName, namespace string) (string, error) { - proxyVersion, err := kubectl.Exec(namespace, + proxyVersion, err := k.SetNamespace(namespace).Exec( podName, "istio-proxy", `curl -s http://localhost:15000/server_info | grep "ISTIO_VERSION" | awk -F '"' '{print $4}'`) diff --git a/tests/e2e/multicluster/multicluster_multiprimary_test.go b/tests/e2e/multicluster/multicluster_multiprimary_test.go index 97c404c52..687e763f7 100644 --- a/tests/e2e/multicluster/multicluster_multiprimary_test.go +++ b/tests/e2e/multicluster/multicluster_multiprimary_test.go @@ -49,8 +49,8 @@ var _ = Describe("Multicluster deployment models", Ordered, func() { BeforeAll(func(ctx SpecContext) { if !skipDeploy { // Deploy the Sail Operator on both clusters - Expect(kubectl.CreateNamespace(namespace, kubeconfig)).To(Succeed(), "Namespace failed to be created on Cluster #1") - Expect(kubectl.CreateNamespace(namespace, kubeconfig2)).To(Succeed(), "Namespace failed to be created on Cluster #2") + Expect(kubectlClient1.CreateNamespace(namespace)).To(Succeed(), "Namespace failed to be created on Cluster #1") + Expect(kubectlClient2.CreateNamespace(namespace)).To(Succeed(), "Namespace failed to be created on Cluster #2") Expect(helm.Install("sail-operator", filepath.Join(project.RootDir, "chart"), "--namespace "+namespace, "--set=image="+image, "--kubeconfig "+kubeconfig)). To(Succeed(), "Operator failed to be deployed in Cluster #1") 
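Review bot: In `deployBookinfo` the result of `k.SetNamespace(bookinfoNamespace).Apply(bookinfoURL)` is discarded, and the `if err != nil` on the next line tests the package-level `err` assigned in the suite's `setup()`, so a failed apply is never reported; `Apply` returns an `error`, as its use with `Succeed()` in the multicluster hunks shows. Write it as `if err := k.SetNamespace(bookinfoNamespace).Apply(bookinfoURL); err != nil {`. The removed line had the same flaw, and since the commit rewrites it this is the place to fix it rather than carry it into the new helper.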
@@ -76,8 +76,8 @@ var _ = Describe("Multicluster deployment models", Ordered, func() { Context("Istio version is: "+version.Version, func() { When("Istio resources are created in both clusters with multicluster configuration", func() { BeforeAll(func(ctx SpecContext) { - Expect(kubectl.CreateNamespace(controlPlaneNamespace, kubeconfig)).To(Succeed(), "Namespace failed to be created") - Expect(kubectl.CreateNamespace(controlPlaneNamespace, kubeconfig2)).To(Succeed(), "Namespace failed to be created") + Expect(kubectlClient1.CreateNamespace(controlPlaneNamespace)).To(Succeed(), "Namespace failed to be created") + Expect(kubectlClient2.CreateNamespace(controlPlaneNamespace)).To(Succeed(), "Namespace failed to be created") // Push the intermediate CA to both clusters certs.PushIntermediateCA(controlPlaneNamespace, kubeconfig, "east", "network1", artifacts, clPrimary) @@ -110,11 +110,11 @@ spec: network: %s` multiclusterCluster1YAML := fmt.Sprintf(multiclusterYAML, version.Name, controlPlaneNamespace, "mesh1", "cluster1", "network1") Log("Istio CR Cluster #1: ", multiclusterCluster1YAML) - Expect(kubectl.CreateFromString(multiclusterCluster1YAML, kubeconfig)).To(Succeed(), "Istio Resource creation failed on Cluster #1") + Expect(kubectlClient1.CreateFromString(multiclusterCluster1YAML)).To(Succeed(), "Istio Resource creation failed on Cluster #1") multiclusterCluster2YAML := fmt.Sprintf(multiclusterYAML, version.Name, controlPlaneNamespace, "mesh1", "cluster2", "network2") Log("Istio CR Cluster #2: ", multiclusterCluster2YAML) - Expect(kubectl.CreateFromString(multiclusterCluster2YAML, kubeconfig2)).To(Succeed(), "Istio Resource creation failed on Cluster #2") + Expect(kubectlClient2.CreateFromString(multiclusterCluster2YAML)).To(Succeed(), "Istio Resource creation failed on Cluster #2") }) It("updates both Istio CR status to Ready", func(ctx SpecContext) { 
@@ -146,13 +146,13 @@ spec: When("Gateway is created in both clusters", func() { BeforeAll(func(ctx SpecContext) { - Expect(kubectl.Apply(controlPlaneNamespace, eastGatewayYAML, kubeconfig)).To(Succeed(), "Gateway creation failed on Cluster #1") + Expect(kubectlClient1.SetNamespace(controlPlaneNamespace).Apply(eastGatewayYAML)).To(Succeed(), "Gateway creation failed on Cluster #1") - Expect(kubectl.Apply(controlPlaneNamespace, westGatewayYAML, kubeconfig2)).To(Succeed(), "Gateway creation failed on Cluster #2") + Expect(kubectlClient2.SetNamespace(controlPlaneNamespace).Apply(westGatewayYAML)).To(Succeed(), "Gateway creation failed on Cluster #2") // Expose the Gateway service in both clusters - Expect(kubectl.Apply(controlPlaneNamespace, exposeServiceYAML, kubeconfig)).To(Succeed(), "Expose Service creation failed on Cluster #1") - Expect(kubectl.Apply(controlPlaneNamespace, exposeServiceYAML, kubeconfig2)).To(Succeed(), "Expose Service creation failed on Cluster #2") + Expect(kubectlClient1.SetNamespace(controlPlaneNamespace).Apply(exposeServiceYAML)).To(Succeed(), "Expose Service creation failed on Cluster #1") + Expect(kubectlClient2.SetNamespace(controlPlaneNamespace).Apply(exposeServiceYAML)).To(Succeed(), "Expose Service creation failed on Cluster #2") }) It("updates both Gateway status to Available", func(ctx SpecContext) { 
@@ -170,23 +170,23 @@ spec: When("are installed remote secrets on each cluster", func() { BeforeAll(func(ctx SpecContext) { // Get the internal IP of the control plane node in both clusters - internalIPCluster1, err := kubectl.GetInternalIP("node-role.kubernetes.io/control-plane", kubeconfig) + internalIPCluster1, err := kubectlClient1.GetInternalIP("node-role.kubernetes.io/control-plane") Expect(err).NotTo(HaveOccurred()) Expect(internalIPCluster1).NotTo(BeEmpty(), "Internal IP is empty for Cluster #1") - internalIPCluster2, err := kubectl.GetInternalIP("node-role.kubernetes.io/control-plane", kubeconfig2) + internalIPCluster2, err := kubectlClient2.GetInternalIP("node-role.kubernetes.io/control-plane") Expect(internalIPCluster2).NotTo(BeEmpty(), "Internal IP is empty for Cluster #2") Expect(err).NotTo(HaveOccurred()) // Install a remote secret in Cluster #1 that provides access to the Cluster #2 API server. secret, err := istioctl.CreateRemoteSecret(kubeconfig2, "cluster2", internalIPCluster2) Expect(err).NotTo(HaveOccurred()) - Expect(kubectl.ApplyString("", secret, kubeconfig)).To(Succeed(), "Remote secret creation failed on Cluster #1") + Expect(kubectlClient1.ApplyString(secret)).To(Succeed(), "Remote secret creation failed on Cluster #1") // Install a remote secret in Cluster #2 that provides access to the Cluster #1 API server. secret, err = istioctl.CreateRemoteSecret(kubeconfig, "cluster1", internalIPCluster1) Expect(err).NotTo(HaveOccurred()) - Expect(kubectl.ApplyString("", secret, kubeconfig2)).To(Succeed(), "Remote secret creation failed on Cluster #1") + Expect(kubectlClient2.ApplyString(secret)).To(Succeed(), "Remote secret creation failed on Cluster #1") }) It("remote secrets are created", func(ctx SpecContext) { 
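Review bot: The rewritten `Expect(kubectlClient2.ApplyString(secret)).To(Succeed(), "Remote secret creation failed on Cluster #1")` applies to cluster #2 but keeps the copy-pasted cluster #1 message, which misdirects anyone reading a failed run; change the string to `"Remote secret creation failed on Cluster #2"`. Just above, `internalIPCluster2, err := kubectlClient2.GetInternalIP(...)` is followed by the `NotTo(BeEmpty())` check before `Expect(err).NotTo(HaveOccurred())`, the reverse of the cluster #1 order, so a lookup error surfaces as a misleading "Internal IP is empty" failure; swap those two lines to match. The remote secret carries credentials for the peer API server, so it is worth confirming that `ApplyString` does not echo its input to the Ginkgo log (its implementation is not in this chunk).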
@@ -204,7 +204,7 @@ spec: When("sample apps are deployed in both clusters", func() { BeforeAll(func(ctx SpecContext) { // Deploy the sample app in both clusters - deploySampleApp("sample", version, kubeconfig, kubeconfig2) + deploySampleApp("sample", version) Success("Sample app is deployed in both clusters") }) @@ -242,12 +242,12 @@ spec: Expect(err).NotTo(HaveOccurred(), "Error getting sleep pod name on Cluster #2") // Run the curl command from the sleep pod in the Cluster #2 and get response list to validate that we get responses from both clusters - Cluster2Responses := strings.Join(getListCurlResponses(sleepPodNameCluster2, kubeconfig2), "\n") + Cluster2Responses := strings.Join(getListCurlResponses(kubectlClient2, sleepPodNameCluster2), "\n") Expect(Cluster2Responses).To(ContainSubstring("Hello version: v1"), "Responses from Cluster #2 are not the expected") Expect(Cluster2Responses).To(ContainSubstring("Hello version: v2"), "Responses from Cluster #2 are not the expected") // Run the curl command from the sleep pod in the Cluster #1 and get response list to validate that we get responses from both clusters - Cluster1Responses := strings.Join(getListCurlResponses(sleepPodNameCluster1, kubeconfig), "\n") + Cluster1Responses := strings.Join(getListCurlResponses(kubectlClient1, sleepPodNameCluster1), "\n") Expect(Cluster1Responses).To(ContainSubstring("Hello version: v1"), "Responses from Cluster #1 are not the expected") Expect(Cluster1Responses).To(ContainSubstring("Hello version: v2"), "Responses from Cluster #1 are not the expected") Success("Sample app is accessible from both clusters") 
@@ -257,8 +257,8 @@ spec:
 When("istio CR is deleted in both clusters", func() {
 BeforeEach(func() {
 // Delete the Istio CR in both clusters
- Expect(kubectl.Delete(controlPlaneNamespace, "istio", istioName, kubeconfig)).To(Succeed(), "Istio CR failed to be deleted")
- Expect(kubectl.Delete(controlPlaneNamespace, "istio", istioName, kubeconfig2)).To(Succeed(), "Istio CR failed to be deleted")
+ Expect(kubectlClient1.SetNamespace(controlPlaneNamespace).Delete("istio", istioName)).To(Succeed(), "Istio CR failed to be deleted")
+ Expect(kubectlClient2.SetNamespace(controlPlaneNamespace).Delete("istio", istioName)).To(Succeed(), "Istio CR failed to be deleted")
 Success("Istio CR is deleted in both clusters")
 })
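Review bot: SetNamespace on the package-level kubectlClient1/kubectlClient2 mutates the shared builder and returns the same pointer (see the kubectl.go hunk at @@ -23, which starts at the end of this chunk and is cut off), so the `-n <controlPlaneNamespace>` set here stays on the client for every later call: the DeleteNamespace calls in the following AfterAll hunks and, on the next version iteration, the ApplyString/CreateFromString/Patch calls that previously ran without any namespace flag. Whether those still succeed then depends on the namespace in the applied YAML happening to match the lingering flag, which is fragile and hard to debug from a failure message. The same pattern appears in the hunks at @@ -321 (ApplyWithLabels/Apply), the getListCurlResponses hunk (sets "sample" on the caller's client), @@ -141, @@ -214, @@ -234 and @@ -301. Either clear the flag after each scoped call, `kubectlClient1.ResetNamespace()` as logOperatorDebugInfo in e2e_utils.go already does, or have SetNamespace return a copy of the builder so chained calls stop leaking state into the shared client.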
@@ -273,16 +273,16 @@ spec: AfterAll(func(ctx SpecContext) { // Delete namespace to ensure clean up for new tests iteration - Expect(kubectl.DeleteNamespace(controlPlaneNamespace, kubeconfig)).To(Succeed(), "Namespace failed to be deleted on Cluster #1") - Expect(kubectl.DeleteNamespace(controlPlaneNamespace, kubeconfig2)).To(Succeed(), "Namespace failed to be deleted on Cluster #2") + Expect(kubectlClient1.DeleteNamespace(controlPlaneNamespace)).To(Succeed(), "Namespace failed to be deleted on Cluster #1") + Expect(kubectlClient2.DeleteNamespace(controlPlaneNamespace)).To(Succeed(), "Namespace failed to be deleted on Cluster #2") common.CheckNamespaceEmpty(ctx, clPrimary, controlPlaneNamespace) common.CheckNamespaceEmpty(ctx, clRemote, controlPlaneNamespace) Success("ControlPlane Namespaces are empty") // Delete the entire sample namespace in both clusters - Expect(kubectl.DeleteNamespace("sample", kubeconfig)).To(Succeed(), "Namespace failed to be deleted on Cluster #1") - Expect(kubectl.DeleteNamespace("sample", kubeconfig2)).To(Succeed(), "Namespace failed to be deleted on Cluster #2") + Expect(kubectlClient1.DeleteNamespace("sample")).To(Succeed(), "Namespace failed to be deleted on Cluster #1") + Expect(kubectlClient2.DeleteNamespace("sample")).To(Succeed(), "Namespace failed to be deleted on Cluster #2") common.CheckNamespaceEmpty(ctx, clPrimary, "sample") common.CheckNamespaceEmpty(ctx, clRemote, "sample") 
@@ -294,8 +294,8 @@ spec: AfterAll(func(ctx SpecContext) { // Delete the Sail Operator from both clusters - Expect(kubectl.DeleteNamespace(namespace, kubeconfig)).To(Succeed(), "Namespace failed to be deleted on Cluster #1") - Expect(kubectl.DeleteNamespace(namespace, kubeconfig2)).To(Succeed(), "Namespace failed to be deleted on Cluster #2") + Expect(kubectlClient1.DeleteNamespace(namespace)).To(Succeed(), "Namespace failed to be deleted on Cluster #1") + Expect(kubectlClient2.DeleteNamespace(namespace)).To(Succeed(), "Namespace failed to be deleted on Cluster #2") // Delete the intermediate CA from both clusters common.CheckNamespaceEmpty(ctx, clPrimary, namespace) @@ -304,15 +304,15 @@ spec: }) // deploySampleApp deploys the sample app in the given cluster -func deploySampleApp(ns string, istioVersion supportedversion.VersionInfo, kubeconfig string, kubeconfig2 string) { +func deploySampleApp(ns string, istioVersion supportedversion.VersionInfo) { // Create the namespace - Expect(kubectl.CreateNamespace(ns, kubeconfig)).To(Succeed(), "Namespace failed to be created") - Expect(kubectl.CreateNamespace(ns, kubeconfig2)).To(Succeed(), "Namespace failed to be created") + Expect(kubectlClient1.CreateNamespace(ns)).To(Succeed(), "Namespace failed to be created") + Expect(kubectlClient2.CreateNamespace(ns)).To(Succeed(), "Namespace failed to be created") // Label the namespace - Expect(kubectl.Patch("", "namespace", ns, "merge", `{"metadata":{"labels":{"istio-injection":"enabled"}}}`)). + Expect(kubectlClient1.Patch("namespace", ns, "merge", `{"metadata":{"labels":{"istio-injection":"enabled"}}}`)). To(Succeed(), "Error patching sample namespace") - Expect(kubectl.Patch("", "namespace", ns, "merge", `{"metadata":{"labels":{"istio-injection":"enabled"}}}`, kubeconfig2)). + Expect(kubectlClient2.Patch("namespace", ns, "merge", `{"metadata":{"labels":{"istio-injection":"enabled"}}}`)). To(Succeed(), "Error patching sample namespace") version := istioVersion.Version 
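Review bot: The doc comment on deploySampleApp still reads "in the given cluster" although the kubeconfig parameters were removed and the function now always targets both package-level clients; suggest `// deploySampleApp deploys the sample app in both clusters via kubectlClient1 and kubectlClient2`. The function body continues past this hunk into the next one.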
@@ -321,22 +321,22 @@ func deploySampleApp(ns string, istioVersion supportedversion.VersionInfo, kubec version = "master" } helloWorldURL := fmt.Sprintf("https://raw.githubusercontent.com/istio/istio/%s/samples/helloworld/helloworld.yaml", version) - Expect(kubectl.ApplyWithLabels(ns, helloWorldURL, "service=helloworld", kubeconfig)).To(Succeed(), "Sample service deploy failed on Cluster #1") - Expect(kubectl.ApplyWithLabels(ns, helloWorldURL, "service=helloworld", kubeconfig2)).To(Succeed(), "Sample service deploy failed on Cluster #2") + Expect(kubectlClient1.SetNamespace(ns).ApplyWithLabels(helloWorldURL, "service=helloworld")).To(Succeed(), "Sample service deploy failed on Cluster #1") + Expect(kubectlClient2.SetNamespace(ns).ApplyWithLabels(helloWorldURL, "service=helloworld")).To(Succeed(), "Sample service deploy failed on Cluster #2") - Expect(kubectl.ApplyWithLabels(ns, helloWorldURL, "version=v1", kubeconfig)).To(Succeed(), "Sample service deploy failed on Cluster #1") - Expect(kubectl.ApplyWithLabels(ns, helloWorldURL, "version=v2", kubeconfig2)).To(Succeed(), "Sample service deploy failed on Cluster #2") + Expect(kubectlClient1.SetNamespace(ns).ApplyWithLabels(helloWorldURL, "version=v1")).To(Succeed(), "Sample service deploy failed on Cluster #1") + Expect(kubectlClient2.SetNamespace(ns).ApplyWithLabels(helloWorldURL, "version=v2")).To(Succeed(), "Sample service deploy failed on Cluster #2") sleepURL := fmt.Sprintf("https://raw.githubusercontent.com/istio/istio/%s/samples/sleep/sleep.yaml", version) - Expect(kubectl.Apply(ns, sleepURL, kubeconfig)).To(Succeed(), "Sample sleep deploy failed on Cluster #1") - Expect(kubectl.Apply(ns, sleepURL, kubeconfig2)).To(Succeed(), "Sample sleep deploy failed on Cluster #2") + Expect(kubectlClient1.SetNamespace(ns).Apply(sleepURL)).To(Succeed(), "Sample sleep deploy failed on Cluster #1") + Expect(kubectlClient2.SetNamespace(ns).Apply(sleepURL)).To(Succeed(), "Sample sleep deploy failed on Cluster #2") } // 
getListCurlResponses runs the curl command 10 times from the sleep pod in the given cluster and get response list -func getListCurlResponses(podName, kubeconfig string) []string { +func getListCurlResponses(k *kubectl.KubectlBuilder, podName string) []string { var responses []string for i := 0; i < 10; i++ { - response, err := kubectl.Exec("sample", podName, "sleep", "curl -sS helloworld.sample:5000/hello", kubeconfig) + response, err := k.SetNamespace("sample").Exec(podName, "sleep", "curl -sS helloworld.sample:5000/hello") Expect(err).NotTo(HaveOccurred()) responses = append(responses, response) } diff --git a/tests/e2e/multicluster/multicluster_primaryremote_test.go b/tests/e2e/multicluster/multicluster_primaryremote_test.go index 798db3c2c..d7a200c66 100644 --- a/tests/e2e/multicluster/multicluster_primaryremote_test.go +++ b/tests/e2e/multicluster/multicluster_primaryremote_test.go @@ -33,7 +33,6 @@ import ( . "github.com/istio-ecosystem/sail-operator/tests/e2e/util/gomega" "github.com/istio-ecosystem/sail-operator/tests/e2e/util/helm" "github.com/istio-ecosystem/sail-operator/tests/e2e/util/istioctl" - "github.com/istio-ecosystem/sail-operator/tests/e2e/util/kubectl" . "github.com/onsi/ginkgo/v2" . "github.com/onsi/gomega" appsv1 "k8s.io/api/apps/v1" 
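Review bot: In getListCurlResponses, `k.SetNamespace("sample")` is evaluated on every one of the 10 loop iterations although it only assigns a field on the builder; hoist it above the loop and call `k.Exec(podName, "sleep", "curl -sS helloworld.sample:5000/hello")` inside. Because the builder passed in is one of the shared package-level clients, the `-n sample` flag also remains set after the function returns; a `defer k.ResetNamespace()` next to the hoisted call would hand the client back to the caller unchanged.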
@@ -49,8 +48,8 @@ var _ = Describe("Multicluster deployment models", Ordered, func() { BeforeAll(func(ctx SpecContext) { if !skipDeploy { // Deploy the Sail Operator on both clusters - Expect(kubectl.CreateNamespace(namespace, kubeconfig)).To(Succeed(), "Namespace failed to be created on Primary Cluster") - Expect(kubectl.CreateNamespace(namespace, kubeconfig2)).To(Succeed(), "Namespace failed to be created on Remote Cluster") + Expect(kubectlClient1.CreateNamespace(namespace)).To(Succeed(), "Namespace failed to be created on Primary Cluster") + Expect(kubectlClient2.CreateNamespace(namespace)).To(Succeed(), "Namespace failed to be created on Remote Cluster") Expect(helm.Install("sail-operator", filepath.Join(project.RootDir, "chart"), "--namespace "+namespace, "--set=image="+image, "--kubeconfig "+kubeconfig)). To(Succeed(), "Operator failed to be deployed in Primary Cluster") @@ -81,8 +80,8 @@ var _ = Describe("Multicluster deployment models", Ordered, func() { Context("Istio version is: "+version.Version, func() { When("Istio resources are created in both clusters", func() { BeforeAll(func(ctx SpecContext) { - Expect(kubectl.CreateNamespace(controlPlaneNamespace, kubeconfig)).To(Succeed(), "Namespace failed to be created") - Expect(kubectl.CreateNamespace(controlPlaneNamespace, kubeconfig2)).To(Succeed(), "Namespace failed to be created") + Expect(kubectlClient1.CreateNamespace(controlPlaneNamespace)).To(Succeed(), "Namespace failed to be created") + Expect(kubectlClient2.CreateNamespace(controlPlaneNamespace)).To(Succeed(), "Namespace failed to be created") // Push the intermediate CA to both clusters Expect(certs.PushIntermediateCA(controlPlaneNamespace, kubeconfig, "east", "network1", artifacts, clPrimary)). 
@@ -120,7 +119,7 @@ spec: network: %s` multiclusterPrimaryYAML := fmt.Sprintf(PrimaryYAML, version.Name, controlPlaneNamespace, "mesh1", "cluster1", "network1") Log("Istio CR Primary: ", multiclusterPrimaryYAML) - Expect(kubectl.CreateFromString(multiclusterPrimaryYAML, kubeconfig)).To(Succeed(), "Istio Resource creation failed on Primary Cluster") + Expect(kubectlClient1.CreateFromString(multiclusterPrimaryYAML)).To(Succeed(), "Istio Resource creation failed on Primary Cluster") }) It("updates Istio CR on Primary cluster status to Ready", func(ctx SpecContext) { @@ -141,13 +140,13 @@ spec: When("Gateway is created on Primary cluster ", func() { BeforeAll(func(ctx SpecContext) { - Expect(kubectl.Apply(controlPlaneNamespace, eastGatewayYAML, kubeconfig)).To(Succeed(), "Gateway creation failed on Primary Cluster") + Expect(kubectlClient1.SetNamespace(controlPlaneNamespace).Apply(eastGatewayYAML)).To(Succeed(), "Gateway creation failed on Primary Cluster") // Expose istiod service in Primary cluster - Expect(kubectl.Apply(controlPlaneNamespace, exposeIstiodYAML, kubeconfig)).To(Succeed(), "Expose Istiod creation failed on Primary Cluster") + Expect(kubectlClient1.SetNamespace(controlPlaneNamespace).Apply(exposeIstiodYAML)).To(Succeed(), "Expose Istiod creation failed on Primary Cluster") // Expose the Gateway service in both clusters - Expect(kubectl.Apply(controlPlaneNamespace, exposeServiceYAML, kubeconfig)).To(Succeed(), "Expose Service creation failed on Primary Cluster") + Expect(kubectlClient1.SetNamespace(controlPlaneNamespace).Apply(exposeServiceYAML)).To(Succeed(), "Expose Service creation failed on Primary Cluster") }) It("updates Gateway status to Available", func(ctx SpecContext) { 
@@ -179,31 +178,29 @@ spec: remoteIstioYAML := fmt.Sprintf(RemoteYAML, version.Name, remotePilotAddress) Log("RemoteIstio CR: ", remoteIstioYAML) By("Creating RemoteIstio CR on Remote Cluster") - Expect(kubectl.CreateFromString(remoteIstioYAML, kubeconfig2)).To(Succeed(), "RemoteIstio Resource creation failed on Remote Cluster") + Expect(kubectlClient2.CreateFromString(remoteIstioYAML)).To(Succeed(), "RemoteIstio Resource creation failed on Remote Cluster") // Set the controlplane cluster and network for Remote namespace By("Patching the istio-system namespace on Remote Cluster") Expect( - kubectl.Patch("", + kubectlClient2.Patch( "namespace", controlPlaneNamespace, "merge", - `{"metadata":{"annotations":{"topology.istio.io/controlPlaneClusters":"cluster1"}}}`, - kubeconfig2)). + `{"metadata":{"annotations":{"topology.istio.io/controlPlaneClusters":"cluster1"}}}`)). To(Succeed(), "Error patching istio-system namespace") Expect( - kubectl.Patch("", + kubectlClient2.Patch( "namespace", controlPlaneNamespace, "merge", - `{"metadata":{"labels":{"topology.istio.io/network":"network2"}}}`, - kubeconfig2)). + `{"metadata":{"labels":{"topology.istio.io/network":"network2"}}}`)). To(Succeed(), "Error patching istio-system namespace") // To be able to access the remote cluster from the primary cluster, we need to create a secret in the primary cluster // RemoteIstio resource will not be Ready until the secret is created // Get the internal IP of the control plane node in Remote cluster - internalIPRemote, err := kubectl.GetInternalIP("node-role.kubernetes.io/control-plane", kubeconfig2) + internalIPRemote, err := kubectlClient2.GetInternalIP("node-role.kubernetes.io/control-plane") Expect(internalIPRemote).NotTo(BeEmpty(), "Internal IP is empty for Remote Cluster") Expect(err).NotTo(HaveOccurred()) 
@@ -214,7 +211,7 @@ spec: By("Creating Remote Secret on Primary Cluster") secret, err := istioctl.CreateRemoteSecret(kubeconfig2, "remote", internalIPRemote) Expect(err).NotTo(HaveOccurred()) - Expect(kubectl.ApplyString("", secret, kubeconfig)).To(Succeed(), "Remote secret creation failed on Primary Cluster") + Expect(kubectlClient1.ApplyString(secret)).To(Succeed(), "Remote secret creation failed on Primary Cluster") }) It("secret is created", func(ctx SpecContext) { @@ -234,7 +231,7 @@ spec: When("gateway is created in Remote cluster", func() { BeforeAll(func(ctx SpecContext) { - Expect(kubectl.Apply(controlPlaneNamespace, westGatewayYAML, kubeconfig2)).To(Succeed(), "Gateway creation failed on Remote Cluster") + Expect(kubectlClient2.SetNamespace(controlPlaneNamespace).Apply(westGatewayYAML)).To(Succeed(), "Gateway creation failed on Remote Cluster") Success("Gateway is created in Remote cluster") }) @@ -249,7 +246,7 @@ spec: When("sample apps are deployed in both clusters", func() { BeforeAll(func(ctx SpecContext) { // Deploy the sample app in both clusters - deploySampleApp("sample", version, kubeconfig, kubeconfig2) + deploySampleApp("sample", version) Success("Sample app is deployed in both clusters") }) 
@@ -287,12 +284,12 @@ spec: Expect(err).NotTo(HaveOccurred(), "Error getting sleep pod name on Remote Cluster") // Run the curl command from the sleep pod in the Remote Cluster and get response list to validate that we get responses from both clusters - remoteResponses := strings.Join(getListCurlResponses(sleepPodNameRemote, kubeconfig2), "\n") + remoteResponses := strings.Join(getListCurlResponses(kubectlClient2, sleepPodNameRemote), "\n") Expect(remoteResponses).To(ContainSubstring("Hello version: v1"), "Responses from Remote Cluster are not the expected") Expect(remoteResponses).To(ContainSubstring("Hello version: v2"), "Responses from Remote Cluster are not the expected") // Run the curl command from the sleep pod in the Primary Cluster and get response list to validate that we get responses from both clusters - primaryResponses := strings.Join(getListCurlResponses(sleepPodNamePrimary, kubeconfig), "\n") + primaryResponses := strings.Join(getListCurlResponses(kubectlClient1, sleepPodNamePrimary), "\n") Expect(primaryResponses).To(ContainSubstring("Hello version: v1"), "Responses from Primary Cluster are not the expected") Expect(primaryResponses).To(ContainSubstring("Hello version: v2"), "Responses from Primary Cluster are not the expected") Success("Sample app is accessible from both clusters") 
@@ -301,8 +298,8 @@ spec: When("Istio CR and RemoteIstio CR are deleted in both clusters", func() { BeforeEach(func() { - Expect(kubectl.Delete(controlPlaneNamespace, "istio", istioName, kubeconfig)).To(Succeed(), "Istio CR failed to be deleted") - Expect(kubectl.Delete(controlPlaneNamespace, "remoteistio", istioName, kubeconfig2)).To(Succeed(), "RemoteIstio CR failed to be deleted") + Expect(kubectlClient1.SetNamespace(controlPlaneNamespace).Delete("istio", istioName)).To(Succeed(), "Istio CR failed to be deleted") + Expect(kubectlClient2.SetNamespace(controlPlaneNamespace).Delete("remoteistio", istioName)).To(Succeed(), "RemoteIstio CR failed to be deleted") Success("Istio and RemoteIstio are deleted") }) 
@@ -315,16 +312,16 @@ spec: AfterAll(func(ctx SpecContext) { // Delete namespace to ensure clean up for new tests iteration - Expect(kubectl.DeleteNamespace(controlPlaneNamespace, kubeconfig)).To(Succeed(), "Namespace failed to be deleted on Primary Cluster") - Expect(kubectl.DeleteNamespace(controlPlaneNamespace, kubeconfig2)).To(Succeed(), "Namespace failed to be deleted on Remote Cluster") + Expect(kubectlClient1.DeleteNamespace(controlPlaneNamespace)).To(Succeed(), "Namespace failed to be deleted on Primary Cluster") + Expect(kubectlClient2.DeleteNamespace(controlPlaneNamespace)).To(Succeed(), "Namespace failed to be deleted on Remote Cluster") common.CheckNamespaceEmpty(ctx, clPrimary, controlPlaneNamespace) common.CheckNamespaceEmpty(ctx, clRemote, controlPlaneNamespace) Success("ControlPlane Namespaces are empty") // Delete the entire sample namespace in both clusters - Expect(kubectl.DeleteNamespace("sample", kubeconfig)).To(Succeed(), "Namespace failed to be deleted on Primary Cluster") - Expect(kubectl.DeleteNamespace("sample", kubeconfig2)).To(Succeed(), "Namespace failed to be deleted on Remote Cluster") + Expect(kubectlClient1.DeleteNamespace("sample")).To(Succeed(), "Namespace failed to be deleted on Primary Cluster") + Expect(kubectlClient2.DeleteNamespace("sample")).To(Succeed(), "Namespace failed to be deleted on Remote Cluster") common.CheckNamespaceEmpty(ctx, clPrimary, "sample") common.CheckNamespaceEmpty(ctx, clRemote, "sample") 
@@ -336,8 +333,8 @@ spec: AfterAll(func(ctx SpecContext) { // Delete the Sail Operator from both clusters - Expect(kubectl.DeleteNamespace(namespace, kubeconfig)).To(Succeed(), "Namespace failed to be deleted on Primary Cluster") - Expect(kubectl.DeleteNamespace(namespace, kubeconfig2)).To(Succeed(), "Namespace failed to be deleted on Remote Cluster") + Expect(kubectlClient1.DeleteNamespace(namespace)).To(Succeed(), "Namespace failed to be deleted on Primary Cluster") + Expect(kubectlClient2.DeleteNamespace(namespace)).To(Succeed(), "Namespace failed to be deleted on Remote Cluster") // Check that the namespace is empty common.CheckNamespaceEmpty(ctx, clPrimary, namespace) diff --git a/tests/e2e/multicluster/multicluster_suite_test.go b/tests/e2e/multicluster/multicluster_suite_test.go index 5c0cd061a..77515b124 100644 --- a/tests/e2e/multicluster/multicluster_suite_test.go +++ b/tests/e2e/multicluster/multicluster_suite_test.go @@ -25,6 +25,7 @@ import ( "github.com/istio-ecosystem/sail-operator/tests/e2e/util/certs" k8sclient "github.com/istio-ecosystem/sail-operator/tests/e2e/util/client" env "github.com/istio-ecosystem/sail-operator/tests/e2e/util/env" + "github.com/istio-ecosystem/sail-operator/tests/e2e/util/kubectl" . "github.com/onsi/ginkgo/v2" . "github.com/onsi/gomega" "sigs.k8s.io/controller-runtime/pkg/client" @@ -50,6 +51,9 @@ var ( westGatewayYAML string exposeServiceYAML string exposeIstiodYAML string + + kubectlClient1 *kubectl.KubectlBuilder + kubectlClient2 *kubectl.KubectlBuilder ) func TestInstall(t *testing.T) { @@ -59,6 +63,7 @@ func TestInstall(t *testing.T) { if ocp { t.Skip("Skipping test. Not valid for OCP") // TODO: Implement the steps to run the test on OCP + // https://github.com/istio-ecosystem/sail-operator/issues/365 } RegisterFailHandler(Fail) setup(t) 
@@ -92,4 +97,8 @@ func setup(t *testing.T) { westGatewayYAML = fmt.Sprintf("%s/docs/multicluster/east-west-gateway-net2.yaml", baseRepoDir) exposeServiceYAML = fmt.Sprintf("%s/docs/multicluster/expose-services.yaml", baseRepoDir) exposeIstiodYAML = fmt.Sprintf("%s/docs/multicluster/expose-istiod.yaml", baseRepoDir) + + // Initialize kubectl utilities, one for each cluster + kubectlClient1 = kubectl.NewKubectlBuilder().SetKubeconfig(kubeconfig) + kubectlClient2 = kubectl.NewKubectlBuilder().SetKubeconfig(kubeconfig2) } diff --git a/tests/e2e/operator/operator_install_test.go b/tests/e2e/operator/operator_install_test.go index cc6777d6c..cbd051feb 100644 --- a/tests/e2e/operator/operator_install_test.go +++ b/tests/e2e/operator/operator_install_test.go @@ -26,7 +26,6 @@ import ( common "github.com/istio-ecosystem/sail-operator/tests/e2e/util/common" . "github.com/istio-ecosystem/sail-operator/tests/e2e/util/gomega" "github.com/istio-ecosystem/sail-operator/tests/e2e/util/helm" - "github.com/istio-ecosystem/sail-operator/tests/e2e/util/kubectl" . "github.com/onsi/ginkgo/v2" . "github.com/onsi/gomega" appsv1 "k8s.io/api/apps/v1" @@ -60,7 +59,7 @@ var _ = Describe("Operator", Ordered, func() { Describe("installation", func() { BeforeAll(func() { - Expect(kubectl.CreateNamespace(namespace)).To(Succeed(), "Namespace failed to be created") + Expect(k.CreateNamespace(namespace)).To(Succeed(), "Namespace failed to be created") extraArg := "" if ocp { @@ -125,7 +124,7 @@ var _ = Describe("Operator", Ordered, func() { Success("Operator uninstalled") By("Deleting the CRDs") - Expect(kubectl.DeleteCRDs(sailCRDs)).To(Succeed(), "CRDs failed to be deleted") + Expect(k.DeleteCRDs(sailCRDs)).To(Succeed(), "CRDs failed to be deleted") Success("CRDs deleted") }) }) diff --git a/tests/e2e/operator/operator_suite_test.go b/tests/e2e/operator/operator_suite_test.go index 32b737594..f0bd1261f 100644 --- a/tests/e2e/operator/operator_suite_test.go 
+++ b/tests/e2e/operator/operator_suite_test.go @@ -21,6 +21,7 @@ import ( k8sclient "github.com/istio-ecosystem/sail-operator/tests/e2e/util/client" env "github.com/istio-ecosystem/sail-operator/tests/e2e/util/env" + "github.com/istio-ecosystem/sail-operator/tests/e2e/util/kubectl" . "github.com/onsi/ginkgo/v2" . "github.com/onsi/gomega" "sigs.k8s.io/controller-runtime/pkg/client" @@ -34,6 +35,8 @@ var ( namespace = env.Get("NAMESPACE", "sail-operator") deploymentName = env.Get("DEPLOYMENT_NAME", "sail-operator") multicluster = env.GetBool("MULTICLUSTER", false) + + k *kubectl.KubectlBuilder ) func TestInstall(t *testing.T) { @@ -58,4 +61,6 @@ func setup() { } else { GinkgoWriter.Println("Running on Kubernetes") } + + k = kubectl.NewKubectlBuilder() } diff --git a/tests/e2e/util/certs/certs.go b/tests/e2e/util/certs/certs.go index 78aaaa004..daddf56d9 100644 --- a/tests/e2e/util/certs/certs.go +++ b/tests/e2e/util/certs/certs.go @@ -227,7 +227,9 @@ func PushIntermediateCA(ns, kubeconfig, zone, network, basePath string, cl clien _, err := common.GetObject(context.Background(), cl, kube.Key("cacerts", ns), &corev1.Secret{}) if err != nil { // Label the namespace with the network - err = kubectl.Patch("", "namespace", ns, "merge", `{"metadata":{"labels":{"topology.istio.io/network":"`+network+`"}}}`, kubeconfig) + k := kubectl.NewKubectlBuilder() + k.SetKubeconfig(kubeconfig) + err = k.Patch("namespace", ns, "merge", `{"metadata":{"labels":{"topology.istio.io/network":"`+network+`"}}}`) if err != nil { return fmt.Errorf("failed to label namespace: %w", err) } diff --git a/tests/e2e/util/common/e2e_utils.go b/tests/e2e/util/common/e2e_utils.go index e17e07686..50cbc0c7f 100644 --- a/tests/e2e/util/common/e2e_utils.go +++ b/tests/e2e/util/common/e2e_utils.go 
@@ -47,6 +47,8 @@ var (
 // - 1.23.0-rc.1
 // - 1.24-alpha
 istiodVersionRegex = regexp.MustCompile(`Version:"(\d+\.\d+(\.\d+)?(-\w+(\.\d+)?)?)`)
+
+ k = kubectl.NewKubectlBuilder()
 )
 // getObject returns the object with the given key
@@ -135,52 +137,54 @@ func LogDebugInfo() { } func logOperatorDebugInfo() { - operator, err := kubectl.GetYAML(namespace, "deployment", deploymentName) + operator, err := k.SetNamespace(namespace).GetYAML("deployment", deploymentName) logDebugElement("Operator Deployment YAML", operator, err) - logs, err := kubectl.Logs(namespace, "deploy/"+deploymentName, ptr.Of(120*time.Second)) + logs, err := k.SetNamespace(namespace).Logs("deploy/"+deploymentName, ptr.Of(120*time.Second)) + k.ResetNamespace() logDebugElement("Operator logs", logs, err) - events, err := kubectl.GetEvents(namespace) + events, err := k.SetNamespace(namespace).GetEvents() logDebugElement("Events in "+namespace, events, err) // Temporaty information to gather more details about failure - pods, err := kubectl.GetPods(namespace, "", "-o wide") + pods, err := k.SetNamespace(namespace).GetPods("", "-o wide") logDebugElement("Pods in "+namespace, pods, err) - describe, err := kubectl.Describe(namespace, "deployment", deploymentName) + describe, err := k.SetNamespace(namespace).Describe("deployment", deploymentName) logDebugElement("Operator Deployment describe", describe, err) } func logIstioDebugInfo() { - resource, err := kubectl.GetYAML("", "istio", istioName) + resource, err := k.GetYAML("istio", istioName) logDebugElement("Istio YAML", resource, err) - output, err := kubectl.GetPods(controlPlaneNamespace, "", "-o wide") + output, err := k.SetNamespace(controlPlaneNamespace).GetPods("", "-o wide") logDebugElement("Pods in "+controlPlaneNamespace, output, err) - logs, err := kubectl.Logs(controlPlaneNamespace, "deploy/istiod", ptr.Of(120*time.Second)) + logs, err := k.SetNamespace(controlPlaneNamespace).Logs("deploy/istiod", ptr.Of(120*time.Second)) + k.ResetNamespace() logDebugElement("Istiod logs", logs, err) - events, err := kubectl.GetEvents(controlPlaneNamespace) + events, err := k.SetNamespace(controlPlaneNamespace).GetEvents() logDebugElement("Events in "+controlPlaneNamespace, events, err) } 
func logCNIDebugInfo() { - resource, err := kubectl.GetYAML("", "istiocni", istioCniName) + resource, err := k.GetYAML("istiocni", istioCniName) logDebugElement("IstioCNI YAML", resource, err) - ds, err := kubectl.GetYAML(istioCniNamespace, "daemonset", "istio-cni-node") + ds, err := k.SetNamespace(istioCniNamespace).GetYAML("daemonset", "istio-cni-node") logDebugElement("Istio CNI DaemonSet YAML", ds, err) - events, err := kubectl.GetEvents(istioCniNamespace) + events, err := k.SetNamespace(istioCniNamespace).GetEvents() logDebugElement("Events in "+istioCniNamespace, events, err) // Temporaty information to gather more details about failure - pods, err := kubectl.GetPods(istioCniNamespace, "", "-o wide") + pods, err := k.SetNamespace(istioCniNamespace).GetPods("", "-o wide") logDebugElement("Pods in "+istioCniNamespace, pods, err) - describe, err := kubectl.Describe(istioCniNamespace, "daemonset", "istio-cni-node") + describe, err := k.SetNamespace(istioCniNamespace).Describe("daemonset", "istio-cni-node") logDebugElement("Istio CNI DaemonSet describe", describe, err) } @@ -195,7 +199,8 @@ func logDebugElement(caption string, info string, err error) { } func GetVersionFromIstiod() (string, error) { - output, err := kubectl.Exec(controlPlaneNamespace, "deploy/istiod", "", "pilot-discovery version") + k := kubectl.NewKubectlBuilder() + output, err := k.SetNamespace(controlPlaneNamespace).Exec("deploy/istiod", "", "pilot-discovery version") if err != nil { return "", fmt.Errorf("error getting version from istiod: %w", err) } diff --git a/tests/e2e/util/kubectl/kubectl.go b/tests/e2e/util/kubectl/kubectl.go index 931470851..f07035513 100644 --- a/tests/e2e/util/kubectl/kubectl.go +++ b/tests/e2e/util/kubectl/kubectl.go 
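Review bot: k.ResetNamespace() is called only after the Logs calls in logOperatorDebugInfo and logIstioDebugInfo, while the surrounding GetYAML/GetEvents/GetPods/Describe calls leave their namespace set on the package-level builder k; since that k is shared by all three debug functions, `k.GetYAML("istio", istioName)` and `k.GetYAML("istiocni", istioCniName)` now run with whatever `-n` the previous function left behind instead of unscoped as the old `kubectl.GetYAML("", ...)` did. Whether kubectl tolerates a namespace flag on those cluster-scoped gets is not visible here, and the asymmetry makes the intent unclear. A `defer k.ResetNamespace()` at the top of each of the three functions, or a fresh `kubectl.NewKubectlBuilder()` per function as GetVersionFromIstiod does, would make the state explicit.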
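Review bot: The local `k := kubectl.NewKubectlBuilder()` in GetVersionFromIstiod shadows the package-level k introduced in the @@ -47 hunk of this file; shadow-checking linters flag this, and with the two a few lines apart it is easy to misread which builder a call mutates. Renaming the local, e.g. `kb := kubectl.NewKubectlBuilder()` and `output, err := kb.SetNamespace(controlPlaneNamespace).Exec("deploy/istiod", "", "pilot-discovery version")`, keeps the per-call builder, which is the safer choice here, without the ambiguity.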
@@ -23,181 +23,208 @@ import ( "github.com/istio-ecosystem/sail-operator/tests/e2e/util/shell" ) +type KubectlBuilder struct { + binary string + namespace string + kubeconfig string +} + const DefaultBinary = "kubectl" -// optionalKubeconfig add the flag --kubeconfig if the kubeconfig is set -func optionalKubeconfig(kubeconfig []string) string { - if len(kubeconfig) > 0 && kubeconfig[0] != "" { - return fmt.Sprintf("--kubeconfig %s", kubeconfig[0]) - } - return "" +func newKubectlBuilder() *KubectlBuilder { + return &KubectlBuilder{} } -// kubectl return the kubectl command -// If the environment variable COMMAND is set, it will return the value of COMMAND -// Otherwise, it will return the default value "kubectl" as default -// Arguments: -// - format: format of the command without kubeclt or oc -// - args: arguments of the command -func kubectl(format string, args ...interface{}) string { +func (k *KubectlBuilder) setBinary() { binary := DefaultBinary if cmd := os.Getenv("COMMAND"); cmd != "" { binary = cmd } - return binary + " " + fmt.Sprintf(format, args...) 
+ k.binary = binary } -// CreateFromString creates a resource from the given yaml string -func CreateFromString(yamlString string, kubeconfig ...string) error { - cmd := kubectl("create %s -f -", optionalKubeconfig(kubeconfig)) - _, err := shell.ExecuteCommandWithInput(cmd, yamlString) - if err != nil { - return fmt.Errorf("error creating resource from yaml: %w", err) +func (k *KubectlBuilder) build(cmd string) string { + args := []string{k.binary} + + // Only append namespace if it's set + if k.namespace != "" { + args = append(args, k.namespace) } - return nil + + // Only append kubeconfig if it's set + if k.kubeconfig != "" { + args = append(args, k.kubeconfig) + } + + args = append(args, cmd) + + // Join all the arguments with a space + return strings.Join(args, " ") } -// ApplyString applies the given yaml string to the cluster -func ApplyString(ns, yamlString string, kubeconfig ...string) error { - nsflag := nsflag(ns) - // If the namespace is empty, we need to remove the flag because it will fail - // TODO: improve the nsflag function to handle this case +// NewKubectlBuilder creates a new KubectlBuilder +func NewKubectlBuilder() *KubectlBuilder { + k := newKubectlBuilder() + k.setBinary() + return k +} + +// SetNamespace sets the namespace +func (k *KubectlBuilder) SetNamespace(ns string) *KubectlBuilder { if ns == "" { - nsflag = "" + k.namespace = "--all-namespaces" + } else { + k.namespace = fmt.Sprintf("-n %s", ns) } + return k +} - cmd := kubectl("apply %s %s --server-side -f -", nsflag, optionalKubeconfig(kubeconfig)) - _, err := shell.ExecuteCommandWithInput(cmd, yamlString) +// SetKubeconfig sets the kubeconfig +func (k *KubectlBuilder) SetKubeconfig(kubeconfig string) *KubectlBuilder { + if kubeconfig != "" { + k.kubeconfig = fmt.Sprintf("--kubeconfig %s", kubeconfig) + } + return k +} + +// CreateNamespace creates a namespace +// If the namespace already exists, it will return nil +func (k *KubectlBuilder) CreateNamespace(ns string) error { + cmd 
:= k.build(" create namespace " + ns) + output, err := k.executeCommand(cmd) if err != nil { - return fmt.Errorf("error applying yaml: %w", err) + if strings.Contains(output, "AlreadyExists") { + return nil + } + + return fmt.Errorf("error creating namespace: %w, output: %s", err, output) } return nil } -// Apply applies the given yaml file to the cluster -func Apply(ns, yamlFile string, kubeconfig ...string) error { - err := ApplyWithLabels(ns, yamlFile, "", kubeconfig...) - return err +// CreateFromString creates a resource from the given yaml string +func (k *KubectlBuilder) CreateFromString(yamlString string) error { + cmd := k.build(" create -f -") + _, err := shell.ExecuteCommandWithInput(cmd, yamlString) + k.ResetNamespace() + if err != nil { + return fmt.Errorf("error creating resource from yaml: %w", err) + } + return nil } -// ApplyWithLabels applies the given yaml file to the cluster with the given labels -func ApplyWithLabels(ns, yamlFile string, label string, kubeconfig ...string) error { - cmd := kubectl("apply -n %s %s -f %s %s", ns, labelFlag(label), yamlFile, optionalKubeconfig(kubeconfig)) - _, err := shell.ExecuteCommand(cmd) - if err != nil { - return fmt.Errorf("error applying yaml: %w", err) +// DeleteCRDs deletes the CRDs by given list of crds names +func (k *KubectlBuilder) DeleteCRDs(crds []string) error { + for _, crd := range crds { + cmd := k.build(" delete crd " + crd) + _, err := shell.ExecuteCommand(cmd) + if err != nil { + k.ResetNamespace() + return fmt.Errorf("error deleting crd %s: %w", crd, err) + } } + k.ResetNamespace() return nil } -// DeleteFromFile deletes a resource from the given yaml file -func DeleteFromFile(yamlFile string, kubeconfig ...string) error { - cmd := kubectl("delete -f %s %s", yamlFile, optionalKubeconfig(kubeconfig)) - _, err := shell.ExecuteCommand(cmd) +// DeleteNamespace deletes a namespace +func (k *KubectlBuilder) DeleteNamespace(ns string) error { + cmd := k.build(" delete namespace " + ns) + _, err 
:= k.executeCommand(cmd) if err != nil { - return fmt.Errorf("error deleting resource from yaml: %w", err) + return fmt.Errorf("error deleting namespace: %w", err) } return nil } -// CreateNamespace creates a namespace -// If the namespace already exists, it will return nil -// Arguments: -// - ns: namespace -// - kubeconfig: optional kubeconfig to set the target file -func CreateNamespace(ns string, kubeconfig ...string) error { - cmd := kubectl("create namespace %s %s", ns, optionalKubeconfig(kubeconfig)) - output, err := shell.ExecuteCommand(cmd) +// ApplyString applies the given yaml string to the cluster +func (k *KubectlBuilder) ApplyString(yamlString string) error { + cmd := k.build(" apply --server-side -f -") + _, err := shell.ExecuteCommandWithInput(cmd, yamlString) + k.ResetNamespace() if err != nil { - if strings.Contains(output, "AlreadyExists") { - return nil - } - - return fmt.Errorf("error creating namespace: %w, output: %s", err, output) + return fmt.Errorf("error applying yaml: %w", err) } return nil } -// DeleteNamespace deletes a namespace -// Arguments: -// - ns: namespace -// - kubeconfig: optional kubeconfig to set the target file -func DeleteNamespace(ns string, kubeconfig ...string) error { - cmd := kubectl("delete namespace %s %s", ns, optionalKubeconfig(kubeconfig)) - _, err := shell.ExecuteCommand(cmd) +// Apply applies the given yaml file to the cluster +func (k *KubectlBuilder) Apply(yamlFile string) error { + err := k.ApplyWithLabels(yamlFile, "") + return err +} + +// ApplyWithLabels applies the given yaml file to the cluster with the given labels +func (k *KubectlBuilder) ApplyWithLabels(yamlFile, label string) error { + cmd := k.build(" apply " + labelFlag(label) + " -f " + yamlFile) + _, err := k.executeCommand(cmd) if err != nil { - return fmt.Errorf("error deleting namespace: %w", err) + return fmt.Errorf("error applying yaml: %w", err) } return nil } -// Delete deletes a resource based on the namespace, kind and the name. 
Optionally, you can provide a kubeconfig -func Delete(ns, kind, name string, kubeconfig ...string) error { - cmd := kubectl("delete %s %s %s %s", kind, name, nsflag(ns), optionalKubeconfig(kubeconfig)) - _, err := shell.ExecuteCommand(cmd) +// DeleteFromFile deletes a resource from the given yaml file +func (k *KubectlBuilder) DeleteFromFile(yamlFile string) error { + cmd := k.build(" delete -f " + yamlFile) + _, err := k.executeCommand(cmd) if err != nil { - return fmt.Errorf("error deleting deployment: %w", err) + return fmt.Errorf("error deleting resource from yaml: %w", err) } return nil } -// DeleteCRDs deletes the CRDs by given list of crds names -func DeleteCRDs(crds []string) error { - for _, crd := range crds { - cmd := kubectl("delete crd %s", crd) - _, err := shell.ExecuteCommand(cmd) - if err != nil { - return fmt.Errorf("error deleting crd %s: %w", crd, err) - } +// Delete deletes a resource based on the namespace, kind and the name +func (k *KubectlBuilder) Delete(kind, name string) error { + cmd := k.build(" delete " + kind + " " + name) + _, err := k.executeCommand(cmd) + if err != nil { + return fmt.Errorf("error deleting deployment: %w", err) } return nil } -// Patch patches a resource. -func Patch(ns, kind, name, patchType, patch string, kubeconfig ...string) error { - cmd := kubectl(`patch %s %s %s %s --type=%s -p=%q`, kind, name, prepend("-n", ns), optionalKubeconfig(kubeconfig), patchType, patch) - _, err := shell.ExecuteCommand(cmd) +// Patch patches a resource +func (k *KubectlBuilder) Patch(kind, name, patchType, patch string) error { + cmd := k.build(fmt.Sprintf(" patch %s %s --type=%s -p=%q", kind, name, patchType, patch)) + _, err := k.executeCommand(cmd) if err != nil { return fmt.Errorf("error patching resource: %w", err) } return nil } -// ForceDelete deletes a resource by removing its finalizers. 
-func ForceDelete(ns, kind, name string) error { +// ForceDelete deletes a resource by removing its finalizers +func (k *KubectlBuilder) ForceDelete(kind, name string) error { // Not all resources have finalizers, trying to remove them returns an error here. // We explicitly ignore the error and attempt to delete the resource anyway. - _ = Patch(ns, kind, name, "json", `[{"op": "remove", "path": "/metadata/finalizers"}]`) - return Delete(ns, kind, name) + _ = k.Patch(kind, name, "json", `[{"op": "remove", "path": "/metadata/finalizers"}]`) + return k.Delete(kind, name) } // GetYAML returns the yaml of a resource -// Arguments: -// - ns: namespace -// - kind: type of the resource -// - name: name of the resource -func GetYAML(ns, kind, name string) (string, error) { - cmd := kubectl("get %s %s %s -o yaml", kind, name, nsflag(ns)) - return shell.ExecuteCommand(cmd) +func (k *KubectlBuilder) GetYAML(kind, name string) (string, error) { + cmd := k.build(fmt.Sprintf(" get %s %s -o yaml", kind, name)) + output, err := k.executeCommand(cmd) + if err != nil { + return "", fmt.Errorf("error getting yaml: %w, output: %s", err, output) + } + + return output, nil } // GetPods returns the pods of a namespace -func GetPods(ns string, kubeconfig string, args ...string) (string, error) { - kubeconfigFlag := "" - if kubeconfig != "" { - kubeconfigFlag = fmt.Sprintf("--kubeconfig %s", kubeconfig) - } - - cmd := kubectl("get pods %s %s %s", nsflag(ns), strings.Join(args, " "), kubeconfigFlag) - output, err := shell.ExecuteCommand(cmd) +func (k *KubectlBuilder) GetPods(args ...string) (string, error) { + cmd := k.build(fmt.Sprintf(" get pods %s", strings.Join(args, " "))) + output, err := k.executeCommand(cmd) if err != nil { return "", fmt.Errorf("error getting pods: %w, output: %s", err, output) } 
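Review bot: `build` and the methods calling it splice unquoted values into one command string (`fmt.Sprintf("-n %s", ns)`, `" delete namespace " + ns`, `" -f " + yamlFile`, the `-p=%q` patch body in `Patch`) and hand it to `shell.ExecuteCommand`; if that helper runs the string through a shell, a value containing spaces or shell metacharacters changes the command, and even a plain whitespace split breaks on a path with a space, so keeping an argv slice (`[]string{k.binary, "-n", ns, ...}`) instead of joining strings would remove the issue at the source (the helper is outside this hunk, so I cannot tell which it does). Second, `SetNamespace("")` now produces `--all-namespaces`, which `create`, `apply` and `delete -f` reject; the removed `ApplyString` had an explicit empty-namespace workaround (`nsflag = ""`) that the new version drops, so a caller that passed an empty ns to `ApplyString` or `CreateFromString` will now fail, and an explicit `AllNamespaces()` setter with `SetNamespace("")` leaving the flag empty would be clearer. Third, `SetKubeconfig("")` is a no-op and `executeCommand` (next hunk) resets only the namespace, so a kubeconfig set once sticks to the builder for every later command; assigning `k.kubeconfig = ""` when the argument is empty makes the builder symmetric. `DeleteCRDs` also calls `k.ResetNamespace()` on both paths by hand rather than going through `k.executeCommand` like its siblings.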
@@ -205,70 +232,52 @@ func GetPods(ns string, kubeconfig string, args ...string) (string, error) { return output, nil } -// GetEvents returns the events of a namespace -func GetEvents(ns string) (string, error) { - cmd := kubectl("get events %s", nsflag(ns)) - output, err := shell.ExecuteCommand(cmd) +// GetInternalIP returns the internal IP of a node +func (k *KubectlBuilder) GetInternalIP(label string) (string, error) { + cmd := k.build(fmt.Sprintf(" get nodes -l %s -o jsonpath='{.items[0].status.addresses[?(@.type==\"InternalIP\")].address}'", label)) + output, err := k.executeCommand(cmd) if err != nil { - return "", fmt.Errorf("error getting events: %w, output: %s", err, output) + return "", fmt.Errorf("error getting internal IP: %w, output: %s", err, output) } return output, nil } -// Describe returns the description of a resource -// Arguments: -// - ns: namespace -// - kind: type of the resource -// - name: name of the resource -func Describe(ns, kind, name string) (string, error) { - cmd := kubectl("describe %s %s %s", kind, name, nsflag(ns)) - output, err := shell.ExecuteCommand(cmd) +// Exec executes a command in the pod or specific container +func (k *KubectlBuilder) Exec(pod, container, command string) (string, error) { + cmd := k.build(fmt.Sprintf(" exec %s %s -- %s", pod, containerflag(container), command)) + output, err := k.executeCommand(cmd) if err != nil { - return "", fmt.Errorf("error describing resource: %w, output: %s", err, output) + return "", err } - return output, nil } -// GetInternalIP returns the internal IP of a node -// Arguments: -// - label: label of the node -// - kubeconfig: optional kubeconfig to set the target file -func GetInternalIP(label string, kubeconfig ...string) (string, error) { - cmd := kubectl("get nodes -l %s -o jsonpath='{.items[0].status.addresses[?(@.type==\"InternalIP\")].address}' %s", label, optionalKubeconfig(kubeconfig)) - output, err := shell.ExecuteCommand(cmd) +// GetEvents returns the events of a 
namespace +func (k *KubectlBuilder) GetEvents() (string, error) { + cmd := k.build(" get events") + output, err := k.executeCommand(cmd) if err != nil { - return "", fmt.Errorf("error getting internal IP: %w, output: %s", err, output) + return "", fmt.Errorf("error getting events: %w, output: %s", err, output) } return output, nil } -// Logs returns the logs of a deployment -// Arguments: -// - ns: namespace -// - pod: the pod name, "kind/name", or "-l labelselector" -// - Since: time range -func Logs(ns, pod string, since *time.Duration) (string, error) { - cmd := kubectl("logs %s %s %s", pod, nsflag(ns), sinceFlag(since)) - output, err := shell.ExecuteCommand(cmd) +// Describe returns the description of a resource +func (k *KubectlBuilder) Describe(kind, name string) (string, error) { + cmd := k.build(fmt.Sprintf(" describe %s %s", kind, name)) + output, err := k.executeCommand(cmd) if err != nil { - return "", err + return "", fmt.Errorf("error describing resource: %w, output: %s", err, output) } - return output, nil -} -func sinceFlag(since *time.Duration) string { - if since == nil { - return "" - } - return "--since=" + since.String() + return output, nil } -// Exec executes a command in the pod or specific container -func Exec(ns, pod, container, command string, kubeconfig ...string) (string, error) { - cmd := kubectl("exec %s %s %s %s -- %s", pod, containerflag(container), nsflag(ns), optionalKubeconfig(kubeconfig), command) +// Logs returns the logs of a deployment +func (k *KubectlBuilder) Logs(pod string, since *time.Duration) (string, error) { + cmd := k.build(fmt.Sprintf(" logs %s %s", pod, sinceFlag(since))) output, err := shell.ExecuteCommand(cmd) if err != nil { return "", err 
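Review bot: `Logs` is the only method in this hunk that still calls `shell.ExecuteCommand` directly instead of `k.executeCommand`, so the namespace set via `SetNamespace` is not cleared after the call and leaks into whatever command the builder runs next; the e2e debug helpers in this commit had to add a manual `k.ResetNamespace()` after every `Logs` call to compensate. Changing the line to `output, err := k.executeCommand(cmd)` makes it consistent with `Exec`, `GetEvents` and `Describe` above. `Exec` also returns the raw error where every sibling wraps it with context and the captured output; `return "", fmt.Errorf("error executing command in %s: %w, output: %s", pod, err, output)` keeps callers' `%w` chains intact and names the failing pod. The body of `Logs` continues into the next hunk.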
@@ -276,19 +285,23 @@ func Exec(ns, pod, container, command string, kubeconfig ...string) (string, err
 return output, nil
 }

-// prepend prepends the prefix, but only if str is not empty
-func prepend(prefix, str string) string {
- if str == "" {
- return str
- }
- return prefix + str
+// executeCommand handles running the command and then resets the namespace automatically
+func (k *KubectlBuilder) executeCommand(cmd string) (string, error) {
+ result, err := shell.ExecuteCommand(cmd)
+ k.ResetNamespace()
+ return result, err
 }

-func nsflag(ns string) string {
- if ns == "" {
- return "--all-namespaces"
+// ResetNamespace resets the namespace
+func (k *KubectlBuilder) ResetNamespace() {
+ k.namespace = ""
+}
+
+func sinceFlag(since *time.Duration) string {
+ if since == nil {
+ return ""
 }
- return "-n " + ns
+ return "--since=" + since.String()
 }

 func labelFlag(label string) string {
From 4da701e28a038505937c5ecfc71ccfa5df672cf8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marko=20Luk=C5=A1a?=
Date: Mon, 30 Sep 2024 12:10:27 +0200
Subject: [PATCH 19/68] Update dependencies and fix transform (#374)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Marko Lukša
---
 api/v1alpha1/values_types.gen.go | 48 +++++++++----------
 .../manifests/sailoperator.io_istiocnis.yaml | 8 ++--
 .../sailoperator.io_istiorevisions.yaml | 40 ++++++++--------
 bundle/manifests/sailoperator.io_istios.yaml | 40 ++++++++--------
 .../sailoperator.io_remoteistios.yaml | 40 ++++++++--------
 chart/crds/sailoperator.io_istiocnis.yaml | 8 ++--
 .../crds/sailoperator.io_istiorevisions.yaml | 40 ++++++++--------
 chart/crds/sailoperator.io_istios.yaml | 40 ++++++++--------
 chart/crds/sailoperator.io_remoteistios.yaml | 40 ++++++++--------
 docs/api-reference/sailoperator.io.md | 48 +++++++++----------
 go.mod | 6 +--
 go.sum | 12 ++---
 hack/api_transformer/transform.yaml | 4 +-
 13 files changed, 188 insertions(+), 186 deletions(-)
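Review bot: `executeCommand` is documented as the single place where the namespace is reset, yet `CreateFromString`, `ApplyString` and `DeleteCRDs` in the earlier hunk bypass it (calling `shell.ExecuteCommandWithInput` / `shell.ExecuteCommand` and resetting by hand) and `Logs` bypasses it without resetting at all, so the invariant the comment promises does not hold across the type. A stdin-taking counterpart beside it would let every method share one reset path. `ResetNamespace` would also benefit from a sentence on why it exists, e.g. `// ResetNamespace clears the namespace flag; executeCommand calls it after every command so a SetNamespace override applies to exactly one call.`
```go
func (k *KubectlBuilder) executeCommand(cmd string) (string, error) {
	// … unchanged: run the command, reset the namespace, return …
}

// executeCommandWithInput mirrors executeCommand for commands that read from stdin,
// so CreateFromString and ApplyString get the same automatic namespace reset.
func (k *KubectlBuilder) executeCommandWithInput(cmd, input string) (string, error) {
	result, err := shell.ExecuteCommandWithInput(cmd, input)
	k.ResetNamespace()
	return result, err
}
```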
diff --git a/api/v1alpha1/values_types.gen.go b/api/v1alpha1/values_types.gen.go index 76ded79ff..276fc28b4 100644 --- a/api/v1alpha1/values_types.gen.go +++ b/api/v1alpha1/values_types.gen.go @@ -108,7 +108,7 @@ type CNIConfig struct { Affinity *k8sv1.Affinity `json:"affinity,omitempty"` // Additional annotations to apply to the istio-cni Pods. // - // Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + // Deprecated: Marked as deprecated in pkg/apis/values_types.proto. PodAnnotations map[string]string `json:"podAnnotations,omitempty"` // PodSecurityPolicy cluster role. No longer used anywhere. PspClusterRole string `json:"psp_cluster_role,omitempty"` @@ -126,7 +126,7 @@ type CNIConfig struct { Resources *k8sv1.ResourceRequirements `json:"resources,omitempty"` // No longer used for CNI. See: https://github.com/istio/istio/issues/49004 // - // Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + // Deprecated: Marked as deprecated in pkg/apis/values_types.proto. Privileged *bool `json:"privileged,omitempty"` // The Container seccompProfile // @@ -190,7 +190,7 @@ type CNIRepairConfig struct { RepairPods bool `json:"repairPods,omitempty"` // No longer used. // - // Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + // Deprecated: Marked as deprecated in pkg/apis/values_types.proto. CreateEvents string `json:"createEvents,omitempty"` // The Repair controller has 3 modes (labelPods, deletePods, and repairPods). Pick which one meets your use cases. Note only one may be used. // The mode defines the action the controller will take when a pod is detected as broken. 
@@ -240,7 +240,7 @@ type GlobalConfig struct { // // Deprecated: replaced by the affinity k8s settings which allows architecture nodeAffinity configuration of this behavior. // - // Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + // Deprecated: Marked as deprecated in pkg/apis/values_types.proto. Arch *ArchConfig `json:"arch,omitempty"` // List of certSigners to allow "approve" action in the ClusterRole CertSigners []string `json:"certSigners,omitempty"` @@ -250,17 +250,17 @@ type GlobalConfig struct { // // See https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector // - // Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + // Deprecated: Marked as deprecated in pkg/apis/values_types.proto. DefaultNodeSelector map[string]string `json:"defaultNodeSelector,omitempty"` // Specifies the default pod disruption budget configuration. // - // Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + // Deprecated: Marked as deprecated in pkg/apis/values_types.proto. DefaultPodDisruptionBudget *DefaultPodDisruptionBudgetConfig `json:"defaultPodDisruptionBudget,omitempty"` // Default k8s resources settings for all Istio control plane components. // // See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container // - // Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + // Deprecated: Marked as deprecated in pkg/apis/values_types.proto. DefaultResources *k8sv1.ResourceRequirements `json:"defaultResources,omitempty"` // Default node tolerations to be applied to all deployments so that all pods can be // scheduled to nodes with matching taints. Each component can overwrite 
@@ -269,7 +269,7 @@ type GlobalConfig struct { // Configure this field in case that all pods of Istio control plane are expected to // be scheduled to particular nodes with specified taints. // - // Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + // Deprecated: Marked as deprecated in pkg/apis/values_types.proto. DefaultTolerations []k8sv1.Toleration `json:"defaultTolerations,omitempty"` // Specifies the docker hub for Istio images. Hub string `json:"hub,omitempty"` @@ -363,7 +363,7 @@ type GlobalConfig struct { // // See https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass // - // Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + // Deprecated: Marked as deprecated in pkg/apis/values_types.proto. PriorityClassName string `json:"priorityClassName,omitempty"` // Specifies how proxies are configured within Istio. Proxy *ProxyConfig `json:"proxy,omitempty"` @@ -387,7 +387,7 @@ type GlobalConfig struct { // Configure the policy for validating JWT. // This is deprecated and has no effect. // - // Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + // Deprecated: Marked as deprecated in pkg/apis/values_types.proto. JwtPolicy string `json:"jwtPolicy,omitempty"` // Specifies the configuration for Security Token Service. Sts *STSConfig `json:"sts,omitempty"` @@ -476,7 +476,7 @@ type PilotConfig struct { AutoscaleBehavior *autoscalingv2.HorizontalPodAutoscalerBehavior `json:"autoscaleBehavior,omitempty"` // Number of replicas in the Pilot Deployment. // - // Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + // Deprecated: Marked as deprecated in pkg/apis/values_types.proto. ReplicaCount uint32 `json:"replicaCount,omitempty"` // Image name used for Pilot. // 
@@ -494,19 +494,19 @@ type PilotConfig struct { // // See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container // - // Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + // Deprecated: Marked as deprecated in pkg/apis/values_types.proto. Resources *k8sv1.ResourceRequirements `json:"resources,omitempty"` // Target CPU utilization used in HorizontalPodAutoscaler. // // See https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ // - // Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + // Deprecated: Marked as deprecated in pkg/apis/values_types.proto. Cpu *TargetUtilizationConfig `json:"cpu,omitempty"` // K8s node selector. // // See https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector // - // Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + // Deprecated: Marked as deprecated in pkg/apis/values_types.proto. NodeSelector map[string]string `json:"nodeSelector,omitempty"` // Maximum duration that a sidecar can be connected to a pilot. // @@ -539,7 +539,7 @@ type PilotConfig struct { Affinity *k8sv1.Affinity `json:"affinity,omitempty"` // K8s rolling update strategy // - // Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + // Deprecated: Marked as deprecated in pkg/apis/values_types.proto. // +kubebuilder:validation:XIntOrString RollingMaxSurge *intstr.IntOrString `json:"rollingMaxSurge,omitempty"` // The number of pods that can be unavailable during a rolling update (see 
@@ -548,20 +548,20 @@ type PilotConfig struct { // May be specified as a number of pods or as a percent of the total number // of pods at the start of the update. // - // Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + // Deprecated: Marked as deprecated in pkg/apis/values_types.proto. // +kubebuilder:validation:XIntOrString RollingMaxUnavailable *intstr.IntOrString `json:"rollingMaxUnavailable,omitempty"` // The node tolerations to be applied to the Pilot deployment so that it can be // scheduled to particular nodes with matching taints. // More info: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling // - // Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + // Deprecated: Marked as deprecated in pkg/apis/values_types.proto. Tolerations []k8sv1.Toleration `json:"tolerations,omitempty"` // K8s annotations for pods. // // See: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ // - // Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + // Deprecated: Marked as deprecated in pkg/apis/values_types.proto. PodAnnotations map[string]string `json:"podAnnotations,omitempty"` // K8s annotations for the Service. // @@ -602,7 +602,7 @@ type PilotConfig struct { // // See https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ // - // Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + // Deprecated: Marked as deprecated in pkg/apis/values_types.proto. Memory *TargetUtilizationConfig `json:"memory,omitempty"` // Configures whether to use an existing CNI installation for workloads Cni *CNIUsageConfig `json:"cni,omitempty"` 
@@ -726,7 +726,7 @@ type ProxyConfig struct { // // See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container // - // Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + // Deprecated: Marked as deprecated in pkg/apis/values_types.proto. Resources *k8sv1.ResourceRequirements `json:"resources,omitempty"` // Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver. // If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file. @@ -740,7 +740,7 @@ type ProxyConfig struct { // // Deprecated: replaced by ProxyConfig setting which allows per-pod configuration of this behavior. // - // Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + // Deprecated: Marked as deprecated in pkg/apis/values_types.proto. HoldApplicationUntilProxyStarts *bool `json:"holdApplicationUntilProxyStarts,omitempty"` // A comma separated list of inbound ports for which traffic is to be redirected to Envoy. // The wildcard character '*' can be used to configure redirection for all ports. @@ -772,7 +772,7 @@ type ProxyInitConfig struct { // // See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container // - // Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + // Deprecated: Marked as deprecated in pkg/apis/values_types.proto. Resources *k8sv1.ResourceRequirements `json:"resources,omitempty"` } @@ -786,7 +786,7 @@ type ResourcesRequestsConfig struct { // Configuration for the SecretDiscoveryService instead of using K8S secrets to mount the certificates. type SDSConfig struct { - // Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + // Deprecated: Marked as deprecated in pkg/apis/values_types.proto. Token *SDSConfigToken `json:"token,omitempty"` } 
@@ -964,7 +964,7 @@ type CNIGlobalConfig struct { // Default k8s resources settings for all Istio co // // See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container // - // Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + // Deprecated: Marked as deprecated in pkg/apis/values_types.proto. DefaultResources *k8sv1.ResourceRequirements `json:"defaultResources,omitempty"` // Specifies the docker hub for Istio images. diff --git a/bundle/manifests/sailoperator.io_istiocnis.yaml b/bundle/manifests/sailoperator.io_istiocnis.yaml index 6b37a1d81..b5d619dee 100644 --- a/bundle/manifests/sailoperator.io_istiocnis.yaml +++ b/bundle/manifests/sailoperator.io_istiocnis.yaml @@ -1079,13 +1079,13 @@ spec: description: |- Additional annotations to apply to the istio-cni Pods. - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. type: object privileged: description: |- No longer used for CNI. See: https://github.com/istio/istio/issues/49004 - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. type: boolean provider: description: |- @@ -1123,7 +1123,7 @@ spec: description: |- No longer used. - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. type: string deletePods: description: |- @@ -1291,7 +1291,7 @@ spec: description: |- See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. properties: claims: description: |- 
diff --git a/bundle/manifests/sailoperator.io_istiorevisions.yaml b/bundle/manifests/sailoperator.io_istiorevisions.yaml index 091ee88d7..0db2183a7 100644 --- a/bundle/manifests/sailoperator.io_istiorevisions.yaml +++ b/bundle/manifests/sailoperator.io_istiorevisions.yaml @@ -118,7 +118,7 @@ spec: - Least preferred\n\t2 - No preference\n\t3 - Most preferred\n\nDeprecated: replaced by the affinity k8s settings which allows architecture nodeAffinity configuration of this behavior.\n\nDeprecated: - Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto." + Marked as deprecated in pkg/apis/values_types.proto." properties: amd64: description: Sets pod scheduling weight for amd64 arch @@ -170,13 +170,13 @@ spec: See https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. type: object defaultPodDisruptionBudget: description: |- Specifies the default pod disruption budget configuration. - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. properties: enabled: description: Controls whether a PodDisruptionBudget with @@ -190,7 +190,7 @@ spec: See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. properties: claims: description: |- 
@@ -251,7 +251,7 @@ spec: Configure this field in case that all pods of Istio control plane are expected to be scheduled to particular nodes with specified taints. - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. items: description: |- The pod this Toleration is attached to tolerates any taint that matches @@ -344,7 +344,7 @@ spec: Configure the policy for validating JWT. This is deprecated and has no effect. - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. type: string logAsJson: description: Specifies whether istio components should output @@ -566,7 +566,7 @@ spec: See https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. type: string proxy: description: Specifies how proxies are configured within Istio. @@ -610,7 +610,7 @@ spec: Deprecated: replaced by ProxyConfig setting which allows per-pod configuration of this behavior. - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. type: boolean image: description: |- @@ -901,7 +901,7 @@ spec: See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. properties: claims: description: |- 
@@ -1008,7 +1008,7 @@ spec: See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. properties: claims: description: |- @@ -1075,7 +1075,7 @@ spec: instead of using K8S secrets to mount the certificates. properties: token: - description: 'Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto.' + description: 'Deprecated: Marked as deprecated in pkg/apis/values_types.proto.' properties: aud: type: string @@ -5429,7 +5429,7 @@ spec: See https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. properties: targetAverageUtilization: description: |- @@ -5507,7 +5507,7 @@ spec: See https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. properties: targetAverageUtilization: description: |- @@ -5525,7 +5525,7 @@ spec: See https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. type: object podAnnotations: additionalProperties: @@ -5535,7 +5535,7 @@ spec: See: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. type: object podLabels: additionalProperties: 
@@ -5549,7 +5549,7 @@ spec: description: |- Number of replicas in the Pilot Deployment. - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. format: int32 type: integer resources: @@ -5558,7 +5558,7 @@ spec: See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. properties: claims: description: |- @@ -5617,7 +5617,7 @@ spec: description: |- K8s rolling update strategy - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. x-kubernetes-int-or-string: true rollingMaxUnavailable: anyOf: @@ -5630,7 +5630,7 @@ spec: May be specified as a number of pods or as a percent of the total number of pods at the start of the update. - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. x-kubernetes-int-or-string: true seccompProfile: description: |- @@ -5693,7 +5693,7 @@ spec: scheduled to particular nodes with matching taints. More info: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. items: description: |- The pod this Toleration is attached to tolerates any taint that matches diff --git a/bundle/manifests/sailoperator.io_istios.yaml b/bundle/manifests/sailoperator.io_istios.yaml index 4057df688..16fcbaf81 100644 --- a/bundle/manifests/sailoperator.io_istios.yaml +++ b/bundle/manifests/sailoperator.io_istios.yaml 
@@ -177,7 +177,7 @@ spec: - Least preferred\n\t2 - No preference\n\t3 - Most preferred\n\nDeprecated: replaced by the affinity k8s settings which allows architecture nodeAffinity configuration of this behavior.\n\nDeprecated: - Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto." + Marked as deprecated in pkg/apis/values_types.proto." properties: amd64: description: Sets pod scheduling weight for amd64 arch @@ -229,13 +229,13 @@ spec: See https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. type: object defaultPodDisruptionBudget: description: |- Specifies the default pod disruption budget configuration. - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. properties: enabled: description: Controls whether a PodDisruptionBudget with @@ -249,7 +249,7 @@ spec: See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. properties: claims: description: |- @@ -310,7 +310,7 @@ spec: Configure this field in case that all pods of Istio control plane are expected to be scheduled to particular nodes with specified taints. - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. items: description: |- The pod this Toleration is attached to tolerates any taint that matches 
@@ -403,7 +403,7 @@ spec: Configure the policy for validating JWT. This is deprecated and has no effect. - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. type: string logAsJson: description: Specifies whether istio components should output @@ -625,7 +625,7 @@ spec: See https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. type: string proxy: description: Specifies how proxies are configured within Istio. @@ -669,7 +669,7 @@ spec: Deprecated: replaced by ProxyConfig setting which allows per-pod configuration of this behavior. - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. type: boolean image: description: |- @@ -960,7 +960,7 @@ spec: See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. properties: claims: description: |- @@ -1067,7 +1067,7 @@ spec: See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. properties: claims: description: |- 
@@ -1134,7 +1134,7 @@ spec: instead of using K8S secrets to mount the certificates. properties: token: - description: 'Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto.' + description: 'Deprecated: Marked as deprecated in pkg/apis/values_types.proto.' properties: aud: type: string @@ -5488,7 +5488,7 @@ spec: See https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. properties: targetAverageUtilization: description: |- @@ -5566,7 +5566,7 @@ spec: See https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. properties: targetAverageUtilization: description: |- @@ -5584,7 +5584,7 @@ spec: See https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. type: object podAnnotations: additionalProperties: @@ -5594,7 +5594,7 @@ spec: See: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. type: object podLabels: additionalProperties: @@ -5608,7 +5608,7 @@ spec: description: |- Number of replicas in the Pilot Deployment. - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. format: int32 type: integer resources: 
@@ -5617,7 +5617,7 @@ spec: See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. properties: claims: description: |- @@ -5676,7 +5676,7 @@ spec: description: |- K8s rolling update strategy - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. x-kubernetes-int-or-string: true rollingMaxUnavailable: anyOf: @@ -5689,7 +5689,7 @@ spec: May be specified as a number of pods or as a percent of the total number of pods at the start of the update. - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. x-kubernetes-int-or-string: true seccompProfile: description: |- @@ -5752,7 +5752,7 @@ spec: scheduled to particular nodes with matching taints. More info: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. items: description: |- The pod this Toleration is attached to tolerates any taint that matches diff --git a/bundle/manifests/sailoperator.io_remoteistios.yaml b/bundle/manifests/sailoperator.io_remoteistios.yaml index 19c17f37d..a094c3731 100644 --- a/bundle/manifests/sailoperator.io_remoteistios.yaml +++ b/bundle/manifests/sailoperator.io_remoteistios.yaml 
@@ -172,7 +172,7 @@ spec: - Least preferred\n\t2 - No preference\n\t3 - Most preferred\n\nDeprecated: replaced by the affinity k8s settings which allows architecture nodeAffinity configuration of this behavior.\n\nDeprecated: - Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto." + Marked as deprecated in pkg/apis/values_types.proto." properties: amd64: description: Sets pod scheduling weight for amd64 arch @@ -224,13 +224,13 @@ spec: See https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. type: object defaultPodDisruptionBudget: description: |- Specifies the default pod disruption budget configuration. - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. properties: enabled: description: Controls whether a PodDisruptionBudget with @@ -244,7 +244,7 @@ spec: See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. properties: claims: description: |- @@ -305,7 +305,7 @@ spec: Configure this field in case that all pods of Istio control plane are expected to be scheduled to particular nodes with specified taints. - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. items: description: |- The pod this Toleration is attached to tolerates any taint that matches 
@@ -398,7 +398,7 @@ spec: Configure the policy for validating JWT. This is deprecated and has no effect. - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. type: string logAsJson: description: Specifies whether istio components should output @@ -620,7 +620,7 @@ spec: See https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. type: string proxy: description: Specifies how proxies are configured within Istio. @@ -664,7 +664,7 @@ spec: Deprecated: replaced by ProxyConfig setting which allows per-pod configuration of this behavior. - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. type: boolean image: description: |- @@ -955,7 +955,7 @@ spec: See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. properties: claims: description: |- @@ -1062,7 +1062,7 @@ spec: See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. properties: claims: description: |- 
@@ -1129,7 +1129,7 @@ spec: instead of using K8S secrets to mount the certificates. properties: token: - description: 'Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto.' + description: 'Deprecated: Marked as deprecated in pkg/apis/values_types.proto.' properties: aud: type: string @@ -5483,7 +5483,7 @@ spec: See https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. properties: targetAverageUtilization: description: |- @@ -5561,7 +5561,7 @@ spec: See https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. properties: targetAverageUtilization: description: |- @@ -5579,7 +5579,7 @@ spec: See https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. type: object podAnnotations: additionalProperties: @@ -5589,7 +5589,7 @@ spec: See: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. type: object podLabels: additionalProperties: @@ -5603,7 +5603,7 @@ spec: description: |- Number of replicas in the Pilot Deployment. - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. format: int32 type: integer resources: 
@@ -5612,7 +5612,7 @@ spec: See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. properties: claims: description: |- @@ -5671,7 +5671,7 @@ spec: description: |- K8s rolling update strategy - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. x-kubernetes-int-or-string: true rollingMaxUnavailable: anyOf: @@ -5684,7 +5684,7 @@ spec: May be specified as a number of pods or as a percent of the total number of pods at the start of the update. - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. x-kubernetes-int-or-string: true seccompProfile: description: |- @@ -5747,7 +5747,7 @@ spec: scheduled to particular nodes with matching taints. More info: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. items: description: |- The pod this Toleration is attached to tolerates any taint that matches diff --git a/chart/crds/sailoperator.io_istiocnis.yaml b/chart/crds/sailoperator.io_istiocnis.yaml index 3852ba680..d92a14591 100644 --- a/chart/crds/sailoperator.io_istiocnis.yaml +++ b/chart/crds/sailoperator.io_istiocnis.yaml 
@@ -1079,13 +1079,13 @@ spec: description: |- Additional annotations to apply to the istio-cni Pods. - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. type: object privileged: description: |- No longer used for CNI. See: https://github.com/istio/istio/issues/49004 - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. type: boolean provider: description: |- @@ -1123,7 +1123,7 @@ spec: description: |- No longer used. - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. type: string deletePods: description: |- @@ -1291,7 +1291,7 @@ spec: description: |- See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. properties: claims: description: |- diff --git a/chart/crds/sailoperator.io_istiorevisions.yaml b/chart/crds/sailoperator.io_istiorevisions.yaml index 0dabf6f01..a14357901 100644 --- a/chart/crds/sailoperator.io_istiorevisions.yaml +++ b/chart/crds/sailoperator.io_istiorevisions.yaml @@ -118,7 +118,7 @@ spec: - Least preferred\n\t2 - No preference\n\t3 - Most preferred\n\nDeprecated: replaced by the affinity k8s settings which allows architecture nodeAffinity configuration of this behavior.\n\nDeprecated: - Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto." + Marked as deprecated in pkg/apis/values_types.proto." properties: amd64: description: Sets pod scheduling weight for amd64 arch 
@@ -170,13 +170,13 @@ spec: See https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. type: object defaultPodDisruptionBudget: description: |- Specifies the default pod disruption budget configuration. - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. properties: enabled: description: Controls whether a PodDisruptionBudget with @@ -190,7 +190,7 @@ spec: See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. properties: claims: description: |- @@ -251,7 +251,7 @@ spec: Configure this field in case that all pods of Istio control plane are expected to be scheduled to particular nodes with specified taints. - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. items: description: |- The pod this Toleration is attached to tolerates any taint that matches @@ -344,7 +344,7 @@ spec: Configure the policy for validating JWT. This is deprecated and has no effect. - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. type: string logAsJson: description: Specifies whether istio components should output 
@@ -566,7 +566,7 @@ spec: See https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. type: string proxy: description: Specifies how proxies are configured within Istio. @@ -610,7 +610,7 @@ spec: Deprecated: replaced by ProxyConfig setting which allows per-pod configuration of this behavior. - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. type: boolean image: description: |- @@ -901,7 +901,7 @@ spec: See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. properties: claims: description: |- @@ -1008,7 +1008,7 @@ spec: See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. properties: claims: description: |- @@ -1075,7 +1075,7 @@ spec: instead of using K8S secrets to mount the certificates. properties: token: - description: 'Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto.' + description: 'Deprecated: Marked as deprecated in pkg/apis/values_types.proto.' properties: aud: type: string @@ -5429,7 +5429,7 @@ spec: See https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. properties: targetAverageUtilization: description: |- 
@@ -5507,7 +5507,7 @@ spec: See https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. properties: targetAverageUtilization: description: |- @@ -5525,7 +5525,7 @@ spec: See https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. type: object podAnnotations: additionalProperties: @@ -5535,7 +5535,7 @@ spec: See: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. type: object podLabels: additionalProperties: @@ -5549,7 +5549,7 @@ spec: description: |- Number of replicas in the Pilot Deployment. - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. format: int32 type: integer resources: @@ -5558,7 +5558,7 @@ spec: See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. properties: claims: description: |- @@ -5617,7 +5617,7 @@ spec: description: |- K8s rolling update strategy - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. x-kubernetes-int-or-string: true rollingMaxUnavailable: anyOf: 
@@ -5630,7 +5630,7 @@ spec: May be specified as a number of pods or as a percent of the total number of pods at the start of the update. - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. x-kubernetes-int-or-string: true seccompProfile: description: |- @@ -5693,7 +5693,7 @@ spec: scheduled to particular nodes with matching taints. More info: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. items: description: |- The pod this Toleration is attached to tolerates any taint that matches diff --git a/chart/crds/sailoperator.io_istios.yaml b/chart/crds/sailoperator.io_istios.yaml index 8ccbb7dcc..e161d7172 100644 --- a/chart/crds/sailoperator.io_istios.yaml +++ b/chart/crds/sailoperator.io_istios.yaml @@ -177,7 +177,7 @@ spec: - Least preferred\n\t2 - No preference\n\t3 - Most preferred\n\nDeprecated: replaced by the affinity k8s settings which allows architecture nodeAffinity configuration of this behavior.\n\nDeprecated: - Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto." + Marked as deprecated in pkg/apis/values_types.proto." properties: amd64: description: Sets pod scheduling weight for amd64 arch 
@@ -229,13 +229,13 @@ spec: See https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. type: object defaultPodDisruptionBudget: description: |- Specifies the default pod disruption budget configuration. - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. properties: enabled: description: Controls whether a PodDisruptionBudget with @@ -249,7 +249,7 @@ spec: See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. properties: claims: description: |- @@ -310,7 +310,7 @@ spec: Configure this field in case that all pods of Istio control plane are expected to be scheduled to particular nodes with specified taints. - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. items: description: |- The pod this Toleration is attached to tolerates any taint that matches @@ -403,7 +403,7 @@ spec: Configure the policy for validating JWT. This is deprecated and has no effect. - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. type: string logAsJson: description: Specifies whether istio components should output 
@@ -625,7 +625,7 @@ spec: See https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. type: string proxy: description: Specifies how proxies are configured within Istio. @@ -669,7 +669,7 @@ spec: Deprecated: replaced by ProxyConfig setting which allows per-pod configuration of this behavior. - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. type: boolean image: description: |- @@ -960,7 +960,7 @@ spec: See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. properties: claims: description: |- @@ -1067,7 +1067,7 @@ spec: See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. properties: claims: description: |- @@ -1134,7 +1134,7 @@ spec: instead of using K8S secrets to mount the certificates. properties: token: - description: 'Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto.' + description: 'Deprecated: Marked as deprecated in pkg/apis/values_types.proto.' properties: aud: type: string @@ -5488,7 +5488,7 @@ spec: See https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. properties: targetAverageUtilization: description: |- 
@@ -5566,7 +5566,7 @@ spec: See https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. properties: targetAverageUtilization: description: |- @@ -5584,7 +5584,7 @@ spec: See https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. type: object podAnnotations: additionalProperties: @@ -5594,7 +5594,7 @@ spec: See: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. type: object podLabels: additionalProperties: @@ -5608,7 +5608,7 @@ spec: description: |- Number of replicas in the Pilot Deployment. - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. format: int32 type: integer resources: @@ -5617,7 +5617,7 @@ spec: See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. properties: claims: description: |- @@ -5676,7 +5676,7 @@ spec: description: |- K8s rolling update strategy - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. x-kubernetes-int-or-string: true rollingMaxUnavailable: anyOf: 
@@ -5689,7 +5689,7 @@ spec: May be specified as a number of pods or as a percent of the total number of pods at the start of the update. - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. x-kubernetes-int-or-string: true seccompProfile: description: |- @@ -5752,7 +5752,7 @@ spec: scheduled to particular nodes with matching taints. More info: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. items: description: |- The pod this Toleration is attached to tolerates any taint that matches diff --git a/chart/crds/sailoperator.io_remoteistios.yaml b/chart/crds/sailoperator.io_remoteistios.yaml index edc2c67d5..4fd75d9ea 100644 --- a/chart/crds/sailoperator.io_remoteistios.yaml +++ b/chart/crds/sailoperator.io_remoteistios.yaml @@ -172,7 +172,7 @@ spec: - Least preferred\n\t2 - No preference\n\t3 - Most preferred\n\nDeprecated: replaced by the affinity k8s settings which allows architecture nodeAffinity configuration of this behavior.\n\nDeprecated: - Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto." + Marked as deprecated in pkg/apis/values_types.proto." properties: amd64: description: Sets pod scheduling weight for amd64 arch 
@@ -224,13 +224,13 @@ spec: See https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. type: object defaultPodDisruptionBudget: description: |- Specifies the default pod disruption budget configuration. - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. properties: enabled: description: Controls whether a PodDisruptionBudget with @@ -244,7 +244,7 @@ spec: See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. properties: claims: description: |- @@ -305,7 +305,7 @@ spec: Configure this field in case that all pods of Istio control plane are expected to be scheduled to particular nodes with specified taints. - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. items: description: |- The pod this Toleration is attached to tolerates any taint that matches @@ -398,7 +398,7 @@ spec: Configure the policy for validating JWT. This is deprecated and has no effect. - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. type: string logAsJson: description: Specifies whether istio components should output 
@@ -620,7 +620,7 @@ spec: See https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. type: string proxy: description: Specifies how proxies are configured within Istio. @@ -664,7 +664,7 @@ spec: Deprecated: replaced by ProxyConfig setting which allows per-pod configuration of this behavior. - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. type: boolean image: description: |- @@ -955,7 +955,7 @@ spec: See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. properties: claims: description: |- @@ -1062,7 +1062,7 @@ spec: See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. properties: claims: description: |- @@ -1129,7 +1129,7 @@ spec: instead of using K8S secrets to mount the certificates. properties: token: - description: 'Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto.' + description: 'Deprecated: Marked as deprecated in pkg/apis/values_types.proto.' properties: aud: type: string @@ -5483,7 +5483,7 @@ spec: See https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. properties: targetAverageUtilization: description: |- 
@@ -5561,7 +5561,7 @@ spec: See https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. properties: targetAverageUtilization: description: |- @@ -5579,7 +5579,7 @@ spec: See https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. type: object podAnnotations: additionalProperties: @@ -5589,7 +5589,7 @@ spec: See: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. type: object podLabels: additionalProperties: @@ -5603,7 +5603,7 @@ spec: description: |- Number of replicas in the Pilot Deployment. - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. format: int32 type: integer resources: @@ -5612,7 +5612,7 @@ spec: See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. properties: claims: description: |- @@ -5671,7 +5671,7 @@ spec: description: |- K8s rolling update strategy - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. x-kubernetes-int-or-string: true rollingMaxUnavailable: anyOf: 
@@ -5684,7 +5684,7 @@ spec: May be specified as a number of pods or as a percent of the total number of pods at the start of the update. - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. x-kubernetes-int-or-string: true seccompProfile: description: |- @@ -5747,7 +5747,7 @@ spec: scheduled to particular nodes with matching taints. More info: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. items: description: |- The pod this Toleration is attached to tolerates any taint that matches diff --git a/docs/api-reference/sailoperator.io.md b/docs/api-reference/sailoperator.io.md index ce6e08862..7268a9bcc 100644 --- a/docs/api-reference/sailoperator.io.md +++ b/docs/api-reference/sailoperator.io.md 
@@ -104,14 +104,14 @@ _Appears in:_ | `cniNetnsDir` _string_ | The directory path within the cluster node's filesystem where network namespaces are located. Defaults to '/var/run/netns', in minikube/docker/others can be '/var/run/docker/netns'. | | | | `excludeNamespaces` _string array_ | List of namespaces that should be ignored by the CNI plugin. | | | | `affinity` _[Affinity](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#affinity-v1-core)_ | K8s affinity to set on the istio-cni Pods. Can be used to exclude istio-cni from being scheduled on specified nodes. | | | -| `podAnnotations` _object (keys:string, values:string)_ | Additional annotations to apply to the istio-cni Pods. Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. | | | +| `podAnnotations` _object (keys:string, values:string)_ | Additional annotations to apply to the istio-cni Pods. Deprecated: Marked as deprecated in pkg/apis/values_types.proto. | | | | `psp_cluster_role` _string_ | PodSecurityPolicy cluster role. No longer used anywhere. | | | | `logging` _[GlobalLoggingConfig](#globalloggingconfig)_ | Same as `global.logging.level`, but will override it if set | | | | `repair` _[CNIRepairConfig](#cnirepairconfig)_ | Configuration for the CNI Repair controller. | | | | `chained` _boolean_ | Configure the plugin as a chained CNI plugin. When true, the configuration is added to the CNI chain; when false, the configuration is added as a standalone file in the CNI configuration directory. | | | | `resource_quotas` _[ResourceQuotas](#resourcequotas)_ | The resource quotas configration for the CNI DaemonSet. | | | | `resources` _[ResourceRequirements](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#resourcerequirements-v1-core)_ | The k8s resource requests and limits for the istio-cni Pods. | | | -| `privileged` _boolean_ | No longer used for CNI. 
See: https://github.com/istio/istio/issues/49004 Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. | | | +| `privileged` _boolean_ | No longer used for CNI. See: https://github.com/istio/istio/issues/49004 Deprecated: Marked as deprecated in pkg/apis/values_types.proto. | | | | `seccompProfile` _[SeccompProfile](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#seccompprofile-v1-core)_ | The Container seccompProfile See: https://kubernetes.io/docs/tutorials/security/seccomp/ | | | | `provider` _string_ | Specifies the CNI provider. Can be either "default" or "multus". When set to "multus", an additional NetworkAttachmentDefinition resource is deployed to the cluster to allow the istio-cni plugin to be invoked in a cluster using the Multus CNI plugin. | | | | `rollingMaxUnavailable` _[IntOrString](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#intorstring-intstr-util)_ | The number of pods that can be unavailable during a rolling update of the CNI DaemonSet (see `updateStrategy.rollingUpdate.maxUnavailable` here: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/daemon-set-v1/#DaemonSetSpec). May be specified as a number of pods or as a percent of the total number of pods at the start of the update. | | XIntOrString: \{\} | 
@@ -130,7 +130,7 @@ _Appears in:_ | Field | Description | Default | Validation | | --- | --- | --- | --- | -| `defaultResources` _[ResourceRequirements](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#resourcerequirements-v1-core)_ | See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. | | | +| `defaultResources` _[ResourceRequirements](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#resourcerequirements-v1-core)_ | See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container Deprecated: Marked as deprecated in pkg/apis/values_types.proto. | | | | `hub` _string_ | Specifies the docker hub for Istio images. | | | | `imagePullPolicy` _[PullPolicy](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#pullpolicy-v1-core)_ | Specifies the image pull policy for the Istio images. one of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. Cannot be updated. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images | | Enum: [Always Never IfNotPresent] | | `imagePullSecrets` _string array_ | ImagePullSecrets for the control plane ServiceAccount, list of secrets in the same namespace to use for pulling any images in pods that reference this ServiceAccount. Must be set for any cluster configured with private docker registry. | | | 
@@ -159,7 +159,7 @@ _Appears in:_ | `image` _string_ | Image name to pull from. Image will be `Hub/Image:Tag-Variant`. If Image contains a "/", it will replace the entire `image` in the pod. | | | | `labelPods` _boolean_ | The Repair controller has 3 modes (labelPods, deletePods, and repairPods). Pick which one meets your use cases. Note only one may be used. The mode defines the action the controller will take when a pod is detected as broken. If labelPods is true, the controller will label all broken pods with =. This is only capable of identifying broken pods; the user is responsible for fixing them (generally, by deleting them). Note this gives the DaemonSet a relatively high privilege, as modifying pod metadata/status can have wider impacts. | | | | `repairPods` _boolean_ | The Repair controller has 3 modes (labelPods, deletePods, and repairPods). Pick which one meets your use cases. Note only one may be used. The mode defines the action the controller will take when a pod is detected as broken. If repairPods is true, the controller will dynamically repair any broken pod by setting up the pod networking configuration even after it has started. Note the pod will be crashlooping, so this may take a few minutes to become fully functional based on when the retry occurs. This requires no RBAC privilege, but will require the CNI agent to run as a privileged pod. | | | -| `createEvents` _string_ | No longer used. Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. | | | +| `createEvents` _string_ | No longer used. Deprecated: Marked as deprecated in pkg/apis/values_types.proto. | | | | `deletePods` _boolean_ | The Repair controller has 3 modes (labelPods, deletePods, and repairPods). Pick which one meets your use cases. Note only one may be used. The mode defines the action the controller will take when a pod is detected as broken. If deletePods is true, the controller will delete the broken pod. 
The pod will then be rescheduled, hopefully onto a node that is fully ready. Note this gives the DaemonSet a relatively high privilege, as it can delete any Pod. | | | | `brokenPodLabelKey` _string_ | The label key to apply to a broken pod when the controller is in labelPods mode. | | | | `brokenPodLabelValue` _string_ | The label value to apply to a broken pod when the controller is in labelPods mode. | | | 
@@ -375,13 +375,13 @@ _Appears in:_ | Field | Description | Default | Validation | | --- | --- | --- | --- | -| `arch` _[ArchConfig](#archconfig)_ | Specifies pod scheduling arch(amd64, ppc64le, s390x, arm64) and weight as follows: 0 - Never scheduled 1 - Least preferred 2 - No preference 3 - Most preferred Deprecated: replaced by the affinity k8s settings which allows architecture nodeAffinity configuration of this behavior. Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. | | | +| `arch` _[ArchConfig](#archconfig)_ | Specifies pod scheduling arch(amd64, ppc64le, s390x, arm64) and weight as follows: 0 - Never scheduled 1 - Least preferred 2 - No preference 3 - Most preferred Deprecated: replaced by the affinity k8s settings which allows architecture nodeAffinity configuration of this behavior. Deprecated: Marked as deprecated in pkg/apis/values_types.proto. | | | | `certSigners` _string array_ | List of certSigners to allow "approve" action in the ClusterRole | | | | `configValidation` _boolean_ | Controls whether the server-side validation is enabled. | | | -| `defaultNodeSelector` _object (keys:string, values:string)_ | Default k8s node selector for all the Istio control plane components See https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. | | | -| `defaultPodDisruptionBudget` _[DefaultPodDisruptionBudgetConfig](#defaultpoddisruptionbudgetconfig)_ | Specifies the default pod disruption budget configuration. Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. | | | -| `defaultResources` _[ResourceRequirements](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#resourcerequirements-v1-core)_ | Default k8s resources settings for all Istio control plane components. 
See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. | | | -| `defaultTolerations` _[Toleration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#toleration-v1-core) array_ | Default node tolerations to be applied to all deployments so that all pods can be scheduled to nodes with matching taints. Each component can overwrite these default values by adding its tolerations block in the relevant section below and setting the desired values. Configure this field in case that all pods of Istio control plane are expected to be scheduled to particular nodes with specified taints. Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. | | | +| `defaultNodeSelector` _object (keys:string, values:string)_ | Default k8s node selector for all the Istio control plane components See https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector Deprecated: Marked as deprecated in pkg/apis/values_types.proto. | | | +| `defaultPodDisruptionBudget` _[DefaultPodDisruptionBudgetConfig](#defaultpoddisruptionbudgetconfig)_ | Specifies the default pod disruption budget configuration. Deprecated: Marked as deprecated in pkg/apis/values_types.proto. | | | +| `defaultResources` _[ResourceRequirements](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#resourcerequirements-v1-core)_ | Default k8s resources settings for all Istio control plane components. See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container Deprecated: Marked as deprecated in pkg/apis/values_types.proto. 
| | | +| `defaultTolerations` _[Toleration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#toleration-v1-core) array_ | Default node tolerations to be applied to all deployments so that all pods can be scheduled to nodes with matching taints. Each component can overwrite these default values by adding its tolerations block in the relevant section below and setting the desired values. Configure this field in case that all pods of Istio control plane are expected to be scheduled to particular nodes with specified taints. Deprecated: Marked as deprecated in pkg/apis/values_types.proto. | | | | `hub` _string_ | Specifies the docker hub for Istio images. | | | | `imagePullPolicy` _[PullPolicy](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#pullpolicy-v1-core)_ | Specifies the image pull policy for the Istio images. one of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. Cannot be updated. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images | | Enum: [Always Never IfNotPresent] | | `imagePullSecrets` _string array_ | ImagePullSecrets for the control plane ServiceAccount, list of secrets in the same namespace to use for pulling any images in pods that reference this ServiceAccount. Must be set for any cluster configured with private docker registry. | | | 
@@ -395,7 +395,7 @@ _Appears in:_ | `podDNSSearchNamespaces` _string array_ | Custom DNS config for the pod to resolve names of services in other clusters. Use this to add additional search domains, and other settings. see https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config This does not apply to gateway pods as they typically need a different set of DNS settings than the normal application pods (e.g. in multicluster scenarios). | | | | `omitSidecarInjectorConfigMap` _boolean_ | Controls whether the creation of the sidecar injector ConfigMap should be skipped. Defaults to false. When set to true, the sidecar injector ConfigMap will not be created. | | | | `operatorManageWebhooks` _boolean_ | Controls whether the WebhookConfiguration resource(s) should be created. The current behavior of Istiod is to manage its own webhook configurations. When this option is set to true, Istio Operator, instead of webhooks, manages the webhook configurations. When this option is set as false, webhooks manage their own webhook configurations. | | | -| `priorityClassName` _string_ | Specifies the k8s priorityClassName for the istio control plane components. See https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. | | | +| `priorityClassName` _string_ | Specifies the k8s priorityClassName for the istio control plane components. See https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass Deprecated: Marked as deprecated in pkg/apis/values_types.proto. | | | | `proxy` _[ProxyConfig](#proxyconfig)_ | Specifies how proxies are configured within Istio. | | | | `proxy_init` _[ProxyInitConfig](#proxyinitconfig)_ | Specifies the Configuration for proxy_init container which sets the pods' networking to intercept the inbound/outbound traffic. 
| | | | `sds` _[SDSConfig](#sdsconfig)_ | Specifies the Configuration for the SecretDiscoveryService instead of using K8S secrets to mount the certificates. | | | @@ -405,7 +405,7 @@ _Appears in:_ | `remotePilotAddress` _string_ | Specifies the Istio control plane’s pilot Pod IP address or remote cluster DNS resolvable hostname. | | | | `istiod` _[IstiodConfig](#istiodconfig)_ | Specifies the configution of istiod | | | | `pilotCertProvider` _string_ | Configure the Pilot certificate provider. Currently, four providers are supported: "kubernetes", "istiod", "custom" and "none". | | | -| `jwtPolicy` _string_ | Configure the policy for validating JWT. This is deprecated and has no effect. Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. | | | +| `jwtPolicy` _string_ | Configure the policy for validating JWT. This is deprecated and has no effect. Deprecated: Marked as deprecated in pkg/apis/values_types.proto. | | | | `sts` _[STSConfig](#stsconfig)_ | Specifies the configuration for Security Token Service. | | | | `revision` _string_ | Configures the revision this control plane is a part of | | | | `mountMtlsCerts` _boolean_ | Controls whether the in-cluster MTLS key and certs are loaded from the secret volume mounts. | | | 
@@ -2067,22 +2067,22 @@ _Appears in:_ | `autoscaleMin` _integer_ | Minimum number of replicas in the HorizontalPodAutoscaler for Pilot. | | | | `autoscaleMax` _integer_ | Maximum number of replicas in the HorizontalPodAutoscaler for Pilot. | | | | `autoscaleBehavior` _[HorizontalPodAutoscalerBehavior](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#horizontalpodautoscalerbehavior-v2-autoscaling)_ | See https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/#configurable-scaling-behavior | | | -| `replicaCount` _integer_ | Number of replicas in the Pilot Deployment. Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. | | | +| `replicaCount` _integer_ | Number of replicas in the Pilot Deployment. Deprecated: Marked as deprecated in pkg/apis/values_types.proto. | | | | `image` _string_ | Image name used for Pilot. This can be set either to image name if hub is also set, or can be set to the full hub:name string. Examples: custom-pilot, docker.io/someuser:custom-pilot | | | | `traceSampling` _float_ | Trace sampling fraction. Used to set the fraction of time that traces are sampled. Higher values are more accurate but add CPU overhead. Allowed values: 0.0 to 1.0 | | | -| `resources` _[ResourceRequirements](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#resourcerequirements-v1-core)_ | K8s resources settings. See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. | | | -| `cpu` _[TargetUtilizationConfig](#targetutilizationconfig)_ | Target CPU utilization used in HorizontalPodAutoscaler. See https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. 
| | | -| `nodeSelector` _object (keys:string, values:string)_ | K8s node selector. See https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. | | | +| `resources` _[ResourceRequirements](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#resourcerequirements-v1-core)_ | K8s resources settings. See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container Deprecated: Marked as deprecated in pkg/apis/values_types.proto. | | | +| `cpu` _[TargetUtilizationConfig](#targetutilizationconfig)_ | Target CPU utilization used in HorizontalPodAutoscaler. See https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ Deprecated: Marked as deprecated in pkg/apis/values_types.proto. | | | +| `nodeSelector` _object (keys:string, values:string)_ | K8s node selector. See https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector Deprecated: Marked as deprecated in pkg/apis/values_types.proto. | | | | `keepaliveMaxServerConnectionAge` _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#duration-v1-meta)_ | Maximum duration that a sidecar can be connected to a pilot. This setting balances out load across pilot instances, but adds some resource overhead. Examples: 300s, 30m, 1h | | | | `deploymentLabels` _object (keys:string, values:string)_ | Labels that are added to Pilot deployment. See https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ | | | | `podLabels` _object (keys:string, values:string)_ | Labels that are added to Pilot pods. See https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ | | | | `configMap` _boolean_ | Configuration settings passed to Pilot as a ConfigMap. This controls whether the mesh config map, generated from values.yaml is generated. 
If false, pilot wil use default values or user-supplied values, in that order of preference. | | | | `env` _object (keys:string, values:string)_ | Environment variables passed to the Pilot container. Examples: env: ENV_VAR_1: value1 ENV_VAR_2: value2 | | | | `affinity` _[Affinity](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#affinity-v1-core)_ | K8s affinity to set on the Pilot Pods. | | | -| `rollingMaxSurge` _[IntOrString](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#intorstring-intstr-util)_ | K8s rolling update strategy Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. | | XIntOrString: \{\} | -| `rollingMaxUnavailable` _[IntOrString](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#intorstring-intstr-util)_ | The number of pods that can be unavailable during a rolling update (see `strategy.rollingUpdate.maxUnavailable` here: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/deployment-v1/#DeploymentSpec). May be specified as a number of pods or as a percent of the total number of pods at the start of the update. Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. | | XIntOrString: \{\} | -| `tolerations` _[Toleration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#toleration-v1-core) array_ | The node tolerations to be applied to the Pilot deployment so that it can be scheduled to particular nodes with matching taints. More info: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. | | | -| `podAnnotations` _object (keys:string, values:string)_ | K8s annotations for pods. See: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. 
| | | +| `rollingMaxSurge` _[IntOrString](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#intorstring-intstr-util)_ | K8s rolling update strategy Deprecated: Marked as deprecated in pkg/apis/values_types.proto. | | XIntOrString: \{\} | +| `rollingMaxUnavailable` _[IntOrString](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#intorstring-intstr-util)_ | The number of pods that can be unavailable during a rolling update (see `strategy.rollingUpdate.maxUnavailable` here: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/deployment-v1/#DeploymentSpec). May be specified as a number of pods or as a percent of the total number of pods at the start of the update. Deprecated: Marked as deprecated in pkg/apis/values_types.proto. | | XIntOrString: \{\} | +| `tolerations` _[Toleration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#toleration-v1-core) array_ | The node tolerations to be applied to the Pilot deployment so that it can be scheduled to particular nodes with matching taints. More info: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling Deprecated: Marked as deprecated in pkg/apis/values_types.proto. | | | +| `podAnnotations` _object (keys:string, values:string)_ | K8s annotations for pods. See: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ Deprecated: Marked as deprecated in pkg/apis/values_types.proto. | | | | `serviceAnnotations` _object (keys:string, values:string)_ | K8s annotations for the Service. See: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ | | | | `serviceAccountAnnotations` _object (keys:string, values:string)_ | K8s annotations for the service account | | | | `jwksResolverExtraRootCA` _string_ | Specifies an extra root certificate in PEM format. This certificate will be trusted by pilot when resolving JWKS URIs. | | | 
@@ -2096,7 +2096,7 @@ _Appears in:_ | `volumes` _[Volume](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#volume-v1-core) array_ | Additional volumes to add to the Pilot Pod. | | | | `ipFamilies` _string array_ | Defines which IP family to use for single stack or the order of IP families for dual-stack. Valid list items are "IPv4", "IPv6". More info: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services | | | | `ipFamilyPolicy` _string_ | Controls whether Services are configured to use IPv4, IPv6, or both. Valid options are PreferDualStack, RequireDualStack, and SingleStack. More info: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services | | | -| `memory` _[TargetUtilizationConfig](#targetutilizationconfig)_ | Target memory utilization used in HorizontalPodAutoscaler. See https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. | | | +| `memory` _[TargetUtilizationConfig](#targetutilizationconfig)_ | Target memory utilization used in HorizontalPodAutoscaler. See https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ Deprecated: Marked as deprecated in pkg/apis/values_types.proto. | | | | `cni` _[CNIUsageConfig](#cniusageconfig)_ | Configures whether to use an existing CNI installation for workloads | | | | `taint` _[PilotTaintControllerConfig](#pilottaintcontrollerconfig)_ | | | | | `trustedZtunnelNamespace` _string_ | If set, `istiod` will allow connections from trusted node proxy ztunnels in the provided namespace. | | | 
@@ -2200,11 +2200,11 @@ _Appears in:_ | `readinessFailureThreshold` _integer_ | Sets the number of successive failed probes before indicating readiness failure. | | | | `startupProbe` _[StartupProbe](#startupprobe)_ | Configures the startup probe for the istio-proxy container. | | | | `statusPort` _integer_ | Default port used for the Pilot agent's health checks. | | | -| `resources` _[ResourceRequirements](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#resourcerequirements-v1-core)_ | K8s resources settings. See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. | | | +| `resources` _[ResourceRequirements](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#resourcerequirements-v1-core)_ | K8s resources settings. See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container Deprecated: Marked as deprecated in pkg/apis/values_types.proto. | | | | `tracer` _[Tracer](#tracer)_ | Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver. If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file. | | Enum: [zipkin lightstep datadog stackdriver openCensusAgent none] | | `excludeOutboundPorts` _string_ | A comma separated list of outbound ports to be excluded from redirection to Envoy. | | | | `lifecycle` _[Lifecycle](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#lifecycle-v1-core)_ | The k8s lifecycle hooks definition (pod.spec.containers.lifecycle) for the proxy container. 
More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks | | | -| `holdApplicationUntilProxyStarts` _boolean_ | Controls if sidecar is injected at the front of the container list and blocks the start of the other containers until the proxy is ready Deprecated: replaced by ProxyConfig setting which allows per-pod configuration of this behavior. Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. | | | +| `holdApplicationUntilProxyStarts` _boolean_ | Controls if sidecar is injected at the front of the container list and blocks the start of the other containers until the proxy is ready Deprecated: replaced by ProxyConfig setting which allows per-pod configuration of this behavior. Deprecated: Marked as deprecated in pkg/apis/values_types.proto. | | | | `includeInboundPorts` _string_ | A comma separated list of inbound ports for which traffic is to be redirected to Envoy. The wildcard character '*' can be used to configure redirection for all ports. | | | | `includeOutboundPorts` _string_ | A comma separated list of outbound ports for which traffic is to be redirected to Envoy, regardless of the destination IP. | | | 
@@ -2391,7 +2391,7 @@ _Appears in:_ | Field | Description | Default | Validation | | --- | --- | --- | --- | | `image` _string_ | Specifies the image for the proxy_init container. | | | -| `resources` _[ResourceRequirements](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#resourcerequirements-v1-core)_ | K8s resources settings. See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. | | | +| `resources` _[ResourceRequirements](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#resourcerequirements-v1-core)_ | K8s resources settings. See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container Deprecated: Marked as deprecated in pkg/apis/values_types.proto. | | | #### RemoteIstio @@ -2626,7 +2626,7 @@ _Appears in:_ | Field | Description | Default | Validation | | --- | --- | --- | --- | -| `token` _[SDSConfigToken](#sdsconfigtoken)_ | Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. | | | +| `token` _[SDSConfigToken](#sdsconfigtoken)_ | Deprecated: Marked as deprecated in pkg/apis/values_types.proto. | | | #### SDSConfigToken diff --git a/go.mod b/go.mod index b47511cb4..93d5c2519 100644 --- a/go.mod +++ b/go.mod @@ -21,8 +21,8 @@ require ( gomodules.xyz/jsonpatch/v2 v2.4.0 gopkg.in/yaml.v3 v3.0.1 helm.sh/helm/v3 v3.15.1 - istio.io/client-go v1.23.0-alpha.0.0.20240809192551-f32a7326ae19 - istio.io/istio v0.0.0-20240813230019-b191b039631b + istio.io/client-go v1.23.0-alpha.0.0.20240815005320-98e06cc71273 + istio.io/istio v0.0.0-20240815163146-1ad41e17ee31 k8s.io/api v0.30.3 k8s.io/apiextensions-apiserver v0.30.3 k8s.io/apimachinery v0.30.3 
@@ -159,7 +159,7 @@ require ( gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect gotest.tools/v3 v3.5.1 // indirect - istio.io/api v1.23.0-alpha.0.0.20240809192158-5302fff8a801 // indirect + istio.io/api v1.23.0-alpha.0.0.20240815004820-dd780031d531 // indirect k8s.io/apiserver v0.30.3 // indirect k8s.io/component-base v0.30.3 // indirect k8s.io/klog/v2 v2.130.1 // indirect diff --git a/go.sum b/go.sum index 21e138aac..81a3e2c53 100644 --- a/go.sum +++ b/go.sum 
@@ -520,12 +520,12 @@ gotest.tools/v3 v3.5.1 h1:EENdUnS3pdur5nybKYIh2Vfgc8IUNBjxDPSjtiJcOzU= gotest.tools/v3 v3.5.1/go.mod h1:isy3WKz7GK6uNw/sbHzfKBLvlvXwUyV06n6brMxxopU= helm.sh/helm/v3 v3.15.1 h1:22ztacHz4gMqhXNqCQ9NAg6BFWoRUryNLvnkz6OVyw0= helm.sh/helm/v3 v3.15.1/go.mod h1:fvfoRcB8UKRUV5jrIfOTaN/pG1TPhuqSb56fjYdTKXg= -istio.io/api v1.23.0-alpha.0.0.20240809192158-5302fff8a801 h1:7cxaHipka0v7rK9/kcthjmIucVnV3jHEROUBHONYeCo= -istio.io/api v1.23.0-alpha.0.0.20240809192158-5302fff8a801/go.mod h1:MQnRok7RZ20/PE56v0LxmoWH0xVxnCQPNuf9O7PAN1I= -istio.io/client-go v1.23.0-alpha.0.0.20240809192551-f32a7326ae19 h1:NwuYY0d6HZLNLHBrgtfZ6Q/dw+DwGYTFPtqoP7XNx7g= -istio.io/client-go v1.23.0-alpha.0.0.20240809192551-f32a7326ae19/go.mod h1:VarGlJP6p95t2P7KKKAPKpnG5XA4fv/y8V6EfgcYRcw= -istio.io/istio v0.0.0-20240813230019-b191b039631b h1:1EWcxrdpcuaNKqOf93hcxS42+n23bfMRJWQHc7MtTOw= -istio.io/istio v0.0.0-20240813230019-b191b039631b/go.mod h1:4YypioCIdszSllDb9Vo+U79ThLw6ilpnsmlJxvVaJ9c= +istio.io/api v1.23.0-alpha.0.0.20240815004820-dd780031d531 h1:SzRpQFb33yZ5/RWNEMkEzwSKihIoaqS6l6bz/Pixq18= +istio.io/api v1.23.0-alpha.0.0.20240815004820-dd780031d531/go.mod h1:MQnRok7RZ20/PE56v0LxmoWH0xVxnCQPNuf9O7PAN1I= +istio.io/client-go v1.23.0-alpha.0.0.20240815005320-98e06cc71273 h1:vVlZ6fCq+e+SkKNsg06LVF4842k9ycOQSoamLlPPFeU= +istio.io/client-go v1.23.0-alpha.0.0.20240815005320-98e06cc71273/go.mod h1:Y4vkrP/cgEbtlOi4E++YhCvLkMotuWFtoQTvv+nWBLY= +istio.io/istio v0.0.0-20240815163146-1ad41e17ee31 h1:aL+yEfXFRWZgxall6phMbGP/CId65TVyR94sdm6pwo0= +istio.io/istio v0.0.0-20240815163146-1ad41e17ee31/go.mod h1:vg5Yp9IKYRlIsFRd5MOQh0/3zjk0WCWe0NVu1Q9DpZQ= k8s.io/api v0.30.3 h1:ImHwK9DCsPA9uoU3rVh4QHAHHK5dTSv1nxJUapx8hoQ= k8s.io/api v0.30.3/go.mod h1:GPc8jlzoe5JG3pb0KJCSLX5oAFIW3/qNJITlDj8BH04= k8s.io/apiextensions-apiserver v0.30.3 h1:oChu5li2vsZHx2IvnGP3ah8Nj3KyqG3kRSaKmijhB9U= diff --git a/hack/api_transformer/transform.yaml b/hack/api_transformer/transform.yaml index 4c5ed04bd..5a9a0c95a 100644 
--- a/hack/api_transformer/transform.yaml +++ b/hack/api_transformer/transform.yaml @@ -42,8 +42,10 @@ globalTransformations: inputFiles: - module: istio.io/istio - path: /operator/pkg/apis/istio/v1alpha1/values_types.pb.go + path: /operator/pkg/apis/values_types.pb.go transformations: + renameImports: + v1: k8sv1 removeTypes: - EgressGatewayConfig - IngressGatewayConfig From 196dc486d5beff1b1e866872a61fc936db4bd107 Mon Sep 17 00:00:00 2001 From: Tyler Schade Date: Mon, 30 Sep 2024 08:06:27 -0400 Subject: [PATCH 20/68] Add ability to specify resources in helm chart (#375) * add ability to specify resources in helm chart Signed-off-by: Tyler Schade * --amend Signed-off-by: Tyler Schade * --amend Signed-off-by: Tyler Schade --------- Signed-off-by: Tyler Schade --- chart/templates/deployment.yaml | 16 ++++++++-------- chart/values.yaml | 15 +++++++++++++++ 2 files changed, 23 insertions(+), 8 deletions(-) diff --git a/chart/templates/deployment.yaml b/chart/templates/deployment.yaml index d9fdcfd85..96d389713 100644 --- a/chart/templates/deployment.yaml +++ b/chart/templates/deployment.yaml @@ -64,11 +64,11 @@ spec: protocol: TCP resources: limits: - cpu: 500m - memory: 128Mi + cpu: {{ .Values.proxy.resources.limits.cpu }} + memory: {{ .Values.proxy.resources.limits.memory }} requests: - cpu: 5m - memory: 64Mi + cpu: {{ .Values.proxy.resources.requests.cpu }} + memory: {{ .Values.proxy.resources.requests.memory }} securityContext: allowPrivilegeEscalation: false capabilities: @@ -101,11 +101,11 @@ spec: periodSeconds: 10 resources: limits: - cpu: 500m - memory: 512Mi + cpu: {{ .Values.operator.resources.limits.cpu }} + memory: {{ .Values.operator.resources.limits.memory }} requests: - cpu: 10m - memory: 64Mi + cpu: {{ .Values.operator.resources.requests.cpu }} + memory: {{ .Values.operator.resources.requests.memory }} securityContext: allowPrivilegeEscalation: false capabilities: diff --git a/chart/values.yaml b/chart/values.yaml index 9dae758ca..54acfceb6 100644 
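Review bot: Each templated scalar in the two deployment.yaml hunks (-64 and -101), such as `cpu: {{ .Values.proxy.resources.limits.cpu }}`, renders as an empty value when a user overrides `resources` without supplying that exact key, which produces an invalid Deployment rather than an omitted limit. Rendering the map as a whole, `resources:` followed by `{{- toYaml .Values.proxy.resources | nindent 12 }}` (and the same for `.Values.operator.resources`), passes through exactly what the user configured and also lets them drop limits entirely. The indent width is inferred from the hunk's context lines and should be checked against the template.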
--- a/chart/values.yaml +++ b/chart/values.yaml @@ -49,6 +49,21 @@ proxy: image: gcr.io/kubebuilder/kube-rbac-proxy:v0.16.0 # We're commenting out the imagePullPolicy to use k8s defaults # imagePullPolicy: IfNotPresent + resources: + limits: + cpu: 500m + memory: 128Mi + requests: + cpu: 5m + memory: 64Mi +operator: + resources: + limits: + cpu: 500m + memory: 512Mi + requests: + cpu: 10m + memory: 64Mi # setting this to true will add resources required to generate the bundle using operator-sdk bundleGeneration: false From 2a194f0ce9a7117f4a8e8d963deeacb5c0a97a55 Mon Sep 17 00:00:00 2001 From: Maxim Babushkin Date: Mon, 30 Sep 2024 18:16:28 +0300 Subject: [PATCH 21/68] Improve pull request template (#376) Current pull request template overloads with fields. By reducing the amount of fields in the template, it will improve contributors expiriense. Signed-off-by: Maxim Babushkin --- .github/pull_request_template.md | 32 +------------------------------- 1 file changed, 1 insertion(+), 31 deletions(-) diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md index fc34ef026..9a3170f7f 100644 --- a/.github/pull_request_template.md +++ b/.github/pull_request_template.md @@ -25,9 +25,7 @@ Please, use the following labels, according to the PR type: - [ ] Documentation Update #### What this PR does / why we need it: -```text -``` #### Which issue(s) this PR fixes: -```release-note - -``` - -#### Additional documentation: -```text - -``` - -#### Does this PR introduce a breaking change? -```text - -``` - -#### Other information: -```text - -``` +#### Additional information: From e1fcbdb9517a87c42df6d82a7e7c38450344534c Mon Sep 17 00:00:00 2001 
From: Sridhar Gaddam Date: Mon, 30 Sep 2024 21:50:27 +0530 Subject: [PATCH 22/68] Implement e2e dualStack control plane tests (#373) * Implement e2e dualStack control plane tests This PR includes the necessary support 1. to deploy dualStack/IPv6 KIND clusters 2. to deploy the supported Istio versions in a dualStack mode and verifies that Istiod is properly configured to support dualStack use-cases. To run e2e dualStack tests, use the following command. $ export IP_FAMILY=dual $ make test.e2e.kind Related to: https://github.com/istio-ecosystem/sail-operator/issues/372 Signed-off-by: Sridhar Gaddam * Modify the text used in Describe and other blocks Signed-off-by: Sridhar Gaddam --------- Signed-off-by: Sridhar Gaddam --- tests/e2e/common-operator-integ-suite.sh | 2 +- tests/e2e/dualstack/dualstack_suite_test.go | 65 ++++++ tests/e2e/dualstack/dualstack_test.go | 213 ++++++++++++++++++++ tests/e2e/integ-suite-kind.sh | 2 +- 4 files changed, 280 insertions(+), 2 deletions(-) create mode 100644 tests/e2e/dualstack/dualstack_suite_test.go create mode 100644 tests/e2e/dualstack/dualstack_test.go diff --git a/tests/e2e/common-operator-integ-suite.sh b/tests/e2e/common-operator-integ-suite.sh index 304c2b005..e54f57465 100755 --- a/tests/e2e/common-operator-integ-suite.sh +++ b/tests/e2e/common-operator-integ-suite.sh 
@@ -284,7 +284,7 @@ fi # Run the go test passing the env variables defined that are going to be used in the operator tests # shellcheck disable=SC2086 -IMAGE="${HUB}/${IMAGE_BASE}:${TAG}" SKIP_DEPLOY="${SKIP_DEPLOY}" OCP="${OCP}" ISTIO_MANIFEST="${ISTIO_MANIFEST}" \ +IMAGE="${HUB}/${IMAGE_BASE}:${TAG}" SKIP_DEPLOY="${SKIP_DEPLOY}" OCP="${OCP}" IP_FAMILY="${IP_FAMILY}" ISTIO_MANIFEST="${ISTIO_MANIFEST}" \ NAMESPACE="${NAMESPACE}" CONTROL_PLANE_NS="${CONTROL_PLANE_NS}" DEPLOYMENT_NAME="${DEPLOYMENT_NAME}" MULTICLUSTER="${MULTICLUSTER}" ARTIFACTS="${ARTIFACTS}" \ ISTIO_NAME="${ISTIO_NAME}" COMMAND="${COMMAND}" VERSIONS_YAML_FILE="${VERSIONS_YAML_FILE}" KUBECONFIG="${KUBECONFIG}" ISTIOCTL_PATH="${ISTIOCTL}" \ go run github.com/onsi/ginkgo/v2/ginkgo -tags e2e --timeout 30m --junit-report=report.xml ${GINKGO_FLAGS} "${WD}"/... diff --git a/tests/e2e/dualstack/dualstack_suite_test.go b/tests/e2e/dualstack/dualstack_suite_test.go new file mode 100644 index 000000000..20661a840 --- /dev/null +++ b/tests/e2e/dualstack/dualstack_suite_test.go 
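Review bot: The new `IP_FAMILY="${IP_FAMILY}"` reads a variable that nothing in this hunk defaults, so if the script runs under `set -u` (the unbound-variable error quoted in patch 25 of this series suggests it does) every existing single-stack invocation that does not export IP_FAMILY aborts. A default next to the other initializations, `IP_FAMILY="${IP_FAMILY:-ipv4}"`, keeps those runs working; the tests/e2e/integ-suite-kind.sh hunk later in this patch has the same unguarded read and would need the same treatment.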
@@ -0,0 +1,65 @@ +//go:build e2e + +// Copyright Istio Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package dualstack + +import ( + "testing" + + k8sclient "github.com/istio-ecosystem/sail-operator/tests/e2e/util/client" + env "github.com/istio-ecosystem/sail-operator/tests/e2e/util/env" + "github.com/istio-ecosystem/sail-operator/tests/e2e/util/kubectl" + . "github.com/onsi/ginkgo/v2" + . "github.com/onsi/gomega" + "sigs.k8s.io/controller-runtime/pkg/client" +) + +var ( + cl client.Client + err error + ocp = env.GetBool("OCP", false) + namespace = env.Get("NAMESPACE", "sail-operator") + deploymentName = env.Get("DEPLOYMENT_NAME", "sail-operator") + controlPlaneNamespace = env.Get("CONTROL_PLANE_NS", "istio-system") + istioName = env.Get("ISTIO_NAME", "default") + image = env.Get("IMAGE", "quay.io/maistra-dev/sail-operator:latest") + skipDeploy = env.GetBool("SKIP_DEPLOY", false) + expectedRegistry = env.Get("EXPECTED_REGISTRY", "^docker\\.io|^gcr\\.io") + multicluster = env.GetBool("MULTICLUSTER", false) + ipFamily = env.Get("IP_FAMILY", "ipv4") + + k *kubectl.KubectlBuilder +) + +func TestDualStack(t *testing.T) { + if ipFamily != "dual" || multicluster { + t.Skip("Skipping the dualStack tests") + } + + RegisterFailHandler(Fail) + setup() + RunSpecs(t, "DualStack test suite") +} + +func setup() { + GinkgoWriter.Println("************ Running Setup ************") + + GinkgoWriter.Println("Initializing k8s client") + cl, err = 
k8sclient.InitK8sClient("") + Expect(err).NotTo(HaveOccurred()) + + k = kubectl.NewKubectlBuilder() +} diff --git a/tests/e2e/dualstack/dualstack_test.go b/tests/e2e/dualstack/dualstack_test.go new file mode 100644 index 000000000..3479a141b --- /dev/null +++ b/tests/e2e/dualstack/dualstack_test.go 
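Review bot: The package-level `err error` in the var block, assigned by `cl, err = k8sclient.InitK8sClient("")` in setup(), is a trap for every other function in the package: a call that forgets to capture its error still compiles, and a following `if err != nil` then checks a stale package variable (patch 26 in this series fixes exactly that shape in the controlplane tests). Keep the error local, `c, err := k8sclient.InitK8sClient("")` then `cl = c`, and drop `err` from the var block so a missing assignment becomes a compile error.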
@@ -0,0 +1,213 @@ +//go:build e2e + +// Copyright Istio Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR Condition OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package dualstack + +import ( + "fmt" + "path/filepath" + "time" + + "github.com/istio-ecosystem/sail-operator/api/v1alpha1" + "github.com/istio-ecosystem/sail-operator/pkg/kube" + "github.com/istio-ecosystem/sail-operator/pkg/test/project" + . "github.com/istio-ecosystem/sail-operator/pkg/test/util/ginkgo" + "github.com/istio-ecosystem/sail-operator/pkg/test/util/supportedversion" + common "github.com/istio-ecosystem/sail-operator/tests/e2e/util/common" + . "github.com/istio-ecosystem/sail-operator/tests/e2e/util/gomega" + "github.com/istio-ecosystem/sail-operator/tests/e2e/util/helm" + . "github.com/onsi/ginkgo/v2" + . 
"github.com/onsi/gomega" + "github.com/onsi/gomega/types" + appsv1 "k8s.io/api/apps/v1" + corev1 "k8s.io/api/core/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" +) + +var _ = Describe("DualStack configuration ", Ordered, func() { + SetDefaultEventuallyTimeout(180 * time.Second) + SetDefaultEventuallyPollingInterval(time.Second) + + debugInfoLogged := false + + BeforeAll(func(ctx SpecContext) { + Expect(k.CreateNamespace(namespace)).To(Succeed(), "Namespace failed to be created") + + extraArg := "" + if ocp { + extraArg = "--set=platform=openshift" + } + + if skipDeploy { + Success("Skipping operator installation because it was deployed externally") + } else { + Expect(helm.Install("sail-operator", filepath.Join(project.RootDir, "chart"), "--namespace "+namespace, "--set=image="+image, extraArg)). + To(Succeed(), "Operator failed to be deployed") + } + + Eventually(common.GetObject).WithArguments(ctx, cl, kube.Key(deploymentName, namespace), &appsv1.Deployment{}). + Should(HaveCondition(appsv1.DeploymentAvailable, metav1.ConditionTrue), "Error getting Istio CRD") + Success("Operator is deployed in the namespace and Running") + }) + + Describe("for supported versions", func() { + for _, version := range supportedversion.List { + // Note: This var version is needed to avoid the closure of the loop + version := version + + // The minimum supported version is 1.23 (and above) + if version.Major == 1 && version.Minor < 23 { + continue + } + + Context("Istio version is: "+version.Version, func() { + BeforeAll(func() { + Expect(k.CreateNamespace(controlPlaneNamespace)).To(Succeed(), "Istio namespace failed to be created") + }) + + When("the Istio CR is created with DualStack configuration", func() { + BeforeAll(func() { + istioYAML := ` +apiVersion: sailoperator.io/v1alpha1 +kind: Istio +metadata: + name: default +spec: + values: + meshConfig: + defaultConfig: + proxyMetadata: + ISTIO_DUAL_STACK: "true" + pilot: + ipFamilyPolicy: %s + env: + ISTIO_DUAL_STACK: "true" + 
version: %s + namespace: %s` + istioYAML = fmt.Sprintf(istioYAML, corev1.IPFamilyPolicyRequireDualStack, version.Name, controlPlaneNamespace) + Log("Istio YAML:", istioYAML) + Expect(k.CreateFromString(istioYAML)). + To(Succeed(), "Istio CR failed to be created") + Success("Istio CR created") + }) + + It("updates the Istio CR status to Reconciled", func(ctx SpecContext) { + Eventually(common.GetObject).WithArguments(ctx, cl, kube.Key(istioName), &v1alpha1.Istio{}). + Should(HaveCondition(v1alpha1.IstioConditionReconciled, metav1.ConditionTrue), "Istio is not Reconciled; unexpected Condition") + Success("Istio CR is Reconciled") + }) + + It("updates the Istio CR status to Ready", func(ctx SpecContext) { + Eventually(common.GetObject).WithArguments(ctx, cl, kube.Key(istioName), &v1alpha1.Istio{}). + Should(HaveCondition(v1alpha1.IstioConditionReady, metav1.ConditionTrue), "Istio is not Ready; unexpected Condition") + Success("Istio CR is Ready") + }) + + It("deploys istiod", func(ctx SpecContext) { + Eventually(common.GetObject).WithArguments(ctx, cl, kube.Key("istiod", controlPlaneNamespace), &appsv1.Deployment{}). + Should(HaveCondition(appsv1.DeploymentAvailable, metav1.ConditionTrue), "Istiod is not Available; unexpected Condition") + Expect(common.GetVersionFromIstiod()).To(Equal(version.Version), "Unexpected istiod version") + Success("Istiod is deployed in the namespace and Running") + }) + + It("uses the correct image", func(ctx SpecContext) { + Expect(common.GetObject(ctx, cl, kube.Key("istiod", controlPlaneNamespace), &appsv1.Deployment{})). + To(HaveContainersThat(HaveEach(ImageFromRegistry(expectedRegistry)))) + }) + + It("has ISTIO_DUAL_STACK env variable set", func(ctx SpecContext) { + Expect(common.GetObject(ctx, cl, kube.Key("istiod", controlPlaneNamespace), &appsv1.Deployment{})). 
+ To(HaveContainersThat(ContainElement(WithTransform(getEnvVars, ContainElement(corev1.EnvVar{Name: "ISTIO_DUAL_STACK", Value: "true"})))), + "Expected ISTIO_DUAL_STACK to be set to true, but not found") + }) + + It("deploys istiod service in dualStack mode", func(ctx SpecContext) { + var istiodSvcObj corev1.Service + + Eventually(func() error { + _, err := common.GetObject(ctx, cl, kube.Key("istiod", controlPlaneNamespace), &istiodSvcObj) + return err + }).Should(Succeed(), "Expected to retrieve the 'istiod' service") + + Expect(istiodSvcObj.Spec.IPFamilyPolicy).ToNot(BeNil(), "Expected IPFamilyPolicy to be set") + Expect(*istiodSvcObj.Spec.IPFamilyPolicy).To(Equal(corev1.IPFamilyPolicyRequireDualStack), "Expected ipFamilyPolicy to be 'RequireDualStack'") + Success("Istio Service is deployed in the namespace and Running") + }) + }) + + When("the Istio CR is deleted", func() { + BeforeEach(func() { + Expect(k.SetNamespace(controlPlaneNamespace).Delete("istio", istioName)).To(Succeed(), "Istio CR failed to be deleted") + Success("Istio CR deleted") + }) + + It("removes everything from the namespace", func(ctx SpecContext) { + Eventually(cl.Get).WithArguments(ctx, kube.Key("istiod", controlPlaneNamespace), &appsv1.Deployment{}). 
+ Should(ReturnNotFoundError(), "Istiod should not exist anymore") + common.CheckNamespaceEmpty(ctx, cl, controlPlaneNamespace) + Success("Namespace is empty") + }) + }) + }) + } + + AfterAll(func(ctx SpecContext) { + if CurrentSpecReport().Failed() { + common.LogDebugInfo() + debugInfoLogged = true + } + + By("Cleaning up the Istio namespace") + Expect(cl.Delete(ctx, &corev1.Namespace{ObjectMeta: metav1.ObjectMeta{Name: controlPlaneNamespace}})).To(Succeed(), "Istio Namespace failed to be deleted") + + By("Deleting any left-over Istio and IstioRevision resources") + Success("Resources deleted") + Success("Cleanup done") + }) + }) + + AfterAll(func() { + if CurrentSpecReport().Failed() && !debugInfoLogged { + common.LogDebugInfo() + debugInfoLogged = true + } + + if skipDeploy { + Success("Skipping operator undeploy because it was deployed externally") + return + } + + By("Deleting operator deployment") + Expect(helm.Uninstall("sail-operator", "--namespace "+namespace)). + To(Succeed(), "Operator failed to be deleted") + GinkgoWriter.Println("Operator uninstalled") + + Expect(k.DeleteNamespace(namespace)).To(Succeed(), "Namespace failed to be deleted") + Success("Namespace deleted") + }) +}) + +func HaveContainersThat(matcher types.GomegaMatcher) types.GomegaMatcher { + return HaveField("Spec.Template.Spec.Containers", matcher) +} + +func ImageFromRegistry(regexp string) types.GomegaMatcher { + return HaveField("Image", MatchRegexp(regexp)) +} + +func getEnvVars(container corev1.Container) []corev1.EnvVar { + return container.Env +} diff --git a/tests/e2e/integ-suite-kind.sh b/tests/e2e/integ-suite-kind.sh index 90a939851..e4442e278 100755 --- a/tests/e2e/integ-suite-kind.sh +++ b/tests/e2e/integ-suite-kind.sh 
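Review bot: In the inner AfterAll, `By("Deleting any left-over Istio and IstioRevision resources")` is followed directly by `Success("Resources deleted")` with no delete call between them, so the step logs a cleanup that never runs and an Istio or IstioRevision left behind by a failed spec survives into the next version's Context. Either perform the deletes there (a `cl.DeleteAllOf` per type, or the kubectl builder the file already uses for `Delete("istio", istioName)`) or remove the By/Success pair so the log does not claim it. Separately, the license header of this new file reads `WITHOUT WARRANTIES OR Condition OF ANY KIND`, which differs from the `CONDITIONS` wording in the sibling suite file.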
@@ -101,5 +101,5 @@ echo "Running integration tests" if [ "${MULTICLUSTER}" == "true" ]; then ARTIFACTS="${ARTIFACTS}" ISTIOCTL="${ISTIOCTL}" ./tests/e2e/common-operator-integ-suite.sh --kind --multicluster else -ARTIFACTS="${ARTIFACTS}" ./tests/e2e/common-operator-integ-suite.sh --kind +ARTIFACTS="${ARTIFACTS}" IP_FAMILY="${IP_FAMILY}" ./tests/e2e/common-operator-integ-suite.sh --kind fi \ No newline at end of file From c6f30e2197c94c717818cbdcef02d66fe4393b3c Mon Sep 17 00:00:00 2001 From: Sridhar Gaddam Date: Tue, 1 Oct 2024 18:24:30 +0530 Subject: [PATCH 23/68] Fix broken url for sample gateway (#377) Signed-off-by: Sridhar Gaddam --- docs/common/create-and-configure-gateways.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/common/create-and-configure-gateways.md b/docs/common/create-and-configure-gateways.md index 00fdca0ee..29e35bd75 100644 --- a/docs/common/create-and-configure-gateways.md +++ b/docs/common/create-and-configure-gateways.md @@ -16,7 +16,7 @@ that can be made accessible from outside the cluster. For more information, see [Installing Gateways](https://preliminary.istio.io/latest/docs/setup/additional-setup/gateway/#deploying-a-gateway). To configure gateway injection with the `bookinfo` application, we have provided -a [sample gateway configuration](../chart/samples/ingress-gateway.yaml?raw=1) that should be applied in the namespace +a [sample gateway configuration](../../chart/samples/ingress-gateway.yaml?raw=1) that should be applied in the namespace where the application is installed: 1. Create the `istio-ingressgateway` deployment and service: From 93cd45543893d47f6262b77f2bc9fec80d7a9254 Mon Sep 17 00:00:00 2001 From: Jamie Longmuir Date: Tue, 1 Oct 2024 09:40:29 -0400 Subject: [PATCH 24/68] Update/Fix Istioctl links and docs (#349) * Update/Fix istioctl links in README.md Update/Fix istioctl links to use install-istioctl-tool.md, which provides instructions for installing istioctl independent of Istio. 
Signed-off-by: Jamie Longmuir * Update install-istioctl-tool.md to clarify steps and link to upstream doc Signed-off-by: Jamie Longmuir * remove namespace from get istio command Signed-off-by: Jamie Longmuir --------- Signed-off-by: Jamie Longmuir --- docs/README.md | 6 +++--- docs/common/install-istioctl-tool.md | 7 +++---- 2 files changed, 6 insertions(+), 7 deletions(-) diff --git a/docs/README.md b/docs/README.md index a950d7ac6..e2c1572fd 100644 --- a/docs/README.md +++ b/docs/README.md @@ -265,7 +265,7 @@ When the `InPlace` strategy is used, the existing Istio control plane is replace Prerequisites: * Sail Operator is installed. -* `istioctl` is [installed](common/istio-addons-integrations.md). +* `istioctl` is [installed](common/install-istioctl-tool.md). Steps: 1. Create the `istio-system` namespace. @@ -341,7 +341,7 @@ When the `RevisionBased` strategy is used, a new Istio control plane instance is Prerequisites: * Sail Operator is installed. -* `istioctl` is [installed](common/istio-addons-integrations.md). +* `istioctl` is [installed](common/install-istioctl-tool.md). Steps: @@ -479,7 +479,7 @@ You can use the Sail Operator and the Sail CRDs to manage a multi-cluster Istio ### Prerequisites -- Install [istioctl](https://istio.io/latest/docs/setup/install/istioctl) and have it included in your `$PATH`. +- Install [istioctl](common/install-istioctl-tool.md). - Two kubernetes clusters with external lb support. (If using kind, `cloud-provider-kind` is running in the background) - kubeconfig file with a context for each cluster. - Install the Sail Operator and the Sail CRDs to every cluster. diff --git a/docs/common/install-istioctl-tool.md b/docs/common/install-istioctl-tool.md index ec489105e..68fa0dcf3 100644 --- a/docs/common/install-istioctl-tool.md +++ b/docs/common/install-istioctl-tool.md 
@@ -8,8 +8,7 @@ operators to debug and diagnose Istio service mesh deployments. Use an `istioctl` version that is the same version as the Istio control plane for the Service Mesh deployment. See [Istio Releases](https://github.com/istio/istio/releases) for a list of valid -releases, including Beta releases. - +releases, including Beta releases. ### Procedure @@ -24,7 +23,7 @@ the following command at the terminal: at the terminal: ```sh - $ oc -n istio-system get istio + $ oc get istio ``` 3. Install `istioctl` by running the following command at the terminal: @@ -47,6 +46,6 @@ at the terminal: ```sh $ istioctl version ``` - +For more information on usage, see the [Istioctl documentation](https://istio.io/latest/docs/ops/diagnostic-tools/istioctl/). *Note*: `istioctl install` is not supported. The Sail Operator installs Istio. From c7164d4a99dd5483d9fbca30297d6f8e03de1002 Mon Sep 17 00:00:00 2001 From: Filip Brychta Date: Tue, 1 Oct 2024 19:52:28 +0200 Subject: [PATCH 25/68] Adding default value for IP_FAMILY (#378) This fixing ./tests/e2e/common-operator-integ-suite.sh: line 287: IP_FAMILY: unbound variable Signed-off-by: Filip Brychta --- tests/e2e/common-operator-integ-suite.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/tests/e2e/common-operator-integ-suite.sh b/tests/e2e/common-operator-integ-suite.sh index e54f57465..8ad6b80c5 100755 --- a/tests/e2e/common-operator-integ-suite.sh +++ b/tests/e2e/common-operator-integ-suite.sh @@ -120,6 +120,7 @@ initialize_variables() { ISTIOCTL="${ISTIOCTL:-"istioctl"}" LOCALBIN="${LOCALBIN:-${HOME}/bin}" OPERATOR_SDK=${LOCALBIN}/operator-sdk + IP_FAMILY=${IP_FAMILY:-ipv4} if [ "${OCP}" == "true" ]; then COMMAND="oc" From 9de503cf7fdad467fc9769f0b9cd828d3360e7b2 Mon Sep 17 00:00:00 2001 From: Sridhar Gaddam Date: Mon, 7 Oct 2024 13:50:22 +0530 Subject: [PATCH 26/68] Fix error handling in deployBookinfo (#384) 
Signed-off-by: Sridhar Gaddam --- tests/e2e/controlplane/control_plane_test.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/e2e/controlplane/control_plane_test.go b/tests/e2e/controlplane/control_plane_test.go index 8beb63065..d0135cb79 100644 --- a/tests/e2e/controlplane/control_plane_test.go +++ b/tests/e2e/controlplane/control_plane_test.go @@ -388,7 +388,7 @@ func getBookinfoURL(version supportedversion.VersionInfo) string { func deployBookinfo(version supportedversion.VersionInfo) error { bookinfoURL := getBookinfoURL(version) - k.SetNamespace(bookinfoNamespace).Apply(bookinfoURL) + err := k.SetNamespace(bookinfoNamespace).Apply(bookinfoURL) if err != nil { return fmt.Errorf("error deploying bookinfo: %w", err) } From e4ffa4708c57b5a2d0de36e31732ffc5b93ddc29 Mon Sep 17 00:00:00 2001 From: Sridhar Gaddam Date: Mon, 7 Oct 2024 22:06:42 +0530 Subject: [PATCH 27/68] Implement e2e dualStack data plane tests (#383) * Implement e2e dualStack data plane tests This PR validates the following use-cases It spawns a 1. dualStack service in dual-stack namespace which listens on both IPv4 and IPv6 addresses 2. ipv4 only service in ipv4 namespace which listens only on IPv4 address 3. ipv6 only service in ipv6 namespace which listens only on IPv6 address After spawning the above pods, it uses a sleep pod and tries to connect to all the three services to verify that connectivity is successful for all the services. To run the tests, use the following command. $ export IP_FAMILY=dual $ make test.e2e.kind Related to: https://github.com/istio-ecosystem/sail-operator/issues/372 Signed-off-by: Sridhar Gaddam * Rename getPodURL and couple of minor changes Signed-off-by: Sridhar Gaddam * Move checkPodsReady to e2e_utils file Signed-off-by: Sridhar Gaddam --------- 
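Review bot: `err := k.SetNamespace(bookinfoNamespace).Apply(bookinfoURL)` fixes the dropped result, but the original compiled only because an `err` from an outer scope, presumably a package-level variable like the one the dualstack suite declares elsewhere in this series, satisfied the `if err != nil` check; while that variable exists the same silent drop can recur anywhere in the package. Removing the package-level `err` would turn a forgotten assignment into a compile error. deployBookinfo's body continues outside the hunk.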
Signed-off-by: Sridhar Gaddam --- tests/e2e/dualstack/dualstack_suite_test.go | 2 + tests/e2e/dualstack/dualstack_test.go | 148 ++++++++++++++++++++ tests/e2e/util/common/e2e_utils.go | 21 +++ 3 files changed, 171 insertions(+) diff --git a/tests/e2e/dualstack/dualstack_suite_test.go b/tests/e2e/dualstack/dualstack_suite_test.go index 20661a840..f27e09ec6 100644 --- a/tests/e2e/dualstack/dualstack_suite_test.go +++ b/tests/e2e/dualstack/dualstack_suite_test.go @@ -35,6 +35,8 @@ var ( deploymentName = env.Get("DEPLOYMENT_NAME", "sail-operator") controlPlaneNamespace = env.Get("CONTROL_PLANE_NS", "istio-system") istioName = env.Get("ISTIO_NAME", "default") + istioCniNamespace = env.Get("ISTIOCNI_NAMESPACE", "istio-cni") + istioCniName = env.Get("ISTIOCNI_NAME", "default") image = env.Get("IMAGE", "quay.io/maistra-dev/sail-operator:latest") skipDeploy = env.GetBool("SKIP_DEPLOY", false) expectedRegistry = env.Get("EXPECTED_REGISTRY", "^docker\\.io|^gcr\\.io") diff --git a/tests/e2e/dualstack/dualstack_test.go b/tests/e2e/dualstack/dualstack_test.go index 3479a141b..6b14e2e1e 100644 --- a/tests/e2e/dualstack/dualstack_test.go +++ b/tests/e2e/dualstack/dualstack_test.go @@ -37,6 +37,13 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" ) +const ( + DualStackNamespace = "dual-stack" + IPv4Namespace = "ipv4" + IPv6Namespace = "ipv6" + SleepNamespace = "sleep" +) + var _ = Describe("DualStack configuration ", Ordered, func() { SetDefaultEventuallyTimeout(180 * time.Second) SetDefaultEventuallyPollingInterval(time.Second) 
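Review bot: The four namespace constants `DualStackNamespace`, `IPv4Namespace`, `IPv6Namespace` and `SleepNamespace` are exported even though they live in a `_test.go` file and are read only within package dualstack; unexported names would match `namespace`, `istioName` and the other package-level identifiers the suite file uses. A one-line comment above the block, `// Namespaces used by the data-plane connectivity specs.`, would also tell a reader why there are four of them.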
@@ -76,6 +83,34 @@ var _ = Describe("DualStack configuration ", Ordered, func() { Context("Istio version is: "+version.Version, func() { BeforeAll(func() { Expect(k.CreateNamespace(controlPlaneNamespace)).To(Succeed(), "Istio namespace failed to be created") + Expect(k.CreateNamespace(istioCniNamespace)).To(Succeed(), "IstioCNI namespace failed to be created") + }) + + When("the IstioCNI CR is created", func() { + BeforeAll(func() { + cniYAML := ` +apiVersion: sailoperator.io/v1alpha1 +kind: IstioCNI +metadata: + name: default +spec: + version: %s + namespace: %s` + cniYAML = fmt.Sprintf(cniYAML, version.Name, istioCniNamespace) + Log("IstioCNI YAML:", cniYAML) + Expect(k.CreateFromString(cniYAML)).To(Succeed(), "IstioCNI creation failed") + Success("IstioCNI created") + }) + + It("deploys the CNI DaemonSet", func(ctx SpecContext) { + Eventually(func(g Gomega) { + daemonset := &appsv1.DaemonSet{} + g.Expect(cl.Get(ctx, kube.Key("istio-cni-node", istioCniNamespace), daemonset)).To(Succeed(), "Error getting IstioCNI DaemonSet") + g.Expect(daemonset.Status.NumberAvailable). + To(Equal(daemonset.Status.CurrentNumberScheduled), "CNI DaemonSet Pods not Available; expected numberAvailable to be equal to currentNumberScheduled") + }).Should(Succeed(), "CNI DaemonSet Pods are not Available") + Success("CNI DaemonSet is deployed in the namespace and Running") + }) }) When("the Istio CR is created with DualStack configuration", func() { 
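Review bot: The readiness assertion in `deploys the CNI DaemonSet` compares `NumberAvailable` with `CurrentNumberScheduled`, which is also satisfied while both are still 0, i.e. before the DaemonSet controller has scheduled any pod, so the spec can pass before the CNI is actually running. Comparing against `DesiredNumberScheduled` and requiring it to be non-zero closes that window: `g.Expect(daemonset.Status.DesiredNumberScheduled).ToNot(BeZero(), "CNI DaemonSet has no desired pods yet")` followed by `g.Expect(daemonset.Status.NumberAvailable).To(Equal(daemonset.Status.DesiredNumberScheduled), "CNI DaemonSet Pods not Available")`. The surrounding `Context` block starts and ends outside the hunk.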
@@ -148,6 +183,74 @@ spec: }) }) + // We spawn the following pods to verify the data-path connectivity. + // 1. a dualStack service in dual-stack namespace which listens on both IPv4 and IPv6 addresses + // 2. an ipv4 only service in ipv4 namespace which listens only on IPv4 address + // 3. an ipv6 only service in ipv6 namespace which listens only on IPv6 address + // Using a sleep pod from the sleep namespace, we try to connect to all the three services to verify that connectivity is successful. + When("sample apps are deployed in the cluster", func() { + BeforeAll(func(ctx SpecContext) { + Expect(k.CreateNamespace(DualStackNamespace)).To(Succeed(), "Failed to create dual-stack namespace") + Expect(k.CreateNamespace(IPv4Namespace)).To(Succeed(), "Failed to create ipv4 namespace") + Expect(k.CreateNamespace(IPv6Namespace)).To(Succeed(), "Failed to create ipv6 namespace") + Expect(k.CreateNamespace(SleepNamespace)).To(Succeed(), "Failed to create sleep namespace") + + Expect(k.Patch("namespace", DualStackNamespace, "merge", `{"metadata":{"labels":{"istio-injection":"enabled"}}}`)). + To(Succeed(), "Error patching dual-stack namespace") + Expect(k.Patch("namespace", IPv4Namespace, "merge", `{"metadata":{"labels":{"istio-injection":"enabled"}}}`)). + To(Succeed(), "Error patching ipv4 namespace") + Expect(k.Patch("namespace", IPv6Namespace, "merge", `{"metadata":{"labels":{"istio-injection":"enabled"}}}`)). + To(Succeed(), "Error patching ipv6 namespace") + Expect(k.Patch("namespace", SleepNamespace, "merge", `{"metadata":{"labels":{"istio-injection":"enabled"}}}`)). 
+ To(Succeed(), "Error patching sleep namespace") + + Expect(k.SetNamespace(DualStackNamespace).Apply(getYAMLPodURL(version, DualStackNamespace))).To(Succeed(), "error deploying tcpDualStack pod") + Expect(k.SetNamespace(IPv4Namespace).Apply(getYAMLPodURL(version, IPv4Namespace))).To(Succeed(), "error deploying ipv4 pod") + Expect(k.SetNamespace(IPv6Namespace).Apply(getYAMLPodURL(version, IPv6Namespace))).To(Succeed(), "error deploying ipv6 pod") + Expect(k.SetNamespace(SleepNamespace).Apply(getYAMLPodURL(version, SleepNamespace))).To(Succeed(), "error deploying sleep pod") + + Success("dualStack validation pods deployed") + }) + + sleepPod := &corev1.PodList{} + It("updates the status of pods to Running", func(ctx SpecContext) { + _, err = common.CheckPodsReady(ctx, cl, DualStackNamespace) + Expect(err).ToNot(HaveOccurred(), fmt.Sprintf("Error checking status of dual-stack pods: %v", err)) + + _, err = common.CheckPodsReady(ctx, cl, IPv4Namespace) + Expect(err).ToNot(HaveOccurred(), fmt.Sprintf("Error checking status of ipv4 pods: %v", err)) + + _, err = common.CheckPodsReady(ctx, cl, IPv6Namespace) + Expect(err).ToNot(HaveOccurred(), fmt.Sprintf("Error checking status of ipv6 pods: %v", err)) + + sleepPod, err = common.CheckPodsReady(ctx, cl, SleepNamespace) + Expect(err).ToNot(HaveOccurred(), fmt.Sprintf("Error checking status of sleep pods: %v", err)) + + Success("Pods are ready") + }) + + It("can access the dual-stack service from the sleep pod", func(ctx SpecContext) { + checkPodConnectivity(sleepPod.Items[0].Name, SleepNamespace, DualStackNamespace) + }) + + It("can access the ipv4 only service from the sleep pod", func(ctx SpecContext) { + checkPodConnectivity(sleepPod.Items[0].Name, SleepNamespace, IPv4Namespace) + }) + + It("can access the ipv6 only service from the sleep pod", func(ctx SpecContext) { + checkPodConnectivity(sleepPod.Items[0].Name, SleepNamespace, IPv6Namespace) + }) + + AfterAll(func(ctx SpecContext) { + By("Deleting the pods") + 
Expect(k.DeleteNamespace(DualStackNamespace)).To(Succeed(), fmt.Sprintf("Failed to delete the %q namespace", DualStackNamespace)) + Expect(k.DeleteNamespace(IPv4Namespace)).To(Succeed(), fmt.Sprintf("Failed to delete the %q namespace", IPv4Namespace)) + Expect(k.DeleteNamespace(IPv6Namespace)).To(Succeed(), fmt.Sprintf("Failed to delete the %q namespace", IPv6Namespace)) + Expect(k.DeleteNamespace(SleepNamespace)).To(Succeed(), fmt.Sprintf("Failed to delete the %q namespace", SleepNamespace)) + Success("DualStack validation pods deleted") + }) + }) + When("the Istio CR is deleted", func() { BeforeEach(func() { Expect(k.SetNamespace(controlPlaneNamespace).Delete("istio", istioName)).To(Succeed(), "Istio CR failed to be deleted") @@ -161,6 +264,21 @@ spec: Success("Namespace is empty") }) }) + + When("the IstioCNI CR is deleted", func() { + BeforeEach(func() { + Expect(k.SetNamespace(istioCniNamespace).Delete("istiocni", istioCniName)).To(Succeed(), "IstioCNI CR failed to be deleted") + Success("IstioCNI deleted") + }) + + It("removes everything from the CNI namespace", func(ctx SpecContext) { + daemonset := &appsv1.DaemonSet{} + Eventually(cl.Get).WithArguments(ctx, kube.Key("istio-cni-node", istioCniNamespace), daemonset). + Should(ReturnNotFoundError(), "IstioCNI DaemonSet should not exist anymore") + common.CheckNamespaceEmpty(ctx, cl, istioCniNamespace) + Success("CNI namespace is empty") + }) + }) }) } 
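Review bot: In `updates the status of pods to Running`, `_, err = common.CheckPodsReady(...)` assigns to an `err` declared in an enclosing scope outside the hunk instead of a spec-local variable; using `_, err := common.CheckPodsReady(ctx, cl, DualStackNamespace)` for the first call keeps the error local to the spec, and the `fmt.Sprintf("...: %v", err)` descriptions can be dropped because Gomega already prints the error for `ToNot(HaveOccurred())`. The three connectivity specs index `sleepPod.Items[0]`, which is only safe because `CheckPodsReady` asserts a non-empty list and the container is `Ordered`; a comment stating that dependency would help, e.g. `// sleepPod is filled by the previous spec; Ordered guarantees it ran first.` The `When` block is fully inside the hunk, but the enclosing `Context`/`Describe` are not.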
@@ -211,3 +329,33 @@ func ImageFromRegistry(regexp string) types.GomegaMatcher { func getEnvVars(container corev1.Container) []corev1.EnvVar { return container.Env } + +func getYAMLPodURL(version supportedversion.VersionInfo, namespace string) string { + var url string + + switch namespace { + case DualStackNamespace: + url = "samples/tcp-echo/tcp-echo-dual-stack.yaml" + case IPv4Namespace: + url = "samples/tcp-echo/tcp-echo-ipv4.yaml" + case IPv6Namespace: + url = "samples/tcp-echo/tcp-echo-ipv6.yaml" + case SleepNamespace: + url = "samples/sleep/sleep.yaml" + default: + return "" + } + + if version.Name == "latest" { + return fmt.Sprintf("https://raw.githubusercontent.com/istio/istio/master/%s", url) + } + + return fmt.Sprintf("https://raw.githubusercontent.com/istio/istio/%s/%s", version.Version, url) +} + +func checkPodConnectivity(podName, namespace, echoStr string) { + command := fmt.Sprintf(`sh -c 'echo %s | nc tcp-echo.%s 9000'`, echoStr, echoStr) + response, err := k.SetNamespace(namespace).Exec(podName, "sleep", command) + Expect(err).NotTo(HaveOccurred(), fmt.Sprintf("error connecting to the %q pod", podName)) + Expect(response).To(ContainSubstring(fmt.Sprintf("hello %s", echoStr)), fmt.Sprintf("Unexpected response from %s pod", podName)) +} diff --git a/tests/e2e/util/common/e2e_utils.go b/tests/e2e/util/common/e2e_utils.go index 50cbc0c7f..877f40231 100644 --- a/tests/e2e/util/common/e2e_utils.go +++ b/tests/e2e/util/common/e2e_utils.go 
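Review bot: `getYAMLPodURL` resolves the `latest` version to manifests on the unpinned `master` branch of istio/istio, so the sample pods applied to the cluster can change between two runs of the same test without any change in this repository; pinning to the commit that `hack/update-istio.sh` records in the `.commit` field for `latest` would make the fetch reproducible, provided `VersionInfo` exposes that value. The `default` branch returns `""`, which callers pass straight to `Apply`; failing there is clearer, e.g. `default: Fail(fmt.Sprintf("no sample manifest for namespace %q", namespace))`. In `checkPodConnectivity` the `echoStr` argument is interpolated unquoted into a `sh -c` command; today it is always one of the namespace constants, and a comment such as `// echoStr must be one of the fixed namespace constants; it is spliced into a shell command.` keeps a future caller from passing anything else.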
@@ -23,12 +23,15 @@ import ( "strings" "time" + "github.com/istio-ecosystem/sail-operator/pkg/kube" env "github.com/istio-ecosystem/sail-operator/tests/e2e/util/env" + . "github.com/istio-ecosystem/sail-operator/tests/e2e/util/gomega" "github.com/istio-ecosystem/sail-operator/tests/e2e/util/kubectl" . "github.com/onsi/ginkgo/v2" . "github.com/onsi/gomega" appsv1 "k8s.io/api/apps/v1" corev1 "k8s.io/api/core/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "sigs.k8s.io/controller-runtime/pkg/client" "istio.io/istio/pkg/ptr" @@ -211,3 +214,21 @@ func GetVersionFromIstiod() (string, error) { } return "", fmt.Errorf("error getting version from istiod: version not found in output: %s", output) } + +func CheckPodsReady(ctx SpecContext, cl client.Client, namespace string) (*corev1.PodList, error) { + podList := &corev1.PodList{} + + err := cl.List(ctx, podList, client.InNamespace(namespace)) + if err != nil { + return nil, fmt.Errorf("failed to list pods in %s namespace: %w", namespace, err) + } + + Expect(podList.Items).ToNot(BeEmpty(), fmt.Sprintf("No pods found in %s namespace", namespace)) + + for _, pod := range podList.Items { + Eventually(GetObject).WithArguments(ctx, cl, kube.Key(pod.Name, namespace), &corev1.Pod{}). + Should(HaveCondition(corev1.PodReady, metav1.ConditionTrue), fmt.Sprintf("%q Pod in %q namespace is not Ready", pod.Name, namespace)) + } + + return podList, nil +} From baada7cdeb9c98c5c8416a2b87e2b6d5f9d5d1b7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marko=20Luk=C5=A1a?= Date: Tue, 8 Oct 2024 10:41:43 +0200 Subject: [PATCH 28/68] Clean up code (#392) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - add error handling where missing - remove unnecessary import aliases - remove unnecessary parentheses - fix comments - fix typos 
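Review bot: `CheckPodsReady` lists the namespace once and immediately asserts the result is non-empty, but its callers invoke it right after `Apply` of the sample manifests, whose pods are presumably created asynchronously by a controller, so the `BeEmpty` check can fail on a fast run before any pod exists. Wrapping the list and the non-empty check in `Eventually` makes the helper wait for pods to appear before waiting for them to become Ready. The same list-then-assert pattern without `Eventually` appears in the `@@ -240` hunk of control_plane_test.go and the `@@ -211`/`@@ -221` and `@@ -253`/`@@ -263` hunks of the two multicluster tests in the next commit. The helper also mixes returning an error for a failed `List` with `Expect` for the empty case; the version below uses Gomega for both, which matches the rest of the file.
```go
func CheckPodsReady(ctx SpecContext, cl client.Client, namespace string) (*corev1.PodList, error) {
	podList := &corev1.PodList{}

	// Pods of a freshly applied manifest may not exist yet, so keep listing
	// until at least one shows up instead of asserting on a single List.
	Eventually(func(g Gomega) {
		g.Expect(cl.List(ctx, podList, client.InNamespace(namespace))).To(Succeed())
		g.Expect(podList.Items).ToNot(BeEmpty())
	}).Should(Succeed(), fmt.Sprintf("No pods found in %s namespace", namespace))

	// … unchanged: per-pod Ready wait via Eventually(GetObject) and return …
```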
Signed-off-by: Marko Lukša --- controllers/istio/istio_controller_test.go | 2 +- pkg/kube/key.go | 2 +- pkg/reconciler/reconciler.go | 2 +- tests/e2e/controlplane/control_plane_suite_test.go | 2 +- tests/e2e/controlplane/control_plane_test.go | 4 ++-- tests/e2e/dualstack/dualstack_suite_test.go | 2 +- tests/e2e/dualstack/dualstack_test.go | 2 +- .../multicluster/multicluster_multiprimary_test.go | 14 +++++++------- .../multicluster_primaryremote_test.go | 12 ++++++------ tests/e2e/multicluster/multicluster_suite_test.go | 2 +- tests/e2e/operator/operator_install_test.go | 2 +- tests/e2e/operator/operator_suite_test.go | 2 +- tests/e2e/util/certs/certs.go | 2 +- tests/e2e/util/common/e2e_utils.go | 14 +++++++------- tests/e2e/util/istioctl/istioctl.go | 2 +- 15 files changed, 33 insertions(+), 33 deletions(-) diff --git a/controllers/istio/istio_controller_test.go b/controllers/istio/istio_controller_test.go index 1a5150a53..fe8e199fb 100644 --- a/controllers/istio/istio_controller_test.go +++ b/controllers/istio/istio_controller_test.go @@ -379,7 +379,7 @@ func TestDetermineStatus(t *testing.T) { name: "shows correct revision counts", wantErr: false, revisions: []v1alpha1.IstioRevision{ - // owned by the Istio under test; 3 todal, 2 ready, 1 in use + // owned by the Istio under test; 3 total, 2 ready, 1 in use revision(istioKey.Name, ownedByIstio, true, true, true), revision(istioKey.Name+"-old1", ownedByIstio, true, true, false), revision(istioKey.Name+"-old2", ownedByIstio, true, false, false), diff --git a/pkg/kube/key.go b/pkg/kube/key.go index 116359fd3..98e3f1946 100644 --- a/pkg/kube/key.go +++ b/pkg/kube/key.go 
@@ -16,7 +16,7 @@ package kube import "sigs.k8s.io/controller-runtime/pkg/client" -// key returns the client.ObjectKey for the given name and namespace. If no namespace is provided, it returns a key cluster scoped +// Key returns the client.ObjectKey for the given name and namespace. If no namespace is provided, it returns a key cluster scoped func Key(name string, namespace ...string) client.ObjectKey { if len(namespace) > 1 { panic("you can only provide one namespace") diff --git a/pkg/reconciler/reconciler.go b/pkg/reconciler/reconciler.go index 1502f5f0c..d61cf03e7 100644 --- a/pkg/reconciler/reconciler.go +++ b/pkg/reconciler/reconciler.go @@ -32,7 +32,7 @@ type ReconcileFunc[T client.Object] func(ctx context.Context, obj T) (ctrl.Resul // FinalizeFunc is a function that finalizes an object. It does not remove the finalizer. type FinalizeFunc[T client.Object] func(ctx context.Context, obj T) error -// StandardRecociler encapsulates common reconciler behavior, allowing you to +// StandardReconciler encapsulates common reconciler behavior, allowing you to // implement a reconciler simply by providing a ReconcileFunc and an optional // FinalizeFunc. These functions are invoked at the appropriate time and are // passed the object being reconciled. diff --git a/tests/e2e/controlplane/control_plane_suite_test.go b/tests/e2e/controlplane/control_plane_suite_test.go index 627edfc5d..b8e073099 100644 --- a/tests/e2e/controlplane/control_plane_suite_test.go +++ b/tests/e2e/controlplane/control_plane_suite_test.go @@ -20,7 +20,7 @@ import ( "testing" k8sclient "github.com/istio-ecosystem/sail-operator/tests/e2e/util/client" - env "github.com/istio-ecosystem/sail-operator/tests/e2e/util/env" + "github.com/istio-ecosystem/sail-operator/tests/e2e/util/env" "github.com/istio-ecosystem/sail-operator/tests/e2e/util/kubectl" . "github.com/onsi/ginkgo/v2" . "github.com/onsi/gomega" 
diff --git a/tests/e2e/controlplane/control_plane_test.go b/tests/e2e/controlplane/control_plane_test.go index d0135cb79..96810be46 100644 --- a/tests/e2e/controlplane/control_plane_test.go +++ b/tests/e2e/controlplane/control_plane_test.go @@ -27,7 +27,7 @@ import ( "github.com/istio-ecosystem/sail-operator/pkg/test/project" . "github.com/istio-ecosystem/sail-operator/pkg/test/util/ginkgo" "github.com/istio-ecosystem/sail-operator/pkg/test/util/supportedversion" - common "github.com/istio-ecosystem/sail-operator/tests/e2e/util/common" + "github.com/istio-ecosystem/sail-operator/tests/e2e/util/common" . "github.com/istio-ecosystem/sail-operator/tests/e2e/util/gomega" "github.com/istio-ecosystem/sail-operator/tests/e2e/util/helm" . "github.com/onsi/ginkgo/v2" @@ -240,7 +240,7 @@ spec: bookinfoPods := &corev1.PodList{} It("updates the pods status to Running", func(ctx SpecContext) { - cl.List(ctx, bookinfoPods, client.InNamespace(bookinfoNamespace)) + Expect(cl.List(ctx, bookinfoPods, client.InNamespace(bookinfoNamespace))).To(Succeed()) Expect(bookinfoPods.Items).ToNot(BeEmpty(), "No pods found in bookinfo namespace") for _, pod := range bookinfoPods.Items { diff --git a/tests/e2e/dualstack/dualstack_suite_test.go b/tests/e2e/dualstack/dualstack_suite_test.go index f27e09ec6..d2fc4211f 100644 --- a/tests/e2e/dualstack/dualstack_suite_test.go +++ b/tests/e2e/dualstack/dualstack_suite_test.go @@ -20,7 +20,7 @@ import ( "testing" k8sclient "github.com/istio-ecosystem/sail-operator/tests/e2e/util/client" - env "github.com/istio-ecosystem/sail-operator/tests/e2e/util/env" + "github.com/istio-ecosystem/sail-operator/tests/e2e/util/env" "github.com/istio-ecosystem/sail-operator/tests/e2e/util/kubectl" . "github.com/onsi/ginkgo/v2" . "github.com/onsi/gomega" diff --git a/tests/e2e/dualstack/dualstack_test.go b/tests/e2e/dualstack/dualstack_test.go index 6b14e2e1e..9b58989e3 100644 --- a/tests/e2e/dualstack/dualstack_test.go +++ b/tests/e2e/dualstack/dualstack_test.go 
@@ -26,7 +26,7 @@ import ( "github.com/istio-ecosystem/sail-operator/pkg/test/project" . "github.com/istio-ecosystem/sail-operator/pkg/test/util/ginkgo" "github.com/istio-ecosystem/sail-operator/pkg/test/util/supportedversion" - common "github.com/istio-ecosystem/sail-operator/tests/e2e/util/common" + "github.com/istio-ecosystem/sail-operator/tests/e2e/util/common" . "github.com/istio-ecosystem/sail-operator/tests/e2e/util/gomega" "github.com/istio-ecosystem/sail-operator/tests/e2e/util/helm" . "github.com/onsi/ginkgo/v2" diff --git a/tests/e2e/multicluster/multicluster_multiprimary_test.go b/tests/e2e/multicluster/multicluster_multiprimary_test.go index 687e763f7..5601a418d 100644 --- a/tests/e2e/multicluster/multicluster_multiprimary_test.go +++ b/tests/e2e/multicluster/multicluster_multiprimary_test.go @@ -29,7 +29,7 @@ import ( . "github.com/istio-ecosystem/sail-operator/pkg/test/util/ginkgo" "github.com/istio-ecosystem/sail-operator/pkg/test/util/supportedversion" "github.com/istio-ecosystem/sail-operator/tests/e2e/util/certs" - common "github.com/istio-ecosystem/sail-operator/tests/e2e/util/common" + "github.com/istio-ecosystem/sail-operator/tests/e2e/util/common" . "github.com/istio-ecosystem/sail-operator/tests/e2e/util/gomega" "github.com/istio-ecosystem/sail-operator/tests/e2e/util/helm" "github.com/istio-ecosystem/sail-operator/tests/e2e/util/istioctl" 
@@ -80,8 +80,8 @@ var _ = Describe("Multicluster deployment models", Ordered, func() { Expect(kubectlClient2.CreateNamespace(controlPlaneNamespace)).To(Succeed(), "Namespace failed to be created") // Push the intermediate CA to both clusters - certs.PushIntermediateCA(controlPlaneNamespace, kubeconfig, "east", "network1", artifacts, clPrimary) - certs.PushIntermediateCA(controlPlaneNamespace, kubeconfig2, "west", "network2", artifacts, clRemote) + Expect(certs.PushIntermediateCA(controlPlaneNamespace, kubeconfig, "east", "network1", artifacts, clPrimary)).To(Succeed()) + Expect(certs.PushIntermediateCA(controlPlaneNamespace, kubeconfig2, "west", "network2", artifacts, clRemote)).To(Succeed()) // Wait for the secret to be created in both clusters Eventually(func() error { @@ -156,11 +156,11 @@ spec: }) It("updates both Gateway status to Available", func(ctx SpecContext) { - Eventually((common.GetObject)). + Eventually(common.GetObject). WithArguments(ctx, clPrimary, kube.Key("istio-eastwestgateway", controlPlaneNamespace), &appsv1.Deployment{}). Should(HaveCondition(appsv1.DeploymentAvailable, metav1.ConditionTrue), "Gateway is not Ready on Cluster #1; unexpected Condition") - Eventually((common.GetObject)). + Eventually(common.GetObject). WithArguments(ctx, clRemote, kube.Key("istio-eastwestgateway", controlPlaneNamespace), &appsv1.Deployment{}). Should(HaveCondition(appsv1.DeploymentAvailable, metav1.ConditionTrue), "Gateway is not Ready on Cluster #2; unexpected Condition") Success("Gateway is created and available in both clusters") @@ -211,7 +211,7 @@ spec: It("updates the pods status to Ready", func(ctx SpecContext) { samplePodsCluster1 := &corev1.PodList{} - clPrimary.List(ctx, samplePodsCluster1, client.InNamespace("sample")) + Expect(clPrimary.List(ctx, samplePodsCluster1, client.InNamespace("sample"))).To(Succeed()) Expect(samplePodsCluster1.Items).ToNot(BeEmpty(), "No pods found in bookinfo namespace") for _, pod := range samplePodsCluster1.Items { 
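Review bot: The two new `Expect(certs.PushIntermediateCA(...)).To(Succeed())` lines in the `@@ -80` hunk carry no failure description, unlike the neighbouring `CreateNamespace` expectations that say which step failed. Adding one per cluster, e.g. `.To(Succeed(), "failed to push intermediate CA to the east cluster")`, keeps the failure output self-explanatory when only the error text is shown. The enclosing `BeforeAll` continues beyond the hunk.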
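Review bot: The description on the line after the new `Expect(clPrimary.List(...))` in the `@@ -211` hunk reads `"No pods found in bookinfo namespace"` although the list is scoped to `client.InNamespace("sample")`, so a failure would point the reader at the wrong namespace; the same copy-paste appears in the `@@ -221` hunk of this file and in the `@@ -253`/`@@ -263` hunks of multicluster_primaryremote_test.go. Changing it to `Expect(samplePodsCluster1.Items).ToNot(BeEmpty(), "No pods found in sample namespace")`, and the equivalent for the other three lists, fixes the message. The enclosing `It` block continues beyond the hunk.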
@@ -221,7 +221,7 @@ spec: } samplePodsCluster2 := &corev1.PodList{} - clRemote.List(ctx, samplePodsCluster2, client.InNamespace("sample")) + Expect(clRemote.List(ctx, samplePodsCluster2, client.InNamespace("sample"))).To(Succeed()) Expect(samplePodsCluster2.Items).ToNot(BeEmpty(), "No pods found in bookinfo namespace") for _, pod := range samplePodsCluster2.Items { diff --git a/tests/e2e/multicluster/multicluster_primaryremote_test.go b/tests/e2e/multicluster/multicluster_primaryremote_test.go index d7a200c66..5c8345c9c 100644 --- a/tests/e2e/multicluster/multicluster_primaryremote_test.go +++ b/tests/e2e/multicluster/multicluster_primaryremote_test.go @@ -28,8 +28,8 @@ import ( "github.com/istio-ecosystem/sail-operator/pkg/test/project" . "github.com/istio-ecosystem/sail-operator/pkg/test/util/ginkgo" "github.com/istio-ecosystem/sail-operator/pkg/test/util/supportedversion" - certs "github.com/istio-ecosystem/sail-operator/tests/e2e/util/certs" - common "github.com/istio-ecosystem/sail-operator/tests/e2e/util/common" + "github.com/istio-ecosystem/sail-operator/tests/e2e/util/certs" + "github.com/istio-ecosystem/sail-operator/tests/e2e/util/common" . "github.com/istio-ecosystem/sail-operator/tests/e2e/util/gomega" "github.com/istio-ecosystem/sail-operator/tests/e2e/util/helm" "github.com/istio-ecosystem/sail-operator/tests/e2e/util/istioctl" @@ -150,7 +150,7 @@ spec: }) It("updates Gateway status to Available", func(ctx SpecContext) { - Eventually((common.GetObject)). + Eventually(common.GetObject). WithArguments(ctx, clPrimary, kube.Key("istio-eastwestgateway", controlPlaneNamespace), &appsv1.Deployment{}). Should(HaveCondition(appsv1.DeploymentAvailable, metav1.ConditionTrue), "Gateway is not Ready on Primary; unexpected Condition") }) 
@@ -236,7 +236,7 @@ spec: }) It("updates Gateway status to Available", func(ctx SpecContext) { - Eventually((common.GetObject)). + Eventually(common.GetObject). WithArguments(ctx, clRemote, kube.Key("istio-eastwestgateway", controlPlaneNamespace), &appsv1.Deployment{}). Should(HaveCondition(appsv1.DeploymentAvailable, metav1.ConditionTrue), "Gateway is not Ready on Remote; unexpected Condition") Success("Gateway is created and available in Remote cluster") @@ -253,7 +253,7 @@ spec: It("updates the pods status to Ready", func(ctx SpecContext) { samplePodsPrimary := &corev1.PodList{} - clPrimary.List(ctx, samplePodsPrimary, client.InNamespace("sample")) + Expect(clPrimary.List(ctx, samplePodsPrimary, client.InNamespace("sample"))).To(Succeed()) Expect(samplePodsPrimary.Items).ToNot(BeEmpty(), "No pods found in bookinfo namespace") for _, pod := range samplePodsPrimary.Items { @@ -263,7 +263,7 @@ spec: } samplePodsRemote := &corev1.PodList{} - clRemote.List(ctx, samplePodsRemote, client.InNamespace("sample")) + Expect(clRemote.List(ctx, samplePodsRemote, client.InNamespace("sample"))).To(Succeed()) Expect(samplePodsRemote.Items).ToNot(BeEmpty(), "No pods found in bookinfo namespace") for _, pod := range samplePodsRemote.Items { diff --git a/tests/e2e/multicluster/multicluster_suite_test.go b/tests/e2e/multicluster/multicluster_suite_test.go index 77515b124..a31105df8 100644 --- a/tests/e2e/multicluster/multicluster_suite_test.go +++ b/tests/e2e/multicluster/multicluster_suite_test.go @@ -24,7 +24,7 @@ import ( "github.com/istio-ecosystem/sail-operator/tests/e2e/util/certs" k8sclient "github.com/istio-ecosystem/sail-operator/tests/e2e/util/client" - env "github.com/istio-ecosystem/sail-operator/tests/e2e/util/env" + "github.com/istio-ecosystem/sail-operator/tests/e2e/util/env" "github.com/istio-ecosystem/sail-operator/tests/e2e/util/kubectl" . "github.com/onsi/ginkgo/v2" . "github.com/onsi/gomega" 
diff --git a/tests/e2e/operator/operator_install_test.go b/tests/e2e/operator/operator_install_test.go index cbd051feb..28b760ad9 100644 --- a/tests/e2e/operator/operator_install_test.go +++ b/tests/e2e/operator/operator_install_test.go @@ -23,7 +23,7 @@ import ( "github.com/istio-ecosystem/sail-operator/pkg/kube" "github.com/istio-ecosystem/sail-operator/pkg/test/project" . "github.com/istio-ecosystem/sail-operator/pkg/test/util/ginkgo" - common "github.com/istio-ecosystem/sail-operator/tests/e2e/util/common" + "github.com/istio-ecosystem/sail-operator/tests/e2e/util/common" . "github.com/istio-ecosystem/sail-operator/tests/e2e/util/gomega" "github.com/istio-ecosystem/sail-operator/tests/e2e/util/helm" . "github.com/onsi/ginkgo/v2" diff --git a/tests/e2e/operator/operator_suite_test.go b/tests/e2e/operator/operator_suite_test.go index f0bd1261f..560855caa 100644 --- a/tests/e2e/operator/operator_suite_test.go +++ b/tests/e2e/operator/operator_suite_test.go @@ -20,7 +20,7 @@ import ( "testing" k8sclient "github.com/istio-ecosystem/sail-operator/tests/e2e/util/client" - env "github.com/istio-ecosystem/sail-operator/tests/e2e/util/env" + "github.com/istio-ecosystem/sail-operator/tests/e2e/util/env" "github.com/istio-ecosystem/sail-operator/tests/e2e/util/kubectl" . "github.com/onsi/ginkgo/v2" . "github.com/onsi/gomega" diff --git a/tests/e2e/util/certs/certs.go b/tests/e2e/util/certs/certs.go index daddf56d9..c2fd599c6 100644 --- a/tests/e2e/util/certs/certs.go +++ b/tests/e2e/util/certs/certs.go @@ -23,7 +23,7 @@ import ( "path/filepath" "github.com/istio-ecosystem/sail-operator/pkg/kube" - common "github.com/istio-ecosystem/sail-operator/tests/e2e/util/common" + "github.com/istio-ecosystem/sail-operator/tests/e2e/util/common" "github.com/istio-ecosystem/sail-operator/tests/e2e/util/kubectl" "github.com/istio-ecosystem/sail-operator/tests/e2e/util/shell" corev1 "k8s.io/api/core/v1" 
diff --git a/tests/e2e/util/common/e2e_utils.go b/tests/e2e/util/common/e2e_utils.go index 877f40231..a0e4fdc8f 100644 --- a/tests/e2e/util/common/e2e_utils.go +++ b/tests/e2e/util/common/e2e_utils.go @@ -24,7 +24,7 @@ import ( "time" "github.com/istio-ecosystem/sail-operator/pkg/kube" - env "github.com/istio-ecosystem/sail-operator/tests/e2e/util/env" + "github.com/istio-ecosystem/sail-operator/tests/e2e/util/env" . "github.com/istio-ecosystem/sail-operator/tests/e2e/util/gomega" "github.com/istio-ecosystem/sail-operator/tests/e2e/util/kubectl" . "github.com/onsi/ginkgo/v2" @@ -54,13 +54,13 @@ var ( k = kubectl.NewKubectlBuilder() ) -// getObject returns the object with the given key +// GetObject returns the object with the given key func GetObject(ctx context.Context, cl client.Client, key client.ObjectKey, obj client.Object) (client.Object, error) { err := cl.Get(ctx, key, obj) return obj, err } -// getList invokes client.List and returns the list +// GetList invokes client.List and returns the list func GetList(ctx context.Context, cl client.Client, list client.ObjectList, opts ...client.ListOption) (client.ObjectList, error) { err := cl.List(ctx, list, opts...) return list, err @@ -79,7 +79,7 @@ func GetPodNameByLabel(ctx context.Context, cl client.Client, ns, labelKey, labe return podList.Items[0].Name, nil } -// GetSVCAddress returns the address of the service with the given name +// GetSVCLoadBalancerAddress returns the address of the service with the given name func GetSVCLoadBalancerAddress(ctx context.Context, cl client.Client, ns, svcName string) (string, error) { svc := &corev1.Service{} err := cl.Get(ctx, client.ObjectKey{Namespace: ns, Name: svcName}, svc) 
@@ -96,7 +96,7 @@ func GetSVCLoadBalancerAddress(ctx context.Context, cl client.Client, ns, svcNam return svc.Status.LoadBalancer.Ingress[0].IP, nil } -// checkNamespaceEmpty checks if the given namespace is empty +// CheckNamespaceEmpty checks if the given namespace is empty func CheckNamespaceEmpty(ctx SpecContext, cl client.Client, ns string) { // TODO: Check to add more validations Eventually(func() ([]corev1.Pod, error) { @@ -150,7 +150,7 @@ func logOperatorDebugInfo() { events, err := k.SetNamespace(namespace).GetEvents() logDebugElement("Events in "+namespace, events, err) - // Temporaty information to gather more details about failure + // Temporary information to gather more details about failure pods, err := k.SetNamespace(namespace).GetPods("", "-o wide") logDebugElement("Pods in "+namespace, pods, err) @@ -183,7 +183,7 @@ func logCNIDebugInfo() { events, err := k.SetNamespace(istioCniNamespace).GetEvents() logDebugElement("Events in "+istioCniNamespace, events, err) - // Temporaty information to gather more details about failure + // Temporary information to gather more details about failure pods, err := k.SetNamespace(istioCniNamespace).GetPods("", "-o wide") logDebugElement("Pods in "+istioCniNamespace, pods, err) diff --git a/tests/e2e/util/istioctl/istioctl.go b/tests/e2e/util/istioctl/istioctl.go index e055f5828..7186ed6b1 100644 --- a/tests/e2e/util/istioctl/istioctl.go +++ b/tests/e2e/util/istioctl/istioctl.go @@ -19,7 +19,7 @@ package istioctl import ( "fmt" - env "github.com/istio-ecosystem/sail-operator/tests/e2e/util/env" + "github.com/istio-ecosystem/sail-operator/tests/e2e/util/env" "github.com/istio-ecosystem/sail-operator/tests/e2e/util/shell" ) From a7f09801f456291db858d1d2df1008c249c885b7 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Marko=20Luk=C5=A1a?= Date: Tue, 8 Oct 2024 12:15:44 +0200 Subject: [PATCH 29/68] Simplify supportedversion.go and add unit tests (#391) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Simplify supportedversion.go and add unit tests These tests will not just ensure that the functions in supportedversion.go are okay, but also that the versions.yaml file is valid and is parsed successfully. Signed-off-by: Marko Lukša * Make GetVersionFromIstiod return a semver.Version Signed-off-by: Marko Lukša * Make getProxyVersion() return semver.Version Signed-off-by: Marko Lukša * Include commit hash in latest version in versions.yaml Without the commit hash, the version number doesn't specify a single version, but a set of versions. For example, "1.24-alpha" is not just one single version, whereas "1.24-alpha." is. Signed-off-by: Marko Lukša --------- Signed-off-by: Marko Lukša --- go.mod | 4 +- hack/update-istio.sh | 21 +++-- .../util/supportedversion/supportedversion.go | 63 ++++++--------- .../supportedversion/supportedversion_test.go | 78 +++++++++++++++++++ tests/e2e/controlplane/control_plane_test.go | 18 +++-- tests/e2e/dualstack/dualstack_test.go | 5 +- .../multicluster_multiprimary_test.go | 4 +- .../multicluster_primaryremote_test.go | 5 +- tests/e2e/util/common/e2e_utils.go | 13 ++-- versions.yaml | 2 +- 10 files changed, 142 insertions(+), 71 deletions(-) create mode 100644 pkg/test/util/supportedversion/supportedversion_test.go diff --git a/go.mod b/go.mod index 93d5c2519..907f2213c 100644 --- a/go.mod +++ b/go.mod @@ -7,6 +7,7 @@ go 1.22.0 replace github.com/imdario/mergo => github.com/imdario/mergo v0.3.5 require ( + github.com/Masterminds/semver/v3 v3.2.1 github.com/elastic/crd-ref-docs v0.1.0 github.com/go-logr/logr v1.4.2 github.com/google/go-cmp v0.6.0 
@@ -15,6 +16,7 @@ require ( github.com/onsi/ginkgo/v2 v2.17.3 github.com/onsi/gomega v1.33.1 github.com/prometheus/common v0.55.0 + github.com/stretchr/testify v1.9.0 golang.org/x/mod v0.19.0 golang.org/x/text v0.16.0 golang.org/x/tools v0.23.0 @@ -38,7 +40,6 @@ require ( github.com/MakeNowJust/heredoc v1.0.0 // indirect github.com/Masterminds/goutils v1.1.1 // indirect github.com/Masterminds/semver v1.5.0 // indirect - github.com/Masterminds/semver/v3 v3.2.1 // indirect github.com/Masterminds/sprig v2.22.0+incompatible // indirect github.com/Masterminds/sprig/v3 v3.2.3 // indirect github.com/Masterminds/squirrel v1.5.4 // indirect @@ -121,6 +122,7 @@ require ( github.com/opencontainers/image-spec v1.1.0-rc6 // indirect github.com/peterbourgon/diskv v2.0.1+incompatible // indirect github.com/pkg/errors v0.9.1 // indirect + github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect github.com/prometheus/client_golang v1.19.1 // indirect github.com/prometheus/client_model v0.6.1 // indirect github.com/prometheus/procfs v0.15.1 // indirect diff --git a/hack/update-istio.sh b/hack/update-istio.sh index 80f76cf1c..8a1dae33a 100755 --- a/hack/update-istio.sh +++ b/hack/update-istio.sh 
@@ -110,22 +110,19 @@ function update_latest() { done echo - FULL_VERSION=$(curl -sSfL "${URL}") - echo Full version: "${FULL_VERSION}" - - PARTIAL_VERSION="${FULL_VERSION%.*}" - echo Partial version: "${PARTIAL_VERSION}" + VERSION=$(curl -sSfL "${URL}") + echo Version: "${VERSION}" yq -i ' - (.versions[] | select(.name == "latest") | .version) = "'"${PARTIAL_VERSION}"'" | + (.versions[] | select(.name == "latest") | .version) = "'"${VERSION}"'" | (.versions[] | select(.name == "latest") | .commit) = "'"${COMMIT}"'" | (.versions[] | select(.name == "latest") | .charts) = [ - "https://storage.googleapis.com/istio-build/dev/'"${FULL_VERSION}"'/helm/base-'"${FULL_VERSION}"'.tgz", - "https://storage.googleapis.com/istio-build/dev/'"${FULL_VERSION}"'/helm/cni-'"${FULL_VERSION}"'.tgz", - "https://storage.googleapis.com/istio-build/dev/'"${FULL_VERSION}"'/helm/gateway-'"${FULL_VERSION}"'.tgz", - "https://storage.googleapis.com/istio-build/dev/'"${FULL_VERSION}"'/helm/istiod-'"${FULL_VERSION}"'.tgz", - "https://storage.googleapis.com/istio-build/dev/'"${FULL_VERSION}"'/helm/istiod-remote-'"${FULL_VERSION}"'.tgz", - "https://storage.googleapis.com/istio-build/dev/'"${FULL_VERSION}"'/helm/ztunnel-'"${FULL_VERSION}"'.tgz" + "https://storage.googleapis.com/istio-build/dev/'"${VERSION}"'/helm/base-'"${VERSION}"'.tgz", + "https://storage.googleapis.com/istio-build/dev/'"${VERSION}"'/helm/cni-'"${VERSION}"'.tgz", + "https://storage.googleapis.com/istio-build/dev/'"${VERSION}"'/helm/gateway-'"${VERSION}"'.tgz", + "https://storage.googleapis.com/istio-build/dev/'"${VERSION}"'/helm/istiod-'"${VERSION}"'.tgz", + "https://storage.googleapis.com/istio-build/dev/'"${VERSION}"'/helm/istiod-remote-'"${VERSION}"'.tgz", + "https://storage.googleapis.com/istio-build/dev/'"${VERSION}"'/helm/ztunnel-'"${VERSION}"'.tgz" ]' "${VERSIONS_YAML_FILE}" } 
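Review bot: `VERSION=$(curl -sSfL "${URL}")` splices whatever the endpoint returned straight into the yq expression and the six chart URLs without checking that it looks like a version, so an empty body or a response containing a double quote would silently write a malformed `version`/`charts` entry into versions.yaml. A shape check right after the fetch keeps the failure local, e.g. `[[ "${VERSION}" =~ ^[0-9]+\.[0-9]+(\.[0-9]+)?(-[A-Za-z0-9.]+)?$ ]] || { echo "unexpected version string: ${VERSION}" >&2; exit 1; }`. The removed `PARTIAL_VERSION` path had the same gap, so this is pre-existing rather than introduced here. update_latest() begins before this hunk.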
diff --git a/pkg/test/util/supportedversion/supportedversion.go b/pkg/test/util/supportedversion/supportedversion.go index 58778d956..86a89013e 100644 --- a/pkg/test/util/supportedversion/supportedversion.go +++ b/pkg/test/util/supportedversion/supportedversion.go @@ -17,15 +17,15 @@ package supportedversion import ( "os" "path/filepath" - "regexp" - "strconv" + "github.com/Masterminds/semver/v3" "github.com/istio-ecosystem/sail-operator/pkg/test/project" "gopkg.in/yaml.v3" ) var ( List []VersionInfo + Map map[string]VersionInfo Default string Old string New string 
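Review bot: The new exported package variable `Map` (and the existing `List`, `Default`, `Old`, `New` in the same block) has no doc comment, so nothing states what its key is or that it is derived from `List`. A one-liner such as `// Map indexes List by VersionInfo.Name.` above `Map` is enough; the var block continues past this hunk.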
@@ -43,40 +43,28 @@ func init() { panic(err) } - versions := Versions{} - err = yaml.Unmarshal(versionsBytes, &versions) - if err != nil { - panic(err) - } - - // Major, Minor and Patch needs to be set from parsing the version string - for i := range versions.Versions { - v := &versions.Versions[i] - v.Major, v.Minor, v.Patch = parseVersion(v.Version) - } + List, Default, Old, New = mustParseVersionsYaml(versionsBytes) - List = versions.Versions - Default = List[0].Name - if len(List) > 1 { - Old = List[1].Name + Map = make(map[string]VersionInfo) + for _, v := range List { + Map[v.Name] = v } - New = List[0].Name } -func parseVersion(version string) (int, int, int) { - // The version can have this formats: "1.22.2", "1.23.0-rc.1", "1.24-alpha" - re := regexp.MustCompile(`^(\d+)\.(\d+)\.?(\d*)`) - - matches := re.FindStringSubmatch(version) - if len(matches) < 4 { - return 0, 0, 0 +func mustParseVersionsYaml(yamlBytes []byte) (list []VersionInfo, defaultVersion string, oldVersion string, newVersion string) { + versions := Versions{} + err := yaml.Unmarshal(yamlBytes, &versions) + if err != nil { + panic(err) } - major, _ := strconv.Atoi(matches[1]) - minor, _ := strconv.Atoi(matches[2]) - patch, _ := strconv.Atoi(matches[3]) - - return major, minor, patch + list = versions.Versions + defaultVersion = list[0].Name + if len(list) > 1 { + oldVersion = list[1].Name + } + newVersion = list[0].Name + return list, defaultVersion, oldVersion, newVersion } type Versions struct { 
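Review bot: `defaultVersion = list[0].Name` in mustParseVersionsYaml panics with a bare index-out-of-range when the YAML has a `versions:` key with no entries, which reads nothing like a configuration error; a guard such as `if len(list) == 0 { panic("versions.yaml does not define any versions") }` right after Unmarshal gives init() a readable failure. The loader also does not require `version` to be present, so an entry without it leaves `Version` nil and the `version.Version.LessThan(...)`/`.String()` calls in the e2e tests later in this patch would nil-dereference; the same guard loop could check `v.Version == nil`. The `Map` built in init() silently keeps the last entry when two entries share a `name`, which is worth at least a comment. init() begins before this hunk.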
@@ -84,13 +72,10 @@ type Versions struct { } type VersionInfo struct { - Name string `json:"name"` - Version string `json:"version"` - Major int `json:"major"` - Minor int `json:"minor"` - Patch int `json:"patch"` - Repo string `json:"repo"` - Branch string `json:"branch,omitempty"` - Commit string `json:"commit"` - Charts []string `json:"charts,omitempty"` + Name string `json:"name"` + Version *semver.Version `json:"version"` + Repo string `json:"repo"` + Branch string `json:"branch,omitempty"` + Commit string `json:"commit"` + Charts []string `json:"charts,omitempty"` } diff --git a/pkg/test/util/supportedversion/supportedversion_test.go b/pkg/test/util/supportedversion/supportedversion_test.go new file mode 100644 index 000000000..a850ebbae --- /dev/null +++ b/pkg/test/util/supportedversion/supportedversion_test.go 
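Review bot: The struct is decoded with yaml.v3 (the Unmarshal call in mustParseVersionsYaml) but carries only `json:` tags, which yaml.v3 does not read; decoding works because yaml.v3's default mapping lowercases field names, so `omitempty` on Branch and Charts has no effect and a future field whose name differs from its YAML key would silently stay zero. Either switch the tags to `yaml:"..."` or add a comment on the struct noting that the json tags are informational and the YAML keys must equal the lowercased field names. If the json tags serve another encoder not visible here, the comment is still worth adding.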
@@ -0,0 +1,78 @@ +// Copyright Istio Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package supportedversion + +import ( + "testing" + + "github.com/stretchr/testify/assert" +) + +func TestInit(t *testing.T) { + // no need to call init(), since it's called automatically + assert.True(t, len(List) > 0, "List should not be empty") + assert.True(t, len(Map) > 0, "M should not be empty") + assert.True(t, Default != "", "Default should not be empty") + assert.True(t, Old != "", "Default should not be empty") + assert.True(t, New != "", "Default should not be empty") + + assert.Equal(t, len(List), len(Map), "Map should be same size as List") + for _, vi := range List { + assert.Equal(t, vi, Map[vi.Name]) + } +} + +func TestParseVersionsYaml_ValidYaml(t *testing.T) { + yamlBytes := []byte(` +versions: + - name: "1.0.0" + repo: "repo1" + commit: "commit1" + - name: "2.0.0" + repo: "repo2" + commit: "commit2" +`) + + list, defaultVersion, oldVersion, newVersion := mustParseVersionsYaml(yamlBytes) + + assert.Len(t, list, 2) + assert.Equal(t, "1.0.0", defaultVersion) + assert.Equal(t, "2.0.0", oldVersion) + assert.Equal(t, "1.0.0", newVersion) +} + +func TestParseVersionsYaml_SingleVersion(t *testing.T) { + yamlBytes := []byte(` +versions: + - name: "1.0.0" + repo: "repo1" + commit: "commit1" +`) + + list, defaultVersion, oldVersion, newVersion := mustParseVersionsYaml(yamlBytes) + + assert.Len(t, list, 1) + assert.Equal(t, "1.0.0", defaultVersion) + 
assert.Equal(t, "", oldVersion) + assert.Equal(t, "1.0.0", newVersion) +} + +func TestParseVersionsYaml_InvalidYaml(t *testing.T) { + yamlBytes := []byte(`invalid yaml`) + + assert.Panics(t, func() { + mustParseVersionsYaml(yamlBytes) + }) +} diff --git a/tests/e2e/controlplane/control_plane_test.go b/tests/e2e/controlplane/control_plane_test.go index 96810be46..c6db61e89 100644 --- a/tests/e2e/controlplane/control_plane_test.go +++ b/tests/e2e/controlplane/control_plane_test.go @@ -22,6 +22,7 @@ import ( "strings" "time" + "github.com/Masterminds/semver/v3" "github.com/istio-ecosystem/sail-operator/api/v1alpha1" "github.com/istio-ecosystem/sail-operator/pkg/kube" "github.com/istio-ecosystem/sail-operator/pkg/test/project" @@ -253,8 +254,8 @@ spec: It("has sidecars with the correct istio version", func(ctx SpecContext) { for _, pod := range bookinfoPods.Items { sidecarVersion, err := getProxyVersion(pod.Name, bookinfoNamespace) - Expect(err).To(Succeed(), "Error getting sidecar version") - Expect(sidecarVersion).To(ContainSubstring(version.Version), "Sidecar Istio version does not match the expected version") + Expect(err).NotTo(HaveOccurred(), "Error getting sidecar version") + Expect(sidecarVersion).To(Equal(version.Version), "Sidecar Istio version does not match the expected version") } Success("Istio sidecar version matches the expected Istio version") }) 
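Review bot: The assertion messages in TestInit were copy-pasted: `"M should not be empty"` on the Map check and `"Default should not be empty"` on both the Old and New checks, so a failure would point at the wrong variable; use `"Map should not be empty"`, `"Old should not be empty"` and `"New should not be empty"`. `assert.NotEmpty(t, List)` / `assert.NotEqual(t, "", Default)` read better than `assert.True` with a hand-written comparison and print the offending value on failure. TestInit also asserts `Old != ""`, so it implicitly requires versions.yaml to list at least two versions; a one-line comment stating that expectation would save the next maintainer a surprise.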
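Review bot: `Expect(sidecarVersion).To(Equal(version.Version))` compares two `*semver.Version` with reflect.DeepEqual, which also compares semver's unexported original-string field, so two versions that are semantically equal but spelled differently (a leading `v`, or `1.24-alpha.<hash>` from versions.yaml versus a normalized `1.24.0-alpha.<hash>`) would fail the test — I have not confirmed what the proxy reports. A semantic comparison avoids that: `Expect(sidecarVersion.Equal(version.Version)).To(BeTrue(), "Sidecar Istio version %s does not match the expected version %s", sidecarVersion, version.Version)`. The enclosing It block and the bookinfoPods loop start before this hunk.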
@@ -396,14 +397,19 @@ func deployBookinfo(version supportedversion.VersionInfo) error { return nil } -func getProxyVersion(podName, namespace string) (string, error) { - proxyVersion, err := k.SetNamespace(namespace).Exec( +func getProxyVersion(podName, namespace string) (*semver.Version, error) { + output, err := k.SetNamespace(namespace).Exec( podName, "istio-proxy", `curl -s http://localhost:15000/server_info | grep "ISTIO_VERSION" | awk -F '"' '{print $4}'`) if err != nil { - return "", fmt.Errorf("error getting sidecar version: %w", err) + return nil, fmt.Errorf("error getting sidecar version: %w", err) } - return proxyVersion, nil + versionStr := strings.TrimSpace(output) + version, err := semver.NewVersion(versionStr) + if err != nil { + return version, fmt.Errorf("error parsing sidecar version %q: %w", versionStr, err) + } + return version, err } diff --git a/tests/e2e/dualstack/dualstack_test.go b/tests/e2e/dualstack/dualstack_test.go index 9b58989e3..3a4aae4fe 100644 --- a/tests/e2e/dualstack/dualstack_test.go +++ b/tests/e2e/dualstack/dualstack_test.go @@ -21,6 +21,7 @@ import ( "path/filepath" "time" + "github.com/Masterminds/semver/v3" "github.com/istio-ecosystem/sail-operator/api/v1alpha1" "github.com/istio-ecosystem/sail-operator/pkg/kube" "github.com/istio-ecosystem/sail-operator/pkg/test/project" @@ -76,11 +77,11 @@ var _ = Describe("DualStack configuration ", Ordered, func() { version := version // The minimum supported version is 1.23 (and above) - if version.Major == 1 && version.Minor < 23 { + if version.Version.LessThan(semver.MustParse("1.23.0")) { continue } - Context("Istio version is: "+version.Version, func() { + Context("Istio version is: "+version.Version.String(), func() { BeforeAll(func() { Expect(k.CreateNamespace(controlPlaneNamespace)).To(Succeed(), "Istio namespace failed to be created") Expect(k.CreateNamespace(istioCniNamespace)).To(Succeed(), "IstioCNI namespace failed to be created") 
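Review bot: The error path in getProxyVersion returns `version` alongside the error, and the success path returns `version, err` where `err` is known to be nil; both read as if the value were meaningful on error. Returning `nil, fmt.Errorf("error parsing sidecar version %q: %w", versionStr, err)` on failure and `return version, nil` on success keeps the `(T, error)` contract explicit. The shell pipeline run inside the pod is unchanged, so the parsing change is the only new behaviour here.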
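Review bot: `version.Version.LessThan(semver.MustParse("1.23.0"))` skips every 1.23 pre-release, because under semver `1.23.0-rc.1 < 1.23.0`; the replaced `Major == 1 && Minor < 23` check kept those, so a `1.23.0-rc.1` entry in versions.yaml (one of the formats this patch's own comments list) would now be silently excluded from the DualStack suite. Comparing against the lowest pre-release of the line, `semver.MustParse("1.23.0-0")`, or against `version.Version.Major()`/`Minor()` restores the old inclusion. The same construct appears in the Primary-Remote suite (multicluster_primaryremote_test.go, its `@@ -73,11 +74,11 @@` hunk). Hoisting the parsed constant to package scope (`var minDualStackVersion = semver.MustParse("1.23.0-0")`) also avoids re-parsing it on every loop iteration.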
diff --git a/tests/e2e/multicluster/multicluster_multiprimary_test.go b/tests/e2e/multicluster/multicluster_multiprimary_test.go index 5601a418d..6f5397e2a 100644 --- a/tests/e2e/multicluster/multicluster_multiprimary_test.go +++ b/tests/e2e/multicluster/multicluster_multiprimary_test.go @@ -73,7 +73,7 @@ var _ = Describe("Multicluster deployment models", Ordered, func() { Describe("Multi-Primary Multi-Network configuration", func() { // Test the Multi-Primary Multi-Network configuration for each supported Istio version for _, version := range supportedversion.List { - Context("Istio version is: "+version.Version, func() { + Context("Istio version is: "+version.Version.String(), func() { When("Istio resources are created in both clusters with multicluster configuration", func() { BeforeAll(func(ctx SpecContext) { Expect(kubectlClient1.CreateNamespace(controlPlaneNamespace)).To(Succeed(), "Namespace failed to be created") @@ -315,7 +315,7 @@ func deploySampleApp(ns string, istioVersion supportedversion.VersionInfo) { Expect(kubectlClient2.Patch("namespace", ns, "merge", `{"metadata":{"labels":{"istio-injection":"enabled"}}}`)). To(Succeed(), "Error patching sample namespace") - version := istioVersion.Version + version := istioVersion.Version.String() // Deploy the sample app from upstream URL in both clusters if istioVersion.Name == "latest" { version = "master" diff --git a/tests/e2e/multicluster/multicluster_primaryremote_test.go b/tests/e2e/multicluster/multicluster_primaryremote_test.go index 5c8345c9c..0b55a1dac 100644 --- a/tests/e2e/multicluster/multicluster_primaryremote_test.go +++ b/tests/e2e/multicluster/multicluster_primaryremote_test.go @@ -23,6 +23,7 @@ import ( "strings" "time" + "github.com/Masterminds/semver/v3" "github.com/istio-ecosystem/sail-operator/api/v1alpha1" "github.com/istio-ecosystem/sail-operator/pkg/kube" "github.com/istio-ecosystem/sail-operator/pkg/test/project" 
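Review bot: `version := istioVersion.Version.String()` now feeds the normalized semver rendering into the upstream sample-app path instead of the text from versions.yaml; for release entries such as `1.22.2` the two are identical, but for `latest` they differ (`1.24-alpha.<hash>` becomes `1.24.0-alpha.<hash>`) — that case is masked here only because the next lines override it with `"master"`. If the literal YAML spelling is what should appear in Context names and URLs, `istioVersion.Version.Original()` preserves it; otherwise a short comment that the normalized form is intended would prevent a later "fix". The deploySampleApp body continues past this hunk.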
@@ -73,11 +74,11 @@ var _ = Describe("Multicluster deployment models", Ordered, func() { // Test the Primary-Remote - Multi-Network configuration for each supported Istio version for _, version := range supportedversion.List { // The Primary-Remote - Multi-Network configuration is only supported in Istio 1.23 and later - if version.Major < 1 || (version.Major == 1 && version.Minor < 23) { + if version.Version.LessThan(semver.MustParse("1.23.0")) { continue } - Context("Istio version is: "+version.Version, func() { + Context("Istio version is: "+version.Version.String(), func() { When("Istio resources are created in both clusters", func() { BeforeAll(func(ctx SpecContext) { Expect(kubectlClient1.CreateNamespace(controlPlaneNamespace)).To(Succeed(), "Namespace failed to be created") diff --git a/tests/e2e/util/common/e2e_utils.go b/tests/e2e/util/common/e2e_utils.go index a0e4fdc8f..cbc9d68c8 100644 --- a/tests/e2e/util/common/e2e_utils.go +++ b/tests/e2e/util/common/e2e_utils.go @@ -23,6 +23,7 @@ import ( "strings" "time" + "github.com/Masterminds/semver/v3" "github.com/istio-ecosystem/sail-operator/pkg/kube" "github.com/istio-ecosystem/sail-operator/tests/e2e/util/env" . "github.com/istio-ecosystem/sail-operator/tests/e2e/util/gomega" @@ -48,8 +49,8 @@ var ( // version can have one of the following formats: // - 1.22.2 // - 1.23.0-rc.1 - // - 1.24-alpha - istiodVersionRegex = regexp.MustCompile(`Version:"(\d+\.\d+(\.\d+)?(-\w+(\.\d+)?)?)`) + // - 1.24-alpha.feabc1234 + istiodVersionRegex = regexp.MustCompile(`Version:"([^"]*)"`) k = kubectl.NewKubectlBuilder() ) 
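Review bot: The comment block above `istiodVersionRegex` still enumerates the version formats the old pattern enforced, but the new `Version:"([^"]*)"` captures any quoted text and leaves validation to `semver.NewVersion` in GetVersionFromIstiod, so the comment now describes the downstream parser rather than the regex. Rewording it as `// istiodVersionRegex captures the raw Version string from pilot-discovery output; the value is validated by semver.NewVersion in GetVersionFromIstiod. Examples: 1.22.2, 1.23.0-rc.1, 1.24-alpha.feabc1234` keeps it accurate. The var block starts before this hunk.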
@@ -201,18 +202,18 @@ func logDebugElement(caption string, info string, err error) { } } -func GetVersionFromIstiod() (string, error) { +func GetVersionFromIstiod() (*semver.Version, error) { k := kubectl.NewKubectlBuilder() output, err := k.SetNamespace(controlPlaneNamespace).Exec("deploy/istiod", "", "pilot-discovery version") if err != nil { - return "", fmt.Errorf("error getting version from istiod: %w", err) + return nil, fmt.Errorf("error getting version from istiod: %w", err) } matches := istiodVersionRegex.FindStringSubmatch(output) if len(matches) > 1 && matches[1] != "" { - return matches[1], nil + return semver.NewVersion(matches[1]) } - return "", fmt.Errorf("error getting version from istiod: version not found in output: %s", output) + return nil, fmt.Errorf("error getting version from istiod: version not found in output: %s", output) } func CheckPodsReady(ctx SpecContext, cl client.Client, namespace string) (*corev1.PodList, error) { diff --git a/versions.yaml b/versions.yaml index c579186aa..f0bee7530 100644 --- a/versions.yaml +++ b/versions.yaml @@ -43,7 +43,7 @@ versions: - https://istio-release.storage.googleapis.com/charts/cni-1.21.5.tgz - https://istio-release.storage.googleapis.com/charts/ztunnel-1.21.5.tgz - name: latest - version: 1.24-alpha + version: 1.24-alpha.fe2a04689d3b7abf7630dc5646bf825e0c0592fe repo: https://github.com/istio/istio branch: master commit: fe2a04689d3b7abf7630dc5646bf825e0c0592fe From 2593bcb323ebf2de920a3221cbb7dcd76cb762a9 Mon Sep 17 00:00:00 2001 
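Review bot: `return semver.NewVersion(matches[1])` passes a parse failure up without saying what was being parsed, unlike the sibling getProxyVersion in control_plane_test.go, which wraps it with the offending string; a caller seeing only the library's generic invalid-version error cannot tell which component produced it or what text was captured. Wrapping the error with the captured text makes the two helpers consistent and keeps the `nil, err` convention on failure.
```go
	matches := istiodVersionRegex.FindStringSubmatch(output)
	if len(matches) > 1 && matches[1] != "" {
		v, err := semver.NewVersion(matches[1])
		if err != nil {
			return nil, fmt.Errorf("error parsing version %q from istiod: %w", matches[1], err)
		}
		return v, nil
	}
	// … unchanged: "version not found in output" error return …
```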
From: Maxim Babushkin Date: Tue, 8 Oct 2024 14:44:43 +0300 Subject: [PATCH 30/68] Add Helm artifacts publish automation (#385) When a release being created, the helm artifacts stored as an assets of the release. In order to make those artifacts available for "helm repo add" flow, an "index.yaml" file under "gh-pages" branch needs to be updated. Once updated, it will serve the helm deployment method with the new artifacts version. Add an automation flow to github actions that could be triggered and will make the required updates. At the end, a pull request with the changes will be created. Signed-off-by: Maxim Babushkin --- .github/workflows/helm.yaml | 32 ++++++++++ Makefile.core.mk | 7 ++ hack/helm-artifacts.sh | 123 ++++++++++++++++++++++++++++++++++++ 3 files changed, 162 insertions(+) create mode 100644 .github/workflows/helm.yaml create mode 100755 hack/helm-artifacts.sh diff --git a/.github/workflows/helm.yaml b/.github/workflows/helm.yaml new file mode 100644 index 000000000..c4772fabd --- /dev/null +++ b/.github/workflows/helm.yaml @@ -0,0 +1,32 @@ +name: Publish Helm artifact + +on: + workflow_dispatch: + inputs: + release_version: + description: "Release version" + required: true + +run-name: Publish Helm artifact ${{ inputs.release_version }} + +env: + GIT_USER: ${{ secrets.GIT_USER }} + GITHUB_TOKEN: ${{ secrets.GIT_TOKEN }} + VERSION: ${{ inputs.release_version }} + +jobs: + helm: + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v4 + + - name: Publish Helm artifact to "gh-pages" branch + run: | + make helm-artifacts-publish \ + -e GIT_CONFIG_USER_NAME="$GIT_CONFIG_USER_NAME" \ + -e GIT_CONFIG_USER_EMAIL="$GIT_CONFIG_USER_EMAIL" \ + -e OPERATOR_VERSION=$VERSION + env: + GIT_CONFIG_USER_NAME: "${{ github.actor }}" + GIT_CONFIG_USER_EMAIL: "${{ github.actor_id }}+${{ github.actor }}@users.noreply.github.com" diff --git a/Makefile.core.mk b/Makefile.core.mk index f8f34e443..b953d1d0a 100644 --- a/Makefile.core.mk +++ b/Makefile.core.mk 
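Review bot: `GITHUB_TOKEN: ${{ secrets.GIT_TOKEN }}` and `GIT_USER` are declared in the workflow-level `env`, so the personal access token is present in the environment of every step, including `actions/checkout@v4`, rather than only the `make helm-artifacts-publish` step that needs it; moving both into that step's `env:` block limits the exposure, and a top-level `permissions:` with `contents: read` keeps the job's own automatic token minimal (the release workflow earlier in this series has the same layout). The step hands the token to hack/helm-artifacts.sh, which embeds it in a git remote URL, so a comment next to the secret stating the minimal scope it needs (push to `gh-pages` plus pull-request creation) would help whoever rotates it. Naming the env var `GITHUB_TOKEN` while it holds `GIT_TOKEN` also shadows the conventional automatic-token name; a comment on that line saying it is deliberately a PAT would avoid confusion.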
@@ -592,6 +592,13 @@ bundle-publish-nightly: OPERATOR_VERSION=$(VERSION)-nightly-$(TODAY) ## Publish bundle-publish-nightly: TAG=$(MINOR_VERSION)-nightly-$(TODAY) bundle-publish-nightly: bundle-nightly bundle-publish +.PHONY: helm-artifacts-publish +helm-artifacts-publish: helm ## Publish Helm artifacts to be available for "Helm repo add" + @export GIT_USER=$(GITHUB_USER); \ + export GITHUB_TOKEN=$(GITHUB_TOKEN); \ + export OPERATOR_VERSION=${OPERATOR_VERSION}; \ + ./hack/helm-artifacts.sh + .PHONY: opm $(OPM) opm: $(OPM) opm: OS=$(shell go env GOOS) diff --git a/hack/helm-artifacts.sh b/hack/helm-artifacts.sh new file mode 100755 index 000000000..248d81c40 --- /dev/null +++ b/hack/helm-artifacts.sh 
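Review bot: The recipe exports `GIT_USER=$(GITHUB_USER)`, which overrides the `GIT_USER` the new helm.yaml workflow sets from `secrets.GIT_USER`; unless `GITHUB_USER` is defined elsewhere in Makefile.core.mk (not visible in this hunk — if the existing bundle-publish target relies on the same variable and works, it probably is), the script receives an empty user and builds its clone URL as `https://:<token>@...`. Either export `GIT_USER=$(GIT_USER)` or derive it from the same variable the workflow sets, and say so in the `##` help text. The recipe also mixes `$(GITHUB_TOKEN)` with `${OPERATOR_VERSION}`; `$(OPERATOR_VERSION)` matches the neighbouring bundle-publish-nightly lines.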
@@ -0,0 +1,123 @@ +#!/bin/bash +# shellcheck disable=SC1091 + +# Copyright Istio Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +set -euo pipefail + +CUR_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )" +source "${CUR_DIR}"/validate_semver.sh + +GITHUB_TOKEN="${GITHUB_TOKEN:-}" + +GIT_CONFIG_USER_NAME="${GIT_CONFIG_USER_NAME:-}" +GIT_CONFIG_USER_EMAIL="${GIT_CONFIG_USER_EMAIL:-}" + +UPSTREAM_OPERATOR_NAME="${UPSTREAM_OPERATOR_NAME:-"sail-operator"}" +OWNER="${OWNER:-"istio-ecosystem"}" +HUB_REPO_URL="${HUB_REPO_URL:-github.com/${OWNER}/${UPSTREAM_OPERATOR_NAME}}" +HUB_HELM_BRANCH="${HUB_HIVE_BRANCH:-"gh-pages"}" +HUB_HELM_ARTIFACT_URL="https://${HUB_REPO_URL}/releases/download/${OPERATOR_VERSION}"/ + +: "${OPERATOR_VERSION:?"Missing OPERATOR_VERSION variable"}" + +show_help() { + cat < /dev/null; then + die "Helm command is missing" + fi + + TMP_DIR=$(mktemp -d) + trap 'rm -rf "${TMP_DIR}"' EXIT + + git clone --single-branch --depth=1 --branch "${HUB_HELM_BRANCH}" "https://${GIT_USER}:${GITHUB_TOKEN}@${HUB_REPO_URL}" "${TMP_DIR}/${UPSTREAM_OPERATOR_NAME}" + cd "${TMP_DIR}/${UPSTREAM_OPERATOR_NAME}" + + if ! git config user.name; then + git config user.name "${GIT_CONFIG_USER_NAME}" + fi + + if ! 
git config user.email; then + git config user.email "${GIT_CONFIG_USER_EMAIL}" + fi +} + +function fetch_released_artifact() { + echo "Fetch released helm artifact" + + wget "${HUB_HELM_ARTIFACT_URL}/${UPSTREAM_OPERATOR_NAME}-${OPERATOR_VERSION}.tgz" +} + +function update_helm_repo_index() { + echo "Update index of Helm repo" + local helm_branch="update_helm_artifact_${OPERATOR_VERSION}" + + git checkout -b "$helm_branch" + helm repo index --merge index.yaml . --url "${HUB_HELM_ARTIFACT_URL}" + git add index.yaml + git commit -m "Add new sail-operator chart release - ${OPERATOR_VERSION}" + git push origin "$helm_branch" + + PAYLOAD="${TMP_DIR}/PAYLOAD" + + jq -c -n \ + --arg msg "Add new sail-operator chart release - ${OPERATOR_VERSION}" \ + --arg head "${OWNER}:${helm_branch}" \ + --arg base "${HUB_HELM_BRANCH}" \ + --arg title "Helm artifact ${OPERATOR_VERSION}" \ + '{head: $head, base: $base, title: $title, body: $msg }' > "${PAYLOAD}" + + curl --fail-with-body -X POST \ + -H "Authorization: token ${GITHUB_TOKEN}" \ + -H "Accept: application/vnd.github.v3+json" \ + https://api.github.com/repos/"${OWNER}/${UPSTREAM_OPERATOR_NAME}"/pulls \ + --data-binary "@${PAYLOAD}" +} + +while test $# -gt 0; do + case "$1" in + -h|--help) + show_help + exit 0 + ;; + *) + echo "Unknown param $1" + exit 1 + ;; + esac +done + +prepare_repo +fetch_released_artifact +update_helm_repo_index From a9acf5aa1c81ea24465cb8a847f86d00242016d2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marko=20Luk=C5=A1a?= Date: Mon, 7 Oct 2024 14:43:49 +0200 Subject: [PATCH 31/68] Ensure crd-all.gen.yaml file is found in newer and older Istio versions MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The file was recently moved from manifests/charts/base/crds to manifests/charts/base/files. Signed-off-by: Marko Lukša --- hack/extract-istio-crds.sh | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) 
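Review bot: `HUB_HELM_BRANCH="${HUB_HIVE_BRANCH:-"gh-pages"}"` reads its default from a differently named variable (looks like a copy-paste leftover), so setting `HUB_HELM_BRANCH` in the environment has no effect; it should be `HUB_HELM_BRANCH="${HUB_HELM_BRANCH:-"gh-pages"}"`. `HUB_HELM_ARTIFACT_URL` expands `${OPERATOR_VERSION}` two lines before the `: "${OPERATOR_VERSION:?...}"` check, so under `set -u` a missing version dies on the URL line with a generic unbound-variable message instead of the intended one; move the check above the URL assignment. The clone URL `https://${GIT_USER}:${GITHUB_TOKEN}@${HUB_REPO_URL}` stores the token in the temporary clone's remote configuration, where it would surface in git error output or a `set -x` trace; passing it via `git -c http.extraheader=...` or a credential helper, or at minimum a comment stating that the clone is deleted by the EXIT trap, makes the handling explicit. The trailing `/` on `HUB_HELM_ARTIFACT_URL` combined with `${HUB_HELM_ARTIFACT_URL}/${UPSTREAM_OPERATOR_NAME}-...` yields a double slash in both the wget URL and the `--url` passed to `helm repo index`, which then lands in index.yaml. The hunk text appears to have lost the show_help heredoc and the `command -v helm` line to extraction, so those lines could not be reviewed.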
diff --git a/hack/extract-istio-crds.sh b/hack/extract-istio-crds.sh index d693be103..6045c8a57 100755 --- a/hack/extract-istio-crds.sh +++ b/hack/extract-istio-crds.sh @@ -16,7 +16,11 @@ set -euo pipefail -INPUT_FILE="$(go list -m -f '{{.Dir}}' istio.io/istio)/manifests/charts/base/crds/crd-all.gen.yaml" +INPUT_FILE="$(go list -m -f '{{.Dir}}' istio.io/istio)/manifests/charts/base/files/crd-all.gen.yaml" +# check if the file exists and adjust the file path if necessary (this is needed because older Istio versions have the CRDs in a different location) +if [ ! -f "${INPUT_FILE}" ]; then + INPUT_FILE="$(go list -m -f '{{.Dir}}' istio.io/istio)/manifests/charts/base/crds/crd-all.gen.yaml" +fi SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd ) REPO_ROOT=$(dirname "${SCRIPT_DIR}") From 9be869979be4fd04f7af6176a5ec5577faef9869 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marko=20Luk=C5=A1a?= Date: Mon, 7 Oct 2024 14:46:15 +0200 Subject: [PATCH 32/68] Remove reference to istiod-remote chart MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The istiod-remote chart has been removed. We'll have to rewrite the code around this later, but for now, we're removing the chart. Signed-off-by: Marko Lukša --- versions.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/versions.yaml b/versions.yaml index f0bee7530..cad5acf9f 100644 --- a/versions.yaml +++ b/versions.yaml 
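Review bot: `go list -m -f '{{.Dir}}' istio.io/istio` is now run twice to build the two candidate paths; capturing it once, `ISTIO_DIR="$(go list -m -f '{{.Dir}}' istio.io/istio)"`, and using `"${ISTIO_DIR}/manifests/charts/base/files/crd-all.gen.yaml"` with the `crds/` fallback is cheaper and keeps the two paths visibly derived from the same module. When neither location exists the script continues with a non-existent `INPUT_FILE`; a final `[ -f "${INPUT_FILE}" ] || { echo "crd-all.gen.yaml not found under ${ISTIO_DIR}" >&2; exit 1; }` turns that into an immediate, clear failure. The rest of the script is outside this hunk.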
@@ -52,5 +52,4 @@ versions: - https://storage.googleapis.com/istio-build/dev/1.24-alpha.fe2a04689d3b7abf7630dc5646bf825e0c0592fe/helm/cni-1.24-alpha.fe2a04689d3b7abf7630dc5646bf825e0c0592fe.tgz - https://storage.googleapis.com/istio-build/dev/1.24-alpha.fe2a04689d3b7abf7630dc5646bf825e0c0592fe/helm/gateway-1.24-alpha.fe2a04689d3b7abf7630dc5646bf825e0c0592fe.tgz - https://storage.googleapis.com/istio-build/dev/1.24-alpha.fe2a04689d3b7abf7630dc5646bf825e0c0592fe/helm/istiod-1.24-alpha.fe2a04689d3b7abf7630dc5646bf825e0c0592fe.tgz - - https://storage.googleapis.com/istio-build/dev/1.24-alpha.fe2a04689d3b7abf7630dc5646bf825e0c0592fe/helm/istiod-remote-1.24-alpha.fe2a04689d3b7abf7630dc5646bf825e0c0592fe.tgz - https://storage.googleapis.com/istio-build/dev/1.24-alpha.fe2a04689d3b7abf7630dc5646bf825e0c0592fe/helm/ztunnel-1.24-alpha.fe2a04689d3b7abf7630dc5646bf825e0c0592fe.tgz From 477c4c70695989e68891ff001c14b89189205d06 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marko=20Luk=C5=A1a?= Date: Mon, 7 Oct 2024 14:44:39 +0200 Subject: [PATCH 33/68] Update Istio versions MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 
Signed-off-by: Marko Lukša --- .devcontainer/devcontainer.json | 2 +- Makefile.core.mk | 10 +- api/v1alpha1/istio_types.go | 14 +- api/v1alpha1/istiocni_types.go | 14 +- api/v1alpha1/istiorevision_types.go | 6 +- api/v1alpha1/remoteistio_types.go | 14 +- api/v1alpha1/values_types.gen.go | 210 ++- api/v1alpha1/zz_generated.deepcopy.go | 122 +- bundle.Dockerfile | 2 +- .../extensions.istio.io_wasmplugins.yaml | 4 + .../networking.istio.io_envoyfilters.yaml | 9 + .../networking.istio.io_serviceentries.yaml | 126 ++ .../networking.istio.io_sidecars.yaml | 15 + .../networking.istio.io_workloadentries.yaml | 6 - .../networking.istio.io_workloadgroups.yaml | 72 +- .../sailoperator.clusterserviceversion.yaml | 142 +- .../manifests/sailoperator.io_istiocnis.yaml | 45 +- .../sailoperator.io_istiorevisions.yaml | 1617 +++++++++++++++- bundle/manifests/sailoperator.io_istios.yaml | 1624 ++++++++++++++++- .../sailoperator.io_remoteistios.yaml | 1624 ++++++++++++++++- ...curity.istio.io_authorizationpolicies.yaml | 8 + ...urity.istio.io_requestauthentications.yaml | 6 +- .../telemetry.istio.io_telemetries.yaml | 8 + bundle/metadata/annotations.yaml | 2 +- bundle/tests/scorecard/config.yaml | 10 +- .../crds/extensions.istio.io_wasmplugins.yaml | 4 + .../networking.istio.io_envoyfilters.yaml | 9 + .../networking.istio.io_serviceentries.yaml | 126 ++ chart/crds/networking.istio.io_sidecars.yaml | 15 + .../networking.istio.io_workloadentries.yaml | 6 - .../networking.istio.io_workloadgroups.yaml | 72 +- chart/crds/sailoperator.io_istiocnis.yaml | 45 +- .../crds/sailoperator.io_istiorevisions.yaml | 1617 +++++++++++++++- chart/crds/sailoperator.io_istios.yaml | 1624 ++++++++++++++++- chart/crds/sailoperator.io_remoteistios.yaml | 1624 ++++++++++++++++- ...curity.istio.io_authorizationpolicies.yaml | 8 + ...urity.istio.io_requestauthentications.yaml | 6 +- .../crds/telemetry.istio.io_telemetries.yaml | 8 + chart/samples/istio-sample-kubernetes.yaml | 2 +- 
chart/samples/istio-sample-openshift.yaml | 2 +- chart/samples/istiocni-sample.yaml | 2 +- chart/templates/olm/scorecard.yaml | 10 +- chart/values.yaml | 8 +- common/.commonfiles.sha | 2 +- common/scripts/kind_provisioner.sh | 2 +- common/scripts/run.sh | 2 +- common/scripts/setup_env.sh | 2 +- docs/api-reference/sailoperator.io.md | 111 +- go.mod | 109 +- go.sum | 291 ++- resources/latest/charts/base/Chart.yaml | 4 +- .../base/{crds => files}/crd-all.gen.yaml | 248 ++- .../charts/base/files/profile-remote.yaml | 13 + .../latest/charts/base/templates/crds.yaml | 18 +- ...ltrevision-validatingadmissionpolicy.yaml} | 0 ...ision-validatingwebhookconfiguration.yaml} | 0 .../charts/base/templates/endpoints.yaml | 26 - .../base/templates/reader-serviceaccount.yaml | 4 +- .../charts/base/templates/services.yaml | 40 - .../base/templates/zzy_descope_legacy.yaml | 3 - .../charts/base/templates/zzz_profile.yaml | 19 +- resources/latest/charts/base/values.yaml | 24 +- resources/latest/charts/cni/Chart.yaml | 4 +- .../charts/cni/files/profile-remote.yaml | 13 + .../charts/cni/templates/zzz_profile.yaml | 19 +- resources/latest/charts/cni/values.yaml | 8 +- resources/latest/charts/gateway/Chart.yaml | 4 +- .../charts/gateway/files/profile-remote.yaml | 13 + .../charts/gateway/templates/zzz_profile.yaml | 19 +- resources/latest/charts/gateway/values.yaml | 6 +- .../latest/charts/istiod-remote/Chart.yaml | 11 - .../files/injection-template.yaml | 538 ------ .../istiod-remote/files/profile-ambient.yaml | 17 - .../profile-compatibility-version-1.21.yaml | 33 - .../profile-compatibility-version-1.22.yaml | 26 - .../profile-compatibility-version-1.23.yaml | 19 - .../istiod-remote/files/profile-demo.yaml | 90 - .../files/profile-platform-k3d.yaml | 7 - .../files/profile-platform-k3s.yaml | 7 - .../files/profile-platform-microk8s.yaml | 7 - .../files/profile-platform-minikube.yaml | 6 - .../files/profile-platform-openshift.yaml | 17 - .../istiod-remote/templates/_helpers.tpl | 23 - 
.../istiod-remote/templates/clusterrole.yaml | 186 -- .../templates/clusterrolebinding.yaml | 39 - .../istiod-remote/templates/configmap.yaml | 114 -- .../istiod-remote/templates/default.yaml | 58 - ...aultrevisionvalidatingadmissionpolicy.yaml | 55 - .../templates/istiod-injector-configmap.yaml | 82 - .../templates/mutatingwebhook.yaml | 160 -- .../templates/reader-clusterrole.yaml | 62 - .../templates/reader-clusterrolebinding.yaml | 17 - .../templates/reader-serviceaccount.yaml | 18 - .../charts/istiod-remote/templates/role.yaml | 34 - .../istiod-remote/templates/rolebinding.yaml | 20 - .../templates/serviceaccount.yaml | 23 - .../templates/validatingadmissionpolicy.yaml | 62 - .../validatingwebhookconfiguration.yaml | 67 - .../templates/zzy_descope_legacy.yaml | 3 - .../istiod-remote/templates/zzz_profile.yaml | 69 - .../latest/charts/istiod-remote/values.yaml | 454 ----- resources/latest/charts/istiod/Chart.yaml | 4 +- .../charts/istiod/files/kube-gateway.yaml | 4 + .../charts/istiod/files/profile-remote.yaml | 13 + .../latest/charts/istiod/files/waypoint.yaml | 7 +- .../charts/istiod/templates/autoscale.yaml | 3 + .../charts/istiod/templates/clusterrole.yaml | 3 + .../istiod/templates/clusterrolebinding.yaml | 3 + .../istiod/templates/configmap-jwks.yaml | 3 + .../charts/istiod/templates/deployment.yaml | 3 + .../istiod/templates/mutatingwebhook.yaml | 5 + .../istiod/templates/poddisruptionbudget.yaml | 3 + .../templates/remote-istiod-endpoints.yaml} | 11 +- .../templates/remote-istiod-service.yaml} | 13 +- .../istiod/templates/revision-tags.yaml | 8 + .../latest/charts/istiod/templates/role.yaml | 3 + .../charts/istiod/templates/rolebinding.yaml | 3 + .../charts/istiod/templates/service.yaml | 3 + .../istiod/templates/serviceaccount.yaml | 3 + .../templates/validatingadmissionpolicy.yaml | 3 + .../validatingwebhookconfiguration.yaml | 3 + .../charts/istiod/templates/zzz_profile.yaml | 19 +- resources/latest/charts/istiod/values.yaml | 13 +- 
resources/latest/charts/ztunnel/Chart.yaml | 4 +- .../charts/ztunnel/files/profile-remote.yaml | 13 + .../charts/ztunnel/templates/zzz_profile.yaml | 19 +- resources/latest/charts/ztunnel/values.yaml | 8 +- .../charts/base/Chart.yaml | 4 +- .../charts/base/README.md | 0 .../charts/base/crds/crd-all.gen.yaml | 0 .../charts/base/files/profile-ambient.yaml | 0 .../profile-compatibility-version-1.20.yaml | 0 .../charts/base/files/profile-demo.yaml | 0 .../charts/base/files/profile-openshift.yaml | 0 .../charts/base/files/profile-preview.yaml | 0 .../charts/base/templates/NOTES.txt | 0 .../charts/base/templates/crds.yaml | 0 .../charts/base/templates/default.yaml | 0 .../charts/base/templates/endpoints.yaml | 0 .../base/templates/reader-serviceaccount.yaml | 0 .../charts/base/templates/services.yaml | 0 .../charts/base/templates/zzz_profile.yaml | 0 .../charts/base/values.yaml | 0 .../charts/cni/Chart.yaml | 4 +- .../{v1.21.5 => v1.21.6}/charts/cni/README.md | 0 .../charts/cni/files/profile-ambient.yaml | 0 .../profile-compatibility-version-1.20.yaml | 0 .../charts/cni/files/profile-demo.yaml | 0 .../charts/cni/files/profile-openshift.yaml | 0 .../charts/cni/files/profile-preview.yaml | 0 .../charts/cni/templates/NOTES.txt | 0 .../charts/cni/templates/clusterrole.yaml | 0 .../cni/templates/clusterrolebinding.yaml | 0 .../charts/cni/templates/configmap-cni.yaml | 0 .../charts/cni/templates/daemonset.yaml | 0 .../network-attachment-definition.yaml | 0 .../charts/cni/templates/resourcequota.yaml | 0 .../charts/cni/templates/serviceaccount.yaml | 0 .../charts/cni/templates/zzz_profile.yaml | 0 .../charts/cni/values.yaml | 2 +- .../charts/gateway/Chart.yaml | 4 +- .../charts/gateway/README.md | 0 .../charts/gateway/files/profile-ambient.yaml | 0 .../profile-compatibility-version-1.20.yaml | 0 .../charts/gateway/files/profile-demo.yaml | 0 .../gateway/files/profile-openshift.yaml | 0 .../charts/gateway/files/profile-preview.yaml | 0 .../charts/gateway/templates/NOTES.txt | 0 
.../charts/gateway/templates/_helpers.tpl | 0 .../charts/gateway/templates/deployment.yaml | 0 .../charts/gateway/templates/hpa.yaml | 0 .../templates/poddisruptionbudget.yaml | 0 .../charts/gateway/templates/role.yaml | 0 .../charts/gateway/templates/service.yaml | 0 .../gateway/templates/serviceaccount.yaml | 0 .../charts/gateway/templates/zzz_profile.yaml | 0 .../charts/gateway/values.schema.json | 0 .../charts/gateway/values.yaml | 0 .../charts/istiod/Chart.yaml | 4 +- .../charts/istiod/README.md | 0 .../files/gateway-injection-template.yaml | 0 .../charts/istiod/files/grpc-agent.yaml | 0 .../charts/istiod/files/grpc-simple.yaml | 0 .../istiod/files/injection-template.yaml | 0 .../charts/istiod/files/kube-gateway.yaml | 0 .../charts/istiod/files/profile-ambient.yaml | 0 .../profile-compatibility-version-1.20.yaml | 0 .../charts/istiod/files/profile-demo.yaml | 0 .../istiod/files/profile-openshift.yaml | 0 .../charts/istiod/files/profile-preview.yaml | 0 .../charts/istiod/files/waypoint.yaml | 0 .../charts/istiod/templates/NOTES.txt | 0 .../charts/istiod/templates/_helpers.tpl | 0 .../charts/istiod/templates/autoscale.yaml | 0 .../charts/istiod/templates/clusterrole.yaml | 0 .../istiod/templates/clusterrolebinding.yaml | 0 .../istiod/templates/configmap-jwks.yaml | 0 .../charts/istiod/templates/configmap.yaml | 0 .../charts/istiod/templates/deployment.yaml | 0 .../templates/istiod-injector-configmap.yaml | 0 .../istiod/templates/mutatingwebhook.yaml | 0 .../istiod/templates/poddisruptionbudget.yaml | 0 .../istiod/templates/reader-clusterrole.yaml | 0 .../templates/reader-clusterrolebinding.yaml | 0 .../istiod/templates/revision-tags.yaml | 0 .../charts/istiod/templates/role.yaml | 0 .../charts/istiod/templates/rolebinding.yaml | 0 .../charts/istiod/templates/service.yaml | 0 .../istiod/templates/serviceaccount.yaml | 0 .../validatingwebhookconfiguration.yaml | 0 .../charts/istiod/templates/zzz_profile.yaml | 0 .../charts/istiod/values.yaml | 2 +- 
.../charts/ztunnel/Chart.yaml | 4 +- .../charts/ztunnel/README.md | 0 .../charts/ztunnel/files/profile-ambient.yaml | 0 .../profile-compatibility-version-1.20.yaml | 0 .../charts/ztunnel/files/profile-demo.yaml | 0 .../ztunnel/files/profile-openshift.yaml | 0 .../charts/ztunnel/files/profile-preview.yaml | 0 .../charts/ztunnel/templates/NOTES.txt | 0 .../charts/ztunnel/templates/daemonset.yaml | 0 .../charts/ztunnel/templates/rbac.yaml | 0 .../charts/ztunnel/templates/zzz_profile.yaml | 0 .../charts/ztunnel/values.yaml | 2 +- .../profiles/ambient.yaml | 0 .../profiles/default.yaml | 0 .../{v1.21.5 => v1.21.6}/profiles/demo.yaml | 0 .../{v1.21.5 => v1.21.6}/profiles/empty.yaml | 0 .../profiles/external.yaml | 0 .../profiles/openshift.yaml | 0 .../profiles/preview.yaml | 0 .../profile-compatibility-version-1.21.yaml | 17 - .../charts/ztunnel/templates/zzz_profile.yaml | 38 - .../charts/base/Chart.yaml | 4 +- .../charts/base/README.md | 0 .../charts/base/crds/crd-all.gen.yaml | 0 .../charts/base/files/profile-ambient.yaml | 0 .../profile-compatibility-version-1.20.yaml | 0 .../profile-compatibility-version-1.21.yaml | 4 +- .../charts/base/files/profile-demo.yaml | 0 .../base/files/profile-openshift-ambient.yaml | 0 .../charts/base/files/profile-openshift.yaml | 0 .../charts/base}/files/profile-preview.yaml | 0 .../charts/base}/files/profile-stable.yaml | 0 .../charts/base/templates/NOTES.txt | 0 .../charts/base/templates/crds.yaml | 0 .../charts/base/templates/default.yaml | 0 .../charts/base/templates/endpoints.yaml | 0 .../base/templates/reader-serviceaccount.yaml | 0 .../charts/base/templates/services.yaml | 0 .../templates/validatingadmissionpolicy.yaml | 0 .../charts/base/templates/zzz_profile.yaml | 0 .../charts/base/values.yaml | 0 .../charts/cni/Chart.yaml | 4 +- .../{v1.22.3 => v1.22.5}/charts/cni/README.md | 0 .../charts/cni/files/profile-ambient.yaml | 0 .../profile-compatibility-version-1.20.yaml | 0 .../profile-compatibility-version-1.21.yaml | 4 +- 
.../charts/cni/files/profile-demo.yaml | 0 .../cni/files/profile-openshift-ambient.yaml | 0 .../charts/cni/files/profile-openshift.yaml | 0 .../charts/cni}/files/profile-preview.yaml | 0 .../charts/cni}/files/profile-stable.yaml | 0 .../charts/cni/templates/NOTES.txt | 0 .../charts/cni/templates/clusterrole.yaml | 0 .../cni/templates/clusterrolebinding.yaml | 0 .../charts/cni/templates/configmap-cni.yaml | 0 .../charts/cni/templates/daemonset.yaml | 0 .../network-attachment-definition.yaml | 0 .../charts/cni/templates/resourcequota.yaml | 0 .../charts/cni/templates/serviceaccount.yaml | 0 .../charts/cni/templates/zzz_profile.yaml | 0 .../charts/cni/values.yaml | 2 +- .../charts/gateway/Chart.yaml | 4 +- .../charts/gateway/README.md | 0 .../charts/gateway/files/profile-ambient.yaml | 0 .../profile-compatibility-version-1.20.yaml | 0 .../profile-compatibility-version-1.21.yaml | 4 +- .../charts/gateway/files/profile-demo.yaml | 0 .../files/profile-openshift-ambient.yaml | 0 .../gateway/files/profile-openshift.yaml | 0 .../gateway}/files/profile-preview.yaml | 0 .../charts/gateway}/files/profile-stable.yaml | 0 .../charts/gateway/templates/NOTES.txt | 0 .../charts/gateway/templates/_helpers.tpl | 0 .../charts/gateway/templates/deployment.yaml | 0 .../charts/gateway/templates/hpa.yaml | 0 .../templates/poddisruptionbudget.yaml | 0 .../charts/gateway/templates/role.yaml | 0 .../charts/gateway/templates/service.yaml | 0 .../gateway/templates/serviceaccount.yaml | 0 .../charts/gateway/templates/zzz_profile.yaml | 0 .../charts/gateway/values.schema.json | 0 .../charts/gateway/values.yaml | 0 .../charts/istiod/Chart.yaml | 4 +- .../charts/istiod/README.md | 0 .../files/gateway-injection-template.yaml | 0 .../charts/istiod/files/grpc-agent.yaml | 0 .../charts/istiod/files/grpc-simple.yaml | 0 .../istiod/files/injection-template.yaml | 0 .../charts/istiod/files/kube-gateway.yaml | 0 .../charts/istiod/files/profile-ambient.yaml | 0 .../profile-compatibility-version-1.20.yaml | 
0 .../profile-compatibility-version-1.21.yaml | 4 +- .../charts/istiod/files/profile-demo.yaml | 0 .../files/profile-openshift-ambient.yaml | 0 .../istiod/files/profile-openshift.yaml | 0 .../charts/istiod}/files/profile-preview.yaml | 0 .../charts/istiod}/files/profile-stable.yaml | 0 .../charts/istiod/files/waypoint.yaml | 0 .../charts/istiod/templates/NOTES.txt | 3 +- .../charts/istiod/templates/_helpers.tpl | 0 .../charts/istiod/templates/autoscale.yaml | 0 .../charts/istiod/templates/clusterrole.yaml | 0 .../istiod/templates/clusterrolebinding.yaml | 0 .../istiod/templates/configmap-jwks.yaml | 0 .../charts/istiod/templates/configmap.yaml | 0 .../charts/istiod/templates/deployment.yaml | 0 .../templates/istiod-injector-configmap.yaml | 0 .../istiod/templates/mutatingwebhook.yaml | 0 .../istiod/templates/poddisruptionbudget.yaml | 0 .../istiod/templates/reader-clusterrole.yaml | 0 .../templates/reader-clusterrolebinding.yaml | 0 .../istiod/templates/revision-tags.yaml | 0 .../charts/istiod/templates/role.yaml | 0 .../charts/istiod/templates/rolebinding.yaml | 0 .../charts/istiod/templates/service.yaml | 0 .../istiod/templates/serviceaccount.yaml | 0 .../templates/validatingadmissionpolicy.yaml | 0 .../validatingwebhookconfiguration.yaml | 0 .../charts/istiod}/templates/zzz_profile.yaml | 0 .../charts/istiod/values.yaml | 2 +- .../charts/ztunnel/Chart.yaml | 4 +- .../charts/ztunnel/README.md | 0 .../charts/ztunnel/files/profile-ambient.yaml | 0 .../profile-compatibility-version-1.20.yaml | 0 .../profile-compatibility-version-1.21.yaml | 17 + .../charts/ztunnel/files/profile-demo.yaml | 0 .../files/profile-openshift-ambient.yaml | 0 .../ztunnel/files/profile-openshift.yaml | 0 .../ztunnel}/files/profile-preview.yaml | 0 .../charts/ztunnel}/files/profile-stable.yaml | 0 .../charts/ztunnel/templates/NOTES.txt | 0 .../charts/ztunnel/templates/_helpers.tpl | 0 .../charts/ztunnel/templates/daemonset.yaml | 3 +- .../charts/ztunnel/templates/rbac.yaml | 3 +- 
.../charts/ztunnel/templates/zzz_profile.yaml | 0 .../charts/ztunnel/values.yaml | 2 +- .../profiles/ambient.yaml | 0 .../profiles/default.yaml | 0 .../{v1.22.3 => v1.22.5}/profiles/demo.yaml | 0 .../{v1.22.3 => v1.22.5}/profiles/empty.yaml | 0 .../profiles/openshift-ambient.yaml | 0 .../profiles/openshift.yaml | 0 .../profiles/preview.yaml | 0 .../{v1.22.3 => v1.22.5}/profiles/stable.yaml | 0 .../v1.23.0/charts/istiod-remote/NOTES.txt | 4 - .../files/gateway-injection-template.yaml | 250 --- .../profile-compatibility-version-1.21.yaml | 19 - .../profile-compatibility-version-1.22.yaml | 11 - .../profile-compatibility-version-1.21.yaml | 19 - .../profile-compatibility-version-1.22.yaml | 11 - .../charts/ztunnel/files/profile-preview.yaml | 13 - .../charts/ztunnel/files/profile-stable.yaml | 8 - .../charts/base/Chart.yaml | 4 +- .../charts/base/README.md | 0 .../charts/base/crds/crd-all.gen.yaml | 6 - .../charts/base/files/profile-ambient.yaml | 0 .../profile-compatibility-version-1.20.yaml | 0 .../profile-compatibility-version-1.21.yaml | 4 + .../profile-compatibility-version-1.22.yaml | 7 +- .../charts/base/files/profile-demo.yaml | 0 .../base/files/profile-openshift-ambient.yaml | 0 .../charts/base/files/profile-openshift.yaml | 0 .../charts/base}/files/profile-preview.yaml | 0 .../charts/base}/files/profile-stable.yaml | 0 .../charts/base/templates/NOTES.txt | 0 .../charts/base/templates/crds.yaml | 0 .../charts/base/templates/default.yaml | 0 .../charts/base/templates/endpoints.yaml | 0 .../base/templates/reader-serviceaccount.yaml | 0 .../charts/base/templates/services.yaml | 0 .../templates/validatingadmissionpolicy.yaml | 0 .../charts/base}/templates/zzz_profile.yaml | 0 .../charts/base/values.yaml | 0 .../charts/cni/Chart.yaml | 4 +- .../{v1.23.0 => v1.23.2}/charts/cni/README.md | 0 .../charts/cni/files/profile-ambient.yaml | 0 .../profile-compatibility-version-1.20.yaml | 0 .../profile-compatibility-version-1.21.yaml | 4 + 
.../profile-compatibility-version-1.22.yaml | 7 +- .../charts/cni/files/profile-demo.yaml | 0 .../cni/files/profile-openshift-ambient.yaml | 0 .../charts/cni/files/profile-openshift.yaml | 0 .../charts/cni}/files/profile-preview.yaml | 0 .../charts/cni}/files/profile-stable.yaml | 0 .../charts/cni/templates/NOTES.txt | 0 .../charts/cni/templates/_helpers.tpl | 0 .../charts/cni/templates/clusterrole.yaml | 0 .../cni/templates/clusterrolebinding.yaml | 0 .../charts/cni/templates/configmap-cni.yaml | 0 .../charts/cni/templates/daemonset.yaml | 0 .../network-attachment-definition.yaml | 0 .../charts/cni/templates/resourcequota.yaml | 0 .../charts/cni/templates/serviceaccount.yaml | 0 .../charts/cni}/templates/zzz_profile.yaml | 5 + .../charts/cni/values.yaml | 2 +- .../charts/gateway/Chart.yaml | 4 +- .../charts/gateway/README.md | 0 .../charts/gateway/files/profile-ambient.yaml | 0 .../profile-compatibility-version-1.20.yaml | 0 .../profile-compatibility-version-1.21.yaml | 4 + .../profile-compatibility-version-1.22.yaml | 7 +- .../charts/gateway/files/profile-demo.yaml | 0 .../files/profile-openshift-ambient.yaml | 0 .../gateway/files/profile-openshift.yaml | 0 .../gateway}/files/profile-preview.yaml | 0 .../charts/gateway}/files/profile-stable.yaml | 0 .../charts/gateway/templates/NOTES.txt | 0 .../charts/gateway/templates/_helpers.tpl | 0 .../charts/gateway/templates/deployment.yaml | 0 .../charts/gateway/templates/hpa.yaml | 0 .../templates/poddisruptionbudget.yaml | 0 .../charts/gateway/templates/role.yaml | 0 .../charts/gateway/templates/service.yaml | 0 .../gateway/templates/serviceaccount.yaml | 0 .../charts/gateway/templates/zzz_profile.yaml | 5 + .../charts/gateway/values.schema.json | 8 +- .../charts/gateway/values.yaml | 0 .../charts/istiod-remote/Chart.yaml | 4 +- .../charts/istiod-remote/NOTES.txt | 0 .../files/gateway-injection-template.yaml | 0 .../files/injection-template.yaml | 0 .../istiod-remote/files/profile-ambient.yaml | 0 
.../profile-compatibility-version-1.20.yaml | 0 .../profile-compatibility-version-1.21.yaml | 4 + .../profile-compatibility-version-1.22.yaml | 7 +- .../istiod-remote/files/profile-demo.yaml | 0 .../files/profile-openshift-ambient.yaml | 0 .../files/profile-openshift.yaml | 0 .../istiod-remote}/files/profile-preview.yaml | 0 .../istiod-remote}/files/profile-stable.yaml | 0 .../istiod-remote/templates/_helpers.tpl | 0 .../istiod-remote/templates/clusterrole.yaml | 0 .../templates/clusterrolebinding.yaml | 0 .../istiod-remote/templates/configmap.yaml | 0 .../istiod-remote/templates/default.yaml | 0 ...aultrevisionvalidatingadmissionpolicy.yaml | 0 .../istiod-remote/templates/endpoints.yaml | 0 .../templates/istiod-injector-configmap.yaml | 0 .../templates/mutatingwebhook.yaml | 0 .../templates/reader-clusterrole.yaml | 0 .../templates/reader-clusterrolebinding.yaml | 0 .../templates/reader-serviceaccount.yaml | 0 .../charts/istiod-remote/templates/role.yaml | 0 .../istiod-remote/templates/rolebinding.yaml | 0 .../templates/serviceaccount.yaml | 0 .../istiod-remote/templates/services.yaml | 0 .../templates/validatingadmissionpolicy.yaml | 0 .../validatingwebhookconfiguration.yaml | 0 .../istiod-remote}/templates/zzz_profile.yaml | 5 + .../charts/istiod-remote/values.yaml | 2 +- .../charts/istiod/Chart.yaml | 4 +- .../charts/istiod/README.md | 0 .../files/gateway-injection-template.yaml | 0 .../charts/istiod/files/grpc-agent.yaml | 0 .../charts/istiod/files/grpc-simple.yaml | 0 .../istiod/files/injection-template.yaml | 0 .../charts/istiod/files/kube-gateway.yaml | 0 .../charts/istiod/files/profile-ambient.yaml | 0 .../profile-compatibility-version-1.20.yaml | 0 .../profile-compatibility-version-1.21.yaml | 23 + .../profile-compatibility-version-1.22.yaml | 16 + .../charts/istiod/files/profile-demo.yaml | 0 .../files/profile-openshift-ambient.yaml | 0 .../istiod/files/profile-openshift.yaml | 0 .../charts/istiod}/files/profile-preview.yaml | 0 
.../charts/istiod}/files/profile-stable.yaml | 0 .../charts/istiod/files/waypoint.yaml | 0 .../charts/istiod/templates/NOTES.txt | 0 .../charts/istiod/templates/_helpers.tpl | 0 .../charts/istiod/templates/autoscale.yaml | 0 .../charts/istiod/templates/clusterrole.yaml | 0 .../istiod/templates/clusterrolebinding.yaml | 0 .../istiod/templates/configmap-jwks.yaml | 0 .../charts/istiod/templates/configmap.yaml | 0 .../charts/istiod/templates/deployment.yaml | 3 +- .../templates/istiod-injector-configmap.yaml | 0 .../istiod/templates/mutatingwebhook.yaml | 0 .../istiod/templates/poddisruptionbudget.yaml | 0 .../istiod/templates/reader-clusterrole.yaml | 0 .../templates/reader-clusterrolebinding.yaml | 0 .../istiod/templates/revision-tags.yaml | 0 .../charts/istiod/templates/role.yaml | 0 .../charts/istiod/templates/rolebinding.yaml | 0 .../charts/istiod/templates/service.yaml | 0 .../istiod/templates/serviceaccount.yaml | 0 .../templates/validatingadmissionpolicy.yaml | 0 .../validatingwebhookconfiguration.yaml | 0 .../charts/istiod/templates/zzz_profile.yaml | 43 + .../charts/istiod/values.yaml | 2 +- .../charts/ztunnel/Chart.yaml | 4 +- .../charts/ztunnel/README.md | 0 .../charts/ztunnel/files/profile-ambient.yaml | 0 .../profile-compatibility-version-1.20.yaml | 0 .../profile-compatibility-version-1.21.yaml | 23 + .../profile-compatibility-version-1.22.yaml | 16 + .../charts/ztunnel/files/profile-demo.yaml | 0 .../files/profile-openshift-ambient.yaml | 0 .../ztunnel/files/profile-openshift.yaml | 0 .../ztunnel}/files/profile-preview.yaml | 0 .../charts/ztunnel}/files/profile-stable.yaml | 0 .../charts/ztunnel/templates/NOTES.txt | 0 .../charts/ztunnel/templates/_helpers.tpl | 0 .../charts/ztunnel/templates/daemonset.yaml | 0 .../charts/ztunnel/templates/rbac.yaml | 0 .../ztunnel}/templates/zzz_profile.yaml | 5 + .../charts/ztunnel/values.yaml | 2 +- .../profiles/ambient.yaml | 0 .../profiles/default.yaml | 0 .../{v1.23.0 => v1.23.2}/profiles/demo.yaml | 0 
.../{v1.23.0 => v1.23.2}/profiles/empty.yaml | 0 .../profiles/openshift-ambient.yaml | 0 .../profiles/openshift.yaml | 0 .../profiles/preview.yaml | 0 .../{v1.23.0 => v1.23.2}/profiles/stable.yaml | 0 versions.yaml | 64 +- 527 files changed, 11169 insertions(+), 4018 deletions(-) rename resources/latest/charts/base/{crds => files}/crd-all.gen.yaml (98%) create mode 100644 resources/latest/charts/base/files/profile-remote.yaml rename resources/latest/charts/base/templates/{validatingadmissionpolicy.yaml => defaultrevision-validatingadmissionpolicy.yaml} (100%) rename resources/latest/charts/base/templates/{default.yaml => defaultrevision-validatingwebhookconfiguration.yaml} (100%) delete mode 100644 resources/latest/charts/base/templates/endpoints.yaml delete mode 100644 resources/latest/charts/base/templates/services.yaml delete mode 100644 resources/latest/charts/base/templates/zzy_descope_legacy.yaml create mode 100644 resources/latest/charts/cni/files/profile-remote.yaml create mode 100644 resources/latest/charts/gateway/files/profile-remote.yaml delete mode 100644 resources/latest/charts/istiod-remote/Chart.yaml delete mode 100644 resources/latest/charts/istiod-remote/files/injection-template.yaml delete mode 100644 resources/latest/charts/istiod-remote/files/profile-ambient.yaml delete mode 100644 resources/latest/charts/istiod-remote/files/profile-compatibility-version-1.21.yaml delete mode 100644 resources/latest/charts/istiod-remote/files/profile-compatibility-version-1.22.yaml delete mode 100644 resources/latest/charts/istiod-remote/files/profile-compatibility-version-1.23.yaml delete mode 100644 resources/latest/charts/istiod-remote/files/profile-demo.yaml delete mode 100644 resources/latest/charts/istiod-remote/files/profile-platform-k3d.yaml delete mode 100644 resources/latest/charts/istiod-remote/files/profile-platform-k3s.yaml delete mode 100644 resources/latest/charts/istiod-remote/files/profile-platform-microk8s.yaml delete mode 100644 
resources/latest/charts/istiod-remote/files/profile-platform-minikube.yaml delete mode 100644 resources/latest/charts/istiod-remote/files/profile-platform-openshift.yaml delete mode 100644 resources/latest/charts/istiod-remote/templates/_helpers.tpl delete mode 100644 resources/latest/charts/istiod-remote/templates/clusterrole.yaml delete mode 100644 resources/latest/charts/istiod-remote/templates/clusterrolebinding.yaml delete mode 100644 resources/latest/charts/istiod-remote/templates/configmap.yaml delete mode 100644 resources/latest/charts/istiod-remote/templates/default.yaml delete mode 100644 resources/latest/charts/istiod-remote/templates/defaultrevisionvalidatingadmissionpolicy.yaml delete mode 100644 resources/latest/charts/istiod-remote/templates/istiod-injector-configmap.yaml delete mode 100644 resources/latest/charts/istiod-remote/templates/mutatingwebhook.yaml delete mode 100644 resources/latest/charts/istiod-remote/templates/reader-clusterrole.yaml delete mode 100644 resources/latest/charts/istiod-remote/templates/reader-clusterrolebinding.yaml delete mode 100644 resources/latest/charts/istiod-remote/templates/reader-serviceaccount.yaml delete mode 100644 resources/latest/charts/istiod-remote/templates/role.yaml delete mode 100644 resources/latest/charts/istiod-remote/templates/rolebinding.yaml delete mode 100644 resources/latest/charts/istiod-remote/templates/serviceaccount.yaml delete mode 100644 resources/latest/charts/istiod-remote/templates/validatingadmissionpolicy.yaml delete mode 100644 resources/latest/charts/istiod-remote/templates/validatingwebhookconfiguration.yaml delete mode 100644 resources/latest/charts/istiod-remote/templates/zzy_descope_legacy.yaml delete mode 100644 resources/latest/charts/istiod-remote/templates/zzz_profile.yaml delete mode 100644 resources/latest/charts/istiod-remote/values.yaml create mode 100644 resources/latest/charts/istiod/files/profile-remote.yaml rename 
resources/latest/charts/{istiod-remote/templates/endpoints.yaml => istiod/templates/remote-istiod-endpoints.yaml} (82%) rename resources/latest/charts/{istiod-remote/templates/services.yaml => istiod/templates/remote-istiod-service.yaml} (71%) create mode 100644 resources/latest/charts/ztunnel/files/profile-remote.yaml rename resources/{v1.21.5 => v1.21.6}/charts/base/Chart.yaml (86%) rename resources/{v1.21.5 => v1.21.6}/charts/base/README.md (100%) rename resources/{v1.21.5 => v1.21.6}/charts/base/crds/crd-all.gen.yaml (100%) rename resources/{v1.21.5 => v1.21.6}/charts/base/files/profile-ambient.yaml (100%) rename resources/{v1.21.5 => v1.21.6}/charts/base/files/profile-compatibility-version-1.20.yaml (100%) rename resources/{v1.21.5 => v1.21.6}/charts/base/files/profile-demo.yaml (100%) rename resources/{v1.21.5 => v1.21.6}/charts/base/files/profile-openshift.yaml (100%) rename resources/{v1.21.5 => v1.21.6}/charts/base/files/profile-preview.yaml (100%) rename resources/{v1.21.5 => v1.21.6}/charts/base/templates/NOTES.txt (100%) rename resources/{v1.21.5 => v1.21.6}/charts/base/templates/crds.yaml (100%) rename resources/{v1.21.5 => v1.21.6}/charts/base/templates/default.yaml (100%) rename resources/{v1.21.5 => v1.21.6}/charts/base/templates/endpoints.yaml (100%) rename resources/{v1.21.5 => v1.21.6}/charts/base/templates/reader-serviceaccount.yaml (100%) rename resources/{v1.21.5 => v1.21.6}/charts/base/templates/services.yaml (100%) rename resources/{v1.21.5 => v1.21.6}/charts/base/templates/zzz_profile.yaml (100%) rename resources/{v1.21.5 => v1.21.6}/charts/base/values.yaml (100%) rename resources/{v1.21.5 => v1.21.6}/charts/cni/Chart.yaml (86%) rename resources/{v1.21.5 => v1.21.6}/charts/cni/README.md (100%) rename resources/{v1.21.5 => v1.21.6}/charts/cni/files/profile-ambient.yaml (100%) rename resources/{v1.21.5 => v1.21.6}/charts/cni/files/profile-compatibility-version-1.20.yaml (100%) rename resources/{v1.21.5 => 
v1.21.6}/charts/cni/files/profile-demo.yaml (100%) rename resources/{v1.21.5 => v1.21.6}/charts/cni/files/profile-openshift.yaml (100%) rename resources/{v1.21.5 => v1.21.6}/charts/cni/files/profile-preview.yaml (100%) rename resources/{v1.21.5 => v1.21.6}/charts/cni/templates/NOTES.txt (100%) rename resources/{v1.21.5 => v1.21.6}/charts/cni/templates/clusterrole.yaml (100%) rename resources/{v1.21.5 => v1.21.6}/charts/cni/templates/clusterrolebinding.yaml (100%) rename resources/{v1.21.5 => v1.21.6}/charts/cni/templates/configmap-cni.yaml (100%) rename resources/{v1.21.5 => v1.21.6}/charts/cni/templates/daemonset.yaml (100%) rename resources/{v1.21.5 => v1.21.6}/charts/cni/templates/network-attachment-definition.yaml (100%) rename resources/{v1.21.5 => v1.21.6}/charts/cni/templates/resourcequota.yaml (100%) rename resources/{v1.21.5 => v1.21.6}/charts/cni/templates/serviceaccount.yaml (100%) rename resources/{v1.21.5 => v1.21.6}/charts/cni/templates/zzz_profile.yaml (100%) rename resources/{v1.21.5 => v1.21.6}/charts/cni/values.yaml (99%) rename resources/{v1.22.3 => v1.21.6}/charts/gateway/Chart.yaml (86%) rename resources/{v1.21.5 => v1.21.6}/charts/gateway/README.md (100%) rename resources/{v1.21.5 => v1.21.6}/charts/gateway/files/profile-ambient.yaml (100%) rename resources/{v1.21.5 => v1.21.6}/charts/gateway/files/profile-compatibility-version-1.20.yaml (100%) rename resources/{v1.21.5 => v1.21.6}/charts/gateway/files/profile-demo.yaml (100%) rename resources/{v1.21.5 => v1.21.6}/charts/gateway/files/profile-openshift.yaml (100%) rename resources/{v1.21.5 => v1.21.6}/charts/gateway/files/profile-preview.yaml (100%) rename resources/{v1.21.5 => v1.21.6}/charts/gateway/templates/NOTES.txt (100%) rename resources/{v1.21.5 => v1.21.6}/charts/gateway/templates/_helpers.tpl (100%) rename resources/{v1.21.5 => v1.21.6}/charts/gateway/templates/deployment.yaml (100%) rename resources/{v1.21.5 => v1.21.6}/charts/gateway/templates/hpa.yaml (100%) rename 
resources/{v1.21.5 => v1.21.6}/charts/gateway/templates/poddisruptionbudget.yaml (100%) rename resources/{v1.21.5 => v1.21.6}/charts/gateway/templates/role.yaml (100%) rename resources/{v1.21.5 => v1.21.6}/charts/gateway/templates/service.yaml (100%) rename resources/{v1.21.5 => v1.21.6}/charts/gateway/templates/serviceaccount.yaml (100%) rename resources/{v1.21.5 => v1.21.6}/charts/gateway/templates/zzz_profile.yaml (100%) rename resources/{v1.21.5 => v1.21.6}/charts/gateway/values.schema.json (100%) rename resources/{v1.21.5 => v1.21.6}/charts/gateway/values.yaml (100%) rename resources/{v1.21.5 => v1.21.6}/charts/istiod/Chart.yaml (86%) rename resources/{v1.21.5 => v1.21.6}/charts/istiod/README.md (100%) rename resources/{v1.21.5 => v1.21.6}/charts/istiod/files/gateway-injection-template.yaml (100%) rename resources/{v1.21.5 => v1.21.6}/charts/istiod/files/grpc-agent.yaml (100%) rename resources/{v1.21.5 => v1.21.6}/charts/istiod/files/grpc-simple.yaml (100%) rename resources/{v1.21.5 => v1.21.6}/charts/istiod/files/injection-template.yaml (100%) rename resources/{v1.21.5 => v1.21.6}/charts/istiod/files/kube-gateway.yaml (100%) rename resources/{v1.21.5 => v1.21.6}/charts/istiod/files/profile-ambient.yaml (100%) rename resources/{v1.21.5 => v1.21.6}/charts/istiod/files/profile-compatibility-version-1.20.yaml (100%) rename resources/{v1.21.5 => v1.21.6}/charts/istiod/files/profile-demo.yaml (100%) rename resources/{v1.21.5 => v1.21.6}/charts/istiod/files/profile-openshift.yaml (100%) rename resources/{v1.21.5 => v1.21.6}/charts/istiod/files/profile-preview.yaml (100%) rename resources/{v1.21.5 => v1.21.6}/charts/istiod/files/waypoint.yaml (100%) rename resources/{v1.21.5 => v1.21.6}/charts/istiod/templates/NOTES.txt (100%) rename resources/{v1.21.5 => v1.21.6}/charts/istiod/templates/_helpers.tpl (100%) rename resources/{v1.21.5 => v1.21.6}/charts/istiod/templates/autoscale.yaml (100%) rename resources/{v1.21.5 => v1.21.6}/charts/istiod/templates/clusterrole.yaml 
(100%) rename resources/{v1.21.5 => v1.21.6}/charts/istiod/templates/clusterrolebinding.yaml (100%) rename resources/{v1.21.5 => v1.21.6}/charts/istiod/templates/configmap-jwks.yaml (100%) rename resources/{v1.21.5 => v1.21.6}/charts/istiod/templates/configmap.yaml (100%) rename resources/{v1.21.5 => v1.21.6}/charts/istiod/templates/deployment.yaml (100%) rename resources/{v1.21.5 => v1.21.6}/charts/istiod/templates/istiod-injector-configmap.yaml (100%) rename resources/{v1.21.5 => v1.21.6}/charts/istiod/templates/mutatingwebhook.yaml (100%) rename resources/{v1.21.5 => v1.21.6}/charts/istiod/templates/poddisruptionbudget.yaml (100%) rename resources/{v1.21.5 => v1.21.6}/charts/istiod/templates/reader-clusterrole.yaml (100%) rename resources/{v1.21.5 => v1.21.6}/charts/istiod/templates/reader-clusterrolebinding.yaml (100%) rename resources/{v1.21.5 => v1.21.6}/charts/istiod/templates/revision-tags.yaml (100%) rename resources/{v1.21.5 => v1.21.6}/charts/istiod/templates/role.yaml (100%) rename resources/{v1.21.5 => v1.21.6}/charts/istiod/templates/rolebinding.yaml (100%) rename resources/{v1.21.5 => v1.21.6}/charts/istiod/templates/service.yaml (100%) rename resources/{v1.21.5 => v1.21.6}/charts/istiod/templates/serviceaccount.yaml (100%) rename resources/{v1.21.5 => v1.21.6}/charts/istiod/templates/validatingwebhookconfiguration.yaml (100%) rename resources/{v1.21.5 => v1.21.6}/charts/istiod/templates/zzz_profile.yaml (100%) rename resources/{v1.21.5 => v1.21.6}/charts/istiod/values.yaml (99%) rename resources/{v1.22.3 => v1.21.6}/charts/ztunnel/Chart.yaml (86%) rename resources/{v1.21.5 => v1.21.6}/charts/ztunnel/README.md (100%) rename resources/{v1.21.5 => v1.21.6}/charts/ztunnel/files/profile-ambient.yaml (100%) rename resources/{v1.21.5 => v1.21.6}/charts/ztunnel/files/profile-compatibility-version-1.20.yaml (100%) rename resources/{v1.21.5 => v1.21.6}/charts/ztunnel/files/profile-demo.yaml (100%) rename resources/{v1.21.5 => 
v1.21.6}/charts/ztunnel/files/profile-openshift.yaml (100%) rename resources/{v1.21.5 => v1.21.6}/charts/ztunnel/files/profile-preview.yaml (100%) rename resources/{v1.21.5 => v1.21.6}/charts/ztunnel/templates/NOTES.txt (100%) rename resources/{v1.21.5 => v1.21.6}/charts/ztunnel/templates/daemonset.yaml (100%) rename resources/{v1.21.5 => v1.21.6}/charts/ztunnel/templates/rbac.yaml (100%) rename resources/{v1.21.5 => v1.21.6}/charts/ztunnel/templates/zzz_profile.yaml (100%) rename resources/{v1.21.5 => v1.21.6}/charts/ztunnel/values.yaml (99%) rename resources/{v1.21.5 => v1.21.6}/profiles/ambient.yaml (100%) rename resources/{v1.21.5 => v1.21.6}/profiles/default.yaml (100%) rename resources/{v1.21.5 => v1.21.6}/profiles/demo.yaml (100%) rename resources/{v1.21.5 => v1.21.6}/profiles/empty.yaml (100%) rename resources/{v1.21.5 => v1.21.6}/profiles/external.yaml (100%) rename resources/{v1.21.5 => v1.21.6}/profiles/openshift.yaml (100%) rename resources/{v1.21.5 => v1.21.6}/profiles/preview.yaml (100%) delete mode 100644 resources/v1.22.3/charts/ztunnel/files/profile-compatibility-version-1.21.yaml delete mode 100644 resources/v1.22.3/charts/ztunnel/templates/zzz_profile.yaml rename resources/{v1.22.3 => v1.22.5}/charts/base/Chart.yaml (86%) rename resources/{v1.22.3 => v1.22.5}/charts/base/README.md (100%) rename resources/{v1.22.3 => v1.22.5}/charts/base/crds/crd-all.gen.yaml (100%) rename resources/{v1.22.3 => v1.22.5}/charts/base/files/profile-ambient.yaml (100%) rename resources/{v1.22.3 => v1.22.5}/charts/base/files/profile-compatibility-version-1.20.yaml (100%) rename resources/{v1.22.3/charts/istiod => v1.22.5/charts/base}/files/profile-compatibility-version-1.21.yaml (90%) rename resources/{v1.22.3 => v1.22.5}/charts/base/files/profile-demo.yaml (100%) rename resources/{v1.22.3 => v1.22.5}/charts/base/files/profile-openshift-ambient.yaml (100%) rename resources/{v1.22.3 => v1.22.5}/charts/base/files/profile-openshift.yaml (100%) rename 
resources/{latest/charts/istiod-remote => v1.22.5/charts/base}/files/profile-preview.yaml (100%) rename resources/{latest/charts/istiod-remote => v1.22.5/charts/base}/files/profile-stable.yaml (100%) rename resources/{v1.22.3 => v1.22.5}/charts/base/templates/NOTES.txt (100%) rename resources/{v1.22.3 => v1.22.5}/charts/base/templates/crds.yaml (100%) rename resources/{v1.22.3 => v1.22.5}/charts/base/templates/default.yaml (100%) rename resources/{v1.22.3 => v1.22.5}/charts/base/templates/endpoints.yaml (100%) rename resources/{v1.22.3 => v1.22.5}/charts/base/templates/reader-serviceaccount.yaml (100%) rename resources/{v1.22.3 => v1.22.5}/charts/base/templates/services.yaml (100%) rename resources/{v1.22.3 => v1.22.5}/charts/base/templates/validatingadmissionpolicy.yaml (100%) rename resources/{v1.23.0 => v1.22.5}/charts/base/templates/zzz_profile.yaml (100%) rename resources/{v1.22.3 => v1.22.5}/charts/base/values.yaml (100%) rename resources/{v1.22.3 => v1.22.5}/charts/cni/Chart.yaml (85%) rename resources/{v1.22.3 => v1.22.5}/charts/cni/README.md (100%) rename resources/{v1.22.3 => v1.22.5}/charts/cni/files/profile-ambient.yaml (100%) rename resources/{v1.22.3 => v1.22.5}/charts/cni/files/profile-compatibility-version-1.20.yaml (100%) rename resources/{v1.22.3/charts/gateway => v1.22.5/charts/cni}/files/profile-compatibility-version-1.21.yaml (90%) rename resources/{v1.22.3 => v1.22.5}/charts/cni/files/profile-demo.yaml (100%) rename resources/{v1.22.3 => v1.22.5}/charts/cni/files/profile-openshift-ambient.yaml (100%) rename resources/{v1.22.3 => v1.22.5}/charts/cni/files/profile-openshift.yaml (100%) rename resources/{v1.22.3/charts/base => v1.22.5/charts/cni}/files/profile-preview.yaml (100%) rename resources/{v1.22.3/charts/base => v1.22.5/charts/cni}/files/profile-stable.yaml (100%) rename resources/{v1.22.3 => v1.22.5}/charts/cni/templates/NOTES.txt (100%) rename resources/{v1.22.3 => v1.22.5}/charts/cni/templates/clusterrole.yaml (100%) rename 
resources/{v1.22.3 => v1.22.5}/charts/cni/templates/clusterrolebinding.yaml (100%) rename resources/{v1.22.3 => v1.22.5}/charts/cni/templates/configmap-cni.yaml (100%) rename resources/{v1.22.3 => v1.22.5}/charts/cni/templates/daemonset.yaml (100%) rename resources/{v1.22.3 => v1.22.5}/charts/cni/templates/network-attachment-definition.yaml (100%) rename resources/{v1.22.3 => v1.22.5}/charts/cni/templates/resourcequota.yaml (100%) rename resources/{v1.22.3 => v1.22.5}/charts/cni/templates/serviceaccount.yaml (100%) rename resources/{v1.23.0 => v1.22.5}/charts/cni/templates/zzz_profile.yaml (100%) rename resources/{v1.22.3 => v1.22.5}/charts/cni/values.yaml (99%) rename resources/{v1.23.0 => v1.22.5}/charts/gateway/Chart.yaml (86%) rename resources/{v1.22.3 => v1.22.5}/charts/gateway/README.md (100%) rename resources/{v1.22.3 => v1.22.5}/charts/gateway/files/profile-ambient.yaml (100%) rename resources/{v1.22.3 => v1.22.5}/charts/gateway/files/profile-compatibility-version-1.20.yaml (100%) rename resources/{v1.22.3/charts/base => v1.22.5/charts/gateway}/files/profile-compatibility-version-1.21.yaml (90%) rename resources/{v1.22.3 => v1.22.5}/charts/gateway/files/profile-demo.yaml (100%) rename resources/{v1.22.3 => v1.22.5}/charts/gateway/files/profile-openshift-ambient.yaml (100%) rename resources/{v1.22.3 => v1.22.5}/charts/gateway/files/profile-openshift.yaml (100%) rename resources/{v1.22.3/charts/cni => v1.22.5/charts/gateway}/files/profile-preview.yaml (100%) rename resources/{v1.22.3/charts/cni => v1.22.5/charts/gateway}/files/profile-stable.yaml (100%) rename resources/{v1.22.3 => v1.22.5}/charts/gateway/templates/NOTES.txt (100%) rename resources/{v1.22.3 => v1.22.5}/charts/gateway/templates/_helpers.tpl (100%) rename resources/{v1.22.3 => v1.22.5}/charts/gateway/templates/deployment.yaml (100%) rename resources/{v1.22.3 => v1.22.5}/charts/gateway/templates/hpa.yaml (100%) rename resources/{v1.22.3 => 
v1.22.5}/charts/gateway/templates/poddisruptionbudget.yaml (100%) rename resources/{v1.22.3 => v1.22.5}/charts/gateway/templates/role.yaml (100%) rename resources/{v1.22.3 => v1.22.5}/charts/gateway/templates/service.yaml (100%) rename resources/{v1.22.3 => v1.22.5}/charts/gateway/templates/serviceaccount.yaml (100%) rename resources/{v1.23.0 => v1.22.5}/charts/gateway/templates/zzz_profile.yaml (100%) rename resources/{v1.23.0 => v1.22.5}/charts/gateway/values.schema.json (100%) rename resources/{v1.22.3 => v1.22.5}/charts/gateway/values.yaml (100%) rename resources/{v1.22.3 => v1.22.5}/charts/istiod/Chart.yaml (86%) rename resources/{v1.22.3 => v1.22.5}/charts/istiod/README.md (100%) rename resources/{v1.22.3 => v1.22.5}/charts/istiod/files/gateway-injection-template.yaml (100%) rename resources/{v1.22.3 => v1.22.5}/charts/istiod/files/grpc-agent.yaml (100%) rename resources/{v1.22.3 => v1.22.5}/charts/istiod/files/grpc-simple.yaml (100%) rename resources/{v1.22.3 => v1.22.5}/charts/istiod/files/injection-template.yaml (100%) rename resources/{v1.22.3 => v1.22.5}/charts/istiod/files/kube-gateway.yaml (100%) rename resources/{v1.22.3 => v1.22.5}/charts/istiod/files/profile-ambient.yaml (100%) rename resources/{v1.22.3 => v1.22.5}/charts/istiod/files/profile-compatibility-version-1.20.yaml (100%) rename resources/{v1.22.3/charts/cni => v1.22.5/charts/istiod}/files/profile-compatibility-version-1.21.yaml (90%) rename resources/{v1.22.3 => v1.22.5}/charts/istiod/files/profile-demo.yaml (100%) rename resources/{v1.22.3 => v1.22.5}/charts/istiod/files/profile-openshift-ambient.yaml (100%) rename resources/{v1.22.3 => v1.22.5}/charts/istiod/files/profile-openshift.yaml (100%) rename resources/{v1.22.3/charts/gateway => v1.22.5/charts/istiod}/files/profile-preview.yaml (100%) rename resources/{v1.22.3/charts/gateway => v1.22.5/charts/istiod}/files/profile-stable.yaml (100%) rename resources/{v1.22.3 => v1.22.5}/charts/istiod/files/waypoint.yaml (100%) rename 
resources/{v1.22.3 => v1.22.5}/charts/istiod/templates/NOTES.txt (98%) rename resources/{v1.22.3 => v1.22.5}/charts/istiod/templates/_helpers.tpl (100%) rename resources/{v1.22.3 => v1.22.5}/charts/istiod/templates/autoscale.yaml (100%) rename resources/{v1.22.3 => v1.22.5}/charts/istiod/templates/clusterrole.yaml (100%) rename resources/{v1.22.3 => v1.22.5}/charts/istiod/templates/clusterrolebinding.yaml (100%) rename resources/{v1.22.3 => v1.22.5}/charts/istiod/templates/configmap-jwks.yaml (100%) rename resources/{v1.22.3 => v1.22.5}/charts/istiod/templates/configmap.yaml (100%) rename resources/{v1.22.3 => v1.22.5}/charts/istiod/templates/deployment.yaml (100%) rename resources/{v1.22.3 => v1.22.5}/charts/istiod/templates/istiod-injector-configmap.yaml (100%) rename resources/{v1.22.3 => v1.22.5}/charts/istiod/templates/mutatingwebhook.yaml (100%) rename resources/{v1.22.3 => v1.22.5}/charts/istiod/templates/poddisruptionbudget.yaml (100%) rename resources/{v1.22.3 => v1.22.5}/charts/istiod/templates/reader-clusterrole.yaml (100%) rename resources/{v1.22.3 => v1.22.5}/charts/istiod/templates/reader-clusterrolebinding.yaml (100%) rename resources/{v1.22.3 => v1.22.5}/charts/istiod/templates/revision-tags.yaml (100%) rename resources/{v1.22.3 => v1.22.5}/charts/istiod/templates/role.yaml (100%) rename resources/{v1.22.3 => v1.22.5}/charts/istiod/templates/rolebinding.yaml (100%) rename resources/{v1.22.3 => v1.22.5}/charts/istiod/templates/service.yaml (100%) rename resources/{v1.22.3 => v1.22.5}/charts/istiod/templates/serviceaccount.yaml (100%) rename resources/{v1.22.3 => v1.22.5}/charts/istiod/templates/validatingadmissionpolicy.yaml (100%) rename resources/{v1.22.3 => v1.22.5}/charts/istiod/templates/validatingwebhookconfiguration.yaml (100%) rename resources/{v1.23.0/charts/istiod-remote => v1.22.5/charts/istiod}/templates/zzz_profile.yaml (100%) rename resources/{v1.22.3 => v1.22.5}/charts/istiod/values.yaml (99%) rename resources/{v1.21.5 => 
v1.22.5}/charts/ztunnel/Chart.yaml (86%) rename resources/{v1.22.3 => v1.22.5}/charts/ztunnel/README.md (100%) rename resources/{v1.22.3 => v1.22.5}/charts/ztunnel/files/profile-ambient.yaml (100%) rename resources/{v1.22.3 => v1.22.5}/charts/ztunnel/files/profile-compatibility-version-1.20.yaml (100%) create mode 100644 resources/v1.22.5/charts/ztunnel/files/profile-compatibility-version-1.21.yaml rename resources/{v1.22.3 => v1.22.5}/charts/ztunnel/files/profile-demo.yaml (100%) rename resources/{v1.22.3 => v1.22.5}/charts/ztunnel/files/profile-openshift-ambient.yaml (100%) rename resources/{v1.22.3 => v1.22.5}/charts/ztunnel/files/profile-openshift.yaml (100%) rename resources/{v1.22.3/charts/istiod => v1.22.5/charts/ztunnel}/files/profile-preview.yaml (100%) rename resources/{v1.22.3/charts/istiod => v1.22.5/charts/ztunnel}/files/profile-stable.yaml (100%) rename resources/{v1.22.3 => v1.22.5}/charts/ztunnel/templates/NOTES.txt (100%) rename resources/{latest => v1.22.5}/charts/ztunnel/templates/_helpers.tpl (100%) rename resources/{v1.22.3 => v1.22.5}/charts/ztunnel/templates/daemonset.yaml (98%) rename resources/{v1.22.3 => v1.22.5}/charts/ztunnel/templates/rbac.yaml (93%) rename resources/{v1.23.0 => v1.22.5}/charts/ztunnel/templates/zzz_profile.yaml (100%) rename resources/{v1.22.3 => v1.22.5}/charts/ztunnel/values.yaml (99%) rename resources/{v1.22.3 => v1.22.5}/profiles/ambient.yaml (100%) rename resources/{v1.22.3 => v1.22.5}/profiles/default.yaml (100%) rename resources/{v1.22.3 => v1.22.5}/profiles/demo.yaml (100%) rename resources/{v1.22.3 => v1.22.5}/profiles/empty.yaml (100%) rename resources/{v1.22.3 => v1.22.5}/profiles/openshift-ambient.yaml (100%) rename resources/{v1.22.3 => v1.22.5}/profiles/openshift.yaml (100%) rename resources/{v1.22.3 => v1.22.5}/profiles/preview.yaml (100%) rename resources/{v1.22.3 => v1.22.5}/profiles/stable.yaml (100%) delete mode 100644 resources/v1.23.0/charts/istiod-remote/NOTES.txt delete mode 100644 
resources/v1.23.0/charts/istiod/files/gateway-injection-template.yaml delete mode 100644 resources/v1.23.0/charts/istiod/files/profile-compatibility-version-1.21.yaml delete mode 100644 resources/v1.23.0/charts/istiod/files/profile-compatibility-version-1.22.yaml delete mode 100644 resources/v1.23.0/charts/ztunnel/files/profile-compatibility-version-1.21.yaml delete mode 100644 resources/v1.23.0/charts/ztunnel/files/profile-compatibility-version-1.22.yaml delete mode 100644 resources/v1.23.0/charts/ztunnel/files/profile-preview.yaml delete mode 100644 resources/v1.23.0/charts/ztunnel/files/profile-stable.yaml rename resources/{v1.23.0 => v1.23.2}/charts/base/Chart.yaml (86%) rename resources/{v1.23.0 => v1.23.2}/charts/base/README.md (100%) rename resources/{v1.23.0 => v1.23.2}/charts/base/crds/crd-all.gen.yaml (99%) rename resources/{v1.23.0 => v1.23.2}/charts/base/files/profile-ambient.yaml (100%) rename resources/{v1.23.0 => v1.23.2}/charts/base/files/profile-compatibility-version-1.20.yaml (100%) rename resources/{v1.23.0 => v1.23.2}/charts/base/files/profile-compatibility-version-1.21.yaml (88%) rename resources/{v1.23.0/charts/gateway => v1.23.2/charts/base}/files/profile-compatibility-version-1.22.yaml (72%) rename resources/{v1.23.0 => v1.23.2}/charts/base/files/profile-demo.yaml (100%) rename resources/{v1.23.0 => v1.23.2}/charts/base/files/profile-openshift-ambient.yaml (100%) rename resources/{v1.23.0 => v1.23.2}/charts/base/files/profile-openshift.yaml (100%) rename resources/{v1.22.3/charts/ztunnel => v1.23.2/charts/base}/files/profile-preview.yaml (100%) rename resources/{v1.22.3/charts/ztunnel => v1.23.2/charts/base}/files/profile-stable.yaml (100%) rename resources/{v1.23.0 => v1.23.2}/charts/base/templates/NOTES.txt (100%) rename resources/{v1.23.0 => v1.23.2}/charts/base/templates/crds.yaml (100%) rename resources/{v1.23.0 => v1.23.2}/charts/base/templates/default.yaml (100%) rename resources/{v1.23.0 => 
v1.23.2}/charts/base/templates/endpoints.yaml (100%) rename resources/{v1.23.0 => v1.23.2}/charts/base/templates/reader-serviceaccount.yaml (100%) rename resources/{v1.23.0 => v1.23.2}/charts/base/templates/services.yaml (100%) rename resources/{v1.23.0 => v1.23.2}/charts/base/templates/validatingadmissionpolicy.yaml (100%) rename resources/{v1.23.0/charts/istiod => v1.23.2/charts/base}/templates/zzz_profile.yaml (100%) rename resources/{v1.23.0 => v1.23.2}/charts/base/values.yaml (100%) rename resources/{v1.23.0 => v1.23.2}/charts/cni/Chart.yaml (85%) rename resources/{v1.23.0 => v1.23.2}/charts/cni/README.md (100%) rename resources/{v1.23.0 => v1.23.2}/charts/cni/files/profile-ambient.yaml (100%) rename resources/{v1.23.0 => v1.23.2}/charts/cni/files/profile-compatibility-version-1.20.yaml (100%) rename resources/{v1.23.0 => v1.23.2}/charts/cni/files/profile-compatibility-version-1.21.yaml (88%) rename resources/{v1.23.0 => v1.23.2}/charts/cni/files/profile-compatibility-version-1.22.yaml (72%) rename resources/{v1.23.0 => v1.23.2}/charts/cni/files/profile-demo.yaml (100%) rename resources/{v1.23.0 => v1.23.2}/charts/cni/files/profile-openshift-ambient.yaml (100%) rename resources/{v1.23.0 => v1.23.2}/charts/cni/files/profile-openshift.yaml (100%) rename resources/{v1.23.0/charts/base => v1.23.2/charts/cni}/files/profile-preview.yaml (100%) rename resources/{v1.23.0/charts/base => v1.23.2/charts/cni}/files/profile-stable.yaml (100%) rename resources/{v1.23.0 => v1.23.2}/charts/cni/templates/NOTES.txt (100%) rename resources/{v1.23.0 => v1.23.2}/charts/cni/templates/_helpers.tpl (100%) rename resources/{v1.23.0 => v1.23.2}/charts/cni/templates/clusterrole.yaml (100%) rename resources/{v1.23.0 => v1.23.2}/charts/cni/templates/clusterrolebinding.yaml (100%) rename resources/{v1.23.0 => v1.23.2}/charts/cni/templates/configmap-cni.yaml (100%) rename resources/{v1.23.0 => v1.23.2}/charts/cni/templates/daemonset.yaml (100%) rename resources/{v1.23.0 => 
v1.23.2}/charts/cni/templates/network-attachment-definition.yaml (100%) rename resources/{v1.23.0 => v1.23.2}/charts/cni/templates/resourcequota.yaml (100%) rename resources/{v1.23.0 => v1.23.2}/charts/cni/templates/serviceaccount.yaml (100%) rename resources/{v1.22.3/charts/base => v1.23.2/charts/cni}/templates/zzz_profile.yaml (88%) rename resources/{v1.23.0 => v1.23.2}/charts/cni/values.yaml (99%) rename resources/{v1.21.5 => v1.23.2}/charts/gateway/Chart.yaml (86%) rename resources/{v1.23.0 => v1.23.2}/charts/gateway/README.md (100%) rename resources/{v1.23.0 => v1.23.2}/charts/gateway/files/profile-ambient.yaml (100%) rename resources/{v1.23.0 => v1.23.2}/charts/gateway/files/profile-compatibility-version-1.20.yaml (100%) rename resources/{v1.23.0 => v1.23.2}/charts/gateway/files/profile-compatibility-version-1.21.yaml (88%) rename resources/{v1.23.0/charts/istiod-remote => v1.23.2/charts/gateway}/files/profile-compatibility-version-1.22.yaml (72%) rename resources/{v1.23.0 => v1.23.2}/charts/gateway/files/profile-demo.yaml (100%) rename resources/{v1.23.0 => v1.23.2}/charts/gateway/files/profile-openshift-ambient.yaml (100%) rename resources/{v1.23.0 => v1.23.2}/charts/gateway/files/profile-openshift.yaml (100%) rename resources/{v1.23.0/charts/cni => v1.23.2/charts/gateway}/files/profile-preview.yaml (100%) rename resources/{v1.23.0/charts/cni => v1.23.2/charts/gateway}/files/profile-stable.yaml (100%) rename resources/{v1.23.0 => v1.23.2}/charts/gateway/templates/NOTES.txt (100%) rename resources/{v1.23.0 => v1.23.2}/charts/gateway/templates/_helpers.tpl (100%) rename resources/{v1.23.0 => v1.23.2}/charts/gateway/templates/deployment.yaml (100%) rename resources/{v1.23.0 => v1.23.2}/charts/gateway/templates/hpa.yaml (100%) rename resources/{v1.23.0 => v1.23.2}/charts/gateway/templates/poddisruptionbudget.yaml (100%) rename resources/{v1.23.0 => v1.23.2}/charts/gateway/templates/role.yaml (100%) rename resources/{v1.23.0 => 
v1.23.2}/charts/gateway/templates/service.yaml (100%) rename resources/{v1.23.0 => v1.23.2}/charts/gateway/templates/serviceaccount.yaml (100%) rename resources/{v1.22.3 => v1.23.2}/charts/gateway/templates/zzz_profile.yaml (88%) rename resources/{v1.22.3 => v1.23.2}/charts/gateway/values.schema.json (97%) rename resources/{v1.23.0 => v1.23.2}/charts/gateway/values.yaml (100%) rename resources/{v1.23.0 => v1.23.2}/charts/istiod-remote/Chart.yaml (87%) rename resources/{latest => v1.23.2}/charts/istiod-remote/NOTES.txt (100%) rename resources/{latest => v1.23.2}/charts/istiod-remote/files/gateway-injection-template.yaml (100%) rename resources/{v1.23.0 => v1.23.2}/charts/istiod-remote/files/injection-template.yaml (100%) rename resources/{v1.23.0 => v1.23.2}/charts/istiod-remote/files/profile-ambient.yaml (100%) rename resources/{v1.23.0 => v1.23.2}/charts/istiod-remote/files/profile-compatibility-version-1.20.yaml (100%) rename resources/{v1.23.0 => v1.23.2}/charts/istiod-remote/files/profile-compatibility-version-1.21.yaml (88%) rename resources/{v1.23.0/charts/base => v1.23.2/charts/istiod-remote}/files/profile-compatibility-version-1.22.yaml (72%) rename resources/{v1.23.0 => v1.23.2}/charts/istiod-remote/files/profile-demo.yaml (100%) rename resources/{v1.23.0 => v1.23.2}/charts/istiod-remote/files/profile-openshift-ambient.yaml (100%) rename resources/{v1.23.0 => v1.23.2}/charts/istiod-remote/files/profile-openshift.yaml (100%) rename resources/{v1.23.0/charts/gateway => v1.23.2/charts/istiod-remote}/files/profile-preview.yaml (100%) rename resources/{v1.23.0/charts/gateway => v1.23.2/charts/istiod-remote}/files/profile-stable.yaml (100%) rename resources/{v1.23.0 => v1.23.2}/charts/istiod-remote/templates/_helpers.tpl (100%) rename resources/{v1.23.0 => v1.23.2}/charts/istiod-remote/templates/clusterrole.yaml (100%) rename resources/{v1.23.0 => v1.23.2}/charts/istiod-remote/templates/clusterrolebinding.yaml (100%) rename resources/{v1.23.0 => 
v1.23.2}/charts/istiod-remote/templates/configmap.yaml (100%) rename resources/{v1.23.0 => v1.23.2}/charts/istiod-remote/templates/default.yaml (100%) rename resources/{v1.23.0 => v1.23.2}/charts/istiod-remote/templates/defaultrevisionvalidatingadmissionpolicy.yaml (100%) rename resources/{v1.23.0 => v1.23.2}/charts/istiod-remote/templates/endpoints.yaml (100%) rename resources/{v1.23.0 => v1.23.2}/charts/istiod-remote/templates/istiod-injector-configmap.yaml (100%) rename resources/{v1.23.0 => v1.23.2}/charts/istiod-remote/templates/mutatingwebhook.yaml (100%) rename resources/{v1.23.0 => v1.23.2}/charts/istiod-remote/templates/reader-clusterrole.yaml (100%) rename resources/{v1.23.0 => v1.23.2}/charts/istiod-remote/templates/reader-clusterrolebinding.yaml (100%) rename resources/{v1.23.0 => v1.23.2}/charts/istiod-remote/templates/reader-serviceaccount.yaml (100%) rename resources/{v1.23.0 => v1.23.2}/charts/istiod-remote/templates/role.yaml (100%) rename resources/{v1.23.0 => v1.23.2}/charts/istiod-remote/templates/rolebinding.yaml (100%) rename resources/{v1.23.0 => v1.23.2}/charts/istiod-remote/templates/serviceaccount.yaml (100%) rename resources/{v1.23.0 => v1.23.2}/charts/istiod-remote/templates/services.yaml (100%) rename resources/{v1.23.0 => v1.23.2}/charts/istiod-remote/templates/validatingadmissionpolicy.yaml (100%) rename resources/{v1.23.0 => v1.23.2}/charts/istiod-remote/templates/validatingwebhookconfiguration.yaml (100%) rename resources/{v1.22.3/charts/istiod => v1.23.2/charts/istiod-remote}/templates/zzz_profile.yaml (88%) rename resources/{v1.23.0 => v1.23.2}/charts/istiod-remote/values.yaml (99%) rename resources/{v1.23.0 => v1.23.2}/charts/istiod/Chart.yaml (86%) rename resources/{v1.23.0 => v1.23.2}/charts/istiod/README.md (100%) rename resources/{v1.23.0/charts/istiod-remote => v1.23.2/charts/istiod}/files/gateway-injection-template.yaml (100%) rename resources/{v1.23.0 => v1.23.2}/charts/istiod/files/grpc-agent.yaml (100%) rename 
resources/{v1.23.0 => v1.23.2}/charts/istiod/files/grpc-simple.yaml (100%) rename resources/{v1.23.0 => v1.23.2}/charts/istiod/files/injection-template.yaml (100%) rename resources/{v1.23.0 => v1.23.2}/charts/istiod/files/kube-gateway.yaml (100%) rename resources/{v1.23.0 => v1.23.2}/charts/istiod/files/profile-ambient.yaml (100%) rename resources/{v1.23.0 => v1.23.2}/charts/istiod/files/profile-compatibility-version-1.20.yaml (100%) create mode 100644 resources/v1.23.2/charts/istiod/files/profile-compatibility-version-1.21.yaml create mode 100644 resources/v1.23.2/charts/istiod/files/profile-compatibility-version-1.22.yaml rename resources/{v1.23.0 => v1.23.2}/charts/istiod/files/profile-demo.yaml (100%) rename resources/{v1.23.0 => v1.23.2}/charts/istiod/files/profile-openshift-ambient.yaml (100%) rename resources/{v1.23.0 => v1.23.2}/charts/istiod/files/profile-openshift.yaml (100%) rename resources/{v1.23.0/charts/istiod-remote => v1.23.2/charts/istiod}/files/profile-preview.yaml (100%) rename resources/{v1.23.0/charts/istiod-remote => v1.23.2/charts/istiod}/files/profile-stable.yaml (100%) rename resources/{v1.23.0 => v1.23.2}/charts/istiod/files/waypoint.yaml (100%) rename resources/{v1.23.0 => v1.23.2}/charts/istiod/templates/NOTES.txt (100%) rename resources/{v1.23.0 => v1.23.2}/charts/istiod/templates/_helpers.tpl (100%) rename resources/{v1.23.0 => v1.23.2}/charts/istiod/templates/autoscale.yaml (100%) rename resources/{v1.23.0 => v1.23.2}/charts/istiod/templates/clusterrole.yaml (100%) rename resources/{v1.23.0 => v1.23.2}/charts/istiod/templates/clusterrolebinding.yaml (100%) rename resources/{v1.23.0 => v1.23.2}/charts/istiod/templates/configmap-jwks.yaml (100%) rename resources/{v1.23.0 => v1.23.2}/charts/istiod/templates/configmap.yaml (100%) rename resources/{v1.23.0 => v1.23.2}/charts/istiod/templates/deployment.yaml (97%) rename resources/{v1.23.0 => v1.23.2}/charts/istiod/templates/istiod-injector-configmap.yaml (100%) rename resources/{v1.23.0 
=> v1.23.2}/charts/istiod/templates/mutatingwebhook.yaml (100%) rename resources/{v1.23.0 => v1.23.2}/charts/istiod/templates/poddisruptionbudget.yaml (100%) rename resources/{v1.23.0 => v1.23.2}/charts/istiod/templates/reader-clusterrole.yaml (100%) rename resources/{v1.23.0 => v1.23.2}/charts/istiod/templates/reader-clusterrolebinding.yaml (100%) rename resources/{v1.23.0 => v1.23.2}/charts/istiod/templates/revision-tags.yaml (100%) rename resources/{v1.23.0 => v1.23.2}/charts/istiod/templates/role.yaml (100%) rename resources/{v1.23.0 => v1.23.2}/charts/istiod/templates/rolebinding.yaml (100%) rename resources/{v1.23.0 => v1.23.2}/charts/istiod/templates/service.yaml (100%) rename resources/{v1.23.0 => v1.23.2}/charts/istiod/templates/serviceaccount.yaml (100%) rename resources/{v1.23.0 => v1.23.2}/charts/istiod/templates/validatingadmissionpolicy.yaml (100%) rename resources/{v1.23.0 => v1.23.2}/charts/istiod/templates/validatingwebhookconfiguration.yaml (100%) create mode 100644 resources/v1.23.2/charts/istiod/templates/zzz_profile.yaml rename resources/{v1.23.0 => v1.23.2}/charts/istiod/values.yaml (99%) rename resources/{v1.23.0 => v1.23.2}/charts/ztunnel/Chart.yaml (86%) rename resources/{v1.23.0 => v1.23.2}/charts/ztunnel/README.md (100%) rename resources/{v1.23.0 => v1.23.2}/charts/ztunnel/files/profile-ambient.yaml (100%) rename resources/{v1.23.0 => v1.23.2}/charts/ztunnel/files/profile-compatibility-version-1.20.yaml (100%) create mode 100644 resources/v1.23.2/charts/ztunnel/files/profile-compatibility-version-1.21.yaml create mode 100644 resources/v1.23.2/charts/ztunnel/files/profile-compatibility-version-1.22.yaml rename resources/{v1.23.0 => v1.23.2}/charts/ztunnel/files/profile-demo.yaml (100%) rename resources/{v1.23.0 => v1.23.2}/charts/ztunnel/files/profile-openshift-ambient.yaml (100%) rename resources/{v1.23.0 => v1.23.2}/charts/ztunnel/files/profile-openshift.yaml (100%) rename resources/{v1.23.0/charts/istiod => 
v1.23.2/charts/ztunnel}/files/profile-preview.yaml (100%) rename resources/{v1.23.0/charts/istiod => v1.23.2/charts/ztunnel}/files/profile-stable.yaml (100%) rename resources/{v1.23.0 => v1.23.2}/charts/ztunnel/templates/NOTES.txt (100%) rename resources/{v1.23.0 => v1.23.2}/charts/ztunnel/templates/_helpers.tpl (100%) rename resources/{v1.23.0 => v1.23.2}/charts/ztunnel/templates/daemonset.yaml (100%) rename resources/{v1.23.0 => v1.23.2}/charts/ztunnel/templates/rbac.yaml (100%) rename resources/{v1.22.3/charts/cni => v1.23.2/charts/ztunnel}/templates/zzz_profile.yaml (88%) rename resources/{v1.23.0 => v1.23.2}/charts/ztunnel/values.yaml (99%) rename resources/{v1.23.0 => v1.23.2}/profiles/ambient.yaml (100%) rename resources/{v1.23.0 => v1.23.2}/profiles/default.yaml (100%) rename resources/{v1.23.0 => v1.23.2}/profiles/demo.yaml (100%) rename resources/{v1.23.0 => v1.23.2}/profiles/empty.yaml (100%) rename resources/{v1.23.0 => v1.23.2}/profiles/openshift-ambient.yaml (100%) rename resources/{v1.23.0 => v1.23.2}/profiles/openshift.yaml (100%) rename resources/{v1.23.0 => v1.23.2}/profiles/preview.yaml (100%) rename resources/{v1.23.0 => v1.23.2}/profiles/stable.yaml (100%) diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json index 591b24ffa..2cb39e8ca 100644 --- a/.devcontainer/devcontainer.json +++ b/.devcontainer/devcontainer.json @@ -1,6 +1,6 @@ { "name": "istio build-tools", - "image": "gcr.io/istio-testing/build-tools:master-8584ca511549c1cd96d9cb8b900297de83f4cb64", + "image": "gcr.io/istio-testing/build-tools:master-8463430ba963638b35745d773045701f6d02014d", "privileged": true, "remoteEnv": { "USE_GKE_GCLOUD_AUTH_PLUGIN": "True", diff --git a/Makefile.core.mk b/Makefile.core.mk index b953d1d0a..432245601 100644 --- a/Makefile.core.mk +++ b/Makefile.core.mk 
@@ -461,11 +461,11 @@ OPM ?= $(LOCALBIN)/opm
 ISTIOCTL ?= $(LOCALBIN)/istioctl
 ## Tool Versions
-OPERATOR_SDK_VERSION ?= v1.36.1
-HELM_VERSION ?= v3.15.3
-CONTROLLER_TOOLS_VERSION ?= v0.16.0
-OPM_VERSION ?= v1.45.0
-GITLEAKS_VERSION ?= v8.18.4
+OPERATOR_SDK_VERSION ?= v1.37.0
+HELM_VERSION ?= v3.16.1
+CONTROLLER_TOOLS_VERSION ?= v0.16.3
+OPM_VERSION ?= v1.47.0
+GITLEAKS_VERSION ?= v8.20.0
 ISTIOCTL_VERSION ?= 1.23.0
 # GENERATE_RELATED_IMAGES defines whether `spec.relatedImages` is going to be generated or not
diff --git a/api/v1alpha1/istio_types.go b/api/v1alpha1/istio_types.go
index ba39fdc06..2f5c80b1d 100644
--- a/api/v1alpha1/istio_types.go
+++ b/api/v1alpha1/istio_types.go
@@ -37,10 +37,10 @@ const (
 type IstioSpec struct {
 // +sail:version
 // Defines the version of Istio to install.
- // Must be one of: v1.23.0, v1.22.3, v1.21.5, latest.
- // +operator-sdk:csv:customresourcedefinitions:type=spec,order=1,displayName="Istio Version",xDescriptors={"urn:alm:descriptor:com.tectonic.ui:fieldGroup:General", "urn:alm:descriptor:com.tectonic.ui:select:v1.23.0", "urn:alm:descriptor:com.tectonic.ui:select:v1.22.3", "urn:alm:descriptor:com.tectonic.ui:select:v1.21.5", "urn:alm:descriptor:com.tectonic.ui:select:latest"}
- // +kubebuilder:validation:Enum=v1.23.0;v1.22.3;v1.21.5;latest
- // +kubebuilder:default=v1.23.0
+ // Must be one of: v1.23.2, v1.22.5, v1.21.6, latest.
+ // +operator-sdk:csv:customresourcedefinitions:type=spec,order=1,displayName="Istio Version",xDescriptors={"urn:alm:descriptor:com.tectonic.ui:fieldGroup:General", "urn:alm:descriptor:com.tectonic.ui:select:v1.23.2", "urn:alm:descriptor:com.tectonic.ui:select:v1.22.5", "urn:alm:descriptor:com.tectonic.ui:select:v1.21.6", "urn:alm:descriptor:com.tectonic.ui:select:latest"}
+ // +kubebuilder:validation:Enum=v1.23.2;v1.22.5;v1.21.6;latest
+ // +kubebuilder:default=v1.23.2
 Version string `json:"version"`
 // Defines the update strategy to use when the version in the Istio CR is updated.
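Review bot: Dropping v1.23.0, v1.22.3 and v1.21.5 from `+kubebuilder:validation:Enum` on `IstioSpec.Version` makes every existing Istio CR still pinned to one of those versions an object the regenerated CRD schema rejects, so the next `kubectl apply`/edit of such a CR presumably fails validation until someone changes its version by hand; the hunk adds no conversion, migration note or deprecation window. If a hard cut is intended, say so in the release notes; otherwise keep the previous patch versions in the enum for one release, e.g. `+kubebuilder:validation:Enum=v1.23.2;v1.23.0;v1.22.5;v1.22.3;v1.21.6;v1.21.5;latest`. The `Must be one of:` sentence and the `xDescriptors` select list repeat the enum by hand; if the `+sail:version` marker is what a generator keys on, confirm these lines are regenerated rather than edited so they cannot drift. IstioSpec continues outside the hunk.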
@@ -51,10 +51,10 @@ type IstioSpec struct { // +sail:profile // The built-in installation configuration profile to use. // The 'default' profile is always applied. On OpenShift, the 'openshift' profile is also applied on top of 'default'. - // Must be one of: ambient, default, demo, empty, external, openshift-ambient, openshift, preview, stable. + // Must be one of: ambient, default, demo, empty, openshift-ambient, openshift, preview, stable. // +++PROFILES-DROPDOWN-HIDDEN-UNTIL-WE-FULLY-IMPLEMENT-THEM+++operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Profile",xDescriptors={"urn:alm:descriptor:com.tectonic.ui:fieldGroup:General", "urn:alm:descriptor:com.tectonic.ui:select:ambient", "urn:alm:descriptor:com.tectonic.ui:select:default", "urn:alm:descriptor:com.tectonic.ui:select:demo", "urn:alm:descriptor:com.tectonic.ui:select:empty", "urn:alm:descriptor:com.tectonic.ui:select:external", "urn:alm:descriptor:com.tectonic.ui:select:minimal", "urn:alm:descriptor:com.tectonic.ui:select:preview", "urn:alm:descriptor:com.tectonic.ui:select:remote"} // +operator-sdk:csv:customresourcedefinitions:type=spec,xDescriptors={"urn:alm:descriptor:com.tectonic.ui:hidden"} - // +kubebuilder:validation:Enum=ambient;default;demo;empty;external;openshift-ambient;openshift;preview;stable + // +kubebuilder:validation:Enum=ambient;default;demo;empty;openshift-ambient;openshift;preview;stable Profile string `json:"profile,omitempty"` // Namespace to which the Istio components should be installed. @@ -257,7 +257,7 @@ type Istio struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:default={version: "v1.23.0", namespace: "istio-system", updateStrategy: {type:"InPlace"}} + // +kubebuilder:default={version: "v1.23.2", namespace: "istio-system", updateStrategy: {type:"InPlace"}} Spec IstioSpec `json:"spec,omitempty"` Status IstioStatus `json:"status,omitempty"` 
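Review bot: The hidden descriptor kept as a context line between the two changed lines (`// +++PROFILES-DROPDOWN-HIDDEN-UNTIL-WE-FULLY-IMPLEMENT-THEM+++operator-sdk:csv:...`) still advertises `external`, `minimal` and `remote`, while the enum on the changed line below it now rejects `external` and never accepted `minimal` or `remote`; whoever re-enables that dropdown will ship a UI offering values the CRD refuses. Update its select list to the enum's values in the same change: `...select:empty", ...select:openshift-ambient", ...select:openshift", ...select:preview", ...select:stable"`. Removing `external` from the enum also invalidates existing CRs that set `spec.profile: external`, and nothing in the hunk migrates or documents that. The `+kubebuilder:default={version: "v1.23.2", ...}` bump in the third hunk is consistent with the field-level default above it.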
diff --git a/api/v1alpha1/istiocni_types.go b/api/v1alpha1/istiocni_types.go
index 0bceffb8c..e3decef59 100644
--- a/api/v1alpha1/istiocni_types.go
+++ b/api/v1alpha1/istiocni_types.go
@@ -28,19 +28,19 @@ const ( type IstioCNISpec struct { // +sail:version // Defines the version of Istio to install. - // Must be one of: v1.23.0, v1.22.3, v1.21.5, latest. - // +operator-sdk:csv:customresourcedefinitions:type=spec,order=1,displayName="Istio Version",xDescriptors={"urn:alm:descriptor:com.tectonic.ui:fieldGroup:General", "urn:alm:descriptor:com.tectonic.ui:select:v1.23.0", "urn:alm:descriptor:com.tectonic.ui:select:v1.22.3", "urn:alm:descriptor:com.tectonic.ui:select:v1.21.5", "urn:alm:descriptor:com.tectonic.ui:select:latest"} - // +kubebuilder:validation:Enum=v1.23.0;v1.22.3;v1.21.5;latest - // +kubebuilder:default=v1.23.0 + // Must be one of: v1.23.2, v1.22.5, v1.21.6, latest. + // +operator-sdk:csv:customresourcedefinitions:type=spec,order=1,displayName="Istio Version",xDescriptors={"urn:alm:descriptor:com.tectonic.ui:fieldGroup:General", "urn:alm:descriptor:com.tectonic.ui:select:v1.23.2", "urn:alm:descriptor:com.tectonic.ui:select:v1.22.5", "urn:alm:descriptor:com.tectonic.ui:select:v1.21.6", "urn:alm:descriptor:com.tectonic.ui:select:latest"} + // +kubebuilder:validation:Enum=v1.23.2;v1.22.5;v1.21.6;latest + // +kubebuilder:default=v1.23.2 Version string `json:"version"` // +sail:profile // The built-in installation configuration profile to use. // The 'default' profile is always applied. On OpenShift, the 'openshift' profile is also applied on top of 'default'. - // Must be one of: ambient, default, demo, empty, external, openshift-ambient, openshift, preview, stable. + // Must be one of: ambient, default, demo, empty, openshift-ambient, openshift, preview, stable. 
// +++PROFILES-DROPDOWN-HIDDEN-UNTIL-WE-FULLY-IMPLEMENT-THEM+++operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Profile",xDescriptors={"urn:alm:descriptor:com.tectonic.ui:fieldGroup:General", "urn:alm:descriptor:com.tectonic.ui:select:ambient", "urn:alm:descriptor:com.tectonic.ui:select:default", "urn:alm:descriptor:com.tectonic.ui:select:demo", "urn:alm:descriptor:com.tectonic.ui:select:empty", "urn:alm:descriptor:com.tectonic.ui:select:external", "urn:alm:descriptor:com.tectonic.ui:select:minimal", "urn:alm:descriptor:com.tectonic.ui:select:preview", "urn:alm:descriptor:com.tectonic.ui:select:remote"} // +operator-sdk:csv:customresourcedefinitions:type=spec,xDescriptors={"urn:alm:descriptor:com.tectonic.ui:hidden"} - // +kubebuilder:validation:Enum=ambient;default;demo;empty;external;openshift-ambient;openshift;preview;stable + // +kubebuilder:validation:Enum=ambient;default;demo;empty;openshift-ambient;openshift;preview;stable Profile string `json:"profile,omitempty"` // Namespace to which the Istio CNI component should be installed. @@ -177,7 +177,7 @@ type IstioCNI struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:default={version: "v1.23.0", namespace: "istio-cni"} + // +kubebuilder:default={version: "v1.23.2", namespace: "istio-cni"} Spec IstioCNISpec `json:"spec,omitempty"` Status IstioCNIStatus `json:"status,omitempty"` diff --git a/api/v1alpha1/istiorevision_types.go b/api/v1alpha1/istiorevision_types.go index 9500341f3..289d2f067 100644 --- a/api/v1alpha1/istiorevision_types.go +++ b/api/v1alpha1/istiorevision_types.go 
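Review bot: Same drift as in istio_types.go: the context line `// +++PROFILES-DROPDOWN-HIDDEN-...` for `IstioCNISpec.Profile` still lists `external`, `minimal` and `remote`, but the changed `+kubebuilder:validation:Enum` now allows only `ambient;default;demo;empty;openshift-ambient;openshift;preview;stable`. Bring the descriptor's select list in line with the enum so the two cannot disagree when the dropdown is enabled. As with the Istio CRD, narrowing the Version enum to v1.23.2/v1.22.5/v1.21.6 means an IstioCNI object still pinned to v1.23.0, v1.22.3 or v1.21.5 is presumably rejected on its next update; a short upgrade note, or a one-release overlap in the enum, would cover that. IstioCNISpec continues outside the hunk.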
@@ -35,9 +35,9 @@ type IstioRevisionSpec struct {
 // +sail:version
 // Defines the version of Istio to install.
- // Must be one of: v1.23.0, v1.22.3, v1.21.5, latest.
- // +operator-sdk:csv:customresourcedefinitions:type=spec,order=1,displayName="Istio Version",xDescriptors={"urn:alm:descriptor:com.tectonic.ui:fieldGroup:General", "urn:alm:descriptor:com.tectonic.ui:select:v1.23.0", "urn:alm:descriptor:com.tectonic.ui:select:v1.22.3", "urn:alm:descriptor:com.tectonic.ui:select:v1.21.5", "urn:alm:descriptor:com.tectonic.ui:select:latest"}
- // +kubebuilder:validation:Enum=v1.23.0;v1.22.3;v1.21.5;latest
+ // Must be one of: v1.23.2, v1.22.5, v1.21.6, latest.
+ // +operator-sdk:csv:customresourcedefinitions:type=spec,order=1,displayName="Istio Version",xDescriptors={"urn:alm:descriptor:com.tectonic.ui:fieldGroup:General", "urn:alm:descriptor:com.tectonic.ui:select:v1.23.2", "urn:alm:descriptor:com.tectonic.ui:select:v1.22.5", "urn:alm:descriptor:com.tectonic.ui:select:v1.21.6", "urn:alm:descriptor:com.tectonic.ui:select:latest"}
+ // +kubebuilder:validation:Enum=v1.23.2;v1.22.5;v1.21.6;latest
 Version string `json:"version"`
 // Namespace to which the Istio components should be installed.
diff --git a/api/v1alpha1/remoteistio_types.go b/api/v1alpha1/remoteistio_types.go
index dbfe3707c..50f773d33 100644
--- a/api/v1alpha1/remoteistio_types.go
+++ b/api/v1alpha1/remoteistio_types.go
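Review bot: `IstioRevisionSpec.Version` loses v1.23.0, v1.22.3 and v1.21.5 from its enum, and IstioRevision objects are the ones that presumably describe control planes already running (judging by the parallel Istio/RemoteIstio types in this patch, they are derived from those CRs); once the regenerated CRD is applied, an in-cluster revision still at an old patch version can no longer be updated until it is moved to a new one, and the hunk does not say how that transition is meant to happen. Unlike Istio and RemoteIstio there is no `+kubebuilder:default` on this field (unchanged from the original), so it must always be set explicitly; that deserves a one-line comment such as `// Required; unlike Istio.spec.version this field has no default.` IstioRevisionSpec continues outside the hunk.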
@@ -27,10 +27,10 @@ const RemoteIstioKind = "RemoteIstio" type RemoteIstioSpec struct { // +sail:version // Defines the version of Istio to install. - // Must be one of: v1.23.0, v1.22.3, v1.21.5, latest. - // +operator-sdk:csv:customresourcedefinitions:type=spec,order=1,displayName="Istio Version",xDescriptors={"urn:alm:descriptor:com.tectonic.ui:fieldGroup:General", "urn:alm:descriptor:com.tectonic.ui:select:v1.23.0", "urn:alm:descriptor:com.tectonic.ui:select:v1.22.3", "urn:alm:descriptor:com.tectonic.ui:select:v1.21.5", "urn:alm:descriptor:com.tectonic.ui:select:latest"} - // +kubebuilder:validation:Enum=v1.23.0;v1.22.3;v1.21.5;latest - // +kubebuilder:default=v1.23.0 + // Must be one of: v1.23.2, v1.22.5, v1.21.6, latest. + // +operator-sdk:csv:customresourcedefinitions:type=spec,order=1,displayName="Istio Version",xDescriptors={"urn:alm:descriptor:com.tectonic.ui:fieldGroup:General", "urn:alm:descriptor:com.tectonic.ui:select:v1.23.2", "urn:alm:descriptor:com.tectonic.ui:select:v1.22.5", "urn:alm:descriptor:com.tectonic.ui:select:v1.21.6", "urn:alm:descriptor:com.tectonic.ui:select:latest"} + // +kubebuilder:validation:Enum=v1.23.2;v1.22.5;v1.21.6;latest + // +kubebuilder:default=v1.23.2 Version string `json:"version"` // Defines the update strategy to use when the version in the RemoteIstio CR is updated. 
@@ -41,10 +41,10 @@ type RemoteIstioSpec struct { // +sail:profile // The built-in installation configuration profile to use. // The 'default' profile is always applied. On OpenShift, the 'openshift' profile is also applied on top of 'default'. - // Must be one of: ambient, default, demo, empty, external, openshift-ambient, openshift, preview, stable. + // Must be one of: ambient, default, demo, empty, openshift-ambient, openshift, preview, stable. // +++PROFILES-DROPDOWN-HIDDEN-UNTIL-WE-FULLY-IMPLEMENT-THEM+++operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Profile",xDescriptors={"urn:alm:descriptor:com.tectonic.ui:fieldGroup:General", "urn:alm:descriptor:com.tectonic.ui:select:ambient", "urn:alm:descriptor:com.tectonic.ui:select:default", "urn:alm:descriptor:com.tectonic.ui:select:demo", "urn:alm:descriptor:com.tectonic.ui:select:empty", "urn:alm:descriptor:com.tectonic.ui:select:external", "urn:alm:descriptor:com.tectonic.ui:select:minimal", "urn:alm:descriptor:com.tectonic.ui:select:preview", "urn:alm:descriptor:com.tectonic.ui:select:remote"} // +operator-sdk:csv:customresourcedefinitions:type=spec,xDescriptors={"urn:alm:descriptor:com.tectonic.ui:hidden"} - // +kubebuilder:validation:Enum=ambient;default;demo;empty;external;openshift-ambient;openshift;preview;stable + // +kubebuilder:validation:Enum=ambient;default;demo;empty;openshift-ambient;openshift;preview;stable Profile string `json:"profile,omitempty"` // Namespace to which the Istio components should be installed. @@ -197,7 +197,7 @@ type RemoteIstio struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // +kubebuilder:default={version: "v1.23.0", namespace: "istio-system", updateStrategy: {type:"InPlace"}} + // +kubebuilder:default={version: "v1.23.2", namespace: "istio-system", updateStrategy: {type:"InPlace"}} Spec RemoteIstioSpec `json:"spec,omitempty"` Status RemoteIstioStatus `json:"status,omitempty"` 
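Review bot: Dropping `external` from the `+kubebuilder:validation:Enum` on `RemoteIstioSpec.Profile` is a breaking API change that the hunk leaves undocumented: any existing `RemoteIstio` object that still carries `profile: external` will be rejected on its next update once the regenerated CRD is applied (and, on API servers without CRD validation ratcheting, presumably even the operator's own status writes could fail — worth confirming). The hunk also leaves the hidden xDescriptors marker still listing `external`, `minimal` and `remote`, which no longer matches the enum; it is inert because of the `+++PROFILES-DROPDOWN-HIDDEN…+++` prefix, but keeping the two lists aligned avoids the stale entry resurfacing when the dropdown is re-enabled. I would add a migration note on the field, e.g. `// Note: the 'external' profile is no longer accepted; migrate existing RemoteIstio resources that use it before upgrading the CRD.` and remove `external` (and the other non-enum values) from the hidden descriptor list. The enclosing `RemoteIstioSpec` struct starts and ends outside this hunk.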
diff --git a/api/v1alpha1/values_types.gen.go b/api/v1alpha1/values_types.gen.go index 276fc28b4..f1d55adb4 100644 --- a/api/v1alpha1/values_types.gen.go +++ b/api/v1alpha1/values_types.gen.go @@ -253,8 +253,6 @@ type GlobalConfig struct { // Deprecated: Marked as deprecated in pkg/apis/values_types.proto. DefaultNodeSelector map[string]string `json:"defaultNodeSelector,omitempty"` // Specifies the default pod disruption budget configuration. - // - // Deprecated: Marked as deprecated in pkg/apis/values_types.proto. DefaultPodDisruptionBudget *DefaultPodDisruptionBudgetConfig `json:"defaultPodDisruptionBudget,omitempty"` // Default k8s resources settings for all Istio control plane components. // @@ -610,6 +608,8 @@ type PilotConfig struct { // If set, `istiod` will allow connections from trusted node proxy ztunnels // in the provided namespace. TrustedZtunnelNamespace string `json:"trustedZtunnelNamespace,omitempty"` + // Configuration for the istio-discovery chart when istiod is running in a remote cluster (e.g. "remote control plane"). + IstiodRemote *IstiodRemoteConfig `json:"istiodRemote,omitempty"` } type PilotTaintControllerConfig struct { @@ -884,6 +884,8 @@ type TracerStackdriverConfig struct { } type BaseConfig struct { + // CRDs to exclude. Requires `enableCRDTemplates` + ExcludedCRDs []string `json:"excludedCRDs,omitempty"` // URL to use for validating webhook. ValidationURL string `json:"validationURL,omitempty"` @@ -898,6 +900,8 @@ type IstiodRemoteConfig struct { InjectionPath string `json:"injectionPath,omitempty"` // injector ca bundle InjectionCABundle string `json:"injectionCABundle,omitempty"` + // Indicates if this cluster/install should consume a "remote" istiod instance, + Enabled *bool `json:"enabled,omitempty"` } type Values struct { 
@@ -921,6 +925,10 @@ type Values struct { // Configuration for the base component. Base *BaseConfig `json:"base,omitempty"` // Configuration for istiod-remote. + // DEPRECATED - istiod-remote chart is removed and replaced with + // `istio-discovery --set values.istiodRemote.enabled=true` + // + // Deprecated: Marked as deprecated in pkg/apis/values_types.proto. IstiodRemote *IstiodRemoteConfig `json:"istiodRemote,omitempty"` // Specifies the aliases for the Istio control plane revision. A MutatingWebhookConfiguration // is created for each alias. @@ -957,6 +965,22 @@ type WaypointConfig struct { // // See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container Resources *k8sv1.ResourceRequirements `json:"resources,omitempty"` + // K8s affinity settings for waypoint pods. + // + // See https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + Affinity *k8sv1.Affinity `json:"affinity,omitempty"` + // K8s topology spread constraints settings. + // + // See https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ + TopologySpreadConstraints []*k8sv1.TopologySpreadConstraint `json:"topologySpreadConstraints,omitempty"` + // K8s node labels settings. + // + // See https://kubernetes.io/docs/user-guide/node-selection/ + NodeSelector *k8sv1.NodeSelector `json:"nodeSelector,omitempty"` + // K8s tolerations settings. + // + // See https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + Toleration []*k8sv1.Toleration `json:"toleration,omitempty"` } // CNIGlobalConfig is a subset of the Global Configuration used in the Istio CNI chart. 
@@ -1012,12 +1036,12 @@ const ( MeshConfigIngressControllerModeOff MeshConfigIngressControllerMode = "OFF" // Istio ingress controller will act on ingress resources that do not // contain any annotation or whose annotations match the value - // specified in the ingress_class parameter described earlier. Use this + // specified in the ingressClass parameter described earlier. Use this // mode if Istio ingress controller will be the default ingress // controller for the entire Kubernetes cluster. MeshConfigIngressControllerModeDefault MeshConfigIngressControllerMode = "DEFAULT" // Istio ingress controller will only act on ingress resources whose - // annotations match the value specified in the ingress_class parameter + // annotations match the value specified in the ingressClass parameter // described earlier. Use this mode if Istio ingress controller will be // a secondary ingress controller (e.g., in addition to a // cloud-provided ingress controller). @@ -1190,7 +1214,7 @@ type MeshConfig struct { // the Gateway.selector field, and will be set as `istio: INGRESS_SELECTOR`. // By default, `ingressgateway` is used, which will select the default IngressGateway as it has the // `istio: ingressgateway` labels. - // It is recommended that this is the same value as ingress_service. + // It is recommended that this is the same value as ingressService. IngressSelector string `json:"ingressSelector,omitempty"` // Flag to control generation of trace spans and request IDs. // Requires a trace span collector defined in the proxy configuration. 
@@ -1251,7 +1275,7 @@ type MeshConfig struct { // The trust domain corresponds to the trust root of a system. // Refer to [SPIFFE-ID](https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain) TrustDomain string `json:"trustDomain,omitempty"` - // The trust domain aliases represent the aliases of `trust_domain`. + // The trust domain aliases represent the aliases of `trustDomain`. // For example, if we have // ```yaml // trustDomain: td1 @@ -1265,7 +1289,7 @@ type MeshConfig struct { // are automatically added by Istiod. // The CA certificate that signs the workload certificates is automatically added by Istio Agent. CaCertificates []*MeshConfigCertificateData `json:"caCertificates,omitempty"` - // The default value for the ServiceEntry.export_to field and services + // The default value for the ServiceEntry.exportTo field and services // imported through container registry integrations, e.g. this applies to // Kubernetes Service resources. The value is a list of namespace names and // reserved namespace aliases. The allowed namespace aliases are: 
@@ -1290,14 +1314,14 @@ type MeshConfig struct { // For further discussion see the reference documentation for `ServiceEntry`, // `Sidecar`, and `Gateway`. DefaultServiceExportTo []string `json:"defaultServiceExportTo,omitempty"` - // The default value for the VirtualService.export_to field. Has the same - // syntax as `default_service_export_to`. + // The default value for the VirtualService.exportTo field. Has the same + // syntax as `defaultServiceExportTo`. // // If not set the system will use "*" as the default value which implies that // virtual services are exported to all namespaces DefaultVirtualServiceExportTo []string `json:"defaultVirtualServiceExportTo,omitempty"` - // The default value for the `DestinationRule.export_to` field. Has the same - // syntax as `default_service_export_to`. + // The default value for the `DestinationRule.exportTo` field. Has the same + // syntax as `defaultServiceExportTo`. // // If not set the system will use "*" as the default value which implies that // destination rules are exported to all namespaces @@ -1478,7 +1502,7 @@ type MeshConfig struct { // Note: Mesh mTLS does not respect ECDH curves. MeshMTLS *MeshConfigTLSConfig `json:"meshMTLS,omitempty"` // Configuration of TLS for all traffic except for ISTIO_MUTUAL mode. - // Currently, this supports configuration of ecdh_curves and cipher_suites only. + // Currently, this supports configuration of ecdhCurves and cipherSuites only. // For ISTIO_MUTUAL TLS settings, use meshMTLS configuration. TlsDefaults *MeshConfigTLSConfig `json:"tlsDefaults,omitempty"` } 
@@ -1492,7 +1516,7 @@ type ConfigSource struct { // Use xds:// to specify a grpc-based xds backend, k8s:// to specify a k8s controller or // fs:/// to specify a file-based backend with absolute path to the directory. Address string `json:"address,omitempty"` - // Use the tls_settings to specify the tls mode to use. If the MCP server + // Use the tlsSettings to specify the tls mode to use. If the MCP server // uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS // mode as `ISTIO_MUTUAL`. TlsSettings *ClientTLSSettings `json:"tlsSettings,omitempty"` 
@@ -1559,12 +1583,12 @@ type MeshConfigCertificateData struct { // Optional. Specify the list of trust domains to which this trustAnchor data belongs. // If set, they are used for these trust domains. Otherwise, this trustAnchor is used for default trust domain // and its aliases. - // Note that we can have multiple trustAnchor data for a same trust_domain. + // Note that we can have multiple trustAnchor data for a same trustDomain. // In that case, trustAnchors with a same trust domain will be merged and used together to verify peer certificates. - // If neither cert_signers nor trust_domains is set, this trustAnchor is used for all trust domains and all signers. - // If only trust_domains is set, this trustAnchor is used for these trust_domains and all signers. - // If only cert_signers is set, this trustAnchor is used for these cert_signers and all trust domains. - // If both cert_signers and trust_domains is set, this trustAnchor is only used for these signers and trust domains. + // If neither certSigners nor trustDomains is set, this trustAnchor is used for all trust domains and all signers. + // If only trustDomains is set, this trustAnchor is used for these trustDomains and all signers. + // If only certSigners is set, this trustAnchor is used for these certSigners and all trust domains. + // If both certSigners and trustDomains is set, this trustAnchor is only used for these signers and trust domains. TrustDomains []string `json:"trustDomains,omitempty"` } @@ -1577,7 +1601,7 @@ type MeshConfigCertificateData struct { // ```yaml // serviceSettings: // - settings: -// cluster_local: true +// clusterLocal: true // hosts: // - "*.foo.svc.cluster.local" // - "bar.baz.svc.cluster.local" 
@@ -1599,8 +1623,8 @@ type MeshConfigCA struct { // Eg: custom-ca.default.svc.cluster.local:8932, 192.168.23.2:9000 // +kubebuilder:validation:Required Address string `json:"address"` - // Use the tls_settings to specify the tls mode to use. - // Regarding tls_settings: + // Use the tlsSettings to specify the tls mode to use. + // Regarding tlsSettings: // - DISABLE MODE is legitimate for the case Istiod is making the request via an Envoy sidecar. // DISABLE MODE can also be used for testing // - TLS MUTUAL MODE be on by default. If the CA certificates @@ -1610,7 +1634,7 @@ type MeshConfigCA struct { // timeout for forward CSR requests from Istiod to External CA // Default: 10s RequestTimeout *metav1.Duration `json:"requestTimeout,omitempty"` - // Use istiod_side to specify CA Server integrate to Istiod side or Agent side + // Use istiodSide to specify CA Server integrate to Istiod side or Agent side // Default: true IstiodSide bool `json:"istiodSide,omitempty"` } @@ -1675,7 +1699,7 @@ type MeshConfigExtensionProvider struct { // Holds the name references to the providers that will be used by default // in other Istio configuration resources if the provider is not specified. // -// These names must match a provider defined in `extension_providers` that is +// These names must match a provider defined in `extensionProviders` that is // one of the supported tracing providers. type MeshConfigDefaultProviders struct { // Name of the default provider(s) for tracing. 
@@ -1739,12 +1763,12 @@ type MeshConfigServiceSettingsSettings struct { type MeshConfigExtensionProviderEnvoyExternalAuthorizationRequestBody struct { // Sets the maximum size of a message body that the ext-authz filter will hold in memory. - // If max_request_bytes is reached, and allow_partial_message is false, Envoy will return a 413 (Payload Too Large). + // If maxRequestBytes is reached, and allowPartialMessage is false, Envoy will return a 413 (Payload Too Large). // Otherwise the request will be sent to the provider with a partial message. - // Note that this setting will have precedence over the fail_open field, the 413 will be returned even when the - // fail_open is set to true. + // Note that this setting will have precedence over the failOpen field, the 413 will be returned even when the + // failOpen is set to true. MaxRequestBytes uint32 `json:"maxRequestBytes,omitempty"` - // When this field is true, ext-authz filter will buffer the message until max_request_bytes is reached. + // When this field is true, ext-authz filter will buffer the message until maxRequestBytes is reached. // The authorization request will be dispatched and no 413 HTTP error will be returned by the filter. // A "x-envoy-auth-partial-body: false|true" metadata header will be added to the authorization request message // indicating if the body data is partial. 
@@ -1752,7 +1776,7 @@ type MeshConfigExtensionProviderEnvoyExternalAuthorizationRequestBody struct { // If true, the body sent to the external authorization service in the gRPC authorization request is set with raw bytes // in the [raw_body field](https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L153). // Otherwise, it will be filled with UTF-8 string in the [body field](https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L147). - // This field only works with the envoy_ext_authz_grpc provider and has no effect for the envoy_ext_authz_http provider. + // This field only works with the envoyExtAuthzGrpc provider and has no effect for the envoyExtAuthzHttp provider. PackAsBytes bool `json:"packAsBytes,omitempty"` } @@ -1770,7 +1794,7 @@ type MeshConfigExtensionProviderEnvoyExternalAuthorizationHttpProvider struct { Port uint32 `json:"port"` // The maximum duration that the proxy will wait for a response from the provider (default timeout: 600s). // When this timeout condition is met, the proxy marks the communication to the authorization service as failure. - // In this situation, the response sent back to the client will depend on the configured `fail_open` field. + // In this situation, the response sent back to the client will depend on the configured `failOpen` field. Timeout *metav1.Duration `json:"timeout,omitempty"` // Sets a prefix to the value of authorization request header *Path*. // For example, setting this to "/check" for an original user request at path "/admin" will cause the 
@@ -1783,7 +1807,7 @@ type MeshConfigExtensionProviderEnvoyExternalAuthorizationHttpProvider struct { // Sets the HTTP status that is returned to the client when there is a network error to the authorization service. // The default status is "403" (HTTP Forbidden). StatusOnError string `json:"statusOnError,omitempty"` - // DEPRECATED. Use include_request_headers_in_check instead. + // DEPRECATED. Use includeRequestHeadersInCheck instead. // // Deprecated: Marked as deprecated in mesh/v1alpha1/config.proto. IncludeHeadersInCheck []string `json:"includeHeadersInCheck,omitempty"` @@ -1791,7 +1815,7 @@ type MeshConfigExtensionProviderEnvoyExternalAuthorizationHttpProvider struct { // Note that in addition to the headers specified here following headers are included by default: // 1. *Host*, *Method*, *Path* and *Content-Length* are automatically sent. // 2. *Content-Length* will be set to 0 and the request will not have a message body. However, the authorization - // request can include the buffered client request body (controlled by include_request_body_in_check setting), + // request can include the buffered client request body (controlled by includeRequestBodyInCheck setting), // consequently the value of Content-Length of the authorization request reflects the size of its payload size. // // Exact, prefix and suffix matches are supported (similar to the 
@@ -1803,7 +1827,7 @@ type MeshConfigExtensionProviderEnvoyExternalAuthorizationHttpProvider struct { IncludeRequestHeadersInCheck []string `json:"includeRequestHeadersInCheck,omitempty"` // Set of additional fixed headers that should be included in the authorization request sent to the authorization service. // Key is the header name and value is the header value. - // Note that client request of the same key or headers specified in include_request_headers_in_check will be overridden. + // Note that client request of the same key or headers specified in includeRequestHeadersInCheck will be overridden. IncludeAdditionalHeadersInCheck map[string]string `json:"includeAdditionalHeadersInCheck,omitempty"` // If set, the client request body will be included in the authorization request sent to the authorization service. IncludeRequestBodyInCheck *MeshConfigExtensionProviderEnvoyExternalAuthorizationRequestBody `json:"includeRequestBodyInCheck,omitempty"` @@ -1862,7 +1886,7 @@ type MeshConfigExtensionProviderEnvoyExternalAuthorizationGrpcProvider struct { Port uint32 `json:"port"` // The maximum duration that the proxy will wait for a response from the provider, this is the timeout for a specific request (default timeout: 600s). // When this timeout condition is met, the proxy marks the communication to the authorization service as failure. - // In this situation, the response sent back to the client will depend on the configured `fail_open` field. + // In this situation, the response sent back to the client will depend on the configured `failOpen` field. Timeout *metav1.Duration `json:"timeout,omitempty"` // If true, the HTTP request or TCP connection will be allowed even if the communication with the authorization service has failed, // or if the authorization service has returned a HTTP 5xx error. 
@@ -1894,6 +1918,9 @@ type MeshConfigExtensionProviderZipkinTracingProvider struct { // Optional. A 128 bit trace id will be used in Istio. // If true, will result in a 64 bit trace id being used. Enable64BitTraceId bool `json:"enable64bitTraceId,omitempty"` + // Optional. Specifies the endpoint of Zipkin API. + // The default value is "/api/v2/spans". + Path string `json:"path,omitempty"` } // Defines configuration for a Lightstep tracer. 
@@ -2184,6 +2211,47 @@ type MeshConfigExtensionProviderOpenTelemetryTracingProvider struct { // // ``` Http *MeshConfigExtensionProviderHttpService `json:"http,omitempty"` + // Optional. Specifies the configuration for exporting OTLP traces via GRPC. + // When empty, traces will check whether HTTP is set. + // If not, traces will use default GRPC configurations. + // + // The following example shows how to configure the OpenTelemetry ExtensionProvider to export via GRPC: + // + // 1. Add/change the OpenTelemetry extension provider in `MeshConfig` + // ```yaml + // - name: opentelemetry + // opentelemetry: + // port: 8090 + // service: tracing.example.com + // grpc: + // timeout: 10s + // initialMetadata: + // - name: "Authentication" + // value: "token-xxxxx" + // + // ``` + // + // 2. Deploy a `ServiceEntry` for the observability back-end + // ```yaml + // apiVersion: networking.istio.io/v1alpha3 + // kind: ServiceEntry + // metadata: + // + // name: tracing-grpc + // + // spec: + // + // hosts: + // - tracing.example.com + // ports: + // - number: 8090 + // name: grpc-port + // protocol: GRPC + // resolution: DNS + // location: MESH_EXTERNAL + // + // ``` + Grpc *MeshConfigExtensionProviderGrpcService `json:"grpc,omitempty"` // Optional. Specifies [Resource Detectors](https://opentelemetry.io/docs/specs/otel/resource/sdk/) // to be used by the OpenTelemetry Tracer. When multiple resources are provided, they are merged // according to the OpenTelemetry [Resource specification](https://opentelemetry.io/docs/specs/otel/resource/sdk/#merge). @@ -2196,7 +2264,7 @@ type MeshConfigExtensionProviderOpenTelemetryTracingProvider struct { // opentelemetry: // port: 443 // service: my.olly-backend.com - // resource_detectors: + // resourceDetectors: // environment: {} // // ``` 
@@ -2217,11 +2285,11 @@ type MeshConfigExtensionProviderOpenTelemetryTracingProvider struct { // headers: // - name: "Authorization" // value: "Api-Token dt0c01." - // resource_detectors: + // resourceDetectors: // dynatrace: {} - // dynatrace_sampler: + // dynatraceSampler: // tenant: "{your-environment-id}" - // cluster_id: 1234 + // clusterId: 1234 DynatraceSampler *MeshConfigExtensionProviderOpenTelemetryTracingProviderDynatraceSampler `json:"dynatraceSampler,omitempty"` } @@ -2253,6 +2321,17 @@ type MeshConfigExtensionProviderResourceDetectors struct { Dynatrace *MeshConfigExtensionProviderResourceDetectorsDynatraceResourceDetector `json:"dynatrace,omitempty"` } +// Defines configuration for an GRPC service that can be used by an Extension Provider. +// that does communication via GRPC. +type MeshConfigExtensionProviderGrpcService struct { + // Optional. Specifies the timeout for the GRPC request. + Timeout *metav1.Duration `json:"timeout,omitempty"` + // Optional. Additional metadata to include in streams initiated to the GrpcService. This can be used for + // scenarios in which additional ad hoc authorization headers (e.g. “x-foo-bar: baz-key“) are to + // be injected. + InitialMetadata []*MeshConfigExtensionProviderHttpHeader `json:"initialMetadata,omitempty"` +} + type MeshConfigExtensionProviderStackdriverProviderLogging struct { // Collection of tag names and tag expressions to include in the log // entry. Conflicts are resolved by the tag name by overriding previously 
@@ -2299,7 +2378,7 @@ type MeshConfigExtensionProviderEnvoyOpenTelemetryLogProviderLogFormat struct { // Textual format for the envoy access logs. Envoy [command operators](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators) may be // used in the format. The [format string documentation](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#config-access-log-format-strings) // provides more information. - // Alias to `body` filed in [Open Telemetry](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/open_telemetry/v3/logs_service.proto) + // Alias to `body` field in [Open Telemetry](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/open_telemetry/v3/logs_service.proto) // Example: `text: "%LOCAL_REPLY_BODY%:%RESPONSE_CODE%:path=%REQ(:path)%"` Text string `json:"text,omitempty"` // Optional. Additional attributes that describe the specific event occurrence. @@ -2308,7 +2387,7 @@ type MeshConfigExtensionProviderEnvoyOpenTelemetryLogProviderLogFormat struct { // as strings, numbers, or boolean values, as appropriate // (see: [format dictionaries](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#config-access-log-format-dictionaries)). Nested JSON is // supported for some command operators (e.g. FILTER_STATE or DYNAMIC_METADATA). - // Alias to `attributes` filed in [Open Telemetry](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/open_telemetry/v3/logs_service.proto) + // Alias to `attributes` field in [Open Telemetry](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/open_telemetry/v3/logs_service.proto) // // Example: // ``` 
@@ -2338,8 +2417,8 @@ type MeshConfigExtensionProviderOpenTelemetryTracingProviderDynatraceSampler str // // A default value of `1000` is used when: // - // - `root_spans_per_minute` is unset - // - `root_spans_per_minute` is set to 0 + // - `rootSpansPerMinute` is unset + // - `rootSpansPerMinute` is set to 0 RootSpansPerMinute uint32 `json:"rootSpansPerMinute,omitempty"` // Optional. Dynatrace HTTP API to obtain sampling configuration. // @@ -2434,7 +2513,7 @@ type MeshNetworks struct { // 2. Explicitly: // // a. By matching the registry name with one of the "fromRegistry" -// in the mesh config. A "from_registry" can only be assigned to a +// in the mesh config. A "fromRegistry" can only be assigned to a // single network. // // b. By matching the IP against one of the CIDR ranges in a mesh @@ -2493,7 +2572,7 @@ const ( ) // ForwardClientCertDetails controls how the x-forwarded-client-cert (XFCC) -// header is handled by the gateway proxy. +// header is handled by a proxy. // See [Envoy XFCC](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto.html#enum-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-forwardclientcertdetails) // header handling for more details. // +kubebuilder:validation:Enum=UNDEFINED;SANITIZE;FORWARD_ONLY;APPEND_FORWARD;SANITIZE_SET;ALWAYS_FORWARD_ONLY 
@@ -2502,16 +2581,16 @@ type ForwardClientCertDetails string const ( // Field is not set ForwardClientCertDetailsUndefined ForwardClientCertDetails = "UNDEFINED" - // Do not send the XFCC header to the next hop. This is the default value. + // Do not send the XFCC header to the next hop. ForwardClientCertDetailsSanitize ForwardClientCertDetails = "SANITIZE" // When the client connection is mTLS (Mutual TLS), forward the XFCC header // in the request. ForwardClientCertDetailsForwardOnly ForwardClientCertDetails = "FORWARD_ONLY" // When the client connection is mTLS, append the client certificate - // information to the request’s XFCC header and forward it. + // information to the request’s XFCC header and forward it. This is the default value for sidecar proxies. ForwardClientCertDetailsAppendForward ForwardClientCertDetails = "APPEND_FORWARD" // When the client connection is mTLS, reset the XFCC header with the client - // certificate information and send it to the next hop. + // certificate information and send it to the next hop. This is the default value for gateway proxies. ForwardClientCertDetailsSanitizeSet ForwardClientCertDetails = "SANITIZE_SET" // Always forward the XFCC header in the request, regardless of whether the // client connection is mTLS. @@ -2545,7 +2624,7 @@ const ( ) // Allows specification of various Istio-supported naming schemes for the -// Envoy `service_cluster` value. The `servce_cluster` value is primarily used +// Envoy `service_cluster` value. The `service_cluster` value is primarily used // by Envoys to provide service names for tracing spans. // +kubebuilder:validation:Enum=APP_LABEL_AND_NAMESPACE;CANONICAL_NAME_ONLY;CANONICAL_NAME_AND_NAMESPACE type ProxyConfigTracingServiceName string 
@@ -2632,7 +2711,7 @@ type Tracing struct { // The percentage of requests (0.0 - 100.0) that will be randomly selected for trace generation, // if not requested by the client or not forced. Default is 1.0. Sampling float64 `json:"sampling,omitempty"` - // Use the tls_settings to specify the tls mode to use. If the remote tracing service + // Use the tlsSettings to specify the tls mode to use. If the remote tracing service // uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS // mode as `ISTIO_MUTUAL`. TlsSettings *ClientTLSSettings `json:"tlsSettings,omitempty"` @@ -2665,7 +2744,7 @@ type Topology struct { // address to the X-Forwarded-For (XFF) address and set the // X-Envoy-External-Address header to the trusted client address before // forwarding it to the upstream services in the cluster. - // The default value of num_trusted_proxies is 0. + // The default value of numTrustedProxies is 0. // See [Envoy XFF](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#config-http-conn-man-headers-x-forwarded-for) // header handling for more details. NumTrustedProxies uint32 `json:"numTrustedProxies,omitempty"` @@ -2831,7 +2910,7 @@ type MeshConfigProxyConfig struct { // The amount of time allowed for connections to complete on proxy shutdown. // On receiving `SIGTERM` or `SIGINT`, `istio-agent` tells the active Envoy to start gracefully draining, // discouraging any new connections and allowing existing connections to complete. It then - // sleeps for the `termination_drain_duration` and then kills any remaining active Envoy processes. + // sleeps for the `terminationDrainDuration` and then kills any remaining active Envoy processes. // If not set, a default of `5s` will be applied. TerminationDrainDuration *metav1.Duration `json:"terminationDrainDuration,omitempty"` // The unique identifier for the [service mesh](https://istio.io/docs/reference/glossary/#service-mesh) 
@@ -2926,7 +3005,7 @@ type RemoteService struct { // receiver, metrics receiver, etc.). Can be IP address or a fully // qualified DNS name. Address string `json:"address,omitempty"` - // Use the `tls_settings` to specify the tls mode to use. If the remote service + // Use the `tlsSettings` to specify the tls mode to use. If the remote service // uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS // mode as `ISTIO_MUTUAL`. TlsSettings *ClientTLSSettings `json:"tlsSettings,omitempty"` @@ -3090,6 +3169,11 @@ type ProxyConfigProxyHeaders struct { // To disable the header, configure either `SANITIZE` (to always remove the header, if present) or `FORWARD_ONLY` (to leave the header as-is). // By default, `APPEND_FORWARD` will be used. ForwardedClientCert ForwardClientCertDetails `json:"forwardedClientCert,omitempty"` + // This field is valid only when forward_client_cert_details is APPEND_FORWARD or SANITIZE_SET + // and the client connection is mTLS. It specifies the fields in + // the client certificate to be forwarded. Note that `Hash` is always set, and + // `By` is always set when the client certificate presents the URI type Subject Alternative Name value. + SetCurrentClientCertDetails *ProxyConfigProxyHeadersSetCurrentClientCertDetails `json:"setCurrentClientCertDetails,omitempty"` // Controls the `X-Request-Id` header. If enabled, a request ID is generated for each request if one is not already set. // This applies to all types of traffic (inbound, outbound, and gateways). // If disabled, no request ID will be generate for the request. If it is already present, it will be preserved. 
@@ -3138,6 +3222,26 @@ type ProxyConfigProxyHeadersMetadataExchangeHeaders struct {
 Mode ProxyConfigProxyHeadersMetadataExchangeMode `json:"mode,omitempty"`
 }
 
+type ProxyConfigProxyHeadersSetCurrentClientCertDetails struct {
+ // Whether to forward the subject of the client cert. Defaults to true.
+ Subject *bool `json:"subject,omitempty"`
+ // Whether to forward the entire client cert in URL encoded PEM format. This will appear in the
+ // XFCC header comma separated from other values with the value Cert="PEM".
+ // Defaults to false.
+ Cert bool `json:"cert,omitempty"`
+ // Whether to forward the entire client cert chain (including the leaf cert) in URL encoded PEM
+ // format. This will appear in the XFCC header comma separated from other values with the value
+ // Chain="PEM".
+ // Defaults to false.
+ Chain bool `json:"chain,omitempty"`
+ // Whether to forward the DNS type Subject Alternative Names of the client cert.
+ // Defaults to true.
+ Dns *bool `json:"dns,omitempty"`
+ // Whether to forward the URI type Subject Alternative Name of the client cert. Defaults to
+ // true.
+ Uri *bool `json:"uri,omitempty"`
+}
+
 // The following values are used to construct proxy image url.
 // format: `${hub}/${image_name}/${tag}-${image_type}`,
 // example: `docker.io/istio/proxyv2:1.11.1` or `docker.io/istio/proxyv2:1.11.1-distroless`.
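Review bot: The exported type ProxyConfigProxyHeadersSetCurrentClientCertDetails has no doc comment, so the generated API reference and CRD schema describe its five fields but never say what the object as a whole controls. Suggest `// ProxyConfigProxyHeadersSetCurrentClientCertDetails selects which client-certificate fields the proxy writes into the X-Forwarded-Client-Cert header; Hash is always included regardless of these settings.` It is worth that comment also pointing out that `Cert` and `Chain` place the full certificate PEM into the XFCC header and default to off, because an operator reading the schema only sees the per-field text and the asymmetric defaults (`*bool` fields default on, plain `bool` fields default off) are easy to miss. `Dns` and `Uri` are not Go-style initialisms (`DNS`, `URI`); if the file is generated from the upstream proto that cannot change here, and the JSON tags are what the CRD sees anyway.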
@@ -3186,8 +3290,8 @@ type WorkloadSelector struct {
 // the configuration namespace in which the resource is present.
 // +kubebuilder:validation:XValidation:message="wildcard not allowed in label key match",rule="self.all(key, !key.contains('*'))"
 // +kubebuilder:validation:XValidation:message="key must not be empty",rule="self.all(key, key.size() != 0)"
- // +kubebuilder:map-value-validation:XValidation:message="wildcard not allowed in label value match",rule="!self.contains('*')"
- // +kubebuilder:map-value-validation:MaxLength=63
+ // +protoc-gen-crd:map-value-validation:XValidation:message="wildcard not allowed in label value match",rule="!self.contains('*')"
+ // +protoc-gen-crd:map-value-validation:MaxLength=63
 // +kubebuilder:validation:MaxProperties=4096
 MatchLabels map[string]string `json:"matchLabels,omitempty"`
 }
diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go
index 97e2fda45..847e60775 100644
--- a/api/v1alpha1/zz_generated.deepcopy.go
+++ b/api/v1alpha1/zz_generated.deepcopy.go
@@ -45,6 +45,11 @@ func (in *ArchConfig) DeepCopy() *ArchConfig {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *BaseConfig) DeepCopyInto(out *BaseConfig) {
 *out = *in
+ if in.ExcludedCRDs != nil {
+ in, out := &in.ExcludedCRDs, &out.ExcludedCRDs
+ *out = make([]string, len(*in))
+ copy(*out, *in)
+ }
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BaseConfig.
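Review bot: The two markers on MatchLabels change prefix from `+kubebuilder:` to `+protoc-gen-crd:`, but the neighbouring markers on the same field stay `+kubebuilder:validation:...`, which suggests this repository's CRD for WorkloadSelector is built by controller-gen rather than by Istio's protoc-gen-crd. controller-gen does not, as far as I know, implement a `map-value-validation` marker under either prefix, so after this change the label-value rules (`MaxLength=63` and the no-wildcard CEL rule) may exist only as comments while the key-level rules on the lines above are actually enforced. Please check the regenerated CRD for `maxLength: 63` and the wildcard rule under `matchLabels.additionalProperties`; if they are absent, the value constraints need to be expressed in a form the generator in use understands, otherwise the schema silently accepts label values the comment says it rejects.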
@@ -1000,6 +1005,11 @@ func (in *IstiodConfig) DeepCopy() *IstiodConfig { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *IstiodRemoteConfig) DeepCopyInto(out *IstiodRemoteConfig) { *out = *in + if in.Enabled != nil { + in, out := &in.Enabled, &out.Enabled + *out = new(bool) + **out = **in + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IstiodRemoteConfig. @@ -1698,6 +1708,37 @@ func (in *MeshConfigExtensionProviderEnvoyTcpGrpcV3LogProvider) DeepCopy() *Mesh return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *MeshConfigExtensionProviderGrpcService) DeepCopyInto(out *MeshConfigExtensionProviderGrpcService) { + *out = *in + if in.Timeout != nil { + in, out := &in.Timeout, &out.Timeout + *out = new(metav1.Duration) + **out = **in + } + if in.InitialMetadata != nil { + in, out := &in.InitialMetadata, &out.InitialMetadata + *out = make([]*MeshConfigExtensionProviderHttpHeader, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(MeshConfigExtensionProviderHttpHeader) + **out = **in + } + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MeshConfigExtensionProviderGrpcService. +func (in *MeshConfigExtensionProviderGrpcService) DeepCopy() *MeshConfigExtensionProviderGrpcService { + if in == nil { + return nil + } + out := new(MeshConfigExtensionProviderGrpcService) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *MeshConfigExtensionProviderHttpHeader) DeepCopyInto(out *MeshConfigExtensionProviderHttpHeader) { *out = *in 
@@ -1787,6 +1828,11 @@ func (in *MeshConfigExtensionProviderOpenTelemetryTracingProvider) DeepCopyInto( *out = new(MeshConfigExtensionProviderHttpService) (*in).DeepCopyInto(*out) } + if in.Grpc != nil { + in, out := &in.Grpc, &out.Grpc + *out = new(MeshConfigExtensionProviderGrpcService) + (*in).DeepCopyInto(*out) + } if in.ResourceDetectors != nil { in, out := &in.ResourceDetectors, &out.ResourceDetectors *out = new(MeshConfigExtensionProviderResourceDetectors) @@ -2528,6 +2574,11 @@ func (in *PilotConfig) DeepCopyInto(out *PilotConfig) { *out = new(PilotTaintControllerConfig) **out = **in } + if in.IstiodRemote != nil { + in, out := &in.IstiodRemote, &out.IstiodRemote + *out = new(IstiodRemoteConfig) + (*in).DeepCopyInto(*out) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PilotConfig. @@ -2743,6 +2794,11 @@ func (in *ProxyConfig) DeepCopy() *ProxyConfig { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ProxyConfigProxyHeaders) DeepCopyInto(out *ProxyConfigProxyHeaders) { *out = *in + if in.SetCurrentClientCertDetails != nil { + in, out := &in.SetCurrentClientCertDetails, &out.SetCurrentClientCertDetails + *out = new(ProxyConfigProxyHeadersSetCurrentClientCertDetails) + (*in).DeepCopyInto(*out) + } if in.RequestId != nil { in, out := &in.RequestId, &out.RequestId *out = new(ProxyConfigProxyHeadersRequestId) 
@@ -2875,6 +2931,36 @@ func (in *ProxyConfigProxyHeadersServer) DeepCopy() *ProxyConfigProxyHeadersServ return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ProxyConfigProxyHeadersSetCurrentClientCertDetails) DeepCopyInto(out *ProxyConfigProxyHeadersSetCurrentClientCertDetails) { + *out = *in + if in.Subject != nil { + in, out := &in.Subject, &out.Subject + *out = new(bool) + **out = **in + } + if in.Dns != nil { + in, out := &in.Dns, &out.Dns + *out = new(bool) + **out = **in + } + if in.Uri != nil { + in, out := &in.Uri, &out.Uri + *out = new(bool) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ProxyConfigProxyHeadersSetCurrentClientCertDetails. +func (in *ProxyConfigProxyHeadersSetCurrentClientCertDetails) DeepCopy() *ProxyConfigProxyHeadersSetCurrentClientCertDetails { + if in == nil { + return nil + } + out := new(ProxyConfigProxyHeadersSetCurrentClientCertDetails) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ProxyConfigProxyStatsMatcher) DeepCopyInto(out *ProxyConfigProxyStatsMatcher) { *out = *in @@ -3803,12 +3889,12 @@ func (in *Values) DeepCopyInto(out *Values) { if in.Base != nil { in, out := &in.Base, &out.Base *out = new(BaseConfig) - **out = **in + (*in).DeepCopyInto(*out) } if in.IstiodRemote != nil { in, out := &in.IstiodRemote, &out.IstiodRemote *out = new(IstiodRemoteConfig) - **out = **in + (*in).DeepCopyInto(*out) } if in.RevisionTags != nil { in, out := &in.RevisionTags, &out.RevisionTags 
@@ -3840,6 +3926,38 @@ func (in *WaypointConfig) DeepCopyInto(out *WaypointConfig) { *out = new(v1.ResourceRequirements) (*in).DeepCopyInto(*out) } + if in.Affinity != nil { + in, out := &in.Affinity, &out.Affinity + *out = new(v1.Affinity) + (*in).DeepCopyInto(*out) + } + if in.TopologySpreadConstraints != nil { + in, out := &in.TopologySpreadConstraints, &out.TopologySpreadConstraints + *out = make([]*v1.TopologySpreadConstraint, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(v1.TopologySpreadConstraint) + (*in).DeepCopyInto(*out) + } + } + } + if in.NodeSelector != nil { + in, out := &in.NodeSelector, &out.NodeSelector + *out = new(v1.NodeSelector) + (*in).DeepCopyInto(*out) + } + if in.Toleration != nil { + in, out := &in.Toleration, &out.Toleration + *out = make([]*v1.Toleration, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(v1.Toleration) + (*in).DeepCopyInto(*out) + } + } + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WaypointConfig. diff --git a/bundle.Dockerfile b/bundle.Dockerfile index 5bc812405..a31d40816 100644 --- a/bundle.Dockerfile +++ b/bundle.Dockerfile @@ -6,7 +6,7 @@ LABEL operators.operatorframework.io.bundle.manifests.v1=manifests/ LABEL operators.operatorframework.io.bundle.metadata.v1=metadata/ LABEL operators.operatorframework.io.bundle.package.v1=sailoperator LABEL operators.operatorframework.io.bundle.channels.v1="dev-0.2" -LABEL operators.operatorframework.io.metrics.builder=operator-sdk-v1.36.1 +LABEL operators.operatorframework.io.metrics.builder=operator-sdk-v1.37.0 LABEL operators.operatorframework.io.metrics.mediatype.v1=metrics+v1 LABEL operators.operatorframework.io.metrics.project_layout=go.kubebuilder.io/v4 diff --git a/bundle/manifests/extensions.istio.io_wasmplugins.yaml b/bundle/manifests/extensions.istio.io_wasmplugins.yaml index 88e2c95aa..22803cb14 100644 
--- a/bundle/manifests/extensions.istio.io_wasmplugins.yaml +++ b/bundle/manifests/extensions.istio.io_wasmplugins.yaml @@ -217,6 +217,7 @@ spec: gateway.networking.k8s.io/Gateway rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], [''gateway.networking.k8s.io'',''Gateway''], [''networking.istio.io'',''ServiceEntry'']]' + maxItems: 16 type: array type: description: |- @@ -282,6 +283,9 @@ spec: required: - url type: object + x-kubernetes-validations: + - message: only one of targetRefs or selector can be set + rule: (has(self.selector)?1:0)+(has(self.targetRef)?1:0)+(has(self.targetRefs)?1:0)<=1 status: properties: conditions: diff --git a/bundle/manifests/networking.istio.io_envoyfilters.yaml b/bundle/manifests/networking.istio.io_envoyfilters.yaml index 334adad40..f2181cfc6 100644 --- a/bundle/manifests/networking.istio.io_envoyfilters.yaml +++ b/bundle/manifests/networking.istio.io_envoyfilters.yaml @@ -304,6 +304,7 @@ spec: gateway.networking.k8s.io/Gateway rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], [''gateway.networking.k8s.io'',''Gateway''], [''networking.istio.io'',''ServiceEntry'']]' + maxItems: 16 type: array workloadSelector: description: Criteria used to select the specific set of pods/VMs @@ -311,12 +312,20 @@ spec: properties: labels: additionalProperties: + maxLength: 63 type: string + x-kubernetes-validations: + - message: wildcard is not supported in selector + rule: '!self.contains(''*'')' description: One or more labels that indicate a specific set of pods/VMs on which the configuration should be applied. + maxProperties: 256 type: object type: object type: object + x-kubernetes-validations: + - message: only one of targetRefs or workloadSelector can be set + rule: (has(self.workloadSelector)?1:0)+(has(self.targetRefs)?1:0)<=1 status: properties: conditions: 
diff --git a/bundle/manifests/networking.istio.io_serviceentries.yaml b/bundle/manifests/networking.istio.io_serviceentries.yaml index c9bd00434..6fe1824c4 100644 --- a/bundle/manifests/networking.istio.io_serviceentries.yaml +++ b/bundle/manifests/networking.istio.io_serviceentries.yaml @@ -57,7 +57,9 @@ spec: addresses: description: The virtual IP addresses associated with the service. items: + maxLength: 64 type: string + maxItems: 256 type: array endpoints: description: One or more endpoints associated with the service. @@ -132,6 +134,11 @@ spec: description: The hosts associated with the ServiceEntry. items: type: string + x-kubernetes-validations: + - message: hostname cannot be wildcard + rule: self != '*' + maxItems: 256 + minItems: 1 type: array location: description: |- @@ -148,14 +155,19 @@ spec: properties: name: description: Label assigned to the port. + maxLength: 256 type: string number: description: A valid non-negative integer port number. maximum: 4294967295 minimum: 0 type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 protocol: description: The protocol exposed on the port. + maxLength: 256 type: string targetPort: description: The port number on the endpoint where the traffic @@ -163,11 +175,21 @@ spec: maximum: 4294967295 minimum: 0 type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 required: - number - name type: object + maxItems: 256 type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + x-kubernetes-validations: + - message: port number cannot be duplicated + rule: self.all(l1, self.exists_one(l2, l1.number == l2.number)) resolution: description: |- Service resolution mode for the hosts. 
@@ -190,14 +212,32 @@ spec: properties: labels: additionalProperties: + maxLength: 63 type: string + x-kubernetes-validations: + - message: wildcard is not supported in selector + rule: '!self.contains(''*'')' description: One or more labels that indicate a specific set of pods/VMs on which the configuration should be applied. + maxProperties: 256 type: object type: object required: - hosts type: object + x-kubernetes-validations: + - message: only one of WorkloadSelector or Endpoints can be set + rule: (has(self.workloadSelector)?1:0)+(has(self.endpoints)?1:0)<=1 + - message: CIDR addresses are allowed only for NONE/STATIC resolution + types + rule: '!(has(self.addresses) && self.addresses.exists(k, k.contains(''/'')) + && (self.resolution != ''STATIC'' && self.resolution != ''NONE''))' + - message: NONE mode cannot set endpoints + rule: '(!has(self.resolution) || self.resolution == ''NONE'') ? !has(self.endpoints) + : true' + - message: DNS_ROUND_ROBIN mode cannot have multiple endpoints + rule: '(has(self.resolution) && self.resolution == ''DNS_ROUND_ROBIN'') + ? (!has(self.endpoints) || size(self.endpoints) == 1) : true' status: properties: conditions: @@ -269,6 +309,8 @@ spec: type: array type: object x-kubernetes-preserve-unknown-fields: true + required: + - spec type: object served: true storage: false @@ -307,7 +349,9 @@ spec: addresses: description: The virtual IP addresses associated with the service. items: + maxLength: 64 type: string + maxItems: 256 type: array endpoints: description: One or more endpoints associated with the service. @@ -382,6 +426,11 @@ spec: description: The hosts associated with the ServiceEntry. items: type: string + x-kubernetes-validations: + - message: hostname cannot be wildcard + rule: self != '*' + maxItems: 256 + minItems: 1 type: array location: description: |- 
@@ -398,14 +447,19 @@ spec: properties: name: description: Label assigned to the port. + maxLength: 256 type: string number: description: A valid non-negative integer port number. maximum: 4294967295 minimum: 0 type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 protocol: description: The protocol exposed on the port. + maxLength: 256 type: string targetPort: description: The port number on the endpoint where the traffic @@ -413,11 +467,21 @@ spec: maximum: 4294967295 minimum: 0 type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 required: - number - name type: object + maxItems: 256 type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + x-kubernetes-validations: + - message: port number cannot be duplicated + rule: self.all(l1, self.exists_one(l2, l1.number == l2.number)) resolution: description: |- Service resolution mode for the hosts. 
@@ -440,14 +504,32 @@ spec: properties: labels: additionalProperties: + maxLength: 63 type: string + x-kubernetes-validations: + - message: wildcard is not supported in selector + rule: '!self.contains(''*'')' description: One or more labels that indicate a specific set of pods/VMs on which the configuration should be applied. + maxProperties: 256 type: object type: object required: - hosts type: object + x-kubernetes-validations: + - message: only one of WorkloadSelector or Endpoints can be set + rule: (has(self.workloadSelector)?1:0)+(has(self.endpoints)?1:0)<=1 + - message: CIDR addresses are allowed only for NONE/STATIC resolution + types + rule: '!(has(self.addresses) && self.addresses.exists(k, k.contains(''/'')) + && (self.resolution != ''STATIC'' && self.resolution != ''NONE''))' + - message: NONE mode cannot set endpoints + rule: '(!has(self.resolution) || self.resolution == ''NONE'') ? !has(self.endpoints) + : true' + - message: DNS_ROUND_ROBIN mode cannot have multiple endpoints + rule: '(has(self.resolution) && self.resolution == ''DNS_ROUND_ROBIN'') + ? (!has(self.endpoints) || size(self.endpoints) == 1) : true' status: properties: conditions: @@ -519,6 +601,8 @@ spec: type: array type: object x-kubernetes-preserve-unknown-fields: true + required: + - spec type: object served: true storage: false @@ -557,7 +641,9 @@ spec: addresses: description: The virtual IP addresses associated with the service. items: + maxLength: 64 type: string + maxItems: 256 type: array endpoints: description: One or more endpoints associated with the service. @@ -632,6 +718,11 @@ spec: description: The hosts associated with the ServiceEntry. items: type: string + x-kubernetes-validations: + - message: hostname cannot be wildcard + rule: self != '*' + maxItems: 256 + minItems: 1 type: array location: description: |- 
@@ -648,14 +739,19 @@ spec: properties: name: description: Label assigned to the port. + maxLength: 256 type: string number: description: A valid non-negative integer port number. maximum: 4294967295 minimum: 0 type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 protocol: description: The protocol exposed on the port. + maxLength: 256 type: string targetPort: description: The port number on the endpoint where the traffic @@ -663,11 +759,21 @@ spec: maximum: 4294967295 minimum: 0 type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 required: - number - name type: object + maxItems: 256 type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + x-kubernetes-validations: + - message: port number cannot be duplicated + rule: self.all(l1, self.exists_one(l2, l1.number == l2.number)) resolution: description: |- Service resolution mode for the hosts. 
@@ -690,14 +796,32 @@ spec: properties: labels: additionalProperties: + maxLength: 63 type: string + x-kubernetes-validations: + - message: wildcard is not supported in selector + rule: '!self.contains(''*'')' description: One or more labels that indicate a specific set of pods/VMs on which the configuration should be applied. + maxProperties: 256 type: object type: object required: - hosts type: object + x-kubernetes-validations: + - message: only one of WorkloadSelector or Endpoints can be set + rule: (has(self.workloadSelector)?1:0)+(has(self.endpoints)?1:0)<=1 + - message: CIDR addresses are allowed only for NONE/STATIC resolution + types + rule: '!(has(self.addresses) && self.addresses.exists(k, k.contains(''/'')) + && (self.resolution != ''STATIC'' && self.resolution != ''NONE''))' + - message: NONE mode cannot set endpoints + rule: '(!has(self.resolution) || self.resolution == ''NONE'') ? !has(self.endpoints) + : true' + - message: DNS_ROUND_ROBIN mode cannot have multiple endpoints + rule: '(has(self.resolution) && self.resolution == ''DNS_ROUND_ROBIN'') + ? (!has(self.endpoints) || size(self.endpoints) == 1) : true' status: properties: conditions: @@ -769,6 +893,8 @@ spec: type: array type: object x-kubernetes-preserve-unknown-fields: true + required: + - spec type: object served: true storage: true diff --git a/bundle/manifests/networking.istio.io_sidecars.yaml b/bundle/manifests/networking.istio.io_sidecars.yaml index 690339869..dd6b32b37 100644 --- a/bundle/manifests/networking.istio.io_sidecars.yaml +++ b/bundle/manifests/networking.istio.io_sidecars.yaml @@ -473,9 +473,14 @@ spec: properties: labels: additionalProperties: + maxLength: 63 type: string + x-kubernetes-validations: + - message: wildcard is not supported in selector + rule: '!self.contains(''*'')' description: One or more labels that indicate a specific set of pods/VMs on which the configuration should be applied. + maxProperties: 256 type: object type: object type: object 
@@ -1006,9 +1011,14 @@ spec: properties: labels: additionalProperties: + maxLength: 63 type: string + x-kubernetes-validations: + - message: wildcard is not supported in selector + rule: '!self.contains(''*'')' description: One or more labels that indicate a specific set of pods/VMs on which the configuration should be applied. + maxProperties: 256 type: object type: object type: object @@ -1539,9 +1549,14 @@ spec: properties: labels: additionalProperties: + maxLength: 63 type: string + x-kubernetes-validations: + - message: wildcard is not supported in selector + rule: '!self.contains(''*'')' description: One or more labels that indicate a specific set of pods/VMs on which the configuration should be applied. + maxProperties: 256 type: object type: object type: object diff --git a/bundle/manifests/networking.istio.io_workloadentries.yaml b/bundle/manifests/networking.istio.io_workloadentries.yaml index e61d58ac9..8ff93a410 100644 --- a/bundle/manifests/networking.istio.io_workloadentries.yaml +++ b/bundle/manifests/networking.istio.io_workloadentries.yaml @@ -175,8 +175,6 @@ spec: x-kubernetes-preserve-unknown-fields: true required: - spec - - spec - - spec type: object served: true storage: false @@ -333,8 +331,6 @@ spec: x-kubernetes-preserve-unknown-fields: true required: - spec - - spec - - spec type: object served: true storage: false @@ -491,8 +487,6 @@ spec: x-kubernetes-preserve-unknown-fields: true required: - spec - - spec - - spec type: object served: true storage: true diff --git a/bundle/manifests/networking.istio.io_workloadgroups.yaml b/bundle/manifests/networking.istio.io_workloadgroups.yaml index 65e0a1b3f..486c0e689 100644 --- a/bundle/manifests/networking.istio.io_workloadgroups.yaml +++ b/bundle/manifests/networking.istio.io_workloadgroups.yaml 
@@ -45,10 +45,12 @@ spec: annotations: additionalProperties: type: string + maxProperties: 256 type: object labels: additionalProperties: type: string + maxProperties: 256 type: object type: object probe: @@ -77,13 +79,17 @@ spec: command: description: Command to run. items: + minLength: 1 type: string type: array + required: + - command type: object failureThreshold: description: Minimum consecutive failures for the probe to be considered failed after having succeeded. format: int32 + minimum: 0 type: integer httpGet: description: '`httpGet` is performed to a given endpoint and the @@ -98,6 +104,7 @@ spec: items: properties: name: + pattern: ^[-_A-Za-z0-9]+$ type: string value: type: string @@ -111,8 +118,14 @@ spec: maximum: 4294967295 minimum: 0 type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 scheme: type: string + x-kubernetes-validations: + - message: scheme must be one of [HTTP, HTTPS] + rule: self in ['', 'HTTP', 'HTTPS'] required: - port type: object @@ -120,15 +133,18 @@ spec: description: Number of seconds after the container has started before readiness probes are initiated. format: int32 + minimum: 0 type: integer periodSeconds: description: How often (in seconds) to perform the probe. format: int32 + minimum: 0 type: integer successThreshold: description: Minimum consecutive successes for the probe to be considered successful after having failed. format: int32 + minimum: 0 type: integer tcpSocket: description: Health is determined by if the proxy is able to connect. @@ -139,12 +155,16 @@ spec: maximum: 4294967295 minimum: 0 type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 required: - port type: object timeoutSeconds: description: Number of seconds after which the probe times out. format: int32 + minimum: 0 type: integer type: object template: 
@@ -204,8 +224,6 @@ spec: type: integer type: object x-kubernetes-validations: - - message: Address is required - rule: has(self.address) || has(self.network) - message: UDS may not include ports rule: '(has(self.address) && self.address.startsWith(''unix://'')) ? !has(self.ports) : true' @@ -283,6 +301,8 @@ spec: type: array type: object x-kubernetes-preserve-unknown-fields: true + required: + - spec type: object served: true storage: false @@ -311,10 +331,12 @@ spec: annotations: additionalProperties: type: string + maxProperties: 256 type: object labels: additionalProperties: type: string + maxProperties: 256 type: object type: object probe: @@ -343,13 +365,17 @@ spec: command: description: Command to run. items: + minLength: 1 type: string type: array + required: + - command type: object failureThreshold: description: Minimum consecutive failures for the probe to be considered failed after having succeeded. format: int32 + minimum: 0 type: integer httpGet: description: '`httpGet` is performed to a given endpoint and the @@ -364,6 +390,7 @@ spec: items: properties: name: + pattern: ^[-_A-Za-z0-9]+$ type: string value: type: string @@ -377,8 +404,14 @@ spec: maximum: 4294967295 minimum: 0 type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 scheme: type: string + x-kubernetes-validations: + - message: scheme must be one of [HTTP, HTTPS] + rule: self in ['', 'HTTP', 'HTTPS'] required: - port type: object 
@@ -386,15 +419,18 @@ spec: description: Number of seconds after the container has started before readiness probes are initiated. format: int32 + minimum: 0 type: integer periodSeconds: description: How often (in seconds) to perform the probe. format: int32 + minimum: 0 type: integer successThreshold: description: Minimum consecutive successes for the probe to be considered successful after having failed. format: int32 + minimum: 0 type: integer tcpSocket: description: Health is determined by if the proxy is able to connect. @@ -405,12 +441,16 @@ spec: maximum: 4294967295 minimum: 0 type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 required: - port type: object timeoutSeconds: description: Number of seconds after which the probe times out. format: int32 + minimum: 0 type: integer type: object template: @@ -470,8 +510,6 @@ spec: type: integer type: object x-kubernetes-validations: - - message: Address is required - rule: has(self.address) || has(self.network) - message: UDS may not include ports rule: '(has(self.address) && self.address.startsWith(''unix://'')) ? !has(self.ports) : true' @@ -549,6 +587,8 @@ spec: type: array type: object x-kubernetes-preserve-unknown-fields: true + required: + - spec type: object served: true storage: false @@ -577,10 +617,12 @@ spec: annotations: additionalProperties: type: string + maxProperties: 256 type: object labels: additionalProperties: type: string + maxProperties: 256 type: object type: object probe: @@ -609,13 +651,17 @@ spec: command: description: Command to run. items: + minLength: 1 type: string type: array + required: + - command type: object failureThreshold: description: Minimum consecutive failures for the probe to be considered failed after having succeeded. format: int32 + minimum: 0 type: integer httpGet: description: '`httpGet` is performed to a given endpoint and the 
@@ -630,6 +676,7 @@ spec: items: properties: name: + pattern: ^[-_A-Za-z0-9]+$ type: string value: type: string @@ -643,8 +690,14 @@ spec: maximum: 4294967295 minimum: 0 type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 scheme: type: string + x-kubernetes-validations: + - message: scheme must be one of [HTTP, HTTPS] + rule: self in ['', 'HTTP', 'HTTPS'] required: - port type: object @@ -652,15 +705,18 @@ spec: description: Number of seconds after the container has started before readiness probes are initiated. format: int32 + minimum: 0 type: integer periodSeconds: description: How often (in seconds) to perform the probe. format: int32 + minimum: 0 type: integer successThreshold: description: Minimum consecutive successes for the probe to be considered successful after having failed. format: int32 + minimum: 0 type: integer tcpSocket: description: Health is determined by if the proxy is able to connect. @@ -671,12 +727,16 @@ spec: maximum: 4294967295 minimum: 0 type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 required: - port type: object timeoutSeconds: description: Number of seconds after which the probe times out. format: int32 + minimum: 0 type: integer type: object template: @@ -736,8 +796,6 @@ spec: type: integer type: object x-kubernetes-validations: - - message: Address is required - rule: has(self.address) || has(self.network) - message: UDS may not include ports rule: '(has(self.address) && self.address.startsWith(''unix://'')) ? !has(self.ports) : true' @@ -815,6 +873,8 @@ spec: type: array type: object x-kubernetes-preserve-unknown-fields: true + required: + - spec type: object served: true storage: true diff --git a/bundle/manifests/sailoperator.clusterserviceversion.yaml b/bundle/manifests/sailoperator.clusterserviceversion.yaml index 69e8b3d42..0d1dc579e 100644 
--- a/bundle/manifests/sailoperator.clusterserviceversion.yaml +++ b/bundle/manifests/sailoperator.clusterserviceversion.yaml @@ -16,7 +16,7 @@ metadata: "inactiveRevisionDeletionGracePeriodSeconds": 30, "type": "InPlace" }, - "version": "v1.23.0" + "version": "v1.23.2" } }, { @@ -27,14 +27,14 @@ metadata: }, "spec": { "namespace": "istio-cni", - "version": "v1.23.0" + "version": "v1.23.2" } } ] capabilities: Seamless Upgrades categories: OpenShift Optional, Integration & Delivery, Networking, Security containerImage: quay.io/maistra-dev/sail-operator:0.2-latest - createdAt: "2024-09-22T10:00:56Z" + createdAt: "2024-10-07T12:34:17Z" description: Experimental operator for installing Istio service mesh features.operators.openshift.io/cnf: "false" features.operators.openshift.io/cni: "true" @@ -46,7 +46,7 @@ metadata: features.operators.openshift.io/token-auth-aws: "false" features.operators.openshift.io/token-auth-azure: "false" features.operators.openshift.io/token-auth-gcp: "false" - operators.operatorframework.io/builder: operator-sdk-v1.36.1 + operators.operatorframework.io/builder: operator-sdk-v1.37.0 operators.operatorframework.io/internal-objects: '["wasmplugins.extensions.istio.io","destinationrules.networking.istio.io","envoyfilters.networking.istio.io","gateways.networking.istio.io","proxyconfigs.networking.istio.io","serviceentries.networking.istio.io","sidecars.networking.istio.io","virtualservices.networking.istio.io","workloadentries.networking.istio.io","workloadgroups.networking.istio.io","authorizationpolicies.security.istio.io","peerauthentications.security.istio.io","requestauthentications.security.istio.io","telemetries.telemetry.istio.io"]' operators.operatorframework.io/project_layout: go.kubebuilder.io/v4 repository: https://github.com/istio-ecosystem/sail-operator 
@@ -160,14 +160,14 @@ spec: specDescriptors: - description: |- Defines the version of Istio to install. - Must be one of: v1.23.0, v1.22.3, v1.21.5, latest. + Must be one of: v1.23.2, v1.22.5, v1.21.6, latest. displayName: Istio Version path: version x-descriptors: - urn:alm:descriptor:com.tectonic.ui:fieldGroup:General - - urn:alm:descriptor:com.tectonic.ui:select:v1.23.0 - - urn:alm:descriptor:com.tectonic.ui:select:v1.22.3 - - urn:alm:descriptor:com.tectonic.ui:select:v1.21.5 + - urn:alm:descriptor:com.tectonic.ui:select:v1.23.2 + - urn:alm:descriptor:com.tectonic.ui:select:v1.22.5 + - urn:alm:descriptor:com.tectonic.ui:select:v1.21.6 - urn:alm:descriptor:com.tectonic.ui:select:latest - description: Namespace to which the Istio CNI component should be installed. displayName: Namespace @@ -177,7 +177,7 @@ spec: - description: |- The built-in installation configuration profile to use. The 'default' profile is always applied. On OpenShift, the 'openshift' profile is also applied on top of 'default'. - Must be one of: ambient, default, demo, empty, external, openshift-ambient, openshift, preview, stable. + Must be one of: ambient, default, demo, empty, openshift-ambient, openshift, preview, stable. displayName: Profile path: profile x-descriptors: 
@@ -198,14 +198,14 @@ spec: specDescriptors: - description: |- Defines the version of Istio to install. - Must be one of: v1.23.0, v1.22.3, v1.21.5, latest. + Must be one of: v1.23.2, v1.22.5, v1.21.6, latest. displayName: Istio Version path: version x-descriptors: - urn:alm:descriptor:com.tectonic.ui:fieldGroup:General - - urn:alm:descriptor:com.tectonic.ui:select:v1.23.0 - - urn:alm:descriptor:com.tectonic.ui:select:v1.22.3 - - urn:alm:descriptor:com.tectonic.ui:select:v1.21.5 + - urn:alm:descriptor:com.tectonic.ui:select:v1.23.2 + - urn:alm:descriptor:com.tectonic.ui:select:v1.22.5 + - urn:alm:descriptor:com.tectonic.ui:select:v1.21.6 - urn:alm:descriptor:com.tectonic.ui:select:latest - description: Namespace to which the Istio components should be installed. displayName: Namespace @@ -244,14 +244,14 @@ spec: - urn:alm:descriptor:com.tectonic.ui:select:RevisionBased - description: |- Defines the version of Istio to install. - Must be one of: v1.23.0, v1.22.3, v1.21.5, latest. + Must be one of: v1.23.2, v1.22.5, v1.21.6, latest. displayName: Istio Version path: version x-descriptors: - urn:alm:descriptor:com.tectonic.ui:fieldGroup:General - - urn:alm:descriptor:com.tectonic.ui:select:v1.23.0 - - urn:alm:descriptor:com.tectonic.ui:select:v1.22.3 - - urn:alm:descriptor:com.tectonic.ui:select:v1.21.5 + - urn:alm:descriptor:com.tectonic.ui:select:v1.23.2 + - urn:alm:descriptor:com.tectonic.ui:select:v1.22.5 + - urn:alm:descriptor:com.tectonic.ui:select:v1.21.6 - urn:alm:descriptor:com.tectonic.ui:select:latest - description: |- Defines how many seconds the operator should wait before removing a non-active revision after all 
@@ -280,7 +280,7 @@ spec: - description: |- The built-in installation configuration profile to use. The 'default' profile is always applied. On OpenShift, the 'openshift' profile is also applied on top of 'default'. - Must be one of: ambient, default, demo, empty, external, openshift-ambient, openshift, preview, stable. + Must be one of: ambient, default, demo, empty, openshift-ambient, openshift, preview, stable. displayName: Profile path: profile x-descriptors: @@ -316,14 +316,14 @@ spec: - urn:alm:descriptor:com.tectonic.ui:select:RevisionBased - description: |- Defines the version of Istio to install. - Must be one of: v1.23.0, v1.22.3, v1.21.5, latest. + Must be one of: v1.23.2, v1.22.5, v1.21.6, latest. displayName: Istio Version path: version x-descriptors: - urn:alm:descriptor:com.tectonic.ui:fieldGroup:General - - urn:alm:descriptor:com.tectonic.ui:select:v1.23.0 - - urn:alm:descriptor:com.tectonic.ui:select:v1.22.3 - - urn:alm:descriptor:com.tectonic.ui:select:v1.21.5 + - urn:alm:descriptor:com.tectonic.ui:select:v1.23.2 + - urn:alm:descriptor:com.tectonic.ui:select:v1.22.5 + - urn:alm:descriptor:com.tectonic.ui:select:v1.21.6 - urn:alm:descriptor:com.tectonic.ui:select:latest - description: |- Defines how many seconds the operator should wait before removing a non-active revision after all @@ -352,7 +352,7 @@ spec: - description: |- The built-in installation configuration profile to use. The 'default' profile is always applied. On OpenShift, the 'openshift' profile is also applied on top of 'default'. - Must be one of: ambient, default, demo, empty, external, openshift-ambient, openshift, preview, stable. + Must be one of: ambient, default, demo, empty, openshift-ambient, openshift, preview, stable. displayName: Profile path: profile x-descriptors: 
@@ -371,10 +371,10 @@ spec: This version of the operator supports the following Istio versions: - - v1.23.0 - - v1.22.3 - - v1.21.5 - - latest (fe2a0468) + - v1.23.2 + - v1.22.5 + - v1.21.6 + - latest (6f95f8c9) [See this page](https://github.com/istio-ecosystem/sail-operator/blob/main/bundle/README.md) for instructions on how to use it. displayName: Sail Operator 
@@ -598,22 +598,22 @@ spec: template: metadata: annotations: - images.latest.cni: gcr.io/istio-testing/install-cni:1.24-alpha.fe2a04689d3b7abf7630dc5646bf825e0c0592fe - images.latest.istiod: gcr.io/istio-testing/pilot:1.24-alpha.fe2a04689d3b7abf7630dc5646bf825e0c0592fe - images.latest.proxy: gcr.io/istio-testing/proxyv2:1.24-alpha.fe2a04689d3b7abf7630dc5646bf825e0c0592fe - images.latest.ztunnel: gcr.io/istio-testing/ztunnel:1.24-alpha.fe2a04689d3b7abf7630dc5646bf825e0c0592fe - images.v1_21_5.cni: docker.io/istio/install-cni:1.21.5 - images.v1_21_5.istiod: docker.io/istio/pilot:1.21.5 - images.v1_21_5.proxy: docker.io/istio/proxyv2:1.21.5 - images.v1_21_5.ztunnel: docker.io/istio/ztunnel:1.21.5 - images.v1_22_3.cni: docker.io/istio/install-cni:1.22.3 - images.v1_22_3.istiod: docker.io/istio/pilot:1.22.3 - images.v1_22_3.proxy: docker.io/istio/proxyv2:1.22.3 - images.v1_22_3.ztunnel: docker.io/istio/ztunnel:1.22.3 - images.v1_23_0.cni: docker.io/istio/install-cni:1.23.0 - images.v1_23_0.istiod: docker.io/istio/pilot:1.23.0 - images.v1_23_0.proxy: docker.io/istio/proxyv2:1.23.0 - images.v1_23_0.ztunnel: docker.io/istio/ztunnel:1.23.0 + images.latest.cni: null/null:null + images.latest.istiod: null/null:null + images.latest.proxy: null/null:null + images.latest.ztunnel: null/null:null + images.v1_21_6.cni: '/:' + images.v1_21_6.istiod: docker.io/istio/pilot:1.21.6 + images.v1_21_6.proxy: docker.io/istio/proxyv2:1.21.6 + images.v1_21_6.ztunnel: '/:' + images.v1_22_5.cni: '/:' + images.v1_22_5.istiod: docker.io/istio/pilot:1.22.5 + images.v1_22_5.proxy: docker.io/istio/proxyv2:1.22.5 + images.v1_22_5.ztunnel: '/:' + images.v1_23_2.cni: docker.io/istio/install-cni:1.23.2 + images.v1_23_2.istiod: docker.io/istio/pilot:1.23.2 + images.v1_23_2.proxy: docker.io/istio/proxyv2:1.23.2 + images.v1_23_2.ztunnel: docker.io/istio/ztunnel:1.23.2 kubectl.kubernetes.io/default-container: manager labels: app.kubernetes.io/created-by: sailoperator 
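Review bot: The regenerated image annotations on the operator Deployment now contain placeholder values instead of image references: `images.latest.*` are all `null/null:null`, and `images.v1_21_6.cni`, `images.v1_21_6.ztunnel`, `images.v1_22_5.cni` and `images.v1_22_5.ztunnel` are `'/:'`, whereas the previous revision had a concrete tagged reference for every entry. This looks like the per-version image metadata feeding the bundle generator (not in this diff) lacking cni/ztunnel entries for 1.21.6 and 1.22.5 and a `latest` entry altogether, rather than something to patch in the generated file. If the operator resolves component images from these annotations, an IstioCNI or ztunnel install on v1.21.6/v1.22.5, and anything on `latest`, would be pointed at an unpullable reference, so the source metadata should be fixed and the bundle regenerated before release. After regeneration I would expect entries shaped like the `v1_23_2` ones, e.g. `images.v1_21_6.cni: docker.io/istio/install-cni:1.21.6` and `images.v1_21_6.ztunnel: docker.io/istio/ztunnel:1.21.6`.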
@@ -766,36 +766,36 @@ spec: provider: name: Red Hat, Inc. relatedImages: - - image: gcr.io/istio-testing/install-cni:1.24-alpha.fe2a04689d3b7abf7630dc5646bf825e0c0592fe + - image: null/null:null name: latest.cni - - image: gcr.io/istio-testing/pilot:1.24-alpha.fe2a04689d3b7abf7630dc5646bf825e0c0592fe + - image: null/null:null name: latest.istiod - - image: gcr.io/istio-testing/proxyv2:1.24-alpha.fe2a04689d3b7abf7630dc5646bf825e0c0592fe + - image: null/null:null name: latest.proxy - - image: gcr.io/istio-testing/ztunnel:1.24-alpha.fe2a04689d3b7abf7630dc5646bf825e0c0592fe + - image: null/null:null name: latest.ztunnel - - image: docker.io/istio/install-cni:1.21.5 - name: v1_21_5.cni - - image: docker.io/istio/pilot:1.21.5 - name: v1_21_5.istiod - - image: docker.io/istio/proxyv2:1.21.5 - name: v1_21_5.proxy - - image: docker.io/istio/ztunnel:1.21.5 - name: v1_21_5.ztunnel - - image: docker.io/istio/install-cni:1.22.3 - name: v1_22_3.cni - - image: docker.io/istio/pilot:1.22.3 - name: v1_22_3.istiod - - image: docker.io/istio/proxyv2:1.22.3 - name: v1_22_3.proxy - - image: docker.io/istio/ztunnel:1.22.3 - name: v1_22_3.ztunnel - - image: docker.io/istio/install-cni:1.23.0 - name: v1_23_0.cni - - image: docker.io/istio/pilot:1.23.0 - name: v1_23_0.istiod - - image: docker.io/istio/proxyv2:1.23.0 - name: v1_23_0.proxy - - image: docker.io/istio/ztunnel:1.23.0 - name: v1_23_0.ztunnel + - image: '/:' + name: v1_21_6.cni + - image: docker.io/istio/pilot:1.21.6 + name: v1_21_6.istiod + - image: docker.io/istio/proxyv2:1.21.6 + name: v1_21_6.proxy + - image: '/:' + name: v1_21_6.ztunnel + - image: '/:' + name: v1_22_5.cni + - image: docker.io/istio/pilot:1.22.5 + name: v1_22_5.istiod + - image: docker.io/istio/proxyv2:1.22.5 + name: v1_22_5.proxy + - image: '/:' + name: v1_22_5.ztunnel + - image: docker.io/istio/install-cni:1.23.2 + name: v1_23_2.cni + - image: docker.io/istio/pilot:1.23.2 + name: v1_23_2.istiod + - image: docker.io/istio/proxyv2:1.23.2 + name: v1_23_2.proxy 
+ - image: docker.io/istio/ztunnel:1.23.2 + name: v1_23_2.ztunnel version: 0.2.0 diff --git a/bundle/manifests/sailoperator.io_istiocnis.yaml b/bundle/manifests/sailoperator.io_istiocnis.yaml index b5d619dee..aa509468b 100644 --- a/bundle/manifests/sailoperator.io_istiocnis.yaml +++ b/bundle/manifests/sailoperator.io_istiocnis.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.0 + controller-gen.kubebuilder.io/version: v0.16.3 creationTimestamp: null name: istiocnis.sailoperator.io spec: @@ -58,7 +58,7 @@ spec: spec: default: namespace: istio-cni - version: v1.23.0 + version: v1.23.2 description: IstioCNISpec defines the desired state of IstioCNI properties: namespace: @@ -70,13 +70,12 @@ spec: description: |- The built-in installation configuration profile to use. The 'default' profile is always applied. On OpenShift, the 'openshift' profile is also applied on top of 'default'. - Must be one of: ambient, default, demo, empty, external, openshift-ambient, openshift, preview, stable. + Must be one of: ambient, default, demo, empty, openshift-ambient, openshift, preview, stable. enum: - ambient - default - demo - empty - - external - openshift-ambient - openshift - preview @@ -379,7 +378,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both matchLabelKeys and labelSelector. Also, matchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array 
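Review bot: `spec.relatedImages` now lists `null/null:null` for the four `latest.*` entries and `'/:'` for `v1_21_6.cni`, `v1_21_6.ztunnel`, `v1_22_5.cni` and `v1_22_5.ztunnel`, replacing concrete pinned references from the previous revision. relatedImages is what OLM-based mirroring and bundle validation read to know which images a disconnected install needs, so these placeholders will most likely fail validation or, worse, silently leave CNI and ztunnel out of the mirrored set for v1.21.6/v1.22.5. This section is generated, so the fix belongs in the per-version image metadata that feeds the generator; after regenerating, every `image:` should be a fully qualified `registry/repo:tag` like the `v1_23_2.*` entries. The old `latest.*` entries pointed at `gcr.io/istio-testing/*:1.24-alpha.<commit>`; confirm the regenerated `latest` still resolves to a commit-pinned tag rather than a floating one.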
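Review bot: In the `@@ -70,13 +70,12 @@` hunk of `sailoperator.io_istiocnis.yaml` the `external` value is removed from the `profile` enum of a served and stored CRD version, and the commit does not mention an upgrade path for existing objects. An existing IstioCNI with `spec.profile: external` stays stored but will presumably be rejected on its next spec update because enum validation runs on update (unless CRD validation ratcheting is enabled in the cluster), which is an easy-to-miss breaking change for users upgrading the operator. If dropping the profile is intended, I would add a sentence to the commit description and the bundle README naming the removal and what users with `profile: external` should migrate to.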
@@ -394,7 +393,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -562,7 +561,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both matchLabelKeys and labelSelector. Also, matchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -577,7 +576,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -743,7 +742,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both matchLabelKeys and labelSelector. Also, matchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array 
@@ -758,7 +757,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -926,7 +925,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both matchLabelKeys and labelSelector. Also, matchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -941,7 +940,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -1205,6 +1204,12 @@ spec: the Pod where this field is used. It makes that resource available inside a container. type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string required: - name type: object 
@@ -1311,6 +1316,12 @@ spec: the Pod where this field is used. It makes that resource available inside a container. type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string required: - name type: object @@ -1392,14 +1403,14 @@ spec: type: object type: object version: - default: v1.23.0 + default: v1.23.2 description: |- Defines the version of Istio to install. - Must be one of: v1.23.0, v1.22.3, v1.21.5, latest. + Must be one of: v1.23.2, v1.22.5, v1.21.6, latest. enum: - - v1.23.0 - - v1.22.3 - - v1.21.5 + - v1.23.2 + - v1.22.5 + - v1.21.6 - latest type: string required: diff --git a/bundle/manifests/sailoperator.io_istiorevisions.yaml b/bundle/manifests/sailoperator.io_istiorevisions.yaml index 0db2183a7..f94de37ce 100644 --- a/bundle/manifests/sailoperator.io_istiorevisions.yaml +++ b/bundle/manifests/sailoperator.io_istiorevisions.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.0 + controller-gen.kubebuilder.io/version: v0.16.3 creationTimestamp: null name: istiorevisions.sailoperator.io spec: @@ -90,6 +90,11 @@ spec: base: description: Configuration for the base component. properties: + excludedCRDs: + description: CRDs to exclude. Requires `enableCRDTemplates` + items: + type: string + type: array validationCABundle: description: validation webhook CA bundle type: string 
@@ -173,10 +178,7 @@ spec: Deprecated: Marked as deprecated in pkg/apis/values_types.proto. type: object defaultPodDisruptionBudget: - description: |- - Specifies the default pod disruption budget configuration. - - Deprecated: Marked as deprecated in pkg/apis/values_types.proto. + description: Specifies the default pod disruption budget configuration. properties: enabled: description: Controls whether a PodDisruptionBudget with @@ -210,6 +212,12 @@ spec: the Pod where this field is used. It makes that resource available inside a container. type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string required: - name type: object @@ -411,7 +419,7 @@ spec: with the endpoint by\nadding the `ISTIO_META_NETWORK` environment variable to the sidecar.\n\n2. Explicitly:\n\n\ta. By matching the registry name with one of the \"fromRegistry\"\n\tin - the mesh config. A \"from_registry\" can only be + the mesh config. A \"fromRegistry\" can only be assigned to a\n\tsingle network.\n\n\tb. By matching the IP against one of the CIDR ranges in a mesh\n\tconfig network. The CIDR ranges must not overlap and be @@ -922,6 +930,12 @@ spec: the Pod where this field is used. It makes that resource available inside a container. type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string required: - name type: object 
@@ -1029,6 +1043,12 @@ spec: the Pod where this field is used. It makes that resource available inside a container. type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string required: - name type: object 
@@ -1138,26 +1158,1056 @@ spec: format: int32 type: integer type: object - zipkin: - description: Configuration for the zipkin tracing service. - properties: - address: - description: |- - Address of zipkin instance in host:port format for reporting trace data. + zipkin: + description: Configuration for the zipkin tracing service. + properties: + address: + description: |- + Address of zipkin instance in host:port format for reporting trace data. + + Example: .:941 + type: string + type: object + type: object + variant: + description: The variant of the Istio container images to + use. Options are "debug" or "distroless". Unset will use + the default for the given version. + type: string + waypoint: + description: Specifies how waypoints are configured within + Istio. + properties: + affinity: + description: |- + K8s affinity settings for waypoint pods. + + See https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + properties: + nodeAffinity: + description: Describes node affinity scheduling rules + for the pod. + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node matches the corresponding matchExpressions; the + node(s) with the highest sum are the most preferred. + items: + description: |- + An empty preferred scheduling term matches all objects with implicit weight 0 + (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). 
+ properties: + preference: + description: A node selector term, associated + with the corresponding weight. + properties: + matchExpressions: + description: A list of node selector + requirements by node's labels. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that + the selector applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + description: A list of node selector + requirements by node's fields. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that + the selector applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. 
+ This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + weight: + description: Weight associated with matching + the corresponding nodeSelectorTerm, in + the range 1-100. + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to an update), the system + may or may not try to eventually evict the pod from its node. + properties: + nodeSelectorTerms: + description: Required. A list of node selector + terms. The terms are ORed. + items: + description: |- + A null or empty node selector term matches no objects. The requirements of + them are ANDed. + The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. + properties: + matchExpressions: + description: A list of node selector + requirements by node's labels. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that + the selector applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. 
If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + description: A list of node selector + requirements by node's fields. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that + the selector applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + type: array + x-kubernetes-list-type: atomic + required: + - nodeSelectorTerms + type: object + x-kubernetes-map-type: atomic + type: object + podAffinity: + description: Describes pod affinity scheduling rules + (e.g. co-locate this pod in the same node, zone, + etc. as some other pod(s)). 
+ properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. + items: + description: The weights of all of the matched + WeightedPodAffinityTerm fields are added per-node + to find the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, + associated with the corresponding weight. + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is + a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. + Also, matchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. 
+ Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is + a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod label update), the + system may or may not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. 
+ items: + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. + Also, matchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. + Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. 
+ null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + x-kubernetes-list-type: atomic + type: object + podAntiAffinity: + description: Describes pod anti-affinity scheduling + rules (e.g. avoid putting this pod in the same node, + zone, etc. as some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the anti-affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling anti-affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. + items: + description: The weights of all of the matched + WeightedPodAffinityTerm fields are added per-node + to find the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, + associated with the corresponding weight. + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. 
+ properties: + matchExpressions: + description: matchExpressions is + a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. 
+ Also, matchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. + Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is + a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. 
+ type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. 
+ format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the anti-affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the anti-affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod label update), the + system may or may not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. + items: + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. + Also, matchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. 
Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. + Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + x-kubernetes-list-type: atomic + type: object + type: object + nodeSelector: + description: |- + K8s node labels settings. - Example: .:941 - type: string + See https://kubernetes.io/docs/user-guide/node-selection/ + properties: + nodeSelectorTerms: + description: Required. A list of node selector terms. + The terms are ORed. + items: + description: |- + A null or empty node selector term matches no objects. The requirements of + them are ANDed. + The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. + properties: + matchExpressions: + description: A list of node selector requirements + by node's labels. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. 
+ properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + description: A list of node selector requirements + by node's fields. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + type: array + x-kubernetes-list-type: atomic + required: + - nodeSelectorTerms type: object - type: object - variant: - description: The variant of the Istio container images to - use. Options are "debug" or "distroless". Unset will use - the default for the given version. - type: string - waypoint: - description: Specifies how waypoints are configured within - Istio. - properties: + x-kubernetes-map-type: atomic resources: description: |- K8s resource settings. @@ -1183,6 +2233,12 @@ spec: the Pod where this field is used. It makes that resource available inside a container. type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string required: - name type: object 
@@ -1215,11 +2271,242 @@ spec: More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object type: object + toleration: + description: |- + K8s tolerations settings. + + See https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + items: + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . + properties: + effect: + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. + type: string + operator: + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. + type: string + tolerationSeconds: + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. + type: string + type: object + type: array + topologySpreadConstraints: + description: |- + K8s topology spread constraints settings. 
+ + See https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ + items: + description: TopologySpreadConstraint specifies how + to spread matching pods among the given topology. + properties: + labelSelector: + description: |- + LabelSelector is used to find matching pods. + Pods that match this label selector are counted to determine the number of pods + in their corresponding topology domain. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select the pods over which + spreading will be calculated. 
The keys are used to lookup values from the + incoming pod labels, those key-value labels are ANDed with labelSelector + to select the group of existing pods over which spreading will be calculated + for the incoming pod. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + MatchLabelKeys cannot be set when LabelSelector isn't set. + Keys that don't exist in the incoming pod labels will + be ignored. A null or empty list means only match against labelSelector. + + This is a beta field and requires the MatchLabelKeysInPodTopologySpread feature gate to be enabled (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + maxSkew: + description: |- + MaxSkew describes the degree to which pods may be unevenly distributed. + When `whenUnsatisfiable=DoNotSchedule`, it is the maximum permitted difference + between the number of matching pods in the target topology and the global minimum. + The global minimum is the minimum number of matching pods in an eligible domain + or zero if the number of eligible domains is less than MinDomains. + For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same + labelSelector spread as 2/2/1: + In this case, the global minimum is 1. + | zone1 | zone2 | zone3 | + | P P | P P | P | + - if MaxSkew is 1, incoming pod can only be scheduled to zone3 to become 2/2/2; + scheduling it onto zone1(zone2) would make the ActualSkew(3-1) on zone1(zone2) + violate MaxSkew(1). + - if MaxSkew is 2, incoming pod can be scheduled onto any zone. + When `whenUnsatisfiable=ScheduleAnyway`, it is used to give higher precedence + to topologies that satisfy it. + It's a required field. Default value is 1 and 0 is not allowed. + format: int32 + type: integer + minDomains: + description: |- + MinDomains indicates a minimum number of eligible domains. 
+ When the number of eligible domains with matching topology keys is less than minDomains, + Pod Topology Spread treats "global minimum" as 0, and then the calculation of Skew is performed. + And when the number of eligible domains with matching topology keys equals or greater than minDomains, + this value has no effect on scheduling. + As a result, when the number of eligible domains is less than minDomains, + scheduler won't schedule more than maxSkew Pods to those domains. + If value is nil, the constraint behaves as if MinDomains is equal to 1. + Valid values are integers greater than 0. + When value is not nil, WhenUnsatisfiable must be DoNotSchedule. + + For example, in a 3-zone cluster, MaxSkew is set to 2, MinDomains is set to 5 and pods with the same + labelSelector spread as 2/2/2: + | zone1 | zone2 | zone3 | + | P P | P P | P P | + The number of domains is less than 5(MinDomains), so "global minimum" is treated as 0. + In this situation, new pod with the same labelSelector cannot be scheduled, + because computed skew will be 3(3 - 0) if new Pod is scheduled to any of the three zones, + it will violate MaxSkew. + format: int32 + type: integer + nodeAffinityPolicy: + description: |- + NodeAffinityPolicy indicates how we will treat Pod's nodeAffinity/nodeSelector + when calculating pod topology spread skew. Options are: + - Honor: only nodes matching nodeAffinity/nodeSelector are included in the calculations. + - Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations. + + If this value is nil, the behavior is equivalent to the Honor policy. + This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag. + type: string + nodeTaintsPolicy: + description: |- + NodeTaintsPolicy indicates how we will treat node taints when calculating + pod topology spread skew. 
Options are: + - Honor: nodes without taints, along with tainted nodes for which the incoming pod + has a toleration, are included. + - Ignore: node taints are ignored. All nodes are included. + + If this value is nil, the behavior is equivalent to the Ignore policy. + This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag. + type: string + topologyKey: + description: |- + TopologyKey is the key of node labels. Nodes that have a label with this key + and identical values are considered to be in the same topology. + We consider each as a "bucket", and try to put balanced number + of pods into each bucket. + We define a domain as a particular instance of a topology. + Also, we define an eligible domain as a domain whose nodes meet the requirements of + nodeAffinityPolicy and nodeTaintsPolicy. + e.g. If TopologyKey is "kubernetes.io/hostname", each Node is a domain of that topology. + And, if TopologyKey is "topology.kubernetes.io/zone", each zone is a domain of that topology. + It's a required field. + type: string + whenUnsatisfiable: + description: |- + WhenUnsatisfiable indicates how to deal with a pod if it doesn't satisfy + the spread constraint. + - DoNotSchedule (default) tells the scheduler not to schedule it. + - ScheduleAnyway tells the scheduler to schedule the pod in any location, + but giving higher precedence to topologies that would help reduce the + skew. + A constraint is considered "Unsatisfiable" for an incoming pod + if and only if every possible node assignment for that pod would violate + "MaxSkew" on some topology. + For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same + labelSelector spread as 3/1/1: + | zone1 | zone2 | zone3 | + | P P P | P | P | + If WhenUnsatisfiable is set to DoNotSchedule, incoming pod can only be scheduled + to zone2(zone3) to become 3/2/1(3/1/2) as ActualSkew(2-1) on zone2(zone3) satisfies + MaxSkew(1). 
In other words, the cluster can still be imbalanced, but scheduler + won't make it *more* imbalanced. + It's a required field. + type: string + required: + - maxSkew + - topologyKey + - whenUnsatisfiable + type: object + type: array type: object type: object istiodRemote: - description: Configuration for istiod-remote. + description: |- + Configuration for istiod-remote. + DEPRECATED - istiod-remote chart is removed and replaced with + `istio-discovery --set values.istiodRemote.enabled=true` + + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. properties: + enabled: + description: Indicates if this cluster/install should consume + a "remote" istiod instance, + type: boolean injectionCABundle: description: injector ca bundle type: string @@ -1267,7 +2554,7 @@ spec: type: string istiodSide: description: |- - Use istiod_side to specify CA Server integrate to Istiod side or Agent side + Use istiodSide to specify CA Server integrate to Istiod side or Agent side Default: true type: boolean requestTimeout: @@ -1277,8 +2564,8 @@ spec: type: string tlsSettings: description: |- - Use the tls_settings to specify the tls mode to use. - Regarding tls_settings: + Use the tlsSettings to specify the tls mode to use. + Regarding tlsSettings: - DISABLE MODE is legitimate for the case Istiod is making the request via an Envoy sidecar. DISABLE MODE can also be used for testing - TLS MUTUAL MODE be on by default. If the CA certificates 
@@ -1404,12 +2691,12 @@ spec: Optional. Specify the list of trust domains to which this trustAnchor data belongs. If set, they are used for these trust domains. Otherwise, this trustAnchor is used for default trust domain and its aliases. - Note that we can have multiple trustAnchor data for a same trust_domain. + Note that we can have multiple trustAnchor data for a same trustDomain. In that case, trustAnchors with a same trust domain will be merged and used together to verify peer certificates. - If neither cert_signers nor trust_domains is set, this trustAnchor is used for all trust domains and all signers. - If only trust_domains is set, this trustAnchor is used for these trust_domains and all signers. - If only cert_signers is set, this trustAnchor is used for these cert_signers and all trust domains. - If both cert_signers and trust_domains is set, this trustAnchor is only used for these signers and trust domains. + If neither certSigners nor trustDomains is set, this trustAnchor is used for all trust domains and all signers. + If only trustDomains is set, this trustAnchor is used for these trustDomains and all signers. + If only certSigners is set, this trustAnchor is used for these certSigners and all trust domains. + If both certSigners and trustDomains is set, this trustAnchor is only used for these signers and trust domains. items: type: string type: array @@ -1481,7 +2768,7 @@ spec: type: array tlsSettings: description: |- - Use the tls_settings to specify the tls mode to use. If the MCP server + Use the tlsSettings to specify the tls mode to use. If the MCP server uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS mode as `ISTIO_MUTUAL`. properties: 
@@ -1679,7 +2966,7 @@ spec: type: object tlsSettings: description: |- - Use the `tls_settings` to specify the tls mode to use. If the remote service + Use the `tlsSettings` to specify the tls mode to use. If the remote service uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS mode as `ISTIO_MUTUAL`. properties: @@ -1807,7 +3094,7 @@ spec: type: object tlsSettings: description: |- - Use the `tls_settings` to specify the tls mode to use. If the remote service + Use the `tlsSettings` to specify the tls mode to use. If the remote service uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS mode as `ISTIO_MUTUAL`. properties: @@ -1943,7 +3230,7 @@ spec: address to the X-Forwarded-For (XFF) address and set the X-Envoy-External-Address header to the trusted client address before forwarding it to the upstream services in the cluster. - The default value of num_trusted_proxies is 0. + The default value of numTrustedProxies is 0. See [Envoy XFF](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#config-http-conn-man-headers-x-forwarded-for) header handling for more details. format: int32 
@@ -2129,6 +3416,41 @@ spec: header. By default, `istio-envoy` will be used. type: string type: object + setCurrentClientCertDetails: + description: |- + This field is valid only when forward_client_cert_details is APPEND_FORWARD or SANITIZE_SET + and the client connection is mTLS. It specifies the fields in + the client certificate to be forwarded. Note that `Hash` is always set, and + `By` is always set when the client certificate presents the URI type Subject Alternative Name value. + properties: + cert: + description: |- + Whether to forward the entire client cert in URL encoded PEM format. This will appear in the + XFCC header comma separated from other values with the value Cert="PEM". + Defaults to false. + type: boolean + chain: + description: |- + Whether to forward the entire client cert chain (including the leaf cert) in URL encoded PEM + format. This will appear in the XFCC header comma separated from other values with the value + Chain="PEM". + Defaults to false. + type: boolean + dns: + description: |- + Whether to forward the DNS type Subject Alternative Names of the client cert. + Defaults to true. + type: boolean + subject: + description: Whether to forward the subject of + the client cert. Defaults to true. + type: boolean + uri: + description: |- + Whether to forward the URI type Subject Alternative Name of the client cert. Defaults to + true. + type: boolean + type: object type: object proxyMetadata: additionalProperties: 
@@ -2391,7 +3713,7 @@ spec: The amount of time allowed for connections to complete on proxy shutdown. On receiving `SIGTERM` or `SIGINT`, `istio-agent` tells the active Envoy to start gracefully draining, discouraging any new connections and allowing existing connections to complete. It then - sleeps for the `termination_drain_duration` and then kills any remaining active Envoy processes. + sleeps for the `terminationDrainDuration` and then kills any remaining active Envoy processes. If not set, a default of `5s` will be applied. type: string tracing: @@ -2544,7 +3866,7 @@ spec: type: object tlsSettings: description: |- - Use the tls_settings to specify the tls mode to use. If the remote tracing service + Use the tlsSettings to specify the tls mode to use. If the remote tracing service uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS mode as `ISTIO_MUTUAL`. properties: @@ -2672,8 +3994,8 @@ spec: <= 1 defaultDestinationRuleExportTo: description: |- - The default value for the `DestinationRule.export_to` field. Has the same - syntax as `default_service_export_to`. + The default value for the `DestinationRule.exportTo` field. Has the same + syntax as `defaultServiceExportTo`. If not set the system will use "*" as the default value which implies that destination rules are exported to all namespaces @@ -2749,7 +4071,7 @@ spec: type: object defaultServiceExportTo: description: |- - The default value for the ServiceEntry.export_to field and services + The default value for the ServiceEntry.exportTo field and services imported through container registry integrations, e.g. this applies to Kubernetes Service resources. The value is a list of namespace names and reserved namespace aliases. The allowed namespace aliases are: 
@@ -2778,8 +4100,8 @@ spec: type: array defaultVirtualServiceExportTo: description: |- - The default value for the VirtualService.export_to field. Has the same - syntax as `default_service_export_to`. + The default value for the VirtualService.exportTo field. Has the same + syntax as `defaultServiceExportTo`. If not set the system will use "*" as the default value which implies that virtual services are exported to all namespaces @@ -2962,7 +4284,7 @@ spec: properties: allowPartialMessage: description: |- - When this field is true, ext-authz filter will buffer the message until max_request_bytes is reached. + When this field is true, ext-authz filter will buffer the message until maxRequestBytes is reached. The authorization request will be dispatched and no 413 HTTP error will be returned by the filter. A "x-envoy-auth-partial-body: false|true" metadata header will be added to the authorization request message indicating if the body data is partial. @@ -2970,10 +4292,10 @@ spec: maxRequestBytes: description: |- Sets the maximum size of a message body that the ext-authz filter will hold in memory. - If max_request_bytes is reached, and allow_partial_message is false, Envoy will return a 413 (Payload Too Large). + If maxRequestBytes is reached, and allowPartialMessage is false, Envoy will return a 413 (Payload Too Large). Otherwise the request will be sent to the provider with a partial message. - Note that this setting will have precedence over the fail_open field, the 413 will be returned even when the - fail_open is set to true. + Note that this setting will have precedence over the failOpen field, the 413 will be returned even when the + failOpen is set to true. format: int32 type: integer packAsBytes: 
@@ -2981,7 +4303,7 @@ spec: If true, the body sent to the external authorization service in the gRPC authorization request is set with raw bytes in the [raw_body field](https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L153). Otherwise, it will be filled with UTF-8 string in the [body field](https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L147). - This field only works with the envoy_ext_authz_grpc provider and has no effect for the envoy_ext_authz_http provider. + This field only works with the envoyExtAuthzGrpc provider and has no effect for the envoyExtAuthzHttp provider. type: boolean type: object port: @@ -3007,7 +4329,7 @@ spec: description: |- The maximum duration that the proxy will wait for a response from the provider, this is the timeout for a specific request (default timeout: 600s). When this timeout condition is met, the proxy marks the communication to the authorization service as failure. - In this situation, the response sent back to the client will depend on the configured `fail_open` field. + In this situation, the response sent back to the client will depend on the configured `failOpen` field. type: string required: - port 
@@ -3081,11 +4403,11 @@ spec: description: |- Set of additional fixed headers that should be included in the authorization request sent to the authorization service. Key is the header name and value is the header value. - Note that client request of the same key or headers specified in include_request_headers_in_check will be overridden. + Note that client request of the same key or headers specified in includeRequestHeadersInCheck will be overridden. type: object includeHeadersInCheck: description: |- - DEPRECATED. Use include_request_headers_in_check instead. + DEPRECATED. Use includeRequestHeadersInCheck instead. Deprecated: Marked as deprecated in mesh/v1alpha1/config.proto. items: @@ -3098,7 +4420,7 @@ spec: properties: allowPartialMessage: description: |- - When this field is true, ext-authz filter will buffer the message until max_request_bytes is reached. + When this field is true, ext-authz filter will buffer the message until maxRequestBytes is reached. The authorization request will be dispatched and no 413 HTTP error will be returned by the filter. A "x-envoy-auth-partial-body: false|true" metadata header will be added to the authorization request message indicating if the body data is partial. @@ -3106,10 +4428,10 @@ spec: maxRequestBytes: description: |- Sets the maximum size of a message body that the ext-authz filter will hold in memory. - If max_request_bytes is reached, and allow_partial_message is false, Envoy will return a 413 (Payload Too Large). + If maxRequestBytes is reached, and allowPartialMessage is false, Envoy will return a 413 (Payload Too Large). Otherwise the request will be sent to the provider with a partial message. - Note that this setting will have precedence over the fail_open field, the 413 will be returned even when the - fail_open is set to true. + Note that this setting will have precedence over the failOpen field, the 413 will be returned even when the + failOpen is set to true. format: int32 type: integer packAsBytes: 
@@ -3117,7 +4439,7 @@ spec: If true, the body sent to the external authorization service in the gRPC authorization request is set with raw bytes in the [raw_body field](https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L153). Otherwise, it will be filled with UTF-8 string in the [body field](https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L147). - This field only works with the envoy_ext_authz_grpc provider and has no effect for the envoy_ext_authz_http provider. + This field only works with the envoyExtAuthzGrpc provider and has no effect for the envoyExtAuthzHttp provider. type: boolean type: object includeRequestHeadersInCheck: @@ -3126,7 +4448,7 @@ spec: Note that in addition to the headers specified here following headers are included by default: 1. *Host*, *Method*, *Path* and *Content-Length* are automatically sent. 2. *Content-Length* will be set to 0 and the request will not have a message body. However, the authorization - request can include the buffered client request body (controlled by include_request_body_in_check setting), + request can include the buffered client request body (controlled by includeRequestBodyInCheck setting), consequently the value of Content-Length of the authorization request reflects the size of its payload size. Exact, prefix and suffix matches are supported (similar to the 
@@ -3167,7 +4489,7 @@ spec: description: |- The maximum duration that the proxy will wait for a response from the provider (default timeout: 600s). When this timeout condition is met, the proxy marks the communication to the authorization service as failure. - In this situation, the response sent back to the client will depend on the configured `fail_open` field. + In this situation, the response sent back to the client will depend on the configured `failOpen` field. type: string required: - port @@ -3292,7 +4614,7 @@ spec: dictionaries](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#config-access-log-format-dictionaries)). Nested JSON is\nsupported for some command operators (e.g. FILTER_STATE or DYNAMIC_METADATA).\nAlias - to `attributes` filed in [Open Telemetry](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/open_telemetry/v3/logs_service.proto)\n\nExample:\n```\nlabels:\n\n\tstatus: + to `attributes` field in [Open Telemetry](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/open_telemetry/v3/logs_service.proto)\n\nExample:\n```\nlabels:\n\n\tstatus: \"%RESPONSE_CODE%\"\n\tmessage: \"%LOCAL_REPLY_BODY%\"\n\n```" type: object text: 
@@ -3300,7 +4622,7 @@ spec: Textual format for the envoy access logs. Envoy [command operators](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators) may be used in the format. The [format string documentation](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#config-access-log-format-strings) provides more information. - Alias to `body` filed in [Open Telemetry](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/open_telemetry/v3/logs_service.proto) + Alias to `body` field in [Open Telemetry](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/open_telemetry/v3/logs_service.proto) Example: `text: "%LOCAL_REPLY_BODY%:%RESPONSE_CODE%:path=%REQ(:path)%"` type: string type: object @@ -3470,11 +4792,11 @@ spec: headers: - name: "Authorization" value: "Api-Token dt0c01." - resource_detectors: + resourceDetectors: dynatrace: {} - dynatrace_sampler: + dynatraceSampler: tenant: "{your-environment-id}" - cluster_id: 1234 + clusterId: 1234 properties: clusterId: description: |- @@ -3551,8 +4873,8 @@ spec: A default value of `1000` is used when: - - `root_spans_per_minute` is unset - - `root_spans_per_minute` is set to 0 + - `rootSpansPerMinute` is unset + - `rootSpansPerMinute` is set to 0 format: int32 type: integer tenant: 
@@ -3565,6 +4887,50 @@ spec: - clusterId - tenant type: object + grpc: + description: "Optional. Specifies the configuration + for exporting OTLP traces via GRPC.\nWhen empty, + traces will check whether HTTP is set.\nIf not, + traces will use default GRPC configurations.\n\nThe + following example shows how to configure the OpenTelemetry + ExtensionProvider to export via GRPC:\n\n1. Add/change + the OpenTelemetry extension provider in `MeshConfig`\n```yaml\n + \ - name: opentelemetry\n opentelemetry:\n + \ port: 8090\n service: tracing.example.com\n + \ grpc:\n timeout: 10s\n initialMetadata:\n + \ - name: \"Authentication\"\n value: \"token-xxxxx\"\n\n```\n\n2. + Deploy a `ServiceEntry` for the observability + back-end\n```yaml\napiVersion: networking.istio.io/v1alpha3\nkind: + ServiceEntry\nmetadata:\n\n\tname: tracing-grpc\n\nspec:\n\n\thosts:\n\t- + tracing.example.com\n\tports:\n\t- number: 8090\n\t + \ name: grpc-port\n\t protocol: GRPC\n\tresolution: + DNS\n\tlocation: MESH_EXTERNAL\n\n```" + properties: + initialMetadata: + description: |- + Optional. Additional metadata to include in streams initiated to the GrpcService. This can be used for + scenarios in which additional ad hoc authorization headers (e.g. “x-foo-bar: baz-key“) are to + be injected. + items: + properties: + name: + description: REQUIRED. The HTTP header + name. + type: string + value: + description: REQUIRED. The HTTP header + value. + type: string + required: + - name + - value + type: object + type: array + timeout: + description: Optional. Specifies the timeout + for the GRPC request. + type: string + type: object http: description: "Optional. Specifies the configuration for exporting OTLP traces via HTTP.\nWhen empty, @@ -3643,7 +5009,7 @@ spec: opentelemetry: port: 443 service: my.olly-backend.com - resource_detectors: + resourceDetectors: environment: {} ``` 
@@ -3779,6 +5145,11 @@ spec: NOTE: currently only controls max length of the path tag. format: int32 type: integer + path: + description: |- + Optional. Specifies the endpoint of Zipkin API. + The default value is "/api/v2/spans". + type: string port: description: REQUIRED. Specifies the port of the service. @@ -3880,7 +5251,7 @@ spec: the Gateway.selector field, and will be set as `istio: INGRESS_SELECTOR`. By default, `ingressgateway` is used, which will select the default IngressGateway as it has the `istio: ingressgateway` labels. - It is recommended that this is the same value as ingress_service. + It is recommended that this is the same value as ingressService. type: string ingressService: description: |- @@ -4188,7 +5559,7 @@ spec: ```yaml serviceSettings: - settings: - cluster_local: true + clusterLocal: true hosts: - "*.foo.svc.cluster.local" - "bar.baz.svc.cluster.local" @@ -4257,7 +5628,7 @@ spec: tlsDefaults: description: |- Configuration of TLS for all traffic except for ISTIO_MUTUAL mode. - Currently, this supports configuration of ecdh_curves and cipher_suites only. + Currently, this supports configuration of ecdhCurves and cipherSuites only. For ISTIO_MUTUAL TLS settings, use meshMTLS configuration. properties: cipherSuites: @@ -4304,7 +5675,7 @@ spec: type: string trustDomainAliases: description: |- - The trust domain aliases represent the aliases of `trust_domain`. + The trust domain aliases represent the aliases of `trustDomain`. For example, if we have ```yaml trustDomain: td1 @@ -4632,7 +6003,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both matchLabelKeys and labelSelector. Also, matchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array 
@@ -4647,7 +6018,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -4815,7 +6186,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both matchLabelKeys and labelSelector. Also, matchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -4830,7 +6201,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -4996,7 +6367,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both matchLabelKeys and labelSelector. Also, matchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array 
@@ -5011,7 +6382,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -5179,7 +6550,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both matchLabelKeys and labelSelector. Also, matchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -5194,7 +6565,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array 
@@ -5488,6 +6859,26 @@ spec: are PreferDualStack, RequireDualStack, and SingleStack. More info: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services type: string + istiodRemote: + description: Configuration for the istio-discovery chart when + istiod is running in a remote cluster (e.g. "remote control + plane"). + properties: + enabled: + description: Indicates if this cluster/install should + consume a "remote" istiod instance, + type: boolean + injectionCABundle: + description: injector ca bundle + type: string + injectionPath: + description: Path to use for the sidecar injector webhook + service. + type: string + injectionURL: + description: URL to use for sidecar injector webhook. + type: string + type: object jwksResolverExtraRootCA: description: |- Specifies an extra root certificate in PEM format. This certificate will be trusted @@ -5578,6 +6969,12 @@ spec: the Pod where this field is used. It makes that resource available inside a container. type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string required: - name type: object @@ -6047,6 +7444,7 @@ spec: the blob storage type: string fsType: + default: ext4 description: |- fsType is Filesystem type to mount. Must be a filesystem type supported by the host operating system. @@ -6060,6 +7458,7 @@ spec: set). defaults to shared' type: string readOnly: + default: false description: |- readOnly Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts. 
@@ -6669,7 +8068,7 @@ spec: set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource exists. More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/ - (Alpha) Using this field requires the VolumeAttributesClass feature gate to be enabled. + (Beta) Using this field requires the VolumeAttributesClass feature gate to be enabled (off by default). type: string volumeMode: description: |- 
@@ -6892,6 +8291,41 @@ spec: required: - path type: object + image: + description: |- + image represents an OCI object (a container image or artifact) pulled and mounted on the kubelet's host machine. + The volume is resolved at pod startup depending on which PullPolicy value is provided: + + - Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails. + - Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present. + - IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails. + + The volume gets re-resolved if the pod gets deleted and recreated, which means that new remote content will become available on pod recreation. + A failure to resolve or pull the image during pod startup will block containers from starting and may add significant latency. Failures will be retried using normal volume backoff and will be reported on the pod reason and message. + The types of objects that may be mounted by this volume are defined by the container runtime implementation on a host machine and at minimum must include all valid types supported by the container image field. + The OCI object gets mounted in a single directory (spec.containers[*].volumeMounts.mountPath) by merging the manifest layers in the same way as for container images. + The volume will be mounted read-only (ro) and non-executable files (noexec). + Sub path mounts for containers are not supported (spec.containers[*].volumeMounts.subpath). + The field spec.securityContext.fsGroupChangePolicy has no effect on this volume type. + properties: + pullPolicy: + description: |- + Policy for pulling OCI objects. Possible values are: + Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails. 
+ Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present. + IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails. + Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. + type: string + reference: + description: |- + Required: Image or artifact reference to be used. + Behaves in the same way as pod.spec.containers[*].image. + Pull secrets will be assembled in the same way as for the container image by looking up node credentials, SA image pull secrets, and pod spec image pull secrets. + More info: https://kubernetes.io/docs/concepts/containers/images + This field is optional to allow higher level config management to default or override + container images in workload controllers like Deployments and StatefulSets. + type: string + type: object iscsi: description: |- iscsi represents an ISCSI Disk resource that is attached to a @@ -6923,6 +8357,7 @@ spec: description: iqn is the target iSCSI Qualified Name. type: string iscsiInterface: + default: default description: |- iscsiInterface is the interface Name that uses an iSCSI transport. Defaults to 'default' (tcp). @@ -7074,10 +8509,13 @@ spec: format: int32 type: integer sources: - description: sources is the list of volume projections + description: |- + sources is the list of volume projections. Each entry in this list + handles one source. items: - description: Projection that may be projected - along with other supported volume types + description: |- + Projection that may be projected along with other supported volume types. + Exactly one of these fields must be set. properties: clusterTrustBundle: description: |- 
@@ -7462,6 +8900,7 @@ spec: More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it type: string keyring: + default: /etc/ceph/keyring description: |- keyring is the path to key ring for RBDUser. Default is /etc/ceph/keyring. @@ -7476,6 +8915,7 @@ spec: type: array x-kubernetes-list-type: atomic pool: + default: rbd description: |- pool is the rados pool name. Default is rbd. @@ -7506,6 +8946,7 @@ spec: type: object x-kubernetes-map-type: atomic user: + default: admin description: |- user is the rados user name. Default is admin. @@ -7520,6 +8961,7 @@ spec: volume attached and mounted on Kubernetes nodes. properties: fsType: + default: xfs description: |- fsType is the filesystem type to mount. Must be a filesystem type supported by the host operating system. @@ -7560,6 +9002,7 @@ spec: communication with Gateway, default false type: boolean storageMode: + default: ThinProvisioned description: |- storageMode indicates whether the storage for a volume should be ThickProvisioned or ThinProvisioned. Default is ThinProvisioned. @@ -7927,11 +9370,11 @@ spec: version: description: |- Defines the version of Istio to install. - Must be one of: v1.23.0, v1.22.3, v1.21.5, latest. + Must be one of: v1.23.2, v1.22.5, v1.21.6, latest. enum: - - v1.23.0 - - v1.22.3 - - v1.21.5 + - v1.23.2 + - v1.22.5 + - v1.21.6 - latest type: string required: diff --git a/bundle/manifests/sailoperator.io_istios.yaml b/bundle/manifests/sailoperator.io_istios.yaml index 16fcbaf81..e4f2de090 100644 --- a/bundle/manifests/sailoperator.io_istios.yaml +++ b/bundle/manifests/sailoperator.io_istios.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.0 + controller-gen.kubebuilder.io/version: v0.16.3 creationTimestamp: null name: istios.sailoperator.io spec: 
@@ -80,7 +80,7 @@ spec: namespace: istio-system updateStrategy: type: InPlace - version: v1.23.0 + version: v1.23.2 description: IstioSpec defines the desired state of Istio properties: namespace: @@ -91,13 +91,12 @@ spec: description: |- The built-in installation configuration profile to use. The 'default' profile is always applied. On OpenShift, the 'openshift' profile is also applied on top of 'default'. - Must be one of: ambient, default, demo, empty, external, openshift-ambient, openshift, preview, stable. + Must be one of: ambient, default, demo, empty, openshift-ambient, openshift, preview, stable. enum: - ambient - default - demo - empty - - external - openshift-ambient - openshift - preview @@ -149,6 +148,11 @@ spec: base: description: Configuration for the base component. properties: + excludedCRDs: + description: CRDs to exclude. Requires `enableCRDTemplates` + items: + type: string + type: array validationCABundle: description: validation webhook CA bundle type: string @@ -232,10 +236,7 @@ spec: Deprecated: Marked as deprecated in pkg/apis/values_types.proto. type: object defaultPodDisruptionBudget: - description: |- - Specifies the default pod disruption budget configuration. - - Deprecated: Marked as deprecated in pkg/apis/values_types.proto. + description: Specifies the default pod disruption budget configuration. properties: enabled: description: Controls whether a PodDisruptionBudget with @@ -269,6 +270,12 @@ spec: the Pod where this field is used. It makes that resource available inside a container. type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string required: - name type: object 
@@ -470,7 +477,7 @@ spec: with the endpoint by\nadding the `ISTIO_META_NETWORK` environment variable to the sidecar.\n\n2. Explicitly:\n\n\ta. By matching the registry name with one of the \"fromRegistry\"\n\tin - the mesh config. A \"from_registry\" can only be + the mesh config. A \"fromRegistry\" can only be assigned to a\n\tsingle network.\n\n\tb. By matching the IP against one of the CIDR ranges in a mesh\n\tconfig network. The CIDR ranges must not overlap and be @@ -981,6 +988,12 @@ spec: the Pod where this field is used. It makes that resource available inside a container. type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string required: - name type: object @@ -1088,6 +1101,12 @@ spec: the Pod where this field is used. It makes that resource available inside a container. type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string required: - name type: object 
@@ -1197,26 +1216,1056 @@ spec: format: int32 type: integer type: object - zipkin: - description: Configuration for the zipkin tracing service. - properties: - address: - description: |- - Address of zipkin instance in host:port format for reporting trace data. + zipkin: + description: Configuration for the zipkin tracing service. + properties: + address: + description: |- + Address of zipkin instance in host:port format for reporting trace data. + + Example: .:941 + type: string + type: object + type: object + variant: + description: The variant of the Istio container images to + use. Options are "debug" or "distroless". Unset will use + the default for the given version. + type: string + waypoint: + description: Specifies how waypoints are configured within + Istio. + properties: + affinity: + description: |- + K8s affinity settings for waypoint pods. + + See https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + properties: + nodeAffinity: + description: Describes node affinity scheduling rules + for the pod. + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node matches the corresponding matchExpressions; the + node(s) with the highest sum are the most preferred. + items: + description: |- + An empty preferred scheduling term matches all objects with implicit weight 0 + (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). 
+ properties: + preference: + description: A node selector term, associated + with the corresponding weight. + properties: + matchExpressions: + description: A list of node selector + requirements by node's labels. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that + the selector applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + description: A list of node selector + requirements by node's fields. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that + the selector applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. 
+ This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + weight: + description: Weight associated with matching + the corresponding nodeSelectorTerm, in + the range 1-100. + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to an update), the system + may or may not try to eventually evict the pod from its node. + properties: + nodeSelectorTerms: + description: Required. A list of node selector + terms. The terms are ORed. + items: + description: |- + A null or empty node selector term matches no objects. The requirements of + them are ANDed. + The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. + properties: + matchExpressions: + description: A list of node selector + requirements by node's labels. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that + the selector applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. 
If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + description: A list of node selector + requirements by node's fields. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that + the selector applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + type: array + x-kubernetes-list-type: atomic + required: + - nodeSelectorTerms + type: object + x-kubernetes-map-type: atomic + type: object + podAffinity: + description: Describes pod affinity scheduling rules + (e.g. co-locate this pod in the same node, zone, + etc. as some other pod(s)). 
+ properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. + items: + description: The weights of all of the matched + WeightedPodAffinityTerm fields are added per-node + to find the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, + associated with the corresponding weight. + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is + a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. + Also, matchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. 
+ Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is + a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod label update), the + system may or may not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. 
+ items: + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. + Also, matchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. + Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. 
+ null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + x-kubernetes-list-type: atomic + type: object + podAntiAffinity: + description: Describes pod anti-affinity scheduling + rules (e.g. avoid putting this pod in the same node, + zone, etc. as some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the anti-affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling anti-affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. + items: + description: The weights of all of the matched + WeightedPodAffinityTerm fields are added per-node + to find the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, + associated with the corresponding weight. + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. 
+ properties: + matchExpressions: + description: matchExpressions is + a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. 
+ Also, matchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. + Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is + a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. 
+ type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. 
+ format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the anti-affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the anti-affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod label update), the + system may or may not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. + items: + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. + Also, matchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. 
Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. + Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + x-kubernetes-list-type: atomic + type: object + type: object + nodeSelector: + description: |- + K8s node labels settings. - Example: .:941 - type: string + See https://kubernetes.io/docs/user-guide/node-selection/ + properties: + nodeSelectorTerms: + description: Required. A list of node selector terms. + The terms are ORed. + items: + description: |- + A null or empty node selector term matches no objects. The requirements of + them are ANDed. + The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. + properties: + matchExpressions: + description: A list of node selector requirements + by node's labels. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. 
+ properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + description: A list of node selector requirements + by node's fields. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + type: array + x-kubernetes-list-type: atomic + required: + - nodeSelectorTerms type: object - type: object - variant: - description: The variant of the Istio container images to - use. Options are "debug" or "distroless". Unset will use - the default for the given version. - type: string - waypoint: - description: Specifies how waypoints are configured within - Istio. - properties: + x-kubernetes-map-type: atomic resources: description: |- K8s resource settings. @@ -1242,6 +2291,12 @@ spec: the Pod where this field is used. It makes that resource available inside a container. type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string required: - name type: object 
@@ -1274,11 +2329,242 @@ spec: More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object type: object + toleration: + description: |- + K8s tolerations settings. + + See https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + items: + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . + properties: + effect: + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. + type: string + operator: + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. + type: string + tolerationSeconds: + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. + type: string + type: object + type: array + topologySpreadConstraints: + description: |- + K8s topology spread constraints settings. 
+ + See https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ + items: + description: TopologySpreadConstraint specifies how + to spread matching pods among the given topology. + properties: + labelSelector: + description: |- + LabelSelector is used to find matching pods. + Pods that match this label selector are counted to determine the number of pods + in their corresponding topology domain. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select the pods over which + spreading will be calculated. 
The keys are used to lookup values from the + incoming pod labels, those key-value labels are ANDed with labelSelector + to select the group of existing pods over which spreading will be calculated + for the incoming pod. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + MatchLabelKeys cannot be set when LabelSelector isn't set. + Keys that don't exist in the incoming pod labels will + be ignored. A null or empty list means only match against labelSelector. + + This is a beta field and requires the MatchLabelKeysInPodTopologySpread feature gate to be enabled (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + maxSkew: + description: |- + MaxSkew describes the degree to which pods may be unevenly distributed. + When `whenUnsatisfiable=DoNotSchedule`, it is the maximum permitted difference + between the number of matching pods in the target topology and the global minimum. + The global minimum is the minimum number of matching pods in an eligible domain + or zero if the number of eligible domains is less than MinDomains. + For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same + labelSelector spread as 2/2/1: + In this case, the global minimum is 1. + | zone1 | zone2 | zone3 | + | P P | P P | P | + - if MaxSkew is 1, incoming pod can only be scheduled to zone3 to become 2/2/2; + scheduling it onto zone1(zone2) would make the ActualSkew(3-1) on zone1(zone2) + violate MaxSkew(1). + - if MaxSkew is 2, incoming pod can be scheduled onto any zone. + When `whenUnsatisfiable=ScheduleAnyway`, it is used to give higher precedence + to topologies that satisfy it. + It's a required field. Default value is 1 and 0 is not allowed. + format: int32 + type: integer + minDomains: + description: |- + MinDomains indicates a minimum number of eligible domains. 
+ When the number of eligible domains with matching topology keys is less than minDomains, + Pod Topology Spread treats "global minimum" as 0, and then the calculation of Skew is performed. + And when the number of eligible domains with matching topology keys equals or greater than minDomains, + this value has no effect on scheduling. + As a result, when the number of eligible domains is less than minDomains, + scheduler won't schedule more than maxSkew Pods to those domains. + If value is nil, the constraint behaves as if MinDomains is equal to 1. + Valid values are integers greater than 0. + When value is not nil, WhenUnsatisfiable must be DoNotSchedule. + + For example, in a 3-zone cluster, MaxSkew is set to 2, MinDomains is set to 5 and pods with the same + labelSelector spread as 2/2/2: + | zone1 | zone2 | zone3 | + | P P | P P | P P | + The number of domains is less than 5(MinDomains), so "global minimum" is treated as 0. + In this situation, new pod with the same labelSelector cannot be scheduled, + because computed skew will be 3(3 - 0) if new Pod is scheduled to any of the three zones, + it will violate MaxSkew. + format: int32 + type: integer + nodeAffinityPolicy: + description: |- + NodeAffinityPolicy indicates how we will treat Pod's nodeAffinity/nodeSelector + when calculating pod topology spread skew. Options are: + - Honor: only nodes matching nodeAffinity/nodeSelector are included in the calculations. + - Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations. + + If this value is nil, the behavior is equivalent to the Honor policy. + This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag. + type: string + nodeTaintsPolicy: + description: |- + NodeTaintsPolicy indicates how we will treat node taints when calculating + pod topology spread skew. 
Options are: + - Honor: nodes without taints, along with tainted nodes for which the incoming pod + has a toleration, are included. + - Ignore: node taints are ignored. All nodes are included. + + If this value is nil, the behavior is equivalent to the Ignore policy. + This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag. + type: string + topologyKey: + description: |- + TopologyKey is the key of node labels. Nodes that have a label with this key + and identical values are considered to be in the same topology. + We consider each as a "bucket", and try to put balanced number + of pods into each bucket. + We define a domain as a particular instance of a topology. + Also, we define an eligible domain as a domain whose nodes meet the requirements of + nodeAffinityPolicy and nodeTaintsPolicy. + e.g. If TopologyKey is "kubernetes.io/hostname", each Node is a domain of that topology. + And, if TopologyKey is "topology.kubernetes.io/zone", each zone is a domain of that topology. + It's a required field. + type: string + whenUnsatisfiable: + description: |- + WhenUnsatisfiable indicates how to deal with a pod if it doesn't satisfy + the spread constraint. + - DoNotSchedule (default) tells the scheduler not to schedule it. + - ScheduleAnyway tells the scheduler to schedule the pod in any location, + but giving higher precedence to topologies that would help reduce the + skew. + A constraint is considered "Unsatisfiable" for an incoming pod + if and only if every possible node assignment for that pod would violate + "MaxSkew" on some topology. + For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same + labelSelector spread as 3/1/1: + | zone1 | zone2 | zone3 | + | P P P | P | P | + If WhenUnsatisfiable is set to DoNotSchedule, incoming pod can only be scheduled + to zone2(zone3) to become 3/2/1(3/1/2) as ActualSkew(2-1) on zone2(zone3) satisfies + MaxSkew(1). 
In other words, the cluster can still be imbalanced, but scheduler + won't make it *more* imbalanced. + It's a required field. + type: string + required: + - maxSkew + - topologyKey + - whenUnsatisfiable + type: object + type: array type: object type: object istiodRemote: - description: Configuration for istiod-remote. + description: |- + Configuration for istiod-remote. + DEPRECATED - istiod-remote chart is removed and replaced with + `istio-discovery --set values.istiodRemote.enabled=true` + + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. properties: + enabled: + description: Indicates if this cluster/install should consume + a "remote" istiod instance, + type: boolean injectionCABundle: description: injector ca bundle type: string @@ -1326,7 +2612,7 @@ spec: type: string istiodSide: description: |- - Use istiod_side to specify CA Server integrate to Istiod side or Agent side + Use istiodSide to specify CA Server integrate to Istiod side or Agent side Default: true type: boolean requestTimeout: @@ -1336,8 +2622,8 @@ spec: type: string tlsSettings: description: |- - Use the tls_settings to specify the tls mode to use. - Regarding tls_settings: + Use the tlsSettings to specify the tls mode to use. + Regarding tlsSettings: - DISABLE MODE is legitimate for the case Istiod is making the request via an Envoy sidecar. DISABLE MODE can also be used for testing - TLS MUTUAL MODE be on by default. If the CA certificates 
@@ -1463,12 +2749,12 @@ spec: Optional. Specify the list of trust domains to which this trustAnchor data belongs. If set, they are used for these trust domains. Otherwise, this trustAnchor is used for default trust domain and its aliases. - Note that we can have multiple trustAnchor data for a same trust_domain. + Note that we can have multiple trustAnchor data for a same trustDomain. In that case, trustAnchors with a same trust domain will be merged and used together to verify peer certificates. - If neither cert_signers nor trust_domains is set, this trustAnchor is used for all trust domains and all signers. - If only trust_domains is set, this trustAnchor is used for these trust_domains and all signers. - If only cert_signers is set, this trustAnchor is used for these cert_signers and all trust domains. - If both cert_signers and trust_domains is set, this trustAnchor is only used for these signers and trust domains. + If neither certSigners nor trustDomains is set, this trustAnchor is used for all trust domains and all signers. + If only trustDomains is set, this trustAnchor is used for these trustDomains and all signers. + If only certSigners is set, this trustAnchor is used for these certSigners and all trust domains. + If both certSigners and trustDomains is set, this trustAnchor is only used for these signers and trust domains. items: type: string type: array @@ -1540,7 +2826,7 @@ spec: type: array tlsSettings: description: |- - Use the tls_settings to specify the tls mode to use. If the MCP server + Use the tlsSettings to specify the tls mode to use. If the MCP server uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS mode as `ISTIO_MUTUAL`. properties: 
@@ -1738,7 +3024,7 @@ spec: type: object tlsSettings: description: |- - Use the `tls_settings` to specify the tls mode to use. If the remote service + Use the `tlsSettings` to specify the tls mode to use. If the remote service uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS mode as `ISTIO_MUTUAL`. properties: @@ -1866,7 +3152,7 @@ spec: type: object tlsSettings: description: |- - Use the `tls_settings` to specify the tls mode to use. If the remote service + Use the `tlsSettings` to specify the tls mode to use. If the remote service uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS mode as `ISTIO_MUTUAL`. properties: @@ -2002,7 +3288,7 @@ spec: address to the X-Forwarded-For (XFF) address and set the X-Envoy-External-Address header to the trusted client address before forwarding it to the upstream services in the cluster. - The default value of num_trusted_proxies is 0. + The default value of numTrustedProxies is 0. See [Envoy XFF](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#config-http-conn-man-headers-x-forwarded-for) header handling for more details. format: int32 
@@ -2188,6 +3474,41 @@ spec: header. By default, `istio-envoy` will be used. type: string type: object + setCurrentClientCertDetails: + description: |- + This field is valid only when forward_client_cert_details is APPEND_FORWARD or SANITIZE_SET + and the client connection is mTLS. It specifies the fields in + the client certificate to be forwarded. Note that `Hash` is always set, and + `By` is always set when the client certificate presents the URI type Subject Alternative Name value. + properties: + cert: + description: |- + Whether to forward the entire client cert in URL encoded PEM format. This will appear in the + XFCC header comma separated from other values with the value Cert="PEM". + Defaults to false. + type: boolean + chain: + description: |- + Whether to forward the entire client cert chain (including the leaf cert) in URL encoded PEM + format. This will appear in the XFCC header comma separated from other values with the value + Chain="PEM". + Defaults to false. + type: boolean + dns: + description: |- + Whether to forward the DNS type Subject Alternative Names of the client cert. + Defaults to true. + type: boolean + subject: + description: Whether to forward the subject of + the client cert. Defaults to true. + type: boolean + uri: + description: |- + Whether to forward the URI type Subject Alternative Name of the client cert. Defaults to + true. + type: boolean + type: object type: object proxyMetadata: additionalProperties: 
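Review bot: The new setCurrentClientCertDetails description still refers to `forward_client_cert_details` in snake_case, while this same commit rewrites the other field references to their CRD camelCase names (`failOpen`, `maxRequestBytes`, `includeRequestHeadersInCheck` in the later hunks), so the sentence points at a field name a user cannot find in the schema. The line should read `This field is valid only when forwardClientCertDetails is APPEND_FORWARD or SANITIZE_SET`. If this manifest is generated from the API type comments, the fix belongs in that source comment and the manifest should be regenerated rather than hand-edited. The enclosing object this property is added to starts and ends outside the hunk.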
@@ -2450,7 +3771,7 @@ spec: The amount of time allowed for connections to complete on proxy shutdown. On receiving `SIGTERM` or `SIGINT`, `istio-agent` tells the active Envoy to start gracefully draining, discouraging any new connections and allowing existing connections to complete. It then - sleeps for the `termination_drain_duration` and then kills any remaining active Envoy processes. + sleeps for the `terminationDrainDuration` and then kills any remaining active Envoy processes. If not set, a default of `5s` will be applied. type: string tracing: @@ -2603,7 +3924,7 @@ spec: type: object tlsSettings: description: |- - Use the tls_settings to specify the tls mode to use. If the remote tracing service + Use the tlsSettings to specify the tls mode to use. If the remote tracing service uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS mode as `ISTIO_MUTUAL`. properties: @@ -2731,8 +4052,8 @@ spec: <= 1 defaultDestinationRuleExportTo: description: |- - The default value for the `DestinationRule.export_to` field. Has the same - syntax as `default_service_export_to`. + The default value for the `DestinationRule.exportTo` field. Has the same + syntax as `defaultServiceExportTo`. If not set the system will use "*" as the default value which implies that destination rules are exported to all namespaces @@ -2808,7 +4129,7 @@ spec: type: object defaultServiceExportTo: description: |- - The default value for the ServiceEntry.export_to field and services + The default value for the ServiceEntry.exportTo field and services imported through container registry integrations, e.g. this applies to Kubernetes Service resources. The value is a list of namespace names and reserved namespace aliases. The allowed namespace aliases are: 
@@ -2837,8 +4158,8 @@ spec: type: array defaultVirtualServiceExportTo: description: |- - The default value for the VirtualService.export_to field. Has the same - syntax as `default_service_export_to`. + The default value for the VirtualService.exportTo field. Has the same + syntax as `defaultServiceExportTo`. If not set the system will use "*" as the default value which implies that virtual services are exported to all namespaces @@ -3021,7 +4342,7 @@ spec: properties: allowPartialMessage: description: |- - When this field is true, ext-authz filter will buffer the message until max_request_bytes is reached. + When this field is true, ext-authz filter will buffer the message until maxRequestBytes is reached. The authorization request will be dispatched and no 413 HTTP error will be returned by the filter. A "x-envoy-auth-partial-body: false|true" metadata header will be added to the authorization request message indicating if the body data is partial. @@ -3029,10 +4350,10 @@ spec: maxRequestBytes: description: |- Sets the maximum size of a message body that the ext-authz filter will hold in memory. - If max_request_bytes is reached, and allow_partial_message is false, Envoy will return a 413 (Payload Too Large). + If maxRequestBytes is reached, and allowPartialMessage is false, Envoy will return a 413 (Payload Too Large). Otherwise the request will be sent to the provider with a partial message. - Note that this setting will have precedence over the fail_open field, the 413 will be returned even when the - fail_open is set to true. + Note that this setting will have precedence over the failOpen field, the 413 will be returned even when the + failOpen is set to true. format: int32 type: integer packAsBytes: 
@@ -3040,7 +4361,7 @@ spec: If true, the body sent to the external authorization service in the gRPC authorization request is set with raw bytes in the [raw_body field](https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L153). Otherwise, it will be filled with UTF-8 string in the [body field](https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L147). - This field only works with the envoy_ext_authz_grpc provider and has no effect for the envoy_ext_authz_http provider. + This field only works with the envoyExtAuthzGrpc provider and has no effect for the envoyExtAuthzHttp provider. type: boolean type: object port: @@ -3066,7 +4387,7 @@ spec: description: |- The maximum duration that the proxy will wait for a response from the provider, this is the timeout for a specific request (default timeout: 600s). When this timeout condition is met, the proxy marks the communication to the authorization service as failure. - In this situation, the response sent back to the client will depend on the configured `fail_open` field. + In this situation, the response sent back to the client will depend on the configured `failOpen` field. type: string required: - port 
@@ -3140,11 +4461,11 @@ spec: description: |- Set of additional fixed headers that should be included in the authorization request sent to the authorization service. Key is the header name and value is the header value. - Note that client request of the same key or headers specified in include_request_headers_in_check will be overridden. + Note that client request of the same key or headers specified in includeRequestHeadersInCheck will be overridden. type: object includeHeadersInCheck: description: |- - DEPRECATED. Use include_request_headers_in_check instead. + DEPRECATED. Use includeRequestHeadersInCheck instead. Deprecated: Marked as deprecated in mesh/v1alpha1/config.proto. items: @@ -3157,7 +4478,7 @@ spec: properties: allowPartialMessage: description: |- - When this field is true, ext-authz filter will buffer the message until max_request_bytes is reached. + When this field is true, ext-authz filter will buffer the message until maxRequestBytes is reached. The authorization request will be dispatched and no 413 HTTP error will be returned by the filter. A "x-envoy-auth-partial-body: false|true" metadata header will be added to the authorization request message indicating if the body data is partial. @@ -3165,10 +4486,10 @@ spec: maxRequestBytes: description: |- Sets the maximum size of a message body that the ext-authz filter will hold in memory. - If max_request_bytes is reached, and allow_partial_message is false, Envoy will return a 413 (Payload Too Large). + If maxRequestBytes is reached, and allowPartialMessage is false, Envoy will return a 413 (Payload Too Large). Otherwise the request will be sent to the provider with a partial message. - Note that this setting will have precedence over the fail_open field, the 413 will be returned even when the - fail_open is set to true. + Note that this setting will have precedence over the failOpen field, the 413 will be returned even when the + failOpen is set to true. format: int32 type: integer packAsBytes: 
@@ -3176,7 +4497,7 @@ spec: If true, the body sent to the external authorization service in the gRPC authorization request is set with raw bytes in the [raw_body field](https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L153). Otherwise, it will be filled with UTF-8 string in the [body field](https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L147). - This field only works with the envoy_ext_authz_grpc provider and has no effect for the envoy_ext_authz_http provider. + This field only works with the envoyExtAuthzGrpc provider and has no effect for the envoyExtAuthzHttp provider. type: boolean type: object includeRequestHeadersInCheck: @@ -3185,7 +4506,7 @@ spec: Note that in addition to the headers specified here following headers are included by default: 1. *Host*, *Method*, *Path* and *Content-Length* are automatically sent. 2. *Content-Length* will be set to 0 and the request will not have a message body. However, the authorization - request can include the buffered client request body (controlled by include_request_body_in_check setting), + request can include the buffered client request body (controlled by includeRequestBodyInCheck setting), consequently the value of Content-Length of the authorization request reflects the size of its payload size. Exact, prefix and suffix matches are supported (similar to the 
@@ -3226,7 +4547,7 @@ spec: description: |- The maximum duration that the proxy will wait for a response from the provider (default timeout: 600s). When this timeout condition is met, the proxy marks the communication to the authorization service as failure. - In this situation, the response sent back to the client will depend on the configured `fail_open` field. + In this situation, the response sent back to the client will depend on the configured `failOpen` field. type: string required: - port @@ -3351,7 +4672,7 @@ spec: dictionaries](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#config-access-log-format-dictionaries)). Nested JSON is\nsupported for some command operators (e.g. FILTER_STATE or DYNAMIC_METADATA).\nAlias - to `attributes` filed in [Open Telemetry](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/open_telemetry/v3/logs_service.proto)\n\nExample:\n```\nlabels:\n\n\tstatus: + to `attributes` field in [Open Telemetry](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/open_telemetry/v3/logs_service.proto)\n\nExample:\n```\nlabels:\n\n\tstatus: \"%RESPONSE_CODE%\"\n\tmessage: \"%LOCAL_REPLY_BODY%\"\n\n```" type: object text: 
@@ -3359,7 +4680,7 @@ spec: Textual format for the envoy access logs. Envoy [command operators](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators) may be used in the format. The [format string documentation](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#config-access-log-format-strings) provides more information. - Alias to `body` filed in [Open Telemetry](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/open_telemetry/v3/logs_service.proto) + Alias to `body` field in [Open Telemetry](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/open_telemetry/v3/logs_service.proto) Example: `text: "%LOCAL_REPLY_BODY%:%RESPONSE_CODE%:path=%REQ(:path)%"` type: string type: object @@ -3529,11 +4850,11 @@ spec: headers: - name: "Authorization" value: "Api-Token dt0c01." - resource_detectors: + resourceDetectors: dynatrace: {} - dynatrace_sampler: + dynatraceSampler: tenant: "{your-environment-id}" - cluster_id: 1234 + clusterId: 1234 properties: clusterId: description: |- @@ -3610,8 +4931,8 @@ spec: A default value of `1000` is used when: - - `root_spans_per_minute` is unset - - `root_spans_per_minute` is set to 0 + - `rootSpansPerMinute` is unset + - `rootSpansPerMinute` is set to 0 format: int32 type: integer tenant: 
@@ -3624,6 +4945,50 @@ spec: - clusterId - tenant type: object + grpc: + description: "Optional. Specifies the configuration + for exporting OTLP traces via GRPC.\nWhen empty, + traces will check whether HTTP is set.\nIf not, + traces will use default GRPC configurations.\n\nThe + following example shows how to configure the OpenTelemetry + ExtensionProvider to export via GRPC:\n\n1. Add/change + the OpenTelemetry extension provider in `MeshConfig`\n```yaml\n + \ - name: opentelemetry\n opentelemetry:\n + \ port: 8090\n service: tracing.example.com\n + \ grpc:\n timeout: 10s\n initialMetadata:\n + \ - name: \"Authentication\"\n value: \"token-xxxxx\"\n\n```\n\n2. + Deploy a `ServiceEntry` for the observability + back-end\n```yaml\napiVersion: networking.istio.io/v1alpha3\nkind: + ServiceEntry\nmetadata:\n\n\tname: tracing-grpc\n\nspec:\n\n\thosts:\n\t- + tracing.example.com\n\tports:\n\t- number: 8090\n\t + \ name: grpc-port\n\t protocol: GRPC\n\tresolution: + DNS\n\tlocation: MESH_EXTERNAL\n\n```" + properties: + initialMetadata: + description: |- + Optional. Additional metadata to include in streams initiated to the GrpcService. This can be used for + scenarios in which additional ad hoc authorization headers (e.g. “x-foo-bar: baz-key“) are to + be injected. + items: + properties: + name: + description: REQUIRED. The HTTP header + name. + type: string + value: + description: REQUIRED. The HTTP header + value. + type: string + required: + - name + - value + type: object + type: array + timeout: + description: Optional. Specifies the timeout + for the GRPC request. + type: string + type: object http: description: "Optional. Specifies the configuration for exporting OTLP traces via HTTP.\nWhen empty, @@ -3702,7 +5067,7 @@ spec: opentelemetry: port: 443 service: my.olly-backend.com - resource_detectors: + resourceDetectors: environment: {} ``` 
@@ -3838,6 +5203,11 @@ spec: NOTE: currently only controls max length of the path tag. format: int32 type: integer + path: + description: |- + Optional. Specifies the endpoint of Zipkin API. + The default value is "/api/v2/spans". + type: string port: description: REQUIRED. Specifies the port of the service. @@ -3939,7 +5309,7 @@ spec: the Gateway.selector field, and will be set as `istio: INGRESS_SELECTOR`. By default, `ingressgateway` is used, which will select the default IngressGateway as it has the `istio: ingressgateway` labels. - It is recommended that this is the same value as ingress_service. + It is recommended that this is the same value as ingressService. type: string ingressService: description: |- @@ -4247,7 +5617,7 @@ spec: ```yaml serviceSettings: - settings: - cluster_local: true + clusterLocal: true hosts: - "*.foo.svc.cluster.local" - "bar.baz.svc.cluster.local" @@ -4316,7 +5686,7 @@ spec: tlsDefaults: description: |- Configuration of TLS for all traffic except for ISTIO_MUTUAL mode. - Currently, this supports configuration of ecdh_curves and cipher_suites only. + Currently, this supports configuration of ecdhCurves and cipherSuites only. For ISTIO_MUTUAL TLS settings, use meshMTLS configuration. properties: cipherSuites: @@ -4363,7 +5733,7 @@ spec: type: string trustDomainAliases: description: |- - The trust domain aliases represent the aliases of `trust_domain`. + The trust domain aliases represent the aliases of `trustDomain`. For example, if we have ```yaml trustDomain: td1 @@ -4691,7 +6061,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both matchLabelKeys and labelSelector. Also, matchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array 
@@ -4706,7 +6076,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -4874,7 +6244,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both matchLabelKeys and labelSelector. Also, matchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -4889,7 +6259,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -5055,7 +6425,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both matchLabelKeys and labelSelector. Also, matchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array 
@@ -5070,7 +6440,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -5238,7 +6608,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both matchLabelKeys and labelSelector. Also, matchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -5253,7 +6623,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array 
@@ -5547,6 +6917,26 @@ spec: are PreferDualStack, RequireDualStack, and SingleStack. More info: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services type: string + istiodRemote: + description: Configuration for the istio-discovery chart when + istiod is running in a remote cluster (e.g. "remote control + plane"). + properties: + enabled: + description: Indicates if this cluster/install should + consume a "remote" istiod instance, + type: boolean + injectionCABundle: + description: injector ca bundle + type: string + injectionPath: + description: Path to use for the sidecar injector webhook + service. + type: string + injectionURL: + description: URL to use for sidecar injector webhook. + type: string + type: object jwksResolverExtraRootCA: description: |- Specifies an extra root certificate in PEM format. This certificate will be trusted @@ -5637,6 +7027,12 @@ spec: the Pod where this field is used. It makes that resource available inside a container. type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string required: - name type: object @@ -6106,6 +7502,7 @@ spec: the blob storage type: string fsType: + default: ext4 description: |- fsType is Filesystem type to mount. Must be a filesystem type supported by the host operating system. @@ -6119,6 +7516,7 @@ spec: set). defaults to shared' type: string readOnly: + default: false description: |- readOnly Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts. 
@@ -6728,7 +8126,7 @@ spec: set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource exists. More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/ - (Alpha) Using this field requires the VolumeAttributesClass feature gate to be enabled. + (Beta) Using this field requires the VolumeAttributesClass feature gate to be enabled (off by default). type: string volumeMode: description: |- 
@@ -6951,6 +8349,41 @@ spec: required: - path type: object + image: + description: |- + image represents an OCI object (a container image or artifact) pulled and mounted on the kubelet's host machine. + The volume is resolved at pod startup depending on which PullPolicy value is provided: + + - Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails. + - Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present. + - IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails. + + The volume gets re-resolved if the pod gets deleted and recreated, which means that new remote content will become available on pod recreation. + A failure to resolve or pull the image during pod startup will block containers from starting and may add significant latency. Failures will be retried using normal volume backoff and will be reported on the pod reason and message. + The types of objects that may be mounted by this volume are defined by the container runtime implementation on a host machine and at minimum must include all valid types supported by the container image field. + The OCI object gets mounted in a single directory (spec.containers[*].volumeMounts.mountPath) by merging the manifest layers in the same way as for container images. + The volume will be mounted read-only (ro) and non-executable files (noexec). + Sub path mounts for containers are not supported (spec.containers[*].volumeMounts.subpath). + The field spec.securityContext.fsGroupChangePolicy has no effect on this volume type. + properties: + pullPolicy: + description: |- + Policy for pulling OCI objects. Possible values are: + Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails. 
+ Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present. + IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails. + Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. + type: string + reference: + description: |- + Required: Image or artifact reference to be used. + Behaves in the same way as pod.spec.containers[*].image. + Pull secrets will be assembled in the same way as for the container image by looking up node credentials, SA image pull secrets, and pod spec image pull secrets. + More info: https://kubernetes.io/docs/concepts/containers/images + This field is optional to allow higher level config management to default or override + container images in workload controllers like Deployments and StatefulSets. + type: string + type: object iscsi: description: |- iscsi represents an ISCSI Disk resource that is attached to a @@ -6982,6 +8415,7 @@ spec: description: iqn is the target iSCSI Qualified Name. type: string iscsiInterface: + default: default description: |- iscsiInterface is the interface Name that uses an iSCSI transport. Defaults to 'default' (tcp). @@ -7133,10 +8567,13 @@ spec: format: int32 type: integer sources: - description: sources is the list of volume projections + description: |- + sources is the list of volume projections. Each entry in this list + handles one source. items: - description: Projection that may be projected - along with other supported volume types + description: |- + Projection that may be projected along with other supported volume types. + Exactly one of these fields must be set. properties: clusterTrustBundle: description: |- 
@@ -7521,6 +8958,7 @@ spec: More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it type: string keyring: + default: /etc/ceph/keyring description: |- keyring is the path to key ring for RBDUser. Default is /etc/ceph/keyring. @@ -7535,6 +8973,7 @@ spec: type: array x-kubernetes-list-type: atomic pool: + default: rbd description: |- pool is the rados pool name. Default is rbd. @@ -7565,6 +9004,7 @@ spec: type: object x-kubernetes-map-type: atomic user: + default: admin description: |- user is the rados user name. Default is admin. @@ -7579,6 +9019,7 @@ spec: volume attached and mounted on Kubernetes nodes. properties: fsType: + default: xfs description: |- fsType is the filesystem type to mount. Must be a filesystem type supported by the host operating system. @@ -7619,6 +9060,7 @@ spec: communication with Gateway, default false type: boolean storageMode: + default: ThinProvisioned description: |- storageMode indicates whether the storage for a volume should be ThickProvisioned or ThinProvisioned. Default is ThinProvisioned. @@ -7984,14 +9426,14 @@ spec: type: object type: object version: - default: v1.23.0 + default: v1.23.2 description: |- Defines the version of Istio to install. - Must be one of: v1.23.0, v1.22.3, v1.21.5, latest. + Must be one of: v1.23.2, v1.22.5, v1.21.6, latest. enum: - - v1.23.0 - - v1.22.3 - - v1.21.5 + - v1.23.2 + - v1.22.5 + - v1.21.6 - latest type: string required: diff --git a/bundle/manifests/sailoperator.io_remoteistios.yaml b/bundle/manifests/sailoperator.io_remoteistios.yaml index a094c3731..660aa66a3 100644 --- a/bundle/manifests/sailoperator.io_remoteistios.yaml +++ b/bundle/manifests/sailoperator.io_remoteistios.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.0 + controller-gen.kubebuilder.io/version: v0.16.3 creationTimestamp: null name: remoteistios.sailoperator.io spec: 
@@ -75,7 +75,7 @@ spec: namespace: istio-system updateStrategy: type: InPlace - version: v1.23.0 + version: v1.23.2 description: RemoteIstioSpec defines the desired state of RemoteIstio properties: namespace: @@ -86,13 +86,12 @@ spec: description: |- The built-in installation configuration profile to use. The 'default' profile is always applied. On OpenShift, the 'openshift' profile is also applied on top of 'default'. - Must be one of: ambient, default, demo, empty, external, openshift-ambient, openshift, preview, stable. + Must be one of: ambient, default, demo, empty, openshift-ambient, openshift, preview, stable. enum: - ambient - default - demo - empty - - external - openshift-ambient - openshift - preview @@ -144,6 +143,11 @@ spec: base: description: Configuration for the base component. properties: + excludedCRDs: + description: CRDs to exclude. Requires `enableCRDTemplates` + items: + type: string + type: array validationCABundle: description: validation webhook CA bundle type: string @@ -227,10 +231,7 @@ spec: Deprecated: Marked as deprecated in pkg/apis/values_types.proto. type: object defaultPodDisruptionBudget: - description: |- - Specifies the default pod disruption budget configuration. - - Deprecated: Marked as deprecated in pkg/apis/values_types.proto. + description: Specifies the default pod disruption budget configuration. properties: enabled: description: Controls whether a PodDisruptionBudget with @@ -264,6 +265,12 @@ spec: the Pod where this field is used. It makes that resource available inside a container. type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string required: - name type: object 
@@ -465,7 +472,7 @@ spec: with the endpoint by\nadding the `ISTIO_META_NETWORK` environment variable to the sidecar.\n\n2. Explicitly:\n\n\ta. By matching the registry name with one of the \"fromRegistry\"\n\tin - the mesh config. A \"from_registry\" can only be + the mesh config. A \"fromRegistry\" can only be assigned to a\n\tsingle network.\n\n\tb. By matching the IP against one of the CIDR ranges in a mesh\n\tconfig network. The CIDR ranges must not overlap and be @@ -976,6 +983,12 @@ spec: the Pod where this field is used. It makes that resource available inside a container. type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string required: - name type: object @@ -1083,6 +1096,12 @@ spec: the Pod where this field is used. It makes that resource available inside a container. type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string required: - name type: object 
@@ -1192,26 +1211,1056 @@ spec: format: int32 type: integer type: object - zipkin: - description: Configuration for the zipkin tracing service. - properties: - address: - description: |- - Address of zipkin instance in host:port format for reporting trace data. + zipkin: + description: Configuration for the zipkin tracing service. + properties: + address: + description: |- + Address of zipkin instance in host:port format for reporting trace data. + + Example: .:941 + type: string + type: object + type: object + variant: + description: The variant of the Istio container images to + use. Options are "debug" or "distroless". Unset will use + the default for the given version. + type: string + waypoint: + description: Specifies how waypoints are configured within + Istio. + properties: + affinity: + description: |- + K8s affinity settings for waypoint pods. + + See https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + properties: + nodeAffinity: + description: Describes node affinity scheduling rules + for the pod. + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node matches the corresponding matchExpressions; the + node(s) with the highest sum are the most preferred. + items: + description: |- + An empty preferred scheduling term matches all objects with implicit weight 0 + (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). 
+ properties: + preference: + description: A node selector term, associated + with the corresponding weight. + properties: + matchExpressions: + description: A list of node selector + requirements by node's labels. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that + the selector applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + description: A list of node selector + requirements by node's fields. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that + the selector applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. 
+ This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + weight: + description: Weight associated with matching + the corresponding nodeSelectorTerm, in + the range 1-100. + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to an update), the system + may or may not try to eventually evict the pod from its node. + properties: + nodeSelectorTerms: + description: Required. A list of node selector + terms. The terms are ORed. + items: + description: |- + A null or empty node selector term matches no objects. The requirements of + them are ANDed. + The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. + properties: + matchExpressions: + description: A list of node selector + requirements by node's labels. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that + the selector applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. 
If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + description: A list of node selector + requirements by node's fields. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that + the selector applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + type: array + x-kubernetes-list-type: atomic + required: + - nodeSelectorTerms + type: object + x-kubernetes-map-type: atomic + type: object + podAffinity: + description: Describes pod affinity scheduling rules + (e.g. co-locate this pod in the same node, zone, + etc. as some other pod(s)). 
+ properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. + items: + description: The weights of all of the matched + WeightedPodAffinityTerm fields are added per-node + to find the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, + associated with the corresponding weight. + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is + a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. + Also, matchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. 
+ Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is + a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod label update), the + system may or may not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. 
+ items: + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. + Also, matchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. + Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. 
+ null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + x-kubernetes-list-type: atomic + type: object + podAntiAffinity: + description: Describes pod anti-affinity scheduling + rules (e.g. avoid putting this pod in the same node, + zone, etc. as some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the anti-affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling anti-affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. + items: + description: The weights of all of the matched + WeightedPodAffinityTerm fields are added per-node + to find the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, + associated with the corresponding weight. + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. 
+ properties: + matchExpressions: + description: matchExpressions is + a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. 
+ Also, matchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. + Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is + a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. 
+ type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. 
+ format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the anti-affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the anti-affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod label update), the + system may or may not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. + items: + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. + Also, matchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. 
Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. + Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + x-kubernetes-list-type: atomic + type: object + type: object + nodeSelector: + description: |- + K8s node labels settings. - Example: .:941 - type: string + See https://kubernetes.io/docs/user-guide/node-selection/ + properties: + nodeSelectorTerms: + description: Required. A list of node selector terms. + The terms are ORed. + items: + description: |- + A null or empty node selector term matches no objects. The requirements of + them are ANDed. + The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. + properties: + matchExpressions: + description: A list of node selector requirements + by node's labels. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. 
+ properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + description: A list of node selector requirements + by node's fields. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + type: array + x-kubernetes-list-type: atomic + required: + - nodeSelectorTerms type: object - type: object - variant: - description: The variant of the Istio container images to - use. Options are "debug" or "distroless". Unset will use - the default for the given version. - type: string - waypoint: - description: Specifies how waypoints are configured within - Istio. - properties: + x-kubernetes-map-type: atomic resources: description: |- K8s resource settings. @@ -1237,6 +2286,12 @@ spec: the Pod where this field is used. It makes that resource available inside a container. type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string required: - name type: object 
@@ -1269,11 +2324,242 @@ spec: More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object type: object + toleration: + description: |- + K8s tolerations settings. + + See https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + items: + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . + properties: + effect: + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. + type: string + operator: + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. + type: string + tolerationSeconds: + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. + type: string + type: object + type: array + topologySpreadConstraints: + description: |- + K8s topology spread constraints settings. 
+ + See https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ + items: + description: TopologySpreadConstraint specifies how + to spread matching pods among the given topology. + properties: + labelSelector: + description: |- + LabelSelector is used to find matching pods. + Pods that match this label selector are counted to determine the number of pods + in their corresponding topology domain. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select the pods over which + spreading will be calculated. 
The keys are used to lookup values from the + incoming pod labels, those key-value labels are ANDed with labelSelector + to select the group of existing pods over which spreading will be calculated + for the incoming pod. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + MatchLabelKeys cannot be set when LabelSelector isn't set. + Keys that don't exist in the incoming pod labels will + be ignored. A null or empty list means only match against labelSelector. + + This is a beta field and requires the MatchLabelKeysInPodTopologySpread feature gate to be enabled (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + maxSkew: + description: |- + MaxSkew describes the degree to which pods may be unevenly distributed. + When `whenUnsatisfiable=DoNotSchedule`, it is the maximum permitted difference + between the number of matching pods in the target topology and the global minimum. + The global minimum is the minimum number of matching pods in an eligible domain + or zero if the number of eligible domains is less than MinDomains. + For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same + labelSelector spread as 2/2/1: + In this case, the global minimum is 1. + | zone1 | zone2 | zone3 | + | P P | P P | P | + - if MaxSkew is 1, incoming pod can only be scheduled to zone3 to become 2/2/2; + scheduling it onto zone1(zone2) would make the ActualSkew(3-1) on zone1(zone2) + violate MaxSkew(1). + - if MaxSkew is 2, incoming pod can be scheduled onto any zone. + When `whenUnsatisfiable=ScheduleAnyway`, it is used to give higher precedence + to topologies that satisfy it. + It's a required field. Default value is 1 and 0 is not allowed. + format: int32 + type: integer + minDomains: + description: |- + MinDomains indicates a minimum number of eligible domains. 
+ When the number of eligible domains with matching topology keys is less than minDomains, + Pod Topology Spread treats "global minimum" as 0, and then the calculation of Skew is performed. + And when the number of eligible domains with matching topology keys equals or greater than minDomains, + this value has no effect on scheduling. + As a result, when the number of eligible domains is less than minDomains, + scheduler won't schedule more than maxSkew Pods to those domains. + If value is nil, the constraint behaves as if MinDomains is equal to 1. + Valid values are integers greater than 0. + When value is not nil, WhenUnsatisfiable must be DoNotSchedule. + + For example, in a 3-zone cluster, MaxSkew is set to 2, MinDomains is set to 5 and pods with the same + labelSelector spread as 2/2/2: + | zone1 | zone2 | zone3 | + | P P | P P | P P | + The number of domains is less than 5(MinDomains), so "global minimum" is treated as 0. + In this situation, new pod with the same labelSelector cannot be scheduled, + because computed skew will be 3(3 - 0) if new Pod is scheduled to any of the three zones, + it will violate MaxSkew. + format: int32 + type: integer + nodeAffinityPolicy: + description: |- + NodeAffinityPolicy indicates how we will treat Pod's nodeAffinity/nodeSelector + when calculating pod topology spread skew. Options are: + - Honor: only nodes matching nodeAffinity/nodeSelector are included in the calculations. + - Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations. + + If this value is nil, the behavior is equivalent to the Honor policy. + This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag. + type: string + nodeTaintsPolicy: + description: |- + NodeTaintsPolicy indicates how we will treat node taints when calculating + pod topology spread skew. 
Options are: + - Honor: nodes without taints, along with tainted nodes for which the incoming pod + has a toleration, are included. + - Ignore: node taints are ignored. All nodes are included. + + If this value is nil, the behavior is equivalent to the Ignore policy. + This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag. + type: string + topologyKey: + description: |- + TopologyKey is the key of node labels. Nodes that have a label with this key + and identical values are considered to be in the same topology. + We consider each as a "bucket", and try to put balanced number + of pods into each bucket. + We define a domain as a particular instance of a topology. + Also, we define an eligible domain as a domain whose nodes meet the requirements of + nodeAffinityPolicy and nodeTaintsPolicy. + e.g. If TopologyKey is "kubernetes.io/hostname", each Node is a domain of that topology. + And, if TopologyKey is "topology.kubernetes.io/zone", each zone is a domain of that topology. + It's a required field. + type: string + whenUnsatisfiable: + description: |- + WhenUnsatisfiable indicates how to deal with a pod if it doesn't satisfy + the spread constraint. + - DoNotSchedule (default) tells the scheduler not to schedule it. + - ScheduleAnyway tells the scheduler to schedule the pod in any location, + but giving higher precedence to topologies that would help reduce the + skew. + A constraint is considered "Unsatisfiable" for an incoming pod + if and only if every possible node assignment for that pod would violate + "MaxSkew" on some topology. + For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same + labelSelector spread as 3/1/1: + | zone1 | zone2 | zone3 | + | P P P | P | P | + If WhenUnsatisfiable is set to DoNotSchedule, incoming pod can only be scheduled + to zone2(zone3) to become 3/2/1(3/1/2) as ActualSkew(2-1) on zone2(zone3) satisfies + MaxSkew(1). 
In other words, the cluster can still be imbalanced, but scheduler + won't make it *more* imbalanced. + It's a required field. + type: string + required: + - maxSkew + - topologyKey + - whenUnsatisfiable + type: object + type: array type: object type: object istiodRemote: - description: Configuration for istiod-remote. + description: |- + Configuration for istiod-remote. + DEPRECATED - istiod-remote chart is removed and replaced with + `istio-discovery --set values.istiodRemote.enabled=true` + + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. properties: + enabled: + description: Indicates if this cluster/install should consume + a "remote" istiod instance, + type: boolean injectionCABundle: description: injector ca bundle type: string @@ -1321,7 +2607,7 @@ spec: type: string istiodSide: description: |- - Use istiod_side to specify CA Server integrate to Istiod side or Agent side + Use istiodSide to specify CA Server integrate to Istiod side or Agent side Default: true type: boolean requestTimeout: @@ -1331,8 +2617,8 @@ spec: type: string tlsSettings: description: |- - Use the tls_settings to specify the tls mode to use. - Regarding tls_settings: + Use the tlsSettings to specify the tls mode to use. + Regarding tlsSettings: - DISABLE MODE is legitimate for the case Istiod is making the request via an Envoy sidecar. DISABLE MODE can also be used for testing - TLS MUTUAL MODE be on by default. If the CA certificates 
@@ -1458,12 +2744,12 @@ spec: Optional. Specify the list of trust domains to which this trustAnchor data belongs. If set, they are used for these trust domains. Otherwise, this trustAnchor is used for default trust domain and its aliases. - Note that we can have multiple trustAnchor data for a same trust_domain. + Note that we can have multiple trustAnchor data for a same trustDomain. In that case, trustAnchors with a same trust domain will be merged and used together to verify peer certificates. - If neither cert_signers nor trust_domains is set, this trustAnchor is used for all trust domains and all signers. - If only trust_domains is set, this trustAnchor is used for these trust_domains and all signers. - If only cert_signers is set, this trustAnchor is used for these cert_signers and all trust domains. - If both cert_signers and trust_domains is set, this trustAnchor is only used for these signers and trust domains. + If neither certSigners nor trustDomains is set, this trustAnchor is used for all trust domains and all signers. + If only trustDomains is set, this trustAnchor is used for these trustDomains and all signers. + If only certSigners is set, this trustAnchor is used for these certSigners and all trust domains. + If both certSigners and trustDomains is set, this trustAnchor is only used for these signers and trust domains. items: type: string type: array @@ -1535,7 +2821,7 @@ spec: type: array tlsSettings: description: |- - Use the tls_settings to specify the tls mode to use. If the MCP server + Use the tlsSettings to specify the tls mode to use. If the MCP server uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS mode as `ISTIO_MUTUAL`. properties: 
@@ -1733,7 +3019,7 @@ spec: type: object tlsSettings: description: |- - Use the `tls_settings` to specify the tls mode to use. If the remote service + Use the `tlsSettings` to specify the tls mode to use. If the remote service uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS mode as `ISTIO_MUTUAL`. properties: @@ -1861,7 +3147,7 @@ spec: type: object tlsSettings: description: |- - Use the `tls_settings` to specify the tls mode to use. If the remote service + Use the `tlsSettings` to specify the tls mode to use. If the remote service uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS mode as `ISTIO_MUTUAL`. properties: @@ -1997,7 +3283,7 @@ spec: address to the X-Forwarded-For (XFF) address and set the X-Envoy-External-Address header to the trusted client address before forwarding it to the upstream services in the cluster. - The default value of num_trusted_proxies is 0. + The default value of numTrustedProxies is 0. See [Envoy XFF](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#config-http-conn-man-headers-x-forwarded-for) header handling for more details. format: int32 
@@ -2183,6 +3469,41 @@ spec: header. By default, `istio-envoy` will be used. type: string type: object + setCurrentClientCertDetails: + description: |- + This field is valid only when forward_client_cert_details is APPEND_FORWARD or SANITIZE_SET + and the client connection is mTLS. It specifies the fields in + the client certificate to be forwarded. Note that `Hash` is always set, and + `By` is always set when the client certificate presents the URI type Subject Alternative Name value. + properties: + cert: + description: |- + Whether to forward the entire client cert in URL encoded PEM format. This will appear in the + XFCC header comma separated from other values with the value Cert="PEM". + Defaults to false. + type: boolean + chain: + description: |- + Whether to forward the entire client cert chain (including the leaf cert) in URL encoded PEM + format. This will appear in the XFCC header comma separated from other values with the value + Chain="PEM". + Defaults to false. + type: boolean + dns: + description: |- + Whether to forward the DNS type Subject Alternative Names of the client cert. + Defaults to true. + type: boolean + subject: + description: Whether to forward the subject of + the client cert. Defaults to true. + type: boolean + uri: + description: |- + Whether to forward the URI type Subject Alternative Name of the client cert. Defaults to + true. + type: boolean + type: object type: object proxyMetadata: additionalProperties: 
@@ -2445,7 +3766,7 @@ spec: The amount of time allowed for connections to complete on proxy shutdown. On receiving `SIGTERM` or `SIGINT`, `istio-agent` tells the active Envoy to start gracefully draining, discouraging any new connections and allowing existing connections to complete. It then - sleeps for the `termination_drain_duration` and then kills any remaining active Envoy processes. + sleeps for the `terminationDrainDuration` and then kills any remaining active Envoy processes. If not set, a default of `5s` will be applied. type: string tracing: @@ -2598,7 +3919,7 @@ spec: type: object tlsSettings: description: |- - Use the tls_settings to specify the tls mode to use. If the remote tracing service + Use the tlsSettings to specify the tls mode to use. If the remote tracing service uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS mode as `ISTIO_MUTUAL`. properties: @@ -2726,8 +4047,8 @@ spec: <= 1 defaultDestinationRuleExportTo: description: |- - The default value for the `DestinationRule.export_to` field. Has the same - syntax as `default_service_export_to`. + The default value for the `DestinationRule.exportTo` field. Has the same + syntax as `defaultServiceExportTo`. If not set the system will use "*" as the default value which implies that destination rules are exported to all namespaces @@ -2803,7 +4124,7 @@ spec: type: object defaultServiceExportTo: description: |- - The default value for the ServiceEntry.export_to field and services + The default value for the ServiceEntry.exportTo field and services imported through container registry integrations, e.g. this applies to Kubernetes Service resources. The value is a list of namespace names and reserved namespace aliases. The allowed namespace aliases are: 
@@ -2832,8 +4153,8 @@ spec: type: array defaultVirtualServiceExportTo: description: |- - The default value for the VirtualService.export_to field. Has the same - syntax as `default_service_export_to`. + The default value for the VirtualService.exportTo field. Has the same + syntax as `defaultServiceExportTo`. If not set the system will use "*" as the default value which implies that virtual services are exported to all namespaces @@ -3016,7 +4337,7 @@ spec: properties: allowPartialMessage: description: |- - When this field is true, ext-authz filter will buffer the message until max_request_bytes is reached. + When this field is true, ext-authz filter will buffer the message until maxRequestBytes is reached. The authorization request will be dispatched and no 413 HTTP error will be returned by the filter. A "x-envoy-auth-partial-body: false|true" metadata header will be added to the authorization request message indicating if the body data is partial. @@ -3024,10 +4345,10 @@ spec: maxRequestBytes: description: |- Sets the maximum size of a message body that the ext-authz filter will hold in memory. - If max_request_bytes is reached, and allow_partial_message is false, Envoy will return a 413 (Payload Too Large). + If maxRequestBytes is reached, and allowPartialMessage is false, Envoy will return a 413 (Payload Too Large). Otherwise the request will be sent to the provider with a partial message. - Note that this setting will have precedence over the fail_open field, the 413 will be returned even when the - fail_open is set to true. + Note that this setting will have precedence over the failOpen field, the 413 will be returned even when the + failOpen is set to true. format: int32 type: integer packAsBytes: 
@@ -3035,7 +4356,7 @@ spec: If true, the body sent to the external authorization service in the gRPC authorization request is set with raw bytes in the [raw_body field](https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L153). Otherwise, it will be filled with UTF-8 string in the [body field](https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L147). - This field only works with the envoy_ext_authz_grpc provider and has no effect for the envoy_ext_authz_http provider. + This field only works with the envoyExtAuthzGrpc provider and has no effect for the envoyExtAuthzHttp provider. type: boolean type: object port: @@ -3061,7 +4382,7 @@ spec: description: |- The maximum duration that the proxy will wait for a response from the provider, this is the timeout for a specific request (default timeout: 600s). When this timeout condition is met, the proxy marks the communication to the authorization service as failure. - In this situation, the response sent back to the client will depend on the configured `fail_open` field. + In this situation, the response sent back to the client will depend on the configured `failOpen` field. type: string required: - port 
@@ -3135,11 +4456,11 @@ spec: description: |- Set of additional fixed headers that should be included in the authorization request sent to the authorization service. Key is the header name and value is the header value. - Note that client request of the same key or headers specified in include_request_headers_in_check will be overridden. + Note that client request of the same key or headers specified in includeRequestHeadersInCheck will be overridden. type: object includeHeadersInCheck: description: |- - DEPRECATED. Use include_request_headers_in_check instead. + DEPRECATED. Use includeRequestHeadersInCheck instead. Deprecated: Marked as deprecated in mesh/v1alpha1/config.proto. items: @@ -3152,7 +4473,7 @@ spec: properties: allowPartialMessage: description: |- - When this field is true, ext-authz filter will buffer the message until max_request_bytes is reached. + When this field is true, ext-authz filter will buffer the message until maxRequestBytes is reached. The authorization request will be dispatched and no 413 HTTP error will be returned by the filter. A "x-envoy-auth-partial-body: false|true" metadata header will be added to the authorization request message indicating if the body data is partial. @@ -3160,10 +4481,10 @@ spec: maxRequestBytes: description: |- Sets the maximum size of a message body that the ext-authz filter will hold in memory. - If max_request_bytes is reached, and allow_partial_message is false, Envoy will return a 413 (Payload Too Large). + If maxRequestBytes is reached, and allowPartialMessage is false, Envoy will return a 413 (Payload Too Large). Otherwise the request will be sent to the provider with a partial message. - Note that this setting will have precedence over the fail_open field, the 413 will be returned even when the - fail_open is set to true. + Note that this setting will have precedence over the failOpen field, the 413 will be returned even when the + failOpen is set to true. format: int32 type: integer packAsBytes: 
@@ -3171,7 +4492,7 @@ spec: If true, the body sent to the external authorization service in the gRPC authorization request is set with raw bytes in the [raw_body field](https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L153). Otherwise, it will be filled with UTF-8 string in the [body field](https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L147). - This field only works with the envoy_ext_authz_grpc provider and has no effect for the envoy_ext_authz_http provider. + This field only works with the envoyExtAuthzGrpc provider and has no effect for the envoyExtAuthzHttp provider. type: boolean type: object includeRequestHeadersInCheck: @@ -3180,7 +4501,7 @@ spec: Note that in addition to the headers specified here following headers are included by default: 1. *Host*, *Method*, *Path* and *Content-Length* are automatically sent. 2. *Content-Length* will be set to 0 and the request will not have a message body. However, the authorization - request can include the buffered client request body (controlled by include_request_body_in_check setting), + request can include the buffered client request body (controlled by includeRequestBodyInCheck setting), consequently the value of Content-Length of the authorization request reflects the size of its payload size. Exact, prefix and suffix matches are supported (similar to the 
@@ -3221,7 +4542,7 @@ spec: description: |- The maximum duration that the proxy will wait for a response from the provider (default timeout: 600s). When this timeout condition is met, the proxy marks the communication to the authorization service as failure. - In this situation, the response sent back to the client will depend on the configured `fail_open` field. + In this situation, the response sent back to the client will depend on the configured `failOpen` field. type: string required: - port @@ -3346,7 +4667,7 @@ spec: dictionaries](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#config-access-log-format-dictionaries)). Nested JSON is\nsupported for some command operators (e.g. FILTER_STATE or DYNAMIC_METADATA).\nAlias - to `attributes` filed in [Open Telemetry](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/open_telemetry/v3/logs_service.proto)\n\nExample:\n```\nlabels:\n\n\tstatus: + to `attributes` field in [Open Telemetry](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/open_telemetry/v3/logs_service.proto)\n\nExample:\n```\nlabels:\n\n\tstatus: \"%RESPONSE_CODE%\"\n\tmessage: \"%LOCAL_REPLY_BODY%\"\n\n```" type: object text: 
@@ -3354,7 +4675,7 @@ spec: Textual format for the envoy access logs. Envoy [command operators](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators) may be used in the format. The [format string documentation](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#config-access-log-format-strings) provides more information. - Alias to `body` filed in [Open Telemetry](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/open_telemetry/v3/logs_service.proto) + Alias to `body` field in [Open Telemetry](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/open_telemetry/v3/logs_service.proto) Example: `text: "%LOCAL_REPLY_BODY%:%RESPONSE_CODE%:path=%REQ(:path)%"` type: string type: object @@ -3524,11 +4845,11 @@ spec: headers: - name: "Authorization" value: "Api-Token dt0c01." - resource_detectors: + resourceDetectors: dynatrace: {} - dynatrace_sampler: + dynatraceSampler: tenant: "{your-environment-id}" - cluster_id: 1234 + clusterId: 1234 properties: clusterId: description: |- @@ -3605,8 +4926,8 @@ spec: A default value of `1000` is used when: - - `root_spans_per_minute` is unset - - `root_spans_per_minute` is set to 0 + - `rootSpansPerMinute` is unset + - `rootSpansPerMinute` is set to 0 format: int32 type: integer tenant: 
@@ -3619,6 +4940,50 @@ spec: - clusterId - tenant type: object + grpc: + description: "Optional. Specifies the configuration + for exporting OTLP traces via GRPC.\nWhen empty, + traces will check whether HTTP is set.\nIf not, + traces will use default GRPC configurations.\n\nThe + following example shows how to configure the OpenTelemetry + ExtensionProvider to export via GRPC:\n\n1. Add/change + the OpenTelemetry extension provider in `MeshConfig`\n```yaml\n + \ - name: opentelemetry\n opentelemetry:\n + \ port: 8090\n service: tracing.example.com\n + \ grpc:\n timeout: 10s\n initialMetadata:\n + \ - name: \"Authentication\"\n value: \"token-xxxxx\"\n\n```\n\n2. + Deploy a `ServiceEntry` for the observability + back-end\n```yaml\napiVersion: networking.istio.io/v1alpha3\nkind: + ServiceEntry\nmetadata:\n\n\tname: tracing-grpc\n\nspec:\n\n\thosts:\n\t- + tracing.example.com\n\tports:\n\t- number: 8090\n\t + \ name: grpc-port\n\t protocol: GRPC\n\tresolution: + DNS\n\tlocation: MESH_EXTERNAL\n\n```" + properties: + initialMetadata: + description: |- + Optional. Additional metadata to include in streams initiated to the GrpcService. This can be used for + scenarios in which additional ad hoc authorization headers (e.g. “x-foo-bar: baz-key“) are to + be injected. + items: + properties: + name: + description: REQUIRED. The HTTP header + name. + type: string + value: + description: REQUIRED. The HTTP header + value. + type: string + required: + - name + - value + type: object + type: array + timeout: + description: Optional. Specifies the timeout + for the GRPC request. + type: string + type: object http: description: "Optional. Specifies the configuration for exporting OTLP traces via HTTP.\nWhen empty, @@ -3697,7 +5062,7 @@ spec: opentelemetry: port: 443 service: my.olly-backend.com - resource_detectors: + resourceDetectors: environment: {} ``` 
@@ -3833,6 +5198,11 @@ spec: NOTE: currently only controls max length of the path tag. format: int32 type: integer + path: + description: |- + Optional. Specifies the endpoint of Zipkin API. + The default value is "/api/v2/spans". + type: string port: description: REQUIRED. Specifies the port of the service. @@ -3934,7 +5304,7 @@ spec: the Gateway.selector field, and will be set as `istio: INGRESS_SELECTOR`. By default, `ingressgateway` is used, which will select the default IngressGateway as it has the `istio: ingressgateway` labels. - It is recommended that this is the same value as ingress_service. + It is recommended that this is the same value as ingressService. type: string ingressService: description: |- @@ -4242,7 +5612,7 @@ spec: ```yaml serviceSettings: - settings: - cluster_local: true + clusterLocal: true hosts: - "*.foo.svc.cluster.local" - "bar.baz.svc.cluster.local" @@ -4311,7 +5681,7 @@ spec: tlsDefaults: description: |- Configuration of TLS for all traffic except for ISTIO_MUTUAL mode. - Currently, this supports configuration of ecdh_curves and cipher_suites only. + Currently, this supports configuration of ecdhCurves and cipherSuites only. For ISTIO_MUTUAL TLS settings, use meshMTLS configuration. properties: cipherSuites: @@ -4358,7 +5728,7 @@ spec: type: string trustDomainAliases: description: |- - The trust domain aliases represent the aliases of `trust_domain`. + The trust domain aliases represent the aliases of `trustDomain`. For example, if we have ```yaml trustDomain: td1 @@ -4686,7 +6056,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both matchLabelKeys and labelSelector. Also, matchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array 
@@ -4701,7 +6071,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -4869,7 +6239,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both matchLabelKeys and labelSelector. Also, matchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -4884,7 +6254,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -5050,7 +6420,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both matchLabelKeys and labelSelector. Also, matchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array 
@@ -5065,7 +6435,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -5233,7 +6603,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both matchLabelKeys and labelSelector. Also, matchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -5248,7 +6618,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array 
@@ -5542,6 +6912,26 @@ spec: are PreferDualStack, RequireDualStack, and SingleStack. More info: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services type: string + istiodRemote: + description: Configuration for the istio-discovery chart when + istiod is running in a remote cluster (e.g. "remote control + plane"). + properties: + enabled: + description: Indicates if this cluster/install should + consume a "remote" istiod instance, + type: boolean + injectionCABundle: + description: injector ca bundle + type: string + injectionPath: + description: Path to use for the sidecar injector webhook + service. + type: string + injectionURL: + description: URL to use for sidecar injector webhook. + type: string + type: object jwksResolverExtraRootCA: description: |- Specifies an extra root certificate in PEM format. This certificate will be trusted @@ -5632,6 +7022,12 @@ spec: the Pod where this field is used. It makes that resource available inside a container. type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string required: - name type: object @@ -6101,6 +7497,7 @@ spec: the blob storage type: string fsType: + default: ext4 description: |- fsType is Filesystem type to mount. Must be a filesystem type supported by the host operating system. @@ -6114,6 +7511,7 @@ spec: set). defaults to shared' type: string readOnly: + default: false description: |- readOnly Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts. 
@@ -6723,7 +8121,7 @@ spec: set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource exists. More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/ - (Alpha) Using this field requires the VolumeAttributesClass feature gate to be enabled. + (Beta) Using this field requires the VolumeAttributesClass feature gate to be enabled (off by default). type: string volumeMode: description: |- 
@@ -6946,6 +8344,41 @@ spec: required: - path type: object + image: + description: |- + image represents an OCI object (a container image or artifact) pulled and mounted on the kubelet's host machine. + The volume is resolved at pod startup depending on which PullPolicy value is provided: + + - Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails. + - Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present. + - IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails. + + The volume gets re-resolved if the pod gets deleted and recreated, which means that new remote content will become available on pod recreation. + A failure to resolve or pull the image during pod startup will block containers from starting and may add significant latency. Failures will be retried using normal volume backoff and will be reported on the pod reason and message. + The types of objects that may be mounted by this volume are defined by the container runtime implementation on a host machine and at minimum must include all valid types supported by the container image field. + The OCI object gets mounted in a single directory (spec.containers[*].volumeMounts.mountPath) by merging the manifest layers in the same way as for container images. + The volume will be mounted read-only (ro) and non-executable files (noexec). + Sub path mounts for containers are not supported (spec.containers[*].volumeMounts.subpath). + The field spec.securityContext.fsGroupChangePolicy has no effect on this volume type. + properties: + pullPolicy: + description: |- + Policy for pulling OCI objects. Possible values are: + Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails. 
+ Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present. + IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails. + Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. + type: string + reference: + description: |- + Required: Image or artifact reference to be used. + Behaves in the same way as pod.spec.containers[*].image. + Pull secrets will be assembled in the same way as for the container image by looking up node credentials, SA image pull secrets, and pod spec image pull secrets. + More info: https://kubernetes.io/docs/concepts/containers/images + This field is optional to allow higher level config management to default or override + container images in workload controllers like Deployments and StatefulSets. + type: string + type: object iscsi: description: |- iscsi represents an ISCSI Disk resource that is attached to a @@ -6977,6 +8410,7 @@ spec: description: iqn is the target iSCSI Qualified Name. type: string iscsiInterface: + default: default description: |- iscsiInterface is the interface Name that uses an iSCSI transport. Defaults to 'default' (tcp). @@ -7128,10 +8562,13 @@ spec: format: int32 type: integer sources: - description: sources is the list of volume projections + description: |- + sources is the list of volume projections. Each entry in this list + handles one source. items: - description: Projection that may be projected - along with other supported volume types + description: |- + Projection that may be projected along with other supported volume types. + Exactly one of these fields must be set. properties: clusterTrustBundle: description: |- 
@@ -7516,6 +8953,7 @@ spec: More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it type: string keyring: + default: /etc/ceph/keyring description: |- keyring is the path to key ring for RBDUser. Default is /etc/ceph/keyring.
@@ -7530,6 +8968,7 @@ spec: type: array x-kubernetes-list-type: atomic pool: + default: rbd description: |- pool is the rados pool name. Default is rbd.
@@ -7560,6 +8999,7 @@ spec: type: object x-kubernetes-map-type: atomic user: + default: admin description: |- user is the rados user name. Default is admin.
@@ -7574,6 +9014,7 @@ spec: volume attached and mounted on Kubernetes nodes. properties: fsType: + default: xfs description: |- fsType is the filesystem type to mount. Must be a filesystem type supported by the host operating system.
@@ -7614,6 +9055,7 @@ spec: communication with Gateway, default false type: boolean storageMode: + default: ThinProvisioned description: |- storageMode indicates whether the storage for a volume should be ThickProvisioned or ThinProvisioned. Default is ThinProvisioned.
@@ -7979,14 +9421,14 @@ spec: type: object type: object version: - default: v1.23.0 + default: v1.23.2 description: |- Defines the version of Istio to install. - Must be one of: v1.23.0, v1.22.3, v1.21.5, latest. + Must be one of: v1.23.2, v1.22.5, v1.21.6, latest. enum: - - v1.23.0 - - v1.22.3 - - v1.21.5 + - v1.23.2 + - v1.22.5 + - v1.21.6 - latest type: string required:
diff --git a/bundle/manifests/security.istio.io_authorizationpolicies.yaml b/bundle/manifests/security.istio.io_authorizationpolicies.yaml
index c7aef487f..bebc1b2c6 100644
--- a/bundle/manifests/security.istio.io_authorizationpolicies.yaml
+++ b/bundle/manifests/security.istio.io_authorizationpolicies.yaml
@@ -296,8 +296,12 @@ spec: gateway.networking.k8s.io/Gateway rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], [''gateway.networking.k8s.io'',''Gateway''], [''networking.istio.io'',''ServiceEntry'']]' + maxItems: 16 type: array type: object + x-kubernetes-validations: + - message: only one of targetRefs or selector can be set + rule: (has(self.selector)?1:0)+(has(self.targetRef)?1:0)+(has(self.targetRefs)?1:0)<=1 status: properties: conditions:
@@ -645,8 +649,12 @@ spec: gateway.networking.k8s.io/Gateway rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], [''gateway.networking.k8s.io'',''Gateway''], [''networking.istio.io'',''ServiceEntry'']]' + maxItems: 16 type: array type: object + x-kubernetes-validations: + - message: only one of targetRefs or selector can be set + rule: (has(self.selector)?1:0)+(has(self.targetRef)?1:0)+(has(self.targetRefs)?1:0)<=1 status: properties: conditions:
diff --git a/bundle/manifests/security.istio.io_requestauthentications.yaml b/bundle/manifests/security.istio.io_requestauthentications.yaml
index 94dad1c0e..2d1b0ba00 100644
--- a/bundle/manifests/security.istio.io_requestauthentications.yaml
+++ b/bundle/manifests/security.istio.io_requestauthentications.yaml
@@ -230,10 +230,11 @@ spec: gateway.networking.k8s.io/Gateway rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], [''gateway.networking.k8s.io'',''Gateway''], [''networking.istio.io'',''ServiceEntry'']]' + maxItems: 16 type: array type: object x-kubernetes-validations: - - message: only one of targetRefs or workloadSelector can be set + - message: only one of targetRefs or selector can be set rule: (has(self.selector)?1:0)+(has(self.targetRef)?1:0)+(has(self.targetRefs)?1:0)<=1 status: properties:
@@ -516,10 +517,11 @@ spec: gateway.networking.k8s.io/Gateway rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], [''gateway.networking.k8s.io'',''Gateway''], [''networking.istio.io'',''ServiceEntry'']]' + maxItems: 16 type: array type: object x-kubernetes-validations: - - message: only one of targetRefs or workloadSelector can be set + - message: only one of targetRefs or selector can be set rule: (has(self.selector)?1:0)+(has(self.targetRef)?1:0)+(has(self.targetRefs)?1:0)<=1 status: properties: diff --git a/bundle/manifests/telemetry.istio.io_telemetries.yaml b/bundle/manifests/telemetry.istio.io_telemetries.yaml index 2839a1467..ec3cf100a 100644 --- a/bundle/manifests/telemetry.istio.io_telemetries.yaml +++ b/bundle/manifests/telemetry.istio.io_telemetries.yaml @@ -282,6 +282,7 @@ spec: gateway.networking.k8s.io/Gateway rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], [''gateway.networking.k8s.io'',''Gateway''], [''networking.istio.io'',''ServiceEntry'']]' + maxItems: 16 type: array tracing: description: Optional. @@ -393,6 +394,9 @@ spec: type: object type: array type: object + x-kubernetes-validations: + - message: only one of targetRefs or selector can be set + rule: (has(self.selector)?1:0)+(has(self.targetRef)?1:0)+(has(self.targetRefs)?1:0)<=1 status: properties: conditions: @@ -726,6 +730,7 @@ spec: gateway.networking.k8s.io/Gateway rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], [''gateway.networking.k8s.io'',''Gateway''], [''networking.istio.io'',''ServiceEntry'']]' + maxItems: 16 type: array tracing: description: Optional. @@ -837,6 +842,9 @@ spec: type: object type: array type: object + x-kubernetes-validations: + - message: only one of targetRefs or selector can be set + rule: (has(self.selector)?1:0)+(has(self.targetRef)?1:0)+(has(self.targetRefs)?1:0)<=1 status: properties: conditions: 
diff --git a/bundle/metadata/annotations.yaml b/bundle/metadata/annotations.yaml index e520fa1cb..b90d1a6be 100644 --- a/bundle/metadata/annotations.yaml +++ b/bundle/metadata/annotations.yaml @@ -5,7 +5,7 @@ annotations: operators.operatorframework.io.bundle.metadata.v1: metadata/ operators.operatorframework.io.bundle.package.v1: sailoperator operators.operatorframework.io.bundle.channels.v1: "dev-0.2" - operators.operatorframework.io.metrics.builder: operator-sdk-v1.36.1 + operators.operatorframework.io.metrics.builder: operator-sdk-v1.37.0 operators.operatorframework.io.metrics.mediatype.v1: metrics+v1 operators.operatorframework.io.metrics.project_layout: go.kubebuilder.io/v4 diff --git a/bundle/tests/scorecard/config.yaml b/bundle/tests/scorecard/config.yaml index 798809dc7..bd9bf1e03 100644 --- a/bundle/tests/scorecard/config.yaml +++ b/bundle/tests/scorecard/config.yaml @@ -8,7 +8,7 @@ stages: - entrypoint: - scorecard-test - basic-check-spec - image: quay.io/operator-framework/scorecard-test:v1.36.1 + image: quay.io/operator-framework/scorecard-test:v1.37.0 labels: suite: basic test: basic-check-spec-test @@ -18,7 +18,7 @@ stages: - entrypoint: - scorecard-test - olm-bundle-validation - image: quay.io/operator-framework/scorecard-test:v1.36.1 + image: quay.io/operator-framework/scorecard-test:v1.37.0 labels: suite: olm test: olm-bundle-validation-test @@ -28,7 +28,7 @@ stages: - entrypoint: - scorecard-test - olm-crds-have-validation - image: quay.io/operator-framework/scorecard-test:v1.36.1 + image: quay.io/operator-framework/scorecard-test:v1.37.0 labels: suite: olm test: olm-crds-have-validation-test @@ -38,7 +38,7 @@ stages: - entrypoint: - scorecard-test - olm-spec-descriptors - image: quay.io/operator-framework/scorecard-test:v1.36.1 + image: quay.io/operator-framework/scorecard-test:v1.37.0 labels: suite: olm test: olm-spec-descriptors-test 
@@ -48,7 +48,7 @@ stages: - entrypoint: - scorecard-test - olm-status-descriptors - image: quay.io/operator-framework/scorecard-test:v1.36.1 + image: quay.io/operator-framework/scorecard-test:v1.37.0 labels: suite: olm test: olm-status-descriptors-test diff --git a/chart/crds/extensions.istio.io_wasmplugins.yaml b/chart/crds/extensions.istio.io_wasmplugins.yaml index 334b5af14..1acec4b67 100644 --- a/chart/crds/extensions.istio.io_wasmplugins.yaml +++ b/chart/crds/extensions.istio.io_wasmplugins.yaml @@ -217,6 +217,7 @@ spec: gateway.networking.k8s.io/Gateway rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], [''gateway.networking.k8s.io'',''Gateway''], [''networking.istio.io'',''ServiceEntry'']]' + maxItems: 16 type: array type: description: |- @@ -282,6 +283,9 @@ spec: required: - url type: object + x-kubernetes-validations: + - message: only one of targetRefs or selector can be set + rule: (has(self.selector)?1:0)+(has(self.targetRef)?1:0)+(has(self.targetRefs)?1:0)<=1 status: properties: conditions: diff --git a/chart/crds/networking.istio.io_envoyfilters.yaml b/chart/crds/networking.istio.io_envoyfilters.yaml index 678f9e714..e2be5b942 100644 --- a/chart/crds/networking.istio.io_envoyfilters.yaml +++ b/chart/crds/networking.istio.io_envoyfilters.yaml @@ -303,6 +303,7 @@ spec: gateway.networking.k8s.io/Gateway rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], [''gateway.networking.k8s.io'',''Gateway''], [''networking.istio.io'',''ServiceEntry'']]' + maxItems: 16 type: array workloadSelector: description: Criteria used to select the specific set of pods/VMs 
@@ -310,12 +311,20 @@ spec: properties: labels: additionalProperties: + maxLength: 63 type: string + x-kubernetes-validations: + - message: wildcard is not supported in selector + rule: '!self.contains(''*'')' description: One or more labels that indicate a specific set of pods/VMs on which the configuration should be applied. + maxProperties: 256 type: object type: object type: object + x-kubernetes-validations: + - message: only one of targetRefs or workloadSelector can be set + rule: (has(self.workloadSelector)?1:0)+(has(self.targetRefs)?1:0)<=1 status: properties: conditions: diff --git a/chart/crds/networking.istio.io_serviceentries.yaml b/chart/crds/networking.istio.io_serviceentries.yaml index f5dd5c258..bc244d50b 100644 --- a/chart/crds/networking.istio.io_serviceentries.yaml +++ b/chart/crds/networking.istio.io_serviceentries.yaml @@ -56,7 +56,9 @@ spec: addresses: description: The virtual IP addresses associated with the service. items: + maxLength: 64 type: string + maxItems: 256 type: array endpoints: description: One or more endpoints associated with the service. @@ -131,6 +133,11 @@ spec: description: The hosts associated with the ServiceEntry. items: type: string + x-kubernetes-validations: + - message: hostname cannot be wildcard + rule: self != '*' + maxItems: 256 + minItems: 1 type: array location: description: |- @@ -147,14 +154,19 @@ spec: properties: name: description: Label assigned to the port. + maxLength: 256 type: string number: description: A valid non-negative integer port number. maximum: 4294967295 minimum: 0 type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 protocol: description: The protocol exposed on the port. + maxLength: 256 type: string targetPort: description: The port number on the endpoint where the traffic 
@@ -162,11 +174,21 @@ spec: maximum: 4294967295 minimum: 0 type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 required: - number - name type: object + maxItems: 256 type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + x-kubernetes-validations: + - message: port number cannot be duplicated + rule: self.all(l1, self.exists_one(l2, l1.number == l2.number)) resolution: description: |- Service resolution mode for the hosts. @@ -189,14 +211,32 @@ spec: properties: labels: additionalProperties: + maxLength: 63 type: string + x-kubernetes-validations: + - message: wildcard is not supported in selector + rule: '!self.contains(''*'')' description: One or more labels that indicate a specific set of pods/VMs on which the configuration should be applied. + maxProperties: 256 type: object type: object required: - hosts type: object + x-kubernetes-validations: + - message: only one of WorkloadSelector or Endpoints can be set + rule: (has(self.workloadSelector)?1:0)+(has(self.endpoints)?1:0)<=1 + - message: CIDR addresses are allowed only for NONE/STATIC resolution + types + rule: '!(has(self.addresses) && self.addresses.exists(k, k.contains(''/'')) + && (self.resolution != ''STATIC'' && self.resolution != ''NONE''))' + - message: NONE mode cannot set endpoints + rule: '(!has(self.resolution) || self.resolution == ''NONE'') ? !has(self.endpoints) + : true' + - message: DNS_ROUND_ROBIN mode cannot have multiple endpoints + rule: '(has(self.resolution) && self.resolution == ''DNS_ROUND_ROBIN'') + ? (!has(self.endpoints) || size(self.endpoints) == 1) : true' status: properties: conditions: @@ -268,6 +308,8 @@ spec: type: array type: object x-kubernetes-preserve-unknown-fields: true + required: + - spec type: object served: true storage: false 
@@ -306,7 +348,9 @@ spec: addresses: description: The virtual IP addresses associated with the service. items: + maxLength: 64 type: string + maxItems: 256 type: array endpoints: description: One or more endpoints associated with the service. @@ -381,6 +425,11 @@ spec: description: The hosts associated with the ServiceEntry. items: type: string + x-kubernetes-validations: + - message: hostname cannot be wildcard + rule: self != '*' + maxItems: 256 + minItems: 1 type: array location: description: |- @@ -397,14 +446,19 @@ spec: properties: name: description: Label assigned to the port. + maxLength: 256 type: string number: description: A valid non-negative integer port number. maximum: 4294967295 minimum: 0 type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 protocol: description: The protocol exposed on the port. + maxLength: 256 type: string targetPort: description: The port number on the endpoint where the traffic @@ -412,11 +466,21 @@ spec: maximum: 4294967295 minimum: 0 type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 required: - number - name type: object + maxItems: 256 type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + x-kubernetes-validations: + - message: port number cannot be duplicated + rule: self.all(l1, self.exists_one(l2, l1.number == l2.number)) resolution: description: |- Service resolution mode for the hosts. 
@@ -439,14 +503,32 @@ spec: properties: labels: additionalProperties: + maxLength: 63 type: string + x-kubernetes-validations: + - message: wildcard is not supported in selector + rule: '!self.contains(''*'')' description: One or more labels that indicate a specific set of pods/VMs on which the configuration should be applied. + maxProperties: 256 type: object type: object required: - hosts type: object + x-kubernetes-validations: + - message: only one of WorkloadSelector or Endpoints can be set + rule: (has(self.workloadSelector)?1:0)+(has(self.endpoints)?1:0)<=1 + - message: CIDR addresses are allowed only for NONE/STATIC resolution + types + rule: '!(has(self.addresses) && self.addresses.exists(k, k.contains(''/'')) + && (self.resolution != ''STATIC'' && self.resolution != ''NONE''))' + - message: NONE mode cannot set endpoints + rule: '(!has(self.resolution) || self.resolution == ''NONE'') ? !has(self.endpoints) + : true' + - message: DNS_ROUND_ROBIN mode cannot have multiple endpoints + rule: '(has(self.resolution) && self.resolution == ''DNS_ROUND_ROBIN'') + ? (!has(self.endpoints) || size(self.endpoints) == 1) : true' status: properties: conditions: @@ -518,6 +600,8 @@ spec: type: array type: object x-kubernetes-preserve-unknown-fields: true + required: + - spec type: object served: true storage: false @@ -556,7 +640,9 @@ spec: addresses: description: The virtual IP addresses associated with the service. items: + maxLength: 64 type: string + maxItems: 256 type: array endpoints: description: One or more endpoints associated with the service. @@ -631,6 +717,11 @@ spec: description: The hosts associated with the ServiceEntry. items: type: string + x-kubernetes-validations: + - message: hostname cannot be wildcard + rule: self != '*' + maxItems: 256 + minItems: 1 type: array location: description: |- 
@@ -647,14 +738,19 @@ spec: properties: name: description: Label assigned to the port. + maxLength: 256 type: string number: description: A valid non-negative integer port number. maximum: 4294967295 minimum: 0 type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 protocol: description: The protocol exposed on the port. + maxLength: 256 type: string targetPort: description: The port number on the endpoint where the traffic @@ -662,11 +758,21 @@ spec: maximum: 4294967295 minimum: 0 type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 required: - number - name type: object + maxItems: 256 type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + x-kubernetes-validations: + - message: port number cannot be duplicated + rule: self.all(l1, self.exists_one(l2, l1.number == l2.number)) resolution: description: |- Service resolution mode for the hosts. 
@@ -689,14 +795,32 @@ spec: properties: labels: additionalProperties: + maxLength: 63 type: string + x-kubernetes-validations: + - message: wildcard is not supported in selector + rule: '!self.contains(''*'')' description: One or more labels that indicate a specific set of pods/VMs on which the configuration should be applied. + maxProperties: 256 type: object type: object required: - hosts type: object + x-kubernetes-validations: + - message: only one of WorkloadSelector or Endpoints can be set + rule: (has(self.workloadSelector)?1:0)+(has(self.endpoints)?1:0)<=1 + - message: CIDR addresses are allowed only for NONE/STATIC resolution + types + rule: '!(has(self.addresses) && self.addresses.exists(k, k.contains(''/'')) + && (self.resolution != ''STATIC'' && self.resolution != ''NONE''))' + - message: NONE mode cannot set endpoints + rule: '(!has(self.resolution) || self.resolution == ''NONE'') ? !has(self.endpoints) + : true' + - message: DNS_ROUND_ROBIN mode cannot have multiple endpoints + rule: '(has(self.resolution) && self.resolution == ''DNS_ROUND_ROBIN'') + ? (!has(self.endpoints) || size(self.endpoints) == 1) : true' status: properties: conditions: @@ -768,6 +892,8 @@ spec: type: array type: object x-kubernetes-preserve-unknown-fields: true + required: + - spec type: object served: true storage: true diff --git a/chart/crds/networking.istio.io_sidecars.yaml b/chart/crds/networking.istio.io_sidecars.yaml index 7ff9a81c4..560e8fbb1 100644 --- a/chart/crds/networking.istio.io_sidecars.yaml +++ b/chart/crds/networking.istio.io_sidecars.yaml @@ -472,9 +472,14 @@ spec: properties: labels: additionalProperties: + maxLength: 63 type: string + x-kubernetes-validations: + - message: wildcard is not supported in selector + rule: '!self.contains(''*'')' description: One or more labels that indicate a specific set of pods/VMs on which the configuration should be applied. + maxProperties: 256 type: object type: object type: object 
@@ -1005,9 +1010,14 @@ spec: properties: labels: additionalProperties: + maxLength: 63 type: string + x-kubernetes-validations: + - message: wildcard is not supported in selector + rule: '!self.contains(''*'')' description: One or more labels that indicate a specific set of pods/VMs on which the configuration should be applied. + maxProperties: 256 type: object type: object type: object @@ -1538,9 +1548,14 @@ spec: properties: labels: additionalProperties: + maxLength: 63 type: string + x-kubernetes-validations: + - message: wildcard is not supported in selector + rule: '!self.contains(''*'')' description: One or more labels that indicate a specific set of pods/VMs on which the configuration should be applied. + maxProperties: 256 type: object type: object type: object diff --git a/chart/crds/networking.istio.io_workloadentries.yaml b/chart/crds/networking.istio.io_workloadentries.yaml index ec4ed86ed..cf682cd2d 100644 --- a/chart/crds/networking.istio.io_workloadentries.yaml +++ b/chart/crds/networking.istio.io_workloadentries.yaml @@ -174,8 +174,6 @@ spec: x-kubernetes-preserve-unknown-fields: true required: - spec - - spec - - spec type: object served: true storage: false @@ -332,8 +330,6 @@ spec: x-kubernetes-preserve-unknown-fields: true required: - spec - - spec - - spec type: object served: true storage: false @@ -490,8 +486,6 @@ spec: x-kubernetes-preserve-unknown-fields: true required: - spec - - spec - - spec type: object served: true storage: true diff --git a/chart/crds/networking.istio.io_workloadgroups.yaml b/chart/crds/networking.istio.io_workloadgroups.yaml index 6659317d5..9f06ab833 100644 --- a/chart/crds/networking.istio.io_workloadgroups.yaml +++ b/chart/crds/networking.istio.io_workloadgroups.yaml @@ -44,10 +44,12 @@ spec: annotations: additionalProperties: type: string + maxProperties: 256 type: object labels: additionalProperties: type: string + maxProperties: 256 type: object type: object probe: 
@@ -76,13 +78,17 @@ spec: command: description: Command to run. items: + minLength: 1 type: string type: array + required: + - command type: object failureThreshold: description: Minimum consecutive failures for the probe to be considered failed after having succeeded. format: int32 + minimum: 0 type: integer httpGet: description: '`httpGet` is performed to a given endpoint and the @@ -97,6 +103,7 @@ spec: items: properties: name: + pattern: ^[-_A-Za-z0-9]+$ type: string value: type: string @@ -110,8 +117,14 @@ spec: maximum: 4294967295 minimum: 0 type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 scheme: type: string + x-kubernetes-validations: + - message: scheme must be one of [HTTP, HTTPS] + rule: self in ['', 'HTTP', 'HTTPS'] required: - port type: object @@ -119,15 +132,18 @@ spec: description: Number of seconds after the container has started before readiness probes are initiated. format: int32 + minimum: 0 type: integer periodSeconds: description: How often (in seconds) to perform the probe. format: int32 + minimum: 0 type: integer successThreshold: description: Minimum consecutive successes for the probe to be considered successful after having failed. format: int32 + minimum: 0 type: integer tcpSocket: description: Health is determined by if the proxy is able to connect. @@ -138,12 +154,16 @@ spec: maximum: 4294967295 minimum: 0 type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 required: - port type: object timeoutSeconds: description: Number of seconds after which the probe times out. format: int32 + minimum: 0 type: integer type: object template: 
@@ -203,8 +223,6 @@ spec: type: integer type: object x-kubernetes-validations: - - message: Address is required - rule: has(self.address) || has(self.network) - message: UDS may not include ports rule: '(has(self.address) && self.address.startsWith(''unix://'')) ? !has(self.ports) : true' @@ -282,6 +300,8 @@ spec: type: array type: object x-kubernetes-preserve-unknown-fields: true + required: + - spec type: object served: true storage: false @@ -310,10 +330,12 @@ spec: annotations: additionalProperties: type: string + maxProperties: 256 type: object labels: additionalProperties: type: string + maxProperties: 256 type: object type: object probe: @@ -342,13 +364,17 @@ spec: command: description: Command to run. items: + minLength: 1 type: string type: array + required: + - command type: object failureThreshold: description: Minimum consecutive failures for the probe to be considered failed after having succeeded. format: int32 + minimum: 0 type: integer httpGet: description: '`httpGet` is performed to a given endpoint and the @@ -363,6 +389,7 @@ spec: items: properties: name: + pattern: ^[-_A-Za-z0-9]+$ type: string value: type: string @@ -376,8 +403,14 @@ spec: maximum: 4294967295 minimum: 0 type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 scheme: type: string + x-kubernetes-validations: + - message: scheme must be one of [HTTP, HTTPS] + rule: self in ['', 'HTTP', 'HTTPS'] required: - port type: object 
@@ -385,15 +418,18 @@ spec: description: Number of seconds after the container has started before readiness probes are initiated. format: int32 + minimum: 0 type: integer periodSeconds: description: How often (in seconds) to perform the probe. format: int32 + minimum: 0 type: integer successThreshold: description: Minimum consecutive successes for the probe to be considered successful after having failed. format: int32 + minimum: 0 type: integer tcpSocket: description: Health is determined by if the proxy is able to connect. @@ -404,12 +440,16 @@ spec: maximum: 4294967295 minimum: 0 type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 required: - port type: object timeoutSeconds: description: Number of seconds after which the probe times out. format: int32 + minimum: 0 type: integer type: object template: @@ -469,8 +509,6 @@ spec: type: integer type: object x-kubernetes-validations: - - message: Address is required - rule: has(self.address) || has(self.network) - message: UDS may not include ports rule: '(has(self.address) && self.address.startsWith(''unix://'')) ? !has(self.ports) : true' @@ -548,6 +586,8 @@ spec: type: array type: object x-kubernetes-preserve-unknown-fields: true + required: + - spec type: object served: true storage: false @@ -576,10 +616,12 @@ spec: annotations: additionalProperties: type: string + maxProperties: 256 type: object labels: additionalProperties: type: string + maxProperties: 256 type: object type: object probe: @@ -608,13 +650,17 @@ spec: command: description: Command to run. items: + minLength: 1 type: string type: array + required: + - command type: object failureThreshold: description: Minimum consecutive failures for the probe to be considered failed after having succeeded. format: int32 + minimum: 0 type: integer httpGet: description: '`httpGet` is performed to a given endpoint and the 
@@ -629,6 +675,7 @@ spec: items: properties: name: + pattern: ^[-_A-Za-z0-9]+$ type: string value: type: string @@ -642,8 +689,14 @@ spec: maximum: 4294967295 minimum: 0 type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 scheme: type: string + x-kubernetes-validations: + - message: scheme must be one of [HTTP, HTTPS] + rule: self in ['', 'HTTP', 'HTTPS'] required: - port type: object @@ -651,15 +704,18 @@ spec: description: Number of seconds after the container has started before readiness probes are initiated. format: int32 + minimum: 0 type: integer periodSeconds: description: How often (in seconds) to perform the probe. format: int32 + minimum: 0 type: integer successThreshold: description: Minimum consecutive successes for the probe to be considered successful after having failed. format: int32 + minimum: 0 type: integer tcpSocket: description: Health is determined by if the proxy is able to connect. @@ -670,12 +726,16 @@ spec: maximum: 4294967295 minimum: 0 type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 required: - port type: object timeoutSeconds: description: Number of seconds after which the probe times out. format: int32 + minimum: 0 type: integer type: object template: @@ -735,8 +795,6 @@ spec: type: integer type: object x-kubernetes-validations: - - message: Address is required - rule: has(self.address) || has(self.network) - message: UDS may not include ports rule: '(has(self.address) && self.address.startsWith(''unix://'')) ? !has(self.ports) : true' @@ -814,6 +872,8 @@ spec: type: array type: object x-kubernetes-preserve-unknown-fields: true + required: + - spec type: object served: true storage: true diff --git a/chart/crds/sailoperator.io_istiocnis.yaml b/chart/crds/sailoperator.io_istiocnis.yaml index d92a14591..10ec8a6fb 100644 --- a/chart/crds/sailoperator.io_istiocnis.yaml 
+++ b/chart/crds/sailoperator.io_istiocnis.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.0 + controller-gen.kubebuilder.io/version: v0.16.3 name: istiocnis.sailoperator.io spec: group: sailoperator.io @@ -58,7 +58,7 @@ spec: spec: default: namespace: istio-cni - version: v1.23.0 + version: v1.23.2 description: IstioCNISpec defines the desired state of IstioCNI properties: namespace: @@ -70,13 +70,12 @@ spec: description: |- The built-in installation configuration profile to use. The 'default' profile is always applied. On OpenShift, the 'openshift' profile is also applied on top of 'default'. - Must be one of: ambient, default, demo, empty, external, openshift-ambient, openshift, preview, stable. + Must be one of: ambient, default, demo, empty, openshift-ambient, openshift, preview, stable. enum: - ambient - default - demo - empty - - external - openshift-ambient - openshift - preview @@ -379,7 +378,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both matchLabelKeys and labelSelector. Also, matchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -394,7 +393,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array 
@@ -562,7 +561,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both matchLabelKeys and labelSelector. Also, matchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -577,7 +576,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -743,7 +742,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both matchLabelKeys and labelSelector. Also, matchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -758,7 +757,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array 
@@ -926,7 +925,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both matchLabelKeys and labelSelector. Also, matchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -941,7 +940,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -1205,6 +1204,12 @@ spec: the Pod where this field is used. It makes that resource available inside a container. type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string required: - name type: object @@ -1311,6 +1316,12 @@ spec: the Pod where this field is used. It makes that resource available inside a container. type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string required: - name type: object 
@@ -1392,14 +1403,14 @@ spec: type: object type: object version: - default: v1.23.0 + default: v1.23.2 description: |- Defines the version of Istio to install. - Must be one of: v1.23.0, v1.22.3, v1.21.5, latest. + Must be one of: v1.23.2, v1.22.5, v1.21.6, latest. enum: - - v1.23.0 - - v1.22.3 - - v1.21.5 + - v1.23.2 + - v1.22.5 + - v1.21.6 - latest type: string required: diff --git a/chart/crds/sailoperator.io_istiorevisions.yaml b/chart/crds/sailoperator.io_istiorevisions.yaml index a14357901..4cad3c0c0 100644 --- a/chart/crds/sailoperator.io_istiorevisions.yaml +++ b/chart/crds/sailoperator.io_istiorevisions.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.0 + controller-gen.kubebuilder.io/version: v0.16.3 name: istiorevisions.sailoperator.io spec: group: sailoperator.io @@ -90,6 +90,11 @@ spec: base: description: Configuration for the base component. properties: + excludedCRDs: + description: CRDs to exclude. Requires `enableCRDTemplates` + items: + type: string + type: array validationCABundle: description: validation webhook CA bundle type: string @@ -173,10 +178,7 @@ spec: Deprecated: Marked as deprecated in pkg/apis/values_types.proto. type: object defaultPodDisruptionBudget: - description: |- - Specifies the default pod disruption budget configuration. - - Deprecated: Marked as deprecated in pkg/apis/values_types.proto. + description: Specifies the default pod disruption budget configuration. properties: enabled: description: Controls whether a PodDisruptionBudget with @@ -210,6 +212,12 @@ spec: the Pod where this field is used. It makes that resource available inside a container. type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string required: - name type: object 
@@ -411,7 +419,7 @@ spec: with the endpoint by\nadding the `ISTIO_META_NETWORK` environment variable to the sidecar.\n\n2. Explicitly:\n\n\ta. By matching the registry name with one of the \"fromRegistry\"\n\tin - the mesh config. A \"from_registry\" can only be + the mesh config. A \"fromRegistry\" can only be assigned to a\n\tsingle network.\n\n\tb. By matching the IP against one of the CIDR ranges in a mesh\n\tconfig network. The CIDR ranges must not overlap and be @@ -922,6 +930,12 @@ spec: the Pod where this field is used. It makes that resource available inside a container. type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string required: - name type: object @@ -1029,6 +1043,12 @@ spec: the Pod where this field is used. It makes that resource available inside a container. type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string required: - name type: object 
@@ -1138,26 +1158,1056 @@ spec: format: int32 type: integer type: object - zipkin: - description: Configuration for the zipkin tracing service. - properties: - address: - description: |- - Address of zipkin instance in host:port format for reporting trace data. + zipkin: + description: Configuration for the zipkin tracing service. + properties: + address: + description: |- + Address of zipkin instance in host:port format for reporting trace data. + + Example: .:941 + type: string + type: object + type: object + variant: + description: The variant of the Istio container images to + use. Options are "debug" or "distroless". Unset will use + the default for the given version. + type: string + waypoint: + description: Specifies how waypoints are configured within + Istio. + properties: + affinity: + description: |- + K8s affinity settings for waypoint pods. + + See https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + properties: + nodeAffinity: + description: Describes node affinity scheduling rules + for the pod. + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node matches the corresponding matchExpressions; the + node(s) with the highest sum are the most preferred. + items: + description: |- + An empty preferred scheduling term matches all objects with implicit weight 0 + (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). 
+ properties: + preference: + description: A node selector term, associated + with the corresponding weight. + properties: + matchExpressions: + description: A list of node selector + requirements by node's labels. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that + the selector applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + description: A list of node selector + requirements by node's fields. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that + the selector applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. 
+ This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + weight: + description: Weight associated with matching + the corresponding nodeSelectorTerm, in + the range 1-100. + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to an update), the system + may or may not try to eventually evict the pod from its node. + properties: + nodeSelectorTerms: + description: Required. A list of node selector + terms. The terms are ORed. + items: + description: |- + A null or empty node selector term matches no objects. The requirements of + them are ANDed. + The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. + properties: + matchExpressions: + description: A list of node selector + requirements by node's labels. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that + the selector applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. 
If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + description: A list of node selector + requirements by node's fields. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that + the selector applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + type: array + x-kubernetes-list-type: atomic + required: + - nodeSelectorTerms + type: object + x-kubernetes-map-type: atomic + type: object + podAffinity: + description: Describes pod affinity scheduling rules + (e.g. co-locate this pod in the same node, zone, + etc. as some other pod(s)). 
+ properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. + items: + description: The weights of all of the matched + WeightedPodAffinityTerm fields are added per-node + to find the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, + associated with the corresponding weight. + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is + a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. + Also, matchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. 
+ Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is + a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod label update), the + system may or may not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. 
+ items: + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. + Also, matchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. + Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. 
+ null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + x-kubernetes-list-type: atomic + type: object + podAntiAffinity: + description: Describes pod anti-affinity scheduling + rules (e.g. avoid putting this pod in the same node, + zone, etc. as some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the anti-affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling anti-affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. + items: + description: The weights of all of the matched + WeightedPodAffinityTerm fields are added per-node + to find the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, + associated with the corresponding weight. + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. 
+ properties: + matchExpressions: + description: matchExpressions is + a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. 
+ Also, matchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. + Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is + a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. 
+ type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. 
+ format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the anti-affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the anti-affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod label update), the + system may or may not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. + items: + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. + Also, matchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. 
Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. + Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + x-kubernetes-list-type: atomic + type: object + type: object + nodeSelector: + description: |- + K8s node labels settings. - Example: .:941 - type: string + See https://kubernetes.io/docs/user-guide/node-selection/ + properties: + nodeSelectorTerms: + description: Required. A list of node selector terms. + The terms are ORed. + items: + description: |- + A null or empty node selector term matches no objects. The requirements of + them are ANDed. + The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. + properties: + matchExpressions: + description: A list of node selector requirements + by node's labels. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. 
+ properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + description: A list of node selector requirements + by node's fields. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + type: array + x-kubernetes-list-type: atomic + required: + - nodeSelectorTerms type: object - type: object - variant: - description: The variant of the Istio container images to - use. Options are "debug" or "distroless". Unset will use - the default for the given version. - type: string - waypoint: - description: Specifies how waypoints are configured within - Istio. - properties: + x-kubernetes-map-type: atomic resources: description: |- K8s resource settings. @@ -1183,6 +2233,12 @@ spec: the Pod where this field is used. It makes that resource available inside a container. type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string required: - name type: object 
@@ -1215,11 +2271,242 @@ spec: More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object type: object + toleration: + description: |- + K8s tolerations settings. + + See https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + items: + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . + properties: + effect: + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. + type: string + operator: + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. + type: string + tolerationSeconds: + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. + type: string + type: object + type: array + topologySpreadConstraints: + description: |- + K8s topology spread constraints settings. 
+ + See https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ + items: + description: TopologySpreadConstraint specifies how + to spread matching pods among the given topology. + properties: + labelSelector: + description: |- + LabelSelector is used to find matching pods. + Pods that match this label selector are counted to determine the number of pods + in their corresponding topology domain. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select the pods over which + spreading will be calculated. 
The keys are used to lookup values from the + incoming pod labels, those key-value labels are ANDed with labelSelector + to select the group of existing pods over which spreading will be calculated + for the incoming pod. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + MatchLabelKeys cannot be set when LabelSelector isn't set. + Keys that don't exist in the incoming pod labels will + be ignored. A null or empty list means only match against labelSelector. + + This is a beta field and requires the MatchLabelKeysInPodTopologySpread feature gate to be enabled (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + maxSkew: + description: |- + MaxSkew describes the degree to which pods may be unevenly distributed. + When `whenUnsatisfiable=DoNotSchedule`, it is the maximum permitted difference + between the number of matching pods in the target topology and the global minimum. + The global minimum is the minimum number of matching pods in an eligible domain + or zero if the number of eligible domains is less than MinDomains. + For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same + labelSelector spread as 2/2/1: + In this case, the global minimum is 1. + | zone1 | zone2 | zone3 | + | P P | P P | P | + - if MaxSkew is 1, incoming pod can only be scheduled to zone3 to become 2/2/2; + scheduling it onto zone1(zone2) would make the ActualSkew(3-1) on zone1(zone2) + violate MaxSkew(1). + - if MaxSkew is 2, incoming pod can be scheduled onto any zone. + When `whenUnsatisfiable=ScheduleAnyway`, it is used to give higher precedence + to topologies that satisfy it. + It's a required field. Default value is 1 and 0 is not allowed. + format: int32 + type: integer + minDomains: + description: |- + MinDomains indicates a minimum number of eligible domains. 
+ When the number of eligible domains with matching topology keys is less than minDomains, + Pod Topology Spread treats "global minimum" as 0, and then the calculation of Skew is performed. + And when the number of eligible domains with matching topology keys equals or greater than minDomains, + this value has no effect on scheduling. + As a result, when the number of eligible domains is less than minDomains, + scheduler won't schedule more than maxSkew Pods to those domains. + If value is nil, the constraint behaves as if MinDomains is equal to 1. + Valid values are integers greater than 0. + When value is not nil, WhenUnsatisfiable must be DoNotSchedule. + + For example, in a 3-zone cluster, MaxSkew is set to 2, MinDomains is set to 5 and pods with the same + labelSelector spread as 2/2/2: + | zone1 | zone2 | zone3 | + | P P | P P | P P | + The number of domains is less than 5(MinDomains), so "global minimum" is treated as 0. + In this situation, new pod with the same labelSelector cannot be scheduled, + because computed skew will be 3(3 - 0) if new Pod is scheduled to any of the three zones, + it will violate MaxSkew. + format: int32 + type: integer + nodeAffinityPolicy: + description: |- + NodeAffinityPolicy indicates how we will treat Pod's nodeAffinity/nodeSelector + when calculating pod topology spread skew. Options are: + - Honor: only nodes matching nodeAffinity/nodeSelector are included in the calculations. + - Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations. + + If this value is nil, the behavior is equivalent to the Honor policy. + This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag. + type: string + nodeTaintsPolicy: + description: |- + NodeTaintsPolicy indicates how we will treat node taints when calculating + pod topology spread skew. 
Options are: + - Honor: nodes without taints, along with tainted nodes for which the incoming pod + has a toleration, are included. + - Ignore: node taints are ignored. All nodes are included. + + If this value is nil, the behavior is equivalent to the Ignore policy. + This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag. + type: string + topologyKey: + description: |- + TopologyKey is the key of node labels. Nodes that have a label with this key + and identical values are considered to be in the same topology. + We consider each as a "bucket", and try to put balanced number + of pods into each bucket. + We define a domain as a particular instance of a topology. + Also, we define an eligible domain as a domain whose nodes meet the requirements of + nodeAffinityPolicy and nodeTaintsPolicy. + e.g. If TopologyKey is "kubernetes.io/hostname", each Node is a domain of that topology. + And, if TopologyKey is "topology.kubernetes.io/zone", each zone is a domain of that topology. + It's a required field. + type: string + whenUnsatisfiable: + description: |- + WhenUnsatisfiable indicates how to deal with a pod if it doesn't satisfy + the spread constraint. + - DoNotSchedule (default) tells the scheduler not to schedule it. + - ScheduleAnyway tells the scheduler to schedule the pod in any location, + but giving higher precedence to topologies that would help reduce the + skew. + A constraint is considered "Unsatisfiable" for an incoming pod + if and only if every possible node assignment for that pod would violate + "MaxSkew" on some topology. + For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same + labelSelector spread as 3/1/1: + | zone1 | zone2 | zone3 | + | P P P | P | P | + If WhenUnsatisfiable is set to DoNotSchedule, incoming pod can only be scheduled + to zone2(zone3) to become 3/2/1(3/1/2) as ActualSkew(2-1) on zone2(zone3) satisfies + MaxSkew(1). 
In other words, the cluster can still be imbalanced, but scheduler + won't make it *more* imbalanced. + It's a required field. + type: string + required: + - maxSkew + - topologyKey + - whenUnsatisfiable + type: object + type: array type: object type: object istiodRemote: - description: Configuration for istiod-remote. + description: |- + Configuration for istiod-remote. + DEPRECATED - istiod-remote chart is removed and replaced with + `istio-discovery --set values.istiodRemote.enabled=true` + + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. properties: + enabled: + description: Indicates if this cluster/install should consume + a "remote" istiod instance, + type: boolean injectionCABundle: description: injector ca bundle type: string @@ -1267,7 +2554,7 @@ spec: type: string istiodSide: description: |- - Use istiod_side to specify CA Server integrate to Istiod side or Agent side + Use istiodSide to specify CA Server integrate to Istiod side or Agent side Default: true type: boolean requestTimeout: @@ -1277,8 +2564,8 @@ spec: type: string tlsSettings: description: |- - Use the tls_settings to specify the tls mode to use. - Regarding tls_settings: + Use the tlsSettings to specify the tls mode to use. + Regarding tlsSettings: - DISABLE MODE is legitimate for the case Istiod is making the request via an Envoy sidecar. DISABLE MODE can also be used for testing - TLS MUTUAL MODE be on by default. If the CA certificates 
@@ -1404,12 +2691,12 @@ spec: Optional. Specify the list of trust domains to which this trustAnchor data belongs. If set, they are used for these trust domains. Otherwise, this trustAnchor is used for default trust domain and its aliases. - Note that we can have multiple trustAnchor data for a same trust_domain. + Note that we can have multiple trustAnchor data for a same trustDomain. In that case, trustAnchors with a same trust domain will be merged and used together to verify peer certificates. - If neither cert_signers nor trust_domains is set, this trustAnchor is used for all trust domains and all signers. - If only trust_domains is set, this trustAnchor is used for these trust_domains and all signers. - If only cert_signers is set, this trustAnchor is used for these cert_signers and all trust domains. - If both cert_signers and trust_domains is set, this trustAnchor is only used for these signers and trust domains. + If neither certSigners nor trustDomains is set, this trustAnchor is used for all trust domains and all signers. + If only trustDomains is set, this trustAnchor is used for these trustDomains and all signers. + If only certSigners is set, this trustAnchor is used for these certSigners and all trust domains. + If both certSigners and trustDomains is set, this trustAnchor is only used for these signers and trust domains. items: type: string type: array @@ -1481,7 +2768,7 @@ spec: type: array tlsSettings: description: |- - Use the tls_settings to specify the tls mode to use. If the MCP server + Use the tlsSettings to specify the tls mode to use. If the MCP server uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS mode as `ISTIO_MUTUAL`. properties: 
@@ -1679,7 +2966,7 @@ spec: type: object tlsSettings: description: |- - Use the `tls_settings` to specify the tls mode to use. If the remote service + Use the `tlsSettings` to specify the tls mode to use. If the remote service uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS mode as `ISTIO_MUTUAL`. properties: @@ -1807,7 +3094,7 @@ spec: type: object tlsSettings: description: |- - Use the `tls_settings` to specify the tls mode to use. If the remote service + Use the `tlsSettings` to specify the tls mode to use. If the remote service uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS mode as `ISTIO_MUTUAL`. properties: @@ -1943,7 +3230,7 @@ spec: address to the X-Forwarded-For (XFF) address and set the X-Envoy-External-Address header to the trusted client address before forwarding it to the upstream services in the cluster. - The default value of num_trusted_proxies is 0. + The default value of numTrustedProxies is 0. See [Envoy XFF](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#config-http-conn-man-headers-x-forwarded-for) header handling for more details. format: int32 
@@ -2129,6 +3416,41 @@ spec: header. By default, `istio-envoy` will be used. type: string type: object + setCurrentClientCertDetails: + description: |- + This field is valid only when forward_client_cert_details is APPEND_FORWARD or SANITIZE_SET + and the client connection is mTLS. It specifies the fields in + the client certificate to be forwarded. Note that `Hash` is always set, and + `By` is always set when the client certificate presents the URI type Subject Alternative Name value. + properties: + cert: + description: |- + Whether to forward the entire client cert in URL encoded PEM format. This will appear in the + XFCC header comma separated from other values with the value Cert="PEM". + Defaults to false. + type: boolean + chain: + description: |- + Whether to forward the entire client cert chain (including the leaf cert) in URL encoded PEM + format. This will appear in the XFCC header comma separated from other values with the value + Chain="PEM". + Defaults to false. + type: boolean + dns: + description: |- + Whether to forward the DNS type Subject Alternative Names of the client cert. + Defaults to true. + type: boolean + subject: + description: Whether to forward the subject of + the client cert. Defaults to true. + type: boolean + uri: + description: |- + Whether to forward the URI type Subject Alternative Name of the client cert. Defaults to + true. + type: boolean + type: object type: object proxyMetadata: additionalProperties: 
@@ -2391,7 +3713,7 @@ spec: The amount of time allowed for connections to complete on proxy shutdown. On receiving `SIGTERM` or `SIGINT`, `istio-agent` tells the active Envoy to start gracefully draining, discouraging any new connections and allowing existing connections to complete. It then - sleeps for the `termination_drain_duration` and then kills any remaining active Envoy processes. + sleeps for the `terminationDrainDuration` and then kills any remaining active Envoy processes. If not set, a default of `5s` will be applied. type: string tracing: @@ -2544,7 +3866,7 @@ spec: type: object tlsSettings: description: |- - Use the tls_settings to specify the tls mode to use. If the remote tracing service + Use the tlsSettings to specify the tls mode to use. If the remote tracing service uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS mode as `ISTIO_MUTUAL`. properties: @@ -2672,8 +3994,8 @@ spec: <= 1 defaultDestinationRuleExportTo: description: |- - The default value for the `DestinationRule.export_to` field. Has the same - syntax as `default_service_export_to`. + The default value for the `DestinationRule.exportTo` field. Has the same + syntax as `defaultServiceExportTo`. If not set the system will use "*" as the default value which implies that destination rules are exported to all namespaces @@ -2749,7 +4071,7 @@ spec: type: object defaultServiceExportTo: description: |- - The default value for the ServiceEntry.export_to field and services + The default value for the ServiceEntry.exportTo field and services imported through container registry integrations, e.g. this applies to Kubernetes Service resources. The value is a list of namespace names and reserved namespace aliases. The allowed namespace aliases are: 
@@ -2778,8 +4100,8 @@ spec: type: array defaultVirtualServiceExportTo: description: |- - The default value for the VirtualService.export_to field. Has the same - syntax as `default_service_export_to`. + The default value for the VirtualService.exportTo field. Has the same + syntax as `defaultServiceExportTo`. If not set the system will use "*" as the default value which implies that virtual services are exported to all namespaces @@ -2962,7 +4284,7 @@ spec: properties: allowPartialMessage: description: |- - When this field is true, ext-authz filter will buffer the message until max_request_bytes is reached. + When this field is true, ext-authz filter will buffer the message until maxRequestBytes is reached. The authorization request will be dispatched and no 413 HTTP error will be returned by the filter. A "x-envoy-auth-partial-body: false|true" metadata header will be added to the authorization request message indicating if the body data is partial. @@ -2970,10 +4292,10 @@ spec: maxRequestBytes: description: |- Sets the maximum size of a message body that the ext-authz filter will hold in memory. - If max_request_bytes is reached, and allow_partial_message is false, Envoy will return a 413 (Payload Too Large). + If maxRequestBytes is reached, and allowPartialMessage is false, Envoy will return a 413 (Payload Too Large). Otherwise the request will be sent to the provider with a partial message. - Note that this setting will have precedence over the fail_open field, the 413 will be returned even when the - fail_open is set to true. + Note that this setting will have precedence over the failOpen field, the 413 will be returned even when the + failOpen is set to true. format: int32 type: integer packAsBytes: 
@@ -2981,7 +4303,7 @@ spec: If true, the body sent to the external authorization service in the gRPC authorization request is set with raw bytes in the [raw_body field](https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L153). Otherwise, it will be filled with UTF-8 string in the [body field](https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L147). - This field only works with the envoy_ext_authz_grpc provider and has no effect for the envoy_ext_authz_http provider. + This field only works with the envoyExtAuthzGrpc provider and has no effect for the envoyExtAuthzHttp provider. type: boolean type: object port: @@ -3007,7 +4329,7 @@ spec: description: |- The maximum duration that the proxy will wait for a response from the provider, this is the timeout for a specific request (default timeout: 600s). When this timeout condition is met, the proxy marks the communication to the authorization service as failure. - In this situation, the response sent back to the client will depend on the configured `fail_open` field. + In this situation, the response sent back to the client will depend on the configured `failOpen` field. type: string required: - port 
@@ -3081,11 +4403,11 @@ spec: description: |- Set of additional fixed headers that should be included in the authorization request sent to the authorization service. Key is the header name and value is the header value. - Note that client request of the same key or headers specified in include_request_headers_in_check will be overridden. + Note that client request of the same key or headers specified in includeRequestHeadersInCheck will be overridden. type: object includeHeadersInCheck: description: |- - DEPRECATED. Use include_request_headers_in_check instead. + DEPRECATED. Use includeRequestHeadersInCheck instead. Deprecated: Marked as deprecated in mesh/v1alpha1/config.proto. items: @@ -3098,7 +4420,7 @@ spec: properties: allowPartialMessage: description: |- - When this field is true, ext-authz filter will buffer the message until max_request_bytes is reached. + When this field is true, ext-authz filter will buffer the message until maxRequestBytes is reached. The authorization request will be dispatched and no 413 HTTP error will be returned by the filter. A "x-envoy-auth-partial-body: false|true" metadata header will be added to the authorization request message indicating if the body data is partial. @@ -3106,10 +4428,10 @@ spec: maxRequestBytes: description: |- Sets the maximum size of a message body that the ext-authz filter will hold in memory. - If max_request_bytes is reached, and allow_partial_message is false, Envoy will return a 413 (Payload Too Large). + If maxRequestBytes is reached, and allowPartialMessage is false, Envoy will return a 413 (Payload Too Large). Otherwise the request will be sent to the provider with a partial message. - Note that this setting will have precedence over the fail_open field, the 413 will be returned even when the - fail_open is set to true. + Note that this setting will have precedence over the failOpen field, the 413 will be returned even when the + failOpen is set to true. format: int32 type: integer packAsBytes: 
@@ -3117,7 +4439,7 @@ spec: If true, the body sent to the external authorization service in the gRPC authorization request is set with raw bytes in the [raw_body field](https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L153). Otherwise, it will be filled with UTF-8 string in the [body field](https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L147). - This field only works with the envoy_ext_authz_grpc provider and has no effect for the envoy_ext_authz_http provider. + This field only works with the envoyExtAuthzGrpc provider and has no effect for the envoyExtAuthzHttp provider. type: boolean type: object includeRequestHeadersInCheck: @@ -3126,7 +4448,7 @@ spec: Note that in addition to the headers specified here following headers are included by default: 1. *Host*, *Method*, *Path* and *Content-Length* are automatically sent. 2. *Content-Length* will be set to 0 and the request will not have a message body. However, the authorization - request can include the buffered client request body (controlled by include_request_body_in_check setting), + request can include the buffered client request body (controlled by includeRequestBodyInCheck setting), consequently the value of Content-Length of the authorization request reflects the size of its payload size. Exact, prefix and suffix matches are supported (similar to the 
@@ -3167,7 +4489,7 @@ spec: description: |- The maximum duration that the proxy will wait for a response from the provider (default timeout: 600s). When this timeout condition is met, the proxy marks the communication to the authorization service as failure. - In this situation, the response sent back to the client will depend on the configured `fail_open` field. + In this situation, the response sent back to the client will depend on the configured `failOpen` field. type: string required: - port @@ -3292,7 +4614,7 @@ spec: dictionaries](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#config-access-log-format-dictionaries)). Nested JSON is\nsupported for some command operators (e.g. FILTER_STATE or DYNAMIC_METADATA).\nAlias - to `attributes` filed in [Open Telemetry](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/open_telemetry/v3/logs_service.proto)\n\nExample:\n```\nlabels:\n\n\tstatus: + to `attributes` field in [Open Telemetry](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/open_telemetry/v3/logs_service.proto)\n\nExample:\n```\nlabels:\n\n\tstatus: \"%RESPONSE_CODE%\"\n\tmessage: \"%LOCAL_REPLY_BODY%\"\n\n```" type: object text: 
@@ -3300,7 +4622,7 @@ spec: Textual format for the envoy access logs. Envoy [command operators](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators) may be used in the format. The [format string documentation](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#config-access-log-format-strings) provides more information. - Alias to `body` filed in [Open Telemetry](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/open_telemetry/v3/logs_service.proto) + Alias to `body` field in [Open Telemetry](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/open_telemetry/v3/logs_service.proto) Example: `text: "%LOCAL_REPLY_BODY%:%RESPONSE_CODE%:path=%REQ(:path)%"` type: string type: object @@ -3470,11 +4792,11 @@ spec: headers: - name: "Authorization" value: "Api-Token dt0c01." - resource_detectors: + resourceDetectors: dynatrace: {} - dynatrace_sampler: + dynatraceSampler: tenant: "{your-environment-id}" - cluster_id: 1234 + clusterId: 1234 properties: clusterId: description: |- @@ -3551,8 +4873,8 @@ spec: A default value of `1000` is used when: - - `root_spans_per_minute` is unset - - `root_spans_per_minute` is set to 0 + - `rootSpansPerMinute` is unset + - `rootSpansPerMinute` is set to 0 format: int32 type: integer tenant: 
@@ -3565,6 +4887,50 @@ spec: - clusterId - tenant type: object + grpc: + description: "Optional. Specifies the configuration + for exporting OTLP traces via GRPC.\nWhen empty, + traces will check whether HTTP is set.\nIf not, + traces will use default GRPC configurations.\n\nThe + following example shows how to configure the OpenTelemetry + ExtensionProvider to export via GRPC:\n\n1. Add/change + the OpenTelemetry extension provider in `MeshConfig`\n```yaml\n + \ - name: opentelemetry\n opentelemetry:\n + \ port: 8090\n service: tracing.example.com\n + \ grpc:\n timeout: 10s\n initialMetadata:\n + \ - name: \"Authentication\"\n value: \"token-xxxxx\"\n\n```\n\n2. + Deploy a `ServiceEntry` for the observability + back-end\n```yaml\napiVersion: networking.istio.io/v1alpha3\nkind: + ServiceEntry\nmetadata:\n\n\tname: tracing-grpc\n\nspec:\n\n\thosts:\n\t- + tracing.example.com\n\tports:\n\t- number: 8090\n\t + \ name: grpc-port\n\t protocol: GRPC\n\tresolution: + DNS\n\tlocation: MESH_EXTERNAL\n\n```" + properties: + initialMetadata: + description: |- + Optional. Additional metadata to include in streams initiated to the GrpcService. This can be used for + scenarios in which additional ad hoc authorization headers (e.g. “x-foo-bar: baz-key“) are to + be injected. + items: + properties: + name: + description: REQUIRED. The HTTP header + name. + type: string + value: + description: REQUIRED. The HTTP header + value. + type: string + required: + - name + - value + type: object + type: array + timeout: + description: Optional. Specifies the timeout + for the GRPC request. + type: string + type: object http: description: "Optional. Specifies the configuration for exporting OTLP traces via HTTP.\nWhen empty, @@ -3643,7 +5009,7 @@ spec: opentelemetry: port: 443 service: my.olly-backend.com - resource_detectors: + resourceDetectors: environment: {} ``` 
@@ -3779,6 +5145,11 @@ spec: NOTE: currently only controls max length of the path tag. format: int32 type: integer + path: + description: |- + Optional. Specifies the endpoint of Zipkin API. + The default value is "/api/v2/spans". + type: string port: description: REQUIRED. Specifies the port of the service. @@ -3880,7 +5251,7 @@ spec: the Gateway.selector field, and will be set as `istio: INGRESS_SELECTOR`. By default, `ingressgateway` is used, which will select the default IngressGateway as it has the `istio: ingressgateway` labels. - It is recommended that this is the same value as ingress_service. + It is recommended that this is the same value as ingressService. type: string ingressService: description: |- @@ -4188,7 +5559,7 @@ spec: ```yaml serviceSettings: - settings: - cluster_local: true + clusterLocal: true hosts: - "*.foo.svc.cluster.local" - "bar.baz.svc.cluster.local" @@ -4257,7 +5628,7 @@ spec: tlsDefaults: description: |- Configuration of TLS for all traffic except for ISTIO_MUTUAL mode. - Currently, this supports configuration of ecdh_curves and cipher_suites only. + Currently, this supports configuration of ecdhCurves and cipherSuites only. For ISTIO_MUTUAL TLS settings, use meshMTLS configuration. properties: cipherSuites: @@ -4304,7 +5675,7 @@ spec: type: string trustDomainAliases: description: |- - The trust domain aliases represent the aliases of `trust_domain`. + The trust domain aliases represent the aliases of `trustDomain`. For example, if we have ```yaml trustDomain: td1 @@ -4632,7 +6003,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both matchLabelKeys and labelSelector. Also, matchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array 
@@ -4647,7 +6018,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -4815,7 +6186,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both matchLabelKeys and labelSelector. Also, matchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -4830,7 +6201,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -4996,7 +6367,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both matchLabelKeys and labelSelector. Also, matchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array 
@@ -5011,7 +6382,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -5179,7 +6550,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both matchLabelKeys and labelSelector. Also, matchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -5194,7 +6565,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array 
@@ -5488,6 +6859,26 @@ spec: are PreferDualStack, RequireDualStack, and SingleStack. More info: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services type: string + istiodRemote: + description: Configuration for the istio-discovery chart when + istiod is running in a remote cluster (e.g. "remote control + plane"). + properties: + enabled: + description: Indicates if this cluster/install should + consume a "remote" istiod instance, + type: boolean + injectionCABundle: + description: injector ca bundle + type: string + injectionPath: + description: Path to use for the sidecar injector webhook + service. + type: string + injectionURL: + description: URL to use for sidecar injector webhook. + type: string + type: object jwksResolverExtraRootCA: description: |- Specifies an extra root certificate in PEM format. This certificate will be trusted @@ -5578,6 +6969,12 @@ spec: the Pod where this field is used. It makes that resource available inside a container. type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string required: - name type: object @@ -6047,6 +7444,7 @@ spec: the blob storage type: string fsType: + default: ext4 description: |- fsType is Filesystem type to mount. Must be a filesystem type supported by the host operating system. @@ -6060,6 +7458,7 @@ spec: set). defaults to shared' type: string readOnly: + default: false description: |- readOnly Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts. 
@@ -6669,7 +8068,7 @@ spec: set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource exists. More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/ - (Alpha) Using this field requires the VolumeAttributesClass feature gate to be enabled. + (Beta) Using this field requires the VolumeAttributesClass feature gate to be enabled (off by default). type: string volumeMode: description: |- 
@@ -6892,6 +8291,41 @@ spec: required: - path type: object + image: + description: |- + image represents an OCI object (a container image or artifact) pulled and mounted on the kubelet's host machine. + The volume is resolved at pod startup depending on which PullPolicy value is provided: + + - Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails. + - Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present. + - IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails. + + The volume gets re-resolved if the pod gets deleted and recreated, which means that new remote content will become available on pod recreation. + A failure to resolve or pull the image during pod startup will block containers from starting and may add significant latency. Failures will be retried using normal volume backoff and will be reported on the pod reason and message. + The types of objects that may be mounted by this volume are defined by the container runtime implementation on a host machine and at minimum must include all valid types supported by the container image field. + The OCI object gets mounted in a single directory (spec.containers[*].volumeMounts.mountPath) by merging the manifest layers in the same way as for container images. + The volume will be mounted read-only (ro) and non-executable files (noexec). + Sub path mounts for containers are not supported (spec.containers[*].volumeMounts.subpath). + The field spec.securityContext.fsGroupChangePolicy has no effect on this volume type. + properties: + pullPolicy: + description: |- + Policy for pulling OCI objects. Possible values are: + Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails. 
+ Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present. + IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails. + Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. + type: string + reference: + description: |- + Required: Image or artifact reference to be used. + Behaves in the same way as pod.spec.containers[*].image. + Pull secrets will be assembled in the same way as for the container image by looking up node credentials, SA image pull secrets, and pod spec image pull secrets. + More info: https://kubernetes.io/docs/concepts/containers/images + This field is optional to allow higher level config management to default or override + container images in workload controllers like Deployments and StatefulSets. + type: string + type: object iscsi: description: |- iscsi represents an ISCSI Disk resource that is attached to a @@ -6923,6 +8357,7 @@ spec: description: iqn is the target iSCSI Qualified Name. type: string iscsiInterface: + default: default description: |- iscsiInterface is the interface Name that uses an iSCSI transport. Defaults to 'default' (tcp). @@ -7074,10 +8509,13 @@ spec: format: int32 type: integer sources: - description: sources is the list of volume projections + description: |- + sources is the list of volume projections. Each entry in this list + handles one source. items: - description: Projection that may be projected - along with other supported volume types + description: |- + Projection that may be projected along with other supported volume types. + Exactly one of these fields must be set. properties: clusterTrustBundle: description: |- 
@@ -7462,6 +8900,7 @@ spec: More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it type: string keyring: + default: /etc/ceph/keyring description: |- keyring is the path to key ring for RBDUser. Default is /etc/ceph/keyring. @@ -7476,6 +8915,7 @@ spec: type: array x-kubernetes-list-type: atomic pool: + default: rbd description: |- pool is the rados pool name. Default is rbd. @@ -7506,6 +8946,7 @@ spec: type: object x-kubernetes-map-type: atomic user: + default: admin description: |- user is the rados user name. Default is admin. @@ -7520,6 +8961,7 @@ spec: volume attached and mounted on Kubernetes nodes. properties: fsType: + default: xfs description: |- fsType is the filesystem type to mount. Must be a filesystem type supported by the host operating system. @@ -7560,6 +9002,7 @@ spec: communication with Gateway, default false type: boolean storageMode: + default: ThinProvisioned description: |- storageMode indicates whether the storage for a volume should be ThickProvisioned or ThinProvisioned. Default is ThinProvisioned. @@ -7927,11 +9370,11 @@ spec: version: description: |- Defines the version of Istio to install. - Must be one of: v1.23.0, v1.22.3, v1.21.5, latest. + Must be one of: v1.23.2, v1.22.5, v1.21.6, latest. enum: - - v1.23.0 - - v1.22.3 - - v1.21.5 + - v1.23.2 + - v1.22.5 + - v1.21.6 - latest type: string required: diff --git a/chart/crds/sailoperator.io_istios.yaml b/chart/crds/sailoperator.io_istios.yaml index e161d7172..8dd60f5af 100644 --- a/chart/crds/sailoperator.io_istios.yaml +++ b/chart/crds/sailoperator.io_istios.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.0 + controller-gen.kubebuilder.io/version: v0.16.3 name: istios.sailoperator.io spec: group: sailoperator.io 
@@ -80,7 +80,7 @@ spec: namespace: istio-system updateStrategy: type: InPlace - version: v1.23.0 + version: v1.23.2 description: IstioSpec defines the desired state of Istio properties: namespace: @@ -91,13 +91,12 @@ spec: description: |- The built-in installation configuration profile to use. The 'default' profile is always applied. On OpenShift, the 'openshift' profile is also applied on top of 'default'. - Must be one of: ambient, default, demo, empty, external, openshift-ambient, openshift, preview, stable. + Must be one of: ambient, default, demo, empty, openshift-ambient, openshift, preview, stable. enum: - ambient - default - demo - empty - - external - openshift-ambient - openshift - preview @@ -149,6 +148,11 @@ spec: base: description: Configuration for the base component. properties: + excludedCRDs: + description: CRDs to exclude. Requires `enableCRDTemplates` + items: + type: string + type: array validationCABundle: description: validation webhook CA bundle type: string @@ -232,10 +236,7 @@ spec: Deprecated: Marked as deprecated in pkg/apis/values_types.proto. type: object defaultPodDisruptionBudget: - description: |- - Specifies the default pod disruption budget configuration. - - Deprecated: Marked as deprecated in pkg/apis/values_types.proto. + description: Specifies the default pod disruption budget configuration. properties: enabled: description: Controls whether a PodDisruptionBudget with @@ -269,6 +270,12 @@ spec: the Pod where this field is used. It makes that resource available inside a container. type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string required: - name type: object 
@@ -470,7 +477,7 @@ spec: with the endpoint by\nadding the `ISTIO_META_NETWORK` environment variable to the sidecar.\n\n2. Explicitly:\n\n\ta. By matching the registry name with one of the \"fromRegistry\"\n\tin - the mesh config. A \"from_registry\" can only be + the mesh config. A \"fromRegistry\" can only be assigned to a\n\tsingle network.\n\n\tb. By matching the IP against one of the CIDR ranges in a mesh\n\tconfig network. The CIDR ranges must not overlap and be @@ -981,6 +988,12 @@ spec: the Pod where this field is used. It makes that resource available inside a container. type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string required: - name type: object @@ -1088,6 +1101,12 @@ spec: the Pod where this field is used. It makes that resource available inside a container. type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string required: - name type: object 
@@ -1197,26 +1216,1056 @@ spec: format: int32 type: integer type: object - zipkin: - description: Configuration for the zipkin tracing service. - properties: - address: - description: |- - Address of zipkin instance in host:port format for reporting trace data. + zipkin: + description: Configuration for the zipkin tracing service. + properties: + address: + description: |- + Address of zipkin instance in host:port format for reporting trace data. + + Example: .:941 + type: string + type: object + type: object + variant: + description: The variant of the Istio container images to + use. Options are "debug" or "distroless". Unset will use + the default for the given version. + type: string + waypoint: + description: Specifies how waypoints are configured within + Istio. + properties: + affinity: + description: |- + K8s affinity settings for waypoint pods. + + See https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + properties: + nodeAffinity: + description: Describes node affinity scheduling rules + for the pod. + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node matches the corresponding matchExpressions; the + node(s) with the highest sum are the most preferred. + items: + description: |- + An empty preferred scheduling term matches all objects with implicit weight 0 + (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). 
+ properties: + preference: + description: A node selector term, associated + with the corresponding weight. + properties: + matchExpressions: + description: A list of node selector + requirements by node's labels. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that + the selector applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + description: A list of node selector + requirements by node's fields. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that + the selector applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. 
+ This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + weight: + description: Weight associated with matching + the corresponding nodeSelectorTerm, in + the range 1-100. + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to an update), the system + may or may not try to eventually evict the pod from its node. + properties: + nodeSelectorTerms: + description: Required. A list of node selector + terms. The terms are ORed. + items: + description: |- + A null or empty node selector term matches no objects. The requirements of + them are ANDed. + The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. + properties: + matchExpressions: + description: A list of node selector + requirements by node's labels. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that + the selector applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. 
If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + description: A list of node selector + requirements by node's fields. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that + the selector applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + type: array + x-kubernetes-list-type: atomic + required: + - nodeSelectorTerms + type: object + x-kubernetes-map-type: atomic + type: object + podAffinity: + description: Describes pod affinity scheduling rules + (e.g. co-locate this pod in the same node, zone, + etc. as some other pod(s)). 
+ properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. + items: + description: The weights of all of the matched + WeightedPodAffinityTerm fields are added per-node + to find the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, + associated with the corresponding weight. + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is + a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. + Also, matchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. 
+ Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is + a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod label update), the + system may or may not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. 
+ items: + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. + Also, matchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. + Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. 
+ null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + x-kubernetes-list-type: atomic + type: object + podAntiAffinity: + description: Describes pod anti-affinity scheduling + rules (e.g. avoid putting this pod in the same node, + zone, etc. as some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the anti-affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling anti-affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. + items: + description: The weights of all of the matched + WeightedPodAffinityTerm fields are added per-node + to find the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, + associated with the corresponding weight. + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. 
+ properties: + matchExpressions: + description: matchExpressions is + a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. 
+ Also, matchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. + Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is + a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. 
+ type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. 
+ format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the anti-affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the anti-affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod label update), the + system may or may not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. + items: + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. + Also, matchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. 
Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. + Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + x-kubernetes-list-type: atomic + type: object + type: object + nodeSelector: + description: |- + K8s node labels settings. - Example: .:941 - type: string + See https://kubernetes.io/docs/user-guide/node-selection/ + properties: + nodeSelectorTerms: + description: Required. A list of node selector terms. + The terms are ORed. + items: + description: |- + A null or empty node selector term matches no objects. The requirements of + them are ANDed. + The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. + properties: + matchExpressions: + description: A list of node selector requirements + by node's labels. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. 
+ properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + description: A list of node selector requirements + by node's fields. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + type: array + x-kubernetes-list-type: atomic + required: + - nodeSelectorTerms type: object - type: object - variant: - description: The variant of the Istio container images to - use. Options are "debug" or "distroless". Unset will use - the default for the given version. - type: string - waypoint: - description: Specifies how waypoints are configured within - Istio. - properties: + x-kubernetes-map-type: atomic resources: description: |- K8s resource settings. @@ -1242,6 +2291,12 @@ spec: the Pod where this field is used. It makes that resource available inside a container. type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string required: - name type: object 
@@ -1274,11 +2329,242 @@ spec: More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object type: object + toleration: + description: |- + K8s tolerations settings. + + See https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + items: + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . + properties: + effect: + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. + type: string + operator: + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. + type: string + tolerationSeconds: + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. + type: string + type: object + type: array + topologySpreadConstraints: + description: |- + K8s topology spread constraints settings. 
+ + See https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ + items: + description: TopologySpreadConstraint specifies how + to spread matching pods among the given topology. + properties: + labelSelector: + description: |- + LabelSelector is used to find matching pods. + Pods that match this label selector are counted to determine the number of pods + in their corresponding topology domain. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select the pods over which + spreading will be calculated. 
The keys are used to lookup values from the + incoming pod labels, those key-value labels are ANDed with labelSelector + to select the group of existing pods over which spreading will be calculated + for the incoming pod. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + MatchLabelKeys cannot be set when LabelSelector isn't set. + Keys that don't exist in the incoming pod labels will + be ignored. A null or empty list means only match against labelSelector. + + This is a beta field and requires the MatchLabelKeysInPodTopologySpread feature gate to be enabled (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + maxSkew: + description: |- + MaxSkew describes the degree to which pods may be unevenly distributed. + When `whenUnsatisfiable=DoNotSchedule`, it is the maximum permitted difference + between the number of matching pods in the target topology and the global minimum. + The global minimum is the minimum number of matching pods in an eligible domain + or zero if the number of eligible domains is less than MinDomains. + For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same + labelSelector spread as 2/2/1: + In this case, the global minimum is 1. + | zone1 | zone2 | zone3 | + | P P | P P | P | + - if MaxSkew is 1, incoming pod can only be scheduled to zone3 to become 2/2/2; + scheduling it onto zone1(zone2) would make the ActualSkew(3-1) on zone1(zone2) + violate MaxSkew(1). + - if MaxSkew is 2, incoming pod can be scheduled onto any zone. + When `whenUnsatisfiable=ScheduleAnyway`, it is used to give higher precedence + to topologies that satisfy it. + It's a required field. Default value is 1 and 0 is not allowed. + format: int32 + type: integer + minDomains: + description: |- + MinDomains indicates a minimum number of eligible domains. 
+ When the number of eligible domains with matching topology keys is less than minDomains, + Pod Topology Spread treats "global minimum" as 0, and then the calculation of Skew is performed. + And when the number of eligible domains with matching topology keys equals or greater than minDomains, + this value has no effect on scheduling. + As a result, when the number of eligible domains is less than minDomains, + scheduler won't schedule more than maxSkew Pods to those domains. + If value is nil, the constraint behaves as if MinDomains is equal to 1. + Valid values are integers greater than 0. + When value is not nil, WhenUnsatisfiable must be DoNotSchedule. + + For example, in a 3-zone cluster, MaxSkew is set to 2, MinDomains is set to 5 and pods with the same + labelSelector spread as 2/2/2: + | zone1 | zone2 | zone3 | + | P P | P P | P P | + The number of domains is less than 5(MinDomains), so "global minimum" is treated as 0. + In this situation, new pod with the same labelSelector cannot be scheduled, + because computed skew will be 3(3 - 0) if new Pod is scheduled to any of the three zones, + it will violate MaxSkew. + format: int32 + type: integer + nodeAffinityPolicy: + description: |- + NodeAffinityPolicy indicates how we will treat Pod's nodeAffinity/nodeSelector + when calculating pod topology spread skew. Options are: + - Honor: only nodes matching nodeAffinity/nodeSelector are included in the calculations. + - Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations. + + If this value is nil, the behavior is equivalent to the Honor policy. + This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag. + type: string + nodeTaintsPolicy: + description: |- + NodeTaintsPolicy indicates how we will treat node taints when calculating + pod topology spread skew. 
Options are: + - Honor: nodes without taints, along with tainted nodes for which the incoming pod + has a toleration, are included. + - Ignore: node taints are ignored. All nodes are included. + + If this value is nil, the behavior is equivalent to the Ignore policy. + This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag. + type: string + topologyKey: + description: |- + TopologyKey is the key of node labels. Nodes that have a label with this key + and identical values are considered to be in the same topology. + We consider each as a "bucket", and try to put balanced number + of pods into each bucket. + We define a domain as a particular instance of a topology. + Also, we define an eligible domain as a domain whose nodes meet the requirements of + nodeAffinityPolicy and nodeTaintsPolicy. + e.g. If TopologyKey is "kubernetes.io/hostname", each Node is a domain of that topology. + And, if TopologyKey is "topology.kubernetes.io/zone", each zone is a domain of that topology. + It's a required field. + type: string + whenUnsatisfiable: + description: |- + WhenUnsatisfiable indicates how to deal with a pod if it doesn't satisfy + the spread constraint. + - DoNotSchedule (default) tells the scheduler not to schedule it. + - ScheduleAnyway tells the scheduler to schedule the pod in any location, + but giving higher precedence to topologies that would help reduce the + skew. + A constraint is considered "Unsatisfiable" for an incoming pod + if and only if every possible node assignment for that pod would violate + "MaxSkew" on some topology. + For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same + labelSelector spread as 3/1/1: + | zone1 | zone2 | zone3 | + | P P P | P | P | + If WhenUnsatisfiable is set to DoNotSchedule, incoming pod can only be scheduled + to zone2(zone3) to become 3/2/1(3/1/2) as ActualSkew(2-1) on zone2(zone3) satisfies + MaxSkew(1). 
In other words, the cluster can still be imbalanced, but scheduler + won't make it *more* imbalanced. + It's a required field. + type: string + required: + - maxSkew + - topologyKey + - whenUnsatisfiable + type: object + type: array type: object type: object istiodRemote: - description: Configuration for istiod-remote. + description: |- + Configuration for istiod-remote. + DEPRECATED - istiod-remote chart is removed and replaced with + `istio-discovery --set values.istiodRemote.enabled=true` + + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. properties: + enabled: + description: Indicates if this cluster/install should consume + a "remote" istiod instance, + type: boolean injectionCABundle: description: injector ca bundle type: string @@ -1326,7 +2612,7 @@ spec: type: string istiodSide: description: |- - Use istiod_side to specify CA Server integrate to Istiod side or Agent side + Use istiodSide to specify CA Server integrate to Istiod side or Agent side Default: true type: boolean requestTimeout: @@ -1336,8 +2622,8 @@ spec: type: string tlsSettings: description: |- - Use the tls_settings to specify the tls mode to use. - Regarding tls_settings: + Use the tlsSettings to specify the tls mode to use. + Regarding tlsSettings: - DISABLE MODE is legitimate for the case Istiod is making the request via an Envoy sidecar. DISABLE MODE can also be used for testing - TLS MUTUAL MODE be on by default. If the CA certificates 
@@ -1463,12 +2749,12 @@ spec: Optional. Specify the list of trust domains to which this trustAnchor data belongs. If set, they are used for these trust domains. Otherwise, this trustAnchor is used for default trust domain and its aliases. - Note that we can have multiple trustAnchor data for a same trust_domain. + Note that we can have multiple trustAnchor data for a same trustDomain. In that case, trustAnchors with a same trust domain will be merged and used together to verify peer certificates. - If neither cert_signers nor trust_domains is set, this trustAnchor is used for all trust domains and all signers. - If only trust_domains is set, this trustAnchor is used for these trust_domains and all signers. - If only cert_signers is set, this trustAnchor is used for these cert_signers and all trust domains. - If both cert_signers and trust_domains is set, this trustAnchor is only used for these signers and trust domains. + If neither certSigners nor trustDomains is set, this trustAnchor is used for all trust domains and all signers. + If only trustDomains is set, this trustAnchor is used for these trustDomains and all signers. + If only certSigners is set, this trustAnchor is used for these certSigners and all trust domains. + If both certSigners and trustDomains is set, this trustAnchor is only used for these signers and trust domains. items: type: string type: array @@ -1540,7 +2826,7 @@ spec: type: array tlsSettings: description: |- - Use the tls_settings to specify the tls mode to use. If the MCP server + Use the tlsSettings to specify the tls mode to use. If the MCP server uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS mode as `ISTIO_MUTUAL`. properties: 
@@ -1738,7 +3024,7 @@ spec: type: object tlsSettings: description: |- - Use the `tls_settings` to specify the tls mode to use. If the remote service + Use the `tlsSettings` to specify the tls mode to use. If the remote service uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS mode as `ISTIO_MUTUAL`. properties: @@ -1866,7 +3152,7 @@ spec: type: object tlsSettings: description: |- - Use the `tls_settings` to specify the tls mode to use. If the remote service + Use the `tlsSettings` to specify the tls mode to use. If the remote service uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS mode as `ISTIO_MUTUAL`. properties: @@ -2002,7 +3288,7 @@ spec: address to the X-Forwarded-For (XFF) address and set the X-Envoy-External-Address header to the trusted client address before forwarding it to the upstream services in the cluster. - The default value of num_trusted_proxies is 0. + The default value of numTrustedProxies is 0. See [Envoy XFF](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#config-http-conn-man-headers-x-forwarded-for) header handling for more details. format: int32 
@@ -2188,6 +3474,41 @@ spec: header. By default, `istio-envoy` will be used. type: string type: object + setCurrentClientCertDetails: + description: |- + This field is valid only when forward_client_cert_details is APPEND_FORWARD or SANITIZE_SET + and the client connection is mTLS. It specifies the fields in + the client certificate to be forwarded. Note that `Hash` is always set, and + `By` is always set when the client certificate presents the URI type Subject Alternative Name value. + properties: + cert: + description: |- + Whether to forward the entire client cert in URL encoded PEM format. This will appear in the + XFCC header comma separated from other values with the value Cert="PEM". + Defaults to false. + type: boolean + chain: + description: |- + Whether to forward the entire client cert chain (including the leaf cert) in URL encoded PEM + format. This will appear in the XFCC header comma separated from other values with the value + Chain="PEM". + Defaults to false. + type: boolean + dns: + description: |- + Whether to forward the DNS type Subject Alternative Names of the client cert. + Defaults to true. + type: boolean + subject: + description: Whether to forward the subject of + the client cert. Defaults to true. + type: boolean + uri: + description: |- + Whether to forward the URI type Subject Alternative Name of the client cert. Defaults to + true. + type: boolean + type: object type: object proxyMetadata: additionalProperties: 
@@ -2450,7 +3771,7 @@ spec: The amount of time allowed for connections to complete on proxy shutdown. On receiving `SIGTERM` or `SIGINT`, `istio-agent` tells the active Envoy to start gracefully draining, discouraging any new connections and allowing existing connections to complete. It then - sleeps for the `termination_drain_duration` and then kills any remaining active Envoy processes. + sleeps for the `terminationDrainDuration` and then kills any remaining active Envoy processes. If not set, a default of `5s` will be applied. type: string tracing: @@ -2603,7 +3924,7 @@ spec: type: object tlsSettings: description: |- - Use the tls_settings to specify the tls mode to use. If the remote tracing service + Use the tlsSettings to specify the tls mode to use. If the remote tracing service uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS mode as `ISTIO_MUTUAL`. properties: @@ -2731,8 +4052,8 @@ spec: <= 1 defaultDestinationRuleExportTo: description: |- - The default value for the `DestinationRule.export_to` field. Has the same - syntax as `default_service_export_to`. + The default value for the `DestinationRule.exportTo` field. Has the same + syntax as `defaultServiceExportTo`. If not set the system will use "*" as the default value which implies that destination rules are exported to all namespaces @@ -2808,7 +4129,7 @@ spec: type: object defaultServiceExportTo: description: |- - The default value for the ServiceEntry.export_to field and services + The default value for the ServiceEntry.exportTo field and services imported through container registry integrations, e.g. this applies to Kubernetes Service resources. The value is a list of namespace names and reserved namespace aliases. The allowed namespace aliases are: 
@@ -2837,8 +4158,8 @@ spec: type: array defaultVirtualServiceExportTo: description: |- - The default value for the VirtualService.export_to field. Has the same - syntax as `default_service_export_to`. + The default value for the VirtualService.exportTo field. Has the same + syntax as `defaultServiceExportTo`. If not set the system will use "*" as the default value which implies that virtual services are exported to all namespaces @@ -3021,7 +4342,7 @@ spec: properties: allowPartialMessage: description: |- - When this field is true, ext-authz filter will buffer the message until max_request_bytes is reached. + When this field is true, ext-authz filter will buffer the message until maxRequestBytes is reached. The authorization request will be dispatched and no 413 HTTP error will be returned by the filter. A "x-envoy-auth-partial-body: false|true" metadata header will be added to the authorization request message indicating if the body data is partial. @@ -3029,10 +4350,10 @@ spec: maxRequestBytes: description: |- Sets the maximum size of a message body that the ext-authz filter will hold in memory. - If max_request_bytes is reached, and allow_partial_message is false, Envoy will return a 413 (Payload Too Large). + If maxRequestBytes is reached, and allowPartialMessage is false, Envoy will return a 413 (Payload Too Large). Otherwise the request will be sent to the provider with a partial message. - Note that this setting will have precedence over the fail_open field, the 413 will be returned even when the - fail_open is set to true. + Note that this setting will have precedence over the failOpen field, the 413 will be returned even when the + failOpen is set to true. format: int32 type: integer packAsBytes: 
@@ -3040,7 +4361,7 @@ spec: If true, the body sent to the external authorization service in the gRPC authorization request is set with raw bytes in the [raw_body field](https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L153). Otherwise, it will be filled with UTF-8 string in the [body field](https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L147). - This field only works with the envoy_ext_authz_grpc provider and has no effect for the envoy_ext_authz_http provider. + This field only works with the envoyExtAuthzGrpc provider and has no effect for the envoyExtAuthzHttp provider. type: boolean type: object port: @@ -3066,7 +4387,7 @@ spec: description: |- The maximum duration that the proxy will wait for a response from the provider, this is the timeout for a specific request (default timeout: 600s). When this timeout condition is met, the proxy marks the communication to the authorization service as failure. - In this situation, the response sent back to the client will depend on the configured `fail_open` field. + In this situation, the response sent back to the client will depend on the configured `failOpen` field. type: string required: - port 
@@ -3140,11 +4461,11 @@ spec: description: |- Set of additional fixed headers that should be included in the authorization request sent to the authorization service. Key is the header name and value is the header value. - Note that client request of the same key or headers specified in include_request_headers_in_check will be overridden. + Note that client request of the same key or headers specified in includeRequestHeadersInCheck will be overridden. type: object includeHeadersInCheck: description: |- - DEPRECATED. Use include_request_headers_in_check instead. + DEPRECATED. Use includeRequestHeadersInCheck instead. Deprecated: Marked as deprecated in mesh/v1alpha1/config.proto. items: @@ -3157,7 +4478,7 @@ spec: properties: allowPartialMessage: description: |- - When this field is true, ext-authz filter will buffer the message until max_request_bytes is reached. + When this field is true, ext-authz filter will buffer the message until maxRequestBytes is reached. The authorization request will be dispatched and no 413 HTTP error will be returned by the filter. A "x-envoy-auth-partial-body: false|true" metadata header will be added to the authorization request message indicating if the body data is partial. @@ -3165,10 +4486,10 @@ spec: maxRequestBytes: description: |- Sets the maximum size of a message body that the ext-authz filter will hold in memory. - If max_request_bytes is reached, and allow_partial_message is false, Envoy will return a 413 (Payload Too Large). + If maxRequestBytes is reached, and allowPartialMessage is false, Envoy will return a 413 (Payload Too Large). Otherwise the request will be sent to the provider with a partial message. - Note that this setting will have precedence over the fail_open field, the 413 will be returned even when the - fail_open is set to true. + Note that this setting will have precedence over the failOpen field, the 413 will be returned even when the + failOpen is set to true. format: int32 type: integer packAsBytes: 
@@ -3176,7 +4497,7 @@ spec: If true, the body sent to the external authorization service in the gRPC authorization request is set with raw bytes in the [raw_body field](https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L153). Otherwise, it will be filled with UTF-8 string in the [body field](https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L147). - This field only works with the envoy_ext_authz_grpc provider and has no effect for the envoy_ext_authz_http provider. + This field only works with the envoyExtAuthzGrpc provider and has no effect for the envoyExtAuthzHttp provider. type: boolean type: object includeRequestHeadersInCheck: @@ -3185,7 +4506,7 @@ spec: Note that in addition to the headers specified here following headers are included by default: 1. *Host*, *Method*, *Path* and *Content-Length* are automatically sent. 2. *Content-Length* will be set to 0 and the request will not have a message body. However, the authorization - request can include the buffered client request body (controlled by include_request_body_in_check setting), + request can include the buffered client request body (controlled by includeRequestBodyInCheck setting), consequently the value of Content-Length of the authorization request reflects the size of its payload size. Exact, prefix and suffix matches are supported (similar to the 
@@ -3226,7 +4547,7 @@ spec: description: |- The maximum duration that the proxy will wait for a response from the provider (default timeout: 600s). When this timeout condition is met, the proxy marks the communication to the authorization service as failure. - In this situation, the response sent back to the client will depend on the configured `fail_open` field. + In this situation, the response sent back to the client will depend on the configured `failOpen` field. type: string required: - port @@ -3351,7 +4672,7 @@ spec: dictionaries](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#config-access-log-format-dictionaries)). Nested JSON is\nsupported for some command operators (e.g. FILTER_STATE or DYNAMIC_METADATA).\nAlias - to `attributes` filed in [Open Telemetry](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/open_telemetry/v3/logs_service.proto)\n\nExample:\n```\nlabels:\n\n\tstatus: + to `attributes` field in [Open Telemetry](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/open_telemetry/v3/logs_service.proto)\n\nExample:\n```\nlabels:\n\n\tstatus: \"%RESPONSE_CODE%\"\n\tmessage: \"%LOCAL_REPLY_BODY%\"\n\n```" type: object text: 
@@ -3359,7 +4680,7 @@ spec: Textual format for the envoy access logs. Envoy [command operators](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators) may be used in the format. The [format string documentation](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#config-access-log-format-strings) provides more information. - Alias to `body` filed in [Open Telemetry](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/open_telemetry/v3/logs_service.proto) + Alias to `body` field in [Open Telemetry](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/open_telemetry/v3/logs_service.proto) Example: `text: "%LOCAL_REPLY_BODY%:%RESPONSE_CODE%:path=%REQ(:path)%"` type: string type: object @@ -3529,11 +4850,11 @@ spec: headers: - name: "Authorization" value: "Api-Token dt0c01." - resource_detectors: + resourceDetectors: dynatrace: {} - dynatrace_sampler: + dynatraceSampler: tenant: "{your-environment-id}" - cluster_id: 1234 + clusterId: 1234 properties: clusterId: description: |- @@ -3610,8 +4931,8 @@ spec: A default value of `1000` is used when: - - `root_spans_per_minute` is unset - - `root_spans_per_minute` is set to 0 + - `rootSpansPerMinute` is unset + - `rootSpansPerMinute` is set to 0 format: int32 type: integer tenant: 
@@ -3624,6 +4945,50 @@ spec: - clusterId - tenant type: object + grpc: + description: "Optional. Specifies the configuration + for exporting OTLP traces via GRPC.\nWhen empty, + traces will check whether HTTP is set.\nIf not, + traces will use default GRPC configurations.\n\nThe + following example shows how to configure the OpenTelemetry + ExtensionProvider to export via GRPC:\n\n1. Add/change + the OpenTelemetry extension provider in `MeshConfig`\n```yaml\n + \ - name: opentelemetry\n opentelemetry:\n + \ port: 8090\n service: tracing.example.com\n + \ grpc:\n timeout: 10s\n initialMetadata:\n + \ - name: \"Authentication\"\n value: \"token-xxxxx\"\n\n```\n\n2. + Deploy a `ServiceEntry` for the observability + back-end\n```yaml\napiVersion: networking.istio.io/v1alpha3\nkind: + ServiceEntry\nmetadata:\n\n\tname: tracing-grpc\n\nspec:\n\n\thosts:\n\t- + tracing.example.com\n\tports:\n\t- number: 8090\n\t + \ name: grpc-port\n\t protocol: GRPC\n\tresolution: + DNS\n\tlocation: MESH_EXTERNAL\n\n```" + properties: + initialMetadata: + description: |- + Optional. Additional metadata to include in streams initiated to the GrpcService. This can be used for + scenarios in which additional ad hoc authorization headers (e.g. “x-foo-bar: baz-key“) are to + be injected. + items: + properties: + name: + description: REQUIRED. The HTTP header + name. + type: string + value: + description: REQUIRED. The HTTP header + value. + type: string + required: + - name + - value + type: object + type: array + timeout: + description: Optional. Specifies the timeout + for the GRPC request. + type: string + type: object http: description: "Optional. Specifies the configuration for exporting OTLP traces via HTTP.\nWhen empty, @@ -3702,7 +5067,7 @@ spec: opentelemetry: port: 443 service: my.olly-backend.com - resource_detectors: + resourceDetectors: environment: {} ``` 
@@ -3838,6 +5203,11 @@ spec: NOTE: currently only controls max length of the path tag. format: int32 type: integer + path: + description: |- + Optional. Specifies the endpoint of Zipkin API. + The default value is "/api/v2/spans". + type: string port: description: REQUIRED. Specifies the port of the service. @@ -3939,7 +5309,7 @@ spec: the Gateway.selector field, and will be set as `istio: INGRESS_SELECTOR`. By default, `ingressgateway` is used, which will select the default IngressGateway as it has the `istio: ingressgateway` labels. - It is recommended that this is the same value as ingress_service. + It is recommended that this is the same value as ingressService. type: string ingressService: description: |- @@ -4247,7 +5617,7 @@ spec: ```yaml serviceSettings: - settings: - cluster_local: true + clusterLocal: true hosts: - "*.foo.svc.cluster.local" - "bar.baz.svc.cluster.local" @@ -4316,7 +5686,7 @@ spec: tlsDefaults: description: |- Configuration of TLS for all traffic except for ISTIO_MUTUAL mode. - Currently, this supports configuration of ecdh_curves and cipher_suites only. + Currently, this supports configuration of ecdhCurves and cipherSuites only. For ISTIO_MUTUAL TLS settings, use meshMTLS configuration. properties: cipherSuites: @@ -4363,7 +5733,7 @@ spec: type: string trustDomainAliases: description: |- - The trust domain aliases represent the aliases of `trust_domain`. + The trust domain aliases represent the aliases of `trustDomain`. For example, if we have ```yaml trustDomain: td1 @@ -4691,7 +6061,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both matchLabelKeys and labelSelector. Also, matchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array 
@@ -4706,7 +6076,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -4874,7 +6244,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both matchLabelKeys and labelSelector. Also, matchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -4889,7 +6259,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -5055,7 +6425,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both matchLabelKeys and labelSelector. Also, matchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array 
@@ -5070,7 +6440,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -5238,7 +6608,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both matchLabelKeys and labelSelector. Also, matchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -5253,7 +6623,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array 
@@ -5547,6 +6917,26 @@ spec: are PreferDualStack, RequireDualStack, and SingleStack. More info: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services type: string + istiodRemote: + description: Configuration for the istio-discovery chart when + istiod is running in a remote cluster (e.g. "remote control + plane"). + properties: + enabled: + description: Indicates if this cluster/install should + consume a "remote" istiod instance, + type: boolean + injectionCABundle: + description: injector ca bundle + type: string + injectionPath: + description: Path to use for the sidecar injector webhook + service. + type: string + injectionURL: + description: URL to use for sidecar injector webhook. + type: string + type: object jwksResolverExtraRootCA: description: |- Specifies an extra root certificate in PEM format. This certificate will be trusted @@ -5637,6 +7027,12 @@ spec: the Pod where this field is used. It makes that resource available inside a container. type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string required: - name type: object @@ -6106,6 +7502,7 @@ spec: the blob storage type: string fsType: + default: ext4 description: |- fsType is Filesystem type to mount. Must be a filesystem type supported by the host operating system. @@ -6119,6 +7516,7 @@ spec: set). defaults to shared' type: string readOnly: + default: false description: |- readOnly Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts. 
@@ -6728,7 +8126,7 @@ spec: set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource exists. More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/ - (Alpha) Using this field requires the VolumeAttributesClass feature gate to be enabled. + (Beta) Using this field requires the VolumeAttributesClass feature gate to be enabled (off by default). type: string volumeMode: description: |- 
@@ -6951,6 +8349,41 @@ spec: required: - path type: object + image: + description: |- + image represents an OCI object (a container image or artifact) pulled and mounted on the kubelet's host machine. + The volume is resolved at pod startup depending on which PullPolicy value is provided: + + - Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails. + - Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present. + - IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails. + + The volume gets re-resolved if the pod gets deleted and recreated, which means that new remote content will become available on pod recreation. + A failure to resolve or pull the image during pod startup will block containers from starting and may add significant latency. Failures will be retried using normal volume backoff and will be reported on the pod reason and message. + The types of objects that may be mounted by this volume are defined by the container runtime implementation on a host machine and at minimum must include all valid types supported by the container image field. + The OCI object gets mounted in a single directory (spec.containers[*].volumeMounts.mountPath) by merging the manifest layers in the same way as for container images. + The volume will be mounted read-only (ro) and non-executable files (noexec). + Sub path mounts for containers are not supported (spec.containers[*].volumeMounts.subpath). + The field spec.securityContext.fsGroupChangePolicy has no effect on this volume type. + properties: + pullPolicy: + description: |- + Policy for pulling OCI objects. Possible values are: + Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails. 
+ Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present. + IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails. + Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. + type: string + reference: + description: |- + Required: Image or artifact reference to be used. + Behaves in the same way as pod.spec.containers[*].image. + Pull secrets will be assembled in the same way as for the container image by looking up node credentials, SA image pull secrets, and pod spec image pull secrets. + More info: https://kubernetes.io/docs/concepts/containers/images + This field is optional to allow higher level config management to default or override + container images in workload controllers like Deployments and StatefulSets. + type: string + type: object iscsi: description: |- iscsi represents an ISCSI Disk resource that is attached to a @@ -6982,6 +8415,7 @@ spec: description: iqn is the target iSCSI Qualified Name. type: string iscsiInterface: + default: default description: |- iscsiInterface is the interface Name that uses an iSCSI transport. Defaults to 'default' (tcp). @@ -7133,10 +8567,13 @@ spec: format: int32 type: integer sources: - description: sources is the list of volume projections + description: |- + sources is the list of volume projections. Each entry in this list + handles one source. items: - description: Projection that may be projected - along with other supported volume types + description: |- + Projection that may be projected along with other supported volume types. + Exactly one of these fields must be set. properties: clusterTrustBundle: description: |- 
@@ -7521,6 +8958,7 @@ spec: More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it type: string keyring: + default: /etc/ceph/keyring description: |- keyring is the path to key ring for RBDUser. Default is /etc/ceph/keyring. @@ -7535,6 +8973,7 @@ spec: type: array x-kubernetes-list-type: atomic pool: + default: rbd description: |- pool is the rados pool name. Default is rbd. @@ -7565,6 +9004,7 @@ spec: type: object x-kubernetes-map-type: atomic user: + default: admin description: |- user is the rados user name. Default is admin. @@ -7579,6 +9019,7 @@ spec: volume attached and mounted on Kubernetes nodes. properties: fsType: + default: xfs description: |- fsType is the filesystem type to mount. Must be a filesystem type supported by the host operating system. @@ -7619,6 +9060,7 @@ spec: communication with Gateway, default false type: boolean storageMode: + default: ThinProvisioned description: |- storageMode indicates whether the storage for a volume should be ThickProvisioned or ThinProvisioned. Default is ThinProvisioned. @@ -7984,14 +9426,14 @@ spec: type: object type: object version: - default: v1.23.0 + default: v1.23.2 description: |- Defines the version of Istio to install. - Must be one of: v1.23.0, v1.22.3, v1.21.5, latest. + Must be one of: v1.23.2, v1.22.5, v1.21.6, latest. enum: - - v1.23.0 - - v1.22.3 - - v1.21.5 + - v1.23.2 + - v1.22.5 + - v1.21.6 - latest type: string required: diff --git a/chart/crds/sailoperator.io_remoteistios.yaml b/chart/crds/sailoperator.io_remoteistios.yaml index 4fd75d9ea..ab1d1f3dc 100644 --- a/chart/crds/sailoperator.io_remoteistios.yaml +++ b/chart/crds/sailoperator.io_remoteistios.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.0 + controller-gen.kubebuilder.io/version: v0.16.3 name: remoteistios.sailoperator.io spec: group: sailoperator.io 
@@ -75,7 +75,7 @@ spec: namespace: istio-system updateStrategy: type: InPlace - version: v1.23.0 + version: v1.23.2 description: RemoteIstioSpec defines the desired state of RemoteIstio properties: namespace: @@ -86,13 +86,12 @@ spec: description: |- The built-in installation configuration profile to use. The 'default' profile is always applied. On OpenShift, the 'openshift' profile is also applied on top of 'default'. - Must be one of: ambient, default, demo, empty, external, openshift-ambient, openshift, preview, stable. + Must be one of: ambient, default, demo, empty, openshift-ambient, openshift, preview, stable. enum: - ambient - default - demo - empty - - external - openshift-ambient - openshift - preview @@ -144,6 +143,11 @@ spec: base: description: Configuration for the base component. properties: + excludedCRDs: + description: CRDs to exclude. Requires `enableCRDTemplates` + items: + type: string + type: array validationCABundle: description: validation webhook CA bundle type: string @@ -227,10 +231,7 @@ spec: Deprecated: Marked as deprecated in pkg/apis/values_types.proto. type: object defaultPodDisruptionBudget: - description: |- - Specifies the default pod disruption budget configuration. - - Deprecated: Marked as deprecated in pkg/apis/values_types.proto. + description: Specifies the default pod disruption budget configuration. properties: enabled: description: Controls whether a PodDisruptionBudget with @@ -264,6 +265,12 @@ spec: the Pod where this field is used. It makes that resource available inside a container. type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string required: - name type: object 
@@ -465,7 +472,7 @@ spec: with the endpoint by\nadding the `ISTIO_META_NETWORK` environment variable to the sidecar.\n\n2. Explicitly:\n\n\ta. By matching the registry name with one of the \"fromRegistry\"\n\tin - the mesh config. A \"from_registry\" can only be + the mesh config. A \"fromRegistry\" can only be assigned to a\n\tsingle network.\n\n\tb. By matching the IP against one of the CIDR ranges in a mesh\n\tconfig network. The CIDR ranges must not overlap and be @@ -976,6 +983,12 @@ spec: the Pod where this field is used. It makes that resource available inside a container. type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string required: - name type: object @@ -1083,6 +1096,12 @@ spec: the Pod where this field is used. It makes that resource available inside a container. type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string required: - name type: object 
@@ -1192,26 +1211,1056 @@ spec: format: int32 type: integer type: object - zipkin: - description: Configuration for the zipkin tracing service. - properties: - address: - description: |- - Address of zipkin instance in host:port format for reporting trace data. + zipkin: + description: Configuration for the zipkin tracing service. + properties: + address: + description: |- + Address of zipkin instance in host:port format for reporting trace data. + + Example: .:941 + type: string + type: object + type: object + variant: + description: The variant of the Istio container images to + use. Options are "debug" or "distroless". Unset will use + the default for the given version. + type: string + waypoint: + description: Specifies how waypoints are configured within + Istio. + properties: + affinity: + description: |- + K8s affinity settings for waypoint pods. + + See https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + properties: + nodeAffinity: + description: Describes node affinity scheduling rules + for the pod. + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node matches the corresponding matchExpressions; the + node(s) with the highest sum are the most preferred. + items: + description: |- + An empty preferred scheduling term matches all objects with implicit weight 0 + (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). 
+ properties: + preference: + description: A node selector term, associated + with the corresponding weight. + properties: + matchExpressions: + description: A list of node selector + requirements by node's labels. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that + the selector applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + description: A list of node selector + requirements by node's fields. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that + the selector applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. 
+ This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + weight: + description: Weight associated with matching + the corresponding nodeSelectorTerm, in + the range 1-100. + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to an update), the system + may or may not try to eventually evict the pod from its node. + properties: + nodeSelectorTerms: + description: Required. A list of node selector + terms. The terms are ORed. + items: + description: |- + A null or empty node selector term matches no objects. The requirements of + them are ANDed. + The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. + properties: + matchExpressions: + description: A list of node selector + requirements by node's labels. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that + the selector applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. 
If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + description: A list of node selector + requirements by node's fields. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that + the selector applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + type: array + x-kubernetes-list-type: atomic + required: + - nodeSelectorTerms + type: object + x-kubernetes-map-type: atomic + type: object + podAffinity: + description: Describes pod affinity scheduling rules + (e.g. co-locate this pod in the same node, zone, + etc. as some other pod(s)). 
+ properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. + items: + description: The weights of all of the matched + WeightedPodAffinityTerm fields are added per-node + to find the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, + associated with the corresponding weight. + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is + a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. + Also, matchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. 
+ Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is + a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod label update), the + system may or may not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. 
+ items: + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. + Also, matchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. + Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. 
+ null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + x-kubernetes-list-type: atomic + type: object + podAntiAffinity: + description: Describes pod anti-affinity scheduling + rules (e.g. avoid putting this pod in the same node, + zone, etc. as some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the anti-affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling anti-affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. + items: + description: The weights of all of the matched + WeightedPodAffinityTerm fields are added per-node + to find the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, + associated with the corresponding weight. + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. 
+ properties: + matchExpressions: + description: matchExpressions is + a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. 
+ Also, matchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. + Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is + a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. 
+ type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. 
+ format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the anti-affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the anti-affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod label update), the + system may or may not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. + items: + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. + Also, matchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. 
Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. + Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + x-kubernetes-list-type: atomic + type: object + type: object + nodeSelector: + description: |- + K8s node labels settings. - Example: .:941 - type: string + See https://kubernetes.io/docs/user-guide/node-selection/ + properties: + nodeSelectorTerms: + description: Required. A list of node selector terms. + The terms are ORed. + items: + description: |- + A null or empty node selector term matches no objects. The requirements of + them are ANDed. + The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. + properties: + matchExpressions: + description: A list of node selector requirements + by node's labels. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. 
+ properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + description: A list of node selector requirements + by node's fields. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + type: array + x-kubernetes-list-type: atomic + required: + - nodeSelectorTerms type: object - type: object - variant: - description: The variant of the Istio container images to - use. Options are "debug" or "distroless". Unset will use - the default for the given version. - type: string - waypoint: - description: Specifies how waypoints are configured within - Istio. - properties: + x-kubernetes-map-type: atomic resources: description: |- K8s resource settings. @@ -1237,6 +2286,12 @@ spec: the Pod where this field is used. It makes that resource available inside a container. type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string required: - name type: object 
@@ -1269,11 +2324,242 @@ spec: More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object type: object + toleration: + description: |- + K8s tolerations settings. + + See https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + items: + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . + properties: + effect: + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. + type: string + operator: + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. + type: string + tolerationSeconds: + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. + type: string + type: object + type: array + topologySpreadConstraints: + description: |- + K8s topology spread constraints settings. 
+ + See https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ + items: + description: TopologySpreadConstraint specifies how + to spread matching pods among the given topology. + properties: + labelSelector: + description: |- + LabelSelector is used to find matching pods. + Pods that match this label selector are counted to determine the number of pods + in their corresponding topology domain. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select the pods over which + spreading will be calculated. 
The keys are used to lookup values from the + incoming pod labels, those key-value labels are ANDed with labelSelector + to select the group of existing pods over which spreading will be calculated + for the incoming pod. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + MatchLabelKeys cannot be set when LabelSelector isn't set. + Keys that don't exist in the incoming pod labels will + be ignored. A null or empty list means only match against labelSelector. + + This is a beta field and requires the MatchLabelKeysInPodTopologySpread feature gate to be enabled (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + maxSkew: + description: |- + MaxSkew describes the degree to which pods may be unevenly distributed. + When `whenUnsatisfiable=DoNotSchedule`, it is the maximum permitted difference + between the number of matching pods in the target topology and the global minimum. + The global minimum is the minimum number of matching pods in an eligible domain + or zero if the number of eligible domains is less than MinDomains. + For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same + labelSelector spread as 2/2/1: + In this case, the global minimum is 1. + | zone1 | zone2 | zone3 | + | P P | P P | P | + - if MaxSkew is 1, incoming pod can only be scheduled to zone3 to become 2/2/2; + scheduling it onto zone1(zone2) would make the ActualSkew(3-1) on zone1(zone2) + violate MaxSkew(1). + - if MaxSkew is 2, incoming pod can be scheduled onto any zone. + When `whenUnsatisfiable=ScheduleAnyway`, it is used to give higher precedence + to topologies that satisfy it. + It's a required field. Default value is 1 and 0 is not allowed. + format: int32 + type: integer + minDomains: + description: |- + MinDomains indicates a minimum number of eligible domains. 
+ When the number of eligible domains with matching topology keys is less than minDomains, + Pod Topology Spread treats "global minimum" as 0, and then the calculation of Skew is performed. + And when the number of eligible domains with matching topology keys equals or greater than minDomains, + this value has no effect on scheduling. + As a result, when the number of eligible domains is less than minDomains, + scheduler won't schedule more than maxSkew Pods to those domains. + If value is nil, the constraint behaves as if MinDomains is equal to 1. + Valid values are integers greater than 0. + When value is not nil, WhenUnsatisfiable must be DoNotSchedule. + + For example, in a 3-zone cluster, MaxSkew is set to 2, MinDomains is set to 5 and pods with the same + labelSelector spread as 2/2/2: + | zone1 | zone2 | zone3 | + | P P | P P | P P | + The number of domains is less than 5(MinDomains), so "global minimum" is treated as 0. + In this situation, new pod with the same labelSelector cannot be scheduled, + because computed skew will be 3(3 - 0) if new Pod is scheduled to any of the three zones, + it will violate MaxSkew. + format: int32 + type: integer + nodeAffinityPolicy: + description: |- + NodeAffinityPolicy indicates how we will treat Pod's nodeAffinity/nodeSelector + when calculating pod topology spread skew. Options are: + - Honor: only nodes matching nodeAffinity/nodeSelector are included in the calculations. + - Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations. + + If this value is nil, the behavior is equivalent to the Honor policy. + This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag. + type: string + nodeTaintsPolicy: + description: |- + NodeTaintsPolicy indicates how we will treat node taints when calculating + pod topology spread skew. 
Options are: + - Honor: nodes without taints, along with tainted nodes for which the incoming pod + has a toleration, are included. + - Ignore: node taints are ignored. All nodes are included. + + If this value is nil, the behavior is equivalent to the Ignore policy. + This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag. + type: string + topologyKey: + description: |- + TopologyKey is the key of node labels. Nodes that have a label with this key + and identical values are considered to be in the same topology. + We consider each as a "bucket", and try to put balanced number + of pods into each bucket. + We define a domain as a particular instance of a topology. + Also, we define an eligible domain as a domain whose nodes meet the requirements of + nodeAffinityPolicy and nodeTaintsPolicy. + e.g. If TopologyKey is "kubernetes.io/hostname", each Node is a domain of that topology. + And, if TopologyKey is "topology.kubernetes.io/zone", each zone is a domain of that topology. + It's a required field. + type: string + whenUnsatisfiable: + description: |- + WhenUnsatisfiable indicates how to deal with a pod if it doesn't satisfy + the spread constraint. + - DoNotSchedule (default) tells the scheduler not to schedule it. + - ScheduleAnyway tells the scheduler to schedule the pod in any location, + but giving higher precedence to topologies that would help reduce the + skew. + A constraint is considered "Unsatisfiable" for an incoming pod + if and only if every possible node assignment for that pod would violate + "MaxSkew" on some topology. + For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same + labelSelector spread as 3/1/1: + | zone1 | zone2 | zone3 | + | P P P | P | P | + If WhenUnsatisfiable is set to DoNotSchedule, incoming pod can only be scheduled + to zone2(zone3) to become 3/2/1(3/1/2) as ActualSkew(2-1) on zone2(zone3) satisfies + MaxSkew(1). 
In other words, the cluster can still be imbalanced, but scheduler + won't make it *more* imbalanced. + It's a required field. + type: string + required: + - maxSkew + - topologyKey + - whenUnsatisfiable + type: object + type: array type: object type: object istiodRemote: - description: Configuration for istiod-remote. + description: |- + Configuration for istiod-remote. + DEPRECATED - istiod-remote chart is removed and replaced with + `istio-discovery --set values.istiodRemote.enabled=true` + + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. properties: + enabled: + description: Indicates if this cluster/install should consume + a "remote" istiod instance, + type: boolean injectionCABundle: description: injector ca bundle type: string @@ -1321,7 +2607,7 @@ spec: type: string istiodSide: description: |- - Use istiod_side to specify CA Server integrate to Istiod side or Agent side + Use istiodSide to specify CA Server integrate to Istiod side or Agent side Default: true type: boolean requestTimeout: @@ -1331,8 +2617,8 @@ spec: type: string tlsSettings: description: |- - Use the tls_settings to specify the tls mode to use. - Regarding tls_settings: + Use the tlsSettings to specify the tls mode to use. + Regarding tlsSettings: - DISABLE MODE is legitimate for the case Istiod is making the request via an Envoy sidecar. DISABLE MODE can also be used for testing - TLS MUTUAL MODE be on by default. If the CA certificates 
@@ -1458,12 +2744,12 @@ spec: Optional. Specify the list of trust domains to which this trustAnchor data belongs. If set, they are used for these trust domains. Otherwise, this trustAnchor is used for default trust domain and its aliases. - Note that we can have multiple trustAnchor data for a same trust_domain. + Note that we can have multiple trustAnchor data for a same trustDomain. In that case, trustAnchors with a same trust domain will be merged and used together to verify peer certificates. - If neither cert_signers nor trust_domains is set, this trustAnchor is used for all trust domains and all signers. - If only trust_domains is set, this trustAnchor is used for these trust_domains and all signers. - If only cert_signers is set, this trustAnchor is used for these cert_signers and all trust domains. - If both cert_signers and trust_domains is set, this trustAnchor is only used for these signers and trust domains. + If neither certSigners nor trustDomains is set, this trustAnchor is used for all trust domains and all signers. + If only trustDomains is set, this trustAnchor is used for these trustDomains and all signers. + If only certSigners is set, this trustAnchor is used for these certSigners and all trust domains. + If both certSigners and trustDomains is set, this trustAnchor is only used for these signers and trust domains. items: type: string type: array @@ -1535,7 +2821,7 @@ spec: type: array tlsSettings: description: |- - Use the tls_settings to specify the tls mode to use. If the MCP server + Use the tlsSettings to specify the tls mode to use. If the MCP server uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS mode as `ISTIO_MUTUAL`. properties: 
@@ -1733,7 +3019,7 @@ spec: type: object tlsSettings: description: |- - Use the `tls_settings` to specify the tls mode to use. If the remote service + Use the `tlsSettings` to specify the tls mode to use. If the remote service uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS mode as `ISTIO_MUTUAL`. properties: @@ -1861,7 +3147,7 @@ spec: type: object tlsSettings: description: |- - Use the `tls_settings` to specify the tls mode to use. If the remote service + Use the `tlsSettings` to specify the tls mode to use. If the remote service uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS mode as `ISTIO_MUTUAL`. properties: @@ -1997,7 +3283,7 @@ spec: address to the X-Forwarded-For (XFF) address and set the X-Envoy-External-Address header to the trusted client address before forwarding it to the upstream services in the cluster. - The default value of num_trusted_proxies is 0. + The default value of numTrustedProxies is 0. See [Envoy XFF](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#config-http-conn-man-headers-x-forwarded-for) header handling for more details. format: int32 
@@ -2183,6 +3469,41 @@ spec: header. By default, `istio-envoy` will be used. type: string type: object + setCurrentClientCertDetails: + description: |- + This field is valid only when forward_client_cert_details is APPEND_FORWARD or SANITIZE_SET + and the client connection is mTLS. It specifies the fields in + the client certificate to be forwarded. Note that `Hash` is always set, and + `By` is always set when the client certificate presents the URI type Subject Alternative Name value. + properties: + cert: + description: |- + Whether to forward the entire client cert in URL encoded PEM format. This will appear in the + XFCC header comma separated from other values with the value Cert="PEM". + Defaults to false. + type: boolean + chain: + description: |- + Whether to forward the entire client cert chain (including the leaf cert) in URL encoded PEM + format. This will appear in the XFCC header comma separated from other values with the value + Chain="PEM". + Defaults to false. + type: boolean + dns: + description: |- + Whether to forward the DNS type Subject Alternative Names of the client cert. + Defaults to true. + type: boolean + subject: + description: Whether to forward the subject of + the client cert. Defaults to true. + type: boolean + uri: + description: |- + Whether to forward the URI type Subject Alternative Name of the client cert. Defaults to + true. + type: boolean + type: object type: object proxyMetadata: additionalProperties: 
@@ -2445,7 +3766,7 @@ spec: The amount of time allowed for connections to complete on proxy shutdown. On receiving `SIGTERM` or `SIGINT`, `istio-agent` tells the active Envoy to start gracefully draining, discouraging any new connections and allowing existing connections to complete. It then - sleeps for the `termination_drain_duration` and then kills any remaining active Envoy processes. + sleeps for the `terminationDrainDuration` and then kills any remaining active Envoy processes. If not set, a default of `5s` will be applied. type: string tracing: @@ -2598,7 +3919,7 @@ spec: type: object tlsSettings: description: |- - Use the tls_settings to specify the tls mode to use. If the remote tracing service + Use the tlsSettings to specify the tls mode to use. If the remote tracing service uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS mode as `ISTIO_MUTUAL`. properties: @@ -2726,8 +4047,8 @@ spec: <= 1 defaultDestinationRuleExportTo: description: |- - The default value for the `DestinationRule.export_to` field. Has the same - syntax as `default_service_export_to`. + The default value for the `DestinationRule.exportTo` field. Has the same + syntax as `defaultServiceExportTo`. If not set the system will use "*" as the default value which implies that destination rules are exported to all namespaces @@ -2803,7 +4124,7 @@ spec: type: object defaultServiceExportTo: description: |- - The default value for the ServiceEntry.export_to field and services + The default value for the ServiceEntry.exportTo field and services imported through container registry integrations, e.g. this applies to Kubernetes Service resources. The value is a list of namespace names and reserved namespace aliases. The allowed namespace aliases are: 
@@ -2832,8 +4153,8 @@ spec: type: array defaultVirtualServiceExportTo: description: |- - The default value for the VirtualService.export_to field. Has the same - syntax as `default_service_export_to`. + The default value for the VirtualService.exportTo field. Has the same + syntax as `defaultServiceExportTo`. If not set the system will use "*" as the default value which implies that virtual services are exported to all namespaces @@ -3016,7 +4337,7 @@ spec: properties: allowPartialMessage: description: |- - When this field is true, ext-authz filter will buffer the message until max_request_bytes is reached. + When this field is true, ext-authz filter will buffer the message until maxRequestBytes is reached. The authorization request will be dispatched and no 413 HTTP error will be returned by the filter. A "x-envoy-auth-partial-body: false|true" metadata header will be added to the authorization request message indicating if the body data is partial. @@ -3024,10 +4345,10 @@ spec: maxRequestBytes: description: |- Sets the maximum size of a message body that the ext-authz filter will hold in memory. - If max_request_bytes is reached, and allow_partial_message is false, Envoy will return a 413 (Payload Too Large). + If maxRequestBytes is reached, and allowPartialMessage is false, Envoy will return a 413 (Payload Too Large). Otherwise the request will be sent to the provider with a partial message. - Note that this setting will have precedence over the fail_open field, the 413 will be returned even when the - fail_open is set to true. + Note that this setting will have precedence over the failOpen field, the 413 will be returned even when the + failOpen is set to true. format: int32 type: integer packAsBytes: 
@@ -3035,7 +4356,7 @@ spec: If true, the body sent to the external authorization service in the gRPC authorization request is set with raw bytes in the [raw_body field](https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L153). Otherwise, it will be filled with UTF-8 string in the [body field](https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L147). - This field only works with the envoy_ext_authz_grpc provider and has no effect for the envoy_ext_authz_http provider. + This field only works with the envoyExtAuthzGrpc provider and has no effect for the envoyExtAuthzHttp provider. type: boolean type: object port: @@ -3061,7 +4382,7 @@ spec: description: |- The maximum duration that the proxy will wait for a response from the provider, this is the timeout for a specific request (default timeout: 600s). When this timeout condition is met, the proxy marks the communication to the authorization service as failure. - In this situation, the response sent back to the client will depend on the configured `fail_open` field. + In this situation, the response sent back to the client will depend on the configured `failOpen` field. type: string required: - port 
@@ -3135,11 +4456,11 @@ spec: description: |- Set of additional fixed headers that should be included in the authorization request sent to the authorization service. Key is the header name and value is the header value. - Note that client request of the same key or headers specified in include_request_headers_in_check will be overridden. + Note that client request of the same key or headers specified in includeRequestHeadersInCheck will be overridden. type: object includeHeadersInCheck: description: |- - DEPRECATED. Use include_request_headers_in_check instead. + DEPRECATED. Use includeRequestHeadersInCheck instead. Deprecated: Marked as deprecated in mesh/v1alpha1/config.proto. items: @@ -3152,7 +4473,7 @@ spec: properties: allowPartialMessage: description: |- - When this field is true, ext-authz filter will buffer the message until max_request_bytes is reached. + When this field is true, ext-authz filter will buffer the message until maxRequestBytes is reached. The authorization request will be dispatched and no 413 HTTP error will be returned by the filter. A "x-envoy-auth-partial-body: false|true" metadata header will be added to the authorization request message indicating if the body data is partial. @@ -3160,10 +4481,10 @@ spec: maxRequestBytes: description: |- Sets the maximum size of a message body that the ext-authz filter will hold in memory. - If max_request_bytes is reached, and allow_partial_message is false, Envoy will return a 413 (Payload Too Large). + If maxRequestBytes is reached, and allowPartialMessage is false, Envoy will return a 413 (Payload Too Large). Otherwise the request will be sent to the provider with a partial message. - Note that this setting will have precedence over the fail_open field, the 413 will be returned even when the - fail_open is set to true. + Note that this setting will have precedence over the failOpen field, the 413 will be returned even when the + failOpen is set to true. format: int32 type: integer packAsBytes: 
@@ -3171,7 +4492,7 @@ spec: If true, the body sent to the external authorization service in the gRPC authorization request is set with raw bytes in the [raw_body field](https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L153). Otherwise, it will be filled with UTF-8 string in the [body field](https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L147). - This field only works with the envoy_ext_authz_grpc provider and has no effect for the envoy_ext_authz_http provider. + This field only works with the envoyExtAuthzGrpc provider and has no effect for the envoyExtAuthzHttp provider. type: boolean type: object includeRequestHeadersInCheck: @@ -3180,7 +4501,7 @@ spec: Note that in addition to the headers specified here following headers are included by default: 1. *Host*, *Method*, *Path* and *Content-Length* are automatically sent. 2. *Content-Length* will be set to 0 and the request will not have a message body. However, the authorization - request can include the buffered client request body (controlled by include_request_body_in_check setting), + request can include the buffered client request body (controlled by includeRequestBodyInCheck setting), consequently the value of Content-Length of the authorization request reflects the size of its payload size. Exact, prefix and suffix matches are supported (similar to the 
@@ -3221,7 +4542,7 @@ spec: description: |- The maximum duration that the proxy will wait for a response from the provider (default timeout: 600s). When this timeout condition is met, the proxy marks the communication to the authorization service as failure. - In this situation, the response sent back to the client will depend on the configured `fail_open` field. + In this situation, the response sent back to the client will depend on the configured `failOpen` field. type: string required: - port @@ -3346,7 +4667,7 @@ spec: dictionaries](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#config-access-log-format-dictionaries)). Nested JSON is\nsupported for some command operators (e.g. FILTER_STATE or DYNAMIC_METADATA).\nAlias - to `attributes` filed in [Open Telemetry](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/open_telemetry/v3/logs_service.proto)\n\nExample:\n```\nlabels:\n\n\tstatus: + to `attributes` field in [Open Telemetry](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/open_telemetry/v3/logs_service.proto)\n\nExample:\n```\nlabels:\n\n\tstatus: \"%RESPONSE_CODE%\"\n\tmessage: \"%LOCAL_REPLY_BODY%\"\n\n```" type: object text: 
@@ -3354,7 +4675,7 @@ spec: Textual format for the envoy access logs. Envoy [command operators](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators) may be used in the format. The [format string documentation](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#config-access-log-format-strings) provides more information. - Alias to `body` filed in [Open Telemetry](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/open_telemetry/v3/logs_service.proto) + Alias to `body` field in [Open Telemetry](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/open_telemetry/v3/logs_service.proto) Example: `text: "%LOCAL_REPLY_BODY%:%RESPONSE_CODE%:path=%REQ(:path)%"` type: string type: object @@ -3524,11 +4845,11 @@ spec: headers: - name: "Authorization" value: "Api-Token dt0c01." - resource_detectors: + resourceDetectors: dynatrace: {} - dynatrace_sampler: + dynatraceSampler: tenant: "{your-environment-id}" - cluster_id: 1234 + clusterId: 1234 properties: clusterId: description: |- @@ -3605,8 +4926,8 @@ spec: A default value of `1000` is used when: - - `root_spans_per_minute` is unset - - `root_spans_per_minute` is set to 0 + - `rootSpansPerMinute` is unset + - `rootSpansPerMinute` is set to 0 format: int32 type: integer tenant: 
@@ -3619,6 +4940,50 @@ spec: - clusterId - tenant type: object + grpc: + description: "Optional. Specifies the configuration + for exporting OTLP traces via GRPC.\nWhen empty, + traces will check whether HTTP is set.\nIf not, + traces will use default GRPC configurations.\n\nThe + following example shows how to configure the OpenTelemetry + ExtensionProvider to export via GRPC:\n\n1. Add/change + the OpenTelemetry extension provider in `MeshConfig`\n```yaml\n + \ - name: opentelemetry\n opentelemetry:\n + \ port: 8090\n service: tracing.example.com\n + \ grpc:\n timeout: 10s\n initialMetadata:\n + \ - name: \"Authentication\"\n value: \"token-xxxxx\"\n\n```\n\n2. + Deploy a `ServiceEntry` for the observability + back-end\n```yaml\napiVersion: networking.istio.io/v1alpha3\nkind: + ServiceEntry\nmetadata:\n\n\tname: tracing-grpc\n\nspec:\n\n\thosts:\n\t- + tracing.example.com\n\tports:\n\t- number: 8090\n\t + \ name: grpc-port\n\t protocol: GRPC\n\tresolution: + DNS\n\tlocation: MESH_EXTERNAL\n\n```" + properties: + initialMetadata: + description: |- + Optional. Additional metadata to include in streams initiated to the GrpcService. This can be used for + scenarios in which additional ad hoc authorization headers (e.g. “x-foo-bar: baz-key“) are to + be injected. + items: + properties: + name: + description: REQUIRED. The HTTP header + name. + type: string + value: + description: REQUIRED. The HTTP header + value. + type: string + required: + - name + - value + type: object + type: array + timeout: + description: Optional. Specifies the timeout + for the GRPC request. + type: string + type: object http: description: "Optional. Specifies the configuration for exporting OTLP traces via HTTP.\nWhen empty, @@ -3697,7 +5062,7 @@ spec: opentelemetry: port: 443 service: my.olly-backend.com - resource_detectors: + resourceDetectors: environment: {} ``` 
@@ -3833,6 +5198,11 @@ spec: NOTE: currently only controls max length of the path tag. format: int32 type: integer + path: + description: |- + Optional. Specifies the endpoint of Zipkin API. + The default value is "/api/v2/spans". + type: string port: description: REQUIRED. Specifies the port of the service. @@ -3934,7 +5304,7 @@ spec: the Gateway.selector field, and will be set as `istio: INGRESS_SELECTOR`. By default, `ingressgateway` is used, which will select the default IngressGateway as it has the `istio: ingressgateway` labels. - It is recommended that this is the same value as ingress_service. + It is recommended that this is the same value as ingressService. type: string ingressService: description: |- @@ -4242,7 +5612,7 @@ spec: ```yaml serviceSettings: - settings: - cluster_local: true + clusterLocal: true hosts: - "*.foo.svc.cluster.local" - "bar.baz.svc.cluster.local" @@ -4311,7 +5681,7 @@ spec: tlsDefaults: description: |- Configuration of TLS for all traffic except for ISTIO_MUTUAL mode. - Currently, this supports configuration of ecdh_curves and cipher_suites only. + Currently, this supports configuration of ecdhCurves and cipherSuites only. For ISTIO_MUTUAL TLS settings, use meshMTLS configuration. properties: cipherSuites: @@ -4358,7 +5728,7 @@ spec: type: string trustDomainAliases: description: |- - The trust domain aliases represent the aliases of `trust_domain`. + The trust domain aliases represent the aliases of `trustDomain`. For example, if we have ```yaml trustDomain: td1 @@ -4686,7 +6056,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both matchLabelKeys and labelSelector. Also, matchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array 
@@ -4701,7 +6071,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -4869,7 +6239,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both matchLabelKeys and labelSelector. Also, matchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -4884,7 +6254,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -5050,7 +6420,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both matchLabelKeys and labelSelector. Also, matchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array 
@@ -5065,7 +6435,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -5233,7 +6603,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both matchLabelKeys and labelSelector. Also, matchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -5248,7 +6618,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array 
@@ -5542,6 +6912,26 @@ spec: are PreferDualStack, RequireDualStack, and SingleStack. More info: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services type: string + istiodRemote: + description: Configuration for the istio-discovery chart when + istiod is running in a remote cluster (e.g. "remote control + plane"). + properties: + enabled: + description: Indicates if this cluster/install should + consume a "remote" istiod instance, + type: boolean + injectionCABundle: + description: injector ca bundle + type: string + injectionPath: + description: Path to use for the sidecar injector webhook + service. + type: string + injectionURL: + description: URL to use for sidecar injector webhook. + type: string + type: object jwksResolverExtraRootCA: description: |- Specifies an extra root certificate in PEM format. This certificate will be trusted @@ -5632,6 +7022,12 @@ spec: the Pod where this field is used. It makes that resource available inside a container. type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string required: - name type: object @@ -6101,6 +7497,7 @@ spec: the blob storage type: string fsType: + default: ext4 description: |- fsType is Filesystem type to mount. Must be a filesystem type supported by the host operating system. @@ -6114,6 +7511,7 @@ spec: set). defaults to shared' type: string readOnly: + default: false description: |- readOnly Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts. 
@@ -6723,7 +8121,7 @@ spec: set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource exists. More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/ - (Alpha) Using this field requires the VolumeAttributesClass feature gate to be enabled. + (Beta) Using this field requires the VolumeAttributesClass feature gate to be enabled (off by default). type: string volumeMode: description: |- 
@@ -6946,6 +8344,41 @@ spec: required: - path type: object + image: + description: |- + image represents an OCI object (a container image or artifact) pulled and mounted on the kubelet's host machine. + The volume is resolved at pod startup depending on which PullPolicy value is provided: + + - Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails. + - Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present. + - IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails. + + The volume gets re-resolved if the pod gets deleted and recreated, which means that new remote content will become available on pod recreation. + A failure to resolve or pull the image during pod startup will block containers from starting and may add significant latency. Failures will be retried using normal volume backoff and will be reported on the pod reason and message. + The types of objects that may be mounted by this volume are defined by the container runtime implementation on a host machine and at minimum must include all valid types supported by the container image field. + The OCI object gets mounted in a single directory (spec.containers[*].volumeMounts.mountPath) by merging the manifest layers in the same way as for container images. + The volume will be mounted read-only (ro) and non-executable files (noexec). + Sub path mounts for containers are not supported (spec.containers[*].volumeMounts.subpath). + The field spec.securityContext.fsGroupChangePolicy has no effect on this volume type. + properties: + pullPolicy: + description: |- + Policy for pulling OCI objects. Possible values are: + Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails. 
+ Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present. + IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails. + Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. + type: string + reference: + description: |- + Required: Image or artifact reference to be used. + Behaves in the same way as pod.spec.containers[*].image. + Pull secrets will be assembled in the same way as for the container image by looking up node credentials, SA image pull secrets, and pod spec image pull secrets. + More info: https://kubernetes.io/docs/concepts/containers/images + This field is optional to allow higher level config management to default or override + container images in workload controllers like Deployments and StatefulSets. + type: string + type: object iscsi: description: |- iscsi represents an ISCSI Disk resource that is attached to a @@ -6977,6 +8410,7 @@ spec: description: iqn is the target iSCSI Qualified Name. type: string iscsiInterface: + default: default description: |- iscsiInterface is the interface Name that uses an iSCSI transport. Defaults to 'default' (tcp). @@ -7128,10 +8562,13 @@ spec: format: int32 type: integer sources: - description: sources is the list of volume projections + description: |- + sources is the list of volume projections. Each entry in this list + handles one source. items: - description: Projection that may be projected - along with other supported volume types + description: |- + Projection that may be projected along with other supported volume types. + Exactly one of these fields must be set. properties: clusterTrustBundle: description: |- 
@@ -7516,6 +8953,7 @@ spec: More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it type: string keyring: + default: /etc/ceph/keyring description: |- keyring is the path to key ring for RBDUser. Default is /etc/ceph/keyring. @@ -7530,6 +8968,7 @@ spec: type: array x-kubernetes-list-type: atomic pool: + default: rbd description: |- pool is the rados pool name. Default is rbd. @@ -7560,6 +8999,7 @@ spec: type: object x-kubernetes-map-type: atomic user: + default: admin description: |- user is the rados user name. Default is admin. @@ -7574,6 +9014,7 @@ spec: volume attached and mounted on Kubernetes nodes. properties: fsType: + default: xfs description: |- fsType is the filesystem type to mount. Must be a filesystem type supported by the host operating system. @@ -7614,6 +9055,7 @@ spec: communication with Gateway, default false type: boolean storageMode: + default: ThinProvisioned description: |- storageMode indicates whether the storage for a volume should be ThickProvisioned or ThinProvisioned. Default is ThinProvisioned. @@ -7979,14 +9421,14 @@ spec: type: object type: object version: - default: v1.23.0 + default: v1.23.2 description: |- Defines the version of Istio to install. - Must be one of: v1.23.0, v1.22.3, v1.21.5, latest. + Must be one of: v1.23.2, v1.22.5, v1.21.6, latest. enum: - - v1.23.0 - - v1.22.3 - - v1.21.5 + - v1.23.2 + - v1.22.5 + - v1.21.6 - latest type: string required: diff --git a/chart/crds/security.istio.io_authorizationpolicies.yaml b/chart/crds/security.istio.io_authorizationpolicies.yaml index 409adc3c4..0f72f71e1 100644 --- a/chart/crds/security.istio.io_authorizationpolicies.yaml +++ b/chart/crds/security.istio.io_authorizationpolicies.yaml 
@@ -295,8 +295,12 @@ spec: gateway.networking.k8s.io/Gateway rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], [''gateway.networking.k8s.io'',''Gateway''], [''networking.istio.io'',''ServiceEntry'']]' + maxItems: 16 type: array type: object + x-kubernetes-validations: + - message: only one of targetRefs or selector can be set + rule: (has(self.selector)?1:0)+(has(self.targetRef)?1:0)+(has(self.targetRefs)?1:0)<=1 status: properties: conditions: @@ -644,8 +648,12 @@ spec: gateway.networking.k8s.io/Gateway rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], [''gateway.networking.k8s.io'',''Gateway''], [''networking.istio.io'',''ServiceEntry'']]' + maxItems: 16 type: array type: object + x-kubernetes-validations: + - message: only one of targetRefs or selector can be set + rule: (has(self.selector)?1:0)+(has(self.targetRef)?1:0)+(has(self.targetRefs)?1:0)<=1 status: properties: conditions: diff --git a/chart/crds/security.istio.io_requestauthentications.yaml b/chart/crds/security.istio.io_requestauthentications.yaml index 17f28394c..53fe59d32 100644 --- a/chart/crds/security.istio.io_requestauthentications.yaml +++ b/chart/crds/security.istio.io_requestauthentications.yaml @@ -229,10 +229,11 @@ spec: gateway.networking.k8s.io/Gateway rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], [''gateway.networking.k8s.io'',''Gateway''], [''networking.istio.io'',''ServiceEntry'']]' + maxItems: 16 type: array type: object x-kubernetes-validations: - - message: only one of targetRefs or workloadSelector can be set + - message: only one of targetRefs or selector can be set rule: (has(self.selector)?1:0)+(has(self.targetRef)?1:0)+(has(self.targetRefs)?1:0)<=1 status: properties: 
@@ -515,10 +516,11 @@ spec: gateway.networking.k8s.io/Gateway rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], [''gateway.networking.k8s.io'',''Gateway''], [''networking.istio.io'',''ServiceEntry'']]' + maxItems: 16 type: array type: object x-kubernetes-validations: - - message: only one of targetRefs or workloadSelector can be set + - message: only one of targetRefs or selector can be set rule: (has(self.selector)?1:0)+(has(self.targetRef)?1:0)+(has(self.targetRefs)?1:0)<=1 status: properties: diff --git a/chart/crds/telemetry.istio.io_telemetries.yaml b/chart/crds/telemetry.istio.io_telemetries.yaml index 7b6e42a1e..c858b2995 100644 --- a/chart/crds/telemetry.istio.io_telemetries.yaml +++ b/chart/crds/telemetry.istio.io_telemetries.yaml @@ -281,6 +281,7 @@ spec: gateway.networking.k8s.io/Gateway rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], [''gateway.networking.k8s.io'',''Gateway''], [''networking.istio.io'',''ServiceEntry'']]' + maxItems: 16 type: array tracing: description: Optional. @@ -392,6 +393,9 @@ spec: type: object type: array type: object + x-kubernetes-validations: + - message: only one of targetRefs or selector can be set + rule: (has(self.selector)?1:0)+(has(self.targetRef)?1:0)+(has(self.targetRefs)?1:0)<=1 status: properties: conditions: @@ -725,6 +729,7 @@ spec: gateway.networking.k8s.io/Gateway rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], [''gateway.networking.k8s.io'',''Gateway''], [''networking.istio.io'',''ServiceEntry'']]' + maxItems: 16 type: array tracing: description: Optional. @@ -836,6 +841,9 @@ spec: type: object type: array type: object + x-kubernetes-validations: + - message: only one of targetRefs or selector can be set + rule: (has(self.selector)?1:0)+(has(self.targetRef)?1:0)+(has(self.targetRefs)?1:0)<=1 status: properties: conditions: 
diff --git a/chart/samples/istio-sample-kubernetes.yaml b/chart/samples/istio-sample-kubernetes.yaml
index 8178db180..19cbe8862 100644
--- a/chart/samples/istio-sample-kubernetes.yaml
+++ b/chart/samples/istio-sample-kubernetes.yaml
@@ -3,7 +3,7 @@ kind: Istio
 metadata:
 name: default
 spec:
- version: v1.23.0
+ version: v1.23.2
 namespace: istio-system
 updateStrategy:
 type: InPlace
diff --git a/chart/samples/istio-sample-openshift.yaml b/chart/samples/istio-sample-openshift.yaml
index 8119705fd..69044c36d 100644
--- a/chart/samples/istio-sample-openshift.yaml
+++ b/chart/samples/istio-sample-openshift.yaml
@@ -3,7 +3,7 @@ kind: Istio
 metadata:
 name: default
 spec:
- version: v1.23.0
+ version: v1.23.2
 namespace: istio-system
 updateStrategy:
 type: InPlace
diff --git a/chart/samples/istiocni-sample.yaml b/chart/samples/istiocni-sample.yaml
index 32a57317c..61ace75cc 100644
--- a/chart/samples/istiocni-sample.yaml
+++ b/chart/samples/istiocni-sample.yaml
@@ -3,5 +3,5 @@ kind: IstioCNI
 metadata:
 name: default
 spec:
- version: v1.23.0
+ version: v1.23.2
 namespace: istio-cni
diff --git a/chart/templates/olm/scorecard.yaml b/chart/templates/olm/scorecard.yaml
index 4bd164b92..feebc2ada 100644
--- a/chart/templates/olm/scorecard.yaml
+++ b/chart/templates/olm/scorecard.yaml
@@ -9,7 +9,7 @@ stages:
 - entrypoint:
 - scorecard-test
 - basic-check-spec
- image: quay.io/operator-framework/scorecard-test:v1.36.1
+ image: quay.io/operator-framework/scorecard-test:v1.37.0
 labels:
 suite: basic
 test: basic-check-spec-test
@@ -19,7 +19,7 @@ stages:
 - entrypoint:
 - scorecard-test
 - olm-bundle-validation
- image: quay.io/operator-framework/scorecard-test:v1.36.1
+ image: quay.io/operator-framework/scorecard-test:v1.37.0
 labels:
 suite: olm
 test: olm-bundle-validation-test
@@ -29,7 +29,7 @@ stages:
 - entrypoint:
 - scorecard-test
 - olm-crds-have-validation
- image: quay.io/operator-framework/scorecard-test:v1.36.1
+ image: quay.io/operator-framework/scorecard-test:v1.37.0
 labels:
 suite: olm
 test: olm-crds-have-validation-test
@@ -39,7 +39,7 @@ stages:
 - entrypoint:
 - scorecard-test
 - olm-spec-descriptors
- image: quay.io/operator-framework/scorecard-test:v1.36.1
+ image: quay.io/operator-framework/scorecard-test:v1.37.0
 labels:
 suite: olm
 test: olm-spec-descriptors-test
@@ -49,7 +49,7 @@ stages:
 - entrypoint:
 - scorecard-test
 - olm-status-descriptors
- image: quay.io/operator-framework/scorecard-test:v1.36.1
+ image: quay.io/operator-framework/scorecard-test:v1.37.0
 labels:
 suite: olm
 test: olm-status-descriptors-test
diff --git a/chart/values.yaml b/chart/values.yaml
index 54acfceb6..ad6afeb70 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -16,10 +16,10 @@ csv:
 This version of the operator supports the following Istio versions:
- - v1.23.0
- - v1.22.3
- - v1.21.5
- - latest (fe2a0468)
+ - v1.23.2
+ - v1.22.5
+ - v1.21.6
+ - latest (6f95f8c9)
 [See this page](https://github.com/istio-ecosystem/sail-operator/blob/main/bundle/README.md) for instructions on how to use it.
 support: Community based
diff --git a/common/.commonfiles.sha b/common/.commonfiles.sha
index a874dc931..902101baf 100644
--- a/common/.commonfiles.sha
+++ b/common/.commonfiles.sha
@@ -1 +1 @@
-cdaae915bb35ae5d50de458066ea6d86c1ab3b1c
+430db67c8ca3604651633bcf49bb096193933ef8
diff --git a/common/scripts/kind_provisioner.sh b/common/scripts/kind_provisioner.sh
index a2a5691f5..9e9ea59cf 100644
--- a/common/scripts/kind_provisioner.sh
+++ b/common/scripts/kind_provisioner.sh
@@ -477,4 +477,4 @@ function ips_to_cidrs() {
 from ipaddress import summarize_address_range, IPv4Address
 [ print(n.compressed) for n in summarize_address_range(IPv4Address(u'$IP_RANGE_START'), IPv4Address(u'$IP_RANGE_END')) ]
 EOF
-}
\ No newline at end of file
+}
diff --git a/common/scripts/run.sh b/common/scripts/run.sh
index e9629a39c..9efe2ce03 100755
--- a/common/scripts/run.sh
+++ b/common/scripts/run.sh
@@ -36,7 +36,7 @@ MOUNT_DEST="${MOUNT_DEST:-/work}"
 read -ra DOCKER_RUN_OPTIONS <<< "${DOCKER_RUN_OPTIONS:-}"
-[[ -t 1 ]] && DOCKER_RUN_OPTIONS+=("-it")
+[[ -t 0 ]] && DOCKER_RUN_OPTIONS+=("-it")
 [[ ${UID} -ne 0 ]] && DOCKER_RUN_OPTIONS+=(-u "${UID}:${DOCKER_GID}")
 # $CONTAINER_OPTIONS becomes an empty arg when quoted, so SC2086 is disabled for the
diff --git a/common/scripts/setup_env.sh b/common/scripts/setup_env.sh
index e2c5b9211..9418434d8 100755
--- a/common/scripts/setup_env.sh
+++ b/common/scripts/setup_env.sh
@@ -75,7 +75,7 @@ fi
 TOOLS_REGISTRY_PROVIDER=${TOOLS_REGISTRY_PROVIDER:-gcr.io}
 PROJECT_ID=${PROJECT_ID:-istio-testing}
 if [[ "${IMAGE_VERSION:-}" == "" ]]; then
-IMAGE_VERSION=master-8584ca511549c1cd96d9cb8b900297de83f4cb64
+IMAGE_VERSION=master-8463430ba963638b35745d773045701f6d02014d
 fi
 if [[ "${IMAGE_NAME:-}" == "" ]]; then
 IMAGE_NAME=build-tools
diff --git a/docs/api-reference/sailoperator.io.md b/docs/api-reference/sailoperator.io.md
index 7268a9bcc..08025c5d4 100644
--- a/docs/api-reference/sailoperator.io.md
+++ b/docs/api-reference/sailoperator.io.md
@@ -74,6 +74,7 @@ _Appears in:_
 | Field | Description | Default | Validation |
 | --- | --- | --- | --- |
+| `excludedCRDs` _string array_ | CRDs to exclude. Requires `enableCRDTemplates` | | |
 | `validationURL` _string_ | URL to use for validating webhook. | | |
 | `validationCABundle` _string_ | validation webhook CA bundle | | |
@@ -292,7 +293,7 @@ _Appears in:_ | Field | Description | Default | Validation | | --- | --- | --- | --- | | `address` _string_ | Address of the server implementing the Istio Mesh Configuration protocol (MCP). Can be IP address or a fully qualified DNS name. Use xds:// to specify a grpc-based xds backend, k8s:// to specify a k8s controller or fs:/// to specify a file-based backend with absolute path to the directory. | | | -| `tlsSettings` _[ClientTLSSettings](#clienttlssettings)_ | Use the tls_settings to specify the tls mode to use. If the MCP server uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS mode as `ISTIO_MUTUAL`. | | | +| `tlsSettings` _[ClientTLSSettings](#clienttlssettings)_ | Use the tlsSettings to specify the tls mode to use. If the MCP server uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS mode as `ISTIO_MUTUAL`. | | | | `subscribedResources` _[Resource](#resource) array_ | Describes the source of configuration, if nothing is specified default is MCP | | Enum: [SERVICE_REGISTRY] | @@ -341,7 +342,7 @@ _Appears in:_ _Underlying type:_ _string_ ForwardClientCertDetails controls how the x-forwarded-client-cert (XFCC) -header is handled by the gateway proxy. +header is handled by a proxy. See [Envoy XFCC](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto.html#enum-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-forwardclientcertdetails) header handling for more details. 
@@ -355,10 +356,10 @@ _Appears in:_ | Field | Description | | --- | --- | | `UNDEFINED` | Field is not set | -| `SANITIZE` | Do not send the XFCC header to the next hop. This is the default value. | +| `SANITIZE` | Do not send the XFCC header to the next hop. | | `FORWARD_ONLY` | When the client connection is mTLS (Mutual TLS), forward the XFCC header in the request. | -| `APPEND_FORWARD` | When the client connection is mTLS, append the client certificate information to the request’s XFCC header and forward it. | -| `SANITIZE_SET` | When the client connection is mTLS, reset the XFCC header with the client certificate information and send it to the next hop. | +| `APPEND_FORWARD` | When the client connection is mTLS, append the client certificate information to the request’s XFCC header and forward it. This is the default value for sidecar proxies. | +| `SANITIZE_SET` | When the client connection is mTLS, reset the XFCC header with the client certificate information and send it to the next hop. This is the default value for gateway proxies. | | `ALWAYS_FORWARD_ONLY` | Always forward the XFCC header in the request, regardless of whether the client connection is mTLS. | 
@@ -379,7 +380,7 @@ _Appears in:_ | `certSigners` _string array_ | List of certSigners to allow "approve" action in the ClusterRole | | | | `configValidation` _boolean_ | Controls whether the server-side validation is enabled. | | | | `defaultNodeSelector` _object (keys:string, values:string)_ | Default k8s node selector for all the Istio control plane components See https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector Deprecated: Marked as deprecated in pkg/apis/values_types.proto. | | | -| `defaultPodDisruptionBudget` _[DefaultPodDisruptionBudgetConfig](#defaultpoddisruptionbudgetconfig)_ | Specifies the default pod disruption budget configuration. Deprecated: Marked as deprecated in pkg/apis/values_types.proto. | | | +| `defaultPodDisruptionBudget` _[DefaultPodDisruptionBudgetConfig](#defaultpoddisruptionbudgetconfig)_ | Specifies the default pod disruption budget configuration. | | | | `defaultResources` _[ResourceRequirements](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#resourcerequirements-v1-core)_ | Default k8s resources settings for all Istio control plane components. See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container Deprecated: Marked as deprecated in pkg/apis/values_types.proto. | | | | `defaultTolerations` _[Toleration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#toleration-v1-core) array_ | Default node tolerations to be applied to all deployments so that all pods can be scheduled to nodes with matching taints. Each component can overwrite these default values by adding its tolerations block in the relevant section below and setting the desired values. Configure this field in case that all pods of Istio control plane are expected to be scheduled to particular nodes with specified taints. Deprecated: Marked as deprecated in pkg/apis/values_types.proto. 
| | | | `hub` _string_ | Specifies the docker hub for Istio images. | | | @@ -506,7 +507,7 @@ _Appears in:_ | `kind` _string_ | Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds | | | | `apiVersion` _string_ | APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources | | | | `metadata` _[ObjectMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#objectmeta-v1-meta)_ | Refer to Kubernetes API documentation for fields of `metadata`. | | | -| `spec` _[IstioSpec](#istiospec)_ | | \{ namespace:istio-system updateStrategy:map[type:InPlace] version:v1.23.0 \} | | +| `spec` _[IstioSpec](#istiospec)_ | | \{ namespace:istio-system updateStrategy:map[type:InPlace] version:v1.23.2 \} | | | `status` _[IstioStatus](#istiostatus)_ | | | | 
@@ -528,7 +529,7 @@ _Appears in:_ | `kind` _string_ | Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds | | | | `apiVersion` _string_ | APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources | | | | `metadata` _[ObjectMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#objectmeta-v1-meta)_ | Refer to Kubernetes API documentation for fields of `metadata`. | | | -| `spec` _[IstioCNISpec](#istiocnispec)_ | | \{ namespace:istio-cni version:v1.23.0 \} | | +| `spec` _[IstioCNISpec](#istiocnispec)_ | | \{ namespace:istio-cni version:v1.23.2 \} | | | `status` _[IstioCNIStatus](#istiocnistatus)_ | | | | 
@@ -624,8 +625,8 @@ _Appears in:_ | Field | Description | Default | Validation | | --- | --- | --- | --- | -| `version` _string_ | Defines the version of Istio to install. Must be one of: v1.23.0, v1.22.3, v1.21.5, latest. | v1.23.0 | Enum: [v1.23.0 v1.22.3 v1.21.5 latest] | -| `profile` _string_ | The built-in installation configuration profile to use. The 'default' profile is always applied. On OpenShift, the 'openshift' profile is also applied on top of 'default'. Must be one of: ambient, default, demo, empty, external, openshift-ambient, openshift, preview, stable. | | Enum: [ambient default demo empty external openshift-ambient openshift preview stable] | +| `version` _string_ | Defines the version of Istio to install. Must be one of: v1.23.2, v1.22.5, v1.21.6, latest. | v1.23.2 | Enum: [v1.23.2 v1.22.5 v1.21.6 latest] | +| `profile` _string_ | The built-in installation configuration profile to use. The 'default' profile is always applied. On OpenShift, the 'openshift' profile is also applied on top of 'default'. Must be one of: ambient, default, demo, empty, openshift-ambient, openshift, preview, stable. | | Enum: [ambient default demo empty openshift-ambient openshift preview stable] | | `namespace` _string_ | Namespace to which the Istio CNI component should be installed. | istio-cni | | | `values` _[CNIValues](#cnivalues)_ | Defines the values to be passed to the Helm charts when installing Istio CNI. | | | 
@@ -852,7 +853,7 @@ _Appears in:_
 | Field | Description | Default | Validation |
 | --- | --- | --- | --- |
 | `type` _[IstioRevisionType](#istiorevisiontype)_ | Type indicates whether this revision represents a local or a remote control plane installation. | Local | |
-| `version` _string_ | Defines the version of Istio to install. Must be one of: v1.23.0, v1.22.3, v1.21.5, latest. | | Enum: [v1.23.0 v1.22.3 v1.21.5 latest] |
+| `version` _string_ | Defines the version of Istio to install. Must be one of: v1.23.2, v1.22.5, v1.21.6, latest. | | Enum: [v1.23.2 v1.22.5 v1.21.6 latest] |
 | `namespace` _string_ | Namespace to which the Istio components should be installed. | | |
 | `values` _[Values](#values)_ | Defines the values to be passed to the Helm charts when installing Istio. | | |
@@ -905,9 +906,9 @@ _Appears in:_
 | Field | Description | Default | Validation |
 | --- | --- | --- | --- |
-| `version` _string_ | Defines the version of Istio to install. Must be one of: v1.23.0, v1.22.3, v1.21.5, latest. | v1.23.0 | Enum: [v1.23.0 v1.22.3 v1.21.5 latest] |
+| `version` _string_ | Defines the version of Istio to install. Must be one of: v1.23.2, v1.22.5, v1.21.6, latest. | v1.23.2 | Enum: [v1.23.2 v1.22.5 v1.21.6 latest] |
 | `updateStrategy` _[IstioUpdateStrategy](#istioupdatestrategy)_ | Defines the update strategy to use when the version in the Istio CR is updated. | \{ type:InPlace \} | |
-| `profile` _string_ | The built-in installation configuration profile to use. The 'default' profile is always applied. On OpenShift, the 'openshift' profile is also applied on top of 'default'. Must be one of: ambient, default, demo, empty, external, openshift-ambient, openshift, preview, stable. | | Enum: [ambient default demo empty external openshift-ambient openshift preview stable] |
+| `profile` _string_ | The built-in installation configuration profile to use. The 'default' profile is always applied. On OpenShift, the 'openshift' profile is also applied on top of 'default'. Must be one of: ambient, default, demo, empty, openshift-ambient, openshift, preview, stable. | | Enum: [ambient default demo empty openshift-ambient openshift preview stable] |
 | `namespace` _string_ | Namespace to which the Istio components should be installed. | istio-system | |
 | `values` _[Values](#values)_ | Defines the values to be passed to the Helm charts when installing Istio. | | |
@@ -977,6 +978,7 @@ _Appears in:_
 _Appears in:_
+- [PilotConfig](#pilotconfig)
 - [Values](#values)
 | Field | Description | Default | Validation |
@@ -984,6 +986,7 @@ _Appears in:_
 | `injectionURL` _string_ | URL to use for sidecar injector webhook. | | |
 | `injectionPath` _string_ | Path to use for the sidecar injector webhook service. | | |
 | `injectionCABundle` _string_ | injector ca bundle | | |
+| `enabled` _boolean_ | Indicates if this cluster/install should consume a "remote" istiod instance, | | |
 #### LocalityLoadBalancerSetting
@@ -1129,7 +1132,7 @@ _Appears in:_
 | `ingressClass` _string_ | Class of ingress resources to be processed by Istio ingress controller. This corresponds to the value of `kubernetes.io/ingress.class` annotation. | | |
 | `ingressService` _string_ | Name of the Kubernetes service used for the istio ingress controller. If no ingress controller is specified, the default value `istio-ingressgateway` is used. | | |
 | `ingressControllerMode` _[MeshConfigIngressControllerMode](#meshconfigingresscontrollermode)_ | Defines whether to use Istio ingress controller for annotated or all ingress resources. Default mode is `STRICT`. | | Enum: [UNSPECIFIED OFF DEFAULT STRICT] |
-| `ingressSelector` _string_ | Defines which gateway deployment to use as the Ingress controller. This field corresponds to the Gateway.selector field, and will be set as `istio: INGRESS_SELECTOR`. By default, `ingressgateway` is used, which will select the default IngressGateway as it has the `istio: ingressgateway` labels. It is recommended that this is the same value as ingress_service. | | |
+| `ingressSelector` _string_ | Defines which gateway deployment to use as the Ingress controller. This field corresponds to the Gateway.selector field, and will be set as `istio: INGRESS_SELECTOR`. By default, `ingressgateway` is used, which will select the default IngressGateway as it has the `istio: ingressgateway` labels. It is recommended that this is the same value as ingressService. | | |
 | `enableTracing` _boolean_ | Flag to control generation of trace spans and request IDs. Requires a trace span collector defined in the proxy configuration. | | |
 | `accessLogFile` _string_ | File address for the proxy access log (e.g. /dev/stdout). Empty value disables access logging. | | |
 | `accessLogFormat` _string_ | Format for the proxy access log Empty value results in proxy's default access log format | | |
@@ -1142,11 +1145,11 @@ _Appears in:_ | `configSources` _[ConfigSource](#configsource) array_ | ConfigSource describes a source of configuration data for networking rules, and other Istio configuration artifacts. Multiple data sources can be configured for a single control plane. | | | | `enableAutoMtls` _boolean_ | This flag is used to enable mutual `TLS` automatically for service to service communication within the mesh, default true. If set to true, and a given service does not have a corresponding `DestinationRule` configured, or its `DestinationRule` does not have ClientTLSSettings specified, Istio configures client side TLS configuration appropriately. More specifically, If the upstream authentication policy is in `STRICT` mode, use Istio provisioned certificate for mutual `TLS` to connect to upstream. If upstream service is in plain text mode, use plain text. If the upstream authentication policy is in PERMISSIVE mode, Istio configures clients to use mutual `TLS` when server sides are capable of accepting mutual `TLS` traffic. If service `DestinationRule` exists and has `ClientTLSSettings` specified, that is always used instead. | | | | `trustDomain` _string_ | The trust domain corresponds to the trust root of a system. Refer to [SPIFFE-ID](https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain) | | | -| `trustDomainAliases` _string array_ | The trust domain aliases represent the aliases of `trust_domain`. For example, if we have ```yaml trustDomain: td1 trustDomainAliases: ["td2", "td3"] ``` Any service with the identity `td1/ns/foo/sa/a-service-account`, `td2/ns/foo/sa/a-service-account`, or `td3/ns/foo/sa/a-service-account` will be treated the same in the Istio mesh. | | | +| `trustDomainAliases` _string array_ | The trust domain aliases represent the aliases of `trustDomain`. 
For example, if we have ```yaml trustDomain: td1 trustDomainAliases: ["td2", "td3"] ``` Any service with the identity `td1/ns/foo/sa/a-service-account`, `td2/ns/foo/sa/a-service-account`, or `td3/ns/foo/sa/a-service-account` will be treated the same in the Istio mesh. | | | | `caCertificates` _[MeshConfigCertificateData](#meshconfigcertificatedata) array_ | The extra root certificates for workload-to-workload communication. The plugin certificates (the 'cacerts' secret) or self-signed certificates (the 'istio-ca-secret' secret) are automatically added by Istiod. The CA certificate that signs the workload certificates is automatically added by Istio Agent. | | | -| `defaultServiceExportTo` _string array_ | The default value for the ServiceEntry.export_to field and services imported through container registry integrations, e.g. this applies to Kubernetes Service resources. The value is a list of namespace names and reserved namespace aliases. The allowed namespace aliases are: ``` * - All Namespaces . - Current Namespace ~ - No Namespace ``` If not set the system will use "*" as the default value which implies that services are exported to all namespaces. `All namespaces` is a reasonable default for implementations that don't need to restrict access or visibility of services across namespace boundaries. If that requirement is present it is generally good practice to make the default `Current namespace` so that services are only visible within their own namespaces by default. Operators can then expand the visibility of services to other namespaces as needed. Use of `No Namespace` is expected to be rare but can have utility for deployments where dependency management needs to be precise even within the scope of a single namespace. For further discussion see the reference documentation for `ServiceEntry`, `Sidecar`, and `Gateway`. | | | -| `defaultVirtualServiceExportTo` _string array_ | The default value for the VirtualService.export_to field. 
Has the same syntax as `default_service_export_to`. If not set the system will use "*" as the default value which implies that virtual services are exported to all namespaces | | | -| `defaultDestinationRuleExportTo` _string array_ | The default value for the `DestinationRule.export_to` field. Has the same syntax as `default_service_export_to`. If not set the system will use "*" as the default value which implies that destination rules are exported to all namespaces | | | +| `defaultServiceExportTo` _string array_ | The default value for the ServiceEntry.exportTo field and services imported through container registry integrations, e.g. this applies to Kubernetes Service resources. The value is a list of namespace names and reserved namespace aliases. The allowed namespace aliases are: ``` * - All Namespaces . - Current Namespace ~ - No Namespace ``` If not set the system will use "*" as the default value which implies that services are exported to all namespaces. `All namespaces` is a reasonable default for implementations that don't need to restrict access or visibility of services across namespace boundaries. If that requirement is present it is generally good practice to make the default `Current namespace` so that services are only visible within their own namespaces by default. Operators can then expand the visibility of services to other namespaces as needed. Use of `No Namespace` is expected to be rare but can have utility for deployments where dependency management needs to be precise even within the scope of a single namespace. For further discussion see the reference documentation for `ServiceEntry`, `Sidecar`, and `Gateway`. | | | +| `defaultVirtualServiceExportTo` _string array_ | The default value for the VirtualService.exportTo field. Has the same syntax as `defaultServiceExportTo`. 
If not set the system will use "*" as the default value which implies that virtual services are exported to all namespaces | | | +| `defaultDestinationRuleExportTo` _string array_ | The default value for the `DestinationRule.exportTo` field. Has the same syntax as `defaultServiceExportTo`. If not set the system will use "*" as the default value which implies that destination rules are exported to all namespaces | | | | `rootNamespace` _string_ | The namespace to treat as the administrative root namespace for Istio configuration. When processing a leaf namespace Istio will search for declarations in that namespace first and if none are found it will search in the root namespace. Any matching declaration found in the root namespace is processed as if it were declared in the leaf namespace. The precise semantics of this processing are documented on each resource type. | | | | `localityLbSetting` _[LocalityLoadBalancerSetting](#localityloadbalancersetting)_ | Locality based load balancing distribution or failover settings. If unspecified, locality based load balancing will be enabled by default. However, this requires outlierDetection to actually take effect for a particular service, see https://istio.io/latest/docs/tasks/traffic-management/locality-load-balancing/failover/ | | | | `dnsRefreshRate` _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#duration-v1-meta)_ | Configures DNS refresh rate for Envoy clusters of type `STRICT_DNS` Default refresh rate is `60s`. | | | 
@@ -1160,7 +1163,7 @@ _Appears in:_
 | `pathNormalization` _[MeshConfigProxyPathNormalization](#meshconfigproxypathnormalization)_ | ProxyPathNormalization configures how URL paths in incoming and outgoing HTTP requests are normalized by the sidecars and gateways. The normalized paths will be used in all aspects through the requests' lifetime on the sidecars and gateways, which includes routing decisions in outbound direction (client proxy), authorization policy match and enforcement in inbound direction (server proxy), and the URL path proxied to the upstream service. If not set, the NormalizationType.DEFAULT configuration will be used. | | |
 | `defaultHttpRetryPolicy` _[HTTPRetry](#httpretry)_ | Configure the default HTTP retry policy. The default number of retry attempts is set at 2 for these errors: "connect-failure,refused-stream,unavailable,cancelled,retriable-status-codes". Setting the number of attempts to 0 disables retry policy globally. This setting can be overridden on a per-host basis using the Virtual Service API. All settings in the retry policy except `perTryTimeout` can currently be configured globally via this field. | | |
 | `meshMTLS` _[MeshConfigTLSConfig](#meshconfigtlsconfig)_ | The below configuration parameters can be used to specify TLSConfig for mesh traffic. For example, a user could enable min TLS version for ISTIO_MUTUAL traffic and specify a curve for non ISTIO_MUTUAL traffic like below: ```yaml meshConfig: meshMTLS: minProtocolVersion: TLSV1_3 tlsDefaults: Note: applicable only for non ISTIO_MUTUAL scenarios ecdhCurves: - P-256 - P-512 ``` Configuration of mTLS for traffic between workloads with ISTIO_MUTUAL TLS traffic. Note: Mesh mTLS does not respect ECDH curves. | | |
-| `tlsDefaults` _[MeshConfigTLSConfig](#meshconfigtlsconfig)_ | Configuration of TLS for all traffic except for ISTIO_MUTUAL mode. Currently, this supports configuration of ecdh_curves and cipher_suites only. For ISTIO_MUTUAL TLS settings, use meshMTLS configuration. | | |
+| `tlsDefaults` _[MeshConfigTLSConfig](#meshconfigtlsconfig)_ | Configuration of TLS for all traffic except for ISTIO_MUTUAL mode. Currently, this supports configuration of ecdhCurves and cipherSuites only. For ISTIO_MUTUAL TLS settings, use meshMTLS configuration. | | |
 #### MeshConfigAccessLogEncoding
@@ -1197,9 +1200,9 @@ _Appears in:_
 | Field | Description | Default | Validation |
 | --- | --- | --- | --- |
 | `address` _string_ | REQUIRED. Address of the CA server implementing the Istio CA gRPC API. Can be IP address or a fully qualified DNS name with port Eg: custom-ca.default.svc.cluster.local:8932, 192.168.23.2:9000 | | Required: \{\} |
-| `tlsSettings` _[ClientTLSSettings](#clienttlssettings)_ | Use the tls_settings to specify the tls mode to use. Regarding tls_settings: - DISABLE MODE is legitimate for the case Istiod is making the request via an Envoy sidecar. DISABLE MODE can also be used for testing - TLS MUTUAL MODE be on by default. If the CA certificates (cert bundle to verify the CA server's certificate) is omitted, Istiod will use the system root certs to verify the CA server's certificate. | | |
+| `tlsSettings` _[ClientTLSSettings](#clienttlssettings)_ | Use the tlsSettings to specify the tls mode to use. Regarding tlsSettings: - DISABLE MODE is legitimate for the case Istiod is making the request via an Envoy sidecar. DISABLE MODE can also be used for testing - TLS MUTUAL MODE be on by default. If the CA certificates (cert bundle to verify the CA server's certificate) is omitted, Istiod will use the system root certs to verify the CA server's certificate. | | |
 | `requestTimeout` _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#duration-v1-meta)_ | timeout for forward CSR requests from Istiod to External CA Default: 10s | | |
-| `istiodSide` _boolean_ | Use istiod_side to specify CA Server integrate to Istiod side or Agent side Default: true | | |
+| `istiodSide` _boolean_ | Use istiodSide to specify CA Server integrate to Istiod side or Agent side Default: true | | |
 #### MeshConfigCertificateData
@@ -1218,7 +1221,7 @@ _Appears in:_ | `pem` _string_ | The PEM data of the certificate. | | | | `spiffeBundleUrl` _string_ | The SPIFFE bundle endpoint URL that complies to: https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE_Trust_Domain_and_Bundle.md#the-spiffe-trust-domain-and-bundle The endpoint should support authentication based on Web PKI: https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE_Trust_Domain_and_Bundle.md#521-web-pki The certificate is retrieved from the endpoint. | | | | `certSigners` _string array_ | when Istiod is acting as RA(registration authority) If set, they are used for these signers. Otherwise, this trustAnchor is used for all signers. | | | -| `trustDomains` _string array_ | Optional. Specify the list of trust domains to which this trustAnchor data belongs. If set, they are used for these trust domains. Otherwise, this trustAnchor is used for default trust domain and its aliases. Note that we can have multiple trustAnchor data for a same trust_domain. In that case, trustAnchors with a same trust domain will be merged and used together to verify peer certificates. If neither cert_signers nor trust_domains is set, this trustAnchor is used for all trust domains and all signers. If only trust_domains is set, this trustAnchor is used for these trust_domains and all signers. If only cert_signers is set, this trustAnchor is used for these cert_signers and all trust domains. If both cert_signers and trust_domains is set, this trustAnchor is only used for these signers and trust domains. | | | +| `trustDomains` _string array_ | Optional. Specify the list of trust domains to which this trustAnchor data belongs. If set, they are used for these trust domains. Otherwise, this trustAnchor is used for default trust domain and its aliases. Note that we can have multiple trustAnchor data for a same trustDomain. In that case, trustAnchors with a same trust domain will be merged and used together to verify peer certificates. 
If neither certSigners nor trustDomains is set, this trustAnchor is used for all trust domains and all signers. If only trustDomains is set, this trustAnchor is used for these trustDomains and all signers. If only certSigners is set, this trustAnchor is used for these certSigners and all trust domains. If both certSigners and trustDomains is set, this trustAnchor is only used for these signers and trust domains. | | | #### MeshConfigDefaultProviders @@ -1229,7 +1232,7 @@ Holds the name references to the providers that will be used by default in other Istio configuration resources if the provider is not specified. -These names must match a provider defined in `extension_providers` that is +These names must match a provider defined in `extensionProviders` that is one of the supported tracing providers. 
@@ -1305,7 +1308,7 @@ _Appears in:_
 | --- | --- | --- | --- |
 | `service` _string_ | REQUIRED. Specifies the service that implements the Envoy ext_authz gRPC authorization service. The format is `[/]`. The specification of `` is required only when it is insufficient to unambiguously resolve a service in the service registry. The `` is a fully qualified host name of a service defined by the Kubernetes service or ServiceEntry. Example: "my-ext-authz.foo.svc.cluster.local" or "bar/my-ext-authz.example.com". | | Required: \{\} |
 | `port` _integer_ | REQUIRED. Specifies the port of the service. | | Required: \{\} |
-| `timeout` _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#duration-v1-meta)_ | The maximum duration that the proxy will wait for a response from the provider, this is the timeout for a specific request (default timeout: 600s). When this timeout condition is met, the proxy marks the communication to the authorization service as failure. In this situation, the response sent back to the client will depend on the configured `fail_open` field. | | |
+| `timeout` _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#duration-v1-meta)_ | The maximum duration that the proxy will wait for a response from the provider, this is the timeout for a specific request (default timeout: 600s). When this timeout condition is met, the proxy marks the communication to the authorization service as failure. In this situation, the response sent back to the client will depend on the configured `failOpen` field. | | |
 | `failOpen` _boolean_ | If true, the HTTP request or TCP connection will be allowed even if the communication with the authorization service has failed, or if the authorization service has returned a HTTP 5xx error. Default is false. For HTTP request, it will be rejected with 403 (HTTP Forbidden). For TCP connection, it will be closed immediately. | | |
 | `statusOnError` _string_ | Sets the HTTP status that is returned to the client when there is a network error to the authorization service. The default status is "403" (HTTP Forbidden). | | |
 | `includeRequestBodyInCheck` _[MeshConfigExtensionProviderEnvoyExternalAuthorizationRequestBody](#meshconfigextensionproviderenvoyexternalauthorizationrequestbody)_ | If set, the client request body will be included in the authorization request sent to the authorization service. | | |
@@ -1326,13 +1329,13 @@ _Appears in:_ | --- | --- | --- | --- | | `service` _string_ | REQUIRED. Specifies the service that implements the Envoy ext_authz HTTP authorization service. The format is `[/]`. The specification of `` is required only when it is insufficient to unambiguously resolve a service in the service registry. The `` is a fully qualified host name of a service defined by the Kubernetes service or ServiceEntry. Example: "my-ext-authz.foo.svc.cluster.local" or "bar/my-ext-authz.example.com". | | Required: \{\} | | `port` _integer_ | REQUIRED. Specifies the port of the service. | | Required: \{\} | -| `timeout` _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#duration-v1-meta)_ | The maximum duration that the proxy will wait for a response from the provider (default timeout: 600s). When this timeout condition is met, the proxy marks the communication to the authorization service as failure. In this situation, the response sent back to the client will depend on the configured `fail_open` field. | | | +| `timeout` _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#duration-v1-meta)_ | The maximum duration that the proxy will wait for a response from the provider (default timeout: 600s). When this timeout condition is met, the proxy marks the communication to the authorization service as failure. In this situation, the response sent back to the client will depend on the configured `failOpen` field. | | | | `pathPrefix` _string_ | Sets a prefix to the value of authorization request header *Path*. For example, setting this to "/check" for an original user request at path "/admin" will cause the authorization check request to be sent to the authorization service at the path "/check/admin" instead of "/admin". 
| | | | `failOpen` _boolean_ | If true, the user request will be allowed even if the communication with the authorization service has failed, or if the authorization service has returned a HTTP 5xx error. Default is false and the request will be rejected with "Forbidden" response. | | | | `statusOnError` _string_ | Sets the HTTP status that is returned to the client when there is a network error to the authorization service. The default status is "403" (HTTP Forbidden). | | | -| `includeHeadersInCheck` _string array_ | DEPRECATED. Use include_request_headers_in_check instead. Deprecated: Marked as deprecated in mesh/v1alpha1/config.proto. | | | -| `includeRequestHeadersInCheck` _string array_ | List of client request headers that should be included in the authorization request sent to the authorization service. Note that in addition to the headers specified here following headers are included by default: 1. *Host*, *Method*, *Path* and *Content-Length* are automatically sent. 2. *Content-Length* will be set to 0 and the request will not have a message body. However, the authorization request can include the buffered client request body (controlled by include_request_body_in_check setting), consequently the value of Content-Length of the authorization request reflects the size of its payload size. Exact, prefix and suffix matches are supported (similar to the [authorization policy rule syntax](https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule) except the presence match): - Exact match: "abc" will match on value "abc". - Prefix match: "abc*" will match on value "abc" and "abcd". - Suffix match: "*abc" will match on value "abc" and "xabc". | | | -| `includeAdditionalHeadersInCheck` _object (keys:string, values:string)_ | Set of additional fixed headers that should be included in the authorization request sent to the authorization service. Key is the header name and value is the header value. 
Note that client request of the same key or headers specified in include_request_headers_in_check will be overridden. | | | +| `includeHeadersInCheck` _string array_ | DEPRECATED. Use includeRequestHeadersInCheck instead. Deprecated: Marked as deprecated in mesh/v1alpha1/config.proto. | | | +| `includeRequestHeadersInCheck` _string array_ | List of client request headers that should be included in the authorization request sent to the authorization service. Note that in addition to the headers specified here following headers are included by default: 1. *Host*, *Method*, *Path* and *Content-Length* are automatically sent. 2. *Content-Length* will be set to 0 and the request will not have a message body. However, the authorization request can include the buffered client request body (controlled by includeRequestBodyInCheck setting), consequently the value of Content-Length of the authorization request reflects the size of its payload size. Exact, prefix and suffix matches are supported (similar to the [authorization policy rule syntax](https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule) except the presence match): - Exact match: "abc" will match on value "abc". - Prefix match: "abc*" will match on value "abc" and "abcd". - Suffix match: "*abc" will match on value "abc" and "xabc". | | | +| `includeAdditionalHeadersInCheck` _object (keys:string, values:string)_ | Set of additional fixed headers that should be included in the authorization request sent to the authorization service. Key is the header name and value is the header value. Note that client request of the same key or headers specified in includeRequestHeadersInCheck will be overridden. | | | | `includeRequestBodyInCheck` _[MeshConfigExtensionProviderEnvoyExternalAuthorizationRequestBody](#meshconfigextensionproviderenvoyexternalauthorizationrequestbody)_ | If set, the client request body will be included in the authorization request sent to the authorization service. 
| | | | `headersToUpstreamOnAllow` _string array_ | List of headers from the authorization service that should be added or overridden in the original request and forwarded to the upstream when the authorization check result is allowed (HTTP code 200). If not specified, the original request will not be modified and forwarded to backend as-is. Note, any existing headers will be overridden. Exact, prefix and suffix matches are supported (similar to the [authorization policy rule syntax](https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule) except the presence match): - Exact match: "abc" will match on value "abc". - Prefix match: "abc*" will match on value "abc" and "abcd". - Suffix match: "*abc" will match on value "abc" and "xabc". | | | | `headersToDownstreamOnDeny` _string array_ | List of headers from the authorization service that should be forwarded to downstream when the authorization check result is not allowed (HTTP code other than 200). If not specified, all the authorization response headers, except *Authority (Host)* will be in the response to the downstream. When a header is included in this list, *Path*, *Status*, *Content-Length*, *WWWAuthenticate* and *Location* are automatically added. Note, the body from the authorization service is always included in the response to downstream. Exact, prefix and suffix matches are supported (similar to the [authorization policy rule syntax](https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule) except the presence match): - Exact match: "abc" will match on value "abc". - Prefix match: "abc*" will match on value "abc" and "abcd". - Suffix match: "*abc" will match on value "abc" and "xabc". | | | @@ -1425,6 +1428,8 @@ _Appears in:_ | `filterStateObjectsToLog` _string array_ | Optional. Additional filter state objects to log. | | | + + #### MeshConfigExtensionProviderHttpHeader 
@@ -1434,6 +1439,7 @@ _Appears in:_
 _Appears in:_
+- [MeshConfigExtensionProviderGrpcService](#meshconfigextensionprovidergrpcservice)
 - [MeshConfigExtensionProviderHttpService](#meshconfigextensionproviderhttpservice)
 | Field | Description | Default | Validation |
@@ -1514,8 +1520,9 @@ _Appears in:_ | `port` _integer_ | REQUIRED. Specifies the port of the service. | | Required: \{\} | | `maxTagLength` _integer_ | Optional. Controls the overall path length allowed in a reported span. NOTE: currently only controls max length of the path tag. | | | | `http` _[MeshConfigExtensionProviderHttpService](#meshconfigextensionproviderhttpservice)_ | Optional. Specifies the configuration for exporting OTLP traces via HTTP. When empty, traces will be exported via gRPC. The following example shows how to configure the OpenTelemetry ExtensionProvider to export via HTTP: 1. Add/change the OpenTelemetry extension provider in `MeshConfig` ```yaml - name: otel-tracing opentelemetry: port: 443 service: my.olly-backend.com http: path: "/api/otlp/traces" timeout: 10s headers: - name: "my-custom-header" value: "some value" ``` 2. Deploy a `ServiceEntry` for the observability back-end ```yaml apiVersion: networking.istio.io/v1alpha3 kind: ServiceEntry metadata: name: my-olly-backend spec: hosts: - my.olly-backend.com ports: - number: 443 name: https-port protocol: HTTPS resolution: DNS location: MESH_EXTERNAL --- apiVersion: networking.istio.io/v1alpha3 kind: DestinationRule metadata: name: my-olly-backend spec: host: my.olly-backend.com trafficPolicy: portLevelSettings: - port: number: 443 tls: mode: SIMPLE ``` | | | -| `resourceDetectors` _[MeshConfigExtensionProviderResourceDetectors](#meshconfigextensionproviderresourcedetectors)_ | Optional. Specifies [Resource Detectors](https://opentelemetry.io/docs/specs/otel/resource/sdk/) to be used by the OpenTelemetry Tracer. When multiple resources are provided, they are merged according to the OpenTelemetry [Resource specification](https://opentelemetry.io/docs/specs/otel/resource/sdk/#merge). 
The following example shows how to configure the Environment Resource Detector, that will read the attributes from the environment variable `OTEL_RESOURCE_ATTRIBUTES`: ```yaml - name: otel-tracing opentelemetry: port: 443 service: my.olly-backend.com resource_detectors: environment: \{\} ``` | | | -| `dynatraceSampler` _[MeshConfigExtensionProviderOpenTelemetryTracingProviderDynatraceSampler](#meshconfigextensionprovideropentelemetrytracingproviderdynatracesampler)_ | The Dynatrace adaptive traffic management (ATM) sampler. Example configuration: ```yaml - name: otel-tracing opentelemetry: port: 443 service: "\{your-environment-id\}.live.dynatrace.com" http: path: "/api/v2/otlp/v1/traces" timeout: 10s headers: - name: "Authorization" value: "Api-Token dt0c01." resource_detectors: dynatrace: \{\} dynatrace_sampler: tenant: "\{your-environment-id\}" cluster_id: 1234 | | | +| `grpc` _[MeshConfigExtensionProviderGrpcService](#meshconfigextensionprovidergrpcservice)_ | Optional. Specifies the configuration for exporting OTLP traces via GRPC. When empty, traces will check whether HTTP is set. If not, traces will use default GRPC configurations. The following example shows how to configure the OpenTelemetry ExtensionProvider to export via GRPC: 1. Add/change the OpenTelemetry extension provider in `MeshConfig` ```yaml - name: opentelemetry opentelemetry: port: 8090 service: tracing.example.com grpc: timeout: 10s initialMetadata: - name: "Authentication" value: "token-xxxxx" ``` 2. Deploy a `ServiceEntry` for the observability back-end ```yaml apiVersion: networking.istio.io/v1alpha3 kind: ServiceEntry metadata: name: tracing-grpc spec: hosts: - tracing.example.com ports: - number: 8090 name: grpc-port protocol: GRPC resolution: DNS location: MESH_EXTERNAL ``` | | | +| `resourceDetectors` _[MeshConfigExtensionProviderResourceDetectors](#meshconfigextensionproviderresourcedetectors)_ | Optional. 
Specifies [Resource Detectors](https://opentelemetry.io/docs/specs/otel/resource/sdk/) to be used by the OpenTelemetry Tracer. When multiple resources are provided, they are merged according to the OpenTelemetry [Resource specification](https://opentelemetry.io/docs/specs/otel/resource/sdk/#merge). The following example shows how to configure the Environment Resource Detector, that will read the attributes from the environment variable `OTEL_RESOURCE_ATTRIBUTES`: ```yaml - name: otel-tracing opentelemetry: port: 443 service: my.olly-backend.com resourceDetectors: environment: \{\} ``` | | | +| `dynatraceSampler` _[MeshConfigExtensionProviderOpenTelemetryTracingProviderDynatraceSampler](#meshconfigextensionprovideropentelemetrytracingproviderdynatracesampler)_ | The Dynatrace adaptive traffic management (ATM) sampler. Example configuration: ```yaml - name: otel-tracing opentelemetry: port: 443 service: "\{your-environment-id\}.live.dynatrace.com" http: path: "/api/v2/otlp/v1/traces" timeout: 10s headers: - name: "Authorization" value: "Api-Token dt0c01." resourceDetectors: dynatrace: \{\} dynatraceSampler: tenant: "\{your-environment-id\}" clusterId: 1234 | | | @@ -1648,6 +1655,7 @@ _Appears in:_ | `port` _integer_ | REQUIRED. Specifies the port of the service. | | Required: \{\} | | `maxTagLength` _integer_ | Optional. Controls the overall path length allowed in a reported span. NOTE: currently only controls max length of the path tag. | | | | `enable64bitTraceId` _boolean_ | Optional. A 128 bit trace id will be used in Istio. If true, will result in a 64 bit trace id being used. | | | +| `path` _string_ | Optional. Specifies the endpoint of Zipkin API. The default value is "/api/v2/spans". | | | #### MeshConfigH2UpgradePolicy 
@@ -1718,8 +1726,8 @@ _Appears in:_ | --- | --- | | `UNSPECIFIED` | Unspecified Istio ingress controller. | | `OFF` | Disables Istio ingress controller. | -| `DEFAULT` | Istio ingress controller will act on ingress resources that do not contain any annotation or whose annotations match the value specified in the ingress_class parameter described earlier. Use this mode if Istio ingress controller will be the default ingress controller for the entire Kubernetes cluster. | -| `STRICT` | Istio ingress controller will only act on ingress resources whose annotations match the value specified in the ingress_class parameter described earlier. Use this mode if Istio ingress controller will be a secondary ingress controller (e.g., in addition to a cloud-provided ingress controller). | +| `DEFAULT` | Istio ingress controller will act on ingress resources that do not contain any annotation or whose annotations match the value specified in the ingressClass parameter described earlier. Use this mode if Istio ingress controller will be the default ingress controller for the entire Kubernetes cluster. | +| `STRICT` | Istio ingress controller will only act on ingress resources whose annotations match the value specified in the ingressClass parameter described earlier. Use this mode if Istio ingress controller will be a secondary ingress controller (e.g., in addition to a cloud-provided ingress controller). | #### MeshConfigOutboundTrafficPolicy 
@@ -1821,7 +1829,7 @@ _Appears in:_ | `statusPort` _integer_ | Port on which the agent should listen for administrative commands such as readiness probe. Default is set to port `15020`. | | | | `extraStatTags` _string array_ | An additional list of tags to extract from the in-proxy Istio telemetry. These extra tags can be added by configuring the telemetry extension. Each additional tag needs to be present in this list. Extra tags emitted by the telemetry extensions must be listed here so that they can be processed and exposed as Prometheus metrics. Deprecated: `istio.stats` is a native filter now, this field is no longer needed. | | | | `gatewayTopology` _[Topology](#topology)_ | Topology encapsulates the configuration which describes where the proxy is located i.e. behind a (or N) trusted proxy (proxies) or directly exposed to the internet. This configuration only effects gateways and is applied to all the gateways in the cluster unless overridden via annotations of the gateway workloads. | | | -| `terminationDrainDuration` _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#duration-v1-meta)_ | The amount of time allowed for connections to complete on proxy shutdown. On receiving `SIGTERM` or `SIGINT`, `istio-agent` tells the active Envoy to start gracefully draining, discouraging any new connections and allowing existing connections to complete. It then sleeps for the `termination_drain_duration` and then kills any remaining active Envoy processes. If not set, a default of `5s` will be applied. | | | +| `terminationDrainDuration` _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#duration-v1-meta)_ | The amount of time allowed for connections to complete on proxy shutdown. On receiving `SIGTERM` or `SIGINT`, `istio-agent` tells the active Envoy to start gracefully draining, discouraging any new connections and allowing existing connections to complete. 
It then sleeps for the `terminationDrainDuration` and then kills any remaining active Envoy processes. If not set, a default of `5s` will be applied. | | | | `meshId` _string_ | The unique identifier for the [service mesh](https://istio.io/docs/reference/glossary/#service-mesh) All control planes running in the same service mesh should specify the same mesh ID. Mesh ID is used to label telemetry reports for cases where telemetry from multiple meshes is mixed together. | | | | `readinessProbe` _[Probe](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#probe-v1-core)_ | VM Health Checking readiness probe. This health check config exactly mirrors the kubernetes readiness probe configuration both in schema and logic. Only one health check method of 3 can be set at a time. | | | | `proxyStatsMatcher` _[ProxyConfigProxyStatsMatcher](#proxyconfigproxystatsmatcher)_ | Proxy stats matcher defines configuration for reporting custom Envoy stats. To reduce memory and CPU overhead from Envoy stats system, Istio proxies by default create and expose only a subset of Envoy stats. This option is to control creation of additional Envoy stats with prefix, suffix, and regex expressions match on the name of the stats. This replaces the stats inclusion annotations (`sidecar.istio.io/statsInclusionPrefixes`, `sidecar.istio.io/statsInclusionRegexps`, and `sidecar.istio.io/statsInclusionSuffixes`). For example, to enable stats for circuit breakers, request retries, upstream connections, and request timeouts, you can specify stats matcher as follows: ```yaml proxyStatsMatcher: inclusionRegexps: - .*outlier_detection.* - .*upstream_rq_retry.* - .*upstream_cx_.* inclusionSuffixes: - upstream_rq_timeout ``` Note including more Envoy stats might increase number of time series collected by prometheus significantly. Care needs to be taken on Prometheus resource provision and configuration to reduce cardinality. | | | 
@@ -2007,7 +2015,7 @@ adding the `ISTIO_META_NETWORK` environment variable to the sidecar. a. By matching the registry name with one of the "fromRegistry" - in the mesh config. A "from_registry" can only be assigned to a + in the mesh config. A "fromRegistry" can only be assigned to a single network. @@ -2100,6 +2108,7 @@ _Appears in:_ | `cni` _[CNIUsageConfig](#cniusageconfig)_ | Configures whether to use an existing CNI installation for workloads | | | | `taint` _[PilotTaintControllerConfig](#pilottaintcontrollerconfig)_ | | | | | `trustedZtunnelNamespace` _string_ | If set, `istiod` will allow connections from trusted node proxy ztunnels in the provided namespace. | | | +| `istiodRemote` _[IstiodRemoteConfig](#istiodremoteconfig)_ | Configuration for the istio-discovery chart when istiod is running in a remote cluster (e.g. "remote control plane"). | | | 
@@ -2244,6 +2253,7 @@ _Appears in:_ | Field | Description | Default | Validation | | --- | --- | --- | --- | | `forwardedClientCert` _[ForwardClientCertDetails](#forwardclientcertdetails)_ | Controls the `X-Forwarded-Client-Cert` header for inbound sidecar requests. To set this on gateways, use the `Topology` setting. To disable the header, configure either `SANITIZE` (to always remove the header, if present) or `FORWARD_ONLY` (to leave the header as-is). By default, `APPEND_FORWARD` will be used. | | Enum: [UNDEFINED SANITIZE FORWARD_ONLY APPEND_FORWARD SANITIZE_SET ALWAYS_FORWARD_ONLY] | +| `setCurrentClientCertDetails` _[ProxyConfigProxyHeadersSetCurrentClientCertDetails](#proxyconfigproxyheaderssetcurrentclientcertdetails)_ | This field is valid only when forward_client_cert_details is APPEND_FORWARD or SANITIZE_SET and the client connection is mTLS. It specifies the fields in the client certificate to be forwarded. Note that `Hash` is always set, and `By` is always set when the client certificate presents the URI type Subject Alternative Name value. | | | | `requestId` _[ProxyConfigProxyHeadersRequestId](#proxyconfigproxyheadersrequestid)_ | Controls the `X-Request-Id` header. If enabled, a request ID is generated for each request if one is not already set. This applies to all types of traffic (inbound, outbound, and gateways). If disabled, no request ID will be generate for the request. If it is already present, it will be preserved. Warning: request IDs are a critical component to mesh tracing and logging, so disabling this is not recommended. This header is enabled by default if not configured. | | | | `server` _[ProxyConfigProxyHeadersServer](#proxyconfigproxyheadersserver)_ | Controls the `server` header. If enabled, the `Server: istio-envoy` header is set in response headers for inbound traffic (including gateways). If disabled, the `Server` header is not modified. If it is already present, it will be preserved. 
| | | | `attemptCount` _[ProxyConfigProxyHeadersAttemptCount](#proxyconfigproxyheadersattemptcount)_ | Controls the `X-Envoy-Attempt-Count` header. If enabled, this header will be added on outbound request headers (including gateways) that have retries configured. If disabled, this header will not be set. If it is already present, it will be preserved. This header is enabled by default if not configured. | | | @@ -2313,6 +2323,19 @@ _Underlying type:_ _[struct{Disabled *bool "json:\"disabled,omitempty\""; Value +_Appears in:_ +- [ProxyConfigProxyHeaders](#proxyconfigproxyheaders) + + + +#### ProxyConfigProxyHeadersSetCurrentClientCertDetails + +_Underlying type:_ _[struct{Subject *bool "json:\"subject,omitempty\""; Cert bool "json:\"cert,omitempty\""; Chain bool "json:\"chain,omitempty\""; Dns *bool "json:\"dns,omitempty\""; Uri *bool "json:\"uri,omitempty\""}](#struct{subject-*bool-"json:\"subject,omitempty\"";-cert-bool-"json:\"cert,omitempty\"";-chain-bool-"json:\"chain,omitempty\"";-dns-*bool-"json:\"dns,omitempty\"";-uri-*bool-"json:\"uri,omitempty\""})_ + + + + + _Appears in:_ - [ProxyConfigProxyHeaders](#proxyconfigproxyheaders) @@ -2342,7 +2365,7 @@ _Appears in:_ _Underlying type:_ _string_ Allows specification of various Istio-supported naming schemes for the -Envoy `service_cluster` value. The `servce_cluster` value is primarily used +Envoy `service_cluster` value. The `service_cluster` value is primarily used by Envoys to provide service names for tracing spans. _Validation:_ 
@@ -2413,7 +2436,7 @@ _Appears in:_ | `kind` _string_ | Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds | | | | `apiVersion` _string_ | APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources | | | | `metadata` _[ObjectMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#objectmeta-v1-meta)_ | Refer to Kubernetes API documentation for fields of `metadata`. | | | -| `spec` _[RemoteIstioSpec](#remoteistiospec)_ | | \{ namespace:istio-system updateStrategy:map[type:InPlace] version:v1.23.0 \} | | +| `spec` _[RemoteIstioSpec](#remoteistiospec)_ | | \{ namespace:istio-system updateStrategy:map[type:InPlace] version:v1.23.2 \} | | | `status` _[RemoteIstioStatus](#remoteistiostatus)_ | | | | 
@@ -2511,9 +2534,9 @@ _Appears in:_ | Field | Description | Default | Validation | | --- | --- | --- | --- | -| `version` _string_ | Defines the version of Istio to install. Must be one of: v1.23.0, v1.22.3, v1.21.5, latest. | v1.23.0 | Enum: [v1.23.0 v1.22.3 v1.21.5 latest] | +| `version` _string_ | Defines the version of Istio to install. Must be one of: v1.23.2, v1.22.5, v1.21.6, latest. | v1.23.2 | Enum: [v1.23.2 v1.22.5 v1.21.6 latest] | | `updateStrategy` _[IstioUpdateStrategy](#istioupdatestrategy)_ | Defines the update strategy to use when the version in the RemoteIstio CR is updated. | \{ type:InPlace \} | | -| `profile` _string_ | The built-in installation configuration profile to use. The 'default' profile is always applied. On OpenShift, the 'openshift' profile is also applied on top of 'default'. Must be one of: ambient, default, demo, empty, external, openshift-ambient, openshift, preview, stable. | | Enum: [ambient default demo empty external openshift-ambient openshift preview stable] | +| `profile` _string_ | The built-in installation configuration profile to use. The 'default' profile is always applied. On OpenShift, the 'openshift' profile is also applied on top of 'default'. Must be one of: ambient, default, demo, empty, openshift-ambient, openshift, preview, stable. | | Enum: [ambient default demo empty openshift-ambient openshift preview stable] | | `namespace` _string_ | Namespace to which the Istio components should be installed. | istio-system | | | `values` _[Values](#values)_ | Defines the values to be passed to the Helm charts when installing Istio. | | | 
@@ -2552,7 +2575,7 @@ _Appears in:_ | Field | Description | Default | Validation | | --- | --- | --- | --- | | `address` _string_ | Address of a remove service used for various purposes (access log receiver, metrics receiver, etc.). Can be IP address or a fully qualified DNS name. | | | -| `tlsSettings` _[ClientTLSSettings](#clienttlssettings)_ | Use the `tls_settings` to specify the tls mode to use. If the remote service uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS mode as `ISTIO_MUTUAL`. | | | +| `tlsSettings` _[ClientTLSSettings](#clienttlssettings)_ | Use the `tlsSettings` to specify the tls mode to use. If the remote service uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS mode as `ISTIO_MUTUAL`. | | | | `tcpKeepalive` _[ConnectionPoolSettingsTCPSettingsTcpKeepalive](#connectionpoolsettingstcpsettingstcpkeepalive)_ | If set then set `SO_KEEPALIVE` on the socket to enable TCP Keepalives. | | | 
@@ -2806,7 +2829,7 @@ _Appears in:_ | Field | Description | Default | Validation | | --- | --- | --- | --- | -| `numTrustedProxies` _integer_ | Number of trusted proxies deployed in front of the Istio gateway proxy. When this option is set to value N greater than zero, the trusted client address is assumed to be the Nth address from the right end of the X-Forwarded-For (XFF) header from the incoming request. If the X-Forwarded-For (XFF) header is missing or has fewer than N addresses, the gateway proxy falls back to using the immediate downstream connection's source address as the trusted client address. Note that the gateway proxy will append the downstream connection's source address to the X-Forwarded-For (XFF) address and set the X-Envoy-External-Address header to the trusted client address before forwarding it to the upstream services in the cluster. The default value of num_trusted_proxies is 0. See [Envoy XFF](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#config-http-conn-man-headers-x-forwarded-for) header handling for more details. | | | +| `numTrustedProxies` _integer_ | Number of trusted proxies deployed in front of the Istio gateway proxy. When this option is set to value N greater than zero, the trusted client address is assumed to be the Nth address from the right end of the X-Forwarded-For (XFF) header from the incoming request. If the X-Forwarded-For (XFF) header is missing or has fewer than N addresses, the gateway proxy falls back to using the immediate downstream connection's source address as the trusted client address. Note that the gateway proxy will append the downstream connection's source address to the X-Forwarded-For (XFF) address and set the X-Envoy-External-Address header to the trusted client address before forwarding it to the upstream services in the cluster. The default value of numTrustedProxies is 0. 
See [Envoy XFF](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#config-http-conn-man-headers-x-forwarded-for) header handling for more details. | | | | `forwardClientCertDetails` _[ForwardClientCertDetails](#forwardclientcertdetails)_ | Configures how the gateway proxy handles x-forwarded-client-cert (XFCC) header in the incoming request. | | Enum: [UNDEFINED SANITIZE FORWARD_ONLY APPEND_FORWARD SANITIZE_SET ALWAYS_FORWARD_ONLY] | | `proxyProtocol` _[TopologyProxyProtocolConfiguration](#topologyproxyprotocolconfiguration)_ | Enables [PROXY protocol](http://www.haproxy.org/download/1.5/doc/proxy-protocol.txt) for downstream connections on a gateway. | | | @@ -2951,7 +2974,7 @@ _Appears in:_ | `stackdriver` _[TracingStackdriver](#tracingstackdriver)_ | Use a Stackdriver tracer. | | | | `openCensusAgent` _[TracingOpenCensusAgent](#tracingopencensusagent)_ | Use an OpenCensus tracer exporting to an OpenCensus agent. | | | | `sampling` _float_ | The percentage of requests (0.0 - 100.0) that will be randomly selected for trace generation, if not requested by the client or not forced. Default is 1.0. | | | -| `tlsSettings` _[ClientTLSSettings](#clienttlssettings)_ | Use the tls_settings to specify the tls mode to use. If the remote tracing service uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS mode as `ISTIO_MUTUAL`. | | | +| `tlsSettings` _[ClientTLSSettings](#clienttlssettings)_ | Use the tlsSettings to specify the tls mode to use. If the remote tracing service uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS mode as `ISTIO_MUTUAL`. | | | 
@@ -3065,7 +3088,7 @@ _Appears in:_ | `revision` _string_ | Identifies the revision this installation is associated with. | | | | `meshConfig` _[MeshConfig](#meshconfig)_ | Defines runtime configuration of components, including Istiod and istio-agent behavior. See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options. TODO can this import the real mesh config API? | | | | `base` _[BaseConfig](#baseconfig)_ | Configuration for the base component. | | | -| `istiodRemote` _[IstiodRemoteConfig](#istiodremoteconfig)_ | Configuration for istiod-remote. | | | +| `istiodRemote` _[IstiodRemoteConfig](#istiodremoteconfig)_ | Configuration for istiod-remote. DEPRECATED - istiod-remote chart is removed and replaced with `istio-discovery --set values.istiodRemote.enabled=true` Deprecated: Marked as deprecated in pkg/apis/values_types.proto. | | | | `revisionTags` _string array_ | Specifies the aliases for the Istio control plane revision. A MutatingWebhookConfiguration is created for each alias. | | | | `defaultRevision` _string_ | The name of the default revision in the cluster. | | | | `profile` _string_ | Specifies which installation configuration profile to apply. | | | 
@@ -3087,6 +3110,10 @@ _Appears in:_ | Field | Description | Default | Validation | | --- | --- | --- | --- | | `resources` _[ResourceRequirements](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#resourcerequirements-v1-core)_ | K8s resource settings. See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container | | | +| `affinity` _[Affinity](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#affinity-v1-core)_ | K8s affinity settings for waypoint pods. See https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity | | | +| `topologySpreadConstraints` _[TopologySpreadConstraint](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#topologyspreadconstraint-v1-core) array_ | K8s topology spread constraints settings. See https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ | | | +| `nodeSelector` _[NodeSelector](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#nodeselector-v1-core)_ | K8s node labels settings. See https://kubernetes.io/docs/user-guide/node-selection/ | | | +| `toleration` _[Toleration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#toleration-v1-core) array_ | K8s tolerations settings. See https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ | | | diff --git a/go.mod b/go.mod index 907f2213c..fcd7bd26d 100644 --- a/go.mod +++ b/go.mod 
@@ -7,33 +7,34 @@ go 1.22.0
 replace github.com/imdario/mergo => github.com/imdario/mergo v0.3.5
 
 require (
- github.com/Masterminds/semver/v3 v3.2.1
+ github.com/Masterminds/semver/v3 v3.3.0
 github.com/elastic/crd-ref-docs v0.1.0
 github.com/go-logr/logr v1.4.2
 github.com/google/go-cmp v0.6.0
 github.com/k8snetworkplumbingwg/network-attachment-definition-client v1.4.0
 github.com/magiconair/properties v1.8.7
- github.com/onsi/ginkgo/v2 v2.17.3
- github.com/onsi/gomega v1.33.1
- github.com/prometheus/common v0.55.0
+ github.com/onsi/ginkgo/v2 v2.20.1
+ github.com/onsi/gomega v1.34.2
+ github.com/prometheus/common v0.60.0
 github.com/stretchr/testify v1.9.0
- golang.org/x/mod v0.19.0
- golang.org/x/text v0.16.0
- golang.org/x/tools v0.23.0
+ golang.org/x/mod v0.20.0
+ golang.org/x/text v0.18.0
+ golang.org/x/tools v0.24.0
 gomodules.xyz/jsonpatch/v2 v2.4.0
 gopkg.in/yaml.v3 v3.0.1
- helm.sh/helm/v3 v3.15.1
- istio.io/client-go v1.23.0-alpha.0.0.20240815005320-98e06cc71273
- istio.io/istio v0.0.0-20240815163146-1ad41e17ee31
- k8s.io/api v0.30.3
- k8s.io/apiextensions-apiserver v0.30.3
- k8s.io/apimachinery v0.30.3
- k8s.io/cli-runtime v0.30.3
- k8s.io/client-go v0.30.3
- sigs.k8s.io/controller-runtime v0.18.3
+ helm.sh/helm/v3 v3.16.1
+ istio.io/client-go v1.23.0-alpha.0.0.20241005034300-2c4a3cee6f7d
+ istio.io/istio v0.0.0-20241006152922-6f95f8c912c4
+ k8s.io/api v0.31.1
+ k8s.io/apiextensions-apiserver v0.31.1
+ k8s.io/apimachinery v0.31.1
+ k8s.io/cli-runtime v0.31.1
+ k8s.io/client-go v0.31.1
+ sigs.k8s.io/controller-runtime v0.19.0
 )
 
 require (
+ dario.cat/mergo v1.0.1 // indirect
 github.com/AdaLogics/go-fuzz-headers v0.0.0-20240806141605-e8a1dd7889d6 // indirect
 github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 // indirect
 github.com/BurntSushi/toml v1.3.2 // indirect
@@ -41,22 +42,23 @@ require (
 github.com/Masterminds/goutils v1.1.1 // indirect
 github.com/Masterminds/semver v1.5.0 // indirect
 github.com/Masterminds/sprig v2.22.0+incompatible // indirect
- github.com/Masterminds/sprig/v3 v3.2.3 // indirect
+ github.com/Masterminds/sprig/v3 v3.3.0 // indirect
 github.com/Masterminds/squirrel v1.5.4 // indirect
 github.com/Microsoft/hcsshim v0.11.4 // indirect
 github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
 github.com/beorn7/perks v1.0.1 // indirect
+ github.com/blang/semver/v4 v4.0.0 // indirect
 github.com/cespare/xxhash/v2 v2.3.0 // indirect
 github.com/chai2010/gettext-go v1.0.2 // indirect
 github.com/containerd/containerd v1.7.12 // indirect
 github.com/containerd/log v0.1.0 // indirect
- github.com/cyphar/filepath-securejoin v0.2.4 // indirect
+ github.com/cyphar/filepath-securejoin v0.3.1 // indirect
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 github.com/distribution/reference v0.5.0 // indirect
- github.com/docker/cli v27.1.1+incompatible // indirect
+ github.com/docker/cli v27.3.1+incompatible // indirect
 github.com/docker/distribution v2.8.3+incompatible // indirect
 github.com/docker/docker v26.0.2+incompatible // indirect
- github.com/docker/docker-credential-helpers v0.8.1 // indirect
+ github.com/docker/docker-credential-helpers v0.8.2 // indirect
 github.com/docker/go-connections v0.5.0 // indirect
 github.com/docker/go-metrics v0.0.1 // indirect
 github.com/emicklei/go-restful/v3 v3.12.0 // indirect
@@ -66,6 +68,7 @@ require (
 github.com/fatih/color v1.17.0 // indirect
 github.com/felixge/httpsnoop v1.0.4 // indirect
 github.com/fsnotify/fsnotify v1.7.0 // indirect
+ github.com/fxamacker/cbor/v2 v2.7.0 // indirect
 github.com/go-errors/errors v1.5.1 // indirect
 github.com/go-gorp/gorp/v3 v3.1.0 // indirect
 github.com/go-logr/stdr v1.2.2 // indirect
@@ -83,11 +86,11 @@ require (
 github.com/google/btree v1.1.2 // indirect
 github.com/google/gnostic-models v0.6.8 // indirect
 github.com/google/gofuzz v1.2.0 // indirect
- github.com/google/pprof v0.0.0-20240424215950-a892ee059fd6 // indirect
+ github.com/google/pprof v0.0.0-20240827171923-fa2c70bbbfe5 // indirect
 github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
 github.com/google/uuid v1.6.0 // indirect
 github.com/gorilla/mux v1.8.1 // indirect
- github.com/gorilla/websocket v1.5.1 // indirect
+ github.com/gorilla/websocket v1.5.3 // indirect
 github.com/gosuri/uitable v0.0.4 // indirect
 github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 // indirect
 github.com/hashicorp/errwrap v1.1.0 // indirect
@@ -95,10 +98,10 @@ require (
 github.com/huandu/xstrings v1.5.0 // indirect
 github.com/imdario/mergo v1.0.0 // indirect
 github.com/inconshreveable/mousetrap v1.1.0 // indirect
- github.com/jmoiron/sqlx v1.3.5 // indirect
+ github.com/jmoiron/sqlx v1.4.0 // indirect
 github.com/josharian/intern v1.0.0 // indirect
 github.com/json-iterator/go v1.1.12 // indirect
- github.com/klauspost/compress v1.17.8 // indirect
+ github.com/klauspost/compress v1.17.9 // indirect
 github.com/lann/builder v0.0.0-20180802200727-47ae307949d0 // indirect
 github.com/lann/ps v0.0.0-20150810152359-62de8c46ede0 // indirect
 github.com/lib/pq v1.10.9 // indirect
@@ -111,7 +114,7 @@ require (
 github.com/mitchellh/go-wordwrap v1.0.1 // indirect
 github.com/mitchellh/reflectwalk v1.0.2 // indirect
 github.com/moby/locker v1.0.1 // indirect
- github.com/moby/spdystream v0.2.0 // indirect
+ github.com/moby/spdystream v0.4.0 // indirect
 github.com/moby/term v0.5.0 // indirect
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 github.com/modern-go/reflect2 v1.0.2 // indirect
@@ -119,60 +122,62 @@ require (
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f // indirect
 github.com/opencontainers/go-digest v1.0.0 // indirect
- github.com/opencontainers/image-spec v1.1.0-rc6 // indirect
+ github.com/opencontainers/image-spec v1.1.0 // indirect
 github.com/peterbourgon/diskv v2.0.1+incompatible // indirect
 github.com/pkg/errors v0.9.1 // indirect
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
- github.com/prometheus/client_golang v1.19.1 // indirect
+ github.com/prometheus/client_golang v1.20.4 // indirect
 github.com/prometheus/client_model v0.6.1 // indirect
 github.com/prometheus/procfs v0.15.1 // indirect
 github.com/rivo/uniseg v0.4.6 // indirect
- github.com/rubenv/sql-migrate v1.5.2 // indirect
+ github.com/rubenv/sql-migrate v1.7.0 // indirect
 github.com/russross/blackfriday/v2 v2.1.0 // indirect
- github.com/shopspring/decimal v1.3.1 // indirect
+ github.com/shopspring/decimal v1.4.0 // indirect
 github.com/sirupsen/logrus v1.9.3 // indirect
- github.com/spf13/cast v1.6.0 // indirect
+ github.com/spf13/cast v1.7.0 // indirect
 github.com/spf13/cobra v1.8.1 // indirect
 github.com/spf13/pflag v1.0.5 // indirect
+ github.com/x448/float16 v0.8.4 // indirect
 github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
 github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
 github.com/xeipuuv/gojsonschema v1.2.0 // indirect
 github.com/xlab/treeprint v1.2.0 // indirect
- go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.50.0 // indirect
- go.opentelemetry.io/otel v1.28.0 // indirect
- go.opentelemetry.io/otel/metric v1.28.0 // indirect
- go.opentelemetry.io/otel/trace v1.28.0 // indirect
+ go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0 // indirect
+ go.opentelemetry.io/otel v1.30.0 // indirect
+ go.opentelemetry.io/otel/metric v1.30.0 // indirect
+ go.opentelemetry.io/otel/trace v1.30.0 // indirect
 go.starlark.net v0.0.0-20231121155337-90ade8b19d09 // indirect
 go.uber.org/multierr v1.11.0 // indirect
 go.uber.org/zap v1.27.0 // indirect
- golang.org/x/crypto v0.25.0 // indirect
- golang.org/x/exp v0.0.0-20240716175740-e3f259677ff7 // indirect
- golang.org/x/net v0.27.0 // indirect
- golang.org/x/oauth2 v0.21.0 // indirect
- golang.org/x/sync v0.7.0 // indirect
- golang.org/x/sys v0.22.0 // indirect
- golang.org/x/term v0.22.0 // indirect
- golang.org/x/time v0.5.0 // indirect
+ golang.org/x/crypto v0.27.0 // indirect
+ golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 // indirect
+ golang.org/x/net v0.29.0 // indirect
+ golang.org/x/oauth2 v0.23.0 // indirect
+ golang.org/x/sync v0.8.0 // indirect
+ golang.org/x/sys v0.25.0 // indirect
+ golang.org/x/term v0.24.0 // indirect
+ golang.org/x/time v0.6.0 // indirect
 golang.org/x/xerrors v0.0.0-20240716161551-93cc26a95ae9 // indirect
- google.golang.org/genproto/googleapis/api v0.0.0-20240711142825-46eb208f015d // indirect
- google.golang.org/genproto/googleapis/rpc v0.0.0-20240711142825-46eb208f015d // indirect
- google.golang.org/grpc v1.65.0 // indirect
+ google.golang.org/genproto/googleapis/api v0.0.0-20240930140551-af27646dc61f // indirect
+ google.golang.org/genproto/googleapis/rpc v0.0.0-20240930140551-af27646dc61f // indirect
+ google.golang.org/grpc v1.67.1 // indirect
 google.golang.org/protobuf v1.34.2 // indirect
+ gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
 gopkg.in/inf.v0 v0.9.1 // indirect
 gopkg.in/yaml.v2 v2.4.0 // indirect
 gotest.tools/v3 v3.5.1 // indirect
- istio.io/api v1.23.0-alpha.0.0.20240815004820-dd780031d531 // indirect
- k8s.io/apiserver v0.30.3 // indirect
- k8s.io/component-base v0.30.3 // indirect
+ istio.io/api v1.23.0-alpha.0.0.20241005033901-9723aca52e22 // indirect
+ k8s.io/apiserver v0.31.1 // indirect
+ k8s.io/component-base v0.31.1 // indirect
 k8s.io/klog/v2 v2.130.1 // indirect
 k8s.io/kube-openapi v0.0.0-20240423202451-8948a665c108 // indirect
- k8s.io/kubectl v0.30.3 // indirect
- k8s.io/utils v0.0.0-20240711033017-18e509b52bc8 // indirect
+ k8s.io/kubectl v0.31.1 // indirect
+ k8s.io/utils v0.0.0-20240921022957-49e7df575cb6 // indirect
 oras.land/oras-go v1.2.5 // indirect
 sigs.k8s.io/controller-tools v0.15.0 // indirect
 sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
- sigs.k8s.io/kustomize/api v0.13.5-0.20230601165947-6ce0bf390ce3 // indirect
- sigs.k8s.io/kustomize/kyaml v0.16.0 // indirect
+ sigs.k8s.io/kustomize/api v0.17.2 // indirect
+ sigs.k8s.io/kustomize/kyaml v0.17.1 // indirect
 sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect
 sigs.k8s.io/yaml v1.4.0 // indirect
 )
diff --git a/go.sum b/go.sum
index 81a3e2c53..0cdb5dc87 100644
--- a/go.sum
+++ b/go.sum
@@ -1,3 +1,7 @@
+dario.cat/mergo v1.0.1 h1:Ra4+bf83h2ztPIQYNP99R6m+Y7KfnARDfID+a+vLl4s=
+dario.cat/mergo v1.0.1/go.mod h1:uNxQE+84aUszobStD9th8a29P2fMDhsBdgRYvZOxGmk=
+filippo.io/edwards25519 v1.1.0 h1:FNf4tywRC1HmFuKW5xopWpigGjJKiJSV0Cqo0cJWDaA=
+filippo.io/edwards25519 v1.1.0/go.mod h1:BxyFTGdWcka3PhytdK4V28tE5sGfRvvvRV7EaN4VDT4=
 github.com/AdaLogics/go-fuzz-headers v0.0.0-20240806141605-e8a1dd7889d6 h1:He8afgbRMd7mFxO99hRNu+6tazq8nFF9lIwo9JFroBk=
 github.com/AdaLogics/go-fuzz-headers v0.0.0-20240806141605-e8a1dd7889d6/go.mod h1:8o94RPi1/7XTJvwPpRSzSUedZrtlirdB3r9Z20bi2f8=
 github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 h1:L/gRVlceqvL25UVaW/CKtUDjefjrs0SPonmDGUVOYP0=
@@ -12,13 +16,12 @@ github.com/Masterminds/goutils v1.1.1 h1:5nUrii3FMTL5diU80unEVvNevw1nH4+ZV4DSLVJ
 github.com/Masterminds/goutils v1.1.1/go.mod h1:8cTjp+g8YejhMuvIA5y2vz3BpJxksy863GQaJW2MFNU=
 github.com/Masterminds/semver v1.5.0 h1:H65muMkzWKEuNDnfl9d70GUjFniHKHRbFPGBuZ3QEww=
 github.com/Masterminds/semver v1.5.0/go.mod h1:MB6lktGJrhw8PrUyiEoblNEGEQ+RzHPF078ddwwvV3Y=
-github.com/Masterminds/semver/v3 v3.2.0/go.mod h1:qvl/7zhW3nngYb5+80sSMF+FG2BjYrf8m9wsX0PNOMQ=
-github.com/Masterminds/semver/v3 v3.2.1 h1:RN9w6+7QoMeJVGyfmbcgs28Br8cvmnucEXnY0rYXWg0=
-github.com/Masterminds/semver/v3 v3.2.1/go.mod h1:qvl/7zhW3nngYb5+80sSMF+FG2BjYrf8m9wsX0PNOMQ=
+github.com/Masterminds/semver/v3 v3.3.0 h1:B8LGeaivUe71a5qox1ICM/JLl0NqZSW5CHyL+hmvYS0=
+github.com/Masterminds/semver/v3 v3.3.0/go.mod h1:4V+yj/TJE1HU9XfppCwVMZq3I84lprf4nC11bSS5beM=
 github.com/Masterminds/sprig v2.22.0+incompatible h1:z4yfnGrZ7netVz+0EDJ0Wi+5VZCSYp4Z0m2dk6cEM60=
 github.com/Masterminds/sprig v2.22.0+incompatible/go.mod h1:y6hNFY5UBTIWBxnzTeuNhlNS5hqE0NB0E6fgfo2Br3o=
-github.com/Masterminds/sprig/v3 v3.2.3 h1:eL2fZNezLomi0uOLqjQoN6BfsDD+fyLtgbJMAj9n6YA=
-github.com/Masterminds/sprig/v3 v3.2.3/go.mod h1:rXcFaZ2zZbLRJv/xSysmlgIM1u11eBaRMhvYXJNkGuM=
+github.com/Masterminds/sprig/v3 v3.3.0 h1:mQh0Yrg1XPo6vjYXgtf5OtijNAKJRNcTdOOGZe3tPhs=
+github.com/Masterminds/sprig/v3 v3.3.0/go.mod h1:Zy1iXRYNqNLUolqCpL4uhk6SHUMAOSCzdgBfDb35Lz0=
 github.com/Masterminds/squirrel v1.5.4 h1:uUcX/aBc8O7Fg9kaISIUsHXdKuqehiXAMQTYX8afzqM=
 github.com/Masterminds/squirrel v1.5.4/go.mod h1:NNaOrjSoIDfDA40n7sr2tPNZRfjzjA400rg+riTZj10=
 github.com/Microsoft/go-winio v0.6.1 h1:9/kr64B9VUZrLm5YYwbGtUJnMgqWVOdUAXu6Migciow=
@@ -37,6 +40,8 @@ github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24 github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8= github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw= +github.com/blang/semver/v4 v4.0.0 h1:1PFHFE6yCCTv8C1TeyNNarDzntLi7wMI5i/pzqYIsAM= +github.com/blang/semver/v4 v4.0.0/go.mod h1:IbckMUScFkM3pff0VJDNKRiT6TG/YpiHIM2yvyW5YoQ= github.com/bshuster-repo/logrus-logstash-hook v1.0.0 h1:e+C0SB5R1pu//O4MQ3f9cFuPGoOVeF2fE4Og9otCc70= github.com/bshuster-repo/logrus-logstash-hook v1.0.0/go.mod h1:zsTqEiSzDgAa/8GZR7E1qaXrhYNDKBYy5/dWPTIflbk= github.com/bugsnag/bugsnag-go v0.0.0-20141110184014-b1d153021fcd h1:rFt+Y/IK1aEZkEHchZRSq9OQbsSzIT/OrI8YFFmRIng= @@ -60,8 +65,8 @@ github.com/containerd/log v0.1.0/go.mod h1:VRRf09a7mHDIRezVKTRCrOq78v577GXq3bSa3 github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= github.com/creack/pty v1.1.18 h1:n56/Zwd5o6whRC5PMGretI4IdRLlmBXYNjScPaBgsbY= github.com/creack/pty v1.1.18/go.mod h1:MOBLtS5ELjhRRrroQr9kyvTxUAFNvYEK993ew/Vr4O4= -github.com/cyphar/filepath-securejoin v0.2.4 h1:Ugdm7cg7i6ZK6x3xDF1oEu1nfkyfH53EtKeQYTC3kyg= -github.com/cyphar/filepath-securejoin v0.2.4/go.mod h1:aPGpWjXOXUn2NCNjFvBE6aRxGGx79pTxQpKOJNYHHl4= +github.com/cyphar/filepath-securejoin v0.3.1 h1:1V7cHiaW+C+39wEfpH6XlLBQo3j/PciWFrgfCLS8XrE= +github.com/cyphar/filepath-securejoin v0.3.1/go.mod h1:F7i41x/9cBF7lzCrVsYs9fuzwRZm4NQsGTBdpp6mETc= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM= 
@@ -70,14 +75,14 @@ github.com/distribution/distribution/v3 v3.0.0-20221208165359-362910506bc2 h1:aB github.com/distribution/distribution/v3 v3.0.0-20221208165359-362910506bc2/go.mod h1:WHNsWjnIn2V1LYOrME7e8KxSeKunYHsxEm4am0BUtcI= github.com/distribution/reference v0.5.0 h1:/FUIFXtfc/x2gpa5/VGfiGLuOIdYa1t65IKK2OFGvA0= github.com/distribution/reference v0.5.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E= -github.com/docker/cli v27.1.1+incompatible h1:goaZxOqs4QKxznZjjBWKONQci/MywhtRv2oNn0GkeZE= -github.com/docker/cli v27.1.1+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= +github.com/docker/cli v27.3.1+incompatible h1:qEGdFBF3Xu6SCvCYhc7CzaQTlBmqDuzxPDpigSyeKQQ= +github.com/docker/cli v27.3.1+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= github.com/docker/distribution v2.8.3+incompatible h1:AtKxIZ36LoNK51+Z6RpzLpddBirtxJnzDrHLEKxTAYk= github.com/docker/distribution v2.8.3+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= github.com/docker/docker v26.0.2+incompatible h1:yGVmKUFGgcxA6PXWAokO0sQL22BrQ67cgVjko8tGdXE= github.com/docker/docker v26.0.2+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= -github.com/docker/docker-credential-helpers v0.8.1 h1:j/eKUktUltBtMzKqmfLB0PAgqYyMHOp5vfsD1807oKo= -github.com/docker/docker-credential-helpers v0.8.1/go.mod h1:P3ci7E3lwkZg6XiHdRKft1KckHiO9a2rNtyFbZ/ry9M= +github.com/docker/docker-credential-helpers v0.8.2 h1:bX3YxiGzFP5sOXWc3bTPEXdEaZSeVMrFgOr3T+zrFAo= +github.com/docker/docker-credential-helpers v0.8.2/go.mod h1:P3ci7E3lwkZg6XiHdRKft1KckHiO9a2rNtyFbZ/ry9M= github.com/docker/go-connections v0.5.0 h1:USnMq7hx7gwdVZq1L49hLXaFtUdTADjXGp+uj1Br63c= github.com/docker/go-connections v0.5.0/go.mod h1:ov60Kzw0kKElRwhNs9UlUHAE/F9Fe6GLaXnqyDdmEXc= github.com/docker/go-events v0.0.0-20190806004212-e31b211e4f1c h1:+pKlWGMw7gf6bQ+oDZB4KHQFypsfjYlq/C4rfL7D3g8= 
@@ -100,12 +105,14 @@ github.com/fatih/color v1.17.0 h1:GlRw1BRJxkpqUCBKzKOw098ed57fEsKeNjpTe3cSjK4= github.com/fatih/color v1.17.0/go.mod h1:YZ7TlrGPkiz6ku9fK3TLD/pl3CpsiFyu8N92HLgmosI= github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg= github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U= -github.com/foxcpp/go-mockdns v1.0.0 h1:7jBqxd3WDWwi/6WhDvacvH1XsN3rOLXyHM1uhvIx6FI= -github.com/foxcpp/go-mockdns v1.0.0/go.mod h1:lgRN6+KxQBawyIghpnl5CezHFGS9VLzvtVlwxvzXTQ4= +github.com/foxcpp/go-mockdns v1.1.0 h1:jI0rD8M0wuYAxL7r/ynTrCQQq0BVqfB99Vgk7DlmewI= +github.com/foxcpp/go-mockdns v1.1.0/go.mod h1:IhLeSFGed3mJIAXPH2aiRQB+kqz7oqu8ld2qVbOu7Wk= github.com/frankban/quicktest v1.14.6 h1:7Xjx+VpznH+oBnejlPUj8oUpdxnVs4f8XU8WnHkI4W8= github.com/frankban/quicktest v1.14.6/go.mod h1:4ptaffx2x8+WTWXmUCuVU6aPUX1/Mz7zb5vbUoiM6w0= github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA= github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyTJwOpGvigM= +github.com/fxamacker/cbor/v2 v2.7.0 h1:iM5WgngdRBanHcxugY4JySA0nk1wZorNOpTgCMedv5E= +github.com/fxamacker/cbor/v2 v2.7.0/go.mod h1:pxXPTn3joSm21Gbwsv0w9OSA2y1HFR9qXEeXQVeNoDQ= github.com/go-errors/errors v1.5.1 h1:ZwEMSLRCapFLflTpT7NKaAc7ukJ8ZPEjzlxt8rPN8bk= github.com/go-errors/errors v1.5.1/go.mod h1:sIVyrIiJhuEF+Pj9Ebtd6P/rEYROXFi3BopGUQ5a5Og= github.com/go-gorp/gorp/v3 v3.1.0 h1:ItKF/Vbuj31dmV4jxA1qblpSwkl9g1typ24xoe70IGs= 
@@ -132,19 +139,13 @@ github.com/go-playground/universal-translator v0.17.0 h1:icxd5fm+REJzpZx7ZfpaD87 github.com/go-playground/universal-translator v0.17.0/go.mod h1:UkSxE5sNxxRwHyU+Scu5vgOQjsIJAF8j9muTVoKLVtA= github.com/go-playground/validator/v10 v10.4.1 h1:pH2c5ADXtd66mxoE0Zm9SUhxE20r7aM3F26W0hOn+GE= github.com/go-playground/validator/v10 v10.4.1/go.mod h1:nlOn6nFhuKACm19sB/8EGNn9GlaMV7XkbRSipzJ0Ii4= -github.com/go-sql-driver/mysql v1.6.0 h1:BCTh4TKNUYmOmMUcQ3IipzF5prigylS7XXjEkfCHuOE= -github.com/go-sql-driver/mysql v1.6.0/go.mod h1:DCzpHaOWr8IXmIStZouvnhqoel9Qv2LBy8hT2VhHyBg= +github.com/go-sql-driver/mysql v1.8.1 h1:LedoTUt/eveggdHS9qUFC1EFSa8bU2+1pZjSRpvNJ1Y= +github.com/go-sql-driver/mysql v1.8.1/go.mod h1:wEBSXgmK//2ZFJyE+qWnIsVGmvmEKlqwuVSjsCm7DZg= github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY= github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1vB6EwHI= github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8= github.com/gobuffalo/flect v1.0.2 h1:eqjPGSo2WmjgY2XlpGwo2NXgL3RucAKo4k4qQMNA5sA= github.com/gobuffalo/flect v1.0.2/go.mod h1:A5msMlrHtLqh9umBSnvabjsMrCcCpAyzglnDvkbYKHs= -github.com/gobuffalo/logger v1.0.6 h1:nnZNpxYo0zx+Aj9RfMPBm+x9zAU2OayFh/xrAWi34HU= -github.com/gobuffalo/logger v1.0.6/go.mod h1:J31TBEHR1QLV2683OXTAItYIg8pv2JMHnF/quuAbMjs= -github.com/gobuffalo/packd v1.0.1 h1:U2wXfRr4E9DH8IdsDLlRFwTZTK7hLfq9qT/QHXGVe/0= -github.com/gobuffalo/packd v1.0.1/go.mod h1:PP2POP3p3RXGz7Jh6eYEf93S7vA2za6xM7QT85L4+VY= -github.com/gobuffalo/packr/v2 v2.8.3 h1:xE1yzvnO56cUC0sTpKR3DIbxZgB54AftTFMhB2XEWlY= -github.com/gobuffalo/packr/v2 v2.8.3/go.mod h1:0SahksCVcx4IMnigTjiFuyldmTrdTctXsOdiU5KwbKc= github.com/gobwas/glob v0.2.3 h1:A4xDbljILXROh+kObIiy5kIaPYD8e96x1tgBhUI5J+Y= github.com/gobwas/glob v0.2.3/go.mod h1:d3Ez4x06l9bZtSvzIay5+Yzi0fmZzPgnTbPcKjJAkT8= github.com/goccy/go-yaml v1.12.0 h1:/1WHjnMsI1dlIBQutrvSMGZRQufVO3asrHfTwfACoPM= 
@@ -172,20 +173,18 @@ github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeN github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0= github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= -github.com/google/pprof v0.0.0-20240424215950-a892ee059fd6 h1:k7nVchz72niMH6YLQNvHSdIE7iqsQxK1P41mySCvssg= -github.com/google/pprof v0.0.0-20240424215950-a892ee059fd6/go.mod h1:kf6iHlnVGwgKolg33glAes7Yg/8iWP8ukqeldJSO7jw= +github.com/google/pprof v0.0.0-20240827171923-fa2c70bbbfe5 h1:5iH8iuqE5apketRbSFBy+X1V0o+l+8NF1avt4HWl7cA= +github.com/google/pprof v0.0.0-20240827171923-fa2c70bbbfe5/go.mod h1:vavhavw2zAxS5dIdcRluK6cSGGPlZynqzFM8NdvU144= github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 h1:El6M4kTTCOh6aBiKaUGG7oYTSPP8MxqL4YI3kZKwcP4= github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510/go.mod h1:pupxD2MaaD3pAXIBCelhxNneeOaAeabZDe5s4K6zSpQ= -github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0= github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/gorilla/handlers v1.5.1 h1:9lRY6j8DEeeBT10CvO9hGW0gmky0BprnvDI5vfhUHH4= github.com/gorilla/handlers v1.5.1/go.mod h1:t8XrUpc4KVXb7HGyJ4/cEnwQiaxrX/hz1Zv/4g96P1Q= github.com/gorilla/mux v1.8.1 h1:TuBL49tXwgrFYWhqrNgrUNEY92u81SPhu7sTdzQEiWY= github.com/gorilla/mux v1.8.1/go.mod h1:AKf9I4AEqPTmMytcMc0KkNouC66V3BtZ4qD5fmWSiMQ= -github.com/gorilla/websocket v1.4.2/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE= -github.com/gorilla/websocket v1.5.1 h1:gmztn0JnHVt9JZquRuzLw3g4wouNVzKL15iLr/zn/QY= -github.com/gorilla/websocket v1.5.1/go.mod h1:x3kM2JMyaluk02fnUJpQuwD2dCS5NDG2ZHL0uE0tcaY= +github.com/gorilla/websocket v1.5.3 h1:saDtZ6Pbx/0u+bgYQ3q96pZgCzfhKXGPqt7kZ72aNNg= +github.com/gorilla/websocket 
v1.5.3/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE= github.com/gosuri/uitable v0.0.4 h1:IG2xLKRvErL3uhY6e1BylFzG+aJiwQviDDTfOKeKTpY= github.com/gosuri/uitable v0.0.4/go.mod h1:tKR86bXuXPZazfOTG1FIzvjIdXzd0mo4Vtn16vt0PJo= github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 h1:+ngKgrYPPJrOjhax5N+uePQ0Fh1Z7PheYoUI/0nzkPA= @@ -197,15 +196,14 @@ github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+l github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM= github.com/hashicorp/golang-lru v0.5.4 h1:YDjusn29QI/Das2iO9M0BHnIbxPeyuCHsjMW+lJfyTc= github.com/hashicorp/golang-lru v0.5.4/go.mod h1:iADmTwqILo4mZ8BN3D2Q6+9jd8WM5uGBxy+E8yxSoD4= -github.com/huandu/xstrings v1.3.3/go.mod h1:y5/lhBue+AyNmUVz9RLU9xbLR0o4KIIExikq4ovT0aE= github.com/huandu/xstrings v1.5.0 h1:2ag3IFq9ZDANvthTwTiqSSZLjDc+BedvHPAp5tJy2TI= github.com/huandu/xstrings v1.5.0/go.mod h1:y5/lhBue+AyNmUVz9RLU9xbLR0o4KIIExikq4ovT0aE= github.com/imdario/mergo v0.3.5 h1:JboBksRwiiAJWvIYJVo46AfV+IAIKZpfrSzVKj42R4Q= github.com/imdario/mergo v0.3.5/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA= github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8= github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw= -github.com/jmoiron/sqlx v1.3.5 h1:vFFPA71p1o5gAeqtEAwLU4dnX2napprKtHr7PYIcN3g= -github.com/jmoiron/sqlx v1.3.5/go.mod h1:nRVWtLre0KfCLJvgxzCsLVMogSvQ1zNJtpYr2Ccp0mQ= +github.com/jmoiron/sqlx v1.4.0 h1:1PLqN7S1UYp5t4SrVVnt4nUVNemrDAtxlulVe+Qgm3o= +github.com/jmoiron/sqlx v1.4.0/go.mod h1:ZrZ7UsYB/weZdl2Bxg6jCRO9c3YHl8r3ahlKmRT4JLY= github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY= github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y= github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU= 
@@ -215,25 +213,24 @@ github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHm github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w= github.com/k8snetworkplumbingwg/network-attachment-definition-client v1.4.0 h1:VzM3TYHDgqPkettiP6I6q2jOeQFL4nrJM+UcAc4f6Fs= github.com/k8snetworkplumbingwg/network-attachment-definition-client v1.4.0/go.mod h1:nqCI7aelBJU61wiBeeZWJ6oi4bJy5nrjkM6lWIMA4j0= -github.com/karrick/godirwalk v1.16.1 h1:DynhcF+bztK8gooS0+NDJFrdNZjJ3gzVzC545UNA9iw= -github.com/karrick/godirwalk v1.16.1/go.mod h1:j4mkqPuvaLI8mp1DroR3P6ad7cyYd4c1qeJ3RV7ULlk= github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= -github.com/klauspost/compress v1.17.8 h1:YcnTYrq7MikUT7k0Yb5eceMmALQPYBW/Xltxn0NAMnU= -github.com/klauspost/compress v1.17.8/go.mod h1:Di0epgTjJY877eYKx5yC51cX2A2Vl2ibi7bDH9ttBbw= +github.com/klauspost/compress v1.17.9 h1:6KIumPrER1LHsvBVuDa0r5xaG0Es51mhhB9BQB2qeMA= +github.com/klauspost/compress v1.17.9/go.mod h1:Di0epgTjJY877eYKx5yC51cX2A2Vl2ibi7bDH9ttBbw= github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc= github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE= github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk= github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= +github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc= +github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw= github.com/lann/builder v0.0.0-20180802200727-47ae307949d0 h1:SOEGU9fKiNWd/HOJuq6+3iTQz8KNCLtVX6idSoTLdUw= 
github.com/lann/builder v0.0.0-20180802200727-47ae307949d0/go.mod h1:dXGbAdH5GtBTC4WfIxhKZfyBF/HBFgRZSWwZ9g/He9o= github.com/lann/ps v0.0.0-20150810152359-62de8c46ede0 h1:P6pPBnrTSX3DEVR4fDembhRWSsG5rVo6hYhAB/ADZrk= github.com/lann/ps v0.0.0-20150810152359-62de8c46ede0/go.mod h1:vmVJ0l/dxyfGW6FmdpVm2joNMFikkuWg0EoCKLGUMNw= github.com/leodido/go-urn v1.2.0 h1:hpXL4XnriNwQ/ABnpepYM/1vCLWNDfUNts8dX3xTG6Y= github.com/leodido/go-urn v1.2.0/go.mod h1:+8+nEpDfqqsY+g338gtMEUOtuK+4dEMhiQEgxpxOKII= -github.com/lib/pq v1.2.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo= github.com/lib/pq v1.10.9 h1:YXG7RB+JIjhP29X+OtkiDnYaXQwpS4JEWq7dtCCRUEw= github.com/lib/pq v1.10.9/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o= github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de h1:9TO3cAIGXtEhnIaL+V+BEER86oLrvS+kWobKpbJuye0= @@ -242,12 +239,6 @@ github.com/magiconair/properties v1.8.7 h1:IeQXZAiQcpL9mgcAe1Nu6cX9LLw6ExEHKjN0V github.com/magiconair/properties v1.8.7/go.mod h1:Dhd985XPs7jluiymwWYZ0G4Z61jb3vdS329zhj2hYo0= github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0= github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc= -github.com/markbates/errx v1.1.0 h1:QDFeR+UP95dO12JgW+tgi2UVfo0V8YBHiUIOaeBPiEI= -github.com/markbates/errx v1.1.0/go.mod h1:PLa46Oex9KNbVDZhKel8v1OT7hD5JZ2eI7AHhA0wswc= -github.com/markbates/oncer v1.0.0 h1:E83IaVAHygyndzPimgUYJjbshhDTALZyXxvk9FOlQRY= -github.com/markbates/oncer v1.0.0/go.mod h1:Z59JA581E9GP6w96jai+TGqafHPW+cPfRxz2aSZ0mcI= -github.com/markbates/safe v1.0.1 h1:yjZkbvRM6IzKj9tlu/zMJLS0n/V351OZWRnF3QfaUxI= -github.com/markbates/safe v1.0.1/go.mod h1:nAqgmRi7cY2nqMc92/bSEeQA+R4OheNU2T1kNSCBdG0= github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA= github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg= github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM= 
@@ -255,24 +246,21 @@ github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWE github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y= github.com/mattn/go-runewidth v0.0.15 h1:UNAjwbU9l54TA3KzvqLGxwWjHmMgBUVhBiTjelZgg3U= github.com/mattn/go-runewidth v0.0.15/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w= -github.com/mattn/go-sqlite3 v1.14.6/go.mod h1:NyWgC/yNuGj7Q9rpYnZvas74GogHl5/Z4A/KQRfk6bU= -github.com/mattn/go-sqlite3 v1.14.15 h1:vfoHhTN1af61xCRSWzFIWzx2YskyMTwHLrExkBOjvxI= -github.com/mattn/go-sqlite3 v1.14.15/go.mod h1:2eHXhiwb8IkHr+BDWZGa96P6+rkvnG63S2DGjv9HUNg= +github.com/mattn/go-sqlite3 v1.14.22 h1:2gZY6PC6kBnID23Tichd1K+Z0oS6nE/XwU+Vz/5o4kU= +github.com/mattn/go-sqlite3 v1.14.22/go.mod h1:Uh1q+B4BYcTPb+yiD3kU8Ct7aC0hY9fxUwlHK0RXw+Y= github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0= -github.com/miekg/dns v1.1.59 h1:C9EXc/UToRwKLhK5wKU/I4QVsBUc8kE6MkHBkeypWZs= -github.com/miekg/dns v1.1.59/go.mod h1:nZpewl5p6IvctfgrckopVx2OlSEHPRO/U4SYkRklrEk= -github.com/mitchellh/copystructure v1.0.0/go.mod h1:SNtv71yrdKgLRyLFxmLdkAbkKEFWgYaq1OVrnRcwhnw= +github.com/miekg/dns v1.1.62 h1:cN8OuEF1/x5Rq6Np+h1epln8OiyPWV+lROx9LxcGgIQ= +github.com/miekg/dns v1.1.62/go.mod h1:mvDlcItzm+br7MToIKqkglaGhlFMHJ9DTNNWONWXbNQ= github.com/mitchellh/copystructure v1.2.0 h1:vpKXTN4ewci03Vljg/q9QvCGUDttBOGBIa15WveJJGw= github.com/mitchellh/copystructure v1.2.0/go.mod h1:qLl+cE2AmVv+CoeAwDPye/v+N2HKCj9FbZEVFJRxO9s= github.com/mitchellh/go-wordwrap v1.0.1 h1:TLuKupo69TCn6TQSyGxwI1EblZZEsQ0vMlAFQflz0v0= github.com/mitchellh/go-wordwrap v1.0.1/go.mod h1:R62XHJLzvMFRBbcrT7m7WgmE1eOyTSsCt+hzestvNj0= -github.com/mitchellh/reflectwalk v1.0.0/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw= github.com/mitchellh/reflectwalk v1.0.2 h1:G2LzWKi524PWgd3mLHV8Y5k7s6XUvT0Gef6zxSIeXaQ= github.com/mitchellh/reflectwalk v1.0.2/go.mod 
h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw= github.com/moby/locker v1.0.1 h1:fOXqR41zeveg4fFODix+1Ch4mj/gT0NE1XJbp/epuBg= github.com/moby/locker v1.0.1/go.mod h1:S7SDdo5zpBK84bzzVlKr2V0hz+7x9hWbYC/kq7oQppc= -github.com/moby/spdystream v0.2.0 h1:cjW1zVyyoiM0T7b6UoySUFqzXMoqRckQtXwGPiBhOM8= -github.com/moby/spdystream v0.2.0/go.mod h1:f7i0iNDQJ059oMTcWxx8MA/zKFIuD/lY+0GqbN2Wy8c= +github.com/moby/spdystream v0.4.0 h1:Vy79D6mHeJJjiPdFEL2yku1kl0chZpJfZcPpb16BRl8= +github.com/moby/spdystream v0.4.0/go.mod h1:xBAYlnt/ay+11ShkdFKNAG7LsyK/tmNBVvVOwrfMgdI= github.com/moby/sys/mountinfo v0.6.2 h1:BzJjoreD5BMFNmD9Rus6gdd1pLuecOFPt8wC+Vygl78= github.com/moby/sys/mountinfo v0.6.2/go.mod h1:IJb6JQeOklcdMU9F5xQ8ZALD+CUr5VlGpwtX+VE0rpI= github.com/moby/term v0.5.0 h1:xt8Q1nalod/v7BqbG21f8mQPqH+xAaC9C3N3wfWbVP0= 
@@ -295,14 +283,14 @@ github.com/nxadm/tail v1.4.8 h1:nPr65rt6Y5JFSKQO7qToXr7pePgD6Gwiw05lkbyAQTE= github.com/nxadm/tail v1.4.8/go.mod h1:+ncqLTQzXmGhMZNUePPaPqPvBxHAIsmXswZKocGu+AU= github.com/onsi/ginkgo v1.16.5 h1:8xi0RTUf59SOSfEtZMvwTvXYMzG4gV23XVHOZiXNtnE= github.com/onsi/ginkgo v1.16.5/go.mod h1:+E8gABHa3K6zRBolWtd+ROzc/U5bkGt0FwiG042wbpU= -github.com/onsi/ginkgo/v2 v2.17.3 h1:oJcvKpIb7/8uLpDDtnQuf18xVnwKp8DTD7DQ6gTd/MU= -github.com/onsi/ginkgo/v2 v2.17.3/go.mod h1:nP2DPOQoNsQmsVyv5rDA8JkXQoCs6goXIvr/PRJ1eCc= -github.com/onsi/gomega v1.33.1 h1:dsYjIxxSR755MDmKVsaFQTE22ChNBcuuTWgkUDSubOk= -github.com/onsi/gomega v1.33.1/go.mod h1:U4R44UsT+9eLIaYRB2a5qajjtQYn0hauxvRm16AVYg0= +github.com/onsi/ginkgo/v2 v2.20.1 h1:YlVIbqct+ZmnEph770q9Q7NVAz4wwIiVNahee6JyUzo= +github.com/onsi/ginkgo/v2 v2.20.1/go.mod h1:lG9ey2Z29hR41WMVthyJBGUBcBhGOtoPF2VFMvBXFCI= +github.com/onsi/gomega v1.34.2 h1:pNCwDkzrsv7MS9kpaQvVb1aVLahQXyJ/Tv5oAZMI3i8= +github.com/onsi/gomega v1.34.2/go.mod h1:v1xfxRgk0KIsG+QOdm7p8UosrOzPYRo60fd3B/1Dukc= github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U= github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM= -github.com/opencontainers/image-spec v1.1.0-rc6 h1:XDqvyKsJEbRtATzkgItUqBA7QHk58yxX1Ov9HERHNqU= -github.com/opencontainers/image-spec v1.1.0-rc6/go.mod h1:W4s4sFTMaBeK1BQLXbG4AdM2szdn85PY75RI83NrTrM= +github.com/opencontainers/image-spec v1.1.0 h1:8SG7/vwALn54lVB/0yZ/MMwhFrPYtpEHQb2IpWsCzug= +github.com/opencontainers/image-spec v1.1.0/go.mod h1:W4s4sFTMaBeK1BQLXbG4AdM2szdn85PY75RI83NrTrM= github.com/peterbourgon/diskv v2.0.1+incompatible h1:UBdAOUP5p4RWqPBg048CAvpKN+vxiaj6gdUUzhl4XmI= github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU= github.com/phayes/freeport v0.0.0-20220201140144-74d24b5ae9f5 h1:Ii+DKncOVM8Cu1Hc+ETb5K+23HdAMvESYE3ZJ5b5cMI= 
@@ -318,16 +306,16 @@ github.com/poy/onpar v1.1.2/go.mod h1:6X8FLNoxyr9kkmnlqpK6LSoiOtrO6MICtWwEuWkLjz github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw= github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5FsnadC4Ky3P0J6CfImo= github.com/prometheus/client_golang v1.1.0/go.mod h1:I1FGZT9+L76gKKOs5djB6ezCbFQP1xR9D75/vuwEF3g= -github.com/prometheus/client_golang v1.19.1 h1:wZWJDwK+NameRJuPGDhlnFgx8e8HN3XHQeLaYJFJBOE= -github.com/prometheus/client_golang v1.19.1/go.mod h1:mP78NwGzrVks5S2H6ab8+ZZGJLZUq1hoULYBAYBw1Ho= +github.com/prometheus/client_golang v1.20.4 h1:Tgh3Yr67PaOv/uTqloMsCEdeuFTatm5zIq5+qNN23vI= +github.com/prometheus/client_golang v1.20.4/go.mod h1:PIEt8X02hGcP8JWbeHyeZ53Y/jReSnHgO035n//V5WE= github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo= github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= github.com/prometheus/client_model v0.6.1 h1:ZKSh/rekM+n3CeS952MLRAdFwIKqeY8b62p8ais2e9E= github.com/prometheus/client_model v0.6.1/go.mod h1:OrxVMOVHjw3lKMa8+x6HeMGkHMQyHDk9E3jmP2AmGiY= github.com/prometheus/common v0.4.1/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4= github.com/prometheus/common v0.6.0/go.mod h1:eBmuwkDJBwy6iBfxCBob6t6dR6ENT/y+J+Zk0j9GMYc= -github.com/prometheus/common v0.55.0 h1:KEi6DK7lXW/m7Ig5i47x0vRzuBsHuvJdi5ee6Y3G1dc= -github.com/prometheus/common v0.55.0/go.mod h1:2SECS4xJG1kd8XF9IcM1gMX6510RAEL65zxzNImwdc8= +github.com/prometheus/common v0.60.0 h1:+V9PAREWNvJMAuJ1x1BaWl9dewMW4YrHZQbx0sJNllA= +github.com/prometheus/common v0.60.0/go.mod h1:h0LYf1R1deLSKtD4Vdg8gy4RuOvENW2J/h19V5NADQw= github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk= github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA= github.com/prometheus/procfs 
v0.0.3/go.mod h1:4A/X28fw3Fc593LaREMrKMqOKvUAntwMDaekg4FpcdQ= 
@@ -336,23 +324,21 @@ github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoG github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc= github.com/rivo/uniseg v0.4.6 h1:Sovz9sDSwbOz9tgUy8JpT+KgCkPYJEN/oYzlJiYTNLg= github.com/rivo/uniseg v0.4.6/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88= -github.com/rogpeppe/go-internal v1.11.0 h1:cWPaGQEPrBb5/AsnsZesgZZ9yb1OQ+GOISoDNXVBh4M= -github.com/rogpeppe/go-internal v1.11.0/go.mod h1:ddIwULY96R17DhadqLgMfk9H9tvdUzkipdSkR5nkCZA= -github.com/rubenv/sql-migrate v1.5.2 h1:bMDqOnrJVV/6JQgQ/MxOpU+AdO8uzYYA/TxFUBzFtS0= -github.com/rubenv/sql-migrate v1.5.2/go.mod h1:H38GW8Vqf8F0Su5XignRyaRcbXbJunSWxs+kmzlg0Is= +github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU5NdKM8= +github.com/rogpeppe/go-internal v1.12.0/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99yedzYV+kq4uf4= +github.com/rubenv/sql-migrate v1.7.0 h1:HtQq1xyTN2ISmQDggnh0c9U3JlP8apWh8YO2jzlXpTI= +github.com/rubenv/sql-migrate v1.7.0/go.mod h1:S4wtDEG1CKn+0ShpTtzWhFpHHI5PvCUtiGI+C+Z2THE= github.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf35Ld67mk= github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= -github.com/sergi/go-diff v1.1.0 h1:we8PVUC3FE2uYfodKH/nBHMSetSfHDR6scGdBi+erh0= -github.com/sergi/go-diff v1.1.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM= -github.com/shopspring/decimal v1.2.0/go.mod h1:DKyhrW/HYNuLGql+MJL6WCR6knT2jwCFRcu2hWCYk4o= -github.com/shopspring/decimal v1.3.1 h1:2Usl1nmF/WZucqkFZhnfFYxxxu8LG21F6nPQBE5gKV8= -github.com/shopspring/decimal v1.3.1/go.mod h1:DKyhrW/HYNuLGql+MJL6WCR6knT2jwCFRcu2hWCYk4o= +github.com/sergi/go-diff v1.2.0 h1:XU+rvMAioB0UC3q1MFrIQy4Vo5/4VsRDQQXHsEya6xQ= +github.com/sergi/go-diff v1.2.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM= +github.com/shopspring/decimal v1.4.0 h1:bxl37RwXBklmTi0C79JfXCEBD1cqqHt0bbgBAGFp81k= +github.com/shopspring/decimal 
v1.4.0/go.mod h1:gawqmDU56v4yIKSwfBSFip1HdCCXN8/+DMd9qYNcwME= github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo= github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ= github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ= -github.com/spf13/cast v1.3.1/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE= -github.com/spf13/cast v1.6.0 h1:GEiTHELF+vaR5dhz3VqZfFSzZjYbgeKDpBxQVS4GYJ0= -github.com/spf13/cast v1.6.0/go.mod h1:ancEpBxwJDODSW/UG4rDrAqiKolqNNh2DX3mk86cAdo= +github.com/spf13/cast v1.7.0 h1:ntdiHjuueXFgm5nzDRdOS4yfT43P5Fnud6DH50rz/7w= +github.com/spf13/cast v1.7.0/go.mod h1:ancEpBxwJDODSW/UG4rDrAqiKolqNNh2DX3mk86cAdo= github.com/spf13/cobra v1.8.1 h1:e5/vxKd/rZsfSJMUX1agtjeTDf+qv1/JdBF8gg5k9ZM= github.com/spf13/cobra v1.8.1/go.mod h1:wHxEcudfqmLYa8iTfL+OuZPbBZkmvliBWKIezN3kD9Y= github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= @@ -365,7 +351,6 @@ github.com/stretchr/objx v0.5.2 h1:xuMeJ0Sdp5ZMRXx/aWO6RZxdr3beISkG5/G/aIRr3pY= github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA= github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= -github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA= github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= 
@@ -373,6 +358,8 @@ github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg= github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= +github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM= +github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg= github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU= github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb h1:zGWFAtiMcyryUHoUjUJX0/lt1H2+i2Ka2n+D3DImSNo= github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU= @@ -384,7 +371,6 @@ github.com/xlab/treeprint v1.2.0 h1:HzHnuAF1plUN2zGlAFHbSQP2qJ0ZAD3XF5XD7OesXRQ= github.com/xlab/treeprint v1.2.0/go.mod h1:gj5Gd3gPdKtR1ikdDK6fnFLdmIS0X30kTTuNd/WEJu0= github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= -github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY= github.com/yvasiyarov/go-metrics v0.0.0-20140926110328-57bccd1ccd43 h1:+lm10QQTNSBd8DVTNGHx7o/IKu9HYDvLMffDhbyLccI= github.com/yvasiyarov/go-metrics v0.0.0-20140926110328-57bccd1ccd43/go.mod h1:aX5oPXxHm3bOH+xeAttToC8pqch2ScQN/JoXYupl6xs= github.com/yvasiyarov/gorelic v0.0.0-20141212073537-a9bba5b9ab50 h1:hlE8//ciYMztlGpl/VA+Zm1AcTPHYkHJPbHqE6WJUXE= 
@@ -393,14 +379,14 @@ github.com/yvasiyarov/newrelic_platform_go v0.0.0-20140908184405-b21fdbd4370f h1 github.com/yvasiyarov/newrelic_platform_go v0.0.0-20140908184405-b21fdbd4370f/go.mod h1:GlGEuHIJweS1mbCqG+7vt2nvWLzLLnRHbXz5JKd/Qbg= go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0= go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo= -go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.50.0 h1:cEPbyTSEHlQR89XVlyo78gqluF8Y3oMeBkXGWzQsfXY= -go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.50.0/go.mod h1:DKdbWcT4GH1D0Y3Sqt/PFXt2naRKDWtU+eE6oLdFNA8= -go.opentelemetry.io/otel v1.28.0 h1:/SqNcYk+idO0CxKEUOtKQClMK/MimZihKYMruSMViUo= -go.opentelemetry.io/otel v1.28.0/go.mod h1:q68ijF8Fc8CnMHKyzqL6akLO46ePnjkgfIMIjUIX9z4= -go.opentelemetry.io/otel/metric v1.28.0 h1:f0HGvSl1KRAU1DLgLGFjrwVyismPlnuU6JD6bOeuA5Q= -go.opentelemetry.io/otel/metric v1.28.0/go.mod h1:Fb1eVBFZmLVTMb6PPohq3TO9IIhUisDsbJoL/+uQW4s= -go.opentelemetry.io/otel/trace v1.28.0 h1:GhQ9cUuQGmNDd5BTCP2dAvv75RdMxEfTmYejp+lkx9g= -go.opentelemetry.io/otel/trace v1.28.0/go.mod h1:jPyXzNPg6da9+38HEwElrQiHlVMTnVfM3/yv2OlIHaI= +go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0 h1:4K4tsIXefpVJtvA/8srF4V4y0akAoPHkIslgAkjixJA= +go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0/go.mod h1:jjdQuTGVsXV4vSs+CJ2qYDeDPf9yIJV23qlIzBm73Vg= +go.opentelemetry.io/otel v1.30.0 h1:F2t8sK4qf1fAmY9ua4ohFS/K+FUuOPemHUIXHtktrts= +go.opentelemetry.io/otel v1.30.0/go.mod h1:tFw4Br9b7fOS+uEao81PJjVMjW/5fvNCbpsDIXqP0pc= +go.opentelemetry.io/otel/metric v1.30.0 h1:4xNulvn9gjzo4hjg+wzIKG7iNFEaBMX00Qd4QIZs7+w= +go.opentelemetry.io/otel/metric v1.30.0/go.mod h1:aXTfST94tswhWEb+5QjlSqG+cZlmyXy/u8jFpor3WqQ= +go.opentelemetry.io/otel/trace v1.30.0 h1:7UBkkYzeg3C7kQX8VAidWh2biiQbtAKjyIML8dQ9wmc= +go.opentelemetry.io/otel/trace v1.30.0/go.mod h1:5EyKqTzzmyqB9bwtCCq6pDLktPK6fmGf/Dph+8VI02o= go.starlark.net 
v0.0.0-20231121155337-90ade8b19d09 h1:hzy3LFnSN8kuQK8h9tHl4ndF6UruMj47OqwqsS+/Ai4= go.starlark.net v0.0.0-20231121155337-90ade8b19d09/go.mod h1:LcLNIzVOMp4oV+uusnpk+VU+SzXaJakUuBjoCSWH5dM= go.uber.org/atomic v1.11.0 h1:ZvwS0R+56ePWxUNi+Atn9dWONBPp/AUETXlHW0DxSjE= 
@@ -415,75 +401,57 @@ golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnf golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= -golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= -golang.org/x/crypto v0.3.0/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4= -golang.org/x/crypto v0.25.0 h1:ypSNr+bnYL2YhwoMt2zPxHFmbAN1KZs/njMG3hxUp30= -golang.org/x/crypto v0.25.0/go.mod h1:T+wALwcMOSE0kXgUAnPAHqTLW+XHgcELELW8VaDgm/M= -golang.org/x/exp v0.0.0-20240716175740-e3f259677ff7 h1:wDLEX9a7YQoKdKNQt88rtydkqDxeGaBUTnIYc3iG/mA= -golang.org/x/exp v0.0.0-20240716175740-e3f259677ff7/go.mod h1:M4RDyNAINzryxdtnbRXRL/OHtkFuWGRjvuhBJpk2IlY= +golang.org/x/crypto v0.27.0 h1:GXm2NjJrPaiv/h1tb2UH8QfgC/hOf/+z0p6PT8o1w7A= +golang.org/x/crypto v0.27.0/go.mod h1:1Xngt8kV6Dvbssa53Ziq6Eqn0HqbZi5Z6R0ZpwQzt70= +golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 h1:2dVuKD2vS7b0QIHQbpyTISPd0LeHDbnYEryqj5Q1ug8= +golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56/go.mod h1:M4RDyNAINzryxdtnbRXRL/OHtkFuWGRjvuhBJpk2IlY= golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= -golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= -golang.org/x/mod v0.19.0 h1:fEdghXQSo20giMthA7cd28ZC+jts4amQ3YMXiP5oMQ8= -golang.org/x/mod v0.19.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= +golang.org/x/mod v0.20.0 h1:utOm6MM3R3dnawAiJgn0y+xvuYRsm1RKM/4giyfDgV0= +golang.org/x/mod v0.20.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= golang.org/x/net 
v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190613194153-d28f0bde5980/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= -golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= -golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= -golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY= -golang.org/x/net v0.27.0 h1:5K3Njcw06/l2y9vpGCSdcxWOYHOUk3dVNGDXN+FvAys= -golang.org/x/net v0.27.0/go.mod h1:dDi0PyhWNoiUOrAS8uXv/vnScO4wnHQO4mj9fn/RytE= -golang.org/x/oauth2 v0.21.0 h1:tsimM75w1tF/uws5rbeHzIWxEqElMehnc+iW793zsZs= -golang.org/x/oauth2 v0.21.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI= +golang.org/x/net v0.29.0 h1:5ORfpBpCs4HzDYoodCDBbwHzdR5UrLBZ3sOnUJmFoHo= +golang.org/x/net v0.29.0/go.mod h1:gLkgy8jTGERgjzMic6DS9+SP0ajcu6Xu3Orq/SpETg0= +golang.org/x/oauth2 v0.23.0 h1:PbgcYx2W7i4LvjJWEbf0ngHV6qJYr86PkAV3bXdLEbs= +golang.org/x/oauth2 v0.23.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI= golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 
golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.7.0 h1:YsImfSBoP9QPYL0xyKJPq0gcaJdG3rInoqxTWbfQu9M= -golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= +golang.org/x/sync v0.8.0 h1:3NFvSEYkUoMifnESzZl15y791HH1qU2xm6eCJU5ZPXQ= +golang.org/x/sync v0.8.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190801041406-cbf593c0f2f3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.2.0/go.mod 
h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.22.0 h1:RI27ohtqKCnwULzJLqkv897zojh5/DwS/ENaMzUOaWI= -golang.org/x/sys v0.22.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= -golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= -golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= -golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc= -golang.org/x/term v0.22.0 h1:BbsgPEJULsl2fV/AT3v15Mjva5yXKQDyKf+TbDz7QJk= -golang.org/x/term v0.22.0/go.mod h1:F3qCibpT5AMpCRfhfT53vVJwhLtIVHhB9XDjfFvnMI4= +golang.org/x/sys v0.25.0 h1:r+8e+loiHxRqhXVl6ML1nO3l1+oFoWbnlu2Ehimmi34= +golang.org/x/sys v0.25.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/term v0.24.0 h1:Mh5cbb+Zk2hqqXNO7S1iTjEphVL+jb8ZWaqh/g+JWkM= +golang.org/x/term v0.24.0/go.mod h1:lOBK/LVxemqiMij05LGJ0tzNr8xlmwBRJ81PX6wVLH8= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= -golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= -golang.org/x/text v0.16.0 h1:a94ExnEXNtEwYLGJSIUxnWoxoRz/ZcCsV63ROupILh4= -golang.org/x/text v0.16.0/go.mod h1:GhwF1Be+LQoKShO3cGOHzqOgRrGaYc9AvblQOmPVHnI= -golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk= -golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM= +golang.org/x/text v0.18.0 h1:XvMDiNzPAl0jr17s6W9lcaIhGUfUORdGCNsuLmPG224= +golang.org/x/text v0.18.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY= +golang.org/x/time v0.6.0 h1:eTDhh4ZXt5Qf0augr54TN6suAUudPcawVZeIAPU7D4U= +golang.org/x/time v0.6.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM= 
golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= -golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= -golang.org/x/tools v0.23.0 h1:SGsXPZ+2l4JsgaCKkx+FQ9YZ5XEtA1GZYuoDjenLjvg= -golang.org/x/tools v0.23.0/go.mod h1:pnu6ufv6vQkll6szChhK3C3L/ruaIv5eBeztNG8wtsI= +golang.org/x/tools v0.24.0 h1:J1shsA93PJUEVaUSaay7UXAyE8aimq3GW0pjlolpa24= +golang.org/x/tools v0.24.0/go.mod h1:YhNqVBIfWHdzvTLs0d8LCuMhkKUgSUKldakyV7W/WDQ= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= 
@@ -492,24 +460,25 @@ golang.org/x/xerrors v0.0.0-20240716161551-93cc26a95ae9 h1:LLhsEBxRTBLuKlQxFBYUO golang.org/x/xerrors v0.0.0-20240716161551-93cc26a95ae9/go.mod h1:NDW/Ps6MPRej6fsCIbMTohpP40sJ/P/vI1MoTEGwX90= gomodules.xyz/jsonpatch/v2 v2.4.0 h1:Ci3iUJyx9UeRx7CeFN8ARgGbkESwJK+KB9lLcWxY/Zw= gomodules.xyz/jsonpatch/v2 v2.4.0/go.mod h1:AH3dM2RI6uoBZxn3LVrfvJ3E0/9dG4cSrbuBJT4moAY= -google.golang.org/genproto/googleapis/api v0.0.0-20240711142825-46eb208f015d h1:kHjw/5UfflP/L5EbledDrcG4C2597RtymmGRZvHiCuY= -google.golang.org/genproto/googleapis/api v0.0.0-20240711142825-46eb208f015d/go.mod h1:mw8MG/Qz5wfgYr6VqVCiZcHe/GJEfI+oGGDCohaVgB0= -google.golang.org/genproto/googleapis/rpc v0.0.0-20240711142825-46eb208f015d h1:JU0iKnSg02Gmb5ZdV8nYsKEKsP6o/FGVWTrw4i1DA9A= -google.golang.org/genproto/googleapis/rpc v0.0.0-20240711142825-46eb208f015d/go.mod h1:Ue6ibwXGpU+dqIcODieyLOcgj7z8+IcskoNIgZxtrFY= -google.golang.org/grpc v1.65.0 h1:bs/cUb4lp1G5iImFFd3u5ixQzweKizoZJAwBNLR42lc= -google.golang.org/grpc v1.65.0/go.mod h1:WgYC2ypjlB0EiQi6wdKixMqukr6lBc0Vo+oOgjrM5ZQ= +google.golang.org/genproto/googleapis/api v0.0.0-20240930140551-af27646dc61f h1:jTm13A2itBi3La6yTGqn8bVSrc3ZZ1r8ENHlIXBfnRA= +google.golang.org/genproto/googleapis/api v0.0.0-20240930140551-af27646dc61f/go.mod h1:CLGoBuH1VHxAUXVPP8FfPwPEVJB6lz3URE5mY2SuayE= +google.golang.org/genproto/googleapis/rpc v0.0.0-20240930140551-af27646dc61f h1:cUMEy+8oS78BWIH9OWazBkzbr090Od9tWBNtZHkOhf0= +google.golang.org/genproto/googleapis/rpc v0.0.0-20240930140551-af27646dc61f/go.mod h1:UqMtugtsSgubUsoxbuAoiCXvqvErP7Gf0so0mK9tHxU= +google.golang.org/grpc v1.67.1 h1:zWnc1Vrcno+lHZCOofnIMvycFcc0QRGIzm9dhnDX68E= +google.golang.org/grpc v1.67.1/go.mod h1:1gLDyUQU7CTLJI90u3nXZ9ekeghjeM7pTDZlqFNg2AA= google.golang.org/protobuf v1.34.2 h1:6xV6lTsCfpGD21XK49h7MhtcApnLqkfYgPcdHftf6hg= google.golang.org/protobuf v1.34.2/go.mod h1:qYOHts0dSfpeUzUFpOMr/WGzszTmLH+DiWniOlNbLDw= gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod 
h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= +gopkg.in/evanphx/json-patch.v4 v4.12.0 h1:n6jtcsulIzXPJaxegRbvFNNrZDjbij7ny3gmSPG+6V4= +gopkg.in/evanphx/json-patch.v4 v4.12.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M= gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc= gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw= gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkepLTh2hOroT7a+7czfdQ= gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw= gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= -gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= 
@@ -518,48 +487,48 @@ gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gotest.tools/v3 v3.5.1 h1:EENdUnS3pdur5nybKYIh2Vfgc8IUNBjxDPSjtiJcOzU= gotest.tools/v3 v3.5.1/go.mod h1:isy3WKz7GK6uNw/sbHzfKBLvlvXwUyV06n6brMxxopU= -helm.sh/helm/v3 v3.15.1 h1:22ztacHz4gMqhXNqCQ9NAg6BFWoRUryNLvnkz6OVyw0= -helm.sh/helm/v3 v3.15.1/go.mod h1:fvfoRcB8UKRUV5jrIfOTaN/pG1TPhuqSb56fjYdTKXg= -istio.io/api v1.23.0-alpha.0.0.20240815004820-dd780031d531 h1:SzRpQFb33yZ5/RWNEMkEzwSKihIoaqS6l6bz/Pixq18= -istio.io/api v1.23.0-alpha.0.0.20240815004820-dd780031d531/go.mod h1:MQnRok7RZ20/PE56v0LxmoWH0xVxnCQPNuf9O7PAN1I= -istio.io/client-go v1.23.0-alpha.0.0.20240815005320-98e06cc71273 h1:vVlZ6fCq+e+SkKNsg06LVF4842k9ycOQSoamLlPPFeU= -istio.io/client-go v1.23.0-alpha.0.0.20240815005320-98e06cc71273/go.mod h1:Y4vkrP/cgEbtlOi4E++YhCvLkMotuWFtoQTvv+nWBLY= -istio.io/istio v0.0.0-20240815163146-1ad41e17ee31 h1:aL+yEfXFRWZgxall6phMbGP/CId65TVyR94sdm6pwo0= -istio.io/istio v0.0.0-20240815163146-1ad41e17ee31/go.mod h1:vg5Yp9IKYRlIsFRd5MOQh0/3zjk0WCWe0NVu1Q9DpZQ= -k8s.io/api v0.30.3 h1:ImHwK9DCsPA9uoU3rVh4QHAHHK5dTSv1nxJUapx8hoQ= -k8s.io/api v0.30.3/go.mod h1:GPc8jlzoe5JG3pb0KJCSLX5oAFIW3/qNJITlDj8BH04= -k8s.io/apiextensions-apiserver v0.30.3 h1:oChu5li2vsZHx2IvnGP3ah8Nj3KyqG3kRSaKmijhB9U= -k8s.io/apiextensions-apiserver v0.30.3/go.mod h1:uhXxYDkMAvl6CJw4lrDN4CPbONkF3+XL9cacCT44kV4= -k8s.io/apimachinery v0.30.3 h1:q1laaWCmrszyQuSQCfNB8cFgCuDAoPszKY4ucAjDwHc= -k8s.io/apimachinery v0.30.3/go.mod h1:iexa2somDaxdnj7bha06bhb43Zpa6eWH8N8dbqVjTUc= -k8s.io/apiserver v0.30.3 h1:QZJndA9k2MjFqpnyYv/PH+9PE0SHhx3hBho4X0vE65g= -k8s.io/apiserver v0.30.3/go.mod h1:6Oa88y1CZqnzetd2JdepO0UXzQX4ZnOekx2/PtEjrOg= -k8s.io/cli-runtime v0.30.3 h1:aG69oRzJuP2Q4o8dm+f5WJIX4ZBEwrvdID0+MXyUY6k= -k8s.io/cli-runtime v0.30.3/go.mod h1:hwrrRdd9P84CXSKzhHxrOivAR9BRnkMt0OeP5mj7X30= -k8s.io/client-go v0.30.3 
h1:bHrJu3xQZNXIi8/MoxYtZBBWQQXwy16zqJwloXXfD3k= -k8s.io/client-go v0.30.3/go.mod h1:8d4pf8vYu665/kUbsxWAQ/JDBNWqfFeZnvFiVdmx89U= -k8s.io/component-base v0.30.3 h1:Ci0UqKWf4oiwy8hr1+E3dsnliKnkMLZMVbWzeorlk7s= -k8s.io/component-base v0.30.3/go.mod h1:C1SshT3rGPCuNtBs14RmVD2xW0EhRSeLvBh7AGk1quA= +helm.sh/helm/v3 v3.16.1 h1:cER6tI/8PgUAsaJaQCVBUg3VI9KN4oVaZJgY60RIc0c= +helm.sh/helm/v3 v3.16.1/go.mod h1:r+xBHHP20qJeEqtvBXMf7W35QDJnzY/eiEBzt+TfHps= +istio.io/api v1.23.0-alpha.0.0.20241005033901-9723aca52e22 h1:zJhF3wFCBR6aYymRVqO9/lSX2D/sk/qklQrRF7lbIj8= +istio.io/api v1.23.0-alpha.0.0.20241005033901-9723aca52e22/go.mod h1:MQnRok7RZ20/PE56v0LxmoWH0xVxnCQPNuf9O7PAN1I= +istio.io/client-go v1.23.0-alpha.0.0.20241005034300-2c4a3cee6f7d h1:rlMkdB4mK+b8TKSuxVOOZYh4mpDkDgYvVQj75wwLYKA= +istio.io/client-go v1.23.0-alpha.0.0.20241005034300-2c4a3cee6f7d/go.mod h1:K/KtGTGAA72MC0oPUIFE1ux9aQUqepNP2e4YCz2YleE= +istio.io/istio v0.0.0-20241006152922-6f95f8c912c4 h1:njSM52+zyIPtmLYNr4jEFb7n4NBnudB95llLRzicBNs= +istio.io/istio v0.0.0-20241006152922-6f95f8c912c4/go.mod h1:///kOEmTI1EXlYBf1zS1l63r/Otcx0S1EG/95ZJ0LOo= +k8s.io/api v0.31.1 h1:Xe1hX/fPW3PXYYv8BlozYqw63ytA92snr96zMW9gWTU= +k8s.io/api v0.31.1/go.mod h1:sbN1g6eY6XVLeqNsZGLnI5FwVseTrZX7Fv3O26rhAaI= +k8s.io/apiextensions-apiserver v0.31.1 h1:L+hwULvXx+nvTYX/MKM3kKMZyei+UiSXQWciX/N6E40= +k8s.io/apiextensions-apiserver v0.31.1/go.mod h1:tWMPR3sgW+jsl2xm9v7lAyRF1rYEK71i9G5dRtkknoQ= +k8s.io/apimachinery v0.31.1 h1:mhcUBbj7KUjaVhyXILglcVjuS4nYXiwC+KKFBgIVy7U= +k8s.io/apimachinery v0.31.1/go.mod h1:rsPdaZJfTfLsNJSQzNHQvYoTmxhoOEofxtOsF3rtsMo= +k8s.io/apiserver v0.31.1 h1:Sars5ejQDCRBY5f7R3QFHdqN3s61nhkpaX8/k1iEw1c= +k8s.io/apiserver v0.31.1/go.mod h1:lzDhpeToamVZJmmFlaLwdYZwd7zB+WYRYIboqA1kGxM= +k8s.io/cli-runtime v0.31.1 h1:/ZmKhmZ6hNqDM+yf9s3Y4KEYakNXUn5sod2LWGGwCuk= +k8s.io/cli-runtime v0.31.1/go.mod h1:pKv1cDIaq7ehWGuXQ+A//1OIF+7DI+xudXtExMCbe9U= +k8s.io/client-go v0.31.1 h1:f0ugtWSbWpxHR7sjVpQwuvw9a3ZKLXX0u0itkFXufb0= 
+k8s.io/client-go v0.31.1/go.mod h1:sKI8871MJN2OyeqRlmA4W4KM9KBdBUpDLu/43eGemCg= +k8s.io/component-base v0.31.1 h1:UpOepcrX3rQ3ab5NB6g5iP0tvsgJWzxTyAo20sgYSy8= +k8s.io/component-base v0.31.1/go.mod h1:WGeaw7t/kTsqpVTaCoVEtillbqAhF2/JgvO0LDOMa0w= k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk= k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= k8s.io/kube-openapi v0.0.0-20240423202451-8948a665c108 h1:Q8Z7VlGhcJgBHJHYugJ/K/7iB8a2eSxCyxdVjJp+lLY= k8s.io/kube-openapi v0.0.0-20240423202451-8948a665c108/go.mod h1:yD4MZYeKMBwQKVht279WycxKyM84kkAx2DPrTXaeb98= -k8s.io/kubectl v0.30.3 h1:YIBBvMdTW0xcDpmrOBzcpUVsn+zOgjMYIu7kAq+yqiI= -k8s.io/kubectl v0.30.3/go.mod h1:IcR0I9RN2+zzTRUa1BzZCm4oM0NLOawE6RzlDvd1Fpo= -k8s.io/utils v0.0.0-20240711033017-18e509b52bc8 h1:pUdcCO1Lk/tbT5ztQWOBi5HBgbBP1J8+AsQnQCKsi8A= -k8s.io/utils v0.0.0-20240711033017-18e509b52bc8/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= +k8s.io/kubectl v0.31.1 h1:ih4JQJHxsEggFqDJEHSOdJ69ZxZftgeZvYo7M/cpp24= +k8s.io/kubectl v0.31.1/go.mod h1:aNuQoR43W6MLAtXQ/Bu4GDmoHlbhHKuyD49lmTC8eJM= +k8s.io/utils v0.0.0-20240921022957-49e7df575cb6 h1:MDF6h2H/h4tbzmtIKTuctcwZmY0tY9mD9fNT47QO6HI= +k8s.io/utils v0.0.0-20240921022957-49e7df575cb6/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= oras.land/oras-go v1.2.5 h1:XpYuAwAb0DfQsunIyMfeET92emK8km3W4yEzZvUbsTo= oras.land/oras-go v1.2.5/go.mod h1:PuAwRShRZCsZb7g8Ar3jKKQR/2A/qN+pkYxIOd/FAoo= -sigs.k8s.io/controller-runtime v0.18.3 h1:B5Wmmo8WMWK7izei+2LlXLVDGzMwAHBNLX68lwtlSR4= -sigs.k8s.io/controller-runtime v0.18.3/go.mod h1:TVoGrfdpbA9VRFaRnKgk9P5/atA0pMwq+f+msb9M8Sg= +sigs.k8s.io/controller-runtime v0.19.0 h1:nWVM7aq+Il2ABxwiCizrVDSlmDcshi9llbaFbC0ji/Q= +sigs.k8s.io/controller-runtime v0.19.0/go.mod h1:iRmWllt8IlaLjvTTDLhRBXIEtkCK6hwVBJJsYS9Ajf4= sigs.k8s.io/controller-tools v0.15.0 h1:4dxdABXGDhIa68Fiwaif0vcu32xfwmgQ+w8p+5CxoAI= sigs.k8s.io/controller-tools v0.15.0/go.mod 
h1:8zUSS2T8Hx0APCNRhJWbS3CAQEbIxLa07khzh7pZmXM= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0= -sigs.k8s.io/kustomize/api v0.13.5-0.20230601165947-6ce0bf390ce3 h1:XX3Ajgzov2RKUdc5jW3t5jwY7Bo7dcRm+tFxT+NfgY0= -sigs.k8s.io/kustomize/api v0.13.5-0.20230601165947-6ce0bf390ce3/go.mod h1:9n16EZKMhXBNSiUC5kSdFQJkdH3zbxS/JoO619G1VAY= -sigs.k8s.io/kustomize/kyaml v0.16.0 h1:6J33uKSoATlKZH16unr2XOhDI+otoe2sR3M8PDzW3K0= -sigs.k8s.io/kustomize/kyaml v0.16.0/go.mod h1:xOK/7i+vmE14N2FdFyugIshB8eF6ALpy7jI87Q2nRh4= +sigs.k8s.io/kustomize/api v0.17.2 h1:E7/Fjk7V5fboiuijoZHgs4aHuexi5Y2loXlVOAVAG5g= +sigs.k8s.io/kustomize/api v0.17.2/go.mod h1:UWTz9Ct+MvoeQsHcJ5e+vziRRkwimm3HytpZgIYqye0= +sigs.k8s.io/kustomize/kyaml v0.17.1 h1:TnxYQxFXzbmNG6gOINgGWQt09GghzgTP6mIurOgrLCQ= +sigs.k8s.io/kustomize/kyaml v0.17.1/go.mod h1:9V0mCjIEYjlXuCdYsSXvyoy2BTsLESH7TlGV81S282U= sigs.k8s.io/structured-merge-diff/v4 v4.4.1 h1:150L+0vs/8DA78h1u02ooW1/fFq/Lwr+sGiqlzvrtq4= sigs.k8s.io/structured-merge-diff/v4 v4.4.1/go.mod h1:N8hJocpFajUSSeSJ9bOZ77VzejKZaXsTtZo4/u7Io08= sigs.k8s.io/yaml v1.4.0 h1:Mk1wCc2gy/F0THH0TAp1QYyJNzRm2KCLy3o5ASXVI5E= diff --git a/resources/latest/charts/base/Chart.yaml b/resources/latest/charts/base/Chart.yaml index 7ad77f51a..90d7c8743 100644 --- a/resources/latest/charts/base/Chart.yaml +++ b/resources/latest/charts/base/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 1.24-alpha.fe2a04689d3b7abf7630dc5646bf825e0c0592fe +appVersion: 1.24-alpha.6f95f8c912c44489b4f78568207337bd907f46c1 description: Helm chart for deploying Istio cluster resources and CRDs icon: https://istio.io/latest/favicons/android-192x192.png keywords: 
@@ -7,4 +7,4 @@ keywords: name: base sources: - https://github.com/istio/istio -version: 1.24-alpha.fe2a04689d3b7abf7630dc5646bf825e0c0592fe +version: 1.24-alpha.6f95f8c912c44489b4f78568207337bd907f46c1 diff --git a/resources/latest/charts/base/crds/crd-all.gen.yaml b/resources/latest/charts/base/files/crd-all.gen.yaml similarity index 98% rename from resources/latest/charts/base/crds/crd-all.gen.yaml rename to resources/latest/charts/base/files/crd-all.gen.yaml index 45c7e2b61..bb6080eff 100644 --- a/resources/latest/charts/base/crds/crd-all.gen.yaml +++ b/resources/latest/charts/base/files/crd-all.gen.yaml @@ -217,6 +217,7 @@ spec: gateway.networking.k8s.io/Gateway rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], [''gateway.networking.k8s.io'',''Gateway''], [''networking.istio.io'',''ServiceEntry'']]' + maxItems: 16 type: array type: description: |- @@ -282,6 +283,9 @@ spec: required: - url type: object + x-kubernetes-validations: + - message: only one of targetRefs or selector can be set + rule: (has(self.selector)?1:0)+(has(self.targetRef)?1:0)+(has(self.targetRefs)?1:0)<=1 status: properties: conditions: @@ -6140,6 +6144,7 @@ spec: gateway.networking.k8s.io/Gateway rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], [''gateway.networking.k8s.io'',''Gateway''], [''networking.istio.io'',''ServiceEntry'']]' + maxItems: 16 type: array workloadSelector: description: Criteria used to select the specific set of pods/VMs 
@@ -6147,12 +6152,20 @@ spec: properties: labels: additionalProperties: + maxLength: 63 type: string + x-kubernetes-validations: + - message: wildcard is not supported in selector + rule: '!self.contains(''*'')' description: One or more labels that indicate a specific set of pods/VMs on which the configuration should be applied. + maxProperties: 256 type: object type: object type: object + x-kubernetes-validations: + - message: only one of targetRefs or workloadSelector can be set + rule: (has(self.workloadSelector)?1:0)+(has(self.targetRefs)?1:0)<=1 status: properties: conditions: @@ -7149,7 +7162,9 @@ spec: addresses: description: The virtual IP addresses associated with the service. items: + maxLength: 64 type: string + maxItems: 256 type: array endpoints: description: One or more endpoints associated with the service. @@ -7224,6 +7239,11 @@ spec: description: The hosts associated with the ServiceEntry. items: type: string + x-kubernetes-validations: + - message: hostname cannot be wildcard + rule: self != '*' + maxItems: 256 + minItems: 1 type: array location: description: |- @@ -7240,14 +7260,19 @@ spec: properties: name: description: Label assigned to the port. + maxLength: 256 type: string number: description: A valid non-negative integer port number. maximum: 4294967295 minimum: 0 type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 protocol: description: The protocol exposed on the port. + maxLength: 256 type: string targetPort: description: The port number on the endpoint where the traffic 
@@ -7255,11 +7280,21 @@ spec: maximum: 4294967295 minimum: 0 type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 required: - number - name type: object + maxItems: 256 type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + x-kubernetes-validations: + - message: port number cannot be duplicated + rule: self.all(l1, self.exists_one(l2, l1.number == l2.number)) resolution: description: |- Service resolution mode for the hosts. @@ -7282,14 +7317,32 @@ spec: properties: labels: additionalProperties: + maxLength: 63 type: string + x-kubernetes-validations: + - message: wildcard is not supported in selector + rule: '!self.contains(''*'')' description: One or more labels that indicate a specific set of pods/VMs on which the configuration should be applied. + maxProperties: 256 type: object type: object required: - hosts type: object + x-kubernetes-validations: + - message: only one of WorkloadSelector or Endpoints can be set + rule: (has(self.workloadSelector)?1:0)+(has(self.endpoints)?1:0)<=1 + - message: CIDR addresses are allowed only for NONE/STATIC resolution + types + rule: '!(has(self.addresses) && self.addresses.exists(k, k.contains(''/'')) + && (self.resolution != ''STATIC'' && self.resolution != ''NONE''))' + - message: NONE mode cannot set endpoints + rule: '(!has(self.resolution) || self.resolution == ''NONE'') ? !has(self.endpoints) + : true' + - message: DNS_ROUND_ROBIN mode cannot have multiple endpoints + rule: '(has(self.resolution) && self.resolution == ''DNS_ROUND_ROBIN'') + ? (!has(self.endpoints) || size(self.endpoints) == 1) : true' status: properties: conditions: @@ -7361,6 +7414,8 @@ spec: type: array type: object x-kubernetes-preserve-unknown-fields: true + required: + - spec type: object served: true storage: false 
@@ -7399,7 +7454,9 @@ spec: addresses: description: The virtual IP addresses associated with the service. items: + maxLength: 64 type: string + maxItems: 256 type: array endpoints: description: One or more endpoints associated with the service. @@ -7474,6 +7531,11 @@ spec: description: The hosts associated with the ServiceEntry. items: type: string + x-kubernetes-validations: + - message: hostname cannot be wildcard + rule: self != '*' + maxItems: 256 + minItems: 1 type: array location: description: |- @@ -7490,14 +7552,19 @@ spec: properties: name: description: Label assigned to the port. + maxLength: 256 type: string number: description: A valid non-negative integer port number. maximum: 4294967295 minimum: 0 type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 protocol: description: The protocol exposed on the port. + maxLength: 256 type: string targetPort: description: The port number on the endpoint where the traffic @@ -7505,11 +7572,21 @@ spec: maximum: 4294967295 minimum: 0 type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 required: - number - name type: object + maxItems: 256 type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + x-kubernetes-validations: + - message: port number cannot be duplicated + rule: self.all(l1, self.exists_one(l2, l1.number == l2.number)) resolution: description: |- Service resolution mode for the hosts. 
@@ -7532,14 +7609,32 @@ spec: properties: labels: additionalProperties: + maxLength: 63 type: string + x-kubernetes-validations: + - message: wildcard is not supported in selector + rule: '!self.contains(''*'')' description: One or more labels that indicate a specific set of pods/VMs on which the configuration should be applied. + maxProperties: 256 type: object type: object required: - hosts type: object + x-kubernetes-validations: + - message: only one of WorkloadSelector or Endpoints can be set + rule: (has(self.workloadSelector)?1:0)+(has(self.endpoints)?1:0)<=1 + - message: CIDR addresses are allowed only for NONE/STATIC resolution + types + rule: '!(has(self.addresses) && self.addresses.exists(k, k.contains(''/'')) + && (self.resolution != ''STATIC'' && self.resolution != ''NONE''))' + - message: NONE mode cannot set endpoints + rule: '(!has(self.resolution) || self.resolution == ''NONE'') ? !has(self.endpoints) + : true' + - message: DNS_ROUND_ROBIN mode cannot have multiple endpoints + rule: '(has(self.resolution) && self.resolution == ''DNS_ROUND_ROBIN'') + ? (!has(self.endpoints) || size(self.endpoints) == 1) : true' status: properties: conditions: @@ -7611,6 +7706,8 @@ spec: type: array type: object x-kubernetes-preserve-unknown-fields: true + required: + - spec type: object served: true storage: false @@ -7649,7 +7746,9 @@ spec: addresses: description: The virtual IP addresses associated with the service. items: + maxLength: 64 type: string + maxItems: 256 type: array endpoints: description: One or more endpoints associated with the service. @@ -7724,6 +7823,11 @@ spec: description: The hosts associated with the ServiceEntry. items: type: string + x-kubernetes-validations: + - message: hostname cannot be wildcard + rule: self != '*' + maxItems: 256 + minItems: 1 type: array location: description: |- 
@@ -7740,14 +7844,19 @@ spec: properties: name: description: Label assigned to the port. + maxLength: 256 type: string number: description: A valid non-negative integer port number. maximum: 4294967295 minimum: 0 type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 protocol: description: The protocol exposed on the port. + maxLength: 256 type: string targetPort: description: The port number on the endpoint where the traffic @@ -7755,11 +7864,21 @@ spec: maximum: 4294967295 minimum: 0 type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 required: - number - name type: object + maxItems: 256 type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + x-kubernetes-validations: + - message: port number cannot be duplicated + rule: self.all(l1, self.exists_one(l2, l1.number == l2.number)) resolution: description: |- Service resolution mode for the hosts. 
@@ -7782,14 +7901,32 @@ spec: properties: labels: additionalProperties: + maxLength: 63 type: string + x-kubernetes-validations: + - message: wildcard is not supported in selector + rule: '!self.contains(''*'')' description: One or more labels that indicate a specific set of pods/VMs on which the configuration should be applied. + maxProperties: 256 type: object type: object required: - hosts type: object + x-kubernetes-validations: + - message: only one of WorkloadSelector or Endpoints can be set + rule: (has(self.workloadSelector)?1:0)+(has(self.endpoints)?1:0)<=1 + - message: CIDR addresses are allowed only for NONE/STATIC resolution + types + rule: '!(has(self.addresses) && self.addresses.exists(k, k.contains(''/'')) + && (self.resolution != ''STATIC'' && self.resolution != ''NONE''))' + - message: NONE mode cannot set endpoints + rule: '(!has(self.resolution) || self.resolution == ''NONE'') ? !has(self.endpoints) + : true' + - message: DNS_ROUND_ROBIN mode cannot have multiple endpoints + rule: '(has(self.resolution) && self.resolution == ''DNS_ROUND_ROBIN'') + ? (!has(self.endpoints) || size(self.endpoints) == 1) : true' status: properties: conditions: @@ -7861,6 +7998,8 @@ spec: type: array type: object x-kubernetes-preserve-unknown-fields: true + required: + - spec type: object served: true storage: true @@ -8341,9 +8480,14 @@ spec: properties: labels: additionalProperties: + maxLength: 63 type: string + x-kubernetes-validations: + - message: wildcard is not supported in selector + rule: '!self.contains(''*'')' description: One or more labels that indicate a specific set of pods/VMs on which the configuration should be applied. + maxProperties: 256 type: object type: object type: object 
@@ -8874,9 +9018,14 @@ spec: properties: labels: additionalProperties: + maxLength: 63 type: string + x-kubernetes-validations: + - message: wildcard is not supported in selector + rule: '!self.contains(''*'')' description: One or more labels that indicate a specific set of pods/VMs on which the configuration should be applied. + maxProperties: 256 type: object type: object type: object @@ -9407,9 +9556,14 @@ spec: properties: labels: additionalProperties: + maxLength: 63 type: string + x-kubernetes-validations: + - message: wildcard is not supported in selector + rule: '!self.contains(''*'')' description: One or more labels that indicate a specific set of pods/VMs on which the configuration should be applied. + maxProperties: 256 type: object type: object type: object @@ -12800,8 +12954,6 @@ spec: x-kubernetes-preserve-unknown-fields: true required: - spec - - spec - - spec type: object served: true storage: false @@ -12958,8 +13110,6 @@ spec: x-kubernetes-preserve-unknown-fields: true required: - spec - - spec - - spec type: object served: true storage: false @@ -13116,8 +13266,6 @@ spec: x-kubernetes-preserve-unknown-fields: true required: - spec - - spec - - spec type: object served: true storage: true @@ -13170,10 +13318,12 @@ spec: annotations: additionalProperties: type: string + maxProperties: 256 type: object labels: additionalProperties: type: string + maxProperties: 256 type: object type: object probe: @@ -13202,13 +13352,17 @@ spec: command: description: Command to run. items: + minLength: 1 type: string type: array + required: + - command type: object failureThreshold: description: Minimum consecutive failures for the probe to be considered failed after having succeeded. format: int32 + minimum: 0 type: integer httpGet: description: '`httpGet` is performed to a given endpoint and the @@ -13223,6 +13377,7 @@ spec: items: properties: name: + pattern: ^[-_A-Za-z0-9]+$ type: string value: type: string 
@@ -13236,8 +13391,14 @@ spec: maximum: 4294967295 minimum: 0 type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 scheme: type: string + x-kubernetes-validations: + - message: scheme must be one of [HTTP, HTTPS] + rule: self in ['', 'HTTP', 'HTTPS'] required: - port type: object @@ -13245,15 +13406,18 @@ spec: description: Number of seconds after the container has started before readiness probes are initiated. format: int32 + minimum: 0 type: integer periodSeconds: description: How often (in seconds) to perform the probe. format: int32 + minimum: 0 type: integer successThreshold: description: Minimum consecutive successes for the probe to be considered successful after having failed. format: int32 + minimum: 0 type: integer tcpSocket: description: Health is determined by if the proxy is able to connect. @@ -13264,12 +13428,16 @@ spec: maximum: 4294967295 minimum: 0 type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 required: - port type: object timeoutSeconds: description: Number of seconds after which the probe times out. format: int32 + minimum: 0 type: integer type: object template: @@ -13406,6 +13574,8 @@ spec: type: array type: object x-kubernetes-preserve-unknown-fields: true + required: + - spec type: object served: true storage: false @@ -13434,10 +13604,12 @@ spec: annotations: additionalProperties: type: string + maxProperties: 256 type: object labels: additionalProperties: type: string + maxProperties: 256 type: object type: object probe: @@ -13466,13 +13638,17 @@ spec: command: description: Command to run. items: + minLength: 1 type: string type: array + required: + - command type: object failureThreshold: description: Minimum consecutive failures for the probe to be considered failed after having succeeded. format: int32 + minimum: 0 type: integer httpGet: description: '`httpGet` is performed to a given endpoint and the 
@@ -13487,6 +13663,7 @@ spec: items: properties: name: + pattern: ^[-_A-Za-z0-9]+$ type: string value: type: string @@ -13500,8 +13677,14 @@ spec: maximum: 4294967295 minimum: 0 type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 scheme: type: string + x-kubernetes-validations: + - message: scheme must be one of [HTTP, HTTPS] + rule: self in ['', 'HTTP', 'HTTPS'] required: - port type: object @@ -13509,15 +13692,18 @@ spec: description: Number of seconds after the container has started before readiness probes are initiated. format: int32 + minimum: 0 type: integer periodSeconds: description: How often (in seconds) to perform the probe. format: int32 + minimum: 0 type: integer successThreshold: description: Minimum consecutive successes for the probe to be considered successful after having failed. format: int32 + minimum: 0 type: integer tcpSocket: description: Health is determined by if the proxy is able to connect. @@ -13528,12 +13714,16 @@ spec: maximum: 4294967295 minimum: 0 type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 required: - port type: object timeoutSeconds: description: Number of seconds after which the probe times out. format: int32 + minimum: 0 type: integer type: object template: @@ -13670,6 +13860,8 @@ spec: type: array type: object x-kubernetes-preserve-unknown-fields: true + required: + - spec type: object served: true storage: false @@ -13698,10 +13890,12 @@ spec: annotations: additionalProperties: type: string + maxProperties: 256 type: object labels: additionalProperties: type: string + maxProperties: 256 type: object type: object probe: 
@@ -13730,13 +13924,17 @@ spec: command: description: Command to run. items: + minLength: 1 type: string type: array + required: + - command type: object failureThreshold: description: Minimum consecutive failures for the probe to be considered failed after having succeeded. format: int32 + minimum: 0 type: integer httpGet: description: '`httpGet` is performed to a given endpoint and the @@ -13751,6 +13949,7 @@ spec: items: properties: name: + pattern: ^[-_A-Za-z0-9]+$ type: string value: type: string @@ -13764,8 +13963,14 @@ spec: maximum: 4294967295 minimum: 0 type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 scheme: type: string + x-kubernetes-validations: + - message: scheme must be one of [HTTP, HTTPS] + rule: self in ['', 'HTTP', 'HTTPS'] required: - port type: object @@ -13773,15 +13978,18 @@ spec: description: Number of seconds after the container has started before readiness probes are initiated. format: int32 + minimum: 0 type: integer periodSeconds: description: How often (in seconds) to perform the probe. format: int32 + minimum: 0 type: integer successThreshold: description: Minimum consecutive successes for the probe to be considered successful after having failed. format: int32 + minimum: 0 type: integer tcpSocket: description: Health is determined by if the proxy is able to connect. @@ -13792,12 +14000,16 @@ spec: maximum: 4294967295 minimum: 0 type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 required: - port type: object timeoutSeconds: description: Number of seconds after which the probe times out. format: int32 + minimum: 0 type: integer type: object template: @@ -13934,6 +14146,8 @@ spec: type: array type: object x-kubernetes-preserve-unknown-fields: true + required: + - spec type: object served: true storage: true 
@@ -14237,8 +14451,12 @@ spec: gateway.networking.k8s.io/Gateway rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], [''gateway.networking.k8s.io'',''Gateway''], [''networking.istio.io'',''ServiceEntry'']]' + maxItems: 16 type: array type: object + x-kubernetes-validations: + - message: only one of targetRefs or selector can be set + rule: (has(self.selector)?1:0)+(has(self.targetRef)?1:0)+(has(self.targetRefs)?1:0)<=1 status: properties: conditions: @@ -14586,8 +14804,12 @@ spec: gateway.networking.k8s.io/Gateway rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], [''gateway.networking.k8s.io'',''Gateway''], [''networking.istio.io'',''ServiceEntry'']]' + maxItems: 16 type: array type: object + x-kubernetes-validations: + - message: only one of targetRefs or selector can be set + rule: (has(self.selector)?1:0)+(has(self.targetRef)?1:0)+(has(self.targetRefs)?1:0)<=1 status: properties: conditions: @@ -15241,10 +15463,11 @@ spec: gateway.networking.k8s.io/Gateway rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], [''gateway.networking.k8s.io'',''Gateway''], [''networking.istio.io'',''ServiceEntry'']]' + maxItems: 16 type: array type: object x-kubernetes-validations: - - message: only one of targetRefs or workloadSelector can be set + - message: only one of targetRefs or selector can be set rule: (has(self.selector)?1:0)+(has(self.targetRef)?1:0)+(has(self.targetRefs)?1:0)<=1 status: properties: 
@@ -15527,10 +15750,11 @@ spec: gateway.networking.k8s.io/Gateway rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], [''gateway.networking.k8s.io'',''Gateway''], [''networking.istio.io'',''ServiceEntry'']]' + maxItems: 16 type: array type: object x-kubernetes-validations: - - message: only one of targetRefs or workloadSelector can be set + - message: only one of targetRefs or selector can be set rule: (has(self.selector)?1:0)+(has(self.targetRef)?1:0)+(has(self.targetRefs)?1:0)<=1 status: properties: @@ -15892,6 +16116,7 @@ spec: gateway.networking.k8s.io/Gateway rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], [''gateway.networking.k8s.io'',''Gateway''], [''networking.istio.io'',''ServiceEntry'']]' + maxItems: 16 type: array tracing: description: Optional. @@ -16003,6 +16228,9 @@ spec: type: object type: array type: object + x-kubernetes-validations: + - message: only one of targetRefs or selector can be set + rule: (has(self.selector)?1:0)+(has(self.targetRef)?1:0)+(has(self.targetRefs)?1:0)<=1 status: properties: conditions: @@ -16336,6 +16564,7 @@ spec: gateway.networking.k8s.io/Gateway rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], [''gateway.networking.k8s.io'',''Gateway''], [''networking.istio.io'',''ServiceEntry'']]' + maxItems: 16 type: array tracing: description: Optional. @@ -16447,6 +16676,9 @@ spec: type: object type: array type: object + x-kubernetes-validations: + - message: only one of targetRefs or selector can be set + rule: (has(self.selector)?1:0)+(has(self.targetRef)?1:0)+(has(self.targetRefs)?1:0)<=1 status: properties: conditions: diff --git a/resources/latest/charts/base/files/profile-remote.yaml b/resources/latest/charts/base/files/profile-remote.yaml new file mode 100644 index 000000000..d17b9a801 --- /dev/null +++ b/resources/latest/charts/base/files/profile-remote.yaml 
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile.
+istiodRemote:
+ enabled: true
+configMap: false
+telemetry:
+ enabled: false
+global:
+ # TODO BML maybe a different profile for a configcluster/revisit this
+ omitSidecarInjectorConfigMap: true
diff --git a/resources/latest/charts/base/templates/crds.yaml b/resources/latest/charts/base/templates/crds.yaml
index 7714ad8c1..f7756d132 100644
--- a/resources/latest/charts/base/templates/crds.yaml
+++ b/resources/latest/charts/base/templates/crds.yaml
@@ -1,13 +1,21 @@
+# TODO enableCRDTemplates is now defaulted to true as we
+# want to always self-manage CRD upgrades via plain templates,
+# so we should remove this flag after a few releases
 {{- if .Values.base.enableCRDTemplates }}
-{{- if .Values.base.excludedCRDs }}
-{{- range $crd := .Files.Get "crds/crd-all.gen.yaml"|splitList "\n---\n"}}
+{{- $replacement := include "istio.labels" . | fromYaml}}
+{{- range $crd := .Files.Get "files/crd-all.gen.yaml"|splitList "\n---\n"}}
 {{- $name := (index ($crd |fromYaml) "metadata" "name") }}
 {{- if not (has $name $.Values.base.excludedCRDs)}}
-{{$crd}}
+{{- $asDict := ($crd | fromYaml) }}
+# If we are templating these CRDs, we want to wipe out the "static"/legacy
+# labels and replace them with the standard templated istio ones.
+# This allows the continued use of `kubectl apply -f crd-all.gen.yaml`
+# without any templating+the old labels, if desired.
+{{- $_ := set $asDict.metadata "labels" $replacement }}
+{{$asDict | toYaml }}
 ---
 {{- end }}
 {{- end }}
 {{- else }}
-{{ .Files.Get "crds/crd-all.gen.yaml" }}
-{{- end }}
+{{ .Files.Get "files/crd-all.gen.yaml" }}
 {{- end }}
diff --git a/resources/latest/charts/base/templates/validatingadmissionpolicy.yaml b/resources/latest/charts/base/templates/defaultrevision-validatingadmissionpolicy.yaml
similarity index 100%
rename from resources/latest/charts/base/templates/validatingadmissionpolicy.yaml
rename to resources/latest/charts/base/templates/defaultrevision-validatingadmissionpolicy.yaml
diff --git a/resources/latest/charts/base/templates/default.yaml b/resources/latest/charts/base/templates/defaultrevision-validatingwebhookconfiguration.yaml
similarity index 100%
rename from resources/latest/charts/base/templates/default.yaml
rename to resources/latest/charts/base/templates/defaultrevision-validatingwebhookconfiguration.yaml
diff --git a/resources/latest/charts/base/templates/endpoints.yaml b/resources/latest/charts/base/templates/endpoints.yaml
deleted file mode 100644
index 1190dfa9b..000000000
--- a/resources/latest/charts/base/templates/endpoints.yaml
+++ /dev/null
@@ -1,26 +0,0 @@
-{{- if regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress }}
-# if the remotePilotAddress is an IP addr
-apiVersion: v1
-kind: Endpoints
-metadata:
- {{- if .Values.enabled }}
- name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }}-remote
- {{- else }}
- name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }}
- {{- end }}
- namespace: {{ .Release.Namespace }}
- labels:
- app.kubernetes.io/name: "istiod"
- {{- include "istio.labels" . | nindent 4 }}
-subsets:
-- addresses:
- - ip: {{ .Values.global.remotePilotAddress }}
- ports:
- - port: 15012
- name: tcp-istiod
- protocol: TCP
- - port: 15017
- name: tcp-webhook
- protocol: TCP
----
-{{- end }}
diff --git a/resources/latest/charts/base/templates/reader-serviceaccount.yaml b/resources/latest/charts/base/templates/reader-serviceaccount.yaml
index 342eea41f..ba829a6bf 100644
--- a/resources/latest/charts/base/templates/reader-serviceaccount.yaml
+++ b/resources/latest/charts/base/templates/reader-serviceaccount.yaml
@@ -1,4 +1,6 @@
-# This service account aggregates reader permissions for the revisions in a given cluster
+# This singleton service account aggregates reader permissions for the revisions in a given cluster
+# ATM this is a singleton per cluster with Istio installed, and is not revisioned. It maybe should be,
+# as otherwise compromising the token for this SA would give you access to *every* installed revision.
 # Should be used for remote secret creation.
 apiVersion: v1
 kind: ServiceAccount
diff --git a/resources/latest/charts/base/templates/services.yaml b/resources/latest/charts/base/templates/services.yaml
deleted file mode 100644
index fe9b701aa..000000000
--- a/resources/latest/charts/base/templates/services.yaml
+++ /dev/null
@@ -1,40 +0,0 @@
-{{- if .Values.global.remotePilotAddress }}
-apiVersion: v1
-kind: Service
-metadata:
- {{- if .Values.enabled }}
- # when local istiod is enabled, we can't use istiod service name to reach the remote control plane
- name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }}-remote
- {{- else }}
- # when local istiod isn't enabled, we can use istiod service name to reach the remote control plane
- name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }}
- {{- end }}
- namespace: {{ .Release.Namespace }}
- labels:
- app.kubernetes.io/name: "istiod"
- {{ include "istio.labels" . | nindent 4 }}
-spec:
- ports:
- - port: 15012
- name: tcp-istiod
- protocol: TCP
- - port: 443
- targetPort: 15017
- name: tcp-webhook
- protocol: TCP
- {{- if not (regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress) }}
- # if the remotePilotAddress is not an IP addr, we use ExternalName
- type: ExternalName
- externalName: {{ .Values.global.remotePilotAddress }}
- {{- end }}
-{{- if .Values.global.ipFamilyPolicy }}
- ipFamilyPolicy: {{ .Values.global.ipFamilyPolicy }}
-{{- end }}
-{{- if .Values.global.ipFamilies }}
- ipFamilies:
-{{- range .Values.global.ipFamilies }}
- - {{ . }}
-{{- end }}
-{{- end }}
----
-{{- end }}
diff --git a/resources/latest/charts/base/templates/zzy_descope_legacy.yaml b/resources/latest/charts/base/templates/zzy_descope_legacy.yaml
deleted file mode 100644
index ae8fced29..000000000
--- a/resources/latest/charts/base/templates/zzy_descope_legacy.yaml
+++ /dev/null
@@ -1,3 +0,0 @@
-{{/* Copy anything under `.pilot` to `.`, to avoid the need to specify a redundant prefix.
-Due to the file naming, this always happens after zzz_profile.yaml */}}
-{{- $_ := mustMergeOverwrite $.Values (index $.Values "pilot") }}
\ No newline at end of file
diff --git a/resources/latest/charts/base/templates/zzz_profile.yaml b/resources/latest/charts/base/templates/zzz_profile.yaml
index 4eea73812..35623047c 100644
--- a/resources/latest/charts/base/templates/zzz_profile.yaml
+++ b/resources/latest/charts/base/templates/zzz_profile.yaml
@@ -15,9 +15,14 @@ However, we can workaround this by placing all of (1) under a specific key (.Val
 We can then merge the profile onto the defaults, then the user settings onto that.
 Finally, we can set all of that under .Values so the chart behaves without awareness.
 */}}
-{{- $globals := $.Values.global | default dict | deepCopy }}
-{{- $defaults := $.Values.defaults }}
-{{- $_ := unset $.Values "defaults" }}
+{{- if $.Values.defaults}}
+{{ fail (cat
+ "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n"
+ ($.Values.defaults | toYaml |nindent 4)
+) }}
+{{- end }}
+{{- $defaults := $.Values._internal_defaults_do_not_set }}
+{{- $_ := unset $.Values "_internal_defaults_do_not_set" }}
 {{- $profile := dict }}
 {{- with .Values.profile }}
 {{- with $.Files.Get (printf "files/profile-%s.yaml" .)}}
@@ -33,11 +38,11 @@ Finally, we can set all of that under .Values so the chart behaves without aware
 {{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }}
 {{- end }}
 {{- end }}
-{{- if $globals.platform }}
-{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" $globals.platform) }}
+{{- if ($.Values.global).platform }}
+{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" ($.Values.global).platform) }}
 {{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
 {{- else }}
-{{ fail (cat "unknown platform" $globals.platform) }}
+{{ fail (cat "unknown platform" ($.Values.global).platform) }}
 {{- end }}
 {{- end }}
 {{- if $profile }}
@@ -45,7 +50,7 @@ Finally, we can set all of that under .Values so the chart behaves without aware
 {{- end }}
 # Flatten globals, if defined on a per-chart basis
 {{- if false }}
-{{- $a := mustMergeOverwrite $defaults $globals }}
+{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict) }}
 {{- end }}
 {{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }}
diff --git a/resources/latest/charts/base/values.yaml b/resources/latest/charts/base/values.yaml
index ef078c11d..98c9c3645 100644
--- a/resources/latest/charts/base/values.yaml
+++ b/resources/latest/charts/base/values.yaml
@@ -1,6 +1,6 @@
-# "defaults" is a workaround for Helm limitations. Users should NOT set ".defaults" explicitly, but rather directly set the fields internally.
-# For instance, instead of `--set defaults.foo=bar`, just set `--set foo=bar`.
-defaults:
+# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally.
+# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`.
+_internal_defaults_do_not_set:
 global:
 # ImagePullSecrets for control plane ServiceAccount, list of secrets in the same namespace
@@ -11,26 +11,22 @@ defaults:
 # Used to locate istiod.
 istioNamespace: istio-system
- externalIstiod: false
- remotePilotAddress: ""
-
 # Platform where Istio is deployed. Possible values are: "openshift", "gcp".
 # An empty value means it is a vanilla Kubernetes distribution, therefore no special
 # treatment will be considered.
 platform: ""
-
- # Setup how istiod Service is configured. See https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services
- # This is intended only for use with external istiod.
- ipFamilyPolicy: ""
- ipFamilies: []
-
 base:
 # A list of CRDs to exclude. Requires `enableCRDTemplates` to be true.
 # Example: `excludedCRDs: ["envoyfilters.networking.istio.io"]`.
 # Note: when installing with `istioctl`, `enableIstioConfigCRDs=false` must also be set.
 excludedCRDs: []
- # Used for helm2 to add the CRDs to templates.
- enableCRDTemplates: false
+ # Helm (as of V3) does not support upgrading CRDs, because it is not universally
+ # safe for them to support this.
+ # Istio as a project enforces certain backwards-compat guarantees that allow us
+ # to safely upgrade CRDs in spite of this, so we default to self-managing CRDs
+ # as standard K8S resources in Helm, and disable Helm's CRD management. See also:
+ # https://helm.sh/docs/chart_best_practices/custom_resource_definitions/#method-2-separate-charts
+ enableCRDTemplates: true
 # Validation webhook configuration url
 # For example: https://$remotePilotAddress:15017/validate
diff --git a/resources/latest/charts/cni/Chart.yaml b/resources/latest/charts/cni/Chart.yaml
index 41e66e2c6..07bc06d3c 100644
--- a/resources/latest/charts/cni/Chart.yaml
+++ b/resources/latest/charts/cni/Chart.yaml
@@ -1,5 +1,5 @@
 apiVersion: v2
-appVersion: 1.24-alpha.fe2a04689d3b7abf7630dc5646bf825e0c0592fe
+appVersion: 1.24-alpha.6f95f8c912c44489b4f78568207337bd907f46c1
 description: Helm chart for istio-cni components
 icon: https://istio.io/latest/favicons/android-192x192.png
 keywords:
@@ -8,4 +8,4 @@ keywords:
 name: cni
 sources:
 - https://github.com/istio/istio
-version: 1.24-alpha.fe2a04689d3b7abf7630dc5646bf825e0c0592fe
+version: 1.24-alpha.6f95f8c912c44489b4f78568207337bd907f46c1
diff --git a/resources/latest/charts/cni/files/profile-remote.yaml b/resources/latest/charts/cni/files/profile-remote.yaml
new file mode 100644
index 000000000..d17b9a801
--- /dev/null
+++ b/resources/latest/charts/cni/files/profile-remote.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile.
+istiodRemote:
+ enabled: true
+configMap: false
+telemetry:
+ enabled: false
+global:
+ # TODO BML maybe a different profile for a configcluster/revisit this
+ omitSidecarInjectorConfigMap: true
diff --git a/resources/latest/charts/cni/templates/zzz_profile.yaml b/resources/latest/charts/cni/templates/zzz_profile.yaml
index 4eea73812..35623047c 100644
--- a/resources/latest/charts/cni/templates/zzz_profile.yaml
+++ b/resources/latest/charts/cni/templates/zzz_profile.yaml
@@ -15,9 +15,14 @@ However, we can workaround this by placing all of (1) under a specific key (.Val
 We can then merge the profile onto the defaults, then the user settings onto that.
 Finally, we can set all of that under .Values so the chart behaves without awareness.
 */}}
-{{- $globals := $.Values.global | default dict | deepCopy }}
-{{- $defaults := $.Values.defaults }}
-{{- $_ := unset $.Values "defaults" }}
+{{- if $.Values.defaults}}
+{{ fail (cat
+ "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n"
+ ($.Values.defaults | toYaml |nindent 4)
+) }}
+{{- end }}
+{{- $defaults := $.Values._internal_defaults_do_not_set }}
+{{- $_ := unset $.Values "_internal_defaults_do_not_set" }}
 {{- $profile := dict }}
 {{- with .Values.profile }}
 {{- with $.Files.Get (printf "files/profile-%s.yaml" .)}}
@@ -33,11 +38,11 @@ Finally, we can set all of that under .Values so the chart behaves without aware
 {{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }}
 {{- end }}
 {{- end }}
-{{- if $globals.platform }}
-{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" $globals.platform) }}
+{{- if ($.Values.global).platform }}
+{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" ($.Values.global).platform) }}
 {{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
 {{- else }}
-{{ fail (cat "unknown platform" $globals.platform) }}
+{{ fail (cat "unknown platform" ($.Values.global).platform) }}
 {{- end }}
 {{- end }}
 {{- if $profile }}
@@ -45,7 +50,7 @@ Finally, we can set all of that under .Values so the chart behaves without aware
 {{- end }}
 # Flatten globals, if defined on a per-chart basis
 {{- if false }}
-{{- $a := mustMergeOverwrite $defaults $globals }}
+{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict) }}
 {{- end }}
 {{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }}
diff --git a/resources/latest/charts/cni/values.yaml b/resources/latest/charts/cni/values.yaml
index 3fdef82fe..491f58253 100644
--- a/resources/latest/charts/cni/values.yaml
+++ b/resources/latest/charts/cni/values.yaml
@@ -1,6 +1,6 @@
-# "defaults" is a workaround for Helm limitations. Users should NOT set ".defaults" explicitly, but rather directly set the fields internally.
-# For instance, instead of `--set defaults.foo=bar`, just set `--set foo=bar`.
-defaults:
+# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally.
+# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`.
+_internal_defaults_do_not_set:
 hub: ""
 tag: ""
 variant: ""
@@ -112,7 +112,7 @@ defaults:
 hub: gcr.io/istio-testing
 # Default tag for Istio images.
- tag: 1.24-alpha.fe2a04689d3b7abf7630dc5646bf825e0c0592fe
+ tag: 1.24-alpha.6f95f8c912c44489b4f78568207337bd907f46c1
 # Variant of the image to use.
 # Currently supported are: [debug, distroless]
diff --git a/resources/latest/charts/gateway/Chart.yaml b/resources/latest/charts/gateway/Chart.yaml
index aad800d17..49bde88c7 100644
--- a/resources/latest/charts/gateway/Chart.yaml
+++ b/resources/latest/charts/gateway/Chart.yaml
@@ -1,5 +1,5 @@
 apiVersion: v2
-appVersion: 1.24-alpha.fe2a04689d3b7abf7630dc5646bf825e0c0592fe
+appVersion: 1.24-alpha.6f95f8c912c44489b4f78568207337bd907f46c1
 description: Helm chart for deploying Istio gateways
 icon: https://istio.io/latest/favicons/android-192x192.png
 keywords:
@@ -9,4 +9,4 @@ name: gateway
 sources:
 - https://github.com/istio/istio
 type: application
-version: 1.24-alpha.fe2a04689d3b7abf7630dc5646bf825e0c0592fe
+version: 1.24-alpha.6f95f8c912c44489b4f78568207337bd907f46c1
diff --git a/resources/latest/charts/gateway/files/profile-remote.yaml b/resources/latest/charts/gateway/files/profile-remote.yaml
new file mode 100644
index 000000000..d17b9a801
--- /dev/null
+++ b/resources/latest/charts/gateway/files/profile-remote.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile.
+istiodRemote:
+ enabled: true
+configMap: false
+telemetry:
+ enabled: false
+global:
+ # TODO BML maybe a different profile for a configcluster/revisit this
+ omitSidecarInjectorConfigMap: true
diff --git a/resources/latest/charts/gateway/templates/zzz_profile.yaml b/resources/latest/charts/gateway/templates/zzz_profile.yaml
index 4eea73812..35623047c 100644
--- a/resources/latest/charts/gateway/templates/zzz_profile.yaml
+++ b/resources/latest/charts/gateway/templates/zzz_profile.yaml
@@ -15,9 +15,14 @@ However, we can workaround this by placing all of (1) under a specific key (.Val
 We can then merge the profile onto the defaults, then the user settings onto that.
 Finally, we can set all of that under .Values so the chart behaves without awareness.
 */}}
-{{- $globals := $.Values.global | default dict | deepCopy }}
-{{- $defaults := $.Values.defaults }}
-{{- $_ := unset $.Values "defaults" }}
+{{- if $.Values.defaults}}
+{{ fail (cat
+ "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n"
+ ($.Values.defaults | toYaml |nindent 4)
+) }}
+{{- end }}
+{{- $defaults := $.Values._internal_defaults_do_not_set }}
+{{- $_ := unset $.Values "_internal_defaults_do_not_set" }}
 {{- $profile := dict }}
 {{- with .Values.profile }}
 {{- with $.Files.Get (printf "files/profile-%s.yaml" .)}}
@@ -33,11 +38,11 @@ Finally, we can set all of that under .Values so the chart behaves without aware
 {{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }}
 {{- end }}
 {{- end }}
-{{- if $globals.platform }}
-{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" $globals.platform) }}
+{{- if ($.Values.global).platform }}
+{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" ($.Values.global).platform) }}
 {{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
 {{- else }}
-{{ fail (cat "unknown platform" $globals.platform) }}
+{{ fail (cat "unknown platform" ($.Values.global).platform) }}
 {{- end }}
 {{- end }}
 {{- if $profile }}
@@ -45,7 +50,7 @@ Finally, we can set all of that under .Values so the chart behaves without aware
 {{- end }}
 # Flatten globals, if defined on a per-chart basis
 {{- if false }}
-{{- $a := mustMergeOverwrite $defaults $globals }}
+{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict) }}
 {{- end }}
 {{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }}
diff --git a/resources/latest/charts/gateway/values.yaml b/resources/latest/charts/gateway/values.yaml
index 466b9d21c..b02240df1 100644
--- a/resources/latest/charts/gateway/values.yaml
+++ b/resources/latest/charts/gateway/values.yaml
@@ -1,6 +1,6 @@
-# "defaults" is a workaround for Helm limitations. Users should NOT set ".defaults" explicitly, but rather directly set the fields internally.
-# For instance, instead of `--set defaults.foo=bar`, just set `--set foo=bar`.
-defaults:
+# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally.
+# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`.
+_internal_defaults_do_not_set:
 # Name allows overriding the release name. Generally this should not be set
 name: ""
 # revision declares which revision this gateway is a part of
diff --git a/resources/latest/charts/istiod-remote/Chart.yaml b/resources/latest/charts/istiod-remote/Chart.yaml
deleted file mode 100644
index 6957bd426..000000000
--- a/resources/latest/charts/istiod-remote/Chart.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
-apiVersion: v2
-appVersion: 1.24-alpha.fe2a04689d3b7abf7630dc5646bf825e0c0592fe
-description: Helm chart for a remote cluster using an external istio control plane
-icon: https://istio.io/latest/favicons/android-192x192.png
-keywords:
-- istio
-- external-istiod
-name: istiod-remote
-sources:
-- https://github.com/istio/istio
-version: 1.24-alpha.fe2a04689d3b7abf7630dc5646bf825e0c0592fe
diff --git a/resources/latest/charts/istiod-remote/files/injection-template.yaml b/resources/latest/charts/istiod-remote/files/injection-template.yaml
deleted file mode 100644
index f41122f9b..000000000
--- a/resources/latest/charts/istiod-remote/files/injection-template.yaml
+++ /dev/null
@@ -1,538 +0,0 @@ -{{- define "resources" }} - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }} - requests: - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}} - cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}" - {{ end }} - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} - memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}" - {{ end }} - {{- end }} - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} - limits: - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}} - cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}" - {{ end }} - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}} - memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}" - {{ end }} - {{- end }} - {{- else }} - {{- if .Values.global.proxy.resources }} - {{ toYaml .Values.global.proxy.resources | indent 6 }} - {{- end }} - {{- end }} -{{- end }} -{{ $nativeSidecar := (eq (env "ENABLE_NATIVE_SIDECARS" "false") "true") }} -{{- $containers := list }} -{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} -metadata: - labels: - security.istio.io/tlsMode: {{ index .ObjectMeta.Labels `security.istio.io/tlsMode` | default "istio" | quote }} - {{- if eq (index .ProxyConfig.ProxyMetadata "ISTIO_META_ENABLE_HBONE") "true" }} - networking.istio.io/tunnel: {{ index 
.ObjectMeta.Labels `networking.istio.io/tunnel` | default "http" | quote }} - {{- end }} - service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | trunc 63 | trimSuffix "-" | quote }} - service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} - annotations: { - istio.io/rev: {{ .Revision | default "default" | quote }}, - {{- if ge (len $containers) 1 }} - {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }} - kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", - {{- end }} - {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }} - kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", - {{- end }} - {{- end }} -{{- if .Values.pilot.cni.enabled }} - {{- if eq .Values.pilot.cni.provider "multus" }} - k8s.v1.cni.cncf.io/networks: '{{ appendMultusNetwork (index .ObjectMeta.Annotations `k8s.v1.cni.cncf.io/networks`) `default/istio-cni` }}', - {{- end }} - sidecar.istio.io/interceptionMode: "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}", - {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}traffic.sidecar.istio.io/includeOutboundIPRanges: "{{.}}",{{ end }} - {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}traffic.sidecar.istio.io/excludeOutboundIPRanges: "{{.}}",{{ end }} - {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts 
}}traffic.sidecar.istio.io/includeInboundPorts: "{{.}}",{{ end }} - traffic.sidecar.istio.io/excludeInboundPorts: "{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}", - {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") }} - traffic.sidecar.istio.io/includeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}", - {{- end }} - {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne .Values.global.proxy.excludeOutboundPorts "") }} - traffic.sidecar.istio.io/excludeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}", - {{- end }} - {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}traffic.sidecar.istio.io/kubevirtInterfaces: "{{.}}",{{ end }} - {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}traffic.sidecar.istio.io/excludeInterfaces: "{{.}}",{{ end }} -{{- end }} - } -spec: - {{- $holdProxy := and - (or .ProxyConfig.HoldApplicationUntilProxyStarts.GetValue .Values.global.proxy.holdApplicationUntilProxyStarts) - (not $nativeSidecar) }} - initContainers: - {{ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE` }} - {{ if .Values.pilot.cni.enabled -}} - - name: istio-validation - {{ else -}} - - name: istio-init - {{ end -}} - {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}" - {{- else }} - image: "{{ 
.ProxyImage }}" - {{- end }} - args: - - istio-iptables - - "-p" - - {{ .MeshConfig.ProxyListenPort | default "15001" | quote }} - - "-z" - - {{ .MeshConfig.ProxyInboundListenPort | default "15006" | quote }} - - "-u" - - {{ .ProxyUID | default "1337" | quote }} - - "-m" - - "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}" - - "-i" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}" - - "-x" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}" - - "-b" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}" - - "-d" - {{- if excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }} - - "15090,15021,{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}" - {{- else }} - - "15090,15021" - {{- end }} - {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") -}} - - "-q" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}" - {{ end -}} - {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.excludeOutboundPorts "") "") -}} - - "-o" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}" - {{ end -}} - {{ if (isset .ObjectMeta.Annotations 
`traffic.sidecar.istio.io/kubevirtInterfaces`) -}} - - "-k" - - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}" - {{ end -}} - {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces`) -}} - - "-c" - - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}" - {{ end -}} - - "--log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}" - {{ if .Values.global.logAsJson -}} - - "--log_as_json" - {{ end -}} - {{ if .Values.pilot.cni.enabled -}} - - "--run-validation" - - "--skip-rule-apply" - {{ else if .Values.global.proxy_init.forceApplyIptables -}} - - "--force-apply" - {{ end -}} - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - {{- if .ProxyConfig.ProxyMetadata }} - env: - {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{- end }} - resources: - {{ template "resources" . 
}} - securityContext: - allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} - privileged: {{ .Values.global.proxy.privileged }} - capabilities: - {{- if not .Values.pilot.cni.enabled }} - add: - - NET_ADMIN - - NET_RAW - {{- end }} - drop: - - ALL - {{- if not .Values.pilot.cni.enabled }} - readOnlyRootFilesystem: false - runAsGroup: 0 - runAsNonRoot: false - runAsUser: 0 - {{- else }} - readOnlyRootFilesystem: true - runAsGroup: {{ .ProxyGID | default "1337" }} - runAsUser: {{ .ProxyUID | default "1337" }} - runAsNonRoot: true - {{- end }} - {{ end -}} - {{- if eq (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }} - - name: enable-core-dump - args: - - -c - - sysctl -w kernel.core_pattern=/var/lib/istio/data/core.proxy && ulimit -c unlimited - command: - - /bin/sh - {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}" - {{- else }} - image: "{{ .ProxyImage }}" - {{- end }} - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - resources: - {{ template "resources" . 
}} - securityContext: - allowPrivilegeEscalation: true - capabilities: - add: - - SYS_ADMIN - drop: - - ALL - privileged: true - readOnlyRootFilesystem: false - runAsGroup: 0 - runAsNonRoot: false - runAsUser: 0 - {{ end }} - {{ if not $nativeSidecar }} - containers: - {{ end }} - - name: istio-proxy - {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" - {{- else }} - image: "{{ .ProxyImage }}" - {{- end }} - {{ if $nativeSidecar }}restartPolicy: Always{{end}} - ports: - - containerPort: 15090 - protocol: TCP - name: http-envoy-prom - args: - - proxy - - sidecar - - --domain - - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} - - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} - - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} - {{- if .Values.global.sts.servicePort }} - - --stsPort={{ .Values.global.sts.servicePort }} - {{- end }} - {{- if .Values.global.logAsJson }} - - --log_as_json - {{- end }} - {{- if .Values.global.proxy.outlierLogPath }} - - --outlierLogPath={{ .Values.global.proxy.outlierLogPath }} - {{- end}} - {{- if .Values.global.proxy.lifecycle }} - lifecycle: - {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} - {{- else if $holdProxy }} - lifecycle: - postStart: - exec: - command: - - pilot-agent - - wait - {{- else if $nativeSidecar }} - {{- /* preStop is called when the pod starts shutdown. Initialize drain. We will get SIGTERM once applications are torn down. 
*/}} - lifecycle: - preStop: - exec: - command: - - pilot-agent - - request - - --debug-port={{(annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort)}} - - POST - - drain - {{- end }} - env: - {{- if eq .InboundTrafficPolicyMode "localhost" }} - - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION - value: "true" - {{- end }} - - name: PILOT_CERT_PROVIDER - value: {{ .Values.global.pilotCertProvider }} - - name: CA_ADDR - {{- if .Values.global.caAddress }} - value: {{ .Values.global.caAddress }} - {{- else }} - value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 - {{- end }} - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: HOST_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: ISTIO_CPU_LIMIT - valueFrom: - resourceFieldRef: - resource: limits.cpu - - name: PROXY_CONFIG - value: | - {{ protoToJSON .ProxyConfig }} - - name: ISTIO_META_POD_PORTS - value: |- - [ - {{- $first := true }} - {{- range $index1, $c := .Spec.Containers }} - {{- range $index2, $p := $c.Ports }} - {{- if (structToJSON $p) }} - {{if not $first}},{{end}}{{ structToJSON $p }} - {{- $first = false }} - {{- end }} - {{- end}} - {{- end}} - ] - - name: ISTIO_META_APP_CONTAINERS - value: "{{ $containers | join "," }}" - - name: GOMEMLIMIT - valueFrom: - resourceFieldRef: - resource: limits.memory - - name: GOMAXPROCS - valueFrom: - resourceFieldRef: - resource: limits.cpu - {{- if .CompliancePolicy }} - - name: COMPLIANCE_POLICY - value: "{{ .CompliancePolicy }}" - {{- end }} - - name: ISTIO_META_CLUSTER_ID - value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" - - name: 
ISTIO_META_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: ISTIO_META_INTERCEPTION_MODE - value: "{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}" - {{- if .Values.global.network }} - - name: ISTIO_META_NETWORK - value: "{{ .Values.global.network }}" - {{- end }} - {{- if .DeploymentMeta.Name }} - - name: ISTIO_META_WORKLOAD_NAME - value: "{{ .DeploymentMeta.Name }}" - {{ end }} - {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} - - name: ISTIO_META_OWNER - value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} - {{- end}} - {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - - name: ISTIO_BOOTSTRAP_OVERRIDE - value: "/etc/istio/custom-bootstrap/custom_bootstrap.json" - {{- end }} - {{- if .Values.global.meshID }} - - name: ISTIO_META_MESH_ID - value: "{{ .Values.global.meshID }}" - {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: ISTIO_META_MESH_ID - value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" - {{- end }} - {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: TRUST_DOMAIN - value: "{{ . 
}}" - {{- end }} - {{- if and (eq .Values.global.proxy.tracer "datadog") (isset .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} - {{- range $key, $value := fromJSON (index .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{- end }} - {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }} - {{ if .Values.global.proxy.startupProbe.enabled }} - startupProbe: - httpGet: - path: /healthz/ready - port: 15021 - initialDelaySeconds: 0 - periodSeconds: 1 - timeoutSeconds: 3 - failureThreshold: {{ .Values.global.proxy.startupProbe.failureThreshold }} - {{ end }} - readinessProbe: - httpGet: - path: /healthz/ready - port: 15021 - initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }} - periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }} - timeoutSeconds: 3 - failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }} - {{ end -}} - securityContext: - {{- if eq (index .ProxyConfig.ProxyMetadata "IPTABLES_TRACE_LOGGING") "true" }} - allowPrivilegeEscalation: true - capabilities: - add: - - NET_ADMIN - drop: - - ALL - privileged: true - readOnlyRootFilesystem: {{ ne (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }} - runAsGroup: {{ .ProxyGID | default "1337" }} - runAsNonRoot: false - runAsUser: 0 - {{- else }} - allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} - capabilities: - {{ if or (eq (annotation .ObjectMeta 
`sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}} - add: - {{ if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY` -}} - - NET_ADMIN - {{- end }} - {{ if eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true` -}} - - NET_BIND_SERVICE - {{- end }} - {{- end }} - drop: - - ALL - privileged: {{ .Values.global.proxy.privileged }} - readOnlyRootFilesystem: {{ ne (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }} - runAsGroup: {{ .ProxyGID | default "1337" }} - {{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}} - runAsNonRoot: false - runAsUser: 0 - {{- else -}} - runAsNonRoot: true - runAsUser: {{ .ProxyUID | default "1337" }} - {{- end }} - {{- end }} - resources: - {{ template "resources" . 
}} - volumeMounts: - - name: workload-socket - mountPath: /var/run/secrets/workload-spiffe-uds - - name: credential-socket - mountPath: /var/run/secrets/credential-uds - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - mountPath: /var/run/secrets/workload-spiffe-credentials - readOnly: true - {{- else }} - - name: workload-certs - mountPath: /var/run/secrets/workload-spiffe-credentials - {{- end }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - mountPath: /var/run/secrets/istio - name: istiod-ca-cert - {{- end }} - - mountPath: /var/lib/istio/data - name: istio-data - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - - mountPath: /etc/istio/custom-bootstrap - name: custom-bootstrap-volume - {{- end }} - # SDS channel between istioagent and Envoy - - mountPath: /etc/istio/proxy - name: istio-envoy - - mountPath: /var/run/secrets/tokens - name: istio-token - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. 
- - mountPath: /etc/certs/ - name: istio-certs - readOnly: true - {{- end }} - - name: istio-podinfo - mountPath: /etc/istio/pod - {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} - - mountPath: {{ directory .ProxyConfig.GetTracing.GetTlsSettings.GetCaCertificates }} - name: lightstep-certs - readOnly: true - {{- end }} - {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }} - {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }} - - name: "{{ $index }}" - {{ toYaml $value | indent 6 }} - {{ end }} - {{- end }} - volumes: - - emptyDir: - name: workload-socket - - emptyDir: - name: credential-socket - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - csi: - driver: workloadcertificates.security.cloud.google.com - {{- else }} - - emptyDir: - name: workload-certs - {{- end }} - {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - - name: custom-bootstrap-volume - configMap: - name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }} - {{- end }} - # SDS channel between istioagent and Envoy - - emptyDir: - medium: Memory - name: istio-envoy - - name: istio-data - emptyDir: {} - - name: istio-podinfo - downwardAPI: - items: - - path: "labels" - fieldRef: - fieldPath: metadata.labels - - path: "annotations" - fieldRef: - fieldPath: metadata.annotations - - name: istio-token - projected: - sources: - - serviceAccountToken: - path: istio-token - expirationSeconds: 43200 - audience: {{ .Values.global.sds.token.aud }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - name: istiod-ca-cert - configMap: - name: istio-ca-root-cert - {{- end }} - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. 
- - name: istio-certs - secret: - optional: true - {{ if eq .Spec.ServiceAccountName "" }} - secretName: istio.default - {{ else -}} - secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} - {{ end -}} - {{- end }} - {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }} - {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }} - - name: "{{ $index }}" - {{ toYaml $value | indent 4 }} - {{ end }} - {{ end }} - {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} - - name: lightstep-certs - secret: - optional: true - secretName: lightstep.cacert - {{- end }} - {{- if .Values.global.imagePullSecrets }} - imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . }} - {{- end }} - {{- end }} diff --git a/resources/latest/charts/istiod-remote/files/profile-ambient.yaml b/resources/latest/charts/istiod-remote/files/profile-ambient.yaml deleted file mode 100644 index 2805fe46b..000000000 --- a/resources/latest/charts/istiod-remote/files/profile-ambient.yaml +++ /dev/null @@ -1,17 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed -meshConfig: - defaultConfig: - proxyMetadata: - ISTIO_META_ENABLE_HBONE: "true" -global: - variant: distroless -pilot: - env: - PILOT_ENABLE_AMBIENT: "true" -cni: - ambient: - enabled: true diff --git a/resources/latest/charts/istiod-remote/files/profile-compatibility-version-1.21.yaml b/resources/latest/charts/istiod-remote/files/profile-compatibility-version-1.21.yaml deleted file mode 100644 index c8da4d2e1..000000000 --- a/resources/latest/charts/istiod-remote/files/profile-compatibility-version-1.21.yaml +++ /dev/null 
@@ -1,33 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.22 behavioral changes - ENABLE_ENHANCED_RESOURCE_SCOPING: "false" - ENABLE_RESOLUTION_NONE_TARGET_PORT: "false" - - # 1.23 behavioral changes - ENABLE_DELIMITED_STATS_TAG_REGEX: "false" - - # 1.24 behavioral changes - ENABLE_INBOUND_RETRY_POLICY: "false" - EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false" - PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false" - ENABLE_ENHANCED_DESTINATIONRULE_MERGE: "false" - PILOT_UNIFIED_SIDECAR_SCOPE: "false" - -meshConfig: - # 1.22 behavioral changes - defaultConfig: - proxyMetadata: - ISTIO_DELTA_XDS: "false" - # 1.23 behavioral changes - ENABLE_DELIMITED_STATS_TAG_REGEX: "false" - # 1.24 behaviour changes - ENABLE_DEFERRED_STATS_CREATION: "false" - BYPASS_OVERLOAD_MANAGER_FOR_STATIC_LISTENERS: "false" - tracing: - zipkin: - address: zipkin.istio-system:9411 diff --git a/resources/latest/charts/istiod-remote/files/profile-compatibility-version-1.22.yaml b/resources/latest/charts/istiod-remote/files/profile-compatibility-version-1.22.yaml deleted file mode 100644 index 70d8eb40c..000000000 --- a/resources/latest/charts/istiod-remote/files/profile-compatibility-version-1.22.yaml +++ /dev/null 
@@ -1,26 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.23 behavioral changes - ENABLE_DELIMITED_STATS_TAG_REGEX: "false" - - # 1.24 behavioral changes - ENABLE_INBOUND_RETRY_POLICY: "false" - EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false" - PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false" - ENABLE_ENHANCED_DESTINATIONRULE_MERGE: "false" - PILOT_UNIFIED_SIDECAR_SCOPE: "false" - -meshConfig: - defaultConfig: - proxyMetadata: - # 1.22 behavioral changes - ENABLE_DEFERRED_CLUSTER_CREATION: "false" - # 1.23 behavioral changes - ENABLE_DELIMITED_STATS_TAG_REGEX: "false" - # 1.24 behaviour changes - ENABLE_DEFERRED_STATS_CREATION: "false" - BYPASS_OVERLOAD_MANAGER_FOR_STATIC_LISTENERS: "false" diff --git a/resources/latest/charts/istiod-remote/files/profile-compatibility-version-1.23.yaml b/resources/latest/charts/istiod-remote/files/profile-compatibility-version-1.23.yaml deleted file mode 100644 index 636bb6f15..000000000 --- a/resources/latest/charts/istiod-remote/files/profile-compatibility-version-1.23.yaml +++ /dev/null @@ -1,19 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.24 behavioral changes - ENABLE_INBOUND_RETRY_POLICY: "false" - EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false" - PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false" - ENABLE_ENHANCED_DESTINATIONRULE_MERGE: "false" - PILOT_UNIFIED_SIDECAR_SCOPE: "false" - -meshConfig: - defaultConfig: - proxyMetadata: - # 1.24 behaviour changes - ENABLE_DEFERRED_STATS_CREATION: "false" - BYPASS_OVERLOAD_MANAGER_FOR_STATIC_LISTENERS: "false" 
diff --git a/resources/latest/charts/istiod-remote/files/profile-demo.yaml b/resources/latest/charts/istiod-remote/files/profile-demo.yaml deleted file mode 100644 index eadbde17c..000000000 --- a/resources/latest/charts/istiod-remote/files/profile-demo.yaml +++ /dev/null 
@@ -1,90 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The demo profile enables a variety of things to try out Istio in non-production environments. -# * Lower resource utilization. -# * Some additional features are enabled by default; especially ones used in some tasks in istio.io. -# * More ports enabled on the ingress, which is used in some tasks. -meshConfig: - accessLogFile: /dev/stdout - extensionProviders: - - name: otel - envoyOtelAls: - service: opentelemetry-collector.observability.svc.cluster.local - port: 4317 - - name: skywalking - skywalking: - service: tracing.istio-system.svc.cluster.local - port: 11800 - - name: otel-tracing - opentelemetry: - port: 4317 - service: opentelemetry-collector.observability.svc.cluster.local - -cni: - resources: - requests: - cpu: 10m - memory: 40Mi - -ztunnel: - resources: - requests: - cpu: 10m - memory: 40Mi - -global: - proxy: - resources: - requests: - cpu: 10m - memory: 40Mi - waypoint: - resources: - requests: - cpu: 10m - memory: 40Mi - -pilot: - autoscaleEnabled: false - traceSampling: 100 - resources: - requests: - cpu: 10m - memory: 100Mi - -gateways: - istio-egressgateway: - autoscaleEnabled: false - resources: - requests: - cpu: 10m - memory: 40Mi - istio-ingressgateway: - autoscaleEnabled: false - ports: - ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces. - # Note that AWS ELB will by default perform health checks on the first port - # on this list. Setting this to the health check port will ensure that health - # checks always work. 
https://github.com/istio/istio/issues/12503 - - port: 15021 - targetPort: 15021 - name: status-port - - port: 80 - targetPort: 8080 - name: http2 - - port: 443 - targetPort: 8443 - name: https - - port: 31400 - targetPort: 31400 - name: tcp - # This is the port where sni routing happens - - port: 15443 - targetPort: 15443 - name: tls - resources: - requests: - cpu: 10m - memory: 40Mi \ No newline at end of file diff --git a/resources/latest/charts/istiod-remote/files/profile-platform-k3d.yaml b/resources/latest/charts/istiod-remote/files/profile-platform-k3d.yaml deleted file mode 100644 index cd86d9ec5..000000000 --- a/resources/latest/charts/istiod-remote/files/profile-platform-k3d.yaml +++ /dev/null @@ -1,7 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d - cniBinDir: /bin diff --git a/resources/latest/charts/istiod-remote/files/profile-platform-k3s.yaml b/resources/latest/charts/istiod-remote/files/profile-platform-k3s.yaml deleted file mode 100644 index f3f2884aa..000000000 --- a/resources/latest/charts/istiod-remote/files/profile-platform-k3s.yaml +++ /dev/null @@ -1,7 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d - cniBinDir: /var/lib/rancher/k3s/data/current/bin/ diff --git a/resources/latest/charts/istiod-remote/files/profile-platform-microk8s.yaml b/resources/latest/charts/istiod-remote/files/profile-platform-microk8s.yaml deleted file mode 100644 index 57d7f5e3c..000000000 --- a/resources/latest/charts/istiod-remote/files/profile-platform-microk8s.yaml +++ /dev/null 
@@ -1,7 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniConfDir: /var/snap/microk8s/current/args/cni-network - cniBinDir: /var/snap/microk8s/current/opt/cni/bin diff --git a/resources/latest/charts/istiod-remote/files/profile-platform-minikube.yaml b/resources/latest/charts/istiod-remote/files/profile-platform-minikube.yaml deleted file mode 100644 index fa9992e20..000000000 --- a/resources/latest/charts/istiod-remote/files/profile-platform-minikube.yaml +++ /dev/null @@ -1,6 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniNetnsDir: /var/run/docker/netns diff --git a/resources/latest/charts/istiod-remote/files/profile-platform-openshift.yaml b/resources/latest/charts/istiod-remote/files/profile-platform-openshift.yaml deleted file mode 100644 index 69eda2b1d..000000000 --- a/resources/latest/charts/istiod-remote/files/profile-platform-openshift.yaml +++ /dev/null @@ -1,17 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The OpenShift profile provides a basic set of settings to run Istio on OpenShift -cni: - cniBinDir: /var/lib/cni/bin - cniConfDir: /etc/cni/multus/net.d - chained: false - cniConfFileName: "istio-cni.conf" - provider: "multus" -pilot: - cni: - enabled: true - provider: "multus" -seLinuxOptions: - type: spc_t 
diff --git a/resources/latest/charts/istiod-remote/templates/_helpers.tpl b/resources/latest/charts/istiod-remote/templates/_helpers.tpl deleted file mode 100644 index 042c92538..000000000 --- a/resources/latest/charts/istiod-remote/templates/_helpers.tpl +++ /dev/null @@ -1,23 +0,0 @@ -{{/* Default Prometheus is enabled if its enabled and there are no config overrides set */}} -{{ define "default-prometheus" }} -{{- and - (not .Values.meshConfig.defaultProviders) - .Values.telemetry.enabled .Values.telemetry.v2.enabled .Values.telemetry.v2.prometheus.enabled -}} -{{- end }} - -{{/* SD has metrics and logging split. Default metrics are enabled if SD is enabled */}} -{{ define "default-sd-metrics" }} -{{- and - (not .Values.meshConfig.defaultProviders) - .Values.telemetry.enabled .Values.telemetry.v2.enabled .Values.telemetry.v2.stackdriver.enabled -}} -{{- end }} - -{{/* SD has metrics and logging split. */}} -{{ define "default-sd-logs" }} -{{- and - (not .Values.meshConfig.defaultProviders) - .Values.telemetry.enabled .Values.telemetry.v2.enabled .Values.telemetry.v2.stackdriver.enabled -}} -{{- end }} diff --git a/resources/latest/charts/istiod-remote/templates/clusterrole.yaml b/resources/latest/charts/istiod-remote/templates/clusterrole.yaml deleted file mode 100644 index 8c25cbf72..000000000 --- a/resources/latest/charts/istiod-remote/templates/clusterrole.yaml +++ /dev/null 
@@ -1,186 +0,0 @@ -{{- if .Values.global.configCluster }} -{{ $mcsAPIGroup := or .Values.env.MCS_API_GROUP "multicluster.x-k8s.io" }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} - labels: - app: istiod - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -rules: - # sidecar injection controller - - apiGroups: ["admissionregistration.k8s.io"] - resources: ["mutatingwebhookconfigurations"] - verbs: ["get", "list", "watch", "update", "patch"] - - # configuration validation webhook controller - - apiGroups: ["admissionregistration.k8s.io"] - resources: ["validatingwebhookconfigurations"] - verbs: ["get", "list", "watch", "update"] - - # istio configuration - # removing CRD permissions can break older versions of Istio running alongside this control plane (https://github.com/istio/istio/issues/29382) - # please proceed with caution - - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io", "extensions.istio.io"] - verbs: ["get", "watch", "list"] - resources: ["*"] -{{- if .Values.global.istiod.enableAnalysis }} - - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io", "extensions.istio.io"] - verbs: ["update", "patch"] - resources: - - authorizationpolicies/status - - destinationrules/status - - envoyfilters/status - - gateways/status - - peerauthentications/status - - proxyconfigs/status - - requestauthentications/status - - serviceentries/status - - sidecars/status - - telemetries/status - - virtualservices/status - - wasmplugins/status - - workloadentries/status - - workloadgroups/status -{{- end }} - - apiGroups: ["networking.istio.io"] - verbs: [ "get", "watch", "list", "update", "patch", 
"create", "delete" ] - resources: [ "workloadentries" ] - - apiGroups: ["networking.istio.io"] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "workloadentries/status", "serviceentries/status" ] - - apiGroups: ["security.istio.io"] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "authorizationpolicies/status" ] - - apiGroups: [""] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "services/status" ] - - # auto-detect installed CRD definitions - - apiGroups: ["apiextensions.k8s.io"] - resources: ["customresourcedefinitions"] - verbs: ["get", "list", "watch"] - - # discovery and routing - - apiGroups: [""] - resources: ["pods", "nodes", "services", "namespaces", "endpoints"] - verbs: ["get", "list", "watch"] - - apiGroups: ["discovery.k8s.io"] - resources: ["endpointslices"] - verbs: ["get", "list", "watch"] - -{{- if .Values.taint.enabled }} - - apiGroups: [""] - resources: ["nodes"] - verbs: ["patch"] -{{- end }} - - # ingress controller -{{- if .Values.global.istiod.enableAnalysis }} - - apiGroups: ["extensions", "networking.k8s.io"] - resources: ["ingresses"] - verbs: ["get", "list", "watch"] - - apiGroups: ["extensions", "networking.k8s.io"] - resources: ["ingresses/status"] - verbs: ["*"] -{{- end}} - - apiGroups: ["networking.k8s.io"] - resources: ["ingresses", "ingressclasses"] - verbs: ["get", "list", "watch"] - - apiGroups: ["networking.k8s.io"] - resources: ["ingresses/status"] - verbs: ["*"] - - # required for CA's namespace controller - - apiGroups: [""] - resources: ["configmaps"] - verbs: ["create", "get", "list", "watch", "update"] - - # Istiod and bootstrap. 
-{{- $omitCertProvidersForClusterRole := list "istiod" "custom" "none"}} -{{- if or .Values.env.EXTERNAL_CA (not (has .Values.global.pilotCertProvider $omitCertProvidersForClusterRole)) }} - - apiGroups: ["certificates.k8s.io"] - resources: - - "certificatesigningrequests" - - "certificatesigningrequests/approval" - - "certificatesigningrequests/status" - verbs: ["update", "create", "get", "delete", "watch"] - - apiGroups: ["certificates.k8s.io"] - resources: - - "signers" - resourceNames: -{{- range .Values.global.certSigners }} - - {{ . | quote }} -{{- end }} - verbs: ["approve"] -{{- end}} - - # Used by Istiod to verify the JWT tokens - - apiGroups: ["authentication.k8s.io"] - resources: ["tokenreviews"] - verbs: ["create"] - - # Used by Istiod to verify gateway SDS - - apiGroups: ["authorization.k8s.io"] - resources: ["subjectaccessreviews"] - verbs: ["create"] - - # Use for Kubernetes Service APIs - - apiGroups: ["gateway.networking.k8s.io"] - resources: ["*"] - verbs: ["get", "watch", "list"] - - apiGroups: ["gateway.networking.k8s.io"] - resources: - - backendtlspolicies/status - - gatewayclasses/status - - gateways/status - - grpcroutes/status - - httproutes/status - - referencegrants/status - - tcproutes/status - - tlsroutes/status - - udproutes/status - verbs: ["update", "patch"] - - apiGroups: ["gateway.networking.k8s.io"] - resources: ["gatewayclasses"] - verbs: ["create", "update", "patch", "delete"] - - # Needed for multicluster secret reading, possibly ingress certs in the future - - apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "watch", "list"] - - # Used for MCS serviceexport management - - apiGroups: ["{{ $mcsAPIGroup }}"] - resources: ["serviceexports"] - verbs: [ "get", "watch", "list", "create", "delete"] - - # Used for MCS serviceimport management - - apiGroups: ["{{ $mcsAPIGroup }}"] - resources: ["serviceimports"] - verbs: ["get", "watch", "list"] ---- -{{- if not (eq (toString 
.Values.env.PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER) "false") }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} - labels: - app: istiod - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -rules: - - apiGroups: ["apps"] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "deployments" ] - - apiGroups: [""] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "services" ] - - apiGroups: [""] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "serviceaccounts"] -{{- end }} -{{- end }} diff --git a/resources/latest/charts/istiod-remote/templates/clusterrolebinding.yaml b/resources/latest/charts/istiod-remote/templates/clusterrolebinding.yaml deleted file mode 100644 index ced064bdc..000000000 --- a/resources/latest/charts/istiod-remote/templates/clusterrolebinding.yaml +++ /dev/null 
@@ -1,39 +0,0 @@ -{{- if .Values.global.configCluster }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} - labels: - app: istiod - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} -subjects: - - kind: ServiceAccount - name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} - namespace: {{ .Values.global.istioNamespace }} ---- -{{- if not (eq (toString .Values.env.PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER) "false") }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} - labels: - app: istiod - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} -subjects: -- kind: ServiceAccount - name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} - namespace: {{ .Values.global.istioNamespace }} -{{- end }} -{{- end }} diff --git a/resources/latest/charts/istiod-remote/templates/configmap.yaml b/resources/latest/charts/istiod-remote/templates/configmap.yaml deleted file mode 100644 index 109e2bb82..000000000 --- a/resources/latest/charts/istiod-remote/templates/configmap.yaml +++ /dev/null 
@@ -1,114 +0,0 @@ -{{- define "mesh" }} - # The trust domain corresponds to the trust root of a system. - # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain - trustDomain: "cluster.local" - - # The namespace to treat as the administrative root namespace for Istio configuration. - # When processing a leaf namespace Istio will search for declarations in that namespace first - # and if none are found it will search in the root namespace. Any matching declaration found in the root namespace - # is processed as if it were declared in the leaf namespace. - rootNamespace: {{ .Values.meshConfig.rootNamespace | default .Values.global.istioNamespace }} - - {{ $prom := include "default-prometheus" . | eq "true" }} - {{ $sdMetrics := include "default-sd-metrics" . | eq "true" }} - {{ $sdLogs := include "default-sd-logs" . | eq "true" }} - {{- if or $prom $sdMetrics $sdLogs }} - defaultProviders: - {{- if or $prom $sdMetrics }} - metrics: - {{ if $prom }}- prometheus{{ end }} - {{ if and $sdMetrics $sdLogs }}- stackdriver{{ end }} - {{- end }} - {{- if and $sdMetrics $sdLogs }} - accessLogging: - - stackdriver - {{- end }} - {{- end }} - - defaultConfig: - {{- if .Values.global.meshID }} - meshId: "{{ .Values.global.meshID }}" - {{- end }} - {{- with (.Values.global.proxy.variant | default .Values.global.variant) }} - image: - imageType: {{. | quote}} - {{- end }} - {{- if not (eq .Values.global.proxy.tracer "none") }} - tracing: - {{- if eq .Values.global.proxy.tracer "lightstep" }} - lightstep: - # Address of the LightStep Satellite pool - address: {{ .Values.global.tracer.lightstep.address }} - # Access Token used to communicate with the Satellite pool - accessToken: {{ .Values.global.tracer.lightstep.accessToken }} - {{- else if eq .Values.global.proxy.tracer "zipkin" }} - zipkin: - # Address of the Zipkin collector - address: {{ ((.Values.global.tracer).zipkin).address | default (print "zipkin." 
.Values.global.istioNamespace ":9411") }} - {{- else if eq .Values.global.proxy.tracer "datadog" }} - datadog: - # Address of the Datadog Agent - address: {{ ((.Values.global.tracer).datadog).address | default "$(HOST_IP):8126" }} - {{- else if eq .Values.global.proxy.tracer "stackdriver" }} - stackdriver: - # enables trace output to stdout. - debug: {{ (($.Values.global.tracer).stackdriver).debug | default "false" }} - # The global default max number of attributes per span. - maxNumberOfAttributes: {{ (($.Values.global.tracer).stackdriver).maxNumberOfAttributes | default "200" }} - # The global default max number of annotation events per span. - maxNumberOfAnnotations: {{ (($.Values.global.tracer).stackdriver).maxNumberOfAnnotations | default "200" }} - # The global default max number of message events per span. - maxNumberOfMessageEvents: {{ (($.Values.global.tracer).stackdriver).maxNumberOfMessageEvents | default "200" }} - {{- else if eq .Values.global.proxy.tracer "openCensusAgent" }} - {{/* Fill in openCensusAgent configuration from meshConfig so it isn't overwritten below */}} -{{ toYaml $.Values.meshConfig.defaultConfig.tracing | indent 8 }} - {{- end }} - {{- end }} - {{- if .Values.global.remotePilotAddress }} - {{- if .Values.enabled }} - discoveryAddress: {{ printf "istiod-remote.%s.svc" .Release.Namespace }}:15012 - {{- else }} - discoveryAddress: {{ printf "istiod.%s.svc" .Release.Namespace }}:15012 - {{- end }} - {{- else }} - discoveryAddress: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{.Release.Namespace}}.svc:15012 - {{- end }} -{{- end }} - -{{/* We take the mesh config above, defined with individual values.yaml, and merge with .Values.meshConfig */}} -{{/* The intent here is that meshConfig.foo becomes the API, rather than re-inventing the API in values.yaml */}} -{{- $originalMesh := include "mesh" . 
| fromYaml }} -{{- $mesh := mergeOverwrite $originalMesh .Values.meshConfig }} - -{{- if .Values.configMap }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: istio{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Release.Namespace }} - labels: - istio.io/rev: {{ .Values.revision | default "default" | quote }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "Pilot" - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -data: - - # Configuration file for the mesh networks to be used by the Split Horizon EDS. - meshNetworks: |- - {{- if .Values.global.meshNetworks }} - networks: -{{ toYaml .Values.global.meshNetworks | trim | indent 6 }} - {{- else }} - networks: {} - {{- end }} - - mesh: |- -{{- if .Values.meshConfig }} -{{ $mesh | toYaml | indent 4 }} -{{- else }} -{{- include "mesh" . }} -{{- end }} ---- -{{- end }} diff --git a/resources/latest/charts/istiod-remote/templates/default.yaml b/resources/latest/charts/istiod-remote/templates/default.yaml deleted file mode 100644 index bfc464439..000000000 --- a/resources/latest/charts/istiod-remote/templates/default.yaml +++ /dev/null 
@@ -1,58 +0,0 @@ -{{- if .Values.global.configCluster }} -{{- if not (eq .Values.defaultRevision "") }} -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - name: istiod-default-validator - labels: - app: istiod - release: {{ .Release.Name }} - istio: istiod - istio.io/rev: {{ .Values.defaultRevision | quote }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -webhooks: - - name: validation.istio.io - clientConfig: - {{- if .Values.base.validationURL }} - url: {{ .Values.base.validationURL }} - {{- else }} - service: - {{- if (eq .Values.defaultRevision "default") }} - name: istiod - {{- else }} - name: istiod-{{ .Values.defaultRevision }} - {{- end }} - namespace: {{ .Values.global.istioNamespace }} - path: "/validate" - {{- end }} - {{- if .Values.base.validationCABundle }} - caBundle: "{{ .Values.base.validationCABundle }}" - {{- end }} - rules: - - operations: - - CREATE - - UPDATE - apiGroups: - - security.istio.io - - networking.istio.io - - telemetry.istio.io - - extensions.istio.io - apiVersions: - - "*" - resources: - - "*" - - {{- if .Values.base.validationCABundle }} - # Disable webhook controller in Pilot to stop patching it - failurePolicy: Fail - {{- else }} - # Fail open until the validation webhook is ready. The webhook controller - # will update this to `Fail` and patch in the `caBundle` when the webhook - # endpoint is ready. - failurePolicy: Ignore - {{- end }} - sideEffects: None - admissionReviewVersions: ["v1"] -{{- end }} -{{- end }} diff --git a/resources/latest/charts/istiod-remote/templates/defaultrevisionvalidatingadmissionpolicy.yaml b/resources/latest/charts/istiod-remote/templates/defaultrevisionvalidatingadmissionpolicy.yaml deleted file mode 100644 index 857f04eb3..000000000 --- a/resources/latest/charts/istiod-remote/templates/defaultrevisionvalidatingadmissionpolicy.yaml +++ /dev/null 
@@ -1,55 +0,0 @@ -{{- if .Values.global.configCluster }} -{{- if and .Values.experimental.stableValidationPolicy (not (eq .Values.defaultRevision "")) }} -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingAdmissionPolicy -metadata: - name: "stable-channel-default-policy.istio.io" - labels: - release: {{ .Release.Name }} - istio: istiod - istio.io/rev: {{ .Values.defaultRevision }} - app.kubernetes.io/name: "istiod" - {{ include "istio.labels" . | nindent 4 }} -spec: - failurePolicy: Fail - matchConstraints: - resourceRules: - - apiGroups: - - security.istio.io - - networking.istio.io - - telemetry.istio.io - - extensions.istio.io - apiVersions: ["*"] - operations: ["CREATE", "UPDATE"] - resources: ["*"] - variables: - - name: isEnvoyFilter - expression: "object.kind == 'EnvoyFilter'" - - name: isWasmPlugin - expression: "object.kind == 'WasmPlugin'" - - name: isProxyConfig - expression: "object.kind == 'ProxyConfig'" - - name: isTelemetry - expression: "object.kind == 'Telemetry'" - validations: - - expression: "!variables.isEnvoyFilter" - - expression: "!variables.isWasmPlugin" - - expression: "!variables.isProxyConfig" - - expression: | - !( - variables.isTelemetry && ( - (has(object.spec.tracing) ? object.spec.tracing : {}).exists(t, has(t.useRequestIdForTraceSampling)) || - (has(object.spec.metrics) ? object.spec.metrics : {}).exists(m, has(m.reportingInterval)) || - (has(object.spec.accessLogging) ? object.spec.accessLogging : {}).exists(l, has(l.filter)) - ) - ) ---- -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingAdmissionPolicyBinding -metadata: - name: "stable-channel-default-policy-binding.istio.io" -spec: - policyName: "stable-channel-default-policy.istio.io" - validationActions: [Deny] -{{- end }} -{{- end }} 
diff --git a/resources/latest/charts/istiod-remote/templates/istiod-injector-configmap.yaml b/resources/latest/charts/istiod-remote/templates/istiod-injector-configmap.yaml deleted file mode 100644 index b87691742..000000000 --- a/resources/latest/charts/istiod-remote/templates/istiod-injector-configmap.yaml +++ /dev/null 
@@ -1,82 +0,0 @@ -{{- if not .Values.global.omitSidecarInjectorConfigMap }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Release.Namespace }} - labels: - istio.io/rev: {{ .Values.revision | default "default" | quote }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "Pilot" - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -data: -{{/* Scope the values to just top level fields used in the template, to reduce the size. */}} - values: |- -{{ $vals := pick .Values "global" "sidecarInjectorWebhook" "revision" -}} -{{ $pilotVals := pick .Values "cni" -}} -{{ $vals = set $vals "pilot" $pilotVals -}} -{{ $gatewayVals := pick .Values.gateways "securityContext" "seccompProfile" -}} -{{ $vals = set $vals "gateways" $gatewayVals -}} -{{ $vals | toPrettyJson | indent 4 }} - - # To disable injection: use omitSidecarInjectorConfigMap, which disables the webhook patching - # and istiod webhook functionality. - # - # New fields should not use Values - it is a 'primary' config object, users should be able - # to fine tune it or use it with kube-inject. - config: |- - # defaultTemplates defines the default template to use for pods that do not explicitly specify a template - {{- if .Values.sidecarInjectorWebhook.defaultTemplates }} - defaultTemplates: -{{- range .Values.sidecarInjectorWebhook.defaultTemplates}} - - {{ . 
}} -{{- end }} - {{- else }} - defaultTemplates: [sidecar] - {{- end }} - policy: {{ .Values.global.proxy.autoInject }} - alwaysInjectSelector: -{{ toYaml .Values.sidecarInjectorWebhook.alwaysInjectSelector | trim | indent 6 }} - neverInjectSelector: -{{ toYaml .Values.sidecarInjectorWebhook.neverInjectSelector | trim | indent 6 }} - injectedAnnotations: - {{- range $key, $val := .Values.sidecarInjectorWebhook.injectedAnnotations }} - "{{ $key }}": {{ $val | quote }} - {{- end }} - {{- /* If someone ends up with this new template, but an older Istiod image, they will attempt to render this template - which will fail with "Pod injection failed: template: inject:1: function "Istio_1_9_Required_Template_And_Version_Mismatched" not defined". - This should make it obvious that their installation is broken. - */}} - template: {{ `{{ Template_Version_And_Istio_Version_Mismatched_Check_Installation }}` | quote }} - templates: -{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "sidecar") }} - sidecar: | -{{ .Files.Get "files/injection-template.yaml" | trim | indent 8 }} -{{- end }} -{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "gateway") }} - gateway: | -{{ .Files.Get "files/gateway-injection-template.yaml" | trim | indent 8 }} -{{- end }} -{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "grpc-simple") }} - grpc-simple: | -{{ .Files.Get "files/grpc-simple.yaml" | trim | indent 8 }} -{{- end }} -{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "grpc-agent") }} - grpc-agent: | -{{ .Files.Get "files/grpc-agent.yaml" | trim | indent 8 }} -{{- end }} -{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "waypoint") }} - waypoint: | -{{ .Files.Get "files/waypoint.yaml" | trim | indent 8 }} -{{- end }} -{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "kube-gateway") }} - kube-gateway: | -{{ .Files.Get "files/kube-gateway.yaml" | trim | indent 8 }} -{{- end }} -{{- with .Values.sidecarInjectorWebhook.templates }} 
-{{ toYaml . | trim | indent 6 }} -{{- end }} - -{{- end }} diff --git a/resources/latest/charts/istiod-remote/templates/mutatingwebhook.yaml b/resources/latest/charts/istiod-remote/templates/mutatingwebhook.yaml deleted file mode 100644 index fae4ed87a..000000000 --- a/resources/latest/charts/istiod-remote/templates/mutatingwebhook.yaml +++ /dev/null 
@@ -1,160 +0,0 @@ -{{- /* Core defines the common configuration used by all webhook segments */}} -{{/* Copy just what we need to avoid expensive deepCopy */}} -{{- $whv := dict - "revision" .Values.revision - "injectionPath" .Values.istiodRemote.injectionPath - "injectionURL" .Values.istiodRemote.injectionURL - "reinvocationPolicy" .Values.sidecarInjectorWebhook.reinvocationPolicy - "caBundle" .Values.istiodRemote.injectionCABundle - "namespace" .Release.Namespace }} -{{- define "core" }} -{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign -a unique prefix to each. */}} -- name: {{.Prefix}}sidecar-injector.istio.io - clientConfig: - {{- if .injectionURL }} - url: "{{ .injectionURL }}" - {{- else }} - service: - name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }} - namespace: {{ .namespace }} - path: "{{ .injectionPath }}" - port: 443 - {{- end }} - {{- if .caBundle }} - caBundle: "{{ .caBundle }}" - {{- end }} - sideEffects: None - rules: - - operations: [ "CREATE" ] - apiGroups: [""] - apiVersions: ["v1"] - resources: ["pods"] - failurePolicy: Fail - reinvocationPolicy: "{{ .reinvocationPolicy }}" - admissionReviewVersions: ["v1"] -{{- end }} -{{- /* Installed for each revision - not installed for cluster resources ( cluster roles, bindings, crds) */}} -{{- if not .Values.global.operatorManageWebhooks }} -apiVersion: admissionregistration.k8s.io/v1 -kind: MutatingWebhookConfiguration -metadata: -{{- if eq .Release.Namespace "istio-system"}} - name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} -{{- else }} - name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} -{{- end }} - labels: - istio.io/rev: {{ .Values.revision | default "default" | quote }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: 
"Pilot" - app: sidecar-injector - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -webhooks: -{{- /* Set up the selectors. First section is for revision, rest is for "default" revision */}} - -{{- /* Case 1: namespace selector matches, and object doesn't disable */}} -{{- /* Note: if both revision and legacy selector, we give precedence to the legacy one */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }} - namespaceSelector: - matchExpressions: - - key: istio.io/rev - operator: In - values: - {{- if (eq .Values.revision "") }} - - "default" - {{- else }} - - "{{ .Values.revision }}" - {{- end }} - - key: istio-injection - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" - -{{- /* Case 2: No namespace selector, but object selects our revision (and doesn't disable) */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }} - namespaceSelector: - matchExpressions: - - key: istio.io/rev - operator: DoesNotExist - - key: istio-injection - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" - - key: istio.io/rev - operator: In - values: - {{- if (eq .Values.revision "") }} - - "default" - {{- else }} - - "{{ .Values.revision }}" - {{- end }} - - -{{- /* Webhooks for default revision */}} -{{- if (eq .Values.revision "") }} - -{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }} - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: In - values: - - enabled - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" - -{{- /* Case 2: no namespace label, but object selector is enabled 
(and revision label is not, which has priority) */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }} - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: In - values: - - "true" - - key: istio.io/rev - operator: DoesNotExist - -{{- if .Values.sidecarInjectorWebhook.enableNamespacesByDefault }} -{{- /* Special case 3: no labels at all */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }} - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist - - key: "kubernetes.io/metadata.name" - operator: "NotIn" - values: ["kube-system","kube-public","kube-node-lease","local-path-storage"] - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist -{{- end }} - -{{- end }} -{{- end }} diff --git a/resources/latest/charts/istiod-remote/templates/reader-clusterrole.yaml b/resources/latest/charts/istiod-remote/templates/reader-clusterrole.yaml deleted file mode 100644 index 85707cb87..000000000 --- a/resources/latest/charts/istiod-remote/templates/reader-clusterrole.yaml +++ /dev/null 
@@ -1,62 +0,0 @@
-{{ $mcsAPIGroup := or .Values.env.MCS_API_GROUP "multicluster.x-k8s.io" }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
- labels:
- app: istio-reader
- release: {{ .Release.Name }}
- app.kubernetes.io/name: "istio-reader"
- {{- include "istio.labels" . | nindent 4 }}
-rules:
- - apiGroups:
- - "config.istio.io"
- - "security.istio.io"
- - "networking.istio.io"
- - "authentication.istio.io"
- - "rbac.istio.io"
- - "telemetry.istio.io"
- - "extensions.istio.io"
- resources: ["*"]
- verbs: ["get", "list", "watch"]
- - apiGroups: [""]
- resources: ["endpoints", "pods", "services", "nodes", "replicationcontrollers", "namespaces", "secrets"]
- verbs: ["get", "list", "watch"]
- - apiGroups: ["networking.istio.io"]
- verbs: [ "get", "watch", "list" ]
- resources: [ "workloadentries" ]
- - apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"]
- resources: ["gateways"]
- verbs: ["get", "watch", "list"]
- - apiGroups: ["apiextensions.k8s.io"]
- resources: ["customresourcedefinitions"]
- verbs: ["get", "list", "watch"]
- - apiGroups: ["discovery.k8s.io"]
- resources: ["endpointslices"]
- verbs: ["get", "list", "watch"]
- - apiGroups: ["{{ $mcsAPIGroup }}"]
- resources: ["serviceexports"]
- verbs: ["get", "list", "watch", "create", "delete"]
- - apiGroups: ["{{ $mcsAPIGroup }}"]
- resources: ["serviceimports"]
- verbs: ["get", "list", "watch"]
- - apiGroups: ["apps"]
- resources: ["replicasets"]
- verbs: ["get", "list", "watch"]
- - apiGroups: ["authentication.k8s.io"]
- resources: ["tokenreviews"]
- verbs: ["create"]
- - apiGroups: ["authorization.k8s.io"]
- resources: ["subjectaccessreviews"]
- verbs: ["create"]
-{{- if .Values.global.externalIstiod }}
- - apiGroups: [""]
- resources: ["configmaps"]
- verbs: ["create", "get", "list", "watch", "update"]
- - apiGroups:
["admissionregistration.k8s.io"]
- resources: ["mutatingwebhookconfigurations"]
- verbs: ["get", "list", "watch", "update", "patch"]
- - apiGroups: ["admissionregistration.k8s.io"]
- resources: ["validatingwebhookconfigurations"]
- verbs: ["get", "list", "watch", "update"]
-{{- end}}
diff --git a/resources/latest/charts/istiod-remote/templates/reader-clusterrolebinding.yaml b/resources/latest/charts/istiod-remote/templates/reader-clusterrolebinding.yaml
deleted file mode 100644
index aea9f01f7..000000000
--- a/resources/latest/charts/istiod-remote/templates/reader-clusterrolebinding.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
- labels:
- app: istio-reader
- release: {{ .Release.Name }}
- app.kubernetes.io/name: "istio-reader"
- {{- include "istio.labels" . | nindent 4 }}
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
-subjects:
- - kind: ServiceAccount
- name: istio-reader-service-account
- namespace: {{ .Values.global.istioNamespace }}
diff --git a/resources/latest/charts/istiod-remote/templates/reader-serviceaccount.yaml b/resources/latest/charts/istiod-remote/templates/reader-serviceaccount.yaml
deleted file mode 100644
index 342eea41f..000000000
--- a/resources/latest/charts/istiod-remote/templates/reader-serviceaccount.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-# This service account aggregates reader permissions for the revisions in a given cluster
-# Should be used for remote secret creation.
-apiVersion: v1
-kind: ServiceAccount
- {{- if .Values.global.imagePullSecrets }}
-imagePullSecrets:
- {{- range .Values.global.imagePullSecrets }}
- - name: {{ . }}
- {{- end }}
- {{- end }}
-metadata:
- name: istio-reader-service-account
- namespace: {{ .Values.global.istioNamespace }}
- labels:
- app: istio-reader
- release: {{ .Release.Name }}
- app.kubernetes.io/name: "istio-reader"
- {{- include "istio.labels" . | nindent 4 }}
diff --git a/resources/latest/charts/istiod-remote/templates/role.yaml b/resources/latest/charts/istiod-remote/templates/role.yaml
deleted file mode 100644
index c9c4e47c1..000000000
--- a/resources/latest/charts/istiod-remote/templates/role.yaml
+++ /dev/null
@@ -1,34 +0,0 @@
-{{- if .Values.global.configCluster }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
- namespace: {{ .Values.global.istioNamespace }}
- labels:
- app: istiod
- release: {{ .Release.Name }}
- app.kubernetes.io/name: "istiod"
- {{- include "istio.labels" . | nindent 4 }}
-rules:
-# permissions to verify the webhook is ready and rejecting
-# invalid config. We use --server-dry-run so no config is persisted.
-- apiGroups: ["networking.istio.io"]
- verbs: ["create"]
- resources: ["gateways"]
-
-# For storing CA secret
-- apiGroups: [""]
- resources: ["secrets"]
- # TODO lock this down to istio-ca-cert if not using the DNS cert mesh config
- verbs: ["create", "get", "watch", "list", "update", "delete"]
-
-# For status controller, so it can delete the distribution report configmap
-- apiGroups: [""]
- resources: ["configmaps"]
- verbs: ["delete"]
-
-# For gateway deployment controller
-- apiGroups: ["coordination.k8s.io"]
- resources: ["leases"]
- verbs: ["get", "update", "patch", "create"]
-{{- end }}
diff --git a/resources/latest/charts/istiod-remote/templates/rolebinding.yaml b/resources/latest/charts/istiod-remote/templates/rolebinding.yaml
deleted file mode 100644
index 717eeabee..000000000
--- a/resources/latest/charts/istiod-remote/templates/rolebinding.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
-{{- if .Values.global.configCluster }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
- namespace: {{ .Values.global.istioNamespace }}
- labels:
- app: istiod
- release: {{ .Release.Name }}
- app.kubernetes.io/name: "istiod"
- {{- include "istio.labels" . | nindent 4 }}
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
-subjects:
- - kind: ServiceAccount
- name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
- namespace: {{ .Values.global.istioNamespace }}
-{{- end }}
diff --git a/resources/latest/charts/istiod-remote/templates/serviceaccount.yaml b/resources/latest/charts/istiod-remote/templates/serviceaccount.yaml
deleted file mode 100644
index c2dad3b70..000000000
--- a/resources/latest/charts/istiod-remote/templates/serviceaccount.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
-{{- if .Values.global.configCluster }}
-apiVersion: v1
-kind: ServiceAccount
- {{- if .Values.global.imagePullSecrets }}
-imagePullSecrets:
- {{- range .Values.global.imagePullSecrets }}
- - name: {{ . }}
- {{- end }}
- {{- end }}
-metadata:
- name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
- namespace: {{ .Values.global.istioNamespace }}
- labels:
- app: istiod
- release: {{ .Release.Name }}
- app.kubernetes.io/name: "istiod"
- {{- include "istio.labels" . | nindent 4 }}
- {{- if .Values.serviceAccountAnnotations }}
- annotations:
-{{- toYaml .Values.serviceAccountAnnotations | indent 4 }}
- {{- end }}
----
-{{- end }}
diff --git a/resources/latest/charts/istiod-remote/templates/validatingadmissionpolicy.yaml b/resources/latest/charts/istiod-remote/templates/validatingadmissionpolicy.yaml
deleted file mode 100644
index 71ea407ad..000000000
--- a/resources/latest/charts/istiod-remote/templates/validatingadmissionpolicy.yaml
+++ /dev/null
@@ -1,62 +0,0 @@
-{{- if .Values.global.configCluster }}
-{{- if .Values.experimental.stableValidationPolicy }}
-apiVersion: admissionregistration.k8s.io/v1
-kind: ValidatingAdmissionPolicy
-metadata:
- name: "stable-channel-policy{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io"
- labels:
- app.kubernetes.io/name: "istiod"
- {{- include "istio.labels" . | nindent 4 }}
-spec:
- failurePolicy: Fail
- matchConstraints:
- resourceRules:
- - apiGroups:
- - security.istio.io
- - networking.istio.io
- - telemetry.istio.io
- - extensions.istio.io
- apiVersions: ["*"]
- operations: ["CREATE", "UPDATE"]
- resources: ["*"]
- objectSelector:
- matchExpressions:
- - key: istio.io/rev
- operator: In
- values:
- {{- if (eq .Values.revision "") }}
- - "default"
- {{- else }}
- - "{{ .Values.revision }}"
- {{- end }}
- variables:
- - name: isEnvoyFilter
- expression: "object.kind == 'EnvoyFilter'"
- - name: isWasmPlugin
- expression: "object.kind == 'WasmPlugin'"
- - name: isProxyConfig
- expression: "object.kind == 'ProxyConfig'"
- - name: isTelemetry
- expression: "object.kind == 'Telemetry'"
- validations:
- - expression: "!variables.isEnvoyFilter"
- - expression: "!variables.isWasmPlugin"
- - expression: "!variables.isProxyConfig"
- - expression: |
- !(
- variables.isTelemetry && (
- (has(object.spec.tracing) ? object.spec.tracing : {}).exists(t, has(t.useRequestIdForTraceSampling)) ||
- (has(object.spec.metrics) ? object.spec.metrics : {}).exists(m, has(m.reportingInterval)) ||
- (has(object.spec.accessLogging) ?
object.spec.accessLogging : {}).exists(l, has(l.filter))
- )
- )
----
-apiVersion: admissionregistration.k8s.io/v1
-kind: ValidatingAdmissionPolicyBinding
-metadata:
- name: "stable-channel-policy-binding{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io"
-spec:
- policyName: "stable-channel-policy{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io"
- validationActions: [Deny]
-{{- end }}
-{{- end }}
diff --git a/resources/latest/charts/istiod-remote/templates/validatingwebhookconfiguration.yaml b/resources/latest/charts/istiod-remote/templates/validatingwebhookconfiguration.yaml
deleted file mode 100644
index c9e9eb22e..000000000
--- a/resources/latest/charts/istiod-remote/templates/validatingwebhookconfiguration.yaml
+++ /dev/null
@@ -1,67 +0,0 @@
-{{- if .Values.global.configCluster }}
-{{- if .Values.global.configValidation }}
-apiVersion: admissionregistration.k8s.io/v1
-kind: ValidatingWebhookConfiguration
-metadata:
- name: istio-validator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}
- labels:
- app: istiod
- release: {{ .Release.Name }}
- istio: istiod
- istio.io/rev: {{ .Values.revision | default "default" | quote }}
- app.kubernetes.io/name: "istiod"
- {{- include "istio.labels" . | nindent 4 }}
-webhooks:
- # Webhook handling per-revision validation. Mostly here so we can determine whether webhooks
- # are rejecting invalid configs on a per-revision basis.
- - name: rev.validation.istio.io
- clientConfig:
- # Should change from base but cannot for API compat
- {{- if .Values.base.validationURL }}
- url: {{ .Values.base.validationURL }}
- {{- else }}
- service:
- name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
- namespace: {{ .Values.global.istioNamespace }}
- path: "/validate"
- {{- end }}
- {{- if .Values.base.validationCABundle }}
- caBundle: "{{ .Values.base.validationCABundle }}"
- {{- end }}
- rules:
- - operations:
- - CREATE
- - UPDATE
- apiGroups:
- - security.istio.io
- - networking.istio.io
- - telemetry.istio.io
- - extensions.istio.io
- apiVersions:
- - "*"
- resources:
- - "*"
- {{- if .Values.base.validationCABundle }}
- # Disable webhook controller in Pilot to stop patching it
- failurePolicy: Fail
- {{- else }}
- # Fail open until the validation webhook is ready. The webhook controller
- # will update this to `Fail` and patch in the `caBundle` when the webhook
- # endpoint is ready.
- failurePolicy: Ignore
- {{- end }}
- sideEffects: None
- admissionReviewVersions: ["v1"]
- objectSelector:
- matchExpressions:
- - key: istio.io/rev
- operator: In
- values:
- {{- if (eq .Values.revision "") }}
- - "default"
- {{- else }}
- - "{{ .Values.revision }}"
- {{- end }}
----
-{{- end }}
-{{- end }}
diff --git a/resources/latest/charts/istiod-remote/templates/zzy_descope_legacy.yaml b/resources/latest/charts/istiod-remote/templates/zzy_descope_legacy.yaml
deleted file mode 100644
index ae8fced29..000000000
--- a/resources/latest/charts/istiod-remote/templates/zzy_descope_legacy.yaml
+++ /dev/null
@@ -1,3 +0,0 @@
-{{/* Copy anything under `.pilot` to `.`, to avoid the need to specify a redundant prefix.
-Due to the file naming, this always happens after zzz_profile.yaml */}}
-{{- $_ := mustMergeOverwrite $.Values (index $.Values "pilot") }}
\ No newline at end of file
diff --git a/resources/latest/charts/istiod-remote/templates/zzz_profile.yaml b/resources/latest/charts/istiod-remote/templates/zzz_profile.yaml
deleted file mode 100644
index 4eea73812..000000000
--- a/resources/latest/charts/istiod-remote/templates/zzz_profile.yaml
+++ /dev/null
@@ -1,69 +0,0 @@
-{{/*
-WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY.
-The original version of this file is located at /manifests directory.
-If you want to make a change in this file, edit the original one and run "make gen".
-
-Complex logic ahead...
-We have three sets of values, in order of precedence (last wins):
-1. The builtin values.yaml defaults
-2. The profile the user selects
-3. Users input (-f or --set)
-
-Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2).
-
-However, we can workaround this by placing all of (1) under a specific key (.Values.defaults).
-We can then merge the profile onto the defaults, then the user settings onto that.
-Finally, we can set all of that under .Values so the chart behaves without awareness.
-*/}}
-{{- $globals := $.Values.global | default dict | deepCopy }}
-{{- $defaults := $.Values.defaults }}
-{{- $_ := unset $.Values "defaults" }}
-{{- $profile := dict }}
-{{- with .Values.profile }}
-{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}}
-{{- $profile = (. | fromYaml) }}
-{{- else }}
-{{ fail (cat "unknown profile" $.Values.profile) }}
-{{- end }}
-{{- end }}
-{{- with .Values.compatibilityVersion }}
-{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }}
-{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
-{{- else }}
-{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }}
-{{- end }}
-{{- end }}
-{{- if $globals.platform }}
-{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" $globals.platform) }}
-{{- $ignore := mustMergeOverwrite $profile (.
| fromYaml) }}
-{{- else }}
-{{ fail (cat "unknown platform" $globals.platform) }}
-{{- end }}
-{{- end }}
-{{- if $profile }}
-{{- $a := mustMergeOverwrite $defaults $profile }}
-{{- end }}
-# Flatten globals, if defined on a per-chart basis
-{{- if false }}
-{{- $a := mustMergeOverwrite $defaults $globals }}
-{{- end }}
-{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }}
-
-{{/*
-Labels that should be applied to ALL resources.
-*/}}
-{{- define "istio.labels" -}}
-{{- if .Release.Service -}}
-app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
-{{- end }}
-{{- if .Release.Name }}
-app.kubernetes.io/instance: {{ .Release.Name | quote }}
-{{- end }}
-app.kubernetes.io/part-of: "istio"
-{{- if .Chart.AppVersion }}
-app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
-{{- end }}
-{{- if and .Chart.Name .Chart.Version }}
-helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
-{{- end }}
-{{- end -}}
diff --git a/resources/latest/charts/istiod-remote/values.yaml b/resources/latest/charts/istiod-remote/values.yaml
deleted file mode 100644
index 54c4ee7a8..000000000
--- a/resources/latest/charts/istiod-remote/values.yaml
+++ /dev/null
@@ -1,454 +0,0 @@
-# "defaults" is a workaround for Helm limitations. Users should NOT set ".defaults" explicitly, but rather directly set the fields internally.
-# For instance, instead of `--set defaults.foo=bar`, just set `--set foo=bar`.
-defaults:
- autoscaleEnabled: true
- autoscaleMin: 1
- autoscaleMax: 5
- autoscaleBehavior: {}
- replicaCount: 1
- rollingMaxSurge: 100%
- rollingMaxUnavailable: 25%
- hub: ""
- tag: ""
- variant: ""
- # Can be a full hub/image:tag
- image: pilot
- traceSampling: 1.0
- # Resources for a small pilot install
- resources:
- requests:
- cpu: 500m
- memory: 2048Mi
- # Set to `type: RuntimeDefault` to use the default profile if available.
- seccompProfile: {}
- # Whether to use an existing CNI installation
- cni:
- enabled: false
- provider: default
- # Additional container arguments
- extraContainerArgs: []
- env: {}
- # Settings related to the untaint controller
- # This controller will remove `cni.istio.io/not-ready` from nodes when the istio-cni pod becomes ready
- # It should be noted that cluster operator/owner is responsible for having the taint set by their infrastructure provider when new nodes are added to the cluster; the untaint controller does not taint nodes
- taint:
- # Controls whether or not the untaint controller is active
- enabled: false
- # What namespace the untaint controller should watch for istio-cni pods.
This is only required when istio-cni is running in a different namespace than istiod
- namespace: ""
- affinity: {}
- tolerations: []
- cpu:
- targetAverageUtilization: 80
- memory: {}
- # targetAverageUtilization: 80
-
- # Additional volumeMounts to the istiod container
- volumeMounts: []
- # Additional volumes to the istiod pod
- volumes: []
- # Inject initContainers into the istiod pod
- initContainers: []
- nodeSelector: {}
- podAnnotations: {}
- serviceAnnotations: {}
- serviceAccountAnnotations: {}
- topologySpreadConstraints: []
- # You can use jwksResolverExtraRootCA to provide a root certificate
- # in PEM format. This will then be trusted by pilot when resolving
- # JWKS URIs.
- jwksResolverExtraRootCA: ""
- # The following is used to limit how long a sidecar can be connected
- # to a pilot. It balances out load across pilot instances at the cost of
- # increasing system churn.
- keepaliveMaxServerConnectionAge: 30m
- # Additional labels to apply to the deployment.
- deploymentLabels: {}
- ## Mesh config settings
-
- # Install the mesh config map, generated from values.yaml.
- # If false, pilot wil use default values (by default) or user-supplied values.
- configMap: false
- # Additional labels to apply on the pod level for monitoring and logging configuration.
- podLabels: {}
- # Setup how istiod Service is configured. See https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services
- ipFamilyPolicy: ""
- ipFamilies: []
- # Ambient mode only.
- # Set this if you install ztunnel to a different namespace from `istiod`.
- # If set, `istiod` will allow connections from trusted node proxy ztunnels
- # in the provided namespace.
- # If unset, `istiod` will assume the trusted node proxy ztunnel resides
- # in the same namespace as itself.
- trustedZtunnelNamespace: ""
- sidecarInjectorWebhook:
- # You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or
- # always skip the injection on pods that match that label selector, regardless of the global policy.
- # See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions
- neverInjectSelector: []
- alwaysInjectSelector: []
- # injectedAnnotations are additional annotations that will be added to the pod spec after injection
- # This is primarily to support PSP annotations. For example, if you defined a PSP with the annotations:
- #
- # annotations:
- # apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default
- # apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default
- #
- # The PSP controller would add corresponding annotations to the pod spec for each container. However, this happens before
- # the inject adds additional containers, so we must specify them explicitly here. With the above example, we could specify:
- # injectedAnnotations:
- # container.apparmor.security.beta.kubernetes.io/istio-init: runtime/default
- # container.apparmor.security.beta.kubernetes.io/istio-proxy: runtime/default
- injectedAnnotations: {}
- # This enables injection of sidecar in all namespaces,
- # with the exception of namespaces with "istio-injection:disabled" annotation
- # Only one environment should have this enabled.
- enableNamespacesByDefault: false
- # Mutations that occur after the sidecar injector are not handled by default, as the Istio sidecar injector is only run
- # once. For example, an OPA sidecar injected after the Istio sidecar will not have it's liveness/readiness probes rewritten.
- # Setting this to `IfNeeded` will result in the sidecar injector being run again if additional mutations occur.
- reinvocationPolicy: Never
- rewriteAppHTTPProbe: true
- # Templates defines a set of custom injection templates that can be used. For example, defining:
- #
- # templates:
- # hello: |
- # metadata:
- # labels:
- # hello: world
- #
- # Then starting a pod with the `inject.istio.io/templates: hello` annotation, will result in the pod
- # being injected with the hello=world labels.
- # This is intended for advanced configuration only; most users should use the built in template
- templates: {}
- # Default templates specifies a set of default templates that are used in sidecar injection.
- # By default, a template `sidecar` is always provided, which contains the template of default sidecar.
- # To inject other additional templates, define it using the `templates` option, and add it to
- # the default templates list.
- # For example:
- #
- # templates:
- # hello: |
- # metadata:
- # labels:
- # hello: world
- #
- # defaultTemplates: ["sidecar", "hello"]
- defaultTemplates: []
- istiodRemote:
- # Sidecar injector mutating webhook configuration clientConfig.url value.
- # For example: https://$remotePilotAddress:15017/inject
- # The host should not refer to a service running in the cluster; use a service reference by specifying
- # the clientConfig.service field instead.
- injectionURL: ""
- # Sidecar injector mutating webhook configuration path value for the clientConfig.service field.
- # Override to pass env variables, for example: /inject/cluster/remote/net/network2
- injectionPath: "/inject"
- injectionCABundle: ""
- telemetry:
- enabled: false
- v2:
- # For Null VM case now.
- # This also enables metadata exchange.
- enabled: true
- # Indicate if prometheus stats filter is enabled or not
- prometheus:
- enabled: true
- # stackdriver filter settings.
- stackdriver:
- enabled: false
- # Revision is set as 'version' label and part of the resource names when installing multiple control planes.
- revision: ""
- # Revision tags are aliases to Istio control plane revisions
- revisionTags: []
- # For Helm compatibility.
- ownerName: ""
- # meshConfig defines runtime configuration of components, including Istiod and istio-agent behavior
- # See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options
- meshConfig:
- enablePrometheusMerge: true
- experimental:
- stableValidationPolicy: false
- global:
- # Used to locate istiod.
- istioNamespace: istio-system
- # List of cert-signers to allow "approve" action in the istio cluster role
- #
- # certSigners:
- # - clusterissuers.cert-manager.io/istio-ca
- certSigners: []
- # enable pod disruption budget for the control plane, which is used to
- # ensure Istio control plane components are gradually upgraded or recovered.
- defaultPodDisruptionBudget:
- enabled: true
- # The values aren't mutable due to a current PodDisruptionBudget limitation
- # minAvailable: 1
- # A minimal set of requested resources to applied to all deployments so that
- # Horizontal Pod Autoscaler will be able to function (if set).
- # Each component can overwrite these default values by adding its own resources
- # block in the relevant section below and setting the desired resources values.
- defaultResources:
- requests:
- cpu: 10m
- # memory: 128Mi
- # limits:
- # cpu: 100m
- # memory: 128Mi
- # Default hub for Istio images.
- # Releases are published to docker hub under 'istio' project.
- # Dev builds from prow are on gcr.io
- hub: gcr.io/istio-testing
- # Default tag for Istio images.
- tag: 1.24-alpha.fe2a04689d3b7abf7630dc5646bf825e0c0592fe
- # Variant of the image to use.
- # Currently supported are: [debug, distroless]
- variant: ""
- # Specify image pull policy if default behavior isn't desired.
- # Default behavior: latest images will be Always else IfNotPresent.
- imagePullPolicy: ""
- # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace
- # to use for pulling any images in pods that reference this ServiceAccount.
- # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing)
- # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects.
- # Must be set for any cluster configured with private docker registry.
- imagePullSecrets: []
- # - private-registry-key
-
- # Enabled by default in master for maximising testing.
- istiod:
- enableAnalysis: false
- # To output all istio components logs in json format by adding --log_as_json argument to each container argument
- logAsJson: false
- # Comma-separated minimum per-scope logging level of messages to output, in the form of :,:
- # The control plane has different scopes depending on component, but can configure default log level across all components
- # If empty, default scope and level will be used as configured in code
- logging:
- level: "default:info"
- omitSidecarInjectorConfigMap: true
- # Configure whether Operator manages webhook configurations. The current behavior
- # of Istiod is to manage its own webhook configurations.
- # When this option is set as true, Istio Operator, instead of webhooks, manages the
- # webhook configurations. When this option is set as false, webhooks manage their
- # own webhook configurations.
- operatorManageWebhooks: false
- # Custom DNS config for the pod to resolve names of services in other
- # clusters. Use this to add additional search domains, and other settings.
- # see
- # https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config
- # This does not apply to gateway pods as they typically need a different
- # set of DNS settings than the normal application pods (e.g., in
- # multicluster scenarios).
- # NOTE: If using templates, follow the pattern in the commented example below.
- #podDNSSearchNamespaces:
- #- global
- #- "{{ valueOrDefault .DeploymentMeta.Namespace \"default\" }}.global"
-
- # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and
- # system-node-critical, it is better to configure this in order to make sure your Istio pods
- # will not be killed because of low priority class.
- # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
- # for more detail.
- priorityClassName: ""
- proxy:
- image: proxyv2
- # This controls the 'policy' in the sidecar injector.
- autoInject: enabled
- # CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value
- # cluster domain. Default value is "cluster.local".
- clusterDomain: "cluster.local"
- # Per Component log level for proxy, applies to gateways and sidecars. If a component level is
- # not set, then the global "logLevel" will be used.
- componentLogLevel: "misc:error"
- # If set, newly injected sidecars will have core dumps enabled.
- enableCoreDump: false
- # istio ingress capture allowlist
- # examples:
- # Redirect only selected ports: --includeInboundPorts="80,8080"
- excludeInboundPorts: ""
- includeInboundPorts: "*"
- # istio egress capture allowlist
- # https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly
- # example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16"
- # would only capture egress traffic on those two IP Ranges, all other outbound traffic would
- # be allowed by the sidecar
- includeIPRanges: "*"
- excludeIPRanges: ""
- includeOutboundPorts: ""
- excludeOutboundPorts: ""
- # Log level for proxy, applies to gateways and sidecars.
- # Expected values are: trace|debug|info|warning|error|critical|off
- logLevel: warning
- # Specify the path to the outlier event log.
- # Example: /dev/stdout
- outlierLogPath: ""
- #If set to true, istio-proxy container will have privileged securityContext
- privileged: false
- # The number of successive failed probes before indicating readiness failure.
- readinessFailureThreshold: 4
- # The initial delay for readiness probes in seconds.
- readinessInitialDelaySeconds: 0
- # The period between readiness probes.
- readinessPeriodSeconds: 15
- # Enables or disables a startup probe.
- # For optimal startup times, changing this should be tied to the readiness probe values.
- #
- # If the probe is enabled, it is recommended to have delay=0s,period=15s,failureThreshold=4.
- # This ensures the pod is marked ready immediately after the startup probe passes (which has a 1s poll interval),
- # and doesn't spam the readiness endpoint too much
- #
- # If the probe is disabled, it is recommended to have delay=1s,period=2s,failureThreshold=30.
- # This ensures the startup is reasonable fast (polling every 2s). 1s delay is used since the startup is not often ready instantly.
- startupProbe:
- enabled: true
- failureThreshold: 600 # 10 minutes
- # Resources for the sidecar.
- resources:
- requests:
- cpu: 100m
- memory: 128Mi
- limits:
- cpu: 2000m
- memory: 1024Mi
- # Default port for Pilot agent health checks. A value of 0 will disable health checking.
- statusPort: 15020
- # Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver, none.
- # If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file.
- tracer: "none"
- proxy_init:
- # Base name for the proxy_init container, used to configure iptables.
- image: proxyv2
- # Bypasses iptables idempotency handling, and attempts to apply iptables rules regardless of table state, which may cause unrecoverable failures.
- # Do not use unless you need to work around an issue of the idempotency handling. This flag will be removed in future releases.
- forceApplyIptables: false
- # configure remote pilot and istiod service and endpoint
- remotePilotAddress: ""
- ##############################################################################################
- # The following values are found in other charts. To effectively modify these values, make #
- # make sure they are consistent across your Istio helm charts #
- ##############################################################################################
-
- # The customized CA address to retrieve certificates for the pods in the cluster.
- # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint.
- # If not set explicitly, default to the Istio discovery address.
- caAddress: ""
- # Configure a remote cluster data plane controlled by an external istiod.
- # When set to true, istiod is not deployed locally and only a subset of the other
- # discovery charts are enabled.
- externalIstiod: true
- # Configure a remote cluster as the config cluster for an external istiod.
- configCluster: false
- # configValidation enables the validation webhook for Istio configuration.
- configValidation: true
- # Mesh ID means Mesh Identifier. It should be unique within the scope where
- # meshes will interact with each other, but it is not required to be
- # globally/universally unique. For example, if any of the following are true,
- # then two meshes must have different Mesh IDs:
- # - Meshes will have their telemetry aggregated in one place
- # - Meshes will be federated together
- # - Policy will be written referencing one mesh from the other
- #
- # If an administrator expects that any of these conditions may become true in
- # the future, they should ensure their meshes have different Mesh IDs
- # assigned.
- #
- # Within a multicluster mesh, each cluster must be (manually or auto)
- # configured to have the same Mesh ID value.
If an existing cluster 'joins' a
- # multicluster mesh, it will need to be migrated to the new mesh ID. Details
- # of migration TBD, and it may be a disruptive operation to change the Mesh
- # ID post-install.
- #
- # If the mesh admin does not specify a value, Istio will use the value of the
- # mesh's Trust Domain. The best practice is to select a proper Trust Domain
- # value.
- meshID: ""
- # Configure the mesh networks to be used by the Split Horizon EDS.
- #
- # The following example defines two networks with different endpoints association methods.
- # For `network1` all endpoints that their IP belongs to the provided CIDR range will be
- # mapped to network1. The gateway for this network example is specified by its public IP
- # address and port.
- # The second network, `network2`, in this example is defined differently with all endpoints
- # retrieved through the specified Multi-Cluster registry being mapped to network2. The
- # gateway is also defined differently with the name of the gateway service on the remote
- # cluster. The public IP for the gateway will be determined from that remote service (only
- # LoadBalancer gateway service type is currently supported, for a NodePort type gateway service,
- # it still need to be configured manually).
- #
- # meshNetworks:
- # network1:
- # endpoints:
- # - fromCidr: "192.168.0.1/24"
- # gateways:
- # - address: 1.1.1.1
- # port: 80
- # network2:
- # endpoints:
- # - fromRegistry: reg1
- # gateways:
- # - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local
- # port: 443
- #
- meshNetworks: {}
- # Use the user-specified, secret volume mounted key and certs for Pilot and workloads.
- mountMtlsCerts: false
- multiCluster:
- # Set to true to connect two kubernetes clusters via their respective
- # ingressgateway services when pods in each cluster cannot directly
- # talk to one another. All clusters should be using Istio mTLS and must
- # have a shared root CA for this model to work.
- enabled: false
- # Should be set to the name of the cluster this installation will run in. This is required for sidecar injection
- # to properly label proxies
- clusterName: ""
- # Network defines the network this cluster belong to. This name
- # corresponds to the networks in the map of mesh networks.
- network: ""
- # Configure the certificate provider for control plane communication.
- # Currently, two providers are supported: "kubernetes" and "istiod".
- # As some platforms may not have kubernetes signing APIs,
- # Istiod is the default
- pilotCertProvider: istiod
- sds:
- # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3.
- # When a CSR is sent from Istio Agent to the CA (e.g. Istiod), this aud is to make sure the
- # JWT is intended for the CA.
- token:
- aud: istio-ca
- sts:
- # The service port used by Security Token Service (STS) server to handle token exchange requests.
- # Setting this port to a non-zero value enables STS server.
- servicePort: 0
- # The name of the CA for workload certificates.
- # For example, when caName=GkeWorkloadCertificate, GKE workload certificates
- # will be used as the certificates for workloads.
- # The default value is "" and when caName="", the CA will be configured by other
- # mechanisms (e.g., environmental variable CA_PROVIDER).
- caName: ""
- waypoint:
- # Resources for the waypoint proxy.
- resources:
- requests:
- cpu: 100m
- memory: 128Mi
- limits:
- cpu: "2"
- memory: 1Gi
- # If specified, affinity defines the scheduling constraints of waypoint pods.
- affinity: {}
- # Topology Spread Constraints for the waypoint proxy.
- topologySpreadConstraints: []
- # Node labels for the waypoint proxy.
- nodeSelector: {}
- # Tolerations for the waypoint proxy.
- tolerations: []
- base:
- # For istioctl usage to disable istio config crds in base
- enableIstioConfigCRDs: true
- # Gateway Settings
- gateways:
- # Define the security context for the pod.
- # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443. - # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl. - securityContext: {} - # Set to `type: RuntimeDefault` to use the default profile for templated gateways, if your container runtime supports it - seccompProfile: {} diff --git a/resources/latest/charts/istiod/Chart.yaml b/resources/latest/charts/istiod/Chart.yaml index e4e4b0de8..c064a3baa 100644 --- a/resources/latest/charts/istiod/Chart.yaml +++ b/resources/latest/charts/istiod/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 1.24-alpha.fe2a04689d3b7abf7630dc5646bf825e0c0592fe +appVersion: 1.24-alpha.6f95f8c912c44489b4f78568207337bd907f46c1 description: Helm chart for istio control plane icon: https://istio.io/latest/favicons/android-192x192.png keywords: @@ -9,4 +9,4 @@ keywords: name: istiod sources: - https://github.com/istio/istio -version: 1.24-alpha.fe2a04689d3b7abf7630dc5646bf825e0c0592fe +version: 1.24-alpha.6f95f8c912c44489b4f78568207337bd907f46c1 diff --git a/resources/latest/charts/istiod/files/kube-gateway.yaml b/resources/latest/charts/istiod/files/kube-gateway.yaml index a2b1c904a..dbe158de1 100644 --- a/resources/latest/charts/istiod/files/kube-gateway.yaml +++ b/resources/latest/charts/istiod/files/kube-gateway.yaml @@ -103,6 +103,9 @@ spec: runAsGroup: {{ .ProxyGID | default "1337" }} runAsNonRoot: true ports: + - containerPort: 15020 + name: metrics + protocol: TCP - containerPort: 15021 name: status-port protocol: TCP @@ -325,6 +328,7 @@ metadata: name: {{.Name}} uid: {{.UID}} spec: + ipFamilyPolicy: PreferDualStack ports: {{- range $key, $val := .Ports }} - name: {{ $val.Name | quote }} diff --git a/resources/latest/charts/istiod/files/profile-remote.yaml b/resources/latest/charts/istiod/files/profile-remote.yaml new file mode 100644 index 000000000..d17b9a801 --- /dev/null +++ b/resources/latest/charts/istiod/files/profile-remote.yaml 
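Review bot: `ipFamilyPolicy: PreferDualStack` is hard-coded into the generated gateway Service with no way to override it, so on a dual-stack cluster every Gateway API gateway now also receives an IPv6 address, and NetworkPolicies or perimeter firewall rules written only against IPv4 CIDRs will no longer cover that listener. Single-stack clusters are presumably unaffected because Prefer falls back, but the change is silent for operators. The template data visible here carries only `.Name`, `.UID`, `.Ports` and `.ProxyGID`, so if chart values are not reachable from this file, at least put `# PreferDualStack: IPv6 is allocated automatically on dual-stack clusters; review IPv4-only NetworkPolicies` above the line. The new `containerPort: 15020` in the first hunk is a declaration only and does not open anything by itself.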
@@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile. +istiodRemote: + enabled: true +configMap: false +telemetry: + enabled: false +global: + # TODO BML maybe a different profile for a configcluster/revisit this + omitSidecarInjectorConfigMap: true diff --git a/resources/latest/charts/istiod/files/waypoint.yaml b/resources/latest/charts/istiod/files/waypoint.yaml index ed3d59397..f12a128f4 100644 --- a/resources/latest/charts/istiod/files/waypoint.yaml +++ b/resources/latest/charts/istiod/files/waypoint.yaml @@ -89,6 +89,9 @@ spec: containers: - name: istio-proxy ports: + - containerPort: 15020 + name: metrics + protocol: TCP - containerPort: 15021 name: status-port protocol: TCP @@ -234,8 +237,8 @@ spec: {{- toYaml .Values.gateways.seccompProfile | nindent 12 }} {{- end }} volumeMounts: - - name: workload-socket - mountPath: /var/run/secrets/workload-spiffe-uds + - mountPath: /var/run/secrets/workload-spiffe-uds + name: workload-socket - mountPath: /var/run/secrets/istio name: istiod-ca-cert - mountPath: /var/lib/istio/data diff --git a/resources/latest/charts/istiod/templates/autoscale.yaml b/resources/latest/charts/istiod/templates/autoscale.yaml index 5283a5090..363a834f2 100644 --- a/resources/latest/charts/istiod/templates/autoscale.yaml +++ b/resources/latest/charts/istiod/templates/autoscale.yaml @@ -1,3 +1,5 @@ +# Not created if istiod is running remotely +{{- if not .Values.istiodRemote.enabled }} {{- if and .Values.autoscaleEnabled .Values.autoscaleMin .Values.autoscaleMax }} apiVersion: autoscaling/v2 kind: HorizontalPodAutoscaler @@ -39,3 +41,4 @@ spec: {{- end }} --- {{- end }} +{{- end }} 
diff --git a/resources/latest/charts/istiod/templates/clusterrole.yaml b/resources/latest/charts/istiod/templates/clusterrole.yaml index fb5dd398a..0c340b5b3 100644 --- a/resources/latest/charts/istiod/templates/clusterrole.yaml +++ b/resources/latest/charts/istiod/templates/clusterrole.yaml @@ -1,3 +1,5 @@ +# Created if this is not a remote istiod, OR if it is and is also a config cluster +{{- if or (and .Values.istiodRemote.enabled .Values.global.configCluster) (not .Values.istiodRemote.enabled) }} {{ $mcsAPIGroup := or .Values.env.MCS_API_GROUP "multicluster.x-k8s.io" }} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole @@ -182,3 +184,4 @@ rules: verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] resources: [ "serviceaccounts"] {{- end }} +{{- end }} diff --git a/resources/latest/charts/istiod/templates/clusterrolebinding.yaml b/resources/latest/charts/istiod/templates/clusterrolebinding.yaml index 8a1a70f86..10781b407 100644 --- a/resources/latest/charts/istiod/templates/clusterrolebinding.yaml +++ b/resources/latest/charts/istiod/templates/clusterrolebinding.yaml @@ -1,3 +1,5 @@ +# Created if this is not a remote istiod, OR if it is and is also a config cluster +{{- if or (and .Values.istiodRemote.enabled .Values.global.configCluster) (not .Values.istiodRemote.enabled) }} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: @@ -35,3 +37,4 @@ subjects: name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} namespace: {{ .Values.global.istioNamespace }} {{- end }} +{{- end }} diff --git a/resources/latest/charts/istiod/templates/configmap-jwks.yaml b/resources/latest/charts/istiod/templates/configmap-jwks.yaml index df60db12a..6d4ce6c73 100644 --- a/resources/latest/charts/istiod/templates/configmap-jwks.yaml +++ b/resources/latest/charts/istiod/templates/configmap-jwks.yaml 
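Review bot: The gating expression `{{- if or (and .Values.istiodRemote.enabled .Values.global.configCluster) (not .Values.istiodRemote.enabled) }}` is pasted verbatim into clusterrole, clusterrolebinding, role, rolebinding, serviceaccount, validatingadmissionpolicy and validatingwebhookconfiguration; because it decides whether istiod's cluster-wide RBAC exists at all, a future edit that updates one copy but not another would silently grant or withhold those permissions. It also reduces to `or (not .Values.istiodRemote.enabled) .Values.global.configCluster`, which reads more directly. A named helper keeps the seven sites in lock-step, e.g. `{{- define "istiod.localOrConfigCluster" }}{{- if or (not .Values.istiodRemote.enabled) .Values.global.configCluster }}true{{- end }}{{- end }}` used as `{{- if include "istiod.localOrConfigCluster" . }}`. The `{{- end }}` just before the newly added one closes an `if` whose opening is outside the hunk.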
@@ -1,3 +1,5 @@ +# Not created if istiod is running remotely +{{- if not .Values.istiodRemote.enabled }} {{- if .Values.jwksResolverExtraRootCA }} apiVersion: v1 kind: ConfigMap @@ -14,3 +16,4 @@ metadata: data: extra.pem: {{ .Values.jwksResolverExtraRootCA | quote }} {{- end }} +{{- end }} diff --git a/resources/latest/charts/istiod/templates/deployment.yaml b/resources/latest/charts/istiod/templates/deployment.yaml index 987db2a71..2e07d1233 100644 --- a/resources/latest/charts/istiod/templates/deployment.yaml +++ b/resources/latest/charts/istiod/templates/deployment.yaml @@ -1,3 +1,5 @@ +# Not created if istiod is running remotely +{{- if not .Values.istiodRemote.enabled }} apiVersion: apps/v1 kind: Deployment metadata: @@ -287,3 +289,4 @@ spec: {{- end }} --- +{{- end }} diff --git a/resources/latest/charts/istiod/templates/mutatingwebhook.yaml b/resources/latest/charts/istiod/templates/mutatingwebhook.yaml index fae4ed87a..c1428bf60 100644 --- a/resources/latest/charts/istiod/templates/mutatingwebhook.yaml +++ b/resources/latest/charts/istiod/templates/mutatingwebhook.yaml @@ -1,3 +1,4 @@ +# TODO BML istiodRemote.injectionURL is invalid to set if `istiodRemote.enabled` is false, we should express that. {{- /* Core defines the common configuration used by all webhook segments */}} {{/* Copy just what we need to avoid expensive deepCopy */}} {{- $whv := dict @@ -52,6 +53,10 @@ metadata: release: {{ .Release.Name }} app.kubernetes.io/name: "istiod" {{- include "istio.labels" . | nindent 4 }} +{{- if $.Values.sidecarInjectorWebhookAnnotations }} + annotations: +{{ toYaml $.Values.sidecarInjectorWebhookAnnotations | indent 4 }} +{{- end }} webhooks: {{- /* Set up the selectors. First section is for revision, rest is for "default" revision */}} diff --git a/resources/latest/charts/istiod/templates/poddisruptionbudget.yaml b/resources/latest/charts/istiod/templates/poddisruptionbudget.yaml index ed8931727..8ba27dc0b 100644 
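Review bot: The added comment `# TODO BML istiodRemote.injectionURL is invalid to set if istiodRemote.enabled is false, we should express that.` records an invalid combination without enforcing it, and this is the MutatingWebhookConfiguration whose `clientConfig.url` (per the values.yaml description of `injectionURL`) decides where every pod's injection request is sent, so a stray `injectionURL` on a local install silently hands sidecar injection to an external endpoint. Rather than a TODO, fail at render time: `{{- if and .Values.istiodRemote.injectionURL (not .Values.istiodRemote.enabled) }}{{ fail "istiodRemote.injectionURL is only valid when istiodRemote.enabled=true" }}{{- end }}`. The same TODO is duplicated in revision-tags.yaml, so a single guard in zzz_profile.yaml would cover both templates. The `$whv` dict and the webhook entries that consume it lie outside this hunk.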
--- a/resources/latest/charts/istiod/templates/poddisruptionbudget.yaml +++ b/resources/latest/charts/istiod/templates/poddisruptionbudget.yaml @@ -1,3 +1,5 @@ +# Not created if istiod is running remotely +{{- if not .Values.istiodRemote.enabled }} {{- if .Values.global.defaultPodDisruptionBudget.enabled }} apiVersion: policy/v1 kind: PodDisruptionBudget @@ -25,3 +27,4 @@ spec: {{- end }} --- {{- end }} +{{- end }} diff --git a/resources/latest/charts/istiod-remote/templates/endpoints.yaml b/resources/latest/charts/istiod/templates/remote-istiod-endpoints.yaml similarity index 82% rename from resources/latest/charts/istiod-remote/templates/endpoints.yaml rename to resources/latest/charts/istiod/templates/remote-istiod-endpoints.yaml index 1190dfa9b..da0fe7bfe 100644 --- a/resources/latest/charts/istiod-remote/templates/endpoints.yaml +++ b/resources/latest/charts/istiod/templates/remote-istiod-endpoints.yaml @@ -1,12 +1,14 @@ -{{- if regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress }} +# This file is only used for remote `istiod` installs. +{{- if .Values.istiodRemote.enabled }} # if the remotePilotAddress is an IP addr +{{- if regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress }} apiVersion: v1 kind: Endpoints metadata: - {{- if .Values.enabled }} - name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }}-remote - {{- else }} + {{- if .Values.global.externalIstiod }} name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }} + {{- else }} + name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }}-remote {{- end }} namespace: {{ .Release.Namespace }} labels: @@ -24,3 +26,4 @@ subsets: protocol: TCP --- {{- end }} +{{- end }} 
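Review bot: The IP test `regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress` only recognises dotted IPv4, and even then accepts degenerate strings such as `...` or `10.0.0.` because every octet may be empty; those are emitted as the Endpoints `ip:` and rejected by the API server only at apply time, while an IPv6 literal silently falls through to the hostname path. The regex predates this commit and was only moved, but this file is now the one place that handles remote installs, so tighten it to `^([0-9]{1,3}\\.){3}[0-9]{1,3}$` and state the limitation: `# if the remotePilotAddress is an IPv4 addr (IPv6 literals are not supported here; use a resolvable hostname)`. The `subsets:` block that carries the address is outside the hunk.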
diff --git a/resources/latest/charts/istiod-remote/templates/services.yaml b/resources/latest/charts/istiod/templates/remote-istiod-service.yaml similarity index 71% rename from resources/latest/charts/istiod-remote/templates/services.yaml rename to resources/latest/charts/istiod/templates/remote-istiod-service.yaml index fe9b701aa..d33196301 100644 --- a/resources/latest/charts/istiod-remote/templates/services.yaml +++ b/resources/latest/charts/istiod/templates/remote-istiod-service.yaml @@ -1,13 +1,12 @@ -{{- if .Values.global.remotePilotAddress }} +# This file is only used for remote `istiod` installs. +{{- if .Values.istiodRemote.enabled }} apiVersion: v1 kind: Service metadata: - {{- if .Values.enabled }} - # when local istiod is enabled, we can't use istiod service name to reach the remote control plane - name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }}-remote - {{- else }} - # when local istiod isn't enabled, we can use istiod service name to reach the remote control plane + {{- if .Values.global.externalIstiod }} name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }} + {{- else }} + name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }}-remote {{- end }} namespace: {{ .Release.Namespace }} labels: @@ -22,7 +21,7 @@ spec: targetPort: 15017 name: tcp-webhook protocol: TCP - {{- if not (regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress) }} + {{- if and .Values.global.remotePilotAddress (not (regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress)) }} # if the remotePilotAddress is not an IP addr, we use ExternalName type: ExternalName externalName: {{ .Values.global.remotePilotAddress }} diff --git a/resources/latest/charts/istiod/templates/revision-tags.yaml b/resources/latest/charts/istiod/templates/revision-tags.yaml index 9c1d2784a..31c221d30 100644 --- a/resources/latest/charts/istiod/templates/revision-tags.yaml 
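Review bot: The new guard `{{- if .Values.istiodRemote.enabled }}` drops the old requirement that `global.remotePilotAddress` be set, and the ExternalName branch was correspondingly loosened to `and .Values.global.remotePilotAddress (not (regexMatch ...))`, so `istiodRemote.enabled=true` with an empty address now renders a selector-less ClusterIP Service named `istiod` with no Endpoints behind it; injection and validation calls then fail at runtime instead of at install time. Unless an empty address is a supported configuration I cannot see from here, surface it at render time with `{{- $addr := required "global.remotePilotAddress must be set when istiodRemote.enabled=true" .Values.global.remotePilotAddress }}` and use `$addr` in the `externalName:` line. The start of `spec.ports` is outside the hunk.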
+++ b/resources/latest/charts/istiod/templates/revision-tags.yaml @@ -1,6 +1,7 @@ # Adapted from istio-discovery/templates/mutatingwebhook.yaml # Removed paths for legacy and default selectors since a revision tag # is inherently created from a specific revision +# TODO BML istiodRemote.injectionURL is invalid to set if `istiodRemote.enabled` is false, we should express that. {{- $whv := dict "revision" .Values.revision "injectionPath" .Values.istiodRemote.injectionPath @@ -30,6 +31,8 @@ a unique prefix to each. */}} failurePolicy: Fail admissionReviewVersions: ["v1"] {{- end }} +# Not created if istiod is running remotely +{{- if not .Values.istiodRemote.enabled }} {{- range $tagName := $.Values.revisionTags }} apiVersion: admissionregistration.k8s.io/v1 kind: MutatingWebhookConfiguration @@ -48,6 +51,10 @@ metadata: release: {{ $.Release.Name }} app.kubernetes.io/name: "istiod" {{- include "istio.labels" $ | nindent 4 }} +{{- if $.Values.sidecarInjectorWebhookAnnotations }} + annotations: +{{ toYaml $.Values.sidecarInjectorWebhookAnnotations | indent 4 }} +{{- end }} webhooks: {{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }} namespaceSelector: @@ -141,3 +148,4 @@ webhooks: {{- end }} --- {{- end }} +{{- end }} diff --git a/resources/latest/charts/istiod/templates/role.yaml b/resources/latest/charts/istiod/templates/role.yaml index 68e44d4de..10d89e8d1 100644 --- a/resources/latest/charts/istiod/templates/role.yaml +++ b/resources/latest/charts/istiod/templates/role.yaml @@ -1,3 +1,5 @@ +# Created if this is not a remote istiod, OR if it is and is also a config cluster +{{- if or (and .Values.istiodRemote.enabled .Values.global.configCluster) (not .Values.istiodRemote.enabled) }} apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: @@ -30,3 +32,4 @@ rules: - apiGroups: ["coordination.k8s.io"] resources: ["leases"] verbs: ["get", "update", "patch", "create"] +{{- end }} 
diff --git a/resources/latest/charts/istiod/templates/rolebinding.yaml b/resources/latest/charts/istiod/templates/rolebinding.yaml index cdb3f5dab..a42f4ec44 100644 --- a/resources/latest/charts/istiod/templates/rolebinding.yaml +++ b/resources/latest/charts/istiod/templates/rolebinding.yaml @@ -1,3 +1,5 @@ +# Created if this is not a remote istiod, OR if it is and is also a config cluster +{{- if or (and .Values.istiodRemote.enabled .Values.global.configCluster) (not .Values.istiodRemote.enabled) }} apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: @@ -16,3 +18,4 @@ subjects: - kind: ServiceAccount name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} namespace: {{ .Values.global.istioNamespace }} +{{- end }} diff --git a/resources/latest/charts/istiod/templates/service.yaml b/resources/latest/charts/istiod/templates/service.yaml index d474462c6..8829f0f43 100644 --- a/resources/latest/charts/istiod/templates/service.yaml +++ b/resources/latest/charts/istiod/templates/service.yaml @@ -1,3 +1,5 @@ +# Not created if istiod is running remotely +{{- if not .Values.istiodRemote.enabled }} apiVersion: v1 kind: Service metadata: @@ -50,3 +52,4 @@ spec: {{- end }} {{- end }} --- +{{- end }} diff --git a/resources/latest/charts/istiod/templates/serviceaccount.yaml b/resources/latest/charts/istiod/templates/serviceaccount.yaml index 280695d5a..22b841e87 100644 --- a/resources/latest/charts/istiod/templates/serviceaccount.yaml +++ b/resources/latest/charts/istiod/templates/serviceaccount.yaml @@ -1,3 +1,5 @@ +# Created if this is not a remote istiod, OR if it is and is also a config cluster +{{- if or (and .Values.istiodRemote.enabled .Values.global.configCluster) (not .Values.istiodRemote.enabled) }} apiVersion: v1 kind: ServiceAccount {{- if .Values.global.imagePullSecrets }} @@ -18,4 +20,5 @@ metadata: annotations: {{- toYaml .Values.serviceAccountAnnotations | indent 4 }} {{- end }} +{{- end }} --- 
diff --git a/resources/latest/charts/istiod/templates/validatingadmissionpolicy.yaml b/resources/latest/charts/istiod/templates/validatingadmissionpolicy.yaml index acf732916..d36eef68e 100644 --- a/resources/latest/charts/istiod/templates/validatingadmissionpolicy.yaml +++ b/resources/latest/charts/istiod/templates/validatingadmissionpolicy.yaml @@ -1,3 +1,5 @@ +# Created if this is not a remote istiod, OR if it is and is also a config cluster +{{- if or (and .Values.istiodRemote.enabled .Values.global.configCluster) (not .Values.istiodRemote.enabled) }} {{- if .Values.experimental.stableValidationPolicy }} apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingAdmissionPolicy @@ -58,3 +60,4 @@ spec: policyName: "stable-channel-policy{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io" validationActions: [Deny] {{- end }} +{{- end }} diff --git a/resources/latest/charts/istiod/templates/validatingwebhookconfiguration.yaml b/resources/latest/charts/istiod/templates/validatingwebhookconfiguration.yaml index 116ce4ce7..fb28836a0 100644 --- a/resources/latest/charts/istiod/templates/validatingwebhookconfiguration.yaml +++ b/resources/latest/charts/istiod/templates/validatingwebhookconfiguration.yaml @@ -1,3 +1,5 @@ +# Created if this is not a remote istiod, OR if it is and is also a config cluster +{{- if or (and .Values.istiodRemote.enabled .Values.global.configCluster) (not .Values.istiodRemote.enabled) }} {{- if .Values.global.configValidation }} apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingWebhookConfiguration @@ -63,3 +65,4 @@ webhooks: {{- end }} --- {{- end }} +{{- end }} diff --git a/resources/latest/charts/istiod/templates/zzz_profile.yaml b/resources/latest/charts/istiod/templates/zzz_profile.yaml index 4eea73812..35623047c 100644 --- a/resources/latest/charts/istiod/templates/zzz_profile.yaml +++ b/resources/latest/charts/istiod/templates/zzz_profile.yaml 
@@ -15,9 +15,14 @@ However, we can workaround this by placing all of (1) under a specific key (.Val
 We can then merge the profile onto the defaults, then the user settings onto that.
 Finally, we can set all of that under .Values so the chart behaves without awareness.
 */}}
-{{- $globals := $.Values.global | default dict | deepCopy }}
-{{- $defaults := $.Values.defaults }}
-{{- $_ := unset $.Values "defaults" }}
+{{- if $.Values.defaults}}
+{{ fail (cat
+ "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n"
+ ($.Values.defaults | toYaml |nindent 4)
+) }}
+{{- end }}
+{{- $defaults := $.Values._internal_defaults_do_not_set }}
+{{- $_ := unset $.Values "_internal_defaults_do_not_set" }}
 {{- $profile := dict }}
 {{- with .Values.profile }}
 {{- with $.Files.Get (printf "files/profile-%s.yaml" .)}}
@@ -33,11 +38,11 @@ Finally, we can set all of that under .Values so the chart behaves without aware
 {{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }}
 {{- end }}
 {{- end }}
-{{- if $globals.platform }}
-{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" $globals.platform) }}
+{{- if ($.Values.global).platform }}
+{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" ($.Values.global).platform) }}
 {{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
 {{- else }}
-{{ fail (cat "unknown platform" $globals.platform) }}
+{{ fail (cat "unknown platform" ($.Values.global).platform) }}
 {{- end }}
 {{- end }}
 {{- if $profile }}
@@ -45,7 +50,7 @@ Finally, we can set all of that under .Values so the chart behaves without aware
 {{- end }}
 # Flatten globals, if defined on a per-chart basis
 {{- if false }}
-{{- $a := mustMergeOverwrite $defaults $globals }}
+{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict) }}
 {{- end }}
 {{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }}
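Review bot: The rewritten line `{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict) }}` sits inside `{{- if false }}` and therefore never executes, while the identical line in ztunnel/templates/zzz_profile.yaml sits inside `{{- if true }}`; the two charts now diverge on whether per-chart globals are flattened into the defaults, and nothing says which behaviour is intended. Either delete the dead line or replace the bare `false` with a reason, e.g. `{{- /* intentionally disabled for istiod; the ztunnel chart enables the same merge */ -}}`. Note that `$profile.global` is nil whenever no profile is selected; presumably mustMergeOverwrite treats a nil source as a no-op, but that is worth confirming before this branch is ever switched on. The `{{- with .Values.profile }}` block that loads profile files continues outside the first hunk.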
diff --git a/resources/latest/charts/istiod/values.yaml b/resources/latest/charts/istiod/values.yaml index 93ebefbd8..c727eb887 100644 --- a/resources/latest/charts/istiod/values.yaml +++ b/resources/latest/charts/istiod/values.yaml @@ -1,6 +1,6 @@ -# "defaults" is a workaround for Helm limitations. Users should NOT set ".defaults" explicitly, but rather directly set the fields internally. -# For instance, instead of `--set defaults.foo=bar`, just set `--set foo=bar`. -defaults: +# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. +# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. +_internal_defaults_do_not_set: autoscaleEnabled: true autoscaleMin: 1 autoscaleMax: 5 @@ -67,6 +67,7 @@ defaults: podAnnotations: {} serviceAnnotations: {} serviceAccountAnnotations: {} + sidecarInjectorWebhookAnnotations: {} topologySpreadConstraints: [] @@ -165,6 +166,10 @@ defaults: # defaultTemplates: ["sidecar", "hello"] defaultTemplates: [] istiodRemote: + # If `true`, indicates that this cluster/install should consume a "remote istiod" installation, + # and istiod itself will NOT be installed in this cluster - only the support resources necessary + # to utilize a remote instance. + enabled: false # Sidecar injector mutating webhook configuration clientConfig.url value. # For example: https://$remotePilotAddress:15017/inject # The host should not refer to a service running in the cluster; use a service reference by specifying @@ -237,7 +242,7 @@ defaults: # Dev builds from prow are on gcr.io hub: gcr.io/istio-testing # Default tag for Istio images. - tag: 1.24-alpha.fe2a04689d3b7abf7630dc5646bf825e0c0592fe + tag: 1.24-alpha.6f95f8c912c44489b4f78568207337bd907f46c1 # Variant of the image to use. # Currently supported are: [debug, distroless] variant: "" 
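Review bot: The new doc for `istiodRemote.enabled` explains that istiod itself is not installed but not which other values it must be paired with, although the templates in this commit gate RBAC and webhooks on `global.configCluster` together with this flag and the remote Service/Endpoints on `global.remotePilotAddress`. Add to the comment: `# Typically set together with global.remotePilotAddress (the external istiod) and, on the config cluster only, global.configCluster=true.` The `injectionURL` example a few lines below (`https://$remotePilotAddress:15017/inject`) already assumes that pairing, so the comment would only make it explicit.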
diff --git a/resources/latest/charts/ztunnel/Chart.yaml b/resources/latest/charts/ztunnel/Chart.yaml index c2d07c68c..c6f4a8861 100644 --- a/resources/latest/charts/ztunnel/Chart.yaml +++ b/resources/latest/charts/ztunnel/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 1.24-alpha.fe2a04689d3b7abf7630dc5646bf825e0c0592fe +appVersion: 1.24-alpha.6f95f8c912c44489b4f78568207337bd907f46c1 description: Helm chart for istio ztunnel components icon: https://istio.io/latest/favicons/android-192x192.png keywords: @@ -8,4 +8,4 @@ keywords: name: ztunnel sources: - https://github.com/istio/istio -version: 1.24-alpha.fe2a04689d3b7abf7630dc5646bf825e0c0592fe +version: 1.24-alpha.6f95f8c912c44489b4f78568207337bd907f46c1 diff --git a/resources/latest/charts/ztunnel/files/profile-remote.yaml b/resources/latest/charts/ztunnel/files/profile-remote.yaml new file mode 100644 index 000000000..d17b9a801 --- /dev/null +++ b/resources/latest/charts/ztunnel/files/profile-remote.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile. +istiodRemote: + enabled: true +configMap: false +telemetry: + enabled: false +global: + # TODO BML maybe a different profile for a configcluster/revisit this + omitSidecarInjectorConfigMap: true diff --git a/resources/latest/charts/ztunnel/templates/zzz_profile.yaml b/resources/latest/charts/ztunnel/templates/zzz_profile.yaml index 680b3d5c3..72d3adc53 100644 --- a/resources/latest/charts/ztunnel/templates/zzz_profile.yaml +++ b/resources/latest/charts/ztunnel/templates/zzz_profile.yaml 
@@ -15,9 +15,14 @@ However, we can workaround this by placing all of (1) under a specific key (.Val
 We can then merge the profile onto the defaults, then the user settings onto that.
 Finally, we can set all of that under .Values so the chart behaves without awareness.
 */}}
-{{- $globals := $.Values.global | default dict | deepCopy }}
-{{- $defaults := $.Values.defaults }}
-{{- $_ := unset $.Values "defaults" }}
+{{- if $.Values.defaults}}
+{{ fail (cat
+ "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n"
+ ($.Values.defaults | toYaml |nindent 4)
+) }}
+{{- end }}
+{{- $defaults := $.Values._internal_defaults_do_not_set }}
+{{- $_ := unset $.Values "_internal_defaults_do_not_set" }}
 {{- $profile := dict }}
 {{- with .Values.profile }}
 {{- with $.Files.Get (printf "files/profile-%s.yaml" .)}}
@@ -33,11 +38,11 @@ Finally, we can set all of that under .Values so the chart behaves without aware
 {{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }}
 {{- end }}
 {{- end }}
-{{- if $globals.platform }}
-{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" $globals.platform) }}
+{{- if ($.Values.global).platform }}
+{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" ($.Values.global).platform) }}
 {{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
 {{- else }}
-{{ fail (cat "unknown platform" $globals.platform) }}
+{{ fail (cat "unknown platform" ($.Values.global).platform) }}
 {{- end }}
 {{- end }}
 {{- if $profile }}
@@ -45,7 +50,7 @@ Finally, we can set all of that under .Values so the chart behaves without aware
 {{- end }}
 # Flatten globals, if defined on a per-chart basis
 {{- if true }}
-{{- $a := mustMergeOverwrite $defaults $globals }}
+{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict) }}
 {{- end }}
 {{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }}
diff --git a/resources/latest/charts/ztunnel/values.yaml b/resources/latest/charts/ztunnel/values.yaml
index c5e3ebe7b..877f05f27 100644
--- a/resources/latest/charts/ztunnel/values.yaml
+++ b/resources/latest/charts/ztunnel/values.yaml
@@ -1,10 +1,10 @@
-# "defaults" is a workaround for Helm limitations. Users should NOT set ".defaults" explicitly, but rather directly set the fields internally.
-# For instance, instead of `--set defaults.foo=bar`, just set `--set foo=bar`.
-defaults:
+# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally.
+# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`.
+_internal_defaults_do_not_set:
 # Hub to pull from. Image will be `Hub/Image:Tag-Variant`
 hub: gcr.io/istio-testing
 # Tag to pull from. Image will be `Hub/Image:Tag-Variant`
- tag: 1.24-alpha.fe2a04689d3b7abf7630dc5646bf825e0c0592fe
+ tag: 1.24-alpha.6f95f8c912c44489b4f78568207337bd907f46c1
 # Variant to pull. Options are "debug" or "distroless". Unset will use the default for the given version.
 variant: ""
diff --git a/resources/v1.21.5/charts/base/Chart.yaml b/resources/v1.21.6/charts/base/Chart.yaml
similarity index 86%
rename from resources/v1.21.5/charts/base/Chart.yaml
rename to resources/v1.21.6/charts/base/Chart.yaml
index 61e7978b9..df758d1a4 100644
--- a/resources/v1.21.5/charts/base/Chart.yaml
+++ b/resources/v1.21.6/charts/base/Chart.yaml
@@ -1,5 +1,5 @@
 apiVersion: v1
-appVersion: 1.21.5
+appVersion: 1.21.6
 description: Helm chart for deploying Istio cluster resources and CRDs
 icon: https://istio.io/latest/favicons/android-192x192.png
 keywords:
@@ -7,4 +7,4 @@ keywords:
 name: base
 sources:
 - https://github.com/istio/istio
-version: 1.21.5
+version: 1.21.6
diff --git a/resources/v1.21.5/charts/base/README.md b/resources/v1.21.6/charts/base/README.md
similarity index 100%
rename from resources/v1.21.5/charts/base/README.md
rename to resources/v1.21.6/charts/base/README.md
diff --git a/resources/v1.21.5/charts/base/crds/crd-all.gen.yaml b/resources/v1.21.6/charts/base/crds/crd-all.gen.yaml
similarity index 100%
rename from resources/v1.21.5/charts/base/crds/crd-all.gen.yaml
rename to resources/v1.21.6/charts/base/crds/crd-all.gen.yaml
diff --git a/resources/v1.21.5/charts/base/files/profile-ambient.yaml b/resources/v1.21.6/charts/base/files/profile-ambient.yaml
similarity index 100%
rename from resources/v1.21.5/charts/base/files/profile-ambient.yaml
rename to resources/v1.21.6/charts/base/files/profile-ambient.yaml
diff --git a/resources/v1.21.5/charts/base/files/profile-compatibility-version-1.20.yaml b/resources/v1.21.6/charts/base/files/profile-compatibility-version-1.20.yaml
similarity index 100%
rename from resources/v1.21.5/charts/base/files/profile-compatibility-version-1.20.yaml
rename to resources/v1.21.6/charts/base/files/profile-compatibility-version-1.20.yaml
diff --git a/resources/v1.21.5/charts/base/files/profile-demo.yaml b/resources/v1.21.6/charts/base/files/profile-demo.yaml
similarity index 100%
rename from resources/v1.21.5/charts/base/files/profile-demo.yaml
rename to resources/v1.21.6/charts/base/files/profile-demo.yaml
diff --git a/resources/v1.21.5/charts/base/files/profile-openshift.yaml b/resources/v1.21.6/charts/base/files/profile-openshift.yaml
similarity index 100%
rename from resources/v1.21.5/charts/base/files/profile-openshift.yaml
rename to resources/v1.21.6/charts/base/files/profile-openshift.yaml
diff --git a/resources/v1.21.5/charts/base/files/profile-preview.yaml b/resources/v1.21.6/charts/base/files/profile-preview.yaml
similarity index 100%
rename from resources/v1.21.5/charts/base/files/profile-preview.yaml
rename to resources/v1.21.6/charts/base/files/profile-preview.yaml
diff --git a/resources/v1.21.5/charts/base/templates/NOTES.txt b/resources/v1.21.6/charts/base/templates/NOTES.txt
similarity index 100%
rename from resources/v1.21.5/charts/base/templates/NOTES.txt
rename to resources/v1.21.6/charts/base/templates/NOTES.txt
diff --git a/resources/v1.21.5/charts/base/templates/crds.yaml b/resources/v1.21.6/charts/base/templates/crds.yaml
similarity index 100%
rename from resources/v1.21.5/charts/base/templates/crds.yaml
rename to resources/v1.21.6/charts/base/templates/crds.yaml
diff --git a/resources/v1.21.5/charts/base/templates/default.yaml b/resources/v1.21.6/charts/base/templates/default.yaml
similarity index 100%
rename from resources/v1.21.5/charts/base/templates/default.yaml
rename to resources/v1.21.6/charts/base/templates/default.yaml
diff --git a/resources/v1.21.5/charts/base/templates/endpoints.yaml b/resources/v1.21.6/charts/base/templates/endpoints.yaml
similarity index 100%
rename from resources/v1.21.5/charts/base/templates/endpoints.yaml
rename to resources/v1.21.6/charts/base/templates/endpoints.yaml
diff --git a/resources/v1.21.5/charts/base/templates/reader-serviceaccount.yaml b/resources/v1.21.6/charts/base/templates/reader-serviceaccount.yaml
similarity index 100%
rename from resources/v1.21.5/charts/base/templates/reader-serviceaccount.yaml
rename to resources/v1.21.6/charts/base/templates/reader-serviceaccount.yaml
diff --git a/resources/v1.21.5/charts/base/templates/services.yaml b/resources/v1.21.6/charts/base/templates/services.yaml
similarity index 100%
rename from resources/v1.21.5/charts/base/templates/services.yaml
rename to resources/v1.21.6/charts/base/templates/services.yaml
diff --git a/resources/v1.21.5/charts/base/templates/zzz_profile.yaml b/resources/v1.21.6/charts/base/templates/zzz_profile.yaml
similarity index 100%
rename from resources/v1.21.5/charts/base/templates/zzz_profile.yaml
rename to resources/v1.21.6/charts/base/templates/zzz_profile.yaml
diff --git a/resources/v1.21.5/charts/base/values.yaml b/resources/v1.21.6/charts/base/values.yaml
similarity index 100%
rename from resources/v1.21.5/charts/base/values.yaml
rename to resources/v1.21.6/charts/base/values.yaml
diff --git a/resources/v1.21.5/charts/cni/Chart.yaml b/resources/v1.21.6/charts/cni/Chart.yaml
similarity index 86%
rename from resources/v1.21.5/charts/cni/Chart.yaml
rename to resources/v1.21.6/charts/cni/Chart.yaml
index 8c4d91551..6435229e4 100644
--- a/resources/v1.21.5/charts/cni/Chart.yaml
+++ b/resources/v1.21.6/charts/cni/Chart.yaml
@@ -1,5 +1,5 @@
 apiVersion: v1
-appVersion: 1.21.5
+appVersion: 1.21.6
 description: Helm chart for istio-cni components
 icon: https://istio.io/latest/favicons/android-192x192.png
 keywords:
@@ -8,4 +8,4 @@ keywords:
 name: cni
 sources:
 - https://github.com/istio/istio/tree/release-1.21/cni
-version: 1.21.5
+version: 1.21.6
diff --git a/resources/v1.21.5/charts/cni/README.md b/resources/v1.21.6/charts/cni/README.md
similarity index 100%
rename from resources/v1.21.5/charts/cni/README.md
rename to resources/v1.21.6/charts/cni/README.md
diff --git a/resources/v1.21.5/charts/cni/files/profile-ambient.yaml b/resources/v1.21.6/charts/cni/files/profile-ambient.yaml
similarity index 100%
rename from resources/v1.21.5/charts/cni/files/profile-ambient.yaml
rename to resources/v1.21.6/charts/cni/files/profile-ambient.yaml
diff --git a/resources/v1.21.5/charts/cni/files/profile-compatibility-version-1.20.yaml b/resources/v1.21.6/charts/cni/files/profile-compatibility-version-1.20.yaml
similarity index 100%
rename from resources/v1.21.5/charts/cni/files/profile-compatibility-version-1.20.yaml
rename to resources/v1.21.6/charts/cni/files/profile-compatibility-version-1.20.yaml
diff --git a/resources/v1.21.5/charts/cni/files/profile-demo.yaml b/resources/v1.21.6/charts/cni/files/profile-demo.yaml
similarity index 100%
rename from resources/v1.21.5/charts/cni/files/profile-demo.yaml
rename to resources/v1.21.6/charts/cni/files/profile-demo.yaml
diff --git a/resources/v1.21.5/charts/cni/files/profile-openshift.yaml b/resources/v1.21.6/charts/cni/files/profile-openshift.yaml
similarity index 100%
rename from resources/v1.21.5/charts/cni/files/profile-openshift.yaml
rename to resources/v1.21.6/charts/cni/files/profile-openshift.yaml
diff --git a/resources/v1.21.5/charts/cni/files/profile-preview.yaml b/resources/v1.21.6/charts/cni/files/profile-preview.yaml
similarity index 100%
rename from resources/v1.21.5/charts/cni/files/profile-preview.yaml
rename to resources/v1.21.6/charts/cni/files/profile-preview.yaml
diff --git a/resources/v1.21.5/charts/cni/templates/NOTES.txt b/resources/v1.21.6/charts/cni/templates/NOTES.txt
similarity index 100%
rename from resources/v1.21.5/charts/cni/templates/NOTES.txt
rename to resources/v1.21.6/charts/cni/templates/NOTES.txt
diff --git a/resources/v1.21.5/charts/cni/templates/clusterrole.yaml b/resources/v1.21.6/charts/cni/templates/clusterrole.yaml
similarity index 100%
rename from resources/v1.21.5/charts/cni/templates/clusterrole.yaml
rename to resources/v1.21.6/charts/cni/templates/clusterrole.yaml
diff --git a/resources/v1.21.5/charts/cni/templates/clusterrolebinding.yaml b/resources/v1.21.6/charts/cni/templates/clusterrolebinding.yaml
similarity index 100%
rename from resources/v1.21.5/charts/cni/templates/clusterrolebinding.yaml
rename to resources/v1.21.6/charts/cni/templates/clusterrolebinding.yaml
diff --git a/resources/v1.21.5/charts/cni/templates/configmap-cni.yaml b/resources/v1.21.6/charts/cni/templates/configmap-cni.yaml
similarity index 100%
rename from resources/v1.21.5/charts/cni/templates/configmap-cni.yaml
rename to resources/v1.21.6/charts/cni/templates/configmap-cni.yaml
diff --git a/resources/v1.21.5/charts/cni/templates/daemonset.yaml b/resources/v1.21.6/charts/cni/templates/daemonset.yaml
similarity index 100%
rename from resources/v1.21.5/charts/cni/templates/daemonset.yaml
rename to resources/v1.21.6/charts/cni/templates/daemonset.yaml
diff --git a/resources/v1.21.5/charts/cni/templates/network-attachment-definition.yaml b/resources/v1.21.6/charts/cni/templates/network-attachment-definition.yaml
similarity index 100%
rename from resources/v1.21.5/charts/cni/templates/network-attachment-definition.yaml
rename to resources/v1.21.6/charts/cni/templates/network-attachment-definition.yaml
diff --git a/resources/v1.21.5/charts/cni/templates/resourcequota.yaml b/resources/v1.21.6/charts/cni/templates/resourcequota.yaml
similarity index 100%
rename from resources/v1.21.5/charts/cni/templates/resourcequota.yaml
rename to resources/v1.21.6/charts/cni/templates/resourcequota.yaml
diff --git a/resources/v1.21.5/charts/cni/templates/serviceaccount.yaml b/resources/v1.21.6/charts/cni/templates/serviceaccount.yaml
similarity index 100%
rename from resources/v1.21.5/charts/cni/templates/serviceaccount.yaml
rename to resources/v1.21.6/charts/cni/templates/serviceaccount.yaml
diff --git a/resources/v1.21.5/charts/cni/templates/zzz_profile.yaml b/resources/v1.21.6/charts/cni/templates/zzz_profile.yaml
similarity index 100%
rename from resources/v1.21.5/charts/cni/templates/zzz_profile.yaml
rename to resources/v1.21.6/charts/cni/templates/zzz_profile.yaml
diff --git a/resources/v1.21.5/charts/cni/values.yaml b/resources/v1.21.6/charts/cni/values.yaml
similarity index 99%
rename from resources/v1.21.5/charts/cni/values.yaml
rename to resources/v1.21.6/charts/cni/values.yaml
index 8f65adbea..e23c58b64 100644
--- a/resources/v1.21.5/charts/cni/values.yaml
+++ b/resources/v1.21.6/charts/cni/values.yaml
@@ -116,7 +116,7 @@ defaults:
 hub: docker.io/istio
 # Default tag for Istio images.
- tag: 1.21.5
+ tag: 1.21.6
 # Variant of the image to use.
 # Currently supported are: [debug, distroless]
diff --git a/resources/v1.22.3/charts/gateway/Chart.yaml b/resources/v1.21.6/charts/gateway/Chart.yaml
similarity index 86%
rename from resources/v1.22.3/charts/gateway/Chart.yaml
rename to resources/v1.21.6/charts/gateway/Chart.yaml
index 626ba6957..b5b027eb3 100644
--- a/resources/v1.22.3/charts/gateway/Chart.yaml
+++ b/resources/v1.21.6/charts/gateway/Chart.yaml
@@ -1,5 +1,5 @@
 apiVersion: v2
-appVersion: 1.22.3
+appVersion: 1.21.6
 description: Helm chart for deploying Istio gateways
 icon: https://istio.io/latest/favicons/android-192x192.png
 keywords:
@@ -9,4 +9,4 @@ name: gateway
 sources:
 - https://github.com/istio/istio
 type: application
-version: 1.22.3
+version: 1.21.6
diff --git a/resources/v1.21.5/charts/gateway/README.md b/resources/v1.21.6/charts/gateway/README.md
similarity index 100%
rename from resources/v1.21.5/charts/gateway/README.md
rename to resources/v1.21.6/charts/gateway/README.md
diff --git a/resources/v1.21.5/charts/gateway/files/profile-ambient.yaml b/resources/v1.21.6/charts/gateway/files/profile-ambient.yaml
similarity index 100%
rename from resources/v1.21.5/charts/gateway/files/profile-ambient.yaml
rename to resources/v1.21.6/charts/gateway/files/profile-ambient.yaml
diff --git a/resources/v1.21.5/charts/gateway/files/profile-compatibility-version-1.20.yaml b/resources/v1.21.6/charts/gateway/files/profile-compatibility-version-1.20.yaml
similarity index 100%
rename from resources/v1.21.5/charts/gateway/files/profile-compatibility-version-1.20.yaml
rename to resources/v1.21.6/charts/gateway/files/profile-compatibility-version-1.20.yaml
diff --git a/resources/v1.21.5/charts/gateway/files/profile-demo.yaml b/resources/v1.21.6/charts/gateway/files/profile-demo.yaml
similarity index 100%
rename from resources/v1.21.5/charts/gateway/files/profile-demo.yaml
rename to resources/v1.21.6/charts/gateway/files/profile-demo.yaml
diff --git a/resources/v1.21.5/charts/gateway/files/profile-openshift.yaml b/resources/v1.21.6/charts/gateway/files/profile-openshift.yaml
similarity index 100%
rename from resources/v1.21.5/charts/gateway/files/profile-openshift.yaml
rename to resources/v1.21.6/charts/gateway/files/profile-openshift.yaml
diff --git a/resources/v1.21.5/charts/gateway/files/profile-preview.yaml b/resources/v1.21.6/charts/gateway/files/profile-preview.yaml
similarity index 100%
rename from resources/v1.21.5/charts/gateway/files/profile-preview.yaml
rename to resources/v1.21.6/charts/gateway/files/profile-preview.yaml
diff --git a/resources/v1.21.5/charts/gateway/templates/NOTES.txt b/resources/v1.21.6/charts/gateway/templates/NOTES.txt
similarity index 100%
rename from resources/v1.21.5/charts/gateway/templates/NOTES.txt
rename to resources/v1.21.6/charts/gateway/templates/NOTES.txt
diff --git a/resources/v1.21.5/charts/gateway/templates/_helpers.tpl b/resources/v1.21.6/charts/gateway/templates/_helpers.tpl
similarity index 100%
rename from resources/v1.21.5/charts/gateway/templates/_helpers.tpl
rename to resources/v1.21.6/charts/gateway/templates/_helpers.tpl
diff --git a/resources/v1.21.5/charts/gateway/templates/deployment.yaml b/resources/v1.21.6/charts/gateway/templates/deployment.yaml
similarity index 100%
rename from resources/v1.21.5/charts/gateway/templates/deployment.yaml
rename to resources/v1.21.6/charts/gateway/templates/deployment.yaml
diff --git a/resources/v1.21.5/charts/gateway/templates/hpa.yaml b/resources/v1.21.6/charts/gateway/templates/hpa.yaml
similarity index 100%
rename from resources/v1.21.5/charts/gateway/templates/hpa.yaml
rename to resources/v1.21.6/charts/gateway/templates/hpa.yaml
diff --git a/resources/v1.21.5/charts/gateway/templates/poddisruptionbudget.yaml b/resources/v1.21.6/charts/gateway/templates/poddisruptionbudget.yaml
similarity index 100%
rename from resources/v1.21.5/charts/gateway/templates/poddisruptionbudget.yaml
rename to resources/v1.21.6/charts/gateway/templates/poddisruptionbudget.yaml
diff --git a/resources/v1.21.5/charts/gateway/templates/role.yaml b/resources/v1.21.6/charts/gateway/templates/role.yaml
similarity index 100%
rename from resources/v1.21.5/charts/gateway/templates/role.yaml
rename to resources/v1.21.6/charts/gateway/templates/role.yaml
diff --git a/resources/v1.21.5/charts/gateway/templates/service.yaml b/resources/v1.21.6/charts/gateway/templates/service.yaml
similarity index 100%
rename from resources/v1.21.5/charts/gateway/templates/service.yaml
rename to resources/v1.21.6/charts/gateway/templates/service.yaml
diff --git a/resources/v1.21.5/charts/gateway/templates/serviceaccount.yaml b/resources/v1.21.6/charts/gateway/templates/serviceaccount.yaml
similarity index 100%
rename from resources/v1.21.5/charts/gateway/templates/serviceaccount.yaml
rename to resources/v1.21.6/charts/gateway/templates/serviceaccount.yaml
diff --git a/resources/v1.21.5/charts/gateway/templates/zzz_profile.yaml b/resources/v1.21.6/charts/gateway/templates/zzz_profile.yaml
similarity index 100%
rename from resources/v1.21.5/charts/gateway/templates/zzz_profile.yaml
rename to resources/v1.21.6/charts/gateway/templates/zzz_profile.yaml
diff --git a/resources/v1.21.5/charts/gateway/values.schema.json b/resources/v1.21.6/charts/gateway/values.schema.json
similarity index 100%
rename from resources/v1.21.5/charts/gateway/values.schema.json
rename to resources/v1.21.6/charts/gateway/values.schema.json
diff --git a/resources/v1.21.5/charts/gateway/values.yaml b/resources/v1.21.6/charts/gateway/values.yaml
similarity index 100%
rename from resources/v1.21.5/charts/gateway/values.yaml
rename to resources/v1.21.6/charts/gateway/values.yaml
diff --git a/resources/v1.21.5/charts/istiod/Chart.yaml b/resources/v1.21.6/charts/istiod/Chart.yaml
similarity index 86%
rename from resources/v1.21.5/charts/istiod/Chart.yaml
rename to resources/v1.21.6/charts/istiod/Chart.yaml
index 9a783f4eb..121a4ab64 100644
--- a/resources/v1.21.5/charts/istiod/Chart.yaml
+++ b/resources/v1.21.6/charts/istiod/Chart.yaml
@@ -1,5 +1,5 @@
 apiVersion: v1
-appVersion: 1.21.5
+appVersion: 1.21.6
 description: Helm chart for istio control plane
 icon: https://istio.io/latest/favicons/android-192x192.png
 keywords:
@@ -9,4 +9,4 @@ keywords:
 name: istiod
 sources:
 - https://github.com/istio/istio
-version: 1.21.5
+version: 1.21.6
diff --git a/resources/v1.21.5/charts/istiod/README.md b/resources/v1.21.6/charts/istiod/README.md
similarity index 100%
rename from resources/v1.21.5/charts/istiod/README.md
rename to resources/v1.21.6/charts/istiod/README.md
diff --git a/resources/v1.21.5/charts/istiod/files/gateway-injection-template.yaml b/resources/v1.21.6/charts/istiod/files/gateway-injection-template.yaml
similarity index 100%
rename from resources/v1.21.5/charts/istiod/files/gateway-injection-template.yaml
rename to resources/v1.21.6/charts/istiod/files/gateway-injection-template.yaml
diff --git a/resources/v1.21.5/charts/istiod/files/grpc-agent.yaml b/resources/v1.21.6/charts/istiod/files/grpc-agent.yaml
similarity index 100%
rename from resources/v1.21.5/charts/istiod/files/grpc-agent.yaml
rename to resources/v1.21.6/charts/istiod/files/grpc-agent.yaml
diff --git a/resources/v1.21.5/charts/istiod/files/grpc-simple.yaml b/resources/v1.21.6/charts/istiod/files/grpc-simple.yaml
similarity index 100%
rename from resources/v1.21.5/charts/istiod/files/grpc-simple.yaml
rename to resources/v1.21.6/charts/istiod/files/grpc-simple.yaml
diff --git a/resources/v1.21.5/charts/istiod/files/injection-template.yaml b/resources/v1.21.6/charts/istiod/files/injection-template.yaml
similarity index 100%
rename from resources/v1.21.5/charts/istiod/files/injection-template.yaml
rename to resources/v1.21.6/charts/istiod/files/injection-template.yaml
diff --git a/resources/v1.21.5/charts/istiod/files/kube-gateway.yaml b/resources/v1.21.6/charts/istiod/files/kube-gateway.yaml
similarity index 100%
rename from resources/v1.21.5/charts/istiod/files/kube-gateway.yaml
rename to resources/v1.21.6/charts/istiod/files/kube-gateway.yaml
diff --git a/resources/v1.21.5/charts/istiod/files/profile-ambient.yaml b/resources/v1.21.6/charts/istiod/files/profile-ambient.yaml
similarity index 100%
rename from resources/v1.21.5/charts/istiod/files/profile-ambient.yaml
rename to resources/v1.21.6/charts/istiod/files/profile-ambient.yaml
diff --git a/resources/v1.21.5/charts/istiod/files/profile-compatibility-version-1.20.yaml b/resources/v1.21.6/charts/istiod/files/profile-compatibility-version-1.20.yaml
similarity index 100%
rename from resources/v1.21.5/charts/istiod/files/profile-compatibility-version-1.20.yaml
rename to resources/v1.21.6/charts/istiod/files/profile-compatibility-version-1.20.yaml
diff --git a/resources/v1.21.5/charts/istiod/files/profile-demo.yaml b/resources/v1.21.6/charts/istiod/files/profile-demo.yaml
similarity index 100%
rename from resources/v1.21.5/charts/istiod/files/profile-demo.yaml
rename to resources/v1.21.6/charts/istiod/files/profile-demo.yaml
diff --git a/resources/v1.21.5/charts/istiod/files/profile-openshift.yaml b/resources/v1.21.6/charts/istiod/files/profile-openshift.yaml
similarity index 100%
rename from resources/v1.21.5/charts/istiod/files/profile-openshift.yaml
rename to resources/v1.21.6/charts/istiod/files/profile-openshift.yaml
diff --git a/resources/v1.21.5/charts/istiod/files/profile-preview.yaml b/resources/v1.21.6/charts/istiod/files/profile-preview.yaml
similarity index 100%
rename from resources/v1.21.5/charts/istiod/files/profile-preview.yaml
rename to resources/v1.21.6/charts/istiod/files/profile-preview.yaml
diff --git a/resources/v1.21.5/charts/istiod/files/waypoint.yaml b/resources/v1.21.6/charts/istiod/files/waypoint.yaml
similarity index 100%
rename from resources/v1.21.5/charts/istiod/files/waypoint.yaml
rename to resources/v1.21.6/charts/istiod/files/waypoint.yaml
diff --git a/resources/v1.21.5/charts/istiod/templates/NOTES.txt b/resources/v1.21.6/charts/istiod/templates/NOTES.txt
similarity index 100%
rename from resources/v1.21.5/charts/istiod/templates/NOTES.txt
rename to resources/v1.21.6/charts/istiod/templates/NOTES.txt
diff --git a/resources/v1.21.5/charts/istiod/templates/_helpers.tpl b/resources/v1.21.6/charts/istiod/templates/_helpers.tpl
similarity index 100%
rename from resources/v1.21.5/charts/istiod/templates/_helpers.tpl
rename to resources/v1.21.6/charts/istiod/templates/_helpers.tpl
diff --git a/resources/v1.21.5/charts/istiod/templates/autoscale.yaml b/resources/v1.21.6/charts/istiod/templates/autoscale.yaml
similarity index 100%
rename from resources/v1.21.5/charts/istiod/templates/autoscale.yaml
rename to resources/v1.21.6/charts/istiod/templates/autoscale.yaml
diff --git a/resources/v1.21.5/charts/istiod/templates/clusterrole.yaml b/resources/v1.21.6/charts/istiod/templates/clusterrole.yaml
similarity index 100%
rename from resources/v1.21.5/charts/istiod/templates/clusterrole.yaml
rename to resources/v1.21.6/charts/istiod/templates/clusterrole.yaml
diff --git a/resources/v1.21.5/charts/istiod/templates/clusterrolebinding.yaml b/resources/v1.21.6/charts/istiod/templates/clusterrolebinding.yaml
similarity index 100%
rename from resources/v1.21.5/charts/istiod/templates/clusterrolebinding.yaml
rename to resources/v1.21.6/charts/istiod/templates/clusterrolebinding.yaml
diff --git a/resources/v1.21.5/charts/istiod/templates/configmap-jwks.yaml b/resources/v1.21.6/charts/istiod/templates/configmap-jwks.yaml
similarity index 100%
rename from resources/v1.21.5/charts/istiod/templates/configmap-jwks.yaml
rename to resources/v1.21.6/charts/istiod/templates/configmap-jwks.yaml
diff --git a/resources/v1.21.5/charts/istiod/templates/configmap.yaml b/resources/v1.21.6/charts/istiod/templates/configmap.yaml
similarity index 100%
rename from resources/v1.21.5/charts/istiod/templates/configmap.yaml
rename to resources/v1.21.6/charts/istiod/templates/configmap.yaml
diff --git a/resources/v1.21.5/charts/istiod/templates/deployment.yaml b/resources/v1.21.6/charts/istiod/templates/deployment.yaml
similarity index 100%
rename from resources/v1.21.5/charts/istiod/templates/deployment.yaml
rename to resources/v1.21.6/charts/istiod/templates/deployment.yaml
diff --git a/resources/v1.21.5/charts/istiod/templates/istiod-injector-configmap.yaml b/resources/v1.21.6/charts/istiod/templates/istiod-injector-configmap.yaml
similarity index 100%
rename from resources/v1.21.5/charts/istiod/templates/istiod-injector-configmap.yaml
rename to resources/v1.21.6/charts/istiod/templates/istiod-injector-configmap.yaml
diff --git a/resources/v1.21.5/charts/istiod/templates/mutatingwebhook.yaml b/resources/v1.21.6/charts/istiod/templates/mutatingwebhook.yaml
similarity index 100%
rename from resources/v1.21.5/charts/istiod/templates/mutatingwebhook.yaml
rename to resources/v1.21.6/charts/istiod/templates/mutatingwebhook.yaml
diff --git a/resources/v1.21.5/charts/istiod/templates/poddisruptionbudget.yaml b/resources/v1.21.6/charts/istiod/templates/poddisruptionbudget.yaml
similarity index 100%
rename from resources/v1.21.5/charts/istiod/templates/poddisruptionbudget.yaml
rename to resources/v1.21.6/charts/istiod/templates/poddisruptionbudget.yaml
diff --git a/resources/v1.21.5/charts/istiod/templates/reader-clusterrole.yaml b/resources/v1.21.6/charts/istiod/templates/reader-clusterrole.yaml
similarity index 100%
rename from resources/v1.21.5/charts/istiod/templates/reader-clusterrole.yaml
rename to resources/v1.21.6/charts/istiod/templates/reader-clusterrole.yaml
diff --git a/resources/v1.21.5/charts/istiod/templates/reader-clusterrolebinding.yaml b/resources/v1.21.6/charts/istiod/templates/reader-clusterrolebinding.yaml
similarity index 100%
rename from resources/v1.21.5/charts/istiod/templates/reader-clusterrolebinding.yaml
rename to resources/v1.21.6/charts/istiod/templates/reader-clusterrolebinding.yaml
diff --git a/resources/v1.21.5/charts/istiod/templates/revision-tags.yaml b/resources/v1.21.6/charts/istiod/templates/revision-tags.yaml
similarity index 100%
rename from resources/v1.21.5/charts/istiod/templates/revision-tags.yaml
rename to resources/v1.21.6/charts/istiod/templates/revision-tags.yaml
diff --git a/resources/v1.21.5/charts/istiod/templates/role.yaml b/resources/v1.21.6/charts/istiod/templates/role.yaml
similarity index 100%
rename from resources/v1.21.5/charts/istiod/templates/role.yaml
rename to resources/v1.21.6/charts/istiod/templates/role.yaml
diff --git a/resources/v1.21.5/charts/istiod/templates/rolebinding.yaml b/resources/v1.21.6/charts/istiod/templates/rolebinding.yaml
similarity index 100%
rename from resources/v1.21.5/charts/istiod/templates/rolebinding.yaml
rename to resources/v1.21.6/charts/istiod/templates/rolebinding.yaml
diff --git a/resources/v1.21.5/charts/istiod/templates/service.yaml b/resources/v1.21.6/charts/istiod/templates/service.yaml
similarity index 100%
rename from resources/v1.21.5/charts/istiod/templates/service.yaml
rename to resources/v1.21.6/charts/istiod/templates/service.yaml
diff --git a/resources/v1.21.5/charts/istiod/templates/serviceaccount.yaml b/resources/v1.21.6/charts/istiod/templates/serviceaccount.yaml
similarity index 100%
rename from resources/v1.21.5/charts/istiod/templates/serviceaccount.yaml
rename to resources/v1.21.6/charts/istiod/templates/serviceaccount.yaml
diff --git a/resources/v1.21.5/charts/istiod/templates/validatingwebhookconfiguration.yaml b/resources/v1.21.6/charts/istiod/templates/validatingwebhookconfiguration.yaml
similarity index 100%
rename from resources/v1.21.5/charts/istiod/templates/validatingwebhookconfiguration.yaml
rename to resources/v1.21.6/charts/istiod/templates/validatingwebhookconfiguration.yaml
diff --git a/resources/v1.21.5/charts/istiod/templates/zzz_profile.yaml b/resources/v1.21.6/charts/istiod/templates/zzz_profile.yaml
similarity index 100%
rename from resources/v1.21.5/charts/istiod/templates/zzz_profile.yaml
rename to resources/v1.21.6/charts/istiod/templates/zzz_profile.yaml
diff --git a/resources/v1.21.5/charts/istiod/values.yaml b/resources/v1.21.6/charts/istiod/values.yaml
similarity index 99%
rename from resources/v1.21.5/charts/istiod/values.yaml
rename to resources/v1.21.6/charts/istiod/values.yaml
index a520c7a48..2a80fa50d 100644
--- a/resources/v1.21.5/charts/istiod/values.yaml
+++ b/resources/v1.21.6/charts/istiod/values.yaml
@@ -216,7 +216,7 @@ defaults: # Dev builds from prow are on gcr.io hub: docker.io/istio # Default tag for Istio images. - tag: 1.21.5 + tag: 1.21.6 # Variant of the image to use. # Currently supported are: [debug, distroless] variant: "" diff --git a/resources/v1.22.3/charts/ztunnel/Chart.yaml b/resources/v1.21.6/charts/ztunnel/Chart.yaml similarity index 86% rename from resources/v1.22.3/charts/ztunnel/Chart.yaml rename to resources/v1.21.6/charts/ztunnel/Chart.yaml index 8bc58b9bd..d557e634b 100644 --- a/resources/v1.22.3/charts/ztunnel/Chart.yaml +++ b/resources/v1.21.6/charts/ztunnel/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v1 -appVersion: 1.22.3 +appVersion: 1.21.6 description: Helm chart for istio ztunnel components icon: https://istio.io/latest/favicons/android-192x192.png keywords: @@ -8,4 +8,4 @@ keywords: name: ztunnel sources: - https://github.com/istio/istio -version: 1.22.3 +version: 1.21.6 diff --git a/resources/v1.21.5/charts/ztunnel/README.md b/resources/v1.21.6/charts/ztunnel/README.md similarity index 100% rename from resources/v1.21.5/charts/ztunnel/README.md rename to resources/v1.21.6/charts/ztunnel/README.md diff --git a/resources/v1.21.5/charts/ztunnel/files/profile-ambient.yaml b/resources/v1.21.6/charts/ztunnel/files/profile-ambient.yaml similarity index 100% rename from resources/v1.21.5/charts/ztunnel/files/profile-ambient.yaml rename to resources/v1.21.6/charts/ztunnel/files/profile-ambient.yaml diff --git a/resources/v1.21.5/charts/ztunnel/files/profile-compatibility-version-1.20.yaml b/resources/v1.21.6/charts/ztunnel/files/profile-compatibility-version-1.20.yaml similarity index 100% rename from resources/v1.21.5/charts/ztunnel/files/profile-compatibility-version-1.20.yaml rename to resources/v1.21.6/charts/ztunnel/files/profile-compatibility-version-1.20.yaml 
diff --git a/resources/v1.21.5/charts/ztunnel/files/profile-demo.yaml b/resources/v1.21.6/charts/ztunnel/files/profile-demo.yaml
similarity index 100%
rename from resources/v1.21.5/charts/ztunnel/files/profile-demo.yaml
rename to resources/v1.21.6/charts/ztunnel/files/profile-demo.yaml
diff --git a/resources/v1.21.5/charts/ztunnel/files/profile-openshift.yaml b/resources/v1.21.6/charts/ztunnel/files/profile-openshift.yaml
similarity index 100%
rename from resources/v1.21.5/charts/ztunnel/files/profile-openshift.yaml
rename to resources/v1.21.6/charts/ztunnel/files/profile-openshift.yaml
diff --git a/resources/v1.21.5/charts/ztunnel/files/profile-preview.yaml b/resources/v1.21.6/charts/ztunnel/files/profile-preview.yaml
similarity index 100%
rename from resources/v1.21.5/charts/ztunnel/files/profile-preview.yaml
rename to resources/v1.21.6/charts/ztunnel/files/profile-preview.yaml
diff --git a/resources/v1.21.5/charts/ztunnel/templates/NOTES.txt b/resources/v1.21.6/charts/ztunnel/templates/NOTES.txt
similarity index 100%
rename from resources/v1.21.5/charts/ztunnel/templates/NOTES.txt
rename to resources/v1.21.6/charts/ztunnel/templates/NOTES.txt
diff --git a/resources/v1.21.5/charts/ztunnel/templates/daemonset.yaml b/resources/v1.21.6/charts/ztunnel/templates/daemonset.yaml
similarity index 100%
rename from resources/v1.21.5/charts/ztunnel/templates/daemonset.yaml
rename to resources/v1.21.6/charts/ztunnel/templates/daemonset.yaml
diff --git a/resources/v1.21.5/charts/ztunnel/templates/rbac.yaml b/resources/v1.21.6/charts/ztunnel/templates/rbac.yaml
similarity index 100%
rename from resources/v1.21.5/charts/ztunnel/templates/rbac.yaml
rename to resources/v1.21.6/charts/ztunnel/templates/rbac.yaml
diff --git a/resources/v1.21.5/charts/ztunnel/templates/zzz_profile.yaml b/resources/v1.21.6/charts/ztunnel/templates/zzz_profile.yaml similarity index 100% rename from resources/v1.21.5/charts/ztunnel/templates/zzz_profile.yaml rename to resources/v1.21.6/charts/ztunnel/templates/zzz_profile.yaml diff --git a/resources/v1.21.5/charts/ztunnel/values.yaml b/resources/v1.21.6/charts/ztunnel/values.yaml similarity index 99% rename from resources/v1.21.5/charts/ztunnel/values.yaml rename to resources/v1.21.6/charts/ztunnel/values.yaml index 0416f7374..3929f153f 100644 --- a/resources/v1.21.5/charts/ztunnel/values.yaml +++ b/resources/v1.21.6/charts/ztunnel/values.yaml @@ -2,7 +2,7 @@ defaults: # Hub to pull from. Image will be `Hub/Image:Tag-Variant` hub: docker.io/istio # Tag to pull from. Image will be `Hub/Image:Tag-Variant` - tag: 1.21.5 + tag: 1.21.6 # Variant to pull. Options are "debug" or "distroless". Unset will use the default for the given version. variant: "" diff --git a/resources/v1.21.5/profiles/ambient.yaml b/resources/v1.21.6/profiles/ambient.yaml similarity index 100% rename from resources/v1.21.5/profiles/ambient.yaml rename to resources/v1.21.6/profiles/ambient.yaml diff --git a/resources/v1.21.5/profiles/default.yaml b/resources/v1.21.6/profiles/default.yaml similarity index 100% rename from resources/v1.21.5/profiles/default.yaml rename to resources/v1.21.6/profiles/default.yaml diff --git a/resources/v1.21.5/profiles/demo.yaml b/resources/v1.21.6/profiles/demo.yaml similarity index 100% rename from resources/v1.21.5/profiles/demo.yaml rename to resources/v1.21.6/profiles/demo.yaml diff --git a/resources/v1.21.5/profiles/empty.yaml b/resources/v1.21.6/profiles/empty.yaml similarity index 100% rename from resources/v1.21.5/profiles/empty.yaml rename to resources/v1.21.6/profiles/empty.yaml 
diff --git a/resources/v1.21.5/profiles/external.yaml b/resources/v1.21.6/profiles/external.yaml similarity index 100% rename from resources/v1.21.5/profiles/external.yaml rename to resources/v1.21.6/profiles/external.yaml diff --git a/resources/v1.21.5/profiles/openshift.yaml b/resources/v1.21.6/profiles/openshift.yaml similarity index 100% rename from resources/v1.21.5/profiles/openshift.yaml rename to resources/v1.21.6/profiles/openshift.yaml diff --git a/resources/v1.21.5/profiles/preview.yaml b/resources/v1.21.6/profiles/preview.yaml similarity index 100% rename from resources/v1.21.5/profiles/preview.yaml rename to resources/v1.21.6/profiles/preview.yaml diff --git a/resources/v1.22.3/charts/ztunnel/files/profile-compatibility-version-1.21.yaml b/resources/v1.22.3/charts/ztunnel/files/profile-compatibility-version-1.21.yaml deleted file mode 100644 index 808d224ed..000000000 --- a/resources/v1.22.3/charts/ztunnel/files/profile-compatibility-version-1.21.yaml +++ /dev/null @@ -1,17 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.22 behavioral changes - ENABLE_ENHANCED_RESOURCE_SCOPING: "false" - ENABLE_RESOLUTION_NONE_TARGET_PORT: "false" -meshConfig: - # 1.22 behavioral changes - proxyMetadata: - ISTIO_DELTA_XDS: "false" - defaultConfig: - tracing: - zipkin: - address: zipkin.istio-system:9411 diff --git a/resources/v1.22.3/charts/ztunnel/templates/zzz_profile.yaml b/resources/v1.22.3/charts/ztunnel/templates/zzz_profile.yaml deleted file mode 100644 index 6359d435a..000000000 --- a/resources/v1.22.3/charts/ztunnel/templates/zzz_profile.yaml +++ /dev/null 
@@ -1,38 +0,0 @@ -{{/* -WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY. -The original version of this file is located at /manifests directory. -If you want to make a change in this file, edit the original one and run "make gen". - -Complex logic ahead... -We have three sets of values, in order of precedence (last wins): -1. The builtin values.yaml defaults -2. The profile the user selects -3. Users input (-f or --set) - -Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2). - -However, we can workaround this by placing all of (1) under a specific key (.Values.defaults). -We can then merge the profile onto the defaults, then the user settings onto that. -Finally, we can set all of that under .Values so the chart behaves without awareness. -*/}} -{{- $defaults := $.Values.defaults }} -{{- $_ := unset $.Values "defaults" }} -{{- $profile := dict }} -{{- with .Values.profile }} -{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}} -{{- $profile = (. | fromYaml) }} -{{- else }} -{{ fail (cat "unknown profile" $.Values.profile) }} -{{- end }} -{{- end }} -{{- with .Values.compatibilityVersion }} -{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }} -{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} -{{- else }} -{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }} -{{- end }} -{{- end }} -{{- if $profile }} -{{- $a := mustMergeOverwrite $defaults $profile }} -{{- end }} -{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }} diff --git a/resources/v1.22.3/charts/base/Chart.yaml b/resources/v1.22.5/charts/base/Chart.yaml similarity index 86% rename from resources/v1.22.3/charts/base/Chart.yaml rename to resources/v1.22.5/charts/base/Chart.yaml index bf0eebf6f..61e79a1e5 100644 --- a/resources/v1.22.3/charts/base/Chart.yaml +++ b/resources/v1.22.5/charts/base/Chart.yaml 
@@ -1,5 +1,5 @@ apiVersion: v1 -appVersion: 1.22.3 +appVersion: 1.22.5 description: Helm chart for deploying Istio cluster resources and CRDs icon: https://istio.io/latest/favicons/android-192x192.png keywords: @@ -7,4 +7,4 @@ keywords: name: base sources: - https://github.com/istio/istio -version: 1.22.3 +version: 1.22.5 diff --git a/resources/v1.22.3/charts/base/README.md b/resources/v1.22.5/charts/base/README.md similarity index 100% rename from resources/v1.22.3/charts/base/README.md rename to resources/v1.22.5/charts/base/README.md diff --git a/resources/v1.22.3/charts/base/crds/crd-all.gen.yaml b/resources/v1.22.5/charts/base/crds/crd-all.gen.yaml similarity index 100% rename from resources/v1.22.3/charts/base/crds/crd-all.gen.yaml rename to resources/v1.22.5/charts/base/crds/crd-all.gen.yaml diff --git a/resources/v1.22.3/charts/base/files/profile-ambient.yaml b/resources/v1.22.5/charts/base/files/profile-ambient.yaml similarity index 100% rename from resources/v1.22.3/charts/base/files/profile-ambient.yaml rename to resources/v1.22.5/charts/base/files/profile-ambient.yaml diff --git a/resources/v1.22.3/charts/base/files/profile-compatibility-version-1.20.yaml b/resources/v1.22.5/charts/base/files/profile-compatibility-version-1.20.yaml similarity index 100% rename from resources/v1.22.3/charts/base/files/profile-compatibility-version-1.20.yaml rename to resources/v1.22.5/charts/base/files/profile-compatibility-version-1.20.yaml diff --git a/resources/v1.22.3/charts/istiod/files/profile-compatibility-version-1.21.yaml b/resources/v1.22.5/charts/base/files/profile-compatibility-version-1.21.yaml similarity index 90% rename from resources/v1.22.3/charts/istiod/files/profile-compatibility-version-1.21.yaml rename to resources/v1.22.5/charts/base/files/profile-compatibility-version-1.21.yaml index 808d224ed..a204a7ad4 100644 --- a/resources/v1.22.3/charts/istiod/files/profile-compatibility-version-1.21.yaml 
+++ b/resources/v1.22.5/charts/base/files/profile-compatibility-version-1.21.yaml @@ -9,9 +9,9 @@ pilot: ENABLE_RESOLUTION_NONE_TARGET_PORT: "false" meshConfig: # 1.22 behavioral changes - proxyMetadata: - ISTIO_DELTA_XDS: "false" defaultConfig: + proxyMetadata: + ISTIO_DELTA_XDS: "false" tracing: zipkin: address: zipkin.istio-system:9411 diff --git a/resources/v1.22.3/charts/base/files/profile-demo.yaml b/resources/v1.22.5/charts/base/files/profile-demo.yaml similarity index 100% rename from resources/v1.22.3/charts/base/files/profile-demo.yaml rename to resources/v1.22.5/charts/base/files/profile-demo.yaml diff --git a/resources/v1.22.3/charts/base/files/profile-openshift-ambient.yaml b/resources/v1.22.5/charts/base/files/profile-openshift-ambient.yaml similarity index 100% rename from resources/v1.22.3/charts/base/files/profile-openshift-ambient.yaml rename to resources/v1.22.5/charts/base/files/profile-openshift-ambient.yaml diff --git a/resources/v1.22.3/charts/base/files/profile-openshift.yaml b/resources/v1.22.5/charts/base/files/profile-openshift.yaml similarity index 100% rename from resources/v1.22.3/charts/base/files/profile-openshift.yaml rename to resources/v1.22.5/charts/base/files/profile-openshift.yaml diff --git a/resources/latest/charts/istiod-remote/files/profile-preview.yaml b/resources/v1.22.5/charts/base/files/profile-preview.yaml similarity index 100% rename from resources/latest/charts/istiod-remote/files/profile-preview.yaml rename to resources/v1.22.5/charts/base/files/profile-preview.yaml diff --git a/resources/latest/charts/istiod-remote/files/profile-stable.yaml b/resources/v1.22.5/charts/base/files/profile-stable.yaml similarity index 100% rename from resources/latest/charts/istiod-remote/files/profile-stable.yaml rename to resources/v1.22.5/charts/base/files/profile-stable.yaml 
diff --git a/resources/v1.22.3/charts/base/templates/NOTES.txt b/resources/v1.22.5/charts/base/templates/NOTES.txt
similarity index 100%
rename from resources/v1.22.3/charts/base/templates/NOTES.txt
rename to resources/v1.22.5/charts/base/templates/NOTES.txt
diff --git a/resources/v1.22.3/charts/base/templates/crds.yaml b/resources/v1.22.5/charts/base/templates/crds.yaml
similarity index 100%
rename from resources/v1.22.3/charts/base/templates/crds.yaml
rename to resources/v1.22.5/charts/base/templates/crds.yaml
diff --git a/resources/v1.22.3/charts/base/templates/default.yaml b/resources/v1.22.5/charts/base/templates/default.yaml
similarity index 100%
rename from resources/v1.22.3/charts/base/templates/default.yaml
rename to resources/v1.22.5/charts/base/templates/default.yaml
diff --git a/resources/v1.22.3/charts/base/templates/endpoints.yaml b/resources/v1.22.5/charts/base/templates/endpoints.yaml
similarity index 100%
rename from resources/v1.22.3/charts/base/templates/endpoints.yaml
rename to resources/v1.22.5/charts/base/templates/endpoints.yaml
diff --git a/resources/v1.22.3/charts/base/templates/reader-serviceaccount.yaml b/resources/v1.22.5/charts/base/templates/reader-serviceaccount.yaml
similarity index 100%
rename from resources/v1.22.3/charts/base/templates/reader-serviceaccount.yaml
rename to resources/v1.22.5/charts/base/templates/reader-serviceaccount.yaml
diff --git a/resources/v1.22.3/charts/base/templates/services.yaml b/resources/v1.22.5/charts/base/templates/services.yaml
similarity index 100%
rename from resources/v1.22.3/charts/base/templates/services.yaml
rename to resources/v1.22.5/charts/base/templates/services.yaml
diff --git a/resources/v1.22.3/charts/base/templates/validatingadmissionpolicy.yaml b/resources/v1.22.5/charts/base/templates/validatingadmissionpolicy.yaml similarity index 100% rename from resources/v1.22.3/charts/base/templates/validatingadmissionpolicy.yaml rename to resources/v1.22.5/charts/base/templates/validatingadmissionpolicy.yaml diff --git a/resources/v1.23.0/charts/base/templates/zzz_profile.yaml b/resources/v1.22.5/charts/base/templates/zzz_profile.yaml similarity index 100% rename from resources/v1.23.0/charts/base/templates/zzz_profile.yaml rename to resources/v1.22.5/charts/base/templates/zzz_profile.yaml diff --git a/resources/v1.22.3/charts/base/values.yaml b/resources/v1.22.5/charts/base/values.yaml similarity index 100% rename from resources/v1.22.3/charts/base/values.yaml rename to resources/v1.22.5/charts/base/values.yaml diff --git a/resources/v1.22.3/charts/cni/Chart.yaml b/resources/v1.22.5/charts/cni/Chart.yaml similarity index 85% rename from resources/v1.22.3/charts/cni/Chart.yaml rename to resources/v1.22.5/charts/cni/Chart.yaml index 990f1e4e3..ab2bf2a1b 100644 --- a/resources/v1.22.3/charts/cni/Chart.yaml +++ b/resources/v1.22.5/charts/cni/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v1 -appVersion: 1.22.3 +appVersion: 1.22.5 description: Helm chart for istio-cni components icon: https://istio.io/latest/favicons/android-192x192.png keywords: @@ -8,4 +8,4 @@ keywords: name: cni sources: - https://github.com/istio/istio -version: 1.22.3 +version: 1.22.5 diff --git a/resources/v1.22.3/charts/cni/README.md b/resources/v1.22.5/charts/cni/README.md similarity index 100% rename from resources/v1.22.3/charts/cni/README.md rename to resources/v1.22.5/charts/cni/README.md diff --git a/resources/v1.22.3/charts/cni/files/profile-ambient.yaml b/resources/v1.22.5/charts/cni/files/profile-ambient.yaml similarity index 100% rename from resources/v1.22.3/charts/cni/files/profile-ambient.yaml rename to resources/v1.22.5/charts/cni/files/profile-ambient.yaml 
diff --git a/resources/v1.22.3/charts/cni/files/profile-compatibility-version-1.20.yaml b/resources/v1.22.5/charts/cni/files/profile-compatibility-version-1.20.yaml similarity index 100% rename from resources/v1.22.3/charts/cni/files/profile-compatibility-version-1.20.yaml rename to resources/v1.22.5/charts/cni/files/profile-compatibility-version-1.20.yaml diff --git a/resources/v1.22.3/charts/gateway/files/profile-compatibility-version-1.21.yaml b/resources/v1.22.5/charts/cni/files/profile-compatibility-version-1.21.yaml similarity index 90% rename from resources/v1.22.3/charts/gateway/files/profile-compatibility-version-1.21.yaml rename to resources/v1.22.5/charts/cni/files/profile-compatibility-version-1.21.yaml index 808d224ed..a204a7ad4 100644 --- a/resources/v1.22.3/charts/gateway/files/profile-compatibility-version-1.21.yaml +++ b/resources/v1.22.5/charts/cni/files/profile-compatibility-version-1.21.yaml @@ -9,9 +9,9 @@ pilot: ENABLE_RESOLUTION_NONE_TARGET_PORT: "false" meshConfig: # 1.22 behavioral changes - proxyMetadata: - ISTIO_DELTA_XDS: "false" defaultConfig: + proxyMetadata: + ISTIO_DELTA_XDS: "false" tracing: zipkin: address: zipkin.istio-system:9411 diff --git a/resources/v1.22.3/charts/cni/files/profile-demo.yaml b/resources/v1.22.5/charts/cni/files/profile-demo.yaml similarity index 100% rename from resources/v1.22.3/charts/cni/files/profile-demo.yaml rename to resources/v1.22.5/charts/cni/files/profile-demo.yaml diff --git a/resources/v1.22.3/charts/cni/files/profile-openshift-ambient.yaml b/resources/v1.22.5/charts/cni/files/profile-openshift-ambient.yaml similarity index 100% rename from resources/v1.22.3/charts/cni/files/profile-openshift-ambient.yaml rename to resources/v1.22.5/charts/cni/files/profile-openshift-ambient.yaml 
diff --git a/resources/v1.22.3/charts/cni/files/profile-openshift.yaml b/resources/v1.22.5/charts/cni/files/profile-openshift.yaml
similarity index 100%
rename from resources/v1.22.3/charts/cni/files/profile-openshift.yaml
rename to resources/v1.22.5/charts/cni/files/profile-openshift.yaml
diff --git a/resources/v1.22.3/charts/base/files/profile-preview.yaml b/resources/v1.22.5/charts/cni/files/profile-preview.yaml
similarity index 100%
rename from resources/v1.22.3/charts/base/files/profile-preview.yaml
rename to resources/v1.22.5/charts/cni/files/profile-preview.yaml
diff --git a/resources/v1.22.3/charts/base/files/profile-stable.yaml b/resources/v1.22.5/charts/cni/files/profile-stable.yaml
similarity index 100%
rename from resources/v1.22.3/charts/base/files/profile-stable.yaml
rename to resources/v1.22.5/charts/cni/files/profile-stable.yaml
diff --git a/resources/v1.22.3/charts/cni/templates/NOTES.txt b/resources/v1.22.5/charts/cni/templates/NOTES.txt
similarity index 100%
rename from resources/v1.22.3/charts/cni/templates/NOTES.txt
rename to resources/v1.22.5/charts/cni/templates/NOTES.txt
diff --git a/resources/v1.22.3/charts/cni/templates/clusterrole.yaml b/resources/v1.22.5/charts/cni/templates/clusterrole.yaml
similarity index 100%
rename from resources/v1.22.3/charts/cni/templates/clusterrole.yaml
rename to resources/v1.22.5/charts/cni/templates/clusterrole.yaml
diff --git a/resources/v1.22.3/charts/cni/templates/clusterrolebinding.yaml b/resources/v1.22.5/charts/cni/templates/clusterrolebinding.yaml
similarity index 100%
rename from resources/v1.22.3/charts/cni/templates/clusterrolebinding.yaml
rename to resources/v1.22.5/charts/cni/templates/clusterrolebinding.yaml
diff --git a/resources/v1.22.3/charts/cni/templates/configmap-cni.yaml b/resources/v1.22.5/charts/cni/templates/configmap-cni.yaml
similarity index 100%
rename from resources/v1.22.3/charts/cni/templates/configmap-cni.yaml
rename to resources/v1.22.5/charts/cni/templates/configmap-cni.yaml
diff --git a/resources/v1.22.3/charts/cni/templates/daemonset.yaml b/resources/v1.22.5/charts/cni/templates/daemonset.yaml
similarity index 100%
rename from resources/v1.22.3/charts/cni/templates/daemonset.yaml
rename to resources/v1.22.5/charts/cni/templates/daemonset.yaml
diff --git a/resources/v1.22.3/charts/cni/templates/network-attachment-definition.yaml b/resources/v1.22.5/charts/cni/templates/network-attachment-definition.yaml
similarity index 100%
rename from resources/v1.22.3/charts/cni/templates/network-attachment-definition.yaml
rename to resources/v1.22.5/charts/cni/templates/network-attachment-definition.yaml
diff --git a/resources/v1.22.3/charts/cni/templates/resourcequota.yaml b/resources/v1.22.5/charts/cni/templates/resourcequota.yaml
similarity index 100%
rename from resources/v1.22.3/charts/cni/templates/resourcequota.yaml
rename to resources/v1.22.5/charts/cni/templates/resourcequota.yaml
diff --git a/resources/v1.22.3/charts/cni/templates/serviceaccount.yaml b/resources/v1.22.5/charts/cni/templates/serviceaccount.yaml
similarity index 100%
rename from resources/v1.22.3/charts/cni/templates/serviceaccount.yaml
rename to resources/v1.22.5/charts/cni/templates/serviceaccount.yaml
diff --git a/resources/v1.23.0/charts/cni/templates/zzz_profile.yaml b/resources/v1.22.5/charts/cni/templates/zzz_profile.yaml
similarity index 100%
rename from resources/v1.23.0/charts/cni/templates/zzz_profile.yaml
rename to resources/v1.22.5/charts/cni/templates/zzz_profile.yaml
diff --git a/resources/v1.22.3/charts/cni/values.yaml b/resources/v1.22.5/charts/cni/values.yaml
similarity index 99%
rename from resources/v1.22.3/charts/cni/values.yaml
rename to resources/v1.22.5/charts/cni/values.yaml
index f40a5f801..3c1031325 100644
--- a/resources/v1.22.3/charts/cni/values.yaml
+++ b/resources/v1.22.5/charts/cni/values.yaml
@@ -110,7 +110,7 @@ defaults: hub: docker.io/istio # Default tag for Istio images. - tag: 1.22.3 + tag: 1.22.5 # Variant of the image to use. # Currently supported are: [debug, distroless] diff --git a/resources/v1.23.0/charts/gateway/Chart.yaml b/resources/v1.22.5/charts/gateway/Chart.yaml similarity index 86% rename from resources/v1.23.0/charts/gateway/Chart.yaml rename to resources/v1.22.5/charts/gateway/Chart.yaml index e96b476bc..bd4020cd7 100644 --- a/resources/v1.23.0/charts/gateway/Chart.yaml +++ b/resources/v1.22.5/charts/gateway/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 1.23.0 +appVersion: 1.22.5 description: Helm chart for deploying Istio gateways icon: https://istio.io/latest/favicons/android-192x192.png keywords: @@ -9,4 +9,4 @@ name: gateway sources: - https://github.com/istio/istio type: application -version: 1.23.0 +version: 1.22.5 diff --git a/resources/v1.22.3/charts/gateway/README.md b/resources/v1.22.5/charts/gateway/README.md similarity index 100% rename from resources/v1.22.3/charts/gateway/README.md rename to resources/v1.22.5/charts/gateway/README.md diff --git a/resources/v1.22.3/charts/gateway/files/profile-ambient.yaml b/resources/v1.22.5/charts/gateway/files/profile-ambient.yaml similarity index 100% rename from resources/v1.22.3/charts/gateway/files/profile-ambient.yaml rename to resources/v1.22.5/charts/gateway/files/profile-ambient.yaml diff --git a/resources/v1.22.3/charts/gateway/files/profile-compatibility-version-1.20.yaml b/resources/v1.22.5/charts/gateway/files/profile-compatibility-version-1.20.yaml similarity index 100% rename from resources/v1.22.3/charts/gateway/files/profile-compatibility-version-1.20.yaml rename to resources/v1.22.5/charts/gateway/files/profile-compatibility-version-1.20.yaml 
diff --git a/resources/v1.22.3/charts/base/files/profile-compatibility-version-1.21.yaml b/resources/v1.22.5/charts/gateway/files/profile-compatibility-version-1.21.yaml similarity index 90% rename from resources/v1.22.3/charts/base/files/profile-compatibility-version-1.21.yaml rename to resources/v1.22.5/charts/gateway/files/profile-compatibility-version-1.21.yaml index 808d224ed..a204a7ad4 100644 --- a/resources/v1.22.3/charts/base/files/profile-compatibility-version-1.21.yaml +++ b/resources/v1.22.5/charts/gateway/files/profile-compatibility-version-1.21.yaml @@ -9,9 +9,9 @@ pilot: ENABLE_RESOLUTION_NONE_TARGET_PORT: "false" meshConfig: # 1.22 behavioral changes - proxyMetadata: - ISTIO_DELTA_XDS: "false" defaultConfig: + proxyMetadata: + ISTIO_DELTA_XDS: "false" tracing: zipkin: address: zipkin.istio-system:9411 diff --git a/resources/v1.22.3/charts/gateway/files/profile-demo.yaml b/resources/v1.22.5/charts/gateway/files/profile-demo.yaml similarity index 100% rename from resources/v1.22.3/charts/gateway/files/profile-demo.yaml rename to resources/v1.22.5/charts/gateway/files/profile-demo.yaml diff --git a/resources/v1.22.3/charts/gateway/files/profile-openshift-ambient.yaml b/resources/v1.22.5/charts/gateway/files/profile-openshift-ambient.yaml similarity index 100% rename from resources/v1.22.3/charts/gateway/files/profile-openshift-ambient.yaml rename to resources/v1.22.5/charts/gateway/files/profile-openshift-ambient.yaml diff --git a/resources/v1.22.3/charts/gateway/files/profile-openshift.yaml b/resources/v1.22.5/charts/gateway/files/profile-openshift.yaml similarity index 100% rename from resources/v1.22.3/charts/gateway/files/profile-openshift.yaml rename to resources/v1.22.5/charts/gateway/files/profile-openshift.yaml 
diff --git a/resources/v1.22.3/charts/cni/files/profile-preview.yaml b/resources/v1.22.5/charts/gateway/files/profile-preview.yaml
similarity index 100%
rename from resources/v1.22.3/charts/cni/files/profile-preview.yaml
rename to resources/v1.22.5/charts/gateway/files/profile-preview.yaml
diff --git a/resources/v1.22.3/charts/cni/files/profile-stable.yaml b/resources/v1.22.5/charts/gateway/files/profile-stable.yaml
similarity index 100%
rename from resources/v1.22.3/charts/cni/files/profile-stable.yaml
rename to resources/v1.22.5/charts/gateway/files/profile-stable.yaml
diff --git a/resources/v1.22.3/charts/gateway/templates/NOTES.txt b/resources/v1.22.5/charts/gateway/templates/NOTES.txt
similarity index 100%
rename from resources/v1.22.3/charts/gateway/templates/NOTES.txt
rename to resources/v1.22.5/charts/gateway/templates/NOTES.txt
diff --git a/resources/v1.22.3/charts/gateway/templates/_helpers.tpl b/resources/v1.22.5/charts/gateway/templates/_helpers.tpl
similarity index 100%
rename from resources/v1.22.3/charts/gateway/templates/_helpers.tpl
rename to resources/v1.22.5/charts/gateway/templates/_helpers.tpl
diff --git a/resources/v1.22.3/charts/gateway/templates/deployment.yaml b/resources/v1.22.5/charts/gateway/templates/deployment.yaml
similarity index 100%
rename from resources/v1.22.3/charts/gateway/templates/deployment.yaml
rename to resources/v1.22.5/charts/gateway/templates/deployment.yaml
diff --git a/resources/v1.22.3/charts/gateway/templates/hpa.yaml b/resources/v1.22.5/charts/gateway/templates/hpa.yaml
similarity index 100%
rename from resources/v1.22.3/charts/gateway/templates/hpa.yaml
rename to resources/v1.22.5/charts/gateway/templates/hpa.yaml
diff --git a/resources/v1.22.3/charts/gateway/templates/poddisruptionbudget.yaml b/resources/v1.22.5/charts/gateway/templates/poddisruptionbudget.yaml
similarity index 100%
rename from resources/v1.22.3/charts/gateway/templates/poddisruptionbudget.yaml
rename to resources/v1.22.5/charts/gateway/templates/poddisruptionbudget.yaml
diff --git a/resources/v1.22.3/charts/gateway/templates/role.yaml b/resources/v1.22.5/charts/gateway/templates/role.yaml
similarity index 100%
rename from resources/v1.22.3/charts/gateway/templates/role.yaml
rename to resources/v1.22.5/charts/gateway/templates/role.yaml
diff --git a/resources/v1.22.3/charts/gateway/templates/service.yaml b/resources/v1.22.5/charts/gateway/templates/service.yaml
similarity index 100%
rename from resources/v1.22.3/charts/gateway/templates/service.yaml
rename to resources/v1.22.5/charts/gateway/templates/service.yaml
diff --git a/resources/v1.22.3/charts/gateway/templates/serviceaccount.yaml b/resources/v1.22.5/charts/gateway/templates/serviceaccount.yaml
similarity index 100%
rename from resources/v1.22.3/charts/gateway/templates/serviceaccount.yaml
rename to resources/v1.22.5/charts/gateway/templates/serviceaccount.yaml
diff --git a/resources/v1.23.0/charts/gateway/templates/zzz_profile.yaml b/resources/v1.22.5/charts/gateway/templates/zzz_profile.yaml
similarity index 100%
rename from resources/v1.23.0/charts/gateway/templates/zzz_profile.yaml
rename to resources/v1.22.5/charts/gateway/templates/zzz_profile.yaml
diff --git a/resources/v1.23.0/charts/gateway/values.schema.json b/resources/v1.22.5/charts/gateway/values.schema.json
similarity index 100%
rename from resources/v1.23.0/charts/gateway/values.schema.json
rename to resources/v1.22.5/charts/gateway/values.schema.json
diff --git a/resources/v1.22.3/charts/gateway/values.yaml b/resources/v1.22.5/charts/gateway/values.yaml similarity index 100% rename from resources/v1.22.3/charts/gateway/values.yaml rename to resources/v1.22.5/charts/gateway/values.yaml diff --git a/resources/v1.22.3/charts/istiod/Chart.yaml b/resources/v1.22.5/charts/istiod/Chart.yaml similarity index 86% rename from resources/v1.22.3/charts/istiod/Chart.yaml rename to resources/v1.22.5/charts/istiod/Chart.yaml index 3cf7bd630..dc261d81a 100644 --- a/resources/v1.22.3/charts/istiod/Chart.yaml +++ b/resources/v1.22.5/charts/istiod/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v1 -appVersion: 1.22.3 +appVersion: 1.22.5 description: Helm chart for istio control plane icon: https://istio.io/latest/favicons/android-192x192.png keywords: @@ -9,4 +9,4 @@ keywords: name: istiod sources: - https://github.com/istio/istio -version: 1.22.3 +version: 1.22.5 diff --git a/resources/v1.22.3/charts/istiod/README.md b/resources/v1.22.5/charts/istiod/README.md similarity index 100% rename from resources/v1.22.3/charts/istiod/README.md rename to resources/v1.22.5/charts/istiod/README.md diff --git a/resources/v1.22.3/charts/istiod/files/gateway-injection-template.yaml b/resources/v1.22.5/charts/istiod/files/gateway-injection-template.yaml similarity index 100% rename from resources/v1.22.3/charts/istiod/files/gateway-injection-template.yaml rename to resources/v1.22.5/charts/istiod/files/gateway-injection-template.yaml diff --git a/resources/v1.22.3/charts/istiod/files/grpc-agent.yaml b/resources/v1.22.5/charts/istiod/files/grpc-agent.yaml similarity index 100% rename from resources/v1.22.3/charts/istiod/files/grpc-agent.yaml rename to resources/v1.22.5/charts/istiod/files/grpc-agent.yaml 
diff --git a/resources/v1.22.3/charts/istiod/files/grpc-simple.yaml b/resources/v1.22.5/charts/istiod/files/grpc-simple.yaml
similarity index 100%
rename from resources/v1.22.3/charts/istiod/files/grpc-simple.yaml
rename to resources/v1.22.5/charts/istiod/files/grpc-simple.yaml
diff --git a/resources/v1.22.3/charts/istiod/files/injection-template.yaml b/resources/v1.22.5/charts/istiod/files/injection-template.yaml
similarity index 100%
rename from resources/v1.22.3/charts/istiod/files/injection-template.yaml
rename to resources/v1.22.5/charts/istiod/files/injection-template.yaml
diff --git a/resources/v1.22.3/charts/istiod/files/kube-gateway.yaml b/resources/v1.22.5/charts/istiod/files/kube-gateway.yaml
similarity index 100%
rename from resources/v1.22.3/charts/istiod/files/kube-gateway.yaml
rename to resources/v1.22.5/charts/istiod/files/kube-gateway.yaml
diff --git a/resources/v1.22.3/charts/istiod/files/profile-ambient.yaml b/resources/v1.22.5/charts/istiod/files/profile-ambient.yaml
similarity index 100%
rename from resources/v1.22.3/charts/istiod/files/profile-ambient.yaml
rename to resources/v1.22.5/charts/istiod/files/profile-ambient.yaml
diff --git a/resources/v1.22.3/charts/istiod/files/profile-compatibility-version-1.20.yaml b/resources/v1.22.5/charts/istiod/files/profile-compatibility-version-1.20.yaml
similarity index 100%
rename from resources/v1.22.3/charts/istiod/files/profile-compatibility-version-1.20.yaml
rename to resources/v1.22.5/charts/istiod/files/profile-compatibility-version-1.20.yaml
diff --git a/resources/v1.22.3/charts/cni/files/profile-compatibility-version-1.21.yaml b/resources/v1.22.5/charts/istiod/files/profile-compatibility-version-1.21.yaml
similarity index 90%
rename from resources/v1.22.3/charts/cni/files/profile-compatibility-version-1.21.yaml
rename to resources/v1.22.5/charts/istiod/files/profile-compatibility-version-1.21.yaml
index 808d224ed..a204a7ad4 100644
--- a/resources/v1.22.3/charts/cni/files/profile-compatibility-version-1.21.yaml
+++ b/resources/v1.22.5/charts/istiod/files/profile-compatibility-version-1.21.yaml
@@ -9,9 +9,9 @@ pilot:
 ENABLE_RESOLUTION_NONE_TARGET_PORT: "false"
 meshConfig:
 # 1.22 behavioral changes
-proxyMetadata:
-ISTIO_DELTA_XDS: "false"
 defaultConfig:
+proxyMetadata:
+ISTIO_DELTA_XDS: "false"
 tracing:
 zipkin:
 address: zipkin.istio-system:9411
diff --git a/resources/v1.22.3/charts/istiod/files/profile-demo.yaml b/resources/v1.22.5/charts/istiod/files/profile-demo.yaml
similarity index 100%
rename from resources/v1.22.3/charts/istiod/files/profile-demo.yaml
rename to resources/v1.22.5/charts/istiod/files/profile-demo.yaml
diff --git a/resources/v1.22.3/charts/istiod/files/profile-openshift-ambient.yaml b/resources/v1.22.5/charts/istiod/files/profile-openshift-ambient.yaml
similarity index 100%
rename from resources/v1.22.3/charts/istiod/files/profile-openshift-ambient.yaml
rename to resources/v1.22.5/charts/istiod/files/profile-openshift-ambient.yaml
diff --git a/resources/v1.22.3/charts/istiod/files/profile-openshift.yaml b/resources/v1.22.5/charts/istiod/files/profile-openshift.yaml
similarity index 100%
rename from resources/v1.22.3/charts/istiod/files/profile-openshift.yaml
rename to resources/v1.22.5/charts/istiod/files/profile-openshift.yaml
diff --git a/resources/v1.22.3/charts/gateway/files/profile-preview.yaml b/resources/v1.22.5/charts/istiod/files/profile-preview.yaml
similarity index 100%
rename from resources/v1.22.3/charts/gateway/files/profile-preview.yaml
rename to resources/v1.22.5/charts/istiod/files/profile-preview.yaml
diff --git a/resources/v1.22.3/charts/gateway/files/profile-stable.yaml b/resources/v1.22.5/charts/istiod/files/profile-stable.yaml
similarity index 100%
rename from resources/v1.22.3/charts/gateway/files/profile-stable.yaml
rename to resources/v1.22.5/charts/istiod/files/profile-stable.yaml
diff --git a/resources/v1.22.3/charts/istiod/files/waypoint.yaml b/resources/v1.22.5/charts/istiod/files/waypoint.yaml
similarity index 100%
rename from resources/v1.22.3/charts/istiod/files/waypoint.yaml
rename to resources/v1.22.5/charts/istiod/files/waypoint.yaml
diff --git a/resources/v1.22.3/charts/istiod/templates/NOTES.txt b/resources/v1.22.5/charts/istiod/templates/NOTES.txt
similarity index 98%
rename from resources/v1.22.3/charts/istiod/templates/NOTES.txt
rename to resources/v1.22.5/charts/istiod/templates/NOTES.txt
index 0771b919d..1acb4dbf9 100644
--- a/resources/v1.22.3/charts/istiod/templates/NOTES.txt
+++ b/resources/v1.22.5/charts/istiod/templates/NOTES.txt
@@ -5,7 +5,8 @@ To learn more about the release, try:
 $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }}
 
 Next steps:
-{{- if (eq .Values.profile "ambient") }}
+{{- $profile := default "" .Values.profile }}
+{{- if (eq $profile "ambient") }}
 * Get started with ambient: https://istio.io/latest/docs/ops/ambient/getting-started/
 * Review ambient's architecture: https://istio.io/latest/docs/ops/ambient/architecture/
 {{- else }}
diff --git a/resources/v1.22.3/charts/istiod/templates/_helpers.tpl b/resources/v1.22.5/charts/istiod/templates/_helpers.tpl
similarity index 100%
rename from resources/v1.22.3/charts/istiod/templates/_helpers.tpl
rename to resources/v1.22.5/charts/istiod/templates/_helpers.tpl
diff --git a/resources/v1.22.3/charts/istiod/templates/autoscale.yaml b/resources/v1.22.5/charts/istiod/templates/autoscale.yaml
similarity index 100%
rename from resources/v1.22.3/charts/istiod/templates/autoscale.yaml
rename to resources/v1.22.5/charts/istiod/templates/autoscale.yaml
diff --git a/resources/v1.22.3/charts/istiod/templates/clusterrole.yaml b/resources/v1.22.5/charts/istiod/templates/clusterrole.yaml
similarity index 100%
rename from resources/v1.22.3/charts/istiod/templates/clusterrole.yaml
rename to resources/v1.22.5/charts/istiod/templates/clusterrole.yaml
diff --git a/resources/v1.22.3/charts/istiod/templates/clusterrolebinding.yaml b/resources/v1.22.5/charts/istiod/templates/clusterrolebinding.yaml
similarity index 100%
rename from resources/v1.22.3/charts/istiod/templates/clusterrolebinding.yaml
rename to resources/v1.22.5/charts/istiod/templates/clusterrolebinding.yaml
diff --git a/resources/v1.22.3/charts/istiod/templates/configmap-jwks.yaml b/resources/v1.22.5/charts/istiod/templates/configmap-jwks.yaml
similarity index 100%
rename from resources/v1.22.3/charts/istiod/templates/configmap-jwks.yaml
rename to resources/v1.22.5/charts/istiod/templates/configmap-jwks.yaml
diff --git a/resources/v1.22.3/charts/istiod/templates/configmap.yaml b/resources/v1.22.5/charts/istiod/templates/configmap.yaml
similarity index 100%
rename from resources/v1.22.3/charts/istiod/templates/configmap.yaml
rename to resources/v1.22.5/charts/istiod/templates/configmap.yaml
diff --git a/resources/v1.22.3/charts/istiod/templates/deployment.yaml b/resources/v1.22.5/charts/istiod/templates/deployment.yaml
similarity index 100%
rename from resources/v1.22.3/charts/istiod/templates/deployment.yaml
rename to resources/v1.22.5/charts/istiod/templates/deployment.yaml
diff --git a/resources/v1.22.3/charts/istiod/templates/istiod-injector-configmap.yaml b/resources/v1.22.5/charts/istiod/templates/istiod-injector-configmap.yaml
similarity index 100%
rename from resources/v1.22.3/charts/istiod/templates/istiod-injector-configmap.yaml
rename to resources/v1.22.5/charts/istiod/templates/istiod-injector-configmap.yaml
diff --git a/resources/v1.22.3/charts/istiod/templates/mutatingwebhook.yaml b/resources/v1.22.5/charts/istiod/templates/mutatingwebhook.yaml
similarity index 100%
rename from resources/v1.22.3/charts/istiod/templates/mutatingwebhook.yaml
rename to resources/v1.22.5/charts/istiod/templates/mutatingwebhook.yaml
diff --git a/resources/v1.22.3/charts/istiod/templates/poddisruptionbudget.yaml b/resources/v1.22.5/charts/istiod/templates/poddisruptionbudget.yaml
similarity index 100%
rename from resources/v1.22.3/charts/istiod/templates/poddisruptionbudget.yaml
rename to resources/v1.22.5/charts/istiod/templates/poddisruptionbudget.yaml
diff --git a/resources/v1.22.3/charts/istiod/templates/reader-clusterrole.yaml b/resources/v1.22.5/charts/istiod/templates/reader-clusterrole.yaml
similarity index 100%
rename from resources/v1.22.3/charts/istiod/templates/reader-clusterrole.yaml
rename to resources/v1.22.5/charts/istiod/templates/reader-clusterrole.yaml
diff --git a/resources/v1.22.3/charts/istiod/templates/reader-clusterrolebinding.yaml b/resources/v1.22.5/charts/istiod/templates/reader-clusterrolebinding.yaml
similarity index 100%
rename from resources/v1.22.3/charts/istiod/templates/reader-clusterrolebinding.yaml
rename to resources/v1.22.5/charts/istiod/templates/reader-clusterrolebinding.yaml
diff --git a/resources/v1.22.3/charts/istiod/templates/revision-tags.yaml b/resources/v1.22.5/charts/istiod/templates/revision-tags.yaml
similarity index 100%
rename from resources/v1.22.3/charts/istiod/templates/revision-tags.yaml
rename to resources/v1.22.5/charts/istiod/templates/revision-tags.yaml
diff --git a/resources/v1.22.3/charts/istiod/templates/role.yaml b/resources/v1.22.5/charts/istiod/templates/role.yaml
similarity index 100%
rename from resources/v1.22.3/charts/istiod/templates/role.yaml
rename to resources/v1.22.5/charts/istiod/templates/role.yaml
diff --git a/resources/v1.22.3/charts/istiod/templates/rolebinding.yaml b/resources/v1.22.5/charts/istiod/templates/rolebinding.yaml
similarity index 100%
rename from resources/v1.22.3/charts/istiod/templates/rolebinding.yaml
rename to resources/v1.22.5/charts/istiod/templates/rolebinding.yaml
diff --git a/resources/v1.22.3/charts/istiod/templates/service.yaml b/resources/v1.22.5/charts/istiod/templates/service.yaml
similarity index 100%
rename from resources/v1.22.3/charts/istiod/templates/service.yaml
rename to resources/v1.22.5/charts/istiod/templates/service.yaml
diff --git a/resources/v1.22.3/charts/istiod/templates/serviceaccount.yaml b/resources/v1.22.5/charts/istiod/templates/serviceaccount.yaml
similarity index 100%
rename from resources/v1.22.3/charts/istiod/templates/serviceaccount.yaml
rename to resources/v1.22.5/charts/istiod/templates/serviceaccount.yaml
diff --git a/resources/v1.22.3/charts/istiod/templates/validatingadmissionpolicy.yaml b/resources/v1.22.5/charts/istiod/templates/validatingadmissionpolicy.yaml
similarity index 100%
rename from resources/v1.22.3/charts/istiod/templates/validatingadmissionpolicy.yaml
rename to resources/v1.22.5/charts/istiod/templates/validatingadmissionpolicy.yaml
diff --git a/resources/v1.22.3/charts/istiod/templates/validatingwebhookconfiguration.yaml b/resources/v1.22.5/charts/istiod/templates/validatingwebhookconfiguration.yaml
similarity index 100%
rename from resources/v1.22.3/charts/istiod/templates/validatingwebhookconfiguration.yaml
rename to resources/v1.22.5/charts/istiod/templates/validatingwebhookconfiguration.yaml
diff --git a/resources/v1.23.0/charts/istiod-remote/templates/zzz_profile.yaml b/resources/v1.22.5/charts/istiod/templates/zzz_profile.yaml
similarity index 100%
rename from resources/v1.23.0/charts/istiod-remote/templates/zzz_profile.yaml
rename to resources/v1.22.5/charts/istiod/templates/zzz_profile.yaml
diff --git a/resources/v1.22.3/charts/istiod/values.yaml b/resources/v1.22.5/charts/istiod/values.yaml
similarity index 99%
rename from resources/v1.22.3/charts/istiod/values.yaml
rename to resources/v1.22.5/charts/istiod/values.yaml
index cde10002b..1eff1e7b3 100644
--- a/resources/v1.22.3/charts/istiod/values.yaml
+++ b/resources/v1.22.5/charts/istiod/values.yaml
@@ -234,7 +234,7 @@ defaults:
 # Dev builds from prow are on gcr.io
 hub: docker.io/istio
 # Default tag for Istio images.
-tag: 1.22.3
+tag: 1.22.5
 # Variant of the image to use.
 # Currently supported are: [debug, distroless]
 variant: ""
diff --git a/resources/v1.21.5/charts/ztunnel/Chart.yaml b/resources/v1.22.5/charts/ztunnel/Chart.yaml
similarity index 86%
rename from resources/v1.21.5/charts/ztunnel/Chart.yaml
rename to resources/v1.22.5/charts/ztunnel/Chart.yaml
index 39c53c819..a4ad01f5c 100644
--- a/resources/v1.21.5/charts/ztunnel/Chart.yaml
+++ b/resources/v1.22.5/charts/ztunnel/Chart.yaml
@@ -1,5 +1,5 @@
 apiVersion: v1
-appVersion: 1.21.5
+appVersion: 1.22.5
 description: Helm chart for istio ztunnel components
 icon: https://istio.io/latest/favicons/android-192x192.png
 keywords:
@@ -8,4 +8,4 @@ keywords:
 name: ztunnel
 sources:
 - https://github.com/istio/istio
-version: 1.21.5
+version: 1.22.5
diff --git a/resources/v1.22.3/charts/ztunnel/README.md b/resources/v1.22.5/charts/ztunnel/README.md
similarity index 100%
rename from resources/v1.22.3/charts/ztunnel/README.md
rename to resources/v1.22.5/charts/ztunnel/README.md
diff --git a/resources/v1.22.3/charts/ztunnel/files/profile-ambient.yaml b/resources/v1.22.5/charts/ztunnel/files/profile-ambient.yaml
similarity index 100%
rename from resources/v1.22.3/charts/ztunnel/files/profile-ambient.yaml
rename to resources/v1.22.5/charts/ztunnel/files/profile-ambient.yaml
diff --git a/resources/v1.22.3/charts/ztunnel/files/profile-compatibility-version-1.20.yaml b/resources/v1.22.5/charts/ztunnel/files/profile-compatibility-version-1.20.yaml
similarity index 100%
rename from resources/v1.22.3/charts/ztunnel/files/profile-compatibility-version-1.20.yaml
rename to resources/v1.22.5/charts/ztunnel/files/profile-compatibility-version-1.20.yaml
diff --git a/resources/v1.22.5/charts/ztunnel/files/profile-compatibility-version-1.21.yaml b/resources/v1.22.5/charts/ztunnel/files/profile-compatibility-version-1.21.yaml
new file mode 100644
index 000000000..a204a7ad4
--- /dev/null
+++ b/resources/v1.22.5/charts/ztunnel/files/profile-compatibility-version-1.21.yaml
@@ -0,0 +1,17 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+env:
+# 1.22 behavioral changes
+ENABLE_ENHANCED_RESOURCE_SCOPING: "false"
+ENABLE_RESOLUTION_NONE_TARGET_PORT: "false"
+meshConfig:
+# 1.22 behavioral changes
+defaultConfig:
+proxyMetadata:
+ISTIO_DELTA_XDS: "false"
+tracing:
+zipkin:
+address: zipkin.istio-system:9411
diff --git a/resources/v1.22.3/charts/ztunnel/files/profile-demo.yaml b/resources/v1.22.5/charts/ztunnel/files/profile-demo.yaml
similarity index 100%
rename from resources/v1.22.3/charts/ztunnel/files/profile-demo.yaml
rename to resources/v1.22.5/charts/ztunnel/files/profile-demo.yaml
diff --git a/resources/v1.22.3/charts/ztunnel/files/profile-openshift-ambient.yaml b/resources/v1.22.5/charts/ztunnel/files/profile-openshift-ambient.yaml
similarity index 100%
rename from resources/v1.22.3/charts/ztunnel/files/profile-openshift-ambient.yaml
rename to resources/v1.22.5/charts/ztunnel/files/profile-openshift-ambient.yaml
diff --git a/resources/v1.22.3/charts/ztunnel/files/profile-openshift.yaml b/resources/v1.22.5/charts/ztunnel/files/profile-openshift.yaml
similarity index 100%
rename from resources/v1.22.3/charts/ztunnel/files/profile-openshift.yaml
rename to resources/v1.22.5/charts/ztunnel/files/profile-openshift.yaml
diff --git a/resources/v1.22.3/charts/istiod/files/profile-preview.yaml b/resources/v1.22.5/charts/ztunnel/files/profile-preview.yaml
similarity index 100%
rename from resources/v1.22.3/charts/istiod/files/profile-preview.yaml
rename to resources/v1.22.5/charts/ztunnel/files/profile-preview.yaml
diff --git a/resources/v1.22.3/charts/istiod/files/profile-stable.yaml b/resources/v1.22.5/charts/ztunnel/files/profile-stable.yaml
similarity index 100%
rename from resources/v1.22.3/charts/istiod/files/profile-stable.yaml
rename to resources/v1.22.5/charts/ztunnel/files/profile-stable.yaml
diff --git a/resources/v1.22.3/charts/ztunnel/templates/NOTES.txt b/resources/v1.22.5/charts/ztunnel/templates/NOTES.txt
similarity index 100%
rename from resources/v1.22.3/charts/ztunnel/templates/NOTES.txt
rename to resources/v1.22.5/charts/ztunnel/templates/NOTES.txt
diff --git a/resources/latest/charts/ztunnel/templates/_helpers.tpl b/resources/v1.22.5/charts/ztunnel/templates/_helpers.tpl
similarity index 100%
rename from resources/latest/charts/ztunnel/templates/_helpers.tpl
rename to resources/v1.22.5/charts/ztunnel/templates/_helpers.tpl
diff --git a/resources/v1.22.3/charts/ztunnel/templates/daemonset.yaml b/resources/v1.22.5/charts/ztunnel/templates/daemonset.yaml
similarity index 98%
rename from resources/v1.22.3/charts/ztunnel/templates/daemonset.yaml
rename to resources/v1.22.5/charts/ztunnel/templates/daemonset.yaml
index 5d600d3cc..f83c36dfa 100644
--- a/resources/v1.22.3/charts/ztunnel/templates/daemonset.yaml
+++ b/resources/v1.22.5/charts/ztunnel/templates/daemonset.yaml
@@ -4,7 +4,8 @@ metadata:
 name: ztunnel
 namespace: {{ .Release.Namespace }}
 labels:
-{{- .Values.labels | toYaml | nindent 4}}
+{{- template "istio-labels" -}}
+{{ with .Values.labels -}}{{ toYaml . | nindent 4}}{{ end }}
 annotations:
 {{- .Values.annotations | toYaml | nindent 4 }}
 spec:
diff --git a/resources/v1.22.3/charts/ztunnel/templates/rbac.yaml b/resources/v1.22.5/charts/ztunnel/templates/rbac.yaml
similarity index 93%
rename from resources/v1.22.3/charts/ztunnel/templates/rbac.yaml
rename to resources/v1.22.5/charts/ztunnel/templates/rbac.yaml
index 9583b200e..f332898e1 100644
--- a/resources/v1.22.3/charts/ztunnel/templates/rbac.yaml
+++ b/resources/v1.22.5/charts/ztunnel/templates/rbac.yaml
@@ -10,7 +10,8 @@ metadata:
 name: ztunnel
 namespace: {{ .Release.Namespace }}
 labels:
-{{- .Values.labels | toYaml | nindent 4}}
+{{- template "istio-labels" -}}
+{{ with .Values.labels -}}{{ toYaml . | nindent 4}}{{ end }}
 annotations:
 {{- .Values.annotations | toYaml | nindent 4 }}
 ---
diff --git a/resources/v1.23.0/charts/ztunnel/templates/zzz_profile.yaml b/resources/v1.22.5/charts/ztunnel/templates/zzz_profile.yaml
similarity index 100%
rename from resources/v1.23.0/charts/ztunnel/templates/zzz_profile.yaml
rename to resources/v1.22.5/charts/ztunnel/templates/zzz_profile.yaml
diff --git a/resources/v1.22.3/charts/ztunnel/values.yaml b/resources/v1.22.5/charts/ztunnel/values.yaml
similarity index 99%
rename from resources/v1.22.3/charts/ztunnel/values.yaml
rename to resources/v1.22.5/charts/ztunnel/values.yaml
index 1e51bdb60..d45fcf86c 100644
--- a/resources/v1.22.3/charts/ztunnel/values.yaml
+++ b/resources/v1.22.5/charts/ztunnel/values.yaml
@@ -2,7 +2,7 @@ defaults:
 # Hub to pull from. Image will be `Hub/Image:Tag-Variant`
 hub: docker.io/istio
 # Tag to pull from. Image will be `Hub/Image:Tag-Variant`
-tag: 1.22.3
+tag: 1.22.5
 # Variant to pull. Options are "debug" or "distroless". Unset will use the default for the given version.
 variant: ""
diff --git a/resources/v1.22.3/profiles/ambient.yaml b/resources/v1.22.5/profiles/ambient.yaml
similarity index 100%
rename from resources/v1.22.3/profiles/ambient.yaml
rename to resources/v1.22.5/profiles/ambient.yaml
diff --git a/resources/v1.22.3/profiles/default.yaml b/resources/v1.22.5/profiles/default.yaml
similarity index 100%
rename from resources/v1.22.3/profiles/default.yaml
rename to resources/v1.22.5/profiles/default.yaml
diff --git a/resources/v1.22.3/profiles/demo.yaml b/resources/v1.22.5/profiles/demo.yaml
similarity index 100%
rename from resources/v1.22.3/profiles/demo.yaml
rename to resources/v1.22.5/profiles/demo.yaml
diff --git a/resources/v1.22.3/profiles/empty.yaml b/resources/v1.22.5/profiles/empty.yaml
similarity index 100%
rename from resources/v1.22.3/profiles/empty.yaml
rename to resources/v1.22.5/profiles/empty.yaml
diff --git a/resources/v1.22.3/profiles/openshift-ambient.yaml b/resources/v1.22.5/profiles/openshift-ambient.yaml
similarity index 100%
rename from resources/v1.22.3/profiles/openshift-ambient.yaml
rename to resources/v1.22.5/profiles/openshift-ambient.yaml
diff --git a/resources/v1.22.3/profiles/openshift.yaml b/resources/v1.22.5/profiles/openshift.yaml
similarity index 100%
rename from resources/v1.22.3/profiles/openshift.yaml
rename to resources/v1.22.5/profiles/openshift.yaml
diff --git a/resources/v1.22.3/profiles/preview.yaml b/resources/v1.22.5/profiles/preview.yaml
similarity index 100%
rename from resources/v1.22.3/profiles/preview.yaml
rename to resources/v1.22.5/profiles/preview.yaml
diff --git a/resources/v1.22.3/profiles/stable.yaml b/resources/v1.22.5/profiles/stable.yaml
similarity index 100%
rename from resources/v1.22.3/profiles/stable.yaml
rename to resources/v1.22.5/profiles/stable.yaml
diff --git a/resources/v1.23.0/charts/istiod-remote/NOTES.txt b/resources/v1.23.0/charts/istiod-remote/NOTES.txt
deleted file mode 100644
index 0230b6f86..000000000
--- a/resources/v1.23.0/charts/istiod-remote/NOTES.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Install for a remote cluster using an external control plane.
-
-The templates in this directory are copies of base and istio-discovery templates.
-DO NOT EDIT! Make changes in the corresponding files in base or istio-discovery and they will be copied here by make gen.
diff --git a/resources/v1.23.0/charts/istiod/files/gateway-injection-template.yaml b/resources/v1.23.0/charts/istiod/files/gateway-injection-template.yaml
deleted file mode 100644
index 97ffb71f2..000000000
--- a/resources/v1.23.0/charts/istiod/files/gateway-injection-template.yaml
+++ /dev/null
@@ -1,250 +0,0 @@ -{{- $containers := list }} -{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} -metadata: - labels: - service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }} - service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} - annotations: { - istio.io/rev: {{ .Revision | default "default" | quote }}, - {{- if eq (len $containers) 1 }} - kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", - kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", - {{ end }} - } -spec: - securityContext: - {{- if .Values.gateways.securityContext }} - {{- toYaml .Values.gateways.securityContext | nindent 4 }} - {{- else }} - sysctls: - - name: net.ipv4.ip_unprivileged_port_start - value: "0" - {{- end }} - containers: - - name: istio-proxy - {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" - {{- else }} - image: "{{ .ProxyImage }}" - {{- end }} - ports: - - containerPort: 15090 - protocol: TCP - name: http-envoy-prom - args: - - proxy - - router - - --domain - - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} - - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} - - --log_output_level={{ annotation 
.ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} - {{- if .Values.global.sts.servicePort }} - - --stsPort={{ .Values.global.sts.servicePort }} - {{- end }} - {{- if .Values.global.logAsJson }} - - --log_as_json - {{- end }} - {{- if .Values.global.proxy.lifecycle }} - lifecycle: - {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} - {{- end }} - securityContext: - runAsUser: {{ .ProxyUID | default "1337" }} - runAsGroup: {{ .ProxyGID | default "1337" }} - env: - - name: PILOT_CERT_PROVIDER - value: {{ .Values.global.pilotCertProvider }} - - name: CA_ADDR - {{- if .Values.global.caAddress }} - value: {{ .Values.global.caAddress }} - {{- else }} - value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 - {{- end }} - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: HOST_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: ISTIO_CPU_LIMIT - valueFrom: - resourceFieldRef: - resource: limits.cpu - - name: PROXY_CONFIG - value: | - {{ protoToJSON .ProxyConfig }} - - name: ISTIO_META_POD_PORTS - value: |- - [ - {{- $first := true }} - {{- range $index1, $c := .Spec.Containers }} - {{- range $index2, $p := $c.Ports }} - {{- if (structToJSON $p) }} - {{if not $first}},{{end}}{{ structToJSON $p }} - {{- $first = false }} - {{- end }} - {{- end}} - {{- end}} - ] - - name: GOMEMLIMIT - valueFrom: - resourceFieldRef: - resource: limits.memory - - name: GOMAXPROCS - valueFrom: - resourceFieldRef: - resource: limits.cpu - {{- if .CompliancePolicy }} - - name: COMPLIANCE_POLICY - value: "{{ .CompliancePolicy }}" - {{- end }} - - name: ISTIO_META_APP_CONTAINERS - value: "{{ $containers | join "," 
}}" - - name: ISTIO_META_CLUSTER_ID - value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" - - name: ISTIO_META_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: ISTIO_META_INTERCEPTION_MODE - value: "{{ .ProxyConfig.InterceptionMode.String }}" - {{- if .Values.global.network }} - - name: ISTIO_META_NETWORK - value: "{{ .Values.global.network }}" - {{- end }} - {{- if .DeploymentMeta.Name }} - - name: ISTIO_META_WORKLOAD_NAME - value: "{{ .DeploymentMeta.Name }}" - {{ end }} - {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} - - name: ISTIO_META_OWNER - value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} - {{- end}} - {{- if .Values.global.meshID }} - - name: ISTIO_META_MESH_ID - value: "{{ .Values.global.meshID }}" - {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: ISTIO_META_MESH_ID - value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" - {{- end }} - {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: TRUST_DOMAIN - value: "{{ . 
}}" - {{- end }} - {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - readinessProbe: - httpGet: - path: /healthz/ready - port: 15021 - initialDelaySeconds: {{.Values.global.proxy.readinessInitialDelaySeconds }} - periodSeconds: {{ .Values.global.proxy.readinessPeriodSeconds }} - timeoutSeconds: 3 - failureThreshold: {{ .Values.global.proxy.readinessFailureThreshold }} - volumeMounts: - - name: workload-socket - mountPath: /var/run/secrets/workload-spiffe-uds - - name: credential-socket - mountPath: /var/run/secrets/credential-uds - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - mountPath: /var/run/secrets/workload-spiffe-credentials - readOnly: true - {{- else }} - - name: workload-certs - mountPath: /var/run/secrets/workload-spiffe-credentials - {{- end }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - mountPath: /var/run/secrets/istio - name: istiod-ca-cert - {{- end }} - - mountPath: /var/lib/istio/data - name: istio-data - # SDS channel between istioagent and Envoy - - mountPath: /etc/istio/proxy - name: istio-envoy - - mountPath: /var/run/secrets/tokens - name: istio-token - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. 
- - mountPath: /etc/certs/ - name: istio-certs - readOnly: true - {{- end }} - - name: istio-podinfo - mountPath: /etc/istio/pod - volumes: - - emptyDir: {} - name: workload-socket - - emptyDir: {} - name: credential-socket - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - csi: - driver: workloadcertificates.security.cloud.google.com - {{- else}} - - emptyDir: {} - name: workload-certs - {{- end }} - # SDS channel between istioagent and Envoy - - emptyDir: - medium: Memory - name: istio-envoy - - name: istio-data - emptyDir: {} - - name: istio-podinfo - downwardAPI: - items: - - path: "labels" - fieldRef: - fieldPath: metadata.labels - - path: "annotations" - fieldRef: - fieldPath: metadata.annotations - - name: istio-token - projected: - sources: - - serviceAccountToken: - path: istio-token - expirationSeconds: 43200 - audience: {{ .Values.global.sds.token.aud }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - name: istiod-ca-cert - configMap: - name: istio-ca-root-cert - {{- end }} - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - - name: istio-certs - secret: - optional: true - {{ if eq .Spec.ServiceAccountName "" }} - secretName: istio.default - {{ else -}} - secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} - {{ end -}} - {{- end }} - {{- if .Values.global.imagePullSecrets }} - imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . }} - {{- end }} - {{- end }} diff --git a/resources/v1.23.0/charts/istiod/files/profile-compatibility-version-1.21.yaml b/resources/v1.23.0/charts/istiod/files/profile-compatibility-version-1.21.yaml deleted file mode 100644 index 292f60742..000000000 --- a/resources/v1.23.0/charts/istiod/files/profile-compatibility-version-1.21.yaml +++ /dev/null 
@@ -1,19 +0,0 @@
-# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
-# The original version of this file is located at /manifests/helm-profiles directory.
-# If you want to make a change in this file, edit the original one and run "make gen".
-
-pilot:
-env:
-# 1.22 behavioral changes
-ENABLE_ENHANCED_RESOURCE_SCOPING: "false"
-ENABLE_RESOLUTION_NONE_TARGET_PORT: "false"
-meshConfig:
-# 1.22 behavioral changes
-defaultConfig:
-proxyMetadata:
-ISTIO_DELTA_XDS: "false"
-# 1.23 behavioral changes
-ENABLE_DELIMITED_STATS_TAG_REGEX: "false"
-tracing:
-zipkin:
-address: zipkin.istio-system:9411
diff --git a/resources/v1.23.0/charts/istiod/files/profile-compatibility-version-1.22.yaml b/resources/v1.23.0/charts/istiod/files/profile-compatibility-version-1.22.yaml
deleted file mode 100644
index 16a7e6481..000000000
--- a/resources/v1.23.0/charts/istiod/files/profile-compatibility-version-1.22.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
-# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
-# The original version of this file is located at /manifests/helm-profiles directory.
-# If you want to make a change in this file, edit the original one and run "make gen".
-
-meshConfig:
-defaultConfig:
-proxyMetadata:
-# 1.22 behavioral changes
-ENABLE_DEFERRED_CLUSTER_CREATION: "false"
-# 1.23 behavioral changes
-ENABLE_DELIMITED_STATS_TAG_REGEX": "false"
diff --git a/resources/v1.23.0/charts/ztunnel/files/profile-compatibility-version-1.21.yaml b/resources/v1.23.0/charts/ztunnel/files/profile-compatibility-version-1.21.yaml
deleted file mode 100644
index 292f60742..000000000
--- a/resources/v1.23.0/charts/ztunnel/files/profile-compatibility-version-1.21.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
-# The original version of this file is located at /manifests/helm-profiles directory.
-# If you want to make a change in this file, edit the original one and run "make gen".
-
-pilot:
-env:
-# 1.22 behavioral changes
-ENABLE_ENHANCED_RESOURCE_SCOPING: "false"
-ENABLE_RESOLUTION_NONE_TARGET_PORT: "false"
-meshConfig:
-# 1.22 behavioral changes
-defaultConfig:
-proxyMetadata:
-ISTIO_DELTA_XDS: "false"
-# 1.23 behavioral changes
-ENABLE_DELIMITED_STATS_TAG_REGEX: "false"
-tracing:
-zipkin:
-address: zipkin.istio-system:9411
diff --git a/resources/v1.23.0/charts/ztunnel/files/profile-compatibility-version-1.22.yaml b/resources/v1.23.0/charts/ztunnel/files/profile-compatibility-version-1.22.yaml
deleted file mode 100644
index 16a7e6481..000000000
--- a/resources/v1.23.0/charts/ztunnel/files/profile-compatibility-version-1.22.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
-# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
-# The original version of this file is located at /manifests/helm-profiles directory.
-# If you want to make a change in this file, edit the original one and run "make gen".
-
-meshConfig:
-defaultConfig:
-proxyMetadata:
-# 1.22 behavioral changes
-ENABLE_DEFERRED_CLUSTER_CREATION: "false"
-# 1.23 behavioral changes
-ENABLE_DELIMITED_STATS_TAG_REGEX": "false"
diff --git a/resources/v1.23.0/charts/ztunnel/files/profile-preview.yaml b/resources/v1.23.0/charts/ztunnel/files/profile-preview.yaml
deleted file mode 100644
index 181d7bda2..000000000
--- a/resources/v1.23.0/charts/ztunnel/files/profile-preview.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
-# The original version of this file is located at /manifests/helm-profiles directory.
-# If you want to make a change in this file, edit the original one and run "make gen".
-
-# The preview profile contains features that are experimental.
-# This is intended to explore new features coming to Istio.
-# Stability, security, and performance are not guaranteed - use at your own risk.
-meshConfig:
-defaultConfig:
-proxyMetadata:
-# Enable Istio agent to handle DNS requests for known hosts
-# Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf
-ISTIO_META_DNS_CAPTURE: "true"
diff --git a/resources/v1.23.0/charts/ztunnel/files/profile-stable.yaml b/resources/v1.23.0/charts/ztunnel/files/profile-stable.yaml
deleted file mode 100644
index 358282e69..000000000
--- a/resources/v1.23.0/charts/ztunnel/files/profile-stable.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
-# The original version of this file is located at /manifests/helm-profiles directory.
-# If you want to make a change in this file, edit the original one and run "make gen".
-
-# The stable profile deploys admission control to ensure that only stable resources and fields are used
-# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE
-experimental:
-stableValidationPolicy: true
diff --git a/resources/v1.23.0/charts/base/Chart.yaml b/resources/v1.23.2/charts/base/Chart.yaml
similarity index 86%
rename from resources/v1.23.0/charts/base/Chart.yaml
rename to resources/v1.23.2/charts/base/Chart.yaml
index a09228e65..ad303d352 100644
--- a/resources/v1.23.0/charts/base/Chart.yaml
+++ b/resources/v1.23.2/charts/base/Chart.yaml
@@ -1,5 +1,5 @@
 apiVersion: v2
-appVersion: 1.23.0
+appVersion: 1.23.2
 description: Helm chart for deploying Istio cluster resources and CRDs
 icon: https://istio.io/latest/favicons/android-192x192.png
 keywords:
@@ -7,4 +7,4 @@ keywords: name: base sources: - https://github.com/istio/istio -version: 1.23.0 +version: 1.23.2 diff --git a/resources/v1.23.0/charts/base/README.md b/resources/v1.23.2/charts/base/README.md similarity index 100% rename from resources/v1.23.0/charts/base/README.md rename to resources/v1.23.2/charts/base/README.md diff --git a/resources/v1.23.0/charts/base/crds/crd-all.gen.yaml b/resources/v1.23.2/charts/base/crds/crd-all.gen.yaml similarity index 99% rename from resources/v1.23.0/charts/base/crds/crd-all.gen.yaml rename to resources/v1.23.2/charts/base/crds/crd-all.gen.yaml index 5efc8b4a5..2f3d6a4b0 100644 --- a/resources/v1.23.0/charts/base/crds/crd-all.gen.yaml +++ b/resources/v1.23.2/charts/base/crds/crd-all.gen.yaml @@ -11895,8 +11895,6 @@ spec: type: integer type: object x-kubernetes-validations: - - message: Address is required - rule: has(self.address) || has(self.network) - message: UDS may not include ports rule: '(has(self.address) && self.address.startsWith(''unix://'')) ? !has(self.ports) : true' @@ -12093,8 +12091,6 @@ spec: type: integer type: object x-kubernetes-validations: - - message: Address is required - rule: has(self.address) || has(self.network) - message: UDS may not include ports rule: '(has(self.address) && self.address.startsWith(''unix://'')) ? !has(self.ports) : true' @@ -12291,8 +12287,6 @@ spec: type: integer type: object x-kubernetes-validations: - - message: Address is required - rule: has(self.address) || has(self.network) - message: UDS may not include ports rule: '(has(self.address) && self.address.startsWith(''unix://'')) ? !has(self.ports) : true' diff --git a/resources/v1.23.0/charts/base/files/profile-ambient.yaml b/resources/v1.23.2/charts/base/files/profile-ambient.yaml similarity index 100% rename from resources/v1.23.0/charts/base/files/profile-ambient.yaml rename to resources/v1.23.2/charts/base/files/profile-ambient.yaml 
diff --git a/resources/v1.23.0/charts/base/files/profile-compatibility-version-1.20.yaml b/resources/v1.23.2/charts/base/files/profile-compatibility-version-1.20.yaml similarity index 100% rename from resources/v1.23.0/charts/base/files/profile-compatibility-version-1.20.yaml rename to resources/v1.23.2/charts/base/files/profile-compatibility-version-1.20.yaml diff --git a/resources/v1.23.0/charts/base/files/profile-compatibility-version-1.21.yaml b/resources/v1.23.2/charts/base/files/profile-compatibility-version-1.21.yaml similarity index 88% rename from resources/v1.23.0/charts/base/files/profile-compatibility-version-1.21.yaml rename to resources/v1.23.2/charts/base/files/profile-compatibility-version-1.21.yaml index 292f60742..d11c242b5 100644 --- a/resources/v1.23.0/charts/base/files/profile-compatibility-version-1.21.yaml +++ b/resources/v1.23.2/charts/base/files/profile-compatibility-version-1.21.yaml @@ -7,6 +7,10 @@ pilot: # 1.22 behavioral changes ENABLE_ENHANCED_RESOURCE_SCOPING: "false" ENABLE_RESOLUTION_NONE_TARGET_PORT: "false" + + # 1.23 behavioral changes + ENABLE_DELIMITED_STATS_TAG_REGEX: "false" + meshConfig: # 1.22 behavioral changes defaultConfig: diff --git a/resources/v1.23.0/charts/gateway/files/profile-compatibility-version-1.22.yaml b/resources/v1.23.2/charts/base/files/profile-compatibility-version-1.22.yaml similarity index 72% rename from resources/v1.23.0/charts/gateway/files/profile-compatibility-version-1.22.yaml rename to resources/v1.23.2/charts/base/files/profile-compatibility-version-1.22.yaml index 16a7e6481..b091e2b94 100644 --- a/resources/v1.23.0/charts/gateway/files/profile-compatibility-version-1.22.yaml +++ b/resources/v1.23.2/charts/base/files/profile-compatibility-version-1.22.yaml 
@@ -2,10 +2,15 @@ # The original version of this file is located at /manifests/helm-profiles directory. # If you want to make a change in this file, edit the original one and run "make gen". +pilot: + env: + # 1.23 behavioral changes + ENABLE_DELIMITED_STATS_TAG_REGEX: "false" + meshConfig: defaultConfig: proxyMetadata: # 1.22 behavioral changes ENABLE_DEFERRED_CLUSTER_CREATION: "false" # 1.23 behavioral changes - ENABLE_DELIMITED_STATS_TAG_REGEX": "false" + ENABLE_DELIMITED_STATS_TAG_REGEX: "false" diff --git a/resources/v1.23.0/charts/base/files/profile-demo.yaml b/resources/v1.23.2/charts/base/files/profile-demo.yaml similarity index 100% rename from resources/v1.23.0/charts/base/files/profile-demo.yaml rename to resources/v1.23.2/charts/base/files/profile-demo.yaml diff --git a/resources/v1.23.0/charts/base/files/profile-openshift-ambient.yaml b/resources/v1.23.2/charts/base/files/profile-openshift-ambient.yaml similarity index 100% rename from resources/v1.23.0/charts/base/files/profile-openshift-ambient.yaml rename to resources/v1.23.2/charts/base/files/profile-openshift-ambient.yaml diff --git a/resources/v1.23.0/charts/base/files/profile-openshift.yaml b/resources/v1.23.2/charts/base/files/profile-openshift.yaml similarity index 100% rename from resources/v1.23.0/charts/base/files/profile-openshift.yaml rename to resources/v1.23.2/charts/base/files/profile-openshift.yaml diff --git a/resources/v1.22.3/charts/ztunnel/files/profile-preview.yaml b/resources/v1.23.2/charts/base/files/profile-preview.yaml similarity index 100% rename from resources/v1.22.3/charts/ztunnel/files/profile-preview.yaml rename to resources/v1.23.2/charts/base/files/profile-preview.yaml diff --git a/resources/v1.22.3/charts/ztunnel/files/profile-stable.yaml b/resources/v1.23.2/charts/base/files/profile-stable.yaml similarity index 100% rename from resources/v1.22.3/charts/ztunnel/files/profile-stable.yaml rename to resources/v1.23.2/charts/base/files/profile-stable.yaml 
diff --git a/resources/v1.23.0/charts/base/templates/NOTES.txt b/resources/v1.23.2/charts/base/templates/NOTES.txt
similarity index 100%
rename from resources/v1.23.0/charts/base/templates/NOTES.txt
rename to resources/v1.23.2/charts/base/templates/NOTES.txt
diff --git a/resources/v1.23.0/charts/base/templates/crds.yaml b/resources/v1.23.2/charts/base/templates/crds.yaml
similarity index 100%
rename from resources/v1.23.0/charts/base/templates/crds.yaml
rename to resources/v1.23.2/charts/base/templates/crds.yaml
diff --git a/resources/v1.23.0/charts/base/templates/default.yaml b/resources/v1.23.2/charts/base/templates/default.yaml
similarity index 100%
rename from resources/v1.23.0/charts/base/templates/default.yaml
rename to resources/v1.23.2/charts/base/templates/default.yaml
diff --git a/resources/v1.23.0/charts/base/templates/endpoints.yaml b/resources/v1.23.2/charts/base/templates/endpoints.yaml
similarity index 100%
rename from resources/v1.23.0/charts/base/templates/endpoints.yaml
rename to resources/v1.23.2/charts/base/templates/endpoints.yaml
diff --git a/resources/v1.23.0/charts/base/templates/reader-serviceaccount.yaml b/resources/v1.23.2/charts/base/templates/reader-serviceaccount.yaml
similarity index 100%
rename from resources/v1.23.0/charts/base/templates/reader-serviceaccount.yaml
rename to resources/v1.23.2/charts/base/templates/reader-serviceaccount.yaml
diff --git a/resources/v1.23.0/charts/base/templates/services.yaml b/resources/v1.23.2/charts/base/templates/services.yaml
similarity index 100%
rename from resources/v1.23.0/charts/base/templates/services.yaml
rename to resources/v1.23.2/charts/base/templates/services.yaml
diff --git a/resources/v1.23.0/charts/base/templates/validatingadmissionpolicy.yaml b/resources/v1.23.2/charts/base/templates/validatingadmissionpolicy.yaml similarity index 100% rename from resources/v1.23.0/charts/base/templates/validatingadmissionpolicy.yaml rename to resources/v1.23.2/charts/base/templates/validatingadmissionpolicy.yaml diff --git a/resources/v1.23.0/charts/istiod/templates/zzz_profile.yaml b/resources/v1.23.2/charts/base/templates/zzz_profile.yaml similarity index 100% rename from resources/v1.23.0/charts/istiod/templates/zzz_profile.yaml rename to resources/v1.23.2/charts/base/templates/zzz_profile.yaml diff --git a/resources/v1.23.0/charts/base/values.yaml b/resources/v1.23.2/charts/base/values.yaml similarity index 100% rename from resources/v1.23.0/charts/base/values.yaml rename to resources/v1.23.2/charts/base/values.yaml diff --git a/resources/v1.23.0/charts/cni/Chart.yaml b/resources/v1.23.2/charts/cni/Chart.yaml similarity index 85% rename from resources/v1.23.0/charts/cni/Chart.yaml rename to resources/v1.23.2/charts/cni/Chart.yaml index 399703948..4ffafb619 100644 --- a/resources/v1.23.0/charts/cni/Chart.yaml +++ b/resources/v1.23.2/charts/cni/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 1.23.0 +appVersion: 1.23.2 description: Helm chart for istio-cni components icon: https://istio.io/latest/favicons/android-192x192.png keywords: @@ -8,4 +8,4 @@ keywords: name: cni sources: - https://github.com/istio/istio -version: 1.23.0 +version: 1.23.2 diff --git a/resources/v1.23.0/charts/cni/README.md b/resources/v1.23.2/charts/cni/README.md similarity index 100% rename from resources/v1.23.0/charts/cni/README.md rename to resources/v1.23.2/charts/cni/README.md 
diff --git a/resources/v1.23.0/charts/cni/files/profile-ambient.yaml b/resources/v1.23.2/charts/cni/files/profile-ambient.yaml similarity index 100% rename from resources/v1.23.0/charts/cni/files/profile-ambient.yaml rename to resources/v1.23.2/charts/cni/files/profile-ambient.yaml diff --git a/resources/v1.23.0/charts/cni/files/profile-compatibility-version-1.20.yaml b/resources/v1.23.2/charts/cni/files/profile-compatibility-version-1.20.yaml similarity index 100% rename from resources/v1.23.0/charts/cni/files/profile-compatibility-version-1.20.yaml rename to resources/v1.23.2/charts/cni/files/profile-compatibility-version-1.20.yaml diff --git a/resources/v1.23.0/charts/cni/files/profile-compatibility-version-1.21.yaml b/resources/v1.23.2/charts/cni/files/profile-compatibility-version-1.21.yaml similarity index 88% rename from resources/v1.23.0/charts/cni/files/profile-compatibility-version-1.21.yaml rename to resources/v1.23.2/charts/cni/files/profile-compatibility-version-1.21.yaml index 292f60742..d11c242b5 100644 --- a/resources/v1.23.0/charts/cni/files/profile-compatibility-version-1.21.yaml +++ b/resources/v1.23.2/charts/cni/files/profile-compatibility-version-1.21.yaml @@ -7,6 +7,10 @@ pilot: # 1.22 behavioral changes ENABLE_ENHANCED_RESOURCE_SCOPING: "false" ENABLE_RESOLUTION_NONE_TARGET_PORT: "false" + + # 1.23 behavioral changes + ENABLE_DELIMITED_STATS_TAG_REGEX: "false" + meshConfig: # 1.22 behavioral changes defaultConfig: diff --git a/resources/v1.23.0/charts/cni/files/profile-compatibility-version-1.22.yaml b/resources/v1.23.2/charts/cni/files/profile-compatibility-version-1.22.yaml similarity index 72% rename from resources/v1.23.0/charts/cni/files/profile-compatibility-version-1.22.yaml rename to resources/v1.23.2/charts/cni/files/profile-compatibility-version-1.22.yaml index 16a7e6481..b091e2b94 100644 --- a/resources/v1.23.0/charts/cni/files/profile-compatibility-version-1.22.yaml 
+++ b/resources/v1.23.2/charts/cni/files/profile-compatibility-version-1.22.yaml @@ -2,10 +2,15 @@ # The original version of this file is located at /manifests/helm-profiles directory. # If you want to make a change in this file, edit the original one and run "make gen". +pilot: + env: + # 1.23 behavioral changes + ENABLE_DELIMITED_STATS_TAG_REGEX: "false" + meshConfig: defaultConfig: proxyMetadata: # 1.22 behavioral changes ENABLE_DEFERRED_CLUSTER_CREATION: "false" # 1.23 behavioral changes - ENABLE_DELIMITED_STATS_TAG_REGEX": "false" + ENABLE_DELIMITED_STATS_TAG_REGEX: "false" diff --git a/resources/v1.23.0/charts/cni/files/profile-demo.yaml b/resources/v1.23.2/charts/cni/files/profile-demo.yaml similarity index 100% rename from resources/v1.23.0/charts/cni/files/profile-demo.yaml rename to resources/v1.23.2/charts/cni/files/profile-demo.yaml diff --git a/resources/v1.23.0/charts/cni/files/profile-openshift-ambient.yaml b/resources/v1.23.2/charts/cni/files/profile-openshift-ambient.yaml similarity index 100% rename from resources/v1.23.0/charts/cni/files/profile-openshift-ambient.yaml rename to resources/v1.23.2/charts/cni/files/profile-openshift-ambient.yaml diff --git a/resources/v1.23.0/charts/cni/files/profile-openshift.yaml b/resources/v1.23.2/charts/cni/files/profile-openshift.yaml similarity index 100% rename from resources/v1.23.0/charts/cni/files/profile-openshift.yaml rename to resources/v1.23.2/charts/cni/files/profile-openshift.yaml diff --git a/resources/v1.23.0/charts/base/files/profile-preview.yaml b/resources/v1.23.2/charts/cni/files/profile-preview.yaml similarity index 100% rename from resources/v1.23.0/charts/base/files/profile-preview.yaml rename to resources/v1.23.2/charts/cni/files/profile-preview.yaml 
diff --git a/resources/v1.23.0/charts/base/files/profile-stable.yaml b/resources/v1.23.2/charts/cni/files/profile-stable.yaml
similarity index 100%
rename from resources/v1.23.0/charts/base/files/profile-stable.yaml
rename to resources/v1.23.2/charts/cni/files/profile-stable.yaml
diff --git a/resources/v1.23.0/charts/cni/templates/NOTES.txt b/resources/v1.23.2/charts/cni/templates/NOTES.txt
similarity index 100%
rename from resources/v1.23.0/charts/cni/templates/NOTES.txt
rename to resources/v1.23.2/charts/cni/templates/NOTES.txt
diff --git a/resources/v1.23.0/charts/cni/templates/_helpers.tpl b/resources/v1.23.2/charts/cni/templates/_helpers.tpl
similarity index 100%
rename from resources/v1.23.0/charts/cni/templates/_helpers.tpl
rename to resources/v1.23.2/charts/cni/templates/_helpers.tpl
diff --git a/resources/v1.23.0/charts/cni/templates/clusterrole.yaml b/resources/v1.23.2/charts/cni/templates/clusterrole.yaml
similarity index 100%
rename from resources/v1.23.0/charts/cni/templates/clusterrole.yaml
rename to resources/v1.23.2/charts/cni/templates/clusterrole.yaml
diff --git a/resources/v1.23.0/charts/cni/templates/clusterrolebinding.yaml b/resources/v1.23.2/charts/cni/templates/clusterrolebinding.yaml
similarity index 100%
rename from resources/v1.23.0/charts/cni/templates/clusterrolebinding.yaml
rename to resources/v1.23.2/charts/cni/templates/clusterrolebinding.yaml
diff --git a/resources/v1.23.0/charts/cni/templates/configmap-cni.yaml b/resources/v1.23.2/charts/cni/templates/configmap-cni.yaml
similarity index 100%
rename from resources/v1.23.0/charts/cni/templates/configmap-cni.yaml
rename to resources/v1.23.2/charts/cni/templates/configmap-cni.yaml
diff --git a/resources/v1.23.0/charts/cni/templates/daemonset.yaml b/resources/v1.23.2/charts/cni/templates/daemonset.yaml
similarity index 100%
rename from resources/v1.23.0/charts/cni/templates/daemonset.yaml
rename to resources/v1.23.2/charts/cni/templates/daemonset.yaml
diff --git a/resources/v1.23.0/charts/cni/templates/network-attachment-definition.yaml b/resources/v1.23.2/charts/cni/templates/network-attachment-definition.yaml similarity index 100% rename from resources/v1.23.0/charts/cni/templates/network-attachment-definition.yaml rename to resources/v1.23.2/charts/cni/templates/network-attachment-definition.yaml diff --git a/resources/v1.23.0/charts/cni/templates/resourcequota.yaml b/resources/v1.23.2/charts/cni/templates/resourcequota.yaml similarity index 100% rename from resources/v1.23.0/charts/cni/templates/resourcequota.yaml rename to resources/v1.23.2/charts/cni/templates/resourcequota.yaml diff --git a/resources/v1.23.0/charts/cni/templates/serviceaccount.yaml b/resources/v1.23.2/charts/cni/templates/serviceaccount.yaml similarity index 100% rename from resources/v1.23.0/charts/cni/templates/serviceaccount.yaml rename to resources/v1.23.2/charts/cni/templates/serviceaccount.yaml diff --git a/resources/v1.22.3/charts/base/templates/zzz_profile.yaml b/resources/v1.23.2/charts/cni/templates/zzz_profile.yaml similarity index 88% rename from resources/v1.22.3/charts/base/templates/zzz_profile.yaml rename to resources/v1.23.2/charts/cni/templates/zzz_profile.yaml index 6359d435a..2d0bd4af7 100644 --- a/resources/v1.22.3/charts/base/templates/zzz_profile.yaml +++ b/resources/v1.23.2/charts/cni/templates/zzz_profile.yaml @@ -15,6 +15,7 @@ However, we can workaround this by placing all of (1) under a specific key (.Val We can then merge the profile onto the defaults, then the user settings onto that. Finally, we can set all of that under .Values so the chart behaves without awareness. */}} +{{- $globals := $.Values.global | default dict | deepCopy }} {{- $defaults := $.Values.defaults }} {{- $_ := unset $.Values "defaults" }} {{- $profile := dict }} 
@@ -35,4 +36,8 @@ Finally, we can set all of that under .Values so the chart behaves without aware {{- if $profile }} {{- $a := mustMergeOverwrite $defaults $profile }} {{- end }} +# Flatten globals, if defined on a per-chart basis +{{- if false }} +{{- $a := mustMergeOverwrite $defaults $globals }} +{{- end }} {{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }} diff --git a/resources/v1.23.0/charts/cni/values.yaml b/resources/v1.23.2/charts/cni/values.yaml similarity index 99% rename from resources/v1.23.0/charts/cni/values.yaml rename to resources/v1.23.2/charts/cni/values.yaml index 073f6366a..4c467874d 100644 --- a/resources/v1.23.0/charts/cni/values.yaml +++ b/resources/v1.23.2/charts/cni/values.yaml @@ -113,7 +113,7 @@ defaults: hub: docker.io/istio # Default tag for Istio images. - tag: 1.23.0 + tag: 1.23.2 # Variant of the image to use. # Currently supported are: [debug, distroless] diff --git a/resources/v1.21.5/charts/gateway/Chart.yaml b/resources/v1.23.2/charts/gateway/Chart.yaml similarity index 86% rename from resources/v1.21.5/charts/gateway/Chart.yaml rename to resources/v1.23.2/charts/gateway/Chart.yaml index f17abf8ab..d1391f70a 100644 --- a/resources/v1.21.5/charts/gateway/Chart.yaml +++ b/resources/v1.23.2/charts/gateway/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 1.21.5 +appVersion: 1.23.2 description: Helm chart for deploying Istio gateways icon: https://istio.io/latest/favicons/android-192x192.png keywords: @@ -9,4 +9,4 @@ name: gateway sources: - https://github.com/istio/istio type: application -version: 1.21.5 +version: 1.23.2 diff --git a/resources/v1.23.0/charts/gateway/README.md b/resources/v1.23.2/charts/gateway/README.md similarity index 100% rename from resources/v1.23.0/charts/gateway/README.md rename to resources/v1.23.2/charts/gateway/README.md 
diff --git a/resources/v1.23.0/charts/gateway/files/profile-ambient.yaml b/resources/v1.23.2/charts/gateway/files/profile-ambient.yaml similarity index 100% rename from resources/v1.23.0/charts/gateway/files/profile-ambient.yaml rename to resources/v1.23.2/charts/gateway/files/profile-ambient.yaml diff --git a/resources/v1.23.0/charts/gateway/files/profile-compatibility-version-1.20.yaml b/resources/v1.23.2/charts/gateway/files/profile-compatibility-version-1.20.yaml similarity index 100% rename from resources/v1.23.0/charts/gateway/files/profile-compatibility-version-1.20.yaml rename to resources/v1.23.2/charts/gateway/files/profile-compatibility-version-1.20.yaml diff --git a/resources/v1.23.0/charts/gateway/files/profile-compatibility-version-1.21.yaml b/resources/v1.23.2/charts/gateway/files/profile-compatibility-version-1.21.yaml similarity index 88% rename from resources/v1.23.0/charts/gateway/files/profile-compatibility-version-1.21.yaml rename to resources/v1.23.2/charts/gateway/files/profile-compatibility-version-1.21.yaml index 292f60742..d11c242b5 100644 --- a/resources/v1.23.0/charts/gateway/files/profile-compatibility-version-1.21.yaml +++ b/resources/v1.23.2/charts/gateway/files/profile-compatibility-version-1.21.yaml @@ -7,6 +7,10 @@ pilot: # 1.22 behavioral changes ENABLE_ENHANCED_RESOURCE_SCOPING: "false" ENABLE_RESOLUTION_NONE_TARGET_PORT: "false" + + # 1.23 behavioral changes + ENABLE_DELIMITED_STATS_TAG_REGEX: "false" + meshConfig: # 1.22 behavioral changes defaultConfig: diff --git a/resources/v1.23.0/charts/istiod-remote/files/profile-compatibility-version-1.22.yaml b/resources/v1.23.2/charts/gateway/files/profile-compatibility-version-1.22.yaml similarity index 72% rename from resources/v1.23.0/charts/istiod-remote/files/profile-compatibility-version-1.22.yaml rename to resources/v1.23.2/charts/gateway/files/profile-compatibility-version-1.22.yaml index 16a7e6481..b091e2b94 100644 
--- a/resources/v1.23.0/charts/istiod-remote/files/profile-compatibility-version-1.22.yaml +++ b/resources/v1.23.2/charts/gateway/files/profile-compatibility-version-1.22.yaml @@ -2,10 +2,15 @@ # The original version of this file is located at /manifests/helm-profiles directory. # If you want to make a change in this file, edit the original one and run "make gen". +pilot: + env: + # 1.23 behavioral changes + ENABLE_DELIMITED_STATS_TAG_REGEX: "false" + meshConfig: defaultConfig: proxyMetadata: # 1.22 behavioral changes ENABLE_DEFERRED_CLUSTER_CREATION: "false" # 1.23 behavioral changes - ENABLE_DELIMITED_STATS_TAG_REGEX": "false" + ENABLE_DELIMITED_STATS_TAG_REGEX: "false" diff --git a/resources/v1.23.0/charts/gateway/files/profile-demo.yaml b/resources/v1.23.2/charts/gateway/files/profile-demo.yaml similarity index 100% rename from resources/v1.23.0/charts/gateway/files/profile-demo.yaml rename to resources/v1.23.2/charts/gateway/files/profile-demo.yaml diff --git a/resources/v1.23.0/charts/gateway/files/profile-openshift-ambient.yaml b/resources/v1.23.2/charts/gateway/files/profile-openshift-ambient.yaml similarity index 100% rename from resources/v1.23.0/charts/gateway/files/profile-openshift-ambient.yaml rename to resources/v1.23.2/charts/gateway/files/profile-openshift-ambient.yaml diff --git a/resources/v1.23.0/charts/gateway/files/profile-openshift.yaml b/resources/v1.23.2/charts/gateway/files/profile-openshift.yaml similarity index 100% rename from resources/v1.23.0/charts/gateway/files/profile-openshift.yaml rename to resources/v1.23.2/charts/gateway/files/profile-openshift.yaml diff --git a/resources/v1.23.0/charts/cni/files/profile-preview.yaml b/resources/v1.23.2/charts/gateway/files/profile-preview.yaml similarity index 100% rename from resources/v1.23.0/charts/cni/files/profile-preview.yaml rename to resources/v1.23.2/charts/gateway/files/profile-preview.yaml 
diff --git a/resources/v1.23.0/charts/cni/files/profile-stable.yaml b/resources/v1.23.2/charts/gateway/files/profile-stable.yaml
similarity index 100%
rename from resources/v1.23.0/charts/cni/files/profile-stable.yaml
rename to resources/v1.23.2/charts/gateway/files/profile-stable.yaml
diff --git a/resources/v1.23.0/charts/gateway/templates/NOTES.txt b/resources/v1.23.2/charts/gateway/templates/NOTES.txt
similarity index 100%
rename from resources/v1.23.0/charts/gateway/templates/NOTES.txt
rename to resources/v1.23.2/charts/gateway/templates/NOTES.txt
diff --git a/resources/v1.23.0/charts/gateway/templates/_helpers.tpl b/resources/v1.23.2/charts/gateway/templates/_helpers.tpl
similarity index 100%
rename from resources/v1.23.0/charts/gateway/templates/_helpers.tpl
rename to resources/v1.23.2/charts/gateway/templates/_helpers.tpl
diff --git a/resources/v1.23.0/charts/gateway/templates/deployment.yaml b/resources/v1.23.2/charts/gateway/templates/deployment.yaml
similarity index 100%
rename from resources/v1.23.0/charts/gateway/templates/deployment.yaml
rename to resources/v1.23.2/charts/gateway/templates/deployment.yaml
diff --git a/resources/v1.23.0/charts/gateway/templates/hpa.yaml b/resources/v1.23.2/charts/gateway/templates/hpa.yaml
similarity index 100%
rename from resources/v1.23.0/charts/gateway/templates/hpa.yaml
rename to resources/v1.23.2/charts/gateway/templates/hpa.yaml
diff --git a/resources/v1.23.0/charts/gateway/templates/poddisruptionbudget.yaml b/resources/v1.23.2/charts/gateway/templates/poddisruptionbudget.yaml
similarity index 100%
rename from resources/v1.23.0/charts/gateway/templates/poddisruptionbudget.yaml
rename to resources/v1.23.2/charts/gateway/templates/poddisruptionbudget.yaml
diff --git a/resources/v1.23.0/charts/gateway/templates/role.yaml b/resources/v1.23.2/charts/gateway/templates/role.yaml similarity index 100% rename from resources/v1.23.0/charts/gateway/templates/role.yaml rename to resources/v1.23.2/charts/gateway/templates/role.yaml diff --git a/resources/v1.23.0/charts/gateway/templates/service.yaml b/resources/v1.23.2/charts/gateway/templates/service.yaml similarity index 100% rename from resources/v1.23.0/charts/gateway/templates/service.yaml rename to resources/v1.23.2/charts/gateway/templates/service.yaml diff --git a/resources/v1.23.0/charts/gateway/templates/serviceaccount.yaml b/resources/v1.23.2/charts/gateway/templates/serviceaccount.yaml similarity index 100% rename from resources/v1.23.0/charts/gateway/templates/serviceaccount.yaml rename to resources/v1.23.2/charts/gateway/templates/serviceaccount.yaml diff --git a/resources/v1.22.3/charts/gateway/templates/zzz_profile.yaml b/resources/v1.23.2/charts/gateway/templates/zzz_profile.yaml similarity index 88% rename from resources/v1.22.3/charts/gateway/templates/zzz_profile.yaml rename to resources/v1.23.2/charts/gateway/templates/zzz_profile.yaml index 6359d435a..2d0bd4af7 100644 --- a/resources/v1.22.3/charts/gateway/templates/zzz_profile.yaml +++ b/resources/v1.23.2/charts/gateway/templates/zzz_profile.yaml @@ -15,6 +15,7 @@ However, we can workaround this by placing all of (1) under a specific key (.Val We can then merge the profile onto the defaults, then the user settings onto that. Finally, we can set all of that under .Values so the chart behaves without awareness. */}} +{{- $globals := $.Values.global | default dict | deepCopy }} {{- $defaults := $.Values.defaults }} {{- $_ := unset $.Values "defaults" }} {{- $profile := dict }} 
@@ -35,4 +36,8 @@ Finally, we can set all of that under .Values so the chart behaves without aware {{- if $profile }} {{- $a := mustMergeOverwrite $defaults $profile }} {{- end }} +# Flatten globals, if defined on a per-chart basis +{{- if false }} +{{- $a := mustMergeOverwrite $defaults $globals }} +{{- end }} {{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }} diff --git a/resources/v1.22.3/charts/gateway/values.schema.json b/resources/v1.23.2/charts/gateway/values.schema.json similarity index 97% rename from resources/v1.22.3/charts/gateway/values.schema.json rename to resources/v1.23.2/charts/gateway/values.schema.json index c97d84c1e..4c4f0836d 100644 --- a/resources/v1.22.3/charts/gateway/values.schema.json +++ b/resources/v1.23.2/charts/gateway/values.schema.json @@ -99,10 +99,10 @@ "type": "object", "properties": { "cpu": { - "type": "string" + "type": ["string", "null"] }, "memory": { - "type": "string" + "type": ["string", "null"] } } }, @@ -110,10 +110,10 @@ "type": "object", "properties": { "cpu": { - "type": "string" + "type": ["string", "null"] }, "memory": { - "type": "string" + "type": ["string", "null"] } } } diff --git a/resources/v1.23.0/charts/gateway/values.yaml b/resources/v1.23.2/charts/gateway/values.yaml similarity index 100% rename from resources/v1.23.0/charts/gateway/values.yaml rename to resources/v1.23.2/charts/gateway/values.yaml diff --git a/resources/v1.23.0/charts/istiod-remote/Chart.yaml b/resources/v1.23.2/charts/istiod-remote/Chart.yaml similarity index 87% rename from resources/v1.23.0/charts/istiod-remote/Chart.yaml rename to resources/v1.23.2/charts/istiod-remote/Chart.yaml index 5761e4804..9c2932152 100644 --- a/resources/v1.23.0/charts/istiod-remote/Chart.yaml +++ b/resources/v1.23.2/charts/istiod-remote/Chart.yaml 
@@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 1.23.0 +appVersion: 1.23.2 description: Helm chart for a remote cluster using an external istio control plane icon: https://istio.io/latest/favicons/android-192x192.png keywords: @@ -8,4 +8,4 @@ keywords: name: istiod-remote sources: - https://github.com/istio/istio -version: 1.23.0 +version: 1.23.2 diff --git a/resources/latest/charts/istiod-remote/NOTES.txt b/resources/v1.23.2/charts/istiod-remote/NOTES.txt similarity index 100% rename from resources/latest/charts/istiod-remote/NOTES.txt rename to resources/v1.23.2/charts/istiod-remote/NOTES.txt diff --git a/resources/latest/charts/istiod-remote/files/gateway-injection-template.yaml b/resources/v1.23.2/charts/istiod-remote/files/gateway-injection-template.yaml similarity index 100% rename from resources/latest/charts/istiod-remote/files/gateway-injection-template.yaml rename to resources/v1.23.2/charts/istiod-remote/files/gateway-injection-template.yaml diff --git a/resources/v1.23.0/charts/istiod-remote/files/injection-template.yaml b/resources/v1.23.2/charts/istiod-remote/files/injection-template.yaml similarity index 100% rename from resources/v1.23.0/charts/istiod-remote/files/injection-template.yaml rename to resources/v1.23.2/charts/istiod-remote/files/injection-template.yaml diff --git a/resources/v1.23.0/charts/istiod-remote/files/profile-ambient.yaml b/resources/v1.23.2/charts/istiod-remote/files/profile-ambient.yaml similarity index 100% rename from resources/v1.23.0/charts/istiod-remote/files/profile-ambient.yaml rename to resources/v1.23.2/charts/istiod-remote/files/profile-ambient.yaml 
diff --git a/resources/v1.23.0/charts/istiod-remote/files/profile-compatibility-version-1.20.yaml b/resources/v1.23.2/charts/istiod-remote/files/profile-compatibility-version-1.20.yaml similarity index 100% rename from resources/v1.23.0/charts/istiod-remote/files/profile-compatibility-version-1.20.yaml rename to resources/v1.23.2/charts/istiod-remote/files/profile-compatibility-version-1.20.yaml diff --git a/resources/v1.23.0/charts/istiod-remote/files/profile-compatibility-version-1.21.yaml b/resources/v1.23.2/charts/istiod-remote/files/profile-compatibility-version-1.21.yaml similarity index 88% rename from resources/v1.23.0/charts/istiod-remote/files/profile-compatibility-version-1.21.yaml rename to resources/v1.23.2/charts/istiod-remote/files/profile-compatibility-version-1.21.yaml index 292f60742..d11c242b5 100644 --- a/resources/v1.23.0/charts/istiod-remote/files/profile-compatibility-version-1.21.yaml +++ b/resources/v1.23.2/charts/istiod-remote/files/profile-compatibility-version-1.21.yaml @@ -7,6 +7,10 @@ pilot: # 1.22 behavioral changes ENABLE_ENHANCED_RESOURCE_SCOPING: "false" ENABLE_RESOLUTION_NONE_TARGET_PORT: "false" + + # 1.23 behavioral changes + ENABLE_DELIMITED_STATS_TAG_REGEX: "false" + meshConfig: # 1.22 behavioral changes defaultConfig: diff --git a/resources/v1.23.0/charts/base/files/profile-compatibility-version-1.22.yaml b/resources/v1.23.2/charts/istiod-remote/files/profile-compatibility-version-1.22.yaml similarity index 72% rename from resources/v1.23.0/charts/base/files/profile-compatibility-version-1.22.yaml rename to resources/v1.23.2/charts/istiod-remote/files/profile-compatibility-version-1.22.yaml index 16a7e6481..b091e2b94 100644 --- a/resources/v1.23.0/charts/base/files/profile-compatibility-version-1.22.yaml +++ b/resources/v1.23.2/charts/istiod-remote/files/profile-compatibility-version-1.22.yaml 
@@ -2,10 +2,15 @@
 # The original version of this file is located at /manifests/helm-profiles directory.
 # If you want to make a change in this file, edit the original one and run "make gen".
 
+pilot:
+ env:
+ # 1.23 behavioral changes
+ ENABLE_DELIMITED_STATS_TAG_REGEX: "false"
+
 meshConfig:
 defaultConfig:
 proxyMetadata:
 # 1.22 behavioral changes
 ENABLE_DEFERRED_CLUSTER_CREATION: "false"
 # 1.23 behavioral changes
- ENABLE_DELIMITED_STATS_TAG_REGEX": "false"
+ ENABLE_DELIMITED_STATS_TAG_REGEX: "false"
diff --git a/resources/v1.23.0/charts/istiod-remote/files/profile-demo.yaml b/resources/v1.23.2/charts/istiod-remote/files/profile-demo.yaml
similarity index 100%
rename from resources/v1.23.0/charts/istiod-remote/files/profile-demo.yaml
rename to resources/v1.23.2/charts/istiod-remote/files/profile-demo.yaml
diff --git a/resources/v1.23.0/charts/istiod-remote/files/profile-openshift-ambient.yaml b/resources/v1.23.2/charts/istiod-remote/files/profile-openshift-ambient.yaml
similarity index 100%
rename from resources/v1.23.0/charts/istiod-remote/files/profile-openshift-ambient.yaml
rename to resources/v1.23.2/charts/istiod-remote/files/profile-openshift-ambient.yaml
diff --git a/resources/v1.23.0/charts/istiod-remote/files/profile-openshift.yaml b/resources/v1.23.2/charts/istiod-remote/files/profile-openshift.yaml
similarity index 100%
rename from resources/v1.23.0/charts/istiod-remote/files/profile-openshift.yaml
rename to resources/v1.23.2/charts/istiod-remote/files/profile-openshift.yaml
diff --git a/resources/v1.23.0/charts/gateway/files/profile-preview.yaml b/resources/v1.23.2/charts/istiod-remote/files/profile-preview.yaml
similarity index 100%
rename from resources/v1.23.0/charts/gateway/files/profile-preview.yaml
rename to resources/v1.23.2/charts/istiod-remote/files/profile-preview.yaml
diff --git a/resources/v1.23.0/charts/gateway/files/profile-stable.yaml b/resources/v1.23.2/charts/istiod-remote/files/profile-stable.yaml
similarity index 100%
rename from resources/v1.23.0/charts/gateway/files/profile-stable.yaml
rename to resources/v1.23.2/charts/istiod-remote/files/profile-stable.yaml
diff --git a/resources/v1.23.0/charts/istiod-remote/templates/_helpers.tpl b/resources/v1.23.2/charts/istiod-remote/templates/_helpers.tpl
similarity index 100%
rename from resources/v1.23.0/charts/istiod-remote/templates/_helpers.tpl
rename to resources/v1.23.2/charts/istiod-remote/templates/_helpers.tpl
diff --git a/resources/v1.23.0/charts/istiod-remote/templates/clusterrole.yaml b/resources/v1.23.2/charts/istiod-remote/templates/clusterrole.yaml
similarity index 100%
rename from resources/v1.23.0/charts/istiod-remote/templates/clusterrole.yaml
rename to resources/v1.23.2/charts/istiod-remote/templates/clusterrole.yaml
diff --git a/resources/v1.23.0/charts/istiod-remote/templates/clusterrolebinding.yaml b/resources/v1.23.2/charts/istiod-remote/templates/clusterrolebinding.yaml
similarity index 100%
rename from resources/v1.23.0/charts/istiod-remote/templates/clusterrolebinding.yaml
rename to resources/v1.23.2/charts/istiod-remote/templates/clusterrolebinding.yaml
diff --git a/resources/v1.23.0/charts/istiod-remote/templates/configmap.yaml b/resources/v1.23.2/charts/istiod-remote/templates/configmap.yaml
similarity index 100%
rename from resources/v1.23.0/charts/istiod-remote/templates/configmap.yaml
rename to resources/v1.23.2/charts/istiod-remote/templates/configmap.yaml
diff --git a/resources/v1.23.0/charts/istiod-remote/templates/default.yaml b/resources/v1.23.2/charts/istiod-remote/templates/default.yaml
similarity index 100%
rename from resources/v1.23.0/charts/istiod-remote/templates/default.yaml
rename to resources/v1.23.2/charts/istiod-remote/templates/default.yaml
diff --git a/resources/v1.23.0/charts/istiod-remote/templates/defaultrevisionvalidatingadmissionpolicy.yaml b/resources/v1.23.2/charts/istiod-remote/templates/defaultrevisionvalidatingadmissionpolicy.yaml
similarity index 100%
rename from resources/v1.23.0/charts/istiod-remote/templates/defaultrevisionvalidatingadmissionpolicy.yaml
rename to resources/v1.23.2/charts/istiod-remote/templates/defaultrevisionvalidatingadmissionpolicy.yaml
diff --git a/resources/v1.23.0/charts/istiod-remote/templates/endpoints.yaml b/resources/v1.23.2/charts/istiod-remote/templates/endpoints.yaml
similarity index 100%
rename from resources/v1.23.0/charts/istiod-remote/templates/endpoints.yaml
rename to resources/v1.23.2/charts/istiod-remote/templates/endpoints.yaml
diff --git a/resources/v1.23.0/charts/istiod-remote/templates/istiod-injector-configmap.yaml b/resources/v1.23.2/charts/istiod-remote/templates/istiod-injector-configmap.yaml
similarity index 100%
rename from resources/v1.23.0/charts/istiod-remote/templates/istiod-injector-configmap.yaml
rename to resources/v1.23.2/charts/istiod-remote/templates/istiod-injector-configmap.yaml
diff --git a/resources/v1.23.0/charts/istiod-remote/templates/mutatingwebhook.yaml b/resources/v1.23.2/charts/istiod-remote/templates/mutatingwebhook.yaml
similarity index 100%
rename from resources/v1.23.0/charts/istiod-remote/templates/mutatingwebhook.yaml
rename to resources/v1.23.2/charts/istiod-remote/templates/mutatingwebhook.yaml
diff --git a/resources/v1.23.0/charts/istiod-remote/templates/reader-clusterrole.yaml b/resources/v1.23.2/charts/istiod-remote/templates/reader-clusterrole.yaml
similarity index 100%
rename from resources/v1.23.0/charts/istiod-remote/templates/reader-clusterrole.yaml
rename to resources/v1.23.2/charts/istiod-remote/templates/reader-clusterrole.yaml
diff --git a/resources/v1.23.0/charts/istiod-remote/templates/reader-clusterrolebinding.yaml b/resources/v1.23.2/charts/istiod-remote/templates/reader-clusterrolebinding.yaml
similarity index 100%
rename from resources/v1.23.0/charts/istiod-remote/templates/reader-clusterrolebinding.yaml
rename to resources/v1.23.2/charts/istiod-remote/templates/reader-clusterrolebinding.yaml
diff --git a/resources/v1.23.0/charts/istiod-remote/templates/reader-serviceaccount.yaml b/resources/v1.23.2/charts/istiod-remote/templates/reader-serviceaccount.yaml
similarity index 100%
rename from resources/v1.23.0/charts/istiod-remote/templates/reader-serviceaccount.yaml
rename to resources/v1.23.2/charts/istiod-remote/templates/reader-serviceaccount.yaml
diff --git a/resources/v1.23.0/charts/istiod-remote/templates/role.yaml b/resources/v1.23.2/charts/istiod-remote/templates/role.yaml
similarity index 100%
rename from resources/v1.23.0/charts/istiod-remote/templates/role.yaml
rename to resources/v1.23.2/charts/istiod-remote/templates/role.yaml
diff --git a/resources/v1.23.0/charts/istiod-remote/templates/rolebinding.yaml b/resources/v1.23.2/charts/istiod-remote/templates/rolebinding.yaml
similarity index 100%
rename from resources/v1.23.0/charts/istiod-remote/templates/rolebinding.yaml
rename to resources/v1.23.2/charts/istiod-remote/templates/rolebinding.yaml
diff --git a/resources/v1.23.0/charts/istiod-remote/templates/serviceaccount.yaml b/resources/v1.23.2/charts/istiod-remote/templates/serviceaccount.yaml
similarity index 100%
rename from resources/v1.23.0/charts/istiod-remote/templates/serviceaccount.yaml
rename to resources/v1.23.2/charts/istiod-remote/templates/serviceaccount.yaml
diff --git a/resources/v1.23.0/charts/istiod-remote/templates/services.yaml b/resources/v1.23.2/charts/istiod-remote/templates/services.yaml
similarity index 100%
rename from resources/v1.23.0/charts/istiod-remote/templates/services.yaml
rename to resources/v1.23.2/charts/istiod-remote/templates/services.yaml
diff --git a/resources/v1.23.0/charts/istiod-remote/templates/validatingadmissionpolicy.yaml b/resources/v1.23.2/charts/istiod-remote/templates/validatingadmissionpolicy.yaml
similarity index 100%
rename from resources/v1.23.0/charts/istiod-remote/templates/validatingadmissionpolicy.yaml
rename to resources/v1.23.2/charts/istiod-remote/templates/validatingadmissionpolicy.yaml
diff --git a/resources/v1.23.0/charts/istiod-remote/templates/validatingwebhookconfiguration.yaml b/resources/v1.23.2/charts/istiod-remote/templates/validatingwebhookconfiguration.yaml
similarity index 100%
rename from resources/v1.23.0/charts/istiod-remote/templates/validatingwebhookconfiguration.yaml
rename to resources/v1.23.2/charts/istiod-remote/templates/validatingwebhookconfiguration.yaml
diff --git a/resources/v1.22.3/charts/istiod/templates/zzz_profile.yaml b/resources/v1.23.2/charts/istiod-remote/templates/zzz_profile.yaml
similarity index 88%
rename from resources/v1.22.3/charts/istiod/templates/zzz_profile.yaml
rename to resources/v1.23.2/charts/istiod-remote/templates/zzz_profile.yaml
index 6359d435a..2d0bd4af7 100644
--- a/resources/v1.22.3/charts/istiod/templates/zzz_profile.yaml
+++ b/resources/v1.23.2/charts/istiod-remote/templates/zzz_profile.yaml
@@ -15,6 +15,7 @@ However, we can workaround this by placing all of (1) under a specific key (.Val
 We can then merge the profile onto the defaults, then the user settings onto that.
 Finally, we can set all of that under .Values so the chart behaves without awareness.
 */}}
+{{- $globals := $.Values.global | default dict | deepCopy }}
 {{- $defaults := $.Values.defaults }}
 {{- $_ := unset $.Values "defaults" }}
 {{- $profile := dict }}
@@ -35,4 +36,8 @@ Finally, we can set all of that under .Values so the chart behaves without aware
 {{- if $profile }}
 {{- $a := mustMergeOverwrite $defaults $profile }}
 {{- end }}
+# Flatten globals, if defined on a per-chart basis
+{{- if false }}
+{{- $a := mustMergeOverwrite $defaults $globals }}
+{{- end }}
 {{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }}
diff --git a/resources/v1.23.0/charts/istiod-remote/values.yaml b/resources/v1.23.2/charts/istiod-remote/values.yaml
similarity index 99%
rename from resources/v1.23.0/charts/istiod-remote/values.yaml
rename to resources/v1.23.2/charts/istiod-remote/values.yaml
index bf321991b..9e7033e2b 100644
--- a/resources/v1.23.0/charts/istiod-remote/values.yaml
+++ b/resources/v1.23.2/charts/istiod-remote/values.yaml
@@ -201,7 +201,7 @@ defaults:
 # Dev builds from prow are on gcr.io
 hub: docker.io/istio
 # Default tag for Istio images.
- tag: 1.23.0
+ tag: 1.23.2
 # Variant of the image to use.
 # Currently supported are: [debug, distroless]
 variant: ""
diff --git a/resources/v1.23.0/charts/istiod/Chart.yaml b/resources/v1.23.2/charts/istiod/Chart.yaml
similarity index 86%
rename from resources/v1.23.0/charts/istiod/Chart.yaml
rename to resources/v1.23.2/charts/istiod/Chart.yaml
index e5d4e8096..2370157bb 100644
--- a/resources/v1.23.0/charts/istiod/Chart.yaml
+++ b/resources/v1.23.2/charts/istiod/Chart.yaml
@@ -1,5 +1,5 @@
 apiVersion: v2
-appVersion: 1.23.0
+appVersion: 1.23.2
 description: Helm chart for istio control plane
 icon: https://istio.io/latest/favicons/android-192x192.png
 keywords:
@@ -9,4 +9,4 @@ keywords:
 name: istiod
 sources:
 - https://github.com/istio/istio
-version: 1.23.0
+version: 1.23.2
diff --git a/resources/v1.23.0/charts/istiod/README.md b/resources/v1.23.2/charts/istiod/README.md
similarity index 100%
rename from resources/v1.23.0/charts/istiod/README.md
rename to resources/v1.23.2/charts/istiod/README.md
diff --git a/resources/v1.23.0/charts/istiod-remote/files/gateway-injection-template.yaml b/resources/v1.23.2/charts/istiod/files/gateway-injection-template.yaml
similarity index 100%
rename from resources/v1.23.0/charts/istiod-remote/files/gateway-injection-template.yaml
rename to resources/v1.23.2/charts/istiod/files/gateway-injection-template.yaml
diff --git a/resources/v1.23.0/charts/istiod/files/grpc-agent.yaml b/resources/v1.23.2/charts/istiod/files/grpc-agent.yaml
similarity index 100%
rename from resources/v1.23.0/charts/istiod/files/grpc-agent.yaml
rename to resources/v1.23.2/charts/istiod/files/grpc-agent.yaml
diff --git a/resources/v1.23.0/charts/istiod/files/grpc-simple.yaml b/resources/v1.23.2/charts/istiod/files/grpc-simple.yaml
similarity index 100%
rename from resources/v1.23.0/charts/istiod/files/grpc-simple.yaml
rename to resources/v1.23.2/charts/istiod/files/grpc-simple.yaml
diff --git a/resources/v1.23.0/charts/istiod/files/injection-template.yaml b/resources/v1.23.2/charts/istiod/files/injection-template.yaml
similarity index 100%
rename from resources/v1.23.0/charts/istiod/files/injection-template.yaml
rename to resources/v1.23.2/charts/istiod/files/injection-template.yaml
diff --git a/resources/v1.23.0/charts/istiod/files/kube-gateway.yaml b/resources/v1.23.2/charts/istiod/files/kube-gateway.yaml
similarity index 100%
rename from resources/v1.23.0/charts/istiod/files/kube-gateway.yaml
rename to resources/v1.23.2/charts/istiod/files/kube-gateway.yaml
diff --git a/resources/v1.23.0/charts/istiod/files/profile-ambient.yaml b/resources/v1.23.2/charts/istiod/files/profile-ambient.yaml
similarity index 100%
rename from resources/v1.23.0/charts/istiod/files/profile-ambient.yaml
rename to resources/v1.23.2/charts/istiod/files/profile-ambient.yaml
diff --git a/resources/v1.23.0/charts/istiod/files/profile-compatibility-version-1.20.yaml b/resources/v1.23.2/charts/istiod/files/profile-compatibility-version-1.20.yaml
similarity index 100%
rename from resources/v1.23.0/charts/istiod/files/profile-compatibility-version-1.20.yaml
rename to resources/v1.23.2/charts/istiod/files/profile-compatibility-version-1.20.yaml
diff --git a/resources/v1.23.2/charts/istiod/files/profile-compatibility-version-1.21.yaml b/resources/v1.23.2/charts/istiod/files/profile-compatibility-version-1.21.yaml
new file mode 100644
index 000000000..d11c242b5
--- /dev/null
+++ b/resources/v1.23.2/charts/istiod/files/profile-compatibility-version-1.21.yaml
@@ -0,0 +1,23 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+ env:
+ # 1.22 behavioral changes
+ ENABLE_ENHANCED_RESOURCE_SCOPING: "false"
+ ENABLE_RESOLUTION_NONE_TARGET_PORT: "false"
+
+ # 1.23 behavioral changes
+ ENABLE_DELIMITED_STATS_TAG_REGEX: "false"
+
+meshConfig:
+ # 1.22 behavioral changes
+ defaultConfig:
+ proxyMetadata:
+ ISTIO_DELTA_XDS: "false"
+ # 1.23 behavioral changes
+ ENABLE_DELIMITED_STATS_TAG_REGEX: "false"
+ tracing:
+ zipkin:
+ address: zipkin.istio-system:9411
diff --git a/resources/v1.23.2/charts/istiod/files/profile-compatibility-version-1.22.yaml b/resources/v1.23.2/charts/istiod/files/profile-compatibility-version-1.22.yaml
new file mode 100644
index 000000000..b091e2b94
--- /dev/null
+++ b/resources/v1.23.2/charts/istiod/files/profile-compatibility-version-1.22.yaml
@@ -0,0 +1,16 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+ env:
+ # 1.23 behavioral changes
+ ENABLE_DELIMITED_STATS_TAG_REGEX: "false"
+
+meshConfig:
+ defaultConfig:
+ proxyMetadata:
+ # 1.22 behavioral changes
+ ENABLE_DEFERRED_CLUSTER_CREATION: "false"
+ # 1.23 behavioral changes
+ ENABLE_DELIMITED_STATS_TAG_REGEX: "false"
diff --git a/resources/v1.23.0/charts/istiod/files/profile-demo.yaml b/resources/v1.23.2/charts/istiod/files/profile-demo.yaml
similarity index 100%
rename from resources/v1.23.0/charts/istiod/files/profile-demo.yaml
rename to resources/v1.23.2/charts/istiod/files/profile-demo.yaml
diff --git a/resources/v1.23.0/charts/istiod/files/profile-openshift-ambient.yaml b/resources/v1.23.2/charts/istiod/files/profile-openshift-ambient.yaml
similarity index 100%
rename from resources/v1.23.0/charts/istiod/files/profile-openshift-ambient.yaml
rename to resources/v1.23.2/charts/istiod/files/profile-openshift-ambient.yaml
diff --git a/resources/v1.23.0/charts/istiod/files/profile-openshift.yaml b/resources/v1.23.2/charts/istiod/files/profile-openshift.yaml
similarity index 100%
rename from resources/v1.23.0/charts/istiod/files/profile-openshift.yaml
rename to resources/v1.23.2/charts/istiod/files/profile-openshift.yaml
diff --git a/resources/v1.23.0/charts/istiod-remote/files/profile-preview.yaml b/resources/v1.23.2/charts/istiod/files/profile-preview.yaml
similarity index 100%
rename from resources/v1.23.0/charts/istiod-remote/files/profile-preview.yaml
rename to resources/v1.23.2/charts/istiod/files/profile-preview.yaml
diff --git a/resources/v1.23.0/charts/istiod-remote/files/profile-stable.yaml b/resources/v1.23.2/charts/istiod/files/profile-stable.yaml
similarity index 100%
rename from resources/v1.23.0/charts/istiod-remote/files/profile-stable.yaml
rename to resources/v1.23.2/charts/istiod/files/profile-stable.yaml
diff --git a/resources/v1.23.0/charts/istiod/files/waypoint.yaml b/resources/v1.23.2/charts/istiod/files/waypoint.yaml
similarity index 100%
rename from resources/v1.23.0/charts/istiod/files/waypoint.yaml
rename to resources/v1.23.2/charts/istiod/files/waypoint.yaml
diff --git a/resources/v1.23.0/charts/istiod/templates/NOTES.txt b/resources/v1.23.2/charts/istiod/templates/NOTES.txt
similarity index 100%
rename from resources/v1.23.0/charts/istiod/templates/NOTES.txt
rename to resources/v1.23.2/charts/istiod/templates/NOTES.txt
diff --git a/resources/v1.23.0/charts/istiod/templates/_helpers.tpl b/resources/v1.23.2/charts/istiod/templates/_helpers.tpl
similarity index 100%
rename from resources/v1.23.0/charts/istiod/templates/_helpers.tpl
rename to resources/v1.23.2/charts/istiod/templates/_helpers.tpl
diff --git a/resources/v1.23.0/charts/istiod/templates/autoscale.yaml b/resources/v1.23.2/charts/istiod/templates/autoscale.yaml
similarity index 100%
rename from resources/v1.23.0/charts/istiod/templates/autoscale.yaml
rename to resources/v1.23.2/charts/istiod/templates/autoscale.yaml
diff --git a/resources/v1.23.0/charts/istiod/templates/clusterrole.yaml b/resources/v1.23.2/charts/istiod/templates/clusterrole.yaml
similarity index 100%
rename from resources/v1.23.0/charts/istiod/templates/clusterrole.yaml
rename to resources/v1.23.2/charts/istiod/templates/clusterrole.yaml
diff --git a/resources/v1.23.0/charts/istiod/templates/clusterrolebinding.yaml b/resources/v1.23.2/charts/istiod/templates/clusterrolebinding.yaml
similarity index 100%
rename from resources/v1.23.0/charts/istiod/templates/clusterrolebinding.yaml
rename to resources/v1.23.2/charts/istiod/templates/clusterrolebinding.yaml
diff --git a/resources/v1.23.0/charts/istiod/templates/configmap-jwks.yaml b/resources/v1.23.2/charts/istiod/templates/configmap-jwks.yaml
similarity index 100%
rename from resources/v1.23.0/charts/istiod/templates/configmap-jwks.yaml
rename to resources/v1.23.2/charts/istiod/templates/configmap-jwks.yaml
diff --git a/resources/v1.23.0/charts/istiod/templates/configmap.yaml b/resources/v1.23.2/charts/istiod/templates/configmap.yaml
similarity index 100%
rename from resources/v1.23.0/charts/istiod/templates/configmap.yaml
rename to resources/v1.23.2/charts/istiod/templates/configmap.yaml
diff --git a/resources/v1.23.0/charts/istiod/templates/deployment.yaml b/resources/v1.23.2/charts/istiod/templates/deployment.yaml
similarity index 97%
rename from resources/v1.23.0/charts/istiod/templates/deployment.yaml
rename to resources/v1.23.2/charts/istiod/templates/deployment.yaml
index ec688808d..940c49a8e 100644
--- a/resources/v1.23.0/charts/istiod/templates/deployment.yaml
+++ b/resources/v1.23.2/charts/istiod/templates/deployment.yaml
@@ -166,7 +166,8 @@ spec:
 {{- end }}
 # If externalIstiod is set via Values.Global, then enable the pilot env variable. However, if it's set via Values.pilot.env, then
 # don't set it here to avoid duplication.
-{{- if and .Values.global.externalIstiod (eq .Values.pilot.env.EXTERNAL_ISTIOD "")}}
+# TODO (nshankar13): Move from Helm chart to code: https://github.com/istio/istio/issues/52449
+{{- if and .Values.global.externalIstiod (not (and .Values.pilot.env .Values.pilot.env.EXTERNAL_ISTIOD)) }}
 - name: EXTERNAL_ISTIOD
 value: "{{ .Values.global.externalIstiod }}"
 {{- end }}
diff --git a/resources/v1.23.0/charts/istiod/templates/istiod-injector-configmap.yaml b/resources/v1.23.2/charts/istiod/templates/istiod-injector-configmap.yaml
similarity index 100%
rename from resources/v1.23.0/charts/istiod/templates/istiod-injector-configmap.yaml
rename to resources/v1.23.2/charts/istiod/templates/istiod-injector-configmap.yaml
diff --git a/resources/v1.23.0/charts/istiod/templates/mutatingwebhook.yaml b/resources/v1.23.2/charts/istiod/templates/mutatingwebhook.yaml
similarity index 100%
rename from resources/v1.23.0/charts/istiod/templates/mutatingwebhook.yaml
rename to resources/v1.23.2/charts/istiod/templates/mutatingwebhook.yaml
diff --git a/resources/v1.23.0/charts/istiod/templates/poddisruptionbudget.yaml b/resources/v1.23.2/charts/istiod/templates/poddisruptionbudget.yaml
similarity index 100%
rename from resources/v1.23.0/charts/istiod/templates/poddisruptionbudget.yaml
rename to resources/v1.23.2/charts/istiod/templates/poddisruptionbudget.yaml
diff --git a/resources/v1.23.0/charts/istiod/templates/reader-clusterrole.yaml b/resources/v1.23.2/charts/istiod/templates/reader-clusterrole.yaml
similarity index 100%
rename from resources/v1.23.0/charts/istiod/templates/reader-clusterrole.yaml
rename to resources/v1.23.2/charts/istiod/templates/reader-clusterrole.yaml
diff --git a/resources/v1.23.0/charts/istiod/templates/reader-clusterrolebinding.yaml b/resources/v1.23.2/charts/istiod/templates/reader-clusterrolebinding.yaml
similarity index 100%
rename from resources/v1.23.0/charts/istiod/templates/reader-clusterrolebinding.yaml
rename to resources/v1.23.2/charts/istiod/templates/reader-clusterrolebinding.yaml
diff --git a/resources/v1.23.0/charts/istiod/templates/revision-tags.yaml b/resources/v1.23.2/charts/istiod/templates/revision-tags.yaml
similarity index 100%
rename from resources/v1.23.0/charts/istiod/templates/revision-tags.yaml
rename to resources/v1.23.2/charts/istiod/templates/revision-tags.yaml
diff --git a/resources/v1.23.0/charts/istiod/templates/role.yaml b/resources/v1.23.2/charts/istiod/templates/role.yaml
similarity index 100%
rename from resources/v1.23.0/charts/istiod/templates/role.yaml
rename to resources/v1.23.2/charts/istiod/templates/role.yaml
diff --git a/resources/v1.23.0/charts/istiod/templates/rolebinding.yaml b/resources/v1.23.2/charts/istiod/templates/rolebinding.yaml
similarity index 100%
rename from resources/v1.23.0/charts/istiod/templates/rolebinding.yaml
rename to resources/v1.23.2/charts/istiod/templates/rolebinding.yaml
diff --git a/resources/v1.23.0/charts/istiod/templates/service.yaml b/resources/v1.23.2/charts/istiod/templates/service.yaml
similarity index 100%
rename from resources/v1.23.0/charts/istiod/templates/service.yaml
rename to resources/v1.23.2/charts/istiod/templates/service.yaml
diff --git a/resources/v1.23.0/charts/istiod/templates/serviceaccount.yaml b/resources/v1.23.2/charts/istiod/templates/serviceaccount.yaml
similarity index 100%
rename from resources/v1.23.0/charts/istiod/templates/serviceaccount.yaml
rename to resources/v1.23.2/charts/istiod/templates/serviceaccount.yaml
diff --git a/resources/v1.23.0/charts/istiod/templates/validatingadmissionpolicy.yaml b/resources/v1.23.2/charts/istiod/templates/validatingadmissionpolicy.yaml
similarity index 100%
rename from resources/v1.23.0/charts/istiod/templates/validatingadmissionpolicy.yaml
rename to resources/v1.23.2/charts/istiod/templates/validatingadmissionpolicy.yaml
diff --git a/resources/v1.23.0/charts/istiod/templates/validatingwebhookconfiguration.yaml b/resources/v1.23.2/charts/istiod/templates/validatingwebhookconfiguration.yaml
similarity index 100%
rename from resources/v1.23.0/charts/istiod/templates/validatingwebhookconfiguration.yaml
rename to resources/v1.23.2/charts/istiod/templates/validatingwebhookconfiguration.yaml
diff --git a/resources/v1.23.2/charts/istiod/templates/zzz_profile.yaml b/resources/v1.23.2/charts/istiod/templates/zzz_profile.yaml
new file mode 100644
index 000000000..2d0bd4af7
--- /dev/null
+++ b/resources/v1.23.2/charts/istiod/templates/zzz_profile.yaml
@@ -0,0 +1,43 @@
+{{/*
+WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY.
+The original version of this file is located at /manifests directory.
+If you want to make a change in this file, edit the original one and run "make gen".
+
+Complex logic ahead...
+We have three sets of values, in order of precedence (last wins):
+1. The builtin values.yaml defaults
+2. The profile the user selects
+3. Users input (-f or --set)
+
+Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2).
+
+However, we can workaround this by placing all of (1) under a specific key (.Values.defaults).
+We can then merge the profile onto the defaults, then the user settings onto that.
+Finally, we can set all of that under .Values so the chart behaves without awareness.
+*/}}
+{{- $globals := $.Values.global | default dict | deepCopy }}
+{{- $defaults := $.Values.defaults }}
+{{- $_ := unset $.Values "defaults" }}
+{{- $profile := dict }}
+{{- with .Values.profile }}
+{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}}
+{{- $profile = (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown profile" $.Values.profile) }}
+{{- end }}
+{{- end }}
+{{- with .Values.compatibilityVersion }}
+{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }}
+{{- end }}
+{{- end }}
+{{- if $profile }}
+{{- $a := mustMergeOverwrite $defaults $profile }}
+{{- end }}
+# Flatten globals, if defined on a per-chart basis
+{{- if false }}
+{{- $a := mustMergeOverwrite $defaults $globals }}
+{{- end }}
+{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }}
diff --git a/resources/v1.23.0/charts/istiod/values.yaml b/resources/v1.23.2/charts/istiod/values.yaml
similarity index 99%
rename from resources/v1.23.0/charts/istiod/values.yaml
rename to resources/v1.23.2/charts/istiod/values.yaml
index df2cbf842..fbb4d2695 100644
--- a/resources/v1.23.0/charts/istiod/values.yaml
+++ b/resources/v1.23.2/charts/istiod/values.yaml
@@ -238,7 +238,7 @@ defaults:
 # Dev builds from prow are on gcr.io
 hub: docker.io/istio
 # Default tag for Istio images.
- tag: 1.23.0
+ tag: 1.23.2
 # Variant of the image to use.
 # Currently supported are: [debug, distroless]
 variant: ""
diff --git a/resources/v1.23.0/charts/ztunnel/Chart.yaml b/resources/v1.23.2/charts/ztunnel/Chart.yaml
similarity index 86%
rename from resources/v1.23.0/charts/ztunnel/Chart.yaml
rename to resources/v1.23.2/charts/ztunnel/Chart.yaml
index 94cb4e67d..b811b639a 100644
--- a/resources/v1.23.0/charts/ztunnel/Chart.yaml
+++ b/resources/v1.23.2/charts/ztunnel/Chart.yaml
@@ -1,5 +1,5 @@
 apiVersion: v2
-appVersion: 1.23.0
+appVersion: 1.23.2
 description: Helm chart for istio ztunnel components
 icon: https://istio.io/latest/favicons/android-192x192.png
 keywords:
@@ -8,4 +8,4 @@ keywords:
 name: ztunnel
 sources:
 - https://github.com/istio/istio
-version: 1.23.0
+version: 1.23.2
diff --git a/resources/v1.23.0/charts/ztunnel/README.md b/resources/v1.23.2/charts/ztunnel/README.md
similarity index 100%
rename from resources/v1.23.0/charts/ztunnel/README.md
rename to resources/v1.23.2/charts/ztunnel/README.md
diff --git a/resources/v1.23.0/charts/ztunnel/files/profile-ambient.yaml b/resources/v1.23.2/charts/ztunnel/files/profile-ambient.yaml
similarity index 100%
rename from resources/v1.23.0/charts/ztunnel/files/profile-ambient.yaml
rename to resources/v1.23.2/charts/ztunnel/files/profile-ambient.yaml
diff --git a/resources/v1.23.0/charts/ztunnel/files/profile-compatibility-version-1.20.yaml b/resources/v1.23.2/charts/ztunnel/files/profile-compatibility-version-1.20.yaml
similarity index 100%
rename from resources/v1.23.0/charts/ztunnel/files/profile-compatibility-version-1.20.yaml
rename to resources/v1.23.2/charts/ztunnel/files/profile-compatibility-version-1.20.yaml
diff --git a/resources/v1.23.2/charts/ztunnel/files/profile-compatibility-version-1.21.yaml b/resources/v1.23.2/charts/ztunnel/files/profile-compatibility-version-1.21.yaml
new file mode 100644
index 000000000..d11c242b5
--- /dev/null
+++ b/resources/v1.23.2/charts/ztunnel/files/profile-compatibility-version-1.21.yaml
@@ -0,0 +1,23 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+ env:
+ # 1.22 behavioral changes
+ ENABLE_ENHANCED_RESOURCE_SCOPING: "false"
+ ENABLE_RESOLUTION_NONE_TARGET_PORT: "false"
+
+ # 1.23 behavioral changes
+ ENABLE_DELIMITED_STATS_TAG_REGEX: "false"
+
+meshConfig:
+ # 1.22 behavioral changes
+ defaultConfig:
+ proxyMetadata:
+ ISTIO_DELTA_XDS: "false"
+ # 1.23 behavioral changes
+ ENABLE_DELIMITED_STATS_TAG_REGEX: "false"
+ tracing:
+ zipkin:
+ address: zipkin.istio-system:9411
diff --git a/resources/v1.23.2/charts/ztunnel/files/profile-compatibility-version-1.22.yaml b/resources/v1.23.2/charts/ztunnel/files/profile-compatibility-version-1.22.yaml
new file mode 100644
index 000000000..b091e2b94
--- /dev/null
+++ b/resources/v1.23.2/charts/ztunnel/files/profile-compatibility-version-1.22.yaml
@@ -0,0 +1,16 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+ env:
+ # 1.23 behavioral changes
+ ENABLE_DELIMITED_STATS_TAG_REGEX: "false"
+
+meshConfig:
+ defaultConfig:
+ proxyMetadata:
+ # 1.22 behavioral changes
+ ENABLE_DEFERRED_CLUSTER_CREATION: "false"
+ # 1.23 behavioral changes
+ ENABLE_DELIMITED_STATS_TAG_REGEX: "false"
diff --git a/resources/v1.23.0/charts/ztunnel/files/profile-demo.yaml b/resources/v1.23.2/charts/ztunnel/files/profile-demo.yaml
similarity index 100%
rename from resources/v1.23.0/charts/ztunnel/files/profile-demo.yaml
rename to resources/v1.23.2/charts/ztunnel/files/profile-demo.yaml
diff --git a/resources/v1.23.0/charts/ztunnel/files/profile-openshift-ambient.yaml b/resources/v1.23.2/charts/ztunnel/files/profile-openshift-ambient.yaml
similarity index 100%
rename from resources/v1.23.0/charts/ztunnel/files/profile-openshift-ambient.yaml
rename to resources/v1.23.2/charts/ztunnel/files/profile-openshift-ambient.yaml
diff --git a/resources/v1.23.0/charts/ztunnel/files/profile-openshift.yaml b/resources/v1.23.2/charts/ztunnel/files/profile-openshift.yaml
similarity index 100%
rename from resources/v1.23.0/charts/ztunnel/files/profile-openshift.yaml
rename to resources/v1.23.2/charts/ztunnel/files/profile-openshift.yaml
diff --git a/resources/v1.23.0/charts/istiod/files/profile-preview.yaml b/resources/v1.23.2/charts/ztunnel/files/profile-preview.yaml
similarity index 100%
rename from resources/v1.23.0/charts/istiod/files/profile-preview.yaml
rename to resources/v1.23.2/charts/ztunnel/files/profile-preview.yaml
diff --git a/resources/v1.23.0/charts/istiod/files/profile-stable.yaml b/resources/v1.23.2/charts/ztunnel/files/profile-stable.yaml
similarity index 100%
rename from resources/v1.23.0/charts/istiod/files/profile-stable.yaml
rename to resources/v1.23.2/charts/ztunnel/files/profile-stable.yaml
diff --git a/resources/v1.23.0/charts/ztunnel/templates/NOTES.txt b/resources/v1.23.2/charts/ztunnel/templates/NOTES.txt
similarity index 100%
rename from resources/v1.23.0/charts/ztunnel/templates/NOTES.txt
rename to resources/v1.23.2/charts/ztunnel/templates/NOTES.txt
diff --git a/resources/v1.23.0/charts/ztunnel/templates/_helpers.tpl b/resources/v1.23.2/charts/ztunnel/templates/_helpers.tpl
similarity index 100%
rename from resources/v1.23.0/charts/ztunnel/templates/_helpers.tpl
rename to resources/v1.23.2/charts/ztunnel/templates/_helpers.tpl
diff --git a/resources/v1.23.0/charts/ztunnel/templates/daemonset.yaml b/resources/v1.23.2/charts/ztunnel/templates/daemonset.yaml
similarity index 100%
rename from resources/v1.23.0/charts/ztunnel/templates/daemonset.yaml
rename to resources/v1.23.2/charts/ztunnel/templates/daemonset.yaml
diff --git a/resources/v1.23.0/charts/ztunnel/templates/rbac.yaml b/resources/v1.23.2/charts/ztunnel/templates/rbac.yaml
similarity index 100%
rename from resources/v1.23.0/charts/ztunnel/templates/rbac.yaml
rename to resources/v1.23.2/charts/ztunnel/templates/rbac.yaml
diff --git a/resources/v1.22.3/charts/cni/templates/zzz_profile.yaml b/resources/v1.23.2/charts/ztunnel/templates/zzz_profile.yaml
similarity index 88%
rename from resources/v1.22.3/charts/cni/templates/zzz_profile.yaml
rename to resources/v1.23.2/charts/ztunnel/templates/zzz_profile.yaml
index 6359d435a..752a7f375 100644
--- a/resources/v1.22.3/charts/cni/templates/zzz_profile.yaml
+++ b/resources/v1.23.2/charts/ztunnel/templates/zzz_profile.yaml
@@ -15,6 +15,7 @@ However, we can workaround this by placing all of (1) under a specific key (.Val We can then merge the profile onto the defaults, then the user settings onto that. Finally, we can set all of that under .Values so the chart behaves without awareness. */}} +{{- $globals := $.Values.global | default dict | deepCopy }} {{- $defaults := $.Values.defaults }} {{- $_ := unset $.Values "defaults" }} {{- $profile := dict }} @@ -35,4 +36,8 @@ Finally, we can set all of that under .Values so the chart behaves without aware {{- if $profile }} {{- $a := mustMergeOverwrite $defaults $profile }} {{- end }} +# Flatten globals, if defined on a per-chart basis +{{- if true }} +{{- $a := mustMergeOverwrite $defaults $globals }} +{{- end }} {{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }} diff --git a/resources/v1.23.0/charts/ztunnel/values.yaml b/resources/v1.23.2/charts/ztunnel/values.yaml similarity index 99% rename from resources/v1.23.0/charts/ztunnel/values.yaml rename to resources/v1.23.2/charts/ztunnel/values.yaml index c3220356b..64ebfcaba 100644 --- a/resources/v1.23.0/charts/ztunnel/values.yaml +++ b/resources/v1.23.2/charts/ztunnel/values.yaml @@ -4,7 +4,7 @@ defaults: # Hub to pull from. Image will be `Hub/Image:Tag-Variant` hub: docker.io/istio # Tag to pull from. Image will be `Hub/Image:Tag-Variant` - tag: 1.23.0 + tag: 1.23.2 # Variant to pull. Options are "debug" or "distroless". Unset will use the default for the given version. variant: "" diff --git a/resources/v1.23.0/profiles/ambient.yaml b/resources/v1.23.2/profiles/ambient.yaml similarity index 100% rename from resources/v1.23.0/profiles/ambient.yaml rename to resources/v1.23.2/profiles/ambient.yaml diff --git a/resources/v1.23.0/profiles/default.yaml b/resources/v1.23.2/profiles/default.yaml similarity index 100% rename from resources/v1.23.0/profiles/default.yaml rename to resources/v1.23.2/profiles/default.yaml 
diff --git a/resources/v1.23.0/profiles/demo.yaml b/resources/v1.23.2/profiles/demo.yaml similarity index 100% rename from resources/v1.23.0/profiles/demo.yaml rename to resources/v1.23.2/profiles/demo.yaml diff --git a/resources/v1.23.0/profiles/empty.yaml b/resources/v1.23.2/profiles/empty.yaml similarity index 100% rename from resources/v1.23.0/profiles/empty.yaml rename to resources/v1.23.2/profiles/empty.yaml diff --git a/resources/v1.23.0/profiles/openshift-ambient.yaml b/resources/v1.23.2/profiles/openshift-ambient.yaml similarity index 100% rename from resources/v1.23.0/profiles/openshift-ambient.yaml rename to resources/v1.23.2/profiles/openshift-ambient.yaml diff --git a/resources/v1.23.0/profiles/openshift.yaml b/resources/v1.23.2/profiles/openshift.yaml similarity index 100% rename from resources/v1.23.0/profiles/openshift.yaml rename to resources/v1.23.2/profiles/openshift.yaml diff --git a/resources/v1.23.0/profiles/preview.yaml b/resources/v1.23.2/profiles/preview.yaml similarity index 100% rename from resources/v1.23.0/profiles/preview.yaml rename to resources/v1.23.2/profiles/preview.yaml diff --git a/resources/v1.23.0/profiles/stable.yaml b/resources/v1.23.2/profiles/stable.yaml similarity index 100% rename from resources/v1.23.0/profiles/stable.yaml rename to resources/v1.23.2/profiles/stable.yaml diff --git a/versions.yaml b/versions.yaml index cad5acf9f..6f4a4e74a 100644 --- a/versions.yaml +++ b/versions.yaml 
@@ -11,45 +11,45 @@ # go.mod affect the generated API schema for the Sail CRDs (e.g. IstioRevision), # as well as all the Istio CRDs (e.g. VirtualService). versions: - - name: v1.23.0 - version: 1.23.0 + - name: v1.23.2 + version: 1.23.2 repo: https://github.com/istio/istio - commit: 1.23.0 + commit: 1.23.2 charts: - - https://istio-release.storage.googleapis.com/charts/base-1.23.0.tgz - - https://istio-release.storage.googleapis.com/charts/istiod-1.23.0.tgz - - https://istio-release.storage.googleapis.com/charts/istiod-remote-1.23.0.tgz - - https://istio-release.storage.googleapis.com/charts/gateway-1.23.0.tgz - - https://istio-release.storage.googleapis.com/charts/cni-1.23.0.tgz - - https://istio-release.storage.googleapis.com/charts/ztunnel-1.23.0.tgz - - name: v1.22.3 - version: 1.22.3 + - https://istio-release.storage.googleapis.com/charts/base-1.23.2.tgz + - https://istio-release.storage.googleapis.com/charts/istiod-1.23.2.tgz + - https://istio-release.storage.googleapis.com/charts/istiod-remote-1.23.2.tgz + - https://istio-release.storage.googleapis.com/charts/gateway-1.23.2.tgz + - https://istio-release.storage.googleapis.com/charts/cni-1.23.2.tgz + - https://istio-release.storage.googleapis.com/charts/ztunnel-1.23.2.tgz + - name: v1.22.5 + version: 1.22.5 repo: https://github.com/istio/istio - commit: 1.22.3 + commit: 1.22.5 charts: - - https://istio-release.storage.googleapis.com/charts/base-1.22.3.tgz - - https://istio-release.storage.googleapis.com/charts/istiod-1.22.3.tgz - - https://istio-release.storage.googleapis.com/charts/gateway-1.22.3.tgz - - https://istio-release.storage.googleapis.com/charts/cni-1.22.3.tgz - - https://istio-release.storage.googleapis.com/charts/ztunnel-1.22.3.tgz - - name: v1.21.5 - version: 1.21.5 + - https://istio-release.storage.googleapis.com/charts/base-1.22.5.tgz + - https://istio-release.storage.googleapis.com/charts/istiod-1.22.5.tgz + - https://istio-release.storage.googleapis.com/charts/gateway-1.22.5.tgz + - 
https://istio-release.storage.googleapis.com/charts/cni-1.22.5.tgz + - https://istio-release.storage.googleapis.com/charts/ztunnel-1.22.5.tgz + - name: v1.21.6 + version: 1.21.6 repo: https://github.com/istio/istio - commit: 1.21.5 + commit: 1.21.6 charts: - - https://istio-release.storage.googleapis.com/charts/base-1.21.5.tgz - - https://istio-release.storage.googleapis.com/charts/istiod-1.21.5.tgz - - https://istio-release.storage.googleapis.com/charts/gateway-1.21.5.tgz - - https://istio-release.storage.googleapis.com/charts/cni-1.21.5.tgz - - https://istio-release.storage.googleapis.com/charts/ztunnel-1.21.5.tgz + - https://istio-release.storage.googleapis.com/charts/base-1.21.6.tgz + - https://istio-release.storage.googleapis.com/charts/istiod-1.21.6.tgz + - https://istio-release.storage.googleapis.com/charts/gateway-1.21.6.tgz + - https://istio-release.storage.googleapis.com/charts/cni-1.21.6.tgz + - https://istio-release.storage.googleapis.com/charts/ztunnel-1.21.6.tgz - name: latest - version: 1.24-alpha.fe2a04689d3b7abf7630dc5646bf825e0c0592fe + version: 1.24-alpha.6f95f8c912c44489b4f78568207337bd907f46c1 repo: https://github.com/istio/istio branch: master - commit: fe2a04689d3b7abf7630dc5646bf825e0c0592fe + commit: 6f95f8c912c44489b4f78568207337bd907f46c1 charts: - - https://storage.googleapis.com/istio-build/dev/1.24-alpha.fe2a04689d3b7abf7630dc5646bf825e0c0592fe/helm/base-1.24-alpha.fe2a04689d3b7abf7630dc5646bf825e0c0592fe.tgz - - https://storage.googleapis.com/istio-build/dev/1.24-alpha.fe2a04689d3b7abf7630dc5646bf825e0c0592fe/helm/cni-1.24-alpha.fe2a04689d3b7abf7630dc5646bf825e0c0592fe.tgz - - https://storage.googleapis.com/istio-build/dev/1.24-alpha.fe2a04689d3b7abf7630dc5646bf825e0c0592fe/helm/gateway-1.24-alpha.fe2a04689d3b7abf7630dc5646bf825e0c0592fe.tgz - - https://storage.googleapis.com/istio-build/dev/1.24-alpha.fe2a04689d3b7abf7630dc5646bf825e0c0592fe/helm/istiod-1.24-alpha.fe2a04689d3b7abf7630dc5646bf825e0c0592fe.tgz - - 
https://storage.googleapis.com/istio-build/dev/1.24-alpha.fe2a04689d3b7abf7630dc5646bf825e0c0592fe/helm/ztunnel-1.24-alpha.fe2a04689d3b7abf7630dc5646bf825e0c0592fe.tgz + - https://storage.googleapis.com/istio-build/dev/1.24-alpha.6f95f8c912c44489b4f78568207337bd907f46c1/helm/base-1.24-alpha.6f95f8c912c44489b4f78568207337bd907f46c1.tgz + - https://storage.googleapis.com/istio-build/dev/1.24-alpha.6f95f8c912c44489b4f78568207337bd907f46c1/helm/cni-1.24-alpha.6f95f8c912c44489b4f78568207337bd907f46c1.tgz + - https://storage.googleapis.com/istio-build/dev/1.24-alpha.6f95f8c912c44489b4f78568207337bd907f46c1/helm/gateway-1.24-alpha.6f95f8c912c44489b4f78568207337bd907f46c1.tgz + - https://storage.googleapis.com/istio-build/dev/1.24-alpha.6f95f8c912c44489b4f78568207337bd907f46c1/helm/istiod-1.24-alpha.6f95f8c912c44489b4f78568207337bd907f46c1.tgz + - https://storage.googleapis.com/istio-build/dev/1.24-alpha.6f95f8c912c44489b4f78568207337bd907f46c1/helm/ztunnel-1.24-alpha.6f95f8c912c44489b4f78568207337bd907f46c1.tgz From 31f96d997d3fe9d8108b35860d767f839418063f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marko=20Luk=C5=A1a?= Date: Mon, 7 Oct 2024 15:30:25 +0200 Subject: [PATCH 34/68] Add generics to EnqueueEventLogger and AdditionNotifierQueue MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Marko Lukša --- pkg/enqueuelogger/queue.go | 25 +++++++++++-------------- pkg/enqueuelogger/wrapper.go | 15 ++++++++------- 2 files changed, 19 insertions(+), 21 deletions(-) diff --git a/pkg/enqueuelogger/queue.go b/pkg/enqueuelogger/queue.go index f0f3b4b55..b8c76d522 100644 --- a/pkg/enqueuelogger/queue.go +++ b/pkg/enqueuelogger/queue.go 
@@ -18,22 +18,19 @@ import (
 	"time"
 
 	"k8s.io/client-go/util/workqueue"
+	"sigs.k8s.io/controller-runtime/pkg/reconcile"
 )
 
 // AdditionNotifierQueue is a queue that calls an onAdd function whenever an item is added to the queue.
 // It is meant to be used in conjunction with EnqueueEventLogger to log items enqueued by a handler.
 type AdditionNotifierQueue struct {
-	delegate workqueue.RateLimitingInterface
-	onAdd func(item any)
+	delegate workqueue.TypedRateLimitingInterface[reconcile.Request]
+	onAdd func(item reconcile.Request)
 }
 
-var _ workqueue.RateLimitingInterface = &AdditionNotifierQueue{}
+var _ workqueue.TypedRateLimitingInterface[reconcile.Request] = &AdditionNotifierQueue{}
 
-func NewAdditionNotifierQueue(delegate workqueue.RateLimitingInterface, onAddFunc func(item any)) *AdditionNotifierQueue {
-	return &AdditionNotifierQueue{delegate: delegate}
-}
-
-func (q *AdditionNotifierQueue) Add(item interface{}) {
+func (q *AdditionNotifierQueue) Add(item reconcile.Request) {
 	q.delegate.Add(item)
 	q.onAdd(item)
 }
@@ -42,11 +39,11 @@ func (q *AdditionNotifierQueue) Len() int {
 	return q.delegate.Len()
 }
 
-func (q *AdditionNotifierQueue) Get() (item interface{}, shutdown bool) {
+func (q *AdditionNotifierQueue) Get() (item reconcile.Request, shutdown bool) {
 	return q.delegate.Get()
 }
 
-func (q *AdditionNotifierQueue) Done(item interface{}) {
+func (q *AdditionNotifierQueue) Done(item reconcile.Request) {
 	q.delegate.Done(item)
 }
 
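Review bot: `Add` calls `q.onAdd(item)` unconditionally, and with `NewAdditionNotifierQueue` removed the only way left to build an `AdditionNotifierQueue` is a struct literal, so a zero-value or partially initialised queue panics on its first enqueue; the same applies to `AddAfter` and `AddRateLimited` in the last hunk of this file. The removed constructor never set `onAdd` either (`return &AdditionNotifierQueue{delegate: delegate}`), so nothing built through it could have worked, which makes dropping it reasonable. Since both fields are unexported, no other package can construct the type any more; if that is intended, consider unexporting the type as well, otherwise guard the callback with `if q.onAdd != nil { q.onAdd(item) }` in the three notifying methods. A one-line doc comment on the struct fields stating that `onAdd` must be non-nil would also help the next maintainer.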
@@ -62,20 +59,20 @@ func (q *AdditionNotifierQueue) ShuttingDown() bool {
 	return q.delegate.ShuttingDown()
 }
 
-func (q *AdditionNotifierQueue) AddAfter(item interface{}, duration time.Duration) {
+func (q *AdditionNotifierQueue) AddAfter(item reconcile.Request, duration time.Duration) {
 	q.delegate.AddAfter(item, duration)
 	q.onAdd(item)
 }
 
-func (q *AdditionNotifierQueue) AddRateLimited(item interface{}) {
+func (q *AdditionNotifierQueue) AddRateLimited(item reconcile.Request) {
 	q.delegate.AddRateLimited(item)
 	q.onAdd(item)
 }
 
-func (q *AdditionNotifierQueue) Forget(item interface{}) {
+func (q *AdditionNotifierQueue) Forget(item reconcile.Request) {
 	q.delegate.Forget(item)
 }
 
-func (q *AdditionNotifierQueue) NumRequeues(item interface{}) int {
+func (q *AdditionNotifierQueue) NumRequeues(item reconcile.Request) int {
 	return q.delegate.NumRequeues(item)
 }
diff --git a/pkg/enqueuelogger/wrapper.go b/pkg/enqueuelogger/wrapper.go
index 6aae8122e..f7c20472d 100644
--- a/pkg/enqueuelogger/wrapper.go
+++ b/pkg/enqueuelogger/wrapper.go
@@ -40,27 +40,28 @@ type EnqueueEventLogger struct {
 
 var _ handler.EventHandler = &EnqueueEventLogger{}
 
-func (h *EnqueueEventLogger) Create(ctx context.Context, e event.TypedCreateEvent[client.Object], q workqueue.RateLimitingInterface) {
+func (h *EnqueueEventLogger) Create(ctx context.Context, e event.TypedCreateEvent[client.Object], q workqueue.TypedRateLimitingInterface[reconcile.Request]) {
 	h.delegate.Create(ctx, e, h.wrapQueue(q, "Create", e.Object))
 }
 
-func (h *EnqueueEventLogger) Update(ctx context.Context, e event.TypedUpdateEvent[client.Object], q workqueue.RateLimitingInterface) {
+func (h *EnqueueEventLogger) Update(ctx context.Context, e event.TypedUpdateEvent[client.Object], q workqueue.TypedRateLimitingInterface[reconcile.Request]) {
 	h.delegate.Update(ctx, e, h.wrapQueue(q, "Update", e.ObjectNew))
 }
 
-func (h *EnqueueEventLogger) Delete(ctx context.Context, e event.TypedDeleteEvent[client.Object], q workqueue.RateLimitingInterface) {
+func (h *EnqueueEventLogger) Delete(ctx context.Context, e event.TypedDeleteEvent[client.Object], q workqueue.TypedRateLimitingInterface[reconcile.Request]) {
 	h.delegate.Delete(ctx, e, h.wrapQueue(q, "Delete", e.Object))
 }
 
-func (h *EnqueueEventLogger) Generic(ctx context.Context, e event.TypedGenericEvent[client.Object], q workqueue.RateLimitingInterface) {
+func (h *EnqueueEventLogger) Generic(ctx context.Context, e event.TypedGenericEvent[client.Object], q workqueue.TypedRateLimitingInterface[reconcile.Request]) {
 	h.delegate.Generic(ctx, e, h.wrapQueue(q, "Generic", e.Object))
 }
 
-func (h *EnqueueEventLogger) wrapQueue(q workqueue.RateLimitingInterface, eventType string, obj client.Object) workqueue.RateLimitingInterface {
+func (h *EnqueueEventLogger) wrapQueue(
+	q workqueue.TypedRateLimitingInterface[reconcile.Request], eventType string, obj client.Object,
+) workqueue.TypedRateLimitingInterface[reconcile.Request] {
 	return &AdditionNotifierQueue{
 		delegate: q,
-		onAdd: func(item any) {
-			request :=
item.(reconcile.Request)
+		onAdd: func(request reconcile.Request) {
 			requestSummary := ObjectSummary{
 				Kind: h.kind,
 				Namespace: request.Namespace,
From 747fcfbe64d945e57a067eaecd7ecf7022eb195b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marko=20Luk=C5=A1a?= Date: Mon, 7 Oct 2024 15:31:03 +0200 Subject: [PATCH 35/68] Make gen MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Marko Lukša --- api/v1alpha1/istio_types.go | 4 ++-- api/v1alpha1/istiocni_types.go | 4 ++-- api/v1alpha1/remoteistio_types.go | 4 ++-- .../sailoperator.clusterserviceversion.yaml | 24 +++++++++---------- .../manifests/sailoperator.io_istiocnis.yaml | 3 ++- bundle/manifests/sailoperator.io_istios.yaml | 3 ++- .../sailoperator.io_remoteistios.yaml | 3 ++- chart/crds/sailoperator.io_istiocnis.yaml | 3 ++- chart/crds/sailoperator.io_istios.yaml | 3 ++- chart/crds/sailoperator.io_remoteistios.yaml | 3 ++- docs/api-reference/sailoperator.io.md | 6 ++--- 11 files changed, 33 insertions(+), 27 deletions(-)
diff --git a/api/v1alpha1/istio_types.go b/api/v1alpha1/istio_types.go
index 2f5c80b1d..f4e492a2e 100644
--- a/api/v1alpha1/istio_types.go
+++ b/api/v1alpha1/istio_types.go
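Review bot: `workqueue.TypedRateLimitingInterface[reconcile.Request]` is now spelled out six times in this hunk (the four handler signatures plus the parameter and result of `wrapQueue`), which is what pushed `wrapQueue` onto a three-line signature. A package-level alias such as `type requestQueue = workqueue.TypedRateLimitingInterface[reconcile.Request]` would keep each signature on one line and keep queue.go in step with this file if the element type ever changes. The closure body and the return of `wrapQueue` continue past the end of the hunk.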
@@ -51,10 +51,10 @@ type IstioSpec struct {
 	// +sail:profile
 	// The built-in installation configuration profile to use.
 	// The 'default' profile is always applied. On OpenShift, the 'openshift' profile is also applied on top of 'default'.
-	// Must be one of: ambient, default, demo, empty, openshift-ambient, openshift, preview, stable.
+	// Must be one of: ambient, default, demo, empty, external, openshift-ambient, openshift, preview, stable.
 	// +++PROFILES-DROPDOWN-HIDDEN-UNTIL-WE-FULLY-IMPLEMENT-THEM+++operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Profile",xDescriptors={"urn:alm:descriptor:com.tectonic.ui:fieldGroup:General", "urn:alm:descriptor:com.tectonic.ui:select:ambient", "urn:alm:descriptor:com.tectonic.ui:select:default", "urn:alm:descriptor:com.tectonic.ui:select:demo", "urn:alm:descriptor:com.tectonic.ui:select:empty", "urn:alm:descriptor:com.tectonic.ui:select:external", "urn:alm:descriptor:com.tectonic.ui:select:minimal", "urn:alm:descriptor:com.tectonic.ui:select:preview", "urn:alm:descriptor:com.tectonic.ui:select:remote"}
 	// +operator-sdk:csv:customresourcedefinitions:type=spec,xDescriptors={"urn:alm:descriptor:com.tectonic.ui:hidden"}
-	// +kubebuilder:validation:Enum=ambient;default;demo;empty;openshift-ambient;openshift;preview;stable
+	// +kubebuilder:validation:Enum=ambient;default;demo;empty;external;openshift-ambient;openshift;preview;stable
 	Profile string `json:"profile,omitempty"`
 
 	// Namespace to which the Istio components should be installed.
diff --git a/api/v1alpha1/istiocni_types.go b/api/v1alpha1/istiocni_types.go
index e3decef59..535af7237 100644
--- a/api/v1alpha1/istiocni_types.go
+++ b/api/v1alpha1/istiocni_types.go
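Review bot: The `+kubebuilder:validation:Enum` now admits `external`, but this enum applies to every Istio version the operator supports, while the profiles are shipped per version; the rename list earlier in this series shows `resources/v1.23.2/profiles/` holding ambient, default, demo, empty, openshift-ambient, openshift, preview and stable, with no `external.yaml`. If `external` exists only for a newer version (that is an inference from the rename list, not something this hunk states), then `profile: external` combined with `version: v1.23.2` passes admission and fails later during reconciliation, which is much harder for users to diagnose than a validation error. Consider a doc line on the field such as `// Profiles are resolved per Istio version; not every profile exists for every version.`, or a CEL rule that couples `profile` with `version` so the mismatch is rejected at admission time. The same change is made in istiocni_types.go and remoteistio_types.go in the next two hunks; `IstioSpec` starts before and continues after this hunk.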
@@ -37,10 +37,10 @@ type IstioCNISpec struct {
 	// +sail:profile
 	// The built-in installation configuration profile to use.
 	// The 'default' profile is always applied. On OpenShift, the 'openshift' profile is also applied on top of 'default'.
-	// Must be one of: ambient, default, demo, empty, openshift-ambient, openshift, preview, stable.
+	// Must be one of: ambient, default, demo, empty, external, openshift-ambient, openshift, preview, stable.
 	// +++PROFILES-DROPDOWN-HIDDEN-UNTIL-WE-FULLY-IMPLEMENT-THEM+++operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Profile",xDescriptors={"urn:alm:descriptor:com.tectonic.ui:fieldGroup:General", "urn:alm:descriptor:com.tectonic.ui:select:ambient", "urn:alm:descriptor:com.tectonic.ui:select:default", "urn:alm:descriptor:com.tectonic.ui:select:demo", "urn:alm:descriptor:com.tectonic.ui:select:empty", "urn:alm:descriptor:com.tectonic.ui:select:external", "urn:alm:descriptor:com.tectonic.ui:select:minimal", "urn:alm:descriptor:com.tectonic.ui:select:preview", "urn:alm:descriptor:com.tectonic.ui:select:remote"}
 	// +operator-sdk:csv:customresourcedefinitions:type=spec,xDescriptors={"urn:alm:descriptor:com.tectonic.ui:hidden"}
-	// +kubebuilder:validation:Enum=ambient;default;demo;empty;openshift-ambient;openshift;preview;stable
+	// +kubebuilder:validation:Enum=ambient;default;demo;empty;external;openshift-ambient;openshift;preview;stable
 	Profile string `json:"profile,omitempty"`
 
 	// Namespace to which the Istio CNI component should be installed.
diff --git a/api/v1alpha1/remoteistio_types.go b/api/v1alpha1/remoteistio_types.go
index 50f773d33..463906896 100644
--- a/api/v1alpha1/remoteistio_types.go
+++ b/api/v1alpha1/remoteistio_types.go
@@ -41,10 +41,10 @@ type RemoteIstioSpec struct {
 	// +sail:profile
 	// The built-in installation configuration profile to use.
 	// The 'default' profile is always applied. On OpenShift, the 'openshift' profile is also applied on top of 'default'.
-	// Must be one of: ambient, default, demo, empty, openshift-ambient, openshift, preview, stable.
+	// Must be one of: ambient, default, demo, empty, external, openshift-ambient, openshift, preview, stable.
 	// +++PROFILES-DROPDOWN-HIDDEN-UNTIL-WE-FULLY-IMPLEMENT-THEM+++operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Profile",xDescriptors={"urn:alm:descriptor:com.tectonic.ui:fieldGroup:General", "urn:alm:descriptor:com.tectonic.ui:select:ambient", "urn:alm:descriptor:com.tectonic.ui:select:default", "urn:alm:descriptor:com.tectonic.ui:select:demo", "urn:alm:descriptor:com.tectonic.ui:select:empty", "urn:alm:descriptor:com.tectonic.ui:select:external", "urn:alm:descriptor:com.tectonic.ui:select:minimal", "urn:alm:descriptor:com.tectonic.ui:select:preview", "urn:alm:descriptor:com.tectonic.ui:select:remote"}
 	// +operator-sdk:csv:customresourcedefinitions:type=spec,xDescriptors={"urn:alm:descriptor:com.tectonic.ui:hidden"}
-	// +kubebuilder:validation:Enum=ambient;default;demo;empty;openshift-ambient;openshift;preview;stable
+	// +kubebuilder:validation:Enum=ambient;default;demo;empty;external;openshift-ambient;openshift;preview;stable
 	Profile string `json:"profile,omitempty"`
 
 	// Namespace to which the Istio components should be installed.
diff --git a/bundle/manifests/sailoperator.clusterserviceversion.yaml b/bundle/manifests/sailoperator.clusterserviceversion.yaml
index 0d1dc579e..152be4751 100644
--- a/bundle/manifests/sailoperator.clusterserviceversion.yaml
+++ b/bundle/manifests/sailoperator.clusterserviceversion.yaml
@@ -34,7 +34,7 @@ metadata: capabilities: Seamless Upgrades categories: OpenShift Optional, Integration & Delivery, Networking, Security containerImage: quay.io/maistra-dev/sail-operator:0.2-latest - createdAt: "2024-10-07T12:34:17Z" + createdAt: "2024-10-07T12:47:15Z" description: Experimental operator for installing Istio service mesh features.operators.openshift.io/cnf: "false" features.operators.openshift.io/cni: "true" @@ -177,7 +177,7 @@ spec: - description: |- The built-in installation configuration profile to use. The 'default' profile is always applied. On OpenShift, the 'openshift' profile is also applied on top of 'default'. - Must be one of: ambient, default, demo, empty, openshift-ambient, openshift, preview, stable. + Must be one of: ambient, default, demo, empty, external, openshift-ambient, openshift, preview, stable. displayName: Profile path: profile x-descriptors: @@ -280,7 +280,7 @@ spec: - description: |- The built-in installation configuration profile to use. The 'default' profile is always applied. On OpenShift, the 'openshift' profile is also applied on top of 'default'. - Must be one of: ambient, default, demo, empty, openshift-ambient, openshift, preview, stable. + Must be one of: ambient, default, demo, empty, external, openshift-ambient, openshift, preview, stable. displayName: Profile path: profile x-descriptors: @@ -352,7 +352,7 @@ spec: - description: |- The built-in installation configuration profile to use. The 'default' profile is always applied. On OpenShift, the 'openshift' profile is also applied on top of 'default'. - Must be one of: ambient, default, demo, empty, openshift-ambient, openshift, preview, stable. + Must be one of: ambient, default, demo, empty, external, openshift-ambient, openshift, preview, stable. displayName: Profile path: profile x-descriptors: 
@@ -602,14 +602,14 @@ spec: images.latest.istiod: null/null:null images.latest.proxy: null/null:null images.latest.ztunnel: null/null:null - images.v1_21_6.cni: '/:' + images.v1_21_6.cni: docker.io/istio/install-cni:1.21.6 images.v1_21_6.istiod: docker.io/istio/pilot:1.21.6 images.v1_21_6.proxy: docker.io/istio/proxyv2:1.21.6 - images.v1_21_6.ztunnel: '/:' - images.v1_22_5.cni: '/:' + images.v1_21_6.ztunnel: docker.io/istio/ztunnel:1.21.6 + images.v1_22_5.cni: docker.io/istio/install-cni:1.22.5 images.v1_22_5.istiod: docker.io/istio/pilot:1.22.5 images.v1_22_5.proxy: docker.io/istio/proxyv2:1.22.5 - images.v1_22_5.ztunnel: '/:' + images.v1_22_5.ztunnel: docker.io/istio/ztunnel:1.22.5 images.v1_23_2.cni: docker.io/istio/install-cni:1.23.2 images.v1_23_2.istiod: docker.io/istio/pilot:1.23.2 images.v1_23_2.proxy: docker.io/istio/proxyv2:1.23.2 @@ -774,21 +774,21 @@ spec: name: latest.proxy - image: null/null:null name: latest.ztunnel - - image: '/:' + - image: docker.io/istio/install-cni:1.21.6 name: v1_21_6.cni - image: docker.io/istio/pilot:1.21.6 name: v1_21_6.istiod - image: docker.io/istio/proxyv2:1.21.6 name: v1_21_6.proxy - - image: '/:' + - image: docker.io/istio/ztunnel:1.21.6 name: v1_21_6.ztunnel - - image: '/:' + - image: docker.io/istio/install-cni:1.22.5 name: v1_22_5.cni - image: docker.io/istio/pilot:1.22.5 name: v1_22_5.istiod - image: docker.io/istio/proxyv2:1.22.5 name: v1_22_5.proxy - - image: '/:' + - image: docker.io/istio/ztunnel:1.22.5 name: v1_22_5.ztunnel - image: docker.io/istio/install-cni:1.23.2 name: v1_23_2.cni diff --git a/bundle/manifests/sailoperator.io_istiocnis.yaml b/bundle/manifests/sailoperator.io_istiocnis.yaml index aa509468b..e3d386e7e 100644 --- a/bundle/manifests/sailoperator.io_istiocnis.yaml +++ b/bundle/manifests/sailoperator.io_istiocnis.yaml 
@@ -70,12 +70,13 @@ spec: description: |- The built-in installation configuration profile to use. The 'default' profile is always applied. On OpenShift, the 'openshift' profile is also applied on top of 'default'. - Must be one of: ambient, default, demo, empty, openshift-ambient, openshift, preview, stable. + Must be one of: ambient, default, demo, empty, external, openshift-ambient, openshift, preview, stable. enum: - ambient - default - demo - empty + - external - openshift-ambient - openshift - preview diff --git a/bundle/manifests/sailoperator.io_istios.yaml b/bundle/manifests/sailoperator.io_istios.yaml index e4f2de090..57cd36751 100644 --- a/bundle/manifests/sailoperator.io_istios.yaml +++ b/bundle/manifests/sailoperator.io_istios.yaml @@ -91,12 +91,13 @@ spec: description: |- The built-in installation configuration profile to use. The 'default' profile is always applied. On OpenShift, the 'openshift' profile is also applied on top of 'default'. - Must be one of: ambient, default, demo, empty, openshift-ambient, openshift, preview, stable. + Must be one of: ambient, default, demo, empty, external, openshift-ambient, openshift, preview, stable. enum: - ambient - default - demo - empty + - external - openshift-ambient - openshift - preview diff --git a/bundle/manifests/sailoperator.io_remoteistios.yaml b/bundle/manifests/sailoperator.io_remoteistios.yaml index 660aa66a3..f0511ee38 100644 --- a/bundle/manifests/sailoperator.io_remoteistios.yaml +++ b/bundle/manifests/sailoperator.io_remoteistios.yaml 
@@ -86,12 +86,13 @@ spec: description: |- The built-in installation configuration profile to use. The 'default' profile is always applied. On OpenShift, the 'openshift' profile is also applied on top of 'default'. - Must be one of: ambient, default, demo, empty, openshift-ambient, openshift, preview, stable. + Must be one of: ambient, default, demo, empty, external, openshift-ambient, openshift, preview, stable. enum: - ambient - default - demo - empty + - external - openshift-ambient - openshift - preview diff --git a/chart/crds/sailoperator.io_istiocnis.yaml b/chart/crds/sailoperator.io_istiocnis.yaml index 10ec8a6fb..927c61c91 100644 --- a/chart/crds/sailoperator.io_istiocnis.yaml +++ b/chart/crds/sailoperator.io_istiocnis.yaml @@ -70,12 +70,13 @@ spec: description: |- The built-in installation configuration profile to use. The 'default' profile is always applied. On OpenShift, the 'openshift' profile is also applied on top of 'default'. - Must be one of: ambient, default, demo, empty, openshift-ambient, openshift, preview, stable. + Must be one of: ambient, default, demo, empty, external, openshift-ambient, openshift, preview, stable. enum: - ambient - default - demo - empty + - external - openshift-ambient - openshift - preview diff --git a/chart/crds/sailoperator.io_istios.yaml b/chart/crds/sailoperator.io_istios.yaml index 8dd60f5af..f1b6843b9 100644 --- a/chart/crds/sailoperator.io_istios.yaml +++ b/chart/crds/sailoperator.io_istios.yaml @@ -91,12 +91,13 @@ spec: description: |- The built-in installation configuration profile to use. The 'default' profile is always applied. On OpenShift, the 'openshift' profile is also applied on top of 'default'. - Must be one of: ambient, default, demo, empty, openshift-ambient, openshift, preview, stable. + Must be one of: ambient, default, demo, empty, external, openshift-ambient, openshift, preview, stable. enum: - ambient - default - demo - empty + - external - openshift-ambient - openshift - preview 
diff --git a/chart/crds/sailoperator.io_remoteistios.yaml b/chart/crds/sailoperator.io_remoteistios.yaml index ab1d1f3dc..bd7b8e570 100644 --- a/chart/crds/sailoperator.io_remoteistios.yaml +++ b/chart/crds/sailoperator.io_remoteistios.yaml @@ -86,12 +86,13 @@ spec: description: |- The built-in installation configuration profile to use. The 'default' profile is always applied. On OpenShift, the 'openshift' profile is also applied on top of 'default'. - Must be one of: ambient, default, demo, empty, openshift-ambient, openshift, preview, stable. + Must be one of: ambient, default, demo, empty, external, openshift-ambient, openshift, preview, stable. enum: - ambient - default - demo - empty + - external - openshift-ambient - openshift - preview diff --git a/docs/api-reference/sailoperator.io.md b/docs/api-reference/sailoperator.io.md index 08025c5d4..d028681b5 100644 --- a/docs/api-reference/sailoperator.io.md +++ b/docs/api-reference/sailoperator.io.md 
@@ -626,7 +626,7 @@ _Appears in:_ | Field | Description | Default | Validation | | --- | --- | --- | --- | | `version` _string_ | Defines the version of Istio to install. Must be one of: v1.23.2, v1.22.5, v1.21.6, latest. | v1.23.2 | Enum: [v1.23.2 v1.22.5 v1.21.6 latest] | -| `profile` _string_ | The built-in installation configuration profile to use. The 'default' profile is always applied. On OpenShift, the 'openshift' profile is also applied on top of 'default'. Must be one of: ambient, default, demo, empty, openshift-ambient, openshift, preview, stable. | | Enum: [ambient default demo empty openshift-ambient openshift preview stable] | +| `profile` _string_ | The built-in installation configuration profile to use. The 'default' profile is always applied. On OpenShift, the 'openshift' profile is also applied on top of 'default'. Must be one of: ambient, default, demo, empty, external, openshift-ambient, openshift, preview, stable. | | Enum: [ambient default demo empty external openshift-ambient openshift preview stable] | | `namespace` _string_ | Namespace to which the Istio CNI component should be installed. | istio-cni | | | `values` _[CNIValues](#cnivalues)_ | Defines the values to be passed to the Helm charts when installing Istio CNI. | | | 
@@ -908,7 +908,7 @@ _Appears in:_ | --- | --- | --- | --- | | `version` _string_ | Defines the version of Istio to install. Must be one of: v1.23.2, v1.22.5, v1.21.6, latest. | v1.23.2 | Enum: [v1.23.2 v1.22.5 v1.21.6 latest] | | `updateStrategy` _[IstioUpdateStrategy](#istioupdatestrategy)_ | Defines the update strategy to use when the version in the Istio CR is updated. | \{ type:InPlace \} | | -| `profile` _string_ | The built-in installation configuration profile to use. The 'default' profile is always applied. On OpenShift, the 'openshift' profile is also applied on top of 'default'. Must be one of: ambient, default, demo, empty, openshift-ambient, openshift, preview, stable. | | Enum: [ambient default demo empty openshift-ambient openshift preview stable] | +| `profile` _string_ | The built-in installation configuration profile to use. The 'default' profile is always applied. On OpenShift, the 'openshift' profile is also applied on top of 'default'. Must be one of: ambient, default, demo, empty, external, openshift-ambient, openshift, preview, stable. | | Enum: [ambient default demo empty external openshift-ambient openshift preview stable] | | `namespace` _string_ | Namespace to which the Istio components should be installed. | istio-system | | | `values` _[Values](#values)_ | Defines the values to be passed to the Helm charts when installing Istio. | | | 
@@ -2536,7 +2536,7 @@ _Appears in:_
 | --- | --- | --- | --- |
 | `version` _string_ | Defines the version of Istio to install. Must be one of: v1.23.2, v1.22.5, v1.21.6, latest. | v1.23.2 | Enum: [v1.23.2 v1.22.5 v1.21.6 latest] |
 | `updateStrategy` _[IstioUpdateStrategy](#istioupdatestrategy)_ | Defines the update strategy to use when the version in the RemoteIstio CR is updated. | \{ type:InPlace \} | |
-| `profile` _string_ | The built-in installation configuration profile to use. The 'default' profile is always applied. On OpenShift, the 'openshift' profile is also applied on top of 'default'. Must be one of: ambient, default, demo, empty, openshift-ambient, openshift, preview, stable. | | Enum: [ambient default demo empty openshift-ambient openshift preview stable] |
+| `profile` _string_ | The built-in installation configuration profile to use. The 'default' profile is always applied. On OpenShift, the 'openshift' profile is also applied on top of 'default'. Must be one of: ambient, default, demo, empty, external, openshift-ambient, openshift, preview, stable. | | Enum: [ambient default demo empty external openshift-ambient openshift preview stable] |
 | `namespace` _string_ | Namespace to which the Istio components should be installed. | istio-system | |
 | `values` _[Values](#values)_ | Defines the values to be passed to the Helm charts when installing Istio. | | |
From 1336282d2bcb4025c8213e331d0974329c2fc0ff Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marko=20Luk=C5=A1a?=
Date: Tue, 8 Oct 2024 13:18:56 +0200
Subject: [PATCH 36/68] Temporarily disable RemoteIstio tests for 1.24+
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Marko Lukša
---
 tests/e2e/multicluster/multicluster_primaryremote_test.go | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/tests/e2e/multicluster/multicluster_primaryremote_test.go b/tests/e2e/multicluster/multicluster_primaryremote_test.go
index 0b55a1dac..8ee401723 100644
--- a/tests/e2e/multicluster/multicluster_primaryremote_test.go
+++ b/tests/e2e/multicluster/multicluster_primaryremote_test.go
@@ -73,8 +73,9 @@ var _ = Describe("Multicluster deployment models", Ordered, func() {
 Describe("Primary-Remote - Multi-Network configuration", func() {
 // Test the Primary-Remote - Multi-Network configuration for each supported Istio version
 for _, version := range supportedversion.List {
- // The Primary-Remote - Multi-Network configuration is only supported in Istio 1.23 and later
- if version.Version.LessThan(semver.MustParse("1.23.0")) {
+ // The Primary-Remote - Multi-Network configuration is only supported in Istio 1.23, because that's the only
+ // version that has the istiod-remote chart. For 1.24, we need to rewrite the support for RemoteIstio.
+ if version.Version.LessThan(semver.MustParse("1.23.0")) || version.Version.GreaterThanEqual(semver.MustParse("1.24.0")) {
 continue
 }
From 216be066103edeb02cb5a705e960e1e2616f1897 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marko=20Luk=C5=A1a?=
Date: Tue, 8 Oct 2024 13:38:48 +0200
Subject: [PATCH 37/68] Print Istio CNI logs when test fails
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Marko Lukša
---
 tests/e2e/util/common/e2e_utils.go | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/tests/e2e/util/common/e2e_utils.go b/tests/e2e/util/common/e2e_utils.go
index cbc9d68c8..5fec5f6d0 100644
--- a/tests/e2e/util/common/e2e_utils.go
+++ b/tests/e2e/util/common/e2e_utils.go
@@ -190,6 +190,9 @@ func logCNIDebugInfo() {
 describe, err := k.SetNamespace(istioCniNamespace).Describe("daemonset", "istio-cni-node")
 logDebugElement("Istio CNI DaemonSet describe", describe, err)
+
+ logs, err := k.SetNamespace(istioCniNamespace).Logs("daemonset/istio-cni-node", ptr.Of(120*time.Second))
+ logDebugElement("Istio CNI logs", logs, err)
 }
 func logDebugElement(caption string, info string, err error) {
From a6641276f46436dc28c18e20c1c59a3eb1e39623 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marko=20Luk=C5=A1a?=
Date: Tue, 8 Oct 2024 14:49:24 +0200
Subject: [PATCH 38/68] Ensure Primary-Remote e2e test is also skipped for 1.24 pre-release versions
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Marko Lukša
---
 tests/e2e/multicluster/multicluster_primaryremote_test.go | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/tests/e2e/multicluster/multicluster_primaryremote_test.go b/tests/e2e/multicluster/multicluster_primaryremote_test.go
index 8ee401723..e6e45e2fd 100644
--- a/tests/e2e/multicluster/multicluster_primaryremote_test.go
+++ b/tests/e2e/multicluster/multicluster_primaryremote_test.go
@@ -23,7 +23,6 @@ import (
 "strings"
 "time"
- "github.com/Masterminds/semver/v3"
 "github.com/istio-ecosystem/sail-operator/api/v1alpha1"
 "github.com/istio-ecosystem/sail-operator/pkg/kube"
 "github.com/istio-ecosystem/sail-operator/pkg/test/project"
@@ -75,7 +74,7 @@ var _ = Describe("Multicluster deployment models", Ordered, func() {
 for _, version := range supportedversion.List {
 // The Primary-Remote - Multi-Network configuration is only supported in Istio 1.23, because that's the only
 // version that has the istiod-remote chart. For 1.24, we need to rewrite the support for RemoteIstio.
- if version.Version.LessThan(semver.MustParse("1.23.0")) || version.Version.GreaterThanEqual(semver.MustParse("1.24.0")) {
+ if !(version.Version.Major() == 1 && version.Version.Minor() == 23) {
 continue
 }
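Review bot: Both added lines call `k.SetNamespace(istioCniNamespace)`, which at this point in the series mutates the shared package-level `k` rather than returning a copy (the later commit that renames it to WithNamespace says so, and the tests pair every SetNamespace with `k.ResetNamespace()`), so anything that runs after this debug helper inherits the CNI namespace unless a reset exists in the part of logCNIDebugInfo outside the hunk. A `defer k.ResetNamespace()` at the top of the function would make the helper side-effect free regardless of how it exits. If Logs maps onto `kubectl logs`, a `daemonset/` target prints one pod's log, which on a multi-node cluster may not be the node where CNI failed; a comment such as `// NOTE: only one of the DaemonSet's pods is logged` on the Logs line would make that limitation explicit.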
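Review bot: The new skip condition `if !(version.Version.Major() == 1 && version.Version.Minor() == 23) {` is a negated conjunction; the equivalent `if version.Version.Major() != 1 || version.Version.Minor() != 23 {` reads directly as "anything other than 1.23" and drops the outer `!(...)`. The comment explains why 1.24 is excluded but gives nothing to search for when RemoteIstio support is rewritten; appending `// TODO: re-enable for 1.24+ once RemoteIstio support is rewritten` to it would make the temporary skip easy to find and revert. The enclosing Describe starts and ends outside the hunk.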
From b43355f2a4c135ab33d6b3c12cceba4da4e68708 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marko=20Luk=C5=A1a?=
Date: Tue, 8 Oct 2024 15:37:03 +0200
Subject: [PATCH 39/68] Fix patch-csv.sh so that it finds hub, image, and tag in newer Istio versions
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Newer Istio versions use `._internal_defaults_do_not_set` instead of `.defaults` in `values.yaml`.
Signed-off-by: Marko Lukša
---
 .../sailoperator.clusterserviceversion.yaml | 18 +++---
 hack/patch-csv.sh | 49 +++++++++++++------
 2 files changed, 43 insertions(+), 24 deletions(-)
diff --git a/bundle/manifests/sailoperator.clusterserviceversion.yaml b/bundle/manifests/sailoperator.clusterserviceversion.yaml
index 152be4751..9e416984c 100644
--- a/bundle/manifests/sailoperator.clusterserviceversion.yaml
+++ b/bundle/manifests/sailoperator.clusterserviceversion.yaml
@@ -34,7 +34,7 @@ metadata:
 capabilities: Seamless Upgrades
 categories: OpenShift Optional, Integration & Delivery, Networking, Security
 containerImage: quay.io/maistra-dev/sail-operator:0.2-latest
- createdAt: "2024-10-07T12:47:15Z"
+ createdAt: "2024-10-08T13:33:26Z"
 description: Experimental operator for installing Istio service mesh
 features.operators.openshift.io/cnf: "false"
 features.operators.openshift.io/cni: "true"
@@ -598,10 +598,10 @@ spec:
 template:
 metadata:
 annotations:
- images.latest.cni: null/null:null
- images.latest.istiod: null/null:null
- images.latest.proxy: null/null:null
- images.latest.ztunnel: null/null:null
+ images.latest.cni: gcr.io/istio-testing/install-cni:1.24-alpha.6f95f8c912c44489b4f78568207337bd907f46c1
+ images.latest.istiod: gcr.io/istio-testing/pilot:1.24-alpha.6f95f8c912c44489b4f78568207337bd907f46c1
+ images.latest.proxy: gcr.io/istio-testing/proxyv2:1.24-alpha.6f95f8c912c44489b4f78568207337bd907f46c1
+ images.latest.ztunnel: gcr.io/istio-testing/ztunnel:1.24-alpha.6f95f8c912c44489b4f78568207337bd907f46c1
 images.v1_21_6.cni: docker.io/istio/install-cni:1.21.6
 images.v1_21_6.istiod: docker.io/istio/pilot:1.21.6
 images.v1_21_6.proxy: docker.io/istio/proxyv2:1.21.6
@@ -766,13 +766,13 @@ spec:
 provider:
 name: Red Hat, Inc.
 relatedImages:
- - image: null/null:null
+ - image: gcr.io/istio-testing/install-cni:1.24-alpha.6f95f8c912c44489b4f78568207337bd907f46c1
 name: latest.cni
- - image: null/null:null
+ - image: gcr.io/istio-testing/pilot:1.24-alpha.6f95f8c912c44489b4f78568207337bd907f46c1
 name: latest.istiod
- - image: null/null:null
+ - image: gcr.io/istio-testing/proxyv2:1.24-alpha.6f95f8c912c44489b4f78568207337bd907f46c1
 name: latest.proxy
- - image: null/null:null
+ - image: gcr.io/istio-testing/ztunnel:1.24-alpha.6f95f8c912c44489b4f78568207337bd907f46c1
 name: latest.ztunnel
 - image: docker.io/istio/install-cni:1.21.6
 name: v1_21_6.cni
diff --git a/hack/patch-csv.sh b/hack/patch-csv.sh
index 10225cac5..5d8408e1e 100755
--- a/hack/patch-csv.sh
+++ b/hack/patch-csv.sh
@@ -52,28 +52,42 @@ function get_field() { component_dir="istiod" fi - # Set if non null order from the component most specific to the most generic + # The following code tries to find the field in several places: + # 1) .defaults.. + field="$(${YQ} ".defaults.${COMPONENTS[$component_name]}.${field_name}" resources/"${version}"/charts/"${component_dir}"/values.yaml)" # 2) .defaults.global.. + if is_empty_or_null "${field}"; then + field="$(${YQ} ".defaults.global.${COMPONENTS[$component_name]}.${field_name}" resources/"${version}"/charts/"${component_dir}"/values.yaml)" + fi # 3) .defaults. + if is_empty_or_null "${field}"; then + field="$(${YQ} ".defaults.${field_name}" resources/"${version}"/charts/"${component_dir}"/values.yaml)" + fi # 4) .defaults.global. - # Example: - # .defaults.istiod.hub == null - # .defaults.global.istiod.hub == null - # .defaults.hub == null - # .defaults.global.hub == "gcr.io/istio-testing" - - field="$(${YQ} ".defaults.${COMPONENTS[$component_name]}.${field_name}" resources/"${version}"/charts/"${component_dir}"/values.yaml)" if is_empty_or_null "${field}"; then - field="$(${YQ} ".defaults.global.${COMPONENTS[$component_name]}.${field_name}" resources/"${version}"/charts/"${component_dir}"/values.yaml)" - if is_empty_or_null "${field}"; then - field="$(${YQ} ".defaults.${field_name}" resources/"${version}"/charts/"${component_dir}"/values.yaml)" - if is_empty_or_null "${field}"; then - field="$(${YQ} ".defaults.global.${field_name}" resources/"${version}"/charts/"${component_dir}"/values.yaml)" - fi - fi + field="$(${YQ} ".defaults.global.${field_name}" resources/"${version}"/charts/"${component_dir}"/values.yaml)" + fi + # 5) .._internal_defaults_do_not_set.. + if is_empty_or_null "${field}"; then + field="$(${YQ} ".._internal_defaults_do_not_set.${COMPONENTS[$component_name]}.${field_name}" resources/"${version}"/charts/"${component_dir}"/values.yaml)" + fi + # 6) .._internal_defaults_do_not_set.global.. 
+ if is_empty_or_null "${field}"; then
+ field="$(${YQ} "._internal_defaults_do_not_set.global.${COMPONENTS[$component_name]}.${field_name}" resources/"${version}"/charts/"${component_dir}"/values.yaml)"
+ fi
+ # 7) .._internal_defaults_do_not_set.
+ if is_empty_or_null "${field}"; then
+ field="$(${YQ} "._internal_defaults_do_not_set.${field_name}" resources/"${version}"/charts/"${component_dir}"/values.yaml)"
+ fi
+ # 8) .._internal_defaults_do_not_set.global.
+ if is_empty_or_null "${field}"; then
+ field="$(${YQ} "._internal_defaults_do_not_set.global.${field_name}" resources/"${version}"/charts/"${component_dir}"/values.yaml)"
 fi
+ if [ "${field}" == "null" ]; then
+ field=""
+ fi
 echo "${field}"
 }
@@ -94,6 +108,11 @@ for version in ${versions}; do
 image=$(get_field "${version}" "image" "${component_name}")
 tag=$(get_field "${version}" "tag" "${component_name}")
+ if [ -z "${hub}" ] || [ -z "${image}" ] || [ -z "${tag}" ]; then
+ echo "Missing hub, image or tag for version ${version}, component ${component_name}"
+ exit 1
+ fi
+
 # Add .spec.install.spec.deployments[0].spec.template.metadata.annotations with olm.relatedImage
 ${YQ} -i '.spec.install.spec.deployments[0].spec.template.metadata.annotations |= (. + {"images.'"${name}"'": "'"${hub}"'/'"${image}"':'"${tag}"'"})' "${clusterserviceversion_file_path}"
From bb67c212660d749645e09a83a44fd9b0c565bbba Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marko=20Luk=C5=A1a?=
Date: Tue, 8 Oct 2024 15:42:32 +0200
Subject: [PATCH 40/68] Make patch-csv.sh more readable
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Marko Lukša
---
 hack/patch-csv.sh | 26 +++++++++++++------------
 1 file changed, 13 insertions(+), 13 deletions(-)
diff --git a/hack/patch-csv.sh b/hack/patch-csv.sh
index 5d8408e1e..a5f5cfbd2 100755
--- a/hack/patch-csv.sh
+++ b/hack/patch-csv.sh
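Review bot: The new guard reports its failure with a bare `echo`, so the "Missing hub, image or tag ..." message goes to stdout rather than stderr and is easy to lose when the script's output is captured; it should be `echo "Missing hub, image or tag for version ${version}, component ${component_name}" >&2`. By the time `exit 1` fires for a later version, the `${YQ} -i` edits for earlier versions have already been written into the CSV, so the file is left partially patched; either say so in a comment above the guard or resolve every hub/image/tag triple before the first in-place edit. The `for version` loop starts outside the hunk.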
@@ -55,37 +55,37 @@ function get_field() {
 # The following code tries to find the field in several places:
 # 1) .defaults..
- field="$(${YQ} ".defaults.${COMPONENTS[$component_name]}.${field_name}" resources/"${version}"/charts/"${component_dir}"/values.yaml)"
+ field="$(${YQ} ".defaults.${COMPONENTS[$component_name]}.${field_name}" "resources/${version}/charts/${component_dir}/values.yaml")"
 # 2) .defaults.global..
 if is_empty_or_null "${field}"; then
- field="$(${YQ} ".defaults.global.${COMPONENTS[$component_name]}.${field_name}" resources/"${version}"/charts/"${component_dir}"/values.yaml)"
+ field="$(${YQ} ".defaults.global.${COMPONENTS[$component_name]}.${field_name}" "resources/${version}/charts/${component_dir}/values.yaml")"
 fi
 # 3) .defaults.
 if is_empty_or_null "${field}"; then
- field="$(${YQ} ".defaults.${field_name}" resources/"${version}"/charts/"${component_dir}"/values.yaml)"
+ field="$(${YQ} ".defaults.${field_name}" "resources/${version}/charts/${component_dir}/values.yaml")"
 fi
 # 4) .defaults.global.
 if is_empty_or_null "${field}"; then
- field="$(${YQ} ".defaults.global.${field_name}" resources/"${version}"/charts/"${component_dir}"/values.yaml)"
+ field="$(${YQ} ".defaults.global.${field_name}" "resources/${version}/charts/${component_dir}/values.yaml")"
 fi
- # 5) .._internal_defaults_do_not_set..
+ # 5) ._internal_defaults_do_not_set..
 if is_empty_or_null "${field}"; then
- field="$(${YQ} ".._internal_defaults_do_not_set.${COMPONENTS[$component_name]}.${field_name}" resources/"${version}"/charts/"${component_dir}"/values.yaml)"
+ field="$(${YQ} "._internal_defaults_do_not_set.${COMPONENTS[$component_name]}.${field_name}" "resources/${version}/charts/${component_dir}/values.yaml")"
 fi
- # 6) .._internal_defaults_do_not_set.global..
+ # 6) ._internal_defaults_do_not_set.global..
 if is_empty_or_null "${field}"; then
- field="$(${YQ} "._internal_defaults_do_not_set.global.${COMPONENTS[$component_name]}.${field_name}" resources/"${version}"/charts/"${component_dir}"/values.yaml)"
+ field="$(${YQ} "._internal_defaults_do_not_set.global.${COMPONENTS[$component_name]}.${field_name}" "resources/${version}/charts/${component_dir}/values.yaml")"
 fi
- # 7) .._internal_defaults_do_not_set.
+ # 7) ._internal_defaults_do_not_set.
 if is_empty_or_null "${field}"; then
- field="$(${YQ} "._internal_defaults_do_not_set.${field_name}" resources/"${version}"/charts/"${component_dir}"/values.yaml)"
+ field="$(${YQ} "._internal_defaults_do_not_set.${field_name}" "resources/${version}/charts/${component_dir}/values.yaml")"
 fi
- # 8) .._internal_defaults_do_not_set.global.
+ # 8) ._internal_defaults_do_not_set.global.
 if is_empty_or_null "${field}"; then
- field="$(${YQ} "._internal_defaults_do_not_set.global.${field_name}" resources/"${version}"/charts/"${component_dir}"/values.ya	ml)"
+ field="$(${YQ} "._internal_defaults_do_not_set.global.${field_name}" "resources/${version}/charts/${component_dir}/values.yaml")"
 fi
- if [ "${field}" == "null" ]; then
+ if is_empty_or_null "${field}"; then
 field=""
 fi
 echo "${field}"
From 061d1165d24a8b531b1f5b173e6d648b8ffdb4d1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marko=20Luk=C5=A1a?=
Date: Tue, 8 Oct 2024 18:18:44 +0200
Subject: [PATCH 41/68] Don't add istiod-remote chart when updating latest version (#396)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Marko Lukša
---
 hack/update-istio.sh | 1 -
 1 file changed, 1 deletion(-)
diff --git a/hack/update-istio.sh b/hack/update-istio.sh
index 8a1dae33a..b85508e7e 100755
--- a/hack/update-istio.sh
+++ b/hack/update-istio.sh
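Review bot: After this pass get_field still consists of eight copies of the same yq lookup that differ only in the path, each repeating the values.yaml location, so adding a ninth place to search means copying another four-line block. A single ordered list of candidate paths walked in a loop keeps the most-specific-to-most-generic order that the numbered comments describe and makes the order itself reviewable at a glance; the trailing `field=""` normalisation and `echo` stay as they are. The function's opening lines are outside the hunk; the `local` declarations below assume bash, which the `function` keyword and the `COMPONENTS` associative array already imply.
```shell
    local values_file="resources/${version}/charts/${component_dir}/values.yaml"
    local component="${COMPONENTS[$component_name]}"
    # Candidate locations, from the most specific to the most generic; the
    # first non-empty, non-null hit wins.
    for path in \
        ".defaults.${component}.${field_name}" \
        ".defaults.global.${component}.${field_name}" \
        ".defaults.${field_name}" \
        ".defaults.global.${field_name}" \
        "._internal_defaults_do_not_set.${component}.${field_name}" \
        "._internal_defaults_do_not_set.global.${component}.${field_name}" \
        "._internal_defaults_do_not_set.${field_name}" \
        "._internal_defaults_do_not_set.global.${field_name}"; do
        field="$(${YQ} "${path}" "${values_file}")"
        if ! is_empty_or_null "${field}"; then
            break
        fi
    done
    # … unchanged: normalise empty/null to "" and echo "${field}" …
```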
@@ -121,7 +121,6 @@ function update_latest() {
 "https://storage.googleapis.com/istio-build/dev/'"${VERSION}"'/helm/cni-'"${VERSION}"'.tgz",
 "https://storage.googleapis.com/istio-build/dev/'"${VERSION}"'/helm/gateway-'"${VERSION}"'.tgz",
 "https://storage.googleapis.com/istio-build/dev/'"${VERSION}"'/helm/istiod-'"${VERSION}"'.tgz",
- "https://storage.googleapis.com/istio-build/dev/'"${VERSION}"'/helm/istiod-remote-'"${VERSION}"'.tgz",
 "https://storage.googleapis.com/istio-build/dev/'"${VERSION}"'/helm/ztunnel-'"${VERSION}"'.tgz"
 ]' "${VERSIONS_YAML_FILE}"
 }
From 8e10ad54a38426a4c02476ffc89e9df2515dcf76 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marko=20Luk=C5=A1a?=
Date: Tue, 8 Oct 2024 19:12:43 +0200
Subject: [PATCH 42/68] Improve kubectl utility in e2e tests (#394)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
* Rename kubectl.KubectlBuilder to kubectl.Builder
Signed-off-by: Marko Lukša
* Remove unnecessary function newBuilder()
Signed-off-by: Marko Lukša
* Remove unnecessary function setBinary()
Signed-off-by: Marko Lukša
* Refactor to remove the need for ResetNamespace()
By passing around Builder by value instead of by reference, we ensure that the functions SetNamespace()/SetKubeconfig/SetBinary() never modify the existing Builder and instead create a new copy and set the namespace/kubeconfig/binary there. This allows us to re-use the same builder in multiple places without having to call ResetNamespace() after calling SetNamespace().
Signed-off-by: Marko Lukša
* Rename SetNamespace/SetBinary/SetKubeconfig to WithNamespace/WithBinary/WithKubeconfig
Signed-off-by: Marko Lukša
* Rename kubectl.Builder to kubectl.Kubectl
Signed-off-by: Marko Lukša
* Rename containerflag() to containerFlag()
Signed-off-by: Marko Lukša
* Remove DefaultBinary const
Signed-off-by: Marko Lukša
* Rename kubectlClient1/2 to k1/k2
Signed-off-by: Marko Lukša
* Fix whitespace
Signed-off-by: Marko Lukša
* Fix test
Signed-off-by: Marko Lukša
* Fix PushIntermediateCA()
Signed-off-by: Marko Lukša
* A few micro improvements
Signed-off-by: Marko Lukša
---------
Signed-off-by: Marko Lukša
---
 .../controlplane/control_plane_suite_test.go | 4 +-
 tests/e2e/controlplane/control_plane_test.go | 14 ++-
 tests/e2e/dualstack/dualstack_suite_test.go | 4 +-
 tests/e2e/dualstack/dualstack_test.go | 16 +--
 .../multicluster_multiprimary_test.go | 89 +++++++++--------
 .../multicluster_primaryremote_test.go | 54 +++++-----
 .../multicluster/multicluster_suite_test.go | 8 +-
 tests/e2e/operator/operator_suite_test.go | 4 +-
 tests/e2e/util/certs/certs.go | 4 +-
 tests/e2e/util/common/e2e_utils.go | 34 +++----
 tests/e2e/util/kubectl/kubectl.go | 98 ++++++++-----------
 11 files changed, 153 insertions(+), 176 deletions(-)
diff --git a/tests/e2e/controlplane/control_plane_suite_test.go b/tests/e2e/controlplane/control_plane_suite_test.go
index b8e073099..a494a16d8 100644
--- a/tests/e2e/controlplane/control_plane_suite_test.go
+++ b/tests/e2e/controlplane/control_plane_suite_test.go
@@ -43,7 +43,7 @@ var (
 bookinfoNamespace = env.Get("BOOKINFO_NAMESPACE", "bookinfo")
 multicluster = env.GetBool("MULTICLUSTER", false)
- k *kubectl.KubectlBuilder
+ k kubectl.Kubectl
 )
 func TestInstall(t *testing.T) {
@@ -62,5 +62,5 @@ func setup() {
 cl, err = k8sclient.InitK8sClient("")
 Expect(err).NotTo(HaveOccurred())
- k = kubectl.NewKubectlBuilder()
+ k = kubectl.New()
 }
diff --git a/tests/e2e/controlplane/control_plane_test.go b/tests/e2e/controlplane/control_plane_test.go
index c6db61e89..eafcc9a01 100644
--- a/tests/e2e/controlplane/control_plane_test.go
+++ b/tests/e2e/controlplane/control_plane_test.go
@@ -173,9 +173,8 @@ spec:
 })
 It("doesn't continuously reconcile the IstioCNI CR", func() {
- Eventually(k.SetNamespace(namespace).Logs).WithArguments("deploy/"+deploymentName, ptr.Of(30*time.Second)).
+ Eventually(k.WithNamespace(namespace).Logs).WithArguments("deploy/"+deploymentName, ptr.Of(30*time.Second)).
 ShouldNot(ContainSubstring("Reconciliation done"), "IstioCNI is continuously reconciling")
- k.ResetNamespace()
 Success("IstioCNI stopped reconciling")
 })
 })
@@ -222,9 +221,8 @@ spec:
 })
 It("doesn't continuously reconcile the Istio CR", func() {
- Eventually(k.SetNamespace(namespace).Logs).WithArguments("deploy/"+deploymentName, ptr.Of(30*time.Second)).
+ Eventually(k.WithNamespace(namespace).Logs).WithArguments("deploy/"+deploymentName, ptr.Of(30*time.Second)).
 ShouldNot(ContainSubstring("Reconciliation done"), "Istio CR is continuously reconciling")
- k.ResetNamespace()
 Success("Istio CR stopped reconciling")
 })
 })
@@ -269,7 +267,7 @@ spec:
 When("the Istio CR is deleted", func() {
 BeforeEach(func() {
- Expect(k.SetNamespace(controlPlaneNamespace).Delete("istio", istioName)).To(Succeed(), "Istio CR failed to be deleted")
+ Expect(k.WithNamespace(controlPlaneNamespace).Delete("istio", istioName)).To(Succeed(), "Istio CR failed to be deleted")
 Success("Istio CR deleted")
 })
@@ -283,7 +281,7 @@ spec:
 When("the IstioCNI CR is deleted", func() {
 BeforeEach(func() {
- Expect(k.SetNamespace(istioCniNamespace).Delete("istiocni", istioCniName)).To(Succeed(), "IstioCNI CR failed to be deleted")
+ Expect(k.WithNamespace(istioCniNamespace).Delete("istiocni", istioCniName)).To(Succeed(), "IstioCNI CR failed to be deleted")
 Success("IstioCNI deleted")
 })
@@ -389,7 +387,7 @@ func getBookinfoURL(version supportedversion.VersionInfo) string {
 func deployBookinfo(version supportedversion.VersionInfo) error {
 bookinfoURL := getBookinfoURL(version)
- err := k.SetNamespace(bookinfoNamespace).Apply(bookinfoURL)
+ err := k.WithNamespace(bookinfoNamespace).Apply(bookinfoURL)
 if err != nil {
 return fmt.Errorf("error deploying bookinfo: %w", err)
 }
@@ -398,7 +396,7 @@ func deployBookinfo(version supportedversion.VersionInfo) error {
 }
 func getProxyVersion(podName, namespace string) (*semver.Version, error) {
- output, err := k.SetNamespace(namespace).Exec(
+ output, err := k.WithNamespace(namespace).Exec(
 podName, "istio-proxy",
 `curl -s http://localhost:15000/server_info | grep "ISTIO_VERSION" | awk -F '"' '{print $4}'`)
diff --git a/tests/e2e/dualstack/dualstack_suite_test.go b/tests/e2e/dualstack/dualstack_suite_test.go
index d2fc4211f..99f82bab0 100644
--- a/tests/e2e/dualstack/dualstack_suite_test.go
+++ b/tests/e2e/dualstack/dualstack_suite_test.go
@@ -43,7 +43,7 @@ var (
 multicluster = env.GetBool("MULTICLUSTER", false)
 ipFamily = env.Get("IP_FAMILY", "ipv4")
- k *kubectl.KubectlBuilder
+ k kubectl.Kubectl
 )
 func TestDualStack(t *testing.T) {
@@ -63,5 +63,5 @@ func setup() {
 cl, err = k8sclient.InitK8sClient("")
 Expect(err).NotTo(HaveOccurred())
- k = kubectl.NewKubectlBuilder()
+ k = kubectl.New()
 }
diff --git a/tests/e2e/dualstack/dualstack_test.go b/tests/e2e/dualstack/dualstack_test.go
index 3a4aae4fe..b4108509b 100644
--- a/tests/e2e/dualstack/dualstack_test.go
+++ b/tests/e2e/dualstack/dualstack_test.go
@@ -81,7 +81,7 @@ var _ = Describe("DualStack configuration ", Ordered, func() {
 continue
 }
- Context("Istio version is: "+version.Version.String(), func() {
+ Context(fmt.Sprintf("Istio version %s", version.Version), func() {
 BeforeAll(func() {
 Expect(k.CreateNamespace(controlPlaneNamespace)).To(Succeed(), "Istio namespace failed to be created")
 Expect(k.CreateNamespace(istioCniNamespace)).To(Succeed(), "IstioCNI namespace failed to be created")
@@ -205,10 +205,10 @@ spec:
 Expect(k.Patch("namespace", SleepNamespace, "merge", `{"metadata":{"labels":{"istio-injection":"enabled"}}}`)).
 To(Succeed(), "Error patching sleep namespace")
- Expect(k.SetNamespace(DualStackNamespace).Apply(getYAMLPodURL(version, DualStackNamespace))).To(Succeed(), "error deploying tcpDualStack pod")
- Expect(k.SetNamespace(IPv4Namespace).Apply(getYAMLPodURL(version, IPv4Namespace))).To(Succeed(), "error deploying ipv4 pod")
- Expect(k.SetNamespace(IPv6Namespace).Apply(getYAMLPodURL(version, IPv6Namespace))).To(Succeed(), "error deploying ipv6 pod")
- Expect(k.SetNamespace(SleepNamespace).Apply(getYAMLPodURL(version, SleepNamespace))).To(Succeed(), "error deploying sleep pod")
+ Expect(k.WithNamespace(DualStackNamespace).Apply(getYAMLPodURL(version, DualStackNamespace))).To(Succeed(), "error deploying tcpDualStack pod")
+ Expect(k.WithNamespace(IPv4Namespace).Apply(getYAMLPodURL(version, IPv4Namespace))).To(Succeed(), "error deploying ipv4 pod")
+ Expect(k.WithNamespace(IPv6Namespace).Apply(getYAMLPodURL(version, IPv6Namespace))).To(Succeed(), "error deploying ipv6 pod")
+ Expect(k.WithNamespace(SleepNamespace).Apply(getYAMLPodURL(version, SleepNamespace))).To(Succeed(), "error deploying sleep pod")
 Success("dualStack validation pods deployed")
 })
@@ -254,7 +254,7 @@ spec:
 When("the Istio CR is deleted", func() {
 BeforeEach(func() {
- Expect(k.SetNamespace(controlPlaneNamespace).Delete("istio", istioName)).To(Succeed(), "Istio CR failed to be deleted")
+ Expect(k.WithNamespace(controlPlaneNamespace).Delete("istio", istioName)).To(Succeed(), "Istio CR failed to be deleted")
 Success("Istio CR deleted")
 })
@@ -268,7 +268,7 @@ spec:
 When("the IstioCNI CR is deleted", func() {
 BeforeEach(func() {
- Expect(k.SetNamespace(istioCniNamespace).Delete("istiocni", istioCniName)).To(Succeed(), "IstioCNI CR failed to be deleted")
+ Expect(k.WithNamespace(istioCniNamespace).Delete("istiocni", istioCniName)).To(Succeed(), "IstioCNI CR failed to be deleted")
 Success("IstioCNI deleted")
 })
@@ -356,7 +356,7 @@ func getYAMLPodURL(version supportedversion.VersionInfo, namespace string) strin
 func checkPodConnectivity(podName, namespace, echoStr string) {
 command := fmt.Sprintf(`sh -c 'echo %s | nc tcp-echo.%s 9000'`, echoStr, echoStr)
- response, err := k.SetNamespace(namespace).Exec(podName, "sleep", command)
+ response, err := k.WithNamespace(namespace).Exec(podName, "sleep", command)
 Expect(err).NotTo(HaveOccurred(), fmt.Sprintf("error connecting to the %q pod", podName))
 Expect(response).To(ContainSubstring(fmt.Sprintf("hello %s", echoStr)), fmt.Sprintf("Unexpected response from %s pod", podName))
 }
diff --git a/tests/e2e/multicluster/multicluster_multiprimary_test.go b/tests/e2e/multicluster/multicluster_multiprimary_test.go
index 6f5397e2a..8cee0948e 100644
--- a/tests/e2e/multicluster/multicluster_multiprimary_test.go
+++ b/tests/e2e/multicluster/multicluster_multiprimary_test.go
@@ -49,8 +49,8 @@ var _ = Describe("Multicluster deployment models", Ordered, func() {
 BeforeAll(func(ctx SpecContext) {
 if !skipDeploy {
 // Deploy the Sail Operator on both clusters
- Expect(kubectlClient1.CreateNamespace(namespace)).To(Succeed(), "Namespace failed to be created on Cluster #1")
- Expect(kubectlClient2.CreateNamespace(namespace)).To(Succeed(), "Namespace failed to be created on Cluster #2")
+ Expect(k1.CreateNamespace(namespace)).To(Succeed(), "Namespace failed to be created on Cluster #1")
+ Expect(k2.CreateNamespace(namespace)).To(Succeed(), "Namespace failed to be created on Cluster #2")
 Expect(helm.Install("sail-operator", filepath.Join(project.RootDir, "chart"), "--namespace "+namespace, "--set=image="+image, "--kubeconfig "+kubeconfig)).
 To(Succeed(), "Operator failed to be deployed in Cluster #1")
@@ -73,15 +73,15 @@ var _ = Describe("Multicluster deployment models", Ordered, func() {
 Describe("Multi-Primary Multi-Network configuration", func() {
 // Test the Multi-Primary Multi-Network configuration for each supported Istio version
 for _, version := range supportedversion.List {
- Context("Istio version is: "+version.Version.String(), func() {
- When("Istio resources are created in both clusters with multicluster configuration", func() {
+ Context(fmt.Sprintf("Istio version %s", version.Version), func() {
+ When("Istio resources are created in both clusters", func() {
 BeforeAll(func(ctx SpecContext) {
- Expect(kubectlClient1.CreateNamespace(controlPlaneNamespace)).To(Succeed(), "Namespace failed to be created")
- Expect(kubectlClient2.CreateNamespace(controlPlaneNamespace)).To(Succeed(), "Namespace failed to be created")
+ Expect(k1.CreateNamespace(controlPlaneNamespace)).To(Succeed(), "Namespace failed to be created")
+ Expect(k2.CreateNamespace(controlPlaneNamespace)).To(Succeed(), "Namespace failed to be created")
 // Push the intermediate CA to both clusters
- Expect(certs.PushIntermediateCA(controlPlaneNamespace, kubeconfig, "east", "network1", artifacts, clPrimary)).To(Succeed())
- Expect(certs.PushIntermediateCA(controlPlaneNamespace, kubeconfig2, "west", "network2", artifacts, clRemote)).To(Succeed())
+ Expect(certs.PushIntermediateCA(k1, controlPlaneNamespace, "east", "network1", artifacts, clPrimary)).To(Succeed())
+ Expect(certs.PushIntermediateCA(k2, controlPlaneNamespace, "west", "network2", artifacts, clRemote)).To(Succeed())
 // Wait for the secret to be created in both clusters
 Eventually(func() error {
@@ -110,11 +110,11 @@ spec:
 network: %s`
 multiclusterCluster1YAML := fmt.Sprintf(multiclusterYAML, version.Name, controlPlaneNamespace, "mesh1", "cluster1", "network1")
 Log("Istio CR Cluster #1: ", multiclusterCluster1YAML)
- Expect(kubectlClient1.CreateFromString(multiclusterCluster1YAML)).To(Succeed(), "Istio Resource creation failed on Cluster #1")
+ Expect(k1.CreateFromString(multiclusterCluster1YAML)).To(Succeed(), "Istio Resource creation failed on Cluster #1")
 multiclusterCluster2YAML := fmt.Sprintf(multiclusterYAML, version.Name, controlPlaneNamespace, "mesh1", "cluster2", "network2")
 Log("Istio CR Cluster #2: ", multiclusterCluster2YAML)
- Expect(kubectlClient2.CreateFromString(multiclusterCluster2YAML)).To(Succeed(), "Istio Resource creation failed on Cluster #2")
+ Expect(k2.CreateFromString(multiclusterCluster2YAML)).To(Succeed(), "Istio Resource creation failed on Cluster #2")
 })
 It("updates both Istio CR status to Ready", func(ctx SpecContext) {
@@ -140,19 +140,18 @@ spec:
 WithArguments(ctx, clRemote, kube.Key("istiod", controlPlaneNamespace), &appsv1.Deployment{}).
 Should(HaveCondition(appsv1.DeploymentAvailable, metav1.ConditionTrue), "Istiod is not Available on Cluster #2; unexpected Condition")
 Expect(common.GetVersionFromIstiod()).To(Equal(version.Version), "Unexpected istiod version")
- Success("Istiod is deployed in the namespace and Running on Cluster #2")
+ Success("Istiod is deployed in the namespace and Running on Cluster #2")
 })
 })
 When("Gateway is created in both clusters", func() {
 BeforeAll(func(ctx SpecContext) {
- Expect(kubectlClient1.SetNamespace(controlPlaneNamespace).Apply(eastGatewayYAML)).To(Succeed(), "Gateway creation failed on Cluster #1")
-
- Expect(kubectlClient2.SetNamespace(controlPlaneNamespace).Apply(westGatewayYAML)).To(Succeed(), "Gateway creation failed on Cluster #2")
+ Expect(k1.WithNamespace(controlPlaneNamespace).Apply(eastGatewayYAML)).To(Succeed(), "Gateway creation failed on Cluster #1")
+ Expect(k2.WithNamespace(controlPlaneNamespace).Apply(westGatewayYAML)).To(Succeed(), "Gateway creation failed on Cluster #2")
 // Expose the Gateway service in both clusters
- Expect(kubectlClient1.SetNamespace(controlPlaneNamespace).Apply(exposeServiceYAML)).To(Succeed(), "Expose Service creation failed on Cluster #1")
- Expect(kubectlClient2.SetNamespace(controlPlaneNamespace).Apply(exposeServiceYAML)).To(Succeed(), "Expose Service creation failed on Cluster #2")
+ Expect(k1.WithNamespace(controlPlaneNamespace).Apply(exposeServiceYAML)).To(Succeed(), "Expose Service creation failed on Cluster #1")
+ Expect(k2.WithNamespace(controlPlaneNamespace).Apply(exposeServiceYAML)).To(Succeed(), "Expose Service creation failed on Cluster #2")
 })
 It("updates both Gateway status to Available", func(ctx SpecContext) {
@@ -170,23 +169,23 @@ spec:
 When("are installed remote secrets on each cluster", func() {
 BeforeAll(func(ctx SpecContext) {
 // Get the internal IP of the control plane node in both clusters
- internalIPCluster1, err := kubectlClient1.GetInternalIP("node-role.kubernetes.io/control-plane")
+ internalIPCluster1, err := k1.GetInternalIP("node-role.kubernetes.io/control-plane")
 Expect(err).NotTo(HaveOccurred())
 Expect(internalIPCluster1).NotTo(BeEmpty(), "Internal IP is empty for Cluster #1")
- internalIPCluster2, err := kubectlClient2.GetInternalIP("node-role.kubernetes.io/control-plane")
+ internalIPCluster2, err := k2.GetInternalIP("node-role.kubernetes.io/control-plane")
 Expect(internalIPCluster2).NotTo(BeEmpty(), "Internal IP is empty for Cluster #2")
 Expect(err).NotTo(HaveOccurred())
 // Install a remote secret in Cluster #1 that provides access to the Cluster #2 API server.
 secret, err := istioctl.CreateRemoteSecret(kubeconfig2, "cluster2", internalIPCluster2)
 Expect(err).NotTo(HaveOccurred())
- Expect(kubectlClient1.ApplyString(secret)).To(Succeed(), "Remote secret creation failed on Cluster #1")
+ Expect(k1.ApplyString(secret)).To(Succeed(), "Remote secret creation failed on Cluster #1")
 // Install a remote secret in Cluster #2 that provides access to the Cluster #1 API server.
 secret, err = istioctl.CreateRemoteSecret(kubeconfig, "cluster1", internalIPCluster1)
 Expect(err).NotTo(HaveOccurred())
- Expect(kubectlClient2.ApplyString(secret)).To(Succeed(), "Remote secret creation failed on Cluster #1")
+ Expect(k2.ApplyString(secret)).To(Succeed(), "Remote secret creation failed on Cluster #1")
 })
 It("remote secrets are created", func(ctx SpecContext) {
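Review bot: The rewritten last Expect in the hunk, `Expect(k2.ApplyString(secret)).To(Succeed(), "Remote secret creation failed on Cluster #1")`, applies the secret to cluster #2 but still names cluster #1 on failure, so a failing run points at the wrong cluster; the message should be `"Remote secret creation failed on Cluster #2"`. For cluster #2 the `BeEmpty` check on `internalIPCluster2` also precedes `Expect(err).NotTo(HaveOccurred())`, the reverse of the cluster #1 order a few lines above, so a GetInternalIP error surfaces as "Internal IP is empty" instead of the underlying error; swapping those two context lines would mirror cluster #1. The enclosing When block starts outside the hunk.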
@@ -196,7 +195,7 @@ spec: secret, err = common.GetObject(ctx, clRemote, kube.Key("istio-remote-secret-cluster1", controlPlaneNamespace), &corev1.Secret{}) Expect(err).NotTo(HaveOccurred()) - Expect(secret).NotTo(BeNil(), "Secret is not created on Cluster #2") + Expect(secret).NotTo(BeNil(), "Secret is not created on Cluster #2") Success("Remote secrets are created in both clusters") }) }) 
@@ -238,16 +237,16 @@ spec: Expect(err).NotTo(HaveOccurred(), "Error getting sleep pod name on Cluster #1") sleepPodNameCluster2, err := common.GetPodNameByLabel(ctx, clRemote, "sample", "app", "sleep") - Expect(sleepPodNameCluster2).NotTo(BeEmpty(), "Sleep pod not found on Cluster #2") - Expect(err).NotTo(HaveOccurred(), "Error getting sleep pod name on Cluster #2") + Expect(sleepPodNameCluster2).NotTo(BeEmpty(), "Sleep pod not found on Cluster #2") + Expect(err).NotTo(HaveOccurred(), "Error getting sleep pod name on Cluster #2") // Run the curl command from the sleep pod in the Cluster #2 and get response list to validate that we get responses from both clusters - Cluster2Responses := strings.Join(getListCurlResponses(kubectlClient2, sleepPodNameCluster2), "\n") + Cluster2Responses := strings.Join(getListCurlResponses(k2, sleepPodNameCluster2), "\n") Expect(Cluster2Responses).To(ContainSubstring("Hello version: v1"), "Responses from Cluster #2 are not the expected") Expect(Cluster2Responses).To(ContainSubstring("Hello version: v2"), "Responses from Cluster #2 are not the expected") // Run the curl command from the sleep pod in the Cluster #1 and get response list to validate that we get responses from both clusters - Cluster1Responses := strings.Join(getListCurlResponses(kubectlClient1, sleepPodNameCluster1), "\n") + Cluster1Responses := strings.Join(getListCurlResponses(k1, sleepPodNameCluster1), "\n") Expect(Cluster1Responses).To(ContainSubstring("Hello version: v1"), "Responses from Cluster #1 are not the expected") Expect(Cluster1Responses).To(ContainSubstring("Hello version: v2"), "Responses from Cluster #1 are not the expected") Success("Sample app is accessible from both clusters") 
@@ -257,8 +256,8 @@ spec: When("istio CR is deleted in both clusters", func() { BeforeEach(func() { // Delete the Istio CR in both clusters - Expect(kubectlClient1.SetNamespace(controlPlaneNamespace).Delete("istio", istioName)).To(Succeed(), "Istio CR failed to be deleted") - Expect(kubectlClient2.SetNamespace(controlPlaneNamespace).Delete("istio", istioName)).To(Succeed(), "Istio CR failed to be deleted") + Expect(k1.WithNamespace(controlPlaneNamespace).Delete("istio", istioName)).To(Succeed(), "Istio CR failed to be deleted") + Expect(k2.WithNamespace(controlPlaneNamespace).Delete("istio", istioName)).To(Succeed(), "Istio CR failed to be deleted") Success("Istio CR is deleted in both clusters") }) 
@@ -273,16 +272,16 @@ spec: AfterAll(func(ctx SpecContext) { // Delete namespace to ensure clean up for new tests iteration - Expect(kubectlClient1.DeleteNamespace(controlPlaneNamespace)).To(Succeed(), "Namespace failed to be deleted on Cluster #1") - Expect(kubectlClient2.DeleteNamespace(controlPlaneNamespace)).To(Succeed(), "Namespace failed to be deleted on Cluster #2") + Expect(k1.DeleteNamespace(controlPlaneNamespace)).To(Succeed(), "Namespace failed to be deleted on Cluster #1") + Expect(k2.DeleteNamespace(controlPlaneNamespace)).To(Succeed(), "Namespace failed to be deleted on Cluster #2") common.CheckNamespaceEmpty(ctx, clPrimary, controlPlaneNamespace) common.CheckNamespaceEmpty(ctx, clRemote, controlPlaneNamespace) Success("ControlPlane Namespaces are empty") // Delete the entire sample namespace in both clusters - Expect(kubectlClient1.DeleteNamespace("sample")).To(Succeed(), "Namespace failed to be deleted on Cluster #1") - Expect(kubectlClient2.DeleteNamespace("sample")).To(Succeed(), "Namespace failed to be deleted on Cluster #2") + Expect(k1.DeleteNamespace("sample")).To(Succeed(), "Namespace failed to be deleted on Cluster #1") + Expect(k2.DeleteNamespace("sample")).To(Succeed(), "Namespace failed to be deleted on Cluster #2") common.CheckNamespaceEmpty(ctx, clPrimary, "sample") common.CheckNamespaceEmpty(ctx, clRemote, "sample") 
@@ -294,8 +293,8 @@ spec: AfterAll(func(ctx SpecContext) { // Delete the Sail Operator from both clusters - Expect(kubectlClient1.DeleteNamespace(namespace)).To(Succeed(), "Namespace failed to be deleted on Cluster #1") - Expect(kubectlClient2.DeleteNamespace(namespace)).To(Succeed(), "Namespace failed to be deleted on Cluster #2") + Expect(k1.DeleteNamespace(namespace)).To(Succeed(), "Namespace failed to be deleted on Cluster #1") + Expect(k2.DeleteNamespace(namespace)).To(Succeed(), "Namespace failed to be deleted on Cluster #2") // Delete the intermediate CA from both clusters common.CheckNamespaceEmpty(ctx, clPrimary, namespace) @@ -306,13 +305,13 @@ spec: // deploySampleApp deploys the sample app in the given cluster func deploySampleApp(ns string, istioVersion supportedversion.VersionInfo) { // Create the namespace - Expect(kubectlClient1.CreateNamespace(ns)).To(Succeed(), "Namespace failed to be created") - Expect(kubectlClient2.CreateNamespace(ns)).To(Succeed(), "Namespace failed to be created") + Expect(k1.CreateNamespace(ns)).To(Succeed(), "Namespace failed to be created") + Expect(k2.CreateNamespace(ns)).To(Succeed(), "Namespace failed to be created") // Label the namespace - Expect(kubectlClient1.Patch("namespace", ns, "merge", `{"metadata":{"labels":{"istio-injection":"enabled"}}}`)). + Expect(k1.Patch("namespace", ns, "merge", `{"metadata":{"labels":{"istio-injection":"enabled"}}}`)). To(Succeed(), "Error patching sample namespace") - Expect(kubectlClient2.Patch("namespace", ns, "merge", `{"metadata":{"labels":{"istio-injection":"enabled"}}}`)). + Expect(k2.Patch("namespace", ns, "merge", `{"metadata":{"labels":{"istio-injection":"enabled"}}}`)). To(Succeed(), "Error patching sample namespace") version := istioVersion.Version.String() 
@@ -321,22 +320,22 @@ func deploySampleApp(ns string, istioVersion supportedversion.VersionInfo) { version = "master" } helloWorldURL := fmt.Sprintf("https://raw.githubusercontent.com/istio/istio/%s/samples/helloworld/helloworld.yaml", version) - Expect(kubectlClient1.SetNamespace(ns).ApplyWithLabels(helloWorldURL, "service=helloworld")).To(Succeed(), "Sample service deploy failed on Cluster #1") - Expect(kubectlClient2.SetNamespace(ns).ApplyWithLabels(helloWorldURL, "service=helloworld")).To(Succeed(), "Sample service deploy failed on Cluster #2") + Expect(k1.WithNamespace(ns).ApplyWithLabels(helloWorldURL, "service=helloworld")).To(Succeed(), "Sample service deploy failed on Cluster #1") + Expect(k2.WithNamespace(ns).ApplyWithLabels(helloWorldURL, "service=helloworld")).To(Succeed(), "Sample service deploy failed on Cluster #2") - Expect(kubectlClient1.SetNamespace(ns).ApplyWithLabels(helloWorldURL, "version=v1")).To(Succeed(), "Sample service deploy failed on Cluster #1") - Expect(kubectlClient2.SetNamespace(ns).ApplyWithLabels(helloWorldURL, "version=v2")).To(Succeed(), "Sample service deploy failed on Cluster #2") + Expect(k1.WithNamespace(ns).ApplyWithLabels(helloWorldURL, "version=v1")).To(Succeed(), "Sample service deploy failed on Cluster #1") + Expect(k2.WithNamespace(ns).ApplyWithLabels(helloWorldURL, "version=v2")).To(Succeed(), "Sample service deploy failed on Cluster #2") sleepURL := fmt.Sprintf("https://raw.githubusercontent.com/istio/istio/%s/samples/sleep/sleep.yaml", version) - Expect(kubectlClient1.SetNamespace(ns).Apply(sleepURL)).To(Succeed(), "Sample sleep deploy failed on Cluster #1") - Expect(kubectlClient2.SetNamespace(ns).Apply(sleepURL)).To(Succeed(), "Sample sleep deploy failed on Cluster #2") + Expect(k1.WithNamespace(ns).Apply(sleepURL)).To(Succeed(), "Sample sleep deploy failed on Cluster #1") + Expect(k2.WithNamespace(ns).Apply(sleepURL)).To(Succeed(), "Sample sleep deploy failed on Cluster #2") } // getListCurlResponses runs the 
curl command 10 times from the sleep pod in the given cluster and get response list -func getListCurlResponses(k *kubectl.KubectlBuilder, podName string) []string { +func getListCurlResponses(k kubectl.Kubectl, podName string) []string { var responses []string for i := 0; i < 10; i++ { - response, err := k.SetNamespace("sample").Exec(podName, "sleep", "curl -sS helloworld.sample:5000/hello") + response, err := k.WithNamespace("sample").Exec(podName, "sleep", "curl -sS helloworld.sample:5000/hello") Expect(err).NotTo(HaveOccurred()) responses = append(responses, response) } diff --git a/tests/e2e/multicluster/multicluster_primaryremote_test.go b/tests/e2e/multicluster/multicluster_primaryremote_test.go index e6e45e2fd..35c6fb240 100644 --- a/tests/e2e/multicluster/multicluster_primaryremote_test.go +++ b/tests/e2e/multicluster/multicluster_primaryremote_test.go @@ -48,8 +48,8 @@ var _ = Describe("Multicluster deployment models", Ordered, func() { BeforeAll(func(ctx SpecContext) { if !skipDeploy { // Deploy the Sail Operator on both clusters - Expect(kubectlClient1.CreateNamespace(namespace)).To(Succeed(), "Namespace failed to be created on Primary Cluster") - Expect(kubectlClient2.CreateNamespace(namespace)).To(Succeed(), "Namespace failed to be created on Remote Cluster") + Expect(k1.CreateNamespace(namespace)).To(Succeed(), "Namespace failed to be created on Primary Cluster") + Expect(k2.CreateNamespace(namespace)).To(Succeed(), "Namespace failed to be created on Remote Cluster") Expect(helm.Install("sail-operator", filepath.Join(project.RootDir, "chart"), "--namespace "+namespace, "--set=image="+image, "--kubeconfig "+kubeconfig)). To(Succeed(), "Operator failed to be deployed in Primary Cluster") 
@@ -78,16 +78,16 @@ var _ = Describe("Multicluster deployment models", Ordered, func() { continue } - Context("Istio version is: "+version.Version.String(), func() { + Context(fmt.Sprintf("Istio version %s", version.Version), func() { When("Istio resources are created in both clusters", func() { BeforeAll(func(ctx SpecContext) { - Expect(kubectlClient1.CreateNamespace(controlPlaneNamespace)).To(Succeed(), "Namespace failed to be created") - Expect(kubectlClient2.CreateNamespace(controlPlaneNamespace)).To(Succeed(), "Namespace failed to be created") + Expect(k1.CreateNamespace(controlPlaneNamespace)).To(Succeed(), "Namespace failed to be created") + Expect(k2.CreateNamespace(controlPlaneNamespace)).To(Succeed(), "Namespace failed to be created") // Push the intermediate CA to both clusters - Expect(certs.PushIntermediateCA(controlPlaneNamespace, kubeconfig, "east", "network1", artifacts, clPrimary)). + Expect(certs.PushIntermediateCA(k1, controlPlaneNamespace, "east", "network1", artifacts, clPrimary)). To(Succeed(), "Error pushing intermediate CA to Primary Cluster") - Expect(certs.PushIntermediateCA(controlPlaneNamespace, kubeconfig2, "west", "network2", artifacts, clRemote)). + Expect(certs.PushIntermediateCA(k2, controlPlaneNamespace, "west", "network2", artifacts, clRemote)). To(Succeed(), "Error pushing intermediate CA to Remote Cluster") // Wait for the secret to be created in both clusters @@ -120,7 +120,7 @@ spec: network: %s` multiclusterPrimaryYAML := fmt.Sprintf(PrimaryYAML, version.Name, controlPlaneNamespace, "mesh1", "cluster1", "network1") Log("Istio CR Primary: ", multiclusterPrimaryYAML) - Expect(kubectlClient1.CreateFromString(multiclusterPrimaryYAML)).To(Succeed(), "Istio Resource creation failed on Primary Cluster") + Expect(k1.CreateFromString(multiclusterPrimaryYAML)).To(Succeed(), "Istio Resource creation failed on Primary Cluster") }) It("updates Istio CR on Primary cluster status to Ready", func(ctx SpecContext) { 
@@ -141,13 +141,13 @@ spec: When("Gateway is created on Primary cluster ", func() { BeforeAll(func(ctx SpecContext) { - Expect(kubectlClient1.SetNamespace(controlPlaneNamespace).Apply(eastGatewayYAML)).To(Succeed(), "Gateway creation failed on Primary Cluster") + Expect(k1.WithNamespace(controlPlaneNamespace).Apply(eastGatewayYAML)).To(Succeed(), "Gateway creation failed on Primary Cluster") // Expose istiod service in Primary cluster - Expect(kubectlClient1.SetNamespace(controlPlaneNamespace).Apply(exposeIstiodYAML)).To(Succeed(), "Expose Istiod creation failed on Primary Cluster") + Expect(k1.WithNamespace(controlPlaneNamespace).Apply(exposeIstiodYAML)).To(Succeed(), "Expose Istiod creation failed on Primary Cluster") // Expose the Gateway service in both clusters - Expect(kubectlClient1.SetNamespace(controlPlaneNamespace).Apply(exposeServiceYAML)).To(Succeed(), "Expose Service creation failed on Primary Cluster") + Expect(k1.WithNamespace(controlPlaneNamespace).Apply(exposeServiceYAML)).To(Succeed(), "Expose Service creation failed on Primary Cluster") }) It("updates Gateway status to Available", func(ctx SpecContext) { 
@@ -179,19 +179,19 @@ spec: remoteIstioYAML := fmt.Sprintf(RemoteYAML, version.Name, remotePilotAddress) Log("RemoteIstio CR: ", remoteIstioYAML) By("Creating RemoteIstio CR on Remote Cluster") - Expect(kubectlClient2.CreateFromString(remoteIstioYAML)).To(Succeed(), "RemoteIstio Resource creation failed on Remote Cluster") + Expect(k2.CreateFromString(remoteIstioYAML)).To(Succeed(), "RemoteIstio Resource creation failed on Remote Cluster") // Set the controlplane cluster and network for Remote namespace By("Patching the istio-system namespace on Remote Cluster") Expect( - kubectlClient2.Patch( + k2.Patch( "namespace", controlPlaneNamespace, "merge", `{"metadata":{"annotations":{"topology.istio.io/controlPlaneClusters":"cluster1"}}}`)). To(Succeed(), "Error patching istio-system namespace") Expect( - kubectlClient2.Patch( + k2.Patch( "namespace", controlPlaneNamespace, "merge", @@ -201,7 +201,7 @@ spec: // To be able to access the remote cluster from the primary cluster, we need to create a secret in the primary cluster // RemoteIstio resource will not be Ready until the secret is created // Get the internal IP of the control plane node in Remote cluster - internalIPRemote, err := kubectlClient2.GetInternalIP("node-role.kubernetes.io/control-plane") + internalIPRemote, err := k2.GetInternalIP("node-role.kubernetes.io/control-plane") Expect(internalIPRemote).NotTo(BeEmpty(), "Internal IP is empty for Remote Cluster") Expect(err).NotTo(HaveOccurred()) @@ -212,7 +212,7 @@ spec: By("Creating Remote Secret on Primary Cluster") secret, err := istioctl.CreateRemoteSecret(kubeconfig2, "remote", internalIPRemote) Expect(err).NotTo(HaveOccurred()) - Expect(kubectlClient1.ApplyString(secret)).To(Succeed(), "Remote secret creation failed on Primary Cluster") + Expect(k1.WithNamespace(controlPlaneNamespace).ApplyString(secret)).To(Succeed(), "Remote secret creation failed on Primary Cluster") }) It("secret is created", func(ctx SpecContext) { 
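Review bot: `k1.WithNamespace(controlPlaneNamespace).ApplyString(secret)` in the last hunk is the only remote-secret apply in this commit that pins a namespace; the two equivalent calls in multicluster_multiprimary_test.go are left as bare `k1.ApplyString(secret)` / `k2.ApplyString(secret)`. If the manifest returned by `istioctl.CreateRemoteSecret` already carries its own `metadata.namespace` (not visible here), a `-n` flag that disagrees with it makes kubectl reject the apply, so the two files should either both pass the namespace or both rely on the manifest. A short comment on this line, e.g. `// apply into the control-plane namespace; keep in step with the multiprimary test`, would record why the namespace is forced only here. The enclosing BeforeAll closure starts outside the hunk.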
@@ -232,7 +232,7 @@ spec: When("gateway is created in Remote cluster", func() { BeforeAll(func(ctx SpecContext) { - Expect(kubectlClient2.SetNamespace(controlPlaneNamespace).Apply(westGatewayYAML)).To(Succeed(), "Gateway creation failed on Remote Cluster") + Expect(k2.WithNamespace(controlPlaneNamespace).Apply(westGatewayYAML)).To(Succeed(), "Gateway creation failed on Remote Cluster") Success("Gateway is created in Remote cluster") }) @@ -285,12 +285,12 @@ spec: Expect(err).NotTo(HaveOccurred(), "Error getting sleep pod name on Remote Cluster") // Run the curl command from the sleep pod in the Remote Cluster and get response list to validate that we get responses from both clusters - remoteResponses := strings.Join(getListCurlResponses(kubectlClient2, sleepPodNameRemote), "\n") + remoteResponses := strings.Join(getListCurlResponses(k2, sleepPodNameRemote), "\n") Expect(remoteResponses).To(ContainSubstring("Hello version: v1"), "Responses from Remote Cluster are not the expected") Expect(remoteResponses).To(ContainSubstring("Hello version: v2"), "Responses from Remote Cluster are not the expected") // Run the curl command from the sleep pod in the Primary Cluster and get response list to validate that we get responses from both clusters - primaryResponses := strings.Join(getListCurlResponses(kubectlClient1, sleepPodNamePrimary), "\n") + primaryResponses := strings.Join(getListCurlResponses(k1, sleepPodNamePrimary), "\n") Expect(primaryResponses).To(ContainSubstring("Hello version: v1"), "Responses from Primary Cluster are not the expected") Expect(primaryResponses).To(ContainSubstring("Hello version: v2"), "Responses from Primary Cluster are not the expected") Success("Sample app is accessible from both clusters") 
@@ -299,8 +299,8 @@ spec: When("Istio CR and RemoteIstio CR are deleted in both clusters", func() { BeforeEach(func() { - Expect(kubectlClient1.SetNamespace(controlPlaneNamespace).Delete("istio", istioName)).To(Succeed(), "Istio CR failed to be deleted") - Expect(kubectlClient2.SetNamespace(controlPlaneNamespace).Delete("remoteistio", istioName)).To(Succeed(), "RemoteIstio CR failed to be deleted") + Expect(k1.WithNamespace(controlPlaneNamespace).Delete("istio", istioName)).To(Succeed(), "Istio CR failed to be deleted") + Expect(k2.WithNamespace(controlPlaneNamespace).Delete("remoteistio", istioName)).To(Succeed(), "RemoteIstio CR failed to be deleted") Success("Istio and RemoteIstio are deleted") }) 
@@ -313,16 +313,16 @@ spec: AfterAll(func(ctx SpecContext) { // Delete namespace to ensure clean up for new tests iteration - Expect(kubectlClient1.DeleteNamespace(controlPlaneNamespace)).To(Succeed(), "Namespace failed to be deleted on Primary Cluster") - Expect(kubectlClient2.DeleteNamespace(controlPlaneNamespace)).To(Succeed(), "Namespace failed to be deleted on Remote Cluster") + Expect(k1.DeleteNamespace(controlPlaneNamespace)).To(Succeed(), "Namespace failed to be deleted on Primary Cluster") + Expect(k2.DeleteNamespace(controlPlaneNamespace)).To(Succeed(), "Namespace failed to be deleted on Remote Cluster") common.CheckNamespaceEmpty(ctx, clPrimary, controlPlaneNamespace) common.CheckNamespaceEmpty(ctx, clRemote, controlPlaneNamespace) Success("ControlPlane Namespaces are empty") // Delete the entire sample namespace in both clusters - Expect(kubectlClient1.DeleteNamespace("sample")).To(Succeed(), "Namespace failed to be deleted on Primary Cluster") - Expect(kubectlClient2.DeleteNamespace("sample")).To(Succeed(), "Namespace failed to be deleted on Remote Cluster") + Expect(k1.DeleteNamespace("sample")).To(Succeed(), "Namespace failed to be deleted on Primary Cluster") + Expect(k2.DeleteNamespace("sample")).To(Succeed(), "Namespace failed to be deleted on Remote Cluster") common.CheckNamespaceEmpty(ctx, clPrimary, "sample") common.CheckNamespaceEmpty(ctx, clRemote, "sample") 
@@ -334,8 +334,8 @@ spec: AfterAll(func(ctx SpecContext) { // Delete the Sail Operator from both clusters - Expect(kubectlClient1.DeleteNamespace(namespace)).To(Succeed(), "Namespace failed to be deleted on Primary Cluster") - Expect(kubectlClient2.DeleteNamespace(namespace)).To(Succeed(), "Namespace failed to be deleted on Remote Cluster") + Expect(k1.DeleteNamespace(namespace)).To(Succeed(), "Namespace failed to be deleted on Primary Cluster") + Expect(k2.DeleteNamespace(namespace)).To(Succeed(), "Namespace failed to be deleted on Remote Cluster") // Check that the namespace is empty common.CheckNamespaceEmpty(ctx, clPrimary, namespace) diff --git a/tests/e2e/multicluster/multicluster_suite_test.go b/tests/e2e/multicluster/multicluster_suite_test.go index a31105df8..09ca73fde 100644 --- a/tests/e2e/multicluster/multicluster_suite_test.go +++ b/tests/e2e/multicluster/multicluster_suite_test.go @@ -52,8 +52,8 @@ var ( exposeServiceYAML string exposeIstiodYAML string - kubectlClient1 *kubectl.KubectlBuilder - kubectlClient2 *kubectl.KubectlBuilder + k1 kubectl.Kubectl + k2 kubectl.Kubectl ) func TestInstall(t *testing.T) { @@ -99,6 +99,6 @@ func setup(t *testing.T) { exposeIstiodYAML = fmt.Sprintf("%s/docs/multicluster/expose-istiod.yaml", baseRepoDir) // Initialize kubectl utilities, one for each cluster - kubectlClient1 = kubectl.NewKubectlBuilder().SetKubeconfig(kubeconfig) - kubectlClient2 = kubectl.NewKubectlBuilder().SetKubeconfig(kubeconfig2) + k1 = kubectl.New().WithKubeconfig(kubeconfig) + k2 = kubectl.New().WithKubeconfig(kubeconfig2) } diff --git a/tests/e2e/operator/operator_suite_test.go b/tests/e2e/operator/operator_suite_test.go index 560855caa..952d7cd8e 100644 --- a/tests/e2e/operator/operator_suite_test.go +++ b/tests/e2e/operator/operator_suite_test.go 
@@ -36,7 +36,7 @@ var ( deploymentName = env.Get("DEPLOYMENT_NAME", "sail-operator") multicluster = env.GetBool("MULTICLUSTER", false) - k *kubectl.KubectlBuilder + k kubectl.Kubectl ) func TestInstall(t *testing.T) { @@ -62,5 +62,5 @@ func setup() { GinkgoWriter.Println("Running on Kubernetes") } - k = kubectl.NewKubectlBuilder() + k = kubectl.New() } diff --git a/tests/e2e/util/certs/certs.go b/tests/e2e/util/certs/certs.go index c2fd599c6..505eebe6f 100644 --- a/tests/e2e/util/certs/certs.go +++ b/tests/e2e/util/certs/certs.go @@ -219,7 +219,7 @@ func writeFile(confPath string, confContent string) error { } // PushIntermediateCA pushes the intermediate CA to the cluster -func PushIntermediateCA(ns, kubeconfig, zone, network, basePath string, cl client.Client) error { +func PushIntermediateCA(k kubectl.Kubectl, ns, zone, network, basePath string, cl client.Client) error { // Set cert dir certDir := filepath.Join(basePath, "certs") @@ -227,8 +227,6 @@ func PushIntermediateCA(ns, kubeconfig, zone, network, basePath string, cl clien _, err := common.GetObject(context.Background(), cl, kube.Key("cacerts", ns), &corev1.Secret{}) if err != nil { // Label the namespace with the network - k := kubectl.NewKubectlBuilder() - k.SetKubeconfig(kubeconfig) err = k.Patch("namespace", ns, "merge", `{"metadata":{"labels":{"topology.istio.io/network":"`+network+`"}}}`) if err != nil { return fmt.Errorf("failed to label namespace: %w", err) diff --git a/tests/e2e/util/common/e2e_utils.go b/tests/e2e/util/common/e2e_utils.go index 5fec5f6d0..4ccbe570a 100644 --- a/tests/e2e/util/common/e2e_utils.go +++ b/tests/e2e/util/common/e2e_utils.go @@ -52,7 +52,7 @@ var ( // - 1.24-alpha.feabc1234 istiodVersionRegex = regexp.MustCompile(`Version:"([^"]*)"`) - k = kubectl.NewKubectlBuilder() + k = kubectl.New() ) // GetObject returns the object with the given key 
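Review bot: The doc comment on `PushIntermediateCA` in the certs.go hunk is not updated for the new signature: `k` is now a caller-supplied kubectl client and the `kubeconfig` parameter is gone, yet the comment still says only "pushes the intermediate CA to the cluster". Something like `// PushIntermediateCA pushes the intermediate CA to the cluster addressed by k and cl, labelling namespace ns with the given network` would document the new contract. The function now silently assumes `k` and `cl` point at the same cluster; that coupling existed before via kubeconfig but is now entirely the caller's responsibility and is worth a sentence in the comment. The function body continues outside the hunk.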
@@ -141,21 +141,20 @@ func LogDebugInfo() { } func logOperatorDebugInfo() { - operator, err := k.SetNamespace(namespace).GetYAML("deployment", deploymentName) + operator, err := k.WithNamespace(namespace).GetYAML("deployment", deploymentName) logDebugElement("Operator Deployment YAML", operator, err) - logs, err := k.SetNamespace(namespace).Logs("deploy/"+deploymentName, ptr.Of(120*time.Second)) - k.ResetNamespace() + logs, err := k.WithNamespace(namespace).Logs("deploy/"+deploymentName, ptr.Of(120*time.Second)) logDebugElement("Operator logs", logs, err) - events, err := k.SetNamespace(namespace).GetEvents() + events, err := k.WithNamespace(namespace).GetEvents() logDebugElement("Events in "+namespace, events, err) // Temporary information to gather more details about failure - pods, err := k.SetNamespace(namespace).GetPods("", "-o wide") + pods, err := k.WithNamespace(namespace).GetPods("", "-o wide") logDebugElement("Pods in "+namespace, pods, err) - describe, err := k.SetNamespace(namespace).Describe("deployment", deploymentName) + describe, err := k.WithNamespace(namespace).Describe("deployment", deploymentName) logDebugElement("Operator Deployment describe", describe, err) } 
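Review bot: In `logOperatorDebugInfo` every call now repeats `k.WithNamespace(namespace)`, five times in this hunk; with the value-returning API the namespaced client can be bound once, `kn := k.WithNamespace(namespace)`, and the calls become `kn.GetYAML(...)`, `kn.Logs(...)` and so on. The same repetition appears in `logIstioDebugInfo` and `logCNIDebugInfo` in the next two hunks. This is a readability point only; behaviour is unchanged.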
@@ -163,14 +162,13 @@ func logIstioDebugInfo() { resource, err := k.GetYAML("istio", istioName) logDebugElement("Istio YAML", resource, err) - output, err := k.SetNamespace(controlPlaneNamespace).GetPods("", "-o wide") + output, err := k.WithNamespace(controlPlaneNamespace).GetPods("", "-o wide") logDebugElement("Pods in "+controlPlaneNamespace, output, err) - logs, err := k.SetNamespace(controlPlaneNamespace).Logs("deploy/istiod", ptr.Of(120*time.Second)) - k.ResetNamespace() + logs, err := k.WithNamespace(controlPlaneNamespace).Logs("deploy/istiod", ptr.Of(120*time.Second)) logDebugElement("Istiod logs", logs, err) - events, err := k.SetNamespace(controlPlaneNamespace).GetEvents() + events, err := k.WithNamespace(controlPlaneNamespace).GetEvents() logDebugElement("Events in "+controlPlaneNamespace, events, err) } 
@@ -178,20 +176,20 @@ func logCNIDebugInfo() { resource, err := k.GetYAML("istiocni", istioCniName) logDebugElement("IstioCNI YAML", resource, err) - ds, err := k.SetNamespace(istioCniNamespace).GetYAML("daemonset", "istio-cni-node") + ds, err := k.WithNamespace(istioCniNamespace).GetYAML("daemonset", "istio-cni-node") logDebugElement("Istio CNI DaemonSet YAML", ds, err) - events, err := k.SetNamespace(istioCniNamespace).GetEvents() + events, err := k.WithNamespace(istioCniNamespace).GetEvents() logDebugElement("Events in "+istioCniNamespace, events, err) // Temporary information to gather more details about failure - pods, err := k.SetNamespace(istioCniNamespace).GetPods("", "-o wide") + pods, err := k.WithNamespace(istioCniNamespace).GetPods("", "-o wide") logDebugElement("Pods in "+istioCniNamespace, pods, err) - describe, err := k.SetNamespace(istioCniNamespace).Describe("daemonset", "istio-cni-node") + describe, err := k.WithNamespace(istioCniNamespace).Describe("daemonset", "istio-cni-node") logDebugElement("Istio CNI DaemonSet describe", describe, err) - logs, err := k.SetNamespace(istioCniNamespace).Logs("daemonset/istio-cni-node", ptr.Of(120*time.Second)) + logs, err := k.WithNamespace(istioCniNamespace).Logs("daemonset/istio-cni-node", ptr.Of(120*time.Second)) logDebugElement("Istio CNI logs", logs, err) } @@ -206,8 +204,8 @@ func logDebugElement(caption string, info string, err error) { } func GetVersionFromIstiod() (*semver.Version, error) { - k := kubectl.NewKubectlBuilder() - output, err := k.SetNamespace(controlPlaneNamespace).Exec("deploy/istiod", "", "pilot-discovery version") + k := kubectl.New() + output, err := k.WithNamespace(controlPlaneNamespace).Exec("deploy/istiod", "", "pilot-discovery version") if err != nil { return nil, fmt.Errorf("error getting version from istiod: %w", err) } diff --git a/tests/e2e/util/kubectl/kubectl.go b/tests/e2e/util/kubectl/kubectl.go index f07035513..f1b69576f 100644 --- a/tests/e2e/util/kubectl/kubectl.go 
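Review bot: `k := kubectl.New()` in `GetVersionFromIstiod` shadows the package-level `k` that the same file now initialises with `kubectl.New()` in the `var` block earlier in this diff; the local copy adds nothing and the shadowing is what `go vet`/staticcheck typically flag. Dropping the local and writing `output, err := k.WithNamespace(controlPlaneNamespace).Exec("deploy/istiod", "", "pilot-discovery version")` against the package variable keeps the same behaviour. Both the package-level and the local client are created without a kubeconfig, so this helper always targets the default kubectl context; a one-line comment would make that intent explicit for the multicluster callers. The function body continues outside the hunk.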
+++ b/tests/e2e/util/kubectl/kubectl.go @@ -23,28 +23,18 @@ import ( "github.com/istio-ecosystem/sail-operator/tests/e2e/util/shell" ) -type KubectlBuilder struct { +type Kubectl struct { binary string namespace string kubeconfig string } -const DefaultBinary = "kubectl" - -func newKubectlBuilder() *KubectlBuilder { - return &KubectlBuilder{} -} - -func (k *KubectlBuilder) setBinary() { - binary := DefaultBinary - if cmd := os.Getenv("COMMAND"); cmd != "" { - binary = cmd - } - - k.binary = binary +// New creates a new kubectl.Kubectl +func New() Kubectl { + return Kubectl{}.WithBinary(os.Getenv("COMMAND")) } -func (k *KubectlBuilder) build(cmd string) string { +func (k Kubectl) build(cmd string) string { args := []string{k.binary} // Only append namespace if it's set @@ -63,15 +53,18 @@ func (k *KubectlBuilder) build(cmd string) string { return strings.Join(args, " ") } -// NewKubectlBuilder creates a new KubectlBuilder -func NewKubectlBuilder() *KubectlBuilder { - k := newKubectlBuilder() - k.setBinary() +// WithBinary returns a new Kubectl with the binary set to the given value; if the value is "", the binary is set to "kubectl" +func (k Kubectl) WithBinary(binary string) Kubectl { + if binary == "" { + k.binary = "kubectl" + } else { + k.binary = binary + } return k } -// SetNamespace sets the namespace -func (k *KubectlBuilder) SetNamespace(ns string) *KubectlBuilder { +// WithNamespace returns a new Kubectl with the namespace set to the given value +func (k Kubectl) WithNamespace(ns string) Kubectl { if ns == "" { k.namespace = "--all-namespaces" } else { 
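Review bot: `WithBinary` in the second hunk hard-codes the fallback `"kubectl"` that the first hunk deletes together with the exported `DefaultBinary` constant; removing an exported identifier is an API break for any package that referenced it, and the literal is better kept as a named constant, `const DefaultBinary = "kubectl"` with `k.binary = DefaultBinary`. `New` also inherits the `COMMAND` environment lookup from the deleted `setBinary` without documenting it; the comment should say `// New returns a Kubectl whose binary is taken from the COMMAND environment variable, falling back to "kubectl"`. Because that string is later joined into the command line in `build`, a reader should be able to see from the doc comment where it comes from.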
@@ -80,9 +73,11 @@ func (k *KubectlBuilder) SetNamespace(ns string) *KubectlBuilder { return k } -// SetKubeconfig sets the kubeconfig -func (k *KubectlBuilder) SetKubeconfig(kubeconfig string) *KubectlBuilder { - if kubeconfig != "" { +// WithKubeconfig returns a new Kubectl with kubeconfig set to the given value +func (k Kubectl) WithKubeconfig(kubeconfig string) Kubectl { + if kubeconfig == "" { + k.kubeconfig = "" + } else { k.kubeconfig = fmt.Sprintf("--kubeconfig %s", kubeconfig) } return k @@ -90,7 +85,7 @@ func (k *KubectlBuilder) SetKubeconfig(kubeconfig string) *KubectlBuilder { // CreateNamespace creates a namespace // If the namespace already exists, it will return nil -func (k *KubectlBuilder) CreateNamespace(ns string) error { +func (k Kubectl) CreateNamespace(ns string) error { cmd := k.build(" create namespace " + ns) output, err := k.executeCommand(cmd) if err != nil { @@ -105,10 +100,9 @@ func (k *KubectlBuilder) CreateNamespace(ns string) error { } // CreateFromString creates a resource from the given yaml string -func (k *KubectlBuilder) CreateFromString(yamlString string) error { +func (k Kubectl) CreateFromString(yamlString string) error { cmd := k.build(" create -f -") _, err := shell.ExecuteCommandWithInput(cmd, yamlString) - k.ResetNamespace() if err != nil { return fmt.Errorf("error creating resource from yaml: %w", err) } 
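Review bot: The `WithKubeconfig` comment says the kubeconfig is "set to the given value", but the code stores the rendered flag `--kubeconfig <path>` and an empty argument clears it; `// WithKubeconfig returns a copy that passes --kubeconfig <path>; an empty path removes the flag` describes what the method actually does. The explicit `k.kubeconfig = ""` branch is needed with the new value-receiver style because the receiver may already carry a kubeconfig from an earlier call, and a brief comment on that branch would stop someone simplifying it away.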
@@ -116,22 +110,20 @@ func (k *KubectlBuilder) CreateFromString(yamlString string) error { } // DeleteCRDs deletes the CRDs by given list of crds names -func (k *KubectlBuilder) DeleteCRDs(crds []string) error { +func (k Kubectl) DeleteCRDs(crds []string) error { for _, crd := range crds { cmd := k.build(" delete crd " + crd) _, err := shell.ExecuteCommand(cmd) if err != nil { - k.ResetNamespace() return fmt.Errorf("error deleting crd %s: %w", crd, err) } } - k.ResetNamespace() return nil } // DeleteNamespace deletes a namespace -func (k *KubectlBuilder) DeleteNamespace(ns string) error { +func (k Kubectl) DeleteNamespace(ns string) error { cmd := k.build(" delete namespace " + ns) _, err := k.executeCommand(cmd) if err != nil { @@ -142,10 +134,9 @@ func (k *KubectlBuilder) DeleteNamespace(ns string) error { } // ApplyString applies the given yaml string to the cluster -func (k *KubectlBuilder) ApplyString(yamlString string) error { +func (k Kubectl) ApplyString(yamlString string) error { cmd := k.build(" apply --server-side -f -") _, err := shell.ExecuteCommandWithInput(cmd, yamlString) - k.ResetNamespace() if err != nil { return fmt.Errorf("error applying yaml: %w", err) } @@ -154,13 +145,13 @@ func (k *KubectlBuilder) ApplyString(yamlString string) error { } // Apply applies the given yaml file to the cluster -func (k *KubectlBuilder) Apply(yamlFile string) error { +func (k Kubectl) Apply(yamlFile string) error { err := k.ApplyWithLabels(yamlFile, "") return err } // ApplyWithLabels applies the given yaml file to the cluster with the given labels -func (k *KubectlBuilder) ApplyWithLabels(yamlFile, label string) error { +func (k Kubectl) ApplyWithLabels(yamlFile, label string) error { cmd := k.build(" apply " + labelFlag(label) + " -f " + yamlFile) _, err := k.executeCommand(cmd) if err != nil { 
@@ -171,7 +162,7 @@ func (k *KubectlBuilder) ApplyWithLabels(yamlFile, label string) error { } // DeleteFromFile deletes a resource from the given yaml file -func (k *KubectlBuilder) DeleteFromFile(yamlFile string) error { +func (k Kubectl) DeleteFromFile(yamlFile string) error { cmd := k.build(" delete -f " + yamlFile) _, err := k.executeCommand(cmd) if err != nil { @@ -182,7 +173,7 @@ func (k *KubectlBuilder) DeleteFromFile(yamlFile string) error { } // Delete deletes a resource based on the namespace, kind and the name -func (k *KubectlBuilder) Delete(kind, name string) error { +func (k Kubectl) Delete(kind, name string) error { cmd := k.build(" delete " + kind + " " + name) _, err := k.executeCommand(cmd) if err != nil { @@ -193,7 +184,7 @@ func (k *KubectlBuilder) Delete(kind, name string) error { } // Patch patches a resource -func (k *KubectlBuilder) Patch(kind, name, patchType, patch string) error { +func (k Kubectl) Patch(kind, name, patchType, patch string) error { cmd := k.build(fmt.Sprintf(" patch %s %s --type=%s -p=%q", kind, name, patchType, patch)) _, err := k.executeCommand(cmd) if err != nil { @@ -203,7 +194,7 @@ func (k *KubectlBuilder) Patch(kind, name, patchType, patch string) error { } // ForceDelete deletes a resource by removing its finalizers -func (k *KubectlBuilder) ForceDelete(kind, name string) error { +func (k Kubectl) ForceDelete(kind, name string) error { // Not all resources have finalizers, trying to remove them returns an error here. // We explicitly ignore the error and attempt to delete the resource anyway. _ = k.Patch(kind, name, "json", `[{"op": "remove", "path": "/metadata/finalizers"}]`) 
@@ -211,7 +202,7 @@ func (k *KubectlBuilder) ForceDelete(kind, name string) error { } // GetYAML returns the yaml of a resource -func (k *KubectlBuilder) GetYAML(kind, name string) (string, error) { +func (k Kubectl) GetYAML(kind, name string) (string, error) { cmd := k.build(fmt.Sprintf(" get %s %s -o yaml", kind, name)) output, err := k.executeCommand(cmd) if err != nil { @@ -222,7 +213,7 @@ func (k *KubectlBuilder) GetYAML(kind, name string) (string, error) { } // GetPods returns the pods of a namespace -func (k *KubectlBuilder) GetPods(args ...string) (string, error) { +func (k Kubectl) GetPods(args ...string) (string, error) { cmd := k.build(fmt.Sprintf(" get pods %s", strings.Join(args, " "))) output, err := k.executeCommand(cmd) if err != nil { @@ -233,7 +224,7 @@ func (k *KubectlBuilder) GetPods(args ...string) (string, error) { } // GetInternalIP returns the internal IP of a node -func (k *KubectlBuilder) GetInternalIP(label string) (string, error) { +func (k Kubectl) GetInternalIP(label string) (string, error) { cmd := k.build(fmt.Sprintf(" get nodes -l %s -o jsonpath='{.items[0].status.addresses[?(@.type==\"InternalIP\")].address}'", label)) output, err := k.executeCommand(cmd) if err != nil { @@ -244,8 +235,8 @@ func (k *KubectlBuilder) GetInternalIP(label string) (string, error) { } // Exec executes a command in the pod or specific container -func (k *KubectlBuilder) Exec(pod, container, command string) (string, error) { - cmd := k.build(fmt.Sprintf(" exec %s %s -- %s", pod, containerflag(container), command)) +func (k Kubectl) Exec(pod, container, command string) (string, error) { + cmd := k.build(fmt.Sprintf(" exec %s %s -- %s", pod, containerFlag(container), command)) output, err := k.executeCommand(cmd) if err != nil { return "", err 
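Review bot: GetPods' doc comment says it "returns the pods of a namespace", but the variadic `args` is joined verbatim onto `get pods`, so callers can pass arbitrary kubectl flags and the comment should say so: `// GetPods returns the output of "kubectl get pods" in the current namespace; args are appended verbatim as extra kubectl flags.` Exec likewise splices `command` unquoted after `--`, meaning quoting and variable expansion in `command` are resolved by whatever runs the assembled string before kubectl sees it (shell.ExecuteCommand is not in view); a sentence in its comment stating that callers are responsible for quoting would prevent surprises. The containerflag → containerFlag rename is consistent with the definition changed in the next hunk group.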
@@ -254,7 +245,7 @@ func (k *KubectlBuilder) Exec(pod, container, command string) (string, error) {
}
// GetEvents returns the events of a namespace
-func (k *KubectlBuilder) GetEvents() (string, error) {
+func (k Kubectl) GetEvents() (string, error) {
cmd := k.build(" get events")
output, err := k.executeCommand(cmd)
if err != nil {
@@ -265,7 +256,7 @@ func (k *KubectlBuilder) GetEvents() (string, error) {
}
// Describe returns the description of a resource
-func (k *KubectlBuilder) Describe(kind, name string) (string, error) {
+func (k Kubectl) Describe(kind, name string) (string, error) {
cmd := k.build(fmt.Sprintf(" describe %s %s", kind, name))
output, err := k.executeCommand(cmd)
if err != nil {
@@ -276,7 +267,7 @@ func (k *KubectlBuilder) Describe(kind, name string) (string, error) {
}
// Logs returns the logs of a deployment
-func (k *KubectlBuilder) Logs(pod string, since *time.Duration) (string, error) {
+func (k Kubectl) Logs(pod string, since *time.Duration) (string, error) {
cmd := k.build(fmt.Sprintf(" logs %s %s", pod, sinceFlag(since)))
output, err := shell.ExecuteCommand(cmd)
if err != nil {
@@ -286,15 +277,8 @@ func (k *KubectlBuilder) Logs(pod string, since *time.Duration) (string, error)
}
// executeCommand handles running the command and then resets the namespace automatically
-func (k *KubectlBuilder) executeCommand(cmd string) (string, error) {
- result, err := shell.ExecuteCommand(cmd)
- k.ResetNamespace()
- return result, err
-}
-
-// ResetNamespace resets the namespace
-func (k *KubectlBuilder) ResetNamespace() {
- k.namespace = ""
+func (k Kubectl) executeCommand(cmd string) (string, error) {
+ return shell.ExecuteCommand(cmd)
}
func sinceFlag(since *time.Duration) string {
@@ -311,7 +295,7 @@ func labelFlag(label string) string {
return "-l " + label
}
-func containerflag(container string) string {
+func containerFlag(container string) string {
if container == "" {
return ""
}
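Review bot: The context line `// executeCommand handles running the command and then resets the namespace automatically` is now wrong: the new body is a plain `return shell.ExecuteCommand(cmd)` and ResetNamespace is deleted in the same hunk, so the comment promises a side effect that no longer happens. Replace it with `// executeCommand runs the given kubectl command line and returns its output.` Logs, two hunks up, still bypasses this helper and calls shell.ExecuteCommand directly; with the namespace reset gone there is no reason left for the two paths to differ, and routing Logs through executeCommand keeps the whole type on one code path.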
From 68c658548224f4bc8cd9aaafd72ce1f3c814ea4c Mon Sep 17 00:00:00 2001 From: Jonh Wendell Date: Tue, 8 Oct 2024 11:18:12 -0400 Subject: [PATCH 43/68] Add the make clean target --- Makefile.core.mk | 3 +++ 1 file changed, 3 insertions(+) diff --git a/Makefile.core.mk b/Makefile.core.mk index 432245601..2bd53d407 100644 --- a/Makefile.core.mk +++ b/Makefile.core.mk @@ -254,6 +254,9 @@ docker-buildx: build-all ## Build and push docker image with cross-platform supp docker buildx rm project-v4-builder rm Dockerfile.cross +clean: ## Cleans all the intermediate files and folders previously generated. + rm -rf $(REPO_ROOT)/out + ##@ Deployment .PHONY: verify-kubeconfig From ade9a7191886bc77c21a7e359356af30ea3fdf1d Mon Sep 17 00:00:00 2001 From: Jonh Wendell Date: Tue, 8 Oct 2024 11:46:18 -0400 Subject: [PATCH 44/68] Fix the update location for the rbac proxy --- tools/update_deps.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/update_deps.sh b/tools/update_deps.sh index f544bbaff..6677af3de 100755 --- a/tools/update_deps.sh +++ b/tools/update_deps.sh @@ -58,7 +58,7 @@ sed -i "s|OPM_VERSION ?= .*|OPM_VERSION ?= ${OPM_LATEST_VERSION}|" "${ROOTDIR}/M RBAC_PROXY_LATEST_VERSION=$(getLatestVersion brancz/kube-rbac-proxy | cut -d/ -f1) # Only update it if the newer image is available in the registry if docker manifest inspect "gcr.io/kubebuilder/kube-rbac-proxy:${RBAC_PROXY_LATEST_VERSION}" >/dev/null 2>/dev/null; then - sed -i "s|gcr.io/kubebuilder/kube-rbac-proxy:.*|gcr.io/kubebuilder/kube-rbac-proxy:${RBAC_PROXY_LATEST_VERSION}|" "${ROOTDIR}/chart/templates/deployment.yaml" + sed -i "s|gcr.io/kubebuilder/kube-rbac-proxy:.*|gcr.io/kubebuilder/kube-rbac-proxy:${RBAC_PROXY_LATEST_VERSION}|" "${ROOTDIR}/chart/values.yaml" fi # Update gitleaks From 3656ec9be7edb0f93c8ec12cfefed985950c13b2 Mon Sep 17 00:00:00 2001 
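Review bot: The new `clean` target in Makefile.core.mk is not declared `.PHONY`, unlike the neighbouring `verify-kubeconfig` target and the `build` targets later in this file, so a file or directory named `clean` in the repository root would silently turn it into a no-op; add `.PHONY: clean` above it. The recipe `rm -rf $(REPO_ROOT)/out` also has no guard against `REPO_ROOT` expanding to empty, in which case the command becomes `rm -rf /out`; REPO_ROOT is defined outside this hunk, so whether it can be empty in practice is not visible here, but a `$(if $(REPO_ROOT),,$(error REPO_ROOT is not set))` style check is cheap insurance for a recursive delete.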
From: Jonh Wendell Date: Tue, 8 Oct 2024 11:49:30 -0400 Subject: [PATCH 45/68] Replace `manager` with `sail-operator` for the binary name --- Dockerfile | 4 ++-- Makefile.core.mk | 8 ++++---- .../manifests/sailoperator.clusterserviceversion.yaml | 10 +++++----- chart/README.md | 2 +- chart/templates/deployment.yaml | 8 ++++---- cmd/main.go | 6 +++--- 6 files changed, 19 insertions(+), 19 deletions(-) diff --git a/Dockerfile b/Dockerfile index f4831aa13..7f249db94 100644 --- a/Dockerfile +++ b/Dockerfile @@ -2,9 +2,9 @@ FROM registry.access.redhat.com/ubi9/ubi-minimal:latest ARG TARGETOS TARGETARCH -ADD out/${TARGETOS:-linux}_${TARGETARCH:-amd64}/manager /manager +ADD out/${TARGETOS:-linux}_${TARGETARCH:-amd64}/sail-operator /sail-operator ADD resources /var/lib/sail-operator/resources USER 65532:65532 WORKDIR / -ENTRYPOINT ["/manager"] +ENTRYPOINT ["/sail-operator"] diff --git a/Makefile.core.mk b/Makefile.core.mk index 2bd53d407..a3afbac6c 100644 --- a/Makefile.core.mk +++ b/Makefile.core.mk @@ -179,7 +179,7 @@ test.e2e.describe: ## Runs ginkgo outline -format indent over the e2e test to sh ##@ Build .PHONY: build -build: build-$(TARGET_ARCH) ## Build manager binary. +build: build-$(TARGET_ARCH) ## Build the sail-operator binary. .PHONY: run run: gen ## Run a controller from your host. @@ -221,7 +221,7 @@ endif # BUILDX_BUILD_ARGS are the additional --build-arg flags passed to the docker buildx build command. BUILDX_BUILD_ARGS = --build-arg TARGETOS=$(TARGET_OS) -# PLATFORMS defines the target platforms for the manager image be build to provide support to multiple +# PLATFORMS defines the target platforms for the sail-operator image be build to provide support to multiple # architectures. (i.e. make docker-buildx IMAGE=myregistry/mypoperator:0.0.1). To use this option you need to: # - able to use docker buildx . More info: https://docs.docker.com/build/buildx/ # - have enable BuildKit, More info: https://docs.docker.com/develop/develop-images/build_enhancements/ 
@@ -233,8 +233,8 @@ PLATFORM_ARCHITECTURES = $(shell echo ${PLATFORMS} | sed -e 's/,/\ /g' -e 's/lin ifndef BUILDX define BUILDX .PHONY: build-$(1) -build-$(1): ## Build manager binary for specific architecture. - GOARCH=$(1) LDFLAGS="$(LD_FLAGS)" common/scripts/gobuild.sh $(REPO_ROOT)/out/$(TARGET_OS)_$(1)/manager cmd/main.go +build-$(1): ## Build sail-operator binary for specific architecture. + GOARCH=$(1) LDFLAGS="$(LD_FLAGS)" common/scripts/gobuild.sh $(REPO_ROOT)/out/$(TARGET_OS)_$(1)/sail-operator cmd/main.go .PHONY: build-all build-all: build-$(1) diff --git a/bundle/manifests/sailoperator.clusterserviceversion.yaml b/bundle/manifests/sailoperator.clusterserviceversion.yaml index 9e416984c..0a577c671 100644 --- a/bundle/manifests/sailoperator.clusterserviceversion.yaml +++ b/bundle/manifests/sailoperator.clusterserviceversion.yaml @@ -34,7 +34,7 @@ metadata: capabilities: Seamless Upgrades categories: OpenShift Optional, Integration & Delivery, Networking, Security containerImage: quay.io/maistra-dev/sail-operator:0.2-latest - createdAt: "2024-10-08T13:33:26Z" + createdAt: "2024-10-08T15:48:56Z" description: Experimental operator for installing Istio service mesh features.operators.openshift.io/cnf: "false" features.operators.openshift.io/cni: "true" @@ -579,7 +579,7 @@ spec: serviceAccountName: sail-operator deployments: - label: - app.kubernetes.io/component: manager + app.kubernetes.io/component: sail-operator app.kubernetes.io/created-by: sailoperator app.kubernetes.io/instance: sail-operator app.kubernetes.io/managed-by: helm @@ -614,7 +614,7 @@ spec: images.v1_23_2.istiod: docker.io/istio/pilot:1.23.2 images.v1_23_2.proxy: docker.io/istio/proxyv2:1.23.2 images.v1_23_2.ztunnel: docker.io/istio/ztunnel:1.23.2 - kubectl.kubernetes.io/default-container: manager + kubectl.kubernetes.io/default-container: sail-operator labels: app.kubernetes.io/created-by: sailoperator app.kubernetes.io/part-of: sailoperator 
@@ -665,7 +665,7 @@ spec: - --metrics-bind-address=127.0.0.1:8080 - --default-profile=openshift command: - - /manager + - /sail-operator image: quay.io/maistra-dev/sail-operator:0.2-latest livenessProbe: httpGet: @@ -673,7 +673,7 @@ spec: port: 8081 initialDelaySeconds: 15 periodSeconds: 20 - name: manager + name: sail-operator readinessProbe: httpGet: path: /readyz diff --git a/chart/README.md b/chart/README.md index e822fed6d..b7b40273e 100644 --- a/chart/README.md +++ b/chart/README.md @@ -86,7 +86,7 @@ Default configuration values can be changed using one or more `--set $ kubectl -n sail-operator get deployment --output wide NAME READY UP-TO-DATE AVAILABLE AGE CONTAINERS IMAGES SELECTOR - sail-operator 1/1 1 1 107s kube-rbac-proxy,manager gcr.io/kubebuilder/kube-rbac-proxy:v0.16.0,quay.io/maistra-dev/sail-operator:0.1-latest app.kubernetes.io/created-by=sailoperator,app.kubernetes.io/part-of=sailoperator,control-plane=sail-operator + sail-operator 1/1 1 1 107s kube-rbac-proxy,sail-operator gcr.io/kubebuilder/kube-rbac-proxy:v0.16.0,quay.io/maistra-dev/sail-operator:0.1-latest app.kubernetes.io/created-by=sailoperator,app.kubernetes.io/part-of=sailoperator,control-plane=sail-operator $ kubectl -n sail-operator get pods -o wide diff --git a/chart/templates/deployment.yaml b/chart/templates/deployment.yaml index 96d389713..bd8bb0d1e 100644 --- a/chart/templates/deployment.yaml +++ b/chart/templates/deployment.yaml @@ -2,7 +2,7 @@ apiVersion: apps/v1 kind: Deployment metadata: labels: - app.kubernetes.io/component: manager + app.kubernetes.io/component: sail-operator app.kubernetes.io/created-by: {{ .Values.name }} app.kubernetes.io/instance: {{ .Values.deployment.name }} app.kubernetes.io/managed-by: helm 
@@ -22,7 +22,7 @@ spec: template: metadata: annotations: - kubectl.kubernetes.io/default-container: manager + kubectl.kubernetes.io/default-container: sail-operator {{- range $key, $val := .Values.deployment.annotations }} {{ $key | quote }}: {{ $val | quote}} {{- end }} @@ -81,7 +81,7 @@ spec: - --default-profile=openshift {{- end }} command: - - /manager + - /sail-operator image: {{ .Values.image }} {{- if .Values.proxy.imagePullPolicy }} imagePullPolicy: {{ .Values.imagePullPolicy }} @@ -92,7 +92,7 @@ spec: port: 8081 initialDelaySeconds: 15 periodSeconds: 20 - name: manager + name: sail-operator readinessProbe: httpGet: path: /readyz diff --git a/cmd/main.go b/cmd/main.go index 9f4452e8b..d4b48d789 100644 --- a/cmd/main.go +++ b/cmd/main.go @@ -120,7 +120,7 @@ func main() { // LeaderElectionReleaseOnCancel: true, }) if err != nil { - setupLog.Error(err, "unable to start manager") + setupLog.Error(err, "unable to start sail-operator manager") os.Exit(1) } @@ -171,9 +171,9 @@ func main() { os.Exit(1) } - setupLog.Info("starting manager") + setupLog.Info("starting sail-operator manager") if err := mgr.Start(ctrl.SetupSignalHandler()); err != nil { - setupLog.Error(err, "problem running manager") + setupLog.Error(err, "problem running sail-operator manager") os.Exit(1) } } From 4136a7b36a0830b26c575e11123c44cff33a0ee6 Mon Sep 17 00:00:00 2001 From: Daniel Grimm Date: Wed, 9 Oct 2024 11:43:44 +0200 Subject: [PATCH 46/68] Create GH Action for update-deps (#393) Signed-off-by: Daniel Grimm --- .github/workflows/update-deps.yaml | 43 ++++++++++++++++++++++++++++++ 1 file changed, 43 insertions(+) create mode 100644 .github/workflows/update-deps.yaml diff --git a/.github/workflows/update-deps.yaml b/.github/workflows/update-deps.yaml new file mode 100644 index 000000000..96bdc372f --- /dev/null +++ b/.github/workflows/update-deps.yaml 
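Review bot: In the chart/templates/deployment.yaml hunk at @@ -81, the context line `{{- if .Values.proxy.imagePullPolicy }}` guards `imagePullPolicy: {{ .Values.imagePullPolicy }}` — the condition tests one value while the template renders another, so the renamed sail-operator container only gets a pull policy when the proxy's is set, and gets an empty one if only `.Values.imagePullPolicy` is set. This predates the rename but sits inside the block being renamed; `{{- if .Values.imagePullPolicy }}` looks like the intended guard, though the values schema is not in view so this is inferred. The rename itself is applied consistently across the Dockerfile, the CSV manifest, the template and the log strings in cmd/main.go.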
@@ -0,0 +1,43 @@
+name: Update-deps workflow
+
+on:
+ schedule:
+ - cron: "0 5 * * *" # everyday at 5AM UTC
+ workflow_dispatch:
+ inputs:
+ branch:
+ description: "Branch to update"
+ default: "main"
+ required: true
+
+run-name: update-deps
+
+env:
+ GIT_USER: ${{ secrets.GIT_USER }}
+ GH_TOKEN: ${{ secrets.GIT_TOKEN }}
+ AUTOMATOR_ORG: istio-ecosystem
+ AUTOMATOR_REPO: sail-operator
+ AUTOMATOR_BRANCH: ${{ inputs.branch || 'main' }}
+
+jobs:
+ update-deps:
+ runs-on: ubuntu-latest
+
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ repository: istio/test-infra
+ ref: master
+
+ - name: Run Automator
+ run: |
+ ./tools/automator/automator.sh \
+ --org=$AUTOMATOR_ORG \
+ --repo=sail-operator \
+ --branch=$AUTOMATOR_BRANCH \
+ '--title=Automator: Update dependencies in $AUTOMATOR_ORG/$AUTOMATOR_REPO@$AUTOMATOR_BRANCH' \
+ --labels=auto-merge \
+ --modifier=update_deps \
+ --token-env \
+ --cmd=./tools/update_deps.sh \
+ --signoff
From fcb841847a3ea4fd9c9ebcd586c5506aa98b2011 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marko=20Luk=C5=A1a?=
Date: Wed, 9 Oct 2024 16:23:44 +0200
Subject: [PATCH 47/68] Fix flakiness in multi-cluster tests (#400)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The previous getListCurlResponses() function only performed 10 requests, which wasn't always enough to detect that responses were coming from both clusters. This caused the tests to fail even when everything was okay.
Signed-off-by: Marko Lukša
---
tests/e2e/multicluster/common.go | 36 +++++++++++++++++++
.../multicluster_multiprimary_test.go | 36 +++----------------
.../multicluster_primaryremote_test.go | 20 ++--------
3 files changed, 42 insertions(+), 50 deletions(-)
create mode 100644 tests/e2e/multicluster/common.go
diff --git a/tests/e2e/multicluster/common.go b/tests/e2e/multicluster/common.go
new file mode 100644
index 000000000..3309f26c1
--- /dev/null
+++ b/tests/e2e/multicluster/common.go
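Review bot: The job checks out `istio/test-infra` at the moving `ref: master` and then executes `./tools/automator/automator.sh` from it with `GH_TOKEN` (a repository secret) in the environment and `--token-env` passed, so the code handling that token is whatever is on the branch at 05:00 UTC each day, not something reviewed in this repository. Pin `ref:` to a full commit SHA and bump it deliberately, the same way the build-tools image is pinned by digest-style tag elsewhere in this series, so the executed script is immutable. Separately, `'--title=Automator: Update dependencies in $AUTOMATOR_ORG/$AUTOMATOR_REPO@$AUTOMATOR_BRANCH'` is single-quoted, so the shell leaves the `$` names unexpanded; unless automator.sh expands them itself (not visible here) the pull-request title will contain the literal variable names.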
@@ -0,0 +1,36 @@
+// Copyright Istio Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package multicluster
+
+import (
+ "fmt"
+ "time"
+
+ "github.com/istio-ecosystem/sail-operator/tests/e2e/util/kubectl"
+ . "github.com/onsi/gomega"
+)
+
+// verifyResponsesAreReceivedFromBothClusters checks that when the sleep pod in the sample namespace
+// sends a request to the helloworld service, it receives responses from both v1 and v2 versions,
+// which are deployed in different clusters
+func verifyResponsesAreReceivedFromBothClusters(k kubectl.Kubectl, clusterName string) {
+ expectedVersions := []string{"v1", "v2"}
+ for _, v := range expectedVersions {
+ Eventually(k.WithNamespace("sample").Exec, 10*time.Second, 10*time.Millisecond).
+ WithArguments("deploy/sleep", "sleep", "curl -sS helloworld.sample:5000/hello").
+ Should(ContainSubstring(fmt.Sprintf("Hello version: %s", v)),
+ fmt.Sprintf("sleep pod in %s did not receive any response from %s", clusterName, v))
+ }
+}
diff --git a/tests/e2e/multicluster/multicluster_multiprimary_test.go b/tests/e2e/multicluster/multicluster_multiprimary_test.go
index 8cee0948e..71cf1c7b8 100644
--- a/tests/e2e/multicluster/multicluster_multiprimary_test.go
+++ b/tests/e2e/multicluster/multicluster_multiprimary_test.go
@@ -20,7 +20,6 @@ import (
"context"
"fmt"
"path/filepath"
- "strings"
"time"
"github.com/istio-ecosystem/sail-operator/api/v1alpha1"
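Review bot: verifyResponsesAreReceivedFromBothClusters hard-codes the `sample` namespace in both `WithNamespace("sample")` and the `helloworld.sample:5000/hello` target, while deploySampleApp in the test files takes the namespace as an `ns string` parameter; accepting `ns` here and deriving both the namespace and the URL from it keeps the helper correct if that parameter is ever changed by a caller. The 10ms polling interval also spawns a `kubectl exec` per attempt, so for up to 10 s this is effectively a tight fork loop; an interval on the order of 500ms–1s would detect both versions just as reliably with far fewer process spawns. Since the helper retries until both "Hello version: v1" and "v2" are seen, the doc comment could say explicitly that it polls for up to 10 s rather than sampling a fixed number of requests, which is the behaviour the commit message says it replaces.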
@@ -33,7 +32,6 @@ import ( . "github.com/istio-ecosystem/sail-operator/tests/e2e/util/gomega" "github.com/istio-ecosystem/sail-operator/tests/e2e/util/helm" "github.com/istio-ecosystem/sail-operator/tests/e2e/util/istioctl" - "github.com/istio-ecosystem/sail-operator/tests/e2e/util/kubectl" . "github.com/onsi/ginkgo/v2" . "github.com/onsi/gomega" appsv1 "k8s.io/api/apps/v1" @@ -61,7 +59,7 @@ var _ = Describe("Multicluster deployment models", Ordered, func() { Success("Operator is deployed in the Cluster #1 namespace and Running") Expect(helm.Install("sail-operator", filepath.Join(project.RootDir, "chart"), "--namespace "+namespace, "--set=image="+image, "--kubeconfig "+kubeconfig2)). - To(Succeed(), "Operator failed to be deployed in Cluster #2") + To(Succeed(), "Operator failed to be deployed in Cluster #2") Eventually(common.GetObject). WithArguments(ctx, clRemote, kube.Key(deploymentName, namespace), &appsv1.Deployment{}). @@ -174,7 +172,7 @@ spec: Expect(internalIPCluster1).NotTo(BeEmpty(), "Internal IP is empty for Cluster #1") internalIPCluster2, err := k2.GetInternalIP("node-role.kubernetes.io/control-plane") - Expect(internalIPCluster2).NotTo(BeEmpty(), "Internal IP is empty for Cluster #2") + Expect(internalIPCluster2).NotTo(BeEmpty(), "Internal IP is empty for Cluster #2") Expect(err).NotTo(HaveOccurred()) // Install a remote secret in Cluster #1 that provides access to the Cluster #2 API server. 
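Review bot: On the new `Expect(internalIPCluster2).NotTo(BeEmpty(), "Internal IP is empty for Cluster #2")` line the value is asserted before the `Expect(err).NotTo(HaveOccurred())` that follows it, so when GetInternalIP fails the test reports "Internal IP is empty" and the underlying kubectl error is never printed; swap the two lines so the error check comes first. The Cluster #1 assignment and its error check sit above the hunk, so whether they share this order is not visible. The change in this hunk is indentation only, as is the `To(Succeed(), ...)` change in the hunk above it.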
@@ -232,23 +230,8 @@ spec: }) It("can access the sample app from both clusters", func(ctx SpecContext) { - sleepPodNameCluster1, err := common.GetPodNameByLabel(ctx, clPrimary, "sample", "app", "sleep") - Expect(sleepPodNameCluster1).NotTo(BeEmpty(), "Sleep pod not found on Cluster #1") - Expect(err).NotTo(HaveOccurred(), "Error getting sleep pod name on Cluster #1") - - sleepPodNameCluster2, err := common.GetPodNameByLabel(ctx, clRemote, "sample", "app", "sleep") - Expect(sleepPodNameCluster2).NotTo(BeEmpty(), "Sleep pod not found on Cluster #2") - Expect(err).NotTo(HaveOccurred(), "Error getting sleep pod name on Cluster #2") - - // Run the curl command from the sleep pod in the Cluster #2 and get response list to validate that we get responses from both clusters - Cluster2Responses := strings.Join(getListCurlResponses(k2, sleepPodNameCluster2), "\n") - Expect(Cluster2Responses).To(ContainSubstring("Hello version: v1"), "Responses from Cluster #2 are not the expected") - Expect(Cluster2Responses).To(ContainSubstring("Hello version: v2"), "Responses from Cluster #2 are not the expected") - - // Run the curl command from the sleep pod in the Cluster #1 and get response list to validate that we get responses from both clusters - Cluster1Responses := strings.Join(getListCurlResponses(k1, sleepPodNameCluster1), "\n") - Expect(Cluster1Responses).To(ContainSubstring("Hello version: v1"), "Responses from Cluster #1 are not the expected") - Expect(Cluster1Responses).To(ContainSubstring("Hello version: v2"), "Responses from Cluster #1 are not the expected") + verifyResponsesAreReceivedFromBothClusters(k1, "Cluster #1") + verifyResponsesAreReceivedFromBothClusters(k2, "Cluster #2") Success("Sample app is accessible from both clusters") }) }) 
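Review bot: After the replacement the `ctx SpecContext` parameter of this It body is unused — the removed lines were the only users of ctx, clPrimary and clRemote in the block. Go accepts an unused parameter, but `func(_ SpecContext)` makes it explicit that the spec no longer needs a context and avoids a later reader hunting for where ctx is consumed. The enclosing Describe and the It's closing braces lie outside the hunk.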
@@ -330,14 +313,3 @@ func deploySampleApp(ns string, istioVersion supportedversion.VersionInfo) { Expect(k1.WithNamespace(ns).Apply(sleepURL)).To(Succeed(), "Sample sleep deploy failed on Cluster #1") Expect(k2.WithNamespace(ns).Apply(sleepURL)).To(Succeed(), "Sample sleep deploy failed on Cluster #2") } - -// getListCurlResponses runs the curl command 10 times from the sleep pod in the given cluster and get response list -func getListCurlResponses(k kubectl.Kubectl, podName string) []string { - var responses []string - for i := 0; i < 10; i++ { - response, err := k.WithNamespace("sample").Exec(podName, "sleep", "curl -sS helloworld.sample:5000/hello") - Expect(err).NotTo(HaveOccurred()) - responses = append(responses, response) - } - return responses -} diff --git a/tests/e2e/multicluster/multicluster_primaryremote_test.go b/tests/e2e/multicluster/multicluster_primaryremote_test.go index 35c6fb240..aaf002523 100644 --- a/tests/e2e/multicluster/multicluster_primaryremote_test.go +++ b/tests/e2e/multicluster/multicluster_primaryremote_test.go @@ -20,7 +20,6 @@ import ( "context" "fmt" "path/filepath" - "strings" "time" "github.com/istio-ecosystem/sail-operator/api/v1alpha1" 
@@ -276,23 +275,8 @@ spec: }) It("can access the sample app from both clusters", func(ctx SpecContext) { - sleepPodNamePrimary, err := common.GetPodNameByLabel(ctx, clPrimary, "sample", "app", "sleep") - Expect(sleepPodNamePrimary).NotTo(BeEmpty(), "Sleep pod not found on Primary Cluster") - Expect(err).NotTo(HaveOccurred(), "Error getting sleep pod name on Primary Cluster") - - sleepPodNameRemote, err := common.GetPodNameByLabel(ctx, clRemote, "sample", "app", "sleep") - Expect(sleepPodNameRemote).NotTo(BeEmpty(), "Sleep pod not found on Remote Cluster") - Expect(err).NotTo(HaveOccurred(), "Error getting sleep pod name on Remote Cluster") - - // Run the curl command from the sleep pod in the Remote Cluster and get response list to validate that we get responses from both clusters - remoteResponses := strings.Join(getListCurlResponses(k2, sleepPodNameRemote), "\n") - Expect(remoteResponses).To(ContainSubstring("Hello version: v1"), "Responses from Remote Cluster are not the expected") - Expect(remoteResponses).To(ContainSubstring("Hello version: v2"), "Responses from Remote Cluster are not the expected") - - // Run the curl command from the sleep pod in the Primary Cluster and get response list to validate that we get responses from both clusters - primaryResponses := strings.Join(getListCurlResponses(k1, sleepPodNamePrimary), "\n") - Expect(primaryResponses).To(ContainSubstring("Hello version: v1"), "Responses from Primary Cluster are not the expected") - Expect(primaryResponses).To(ContainSubstring("Hello version: v2"), "Responses from Primary Cluster are not the expected") + verifyResponsesAreReceivedFromBothClusters(k1, "Cluster #1") + verifyResponsesAreReceivedFromBothClusters(k2, "Cluster #2") Success("Sample app is accessible from both clusters") }) }) From 1c56d16c8347a70b99fbf0af948caa616c6ed940 Mon Sep 17 00:00:00 2001 
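Review bot: The new calls label the clusters `"Cluster #1"` and `"Cluster #2"`, but the assertions this hunk removes — and the pod-lookup messages above them — call them the Primary Cluster and the Remote Cluster, which is the model this primaryremote test file covers; a failure from the shared helper would now read `sleep pod in Cluster #1 did not receive any response from v1`, which is ambiguous in a primary/remote setup. Pass `"Primary Cluster"` and `"Remote Cluster"` here so the wording stays consistent with the rest of this file, keeping the numbered labels for the multi-primary test.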
From: openshift-service-mesh-bot <165402251+openshift-service-mesh-bot@users.noreply.github.com> Date: Wed, 9 Oct 2024 18:41:45 +0200 Subject: [PATCH 48/68] Automator: Update dependencies in istio-ecosystem/sail-operator@main (#398) Signed-off-by: openshift-service-mesh-bot --- .devcontainer/devcontainer.json | 2 +- Makefile.core.mk | 2 +- api/v1alpha1/values_types.gen.go | 6 ++-- api/v1alpha1/zz_generated.deepcopy.go | 10 ++++++ .../sailoperator.clusterserviceversion.yaml | 20 ++++++------ .../sailoperator.io_istiorevisions.yaml | 2 ++ bundle/manifests/sailoperator.io_istios.yaml | 2 ++ .../sailoperator.io_remoteistios.yaml | 2 ++ .../crds/sailoperator.io_istiorevisions.yaml | 2 ++ chart/crds/sailoperator.io_istios.yaml | 2 ++ chart/crds/sailoperator.io_remoteistios.yaml | 2 ++ chart/values.yaml | 2 +- common/.commonfiles.sha | 2 +- common/scripts/setup_env.sh | 2 +- docs/api-reference/sailoperator.io.md | 4 +-- go.mod | 6 ++-- go.sum | 12 +++---- resources/latest/charts/base/Chart.yaml | 4 +-- resources/latest/charts/cni/Chart.yaml | 4 +-- resources/latest/charts/cni/values.yaml | 2 +- resources/latest/charts/gateway/Chart.yaml | 4 +-- resources/latest/charts/istiod/Chart.yaml | 4 +-- .../istiod/files/injection-template.yaml | 32 ++----------------- .../latest/charts/istiod/files/waypoint.yaml | 1 + resources/latest/charts/istiod/values.yaml | 5 +-- resources/latest/charts/ztunnel/Chart.yaml | 4 +-- resources/latest/charts/ztunnel/values.yaml | 2 +- versions.yaml | 14 ++++---- 28 files changed, 75 insertions(+), 81 deletions(-) diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json index 2cb39e8ca..08329e1ab 100644 --- a/.devcontainer/devcontainer.json +++ b/.devcontainer/devcontainer.json 
@@ -1,6 +1,6 @@ { "name": "istio build-tools", - "image": "gcr.io/istio-testing/build-tools:master-8463430ba963638b35745d773045701f6d02014d", + "image": "gcr.io/istio-testing/build-tools:master-8eb42e9551b9a67c330aeef783f2498647d91289", "privileged": true, "remoteEnv": { "USE_GKE_GCLOUD_AUTH_PLUGIN": "True", diff --git a/Makefile.core.mk b/Makefile.core.mk index a3afbac6c..86c76e3ce 100644 --- a/Makefile.core.mk +++ b/Makefile.core.mk @@ -468,7 +468,7 @@ OPERATOR_SDK_VERSION ?= v1.37.0 HELM_VERSION ?= v3.16.1 CONTROLLER_TOOLS_VERSION ?= v0.16.3 OPM_VERSION ?= v1.47.0 -GITLEAKS_VERSION ?= v8.20.0 +GITLEAKS_VERSION ?= v8.20.1 ISTIOCTL_VERSION ?= 1.23.0 # GENERATE_RELATED_IMAGES defines whether `spec.relatedImages` is going to be generated or not diff --git a/api/v1alpha1/values_types.gen.go b/api/v1alpha1/values_types.gen.go index f1d55adb4..1f156da29 100644 --- a/api/v1alpha1/values_types.gen.go +++ b/api/v1alpha1/values_types.gen.go @@ -685,6 +685,8 @@ type ProxyConfig struct { // Enables core dumps for newly injected sidecars. // // If set, newly injected sidecars will have core dumps enabled. + // + // Deprecated: Marked as deprecated in pkg/apis/values_types.proto. EnableCoreDump *bool `json:"enableCoreDump,omitempty"` // Specifies the Istio ingress ports not to capture. ExcludeInboundPorts string `json:"excludeInboundPorts,omitempty"` 
@@ -3228,12 +3230,12 @@ type ProxyConfigProxyHeadersSetCurrentClientCertDetails struct { // Whether to forward the entire client cert in URL encoded PEM format. This will appear in the // XFCC header comma separated from other values with the value Cert="PEM". // Defaults to false. - Cert bool `json:"cert,omitempty"` + Cert *bool `json:"cert,omitempty"` // Whether to forward the entire client cert chain (including the leaf cert) in URL encoded PEM // format. This will appear in the XFCC header comma separated from other values with the value // Chain="PEM". // Defaults to false. - Chain bool `json:"chain,omitempty"` + Chain *bool `json:"chain,omitempty"` // Whether to forward the DNS type Subject Alternative Names of the client cert. // Defaults to true. Dns *bool `json:"dns,omitempty"` diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go index 847e60775..516cdd97c 100644 --- a/api/v1alpha1/zz_generated.deepcopy.go +++ b/api/v1alpha1/zz_generated.deepcopy.go @@ -2939,6 +2939,16 @@ func (in *ProxyConfigProxyHeadersSetCurrentClientCertDetails) DeepCopyInto(out * *out = new(bool) **out = **in } + if in.Cert != nil { + in, out := &in.Cert, &out.Cert + *out = new(bool) + **out = **in + } + if in.Chain != nil { + in, out := &in.Chain, &out.Chain + *out = new(bool) + **out = **in + } if in.Dns != nil { in, out := &in.Dns, &out.Dns *out = new(bool) diff --git a/bundle/manifests/sailoperator.clusterserviceversion.yaml b/bundle/manifests/sailoperator.clusterserviceversion.yaml index 0a577c671..d23d2c956 100644 --- a/bundle/manifests/sailoperator.clusterserviceversion.yaml +++ b/bundle/manifests/sailoperator.clusterserviceversion.yaml 
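Review bot: `Cert` and `Chain` in ProxyConfigProxyHeadersSetCurrentClientCertDetails change from `bool` to `*bool`; the JSON shape is unchanged and the deepcopy additions below are consistent with it, but any Go code that constructs this struct with `Cert: true` stops compiling, so this is a source-level API change in `api/v1alpha1` arriving through an automated dependency bump. The generated file's comment gives no reason for the change, so a sentence in the PR description pointing at the upstream `values_types.proto` update would help anyone tracking API compatibility. The accompanying `Deprecated:` marker on EnableCoreDump is likewise worth a mention, since it surfaces in every CRD description updated in this patch.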
@@ -34,7 +34,7 @@ metadata: capabilities: Seamless Upgrades categories: OpenShift Optional, Integration & Delivery, Networking, Security containerImage: quay.io/maistra-dev/sail-operator:0.2-latest - createdAt: "2024-10-08T15:48:56Z" + createdAt: "2024-10-09T14:29:03Z" description: Experimental operator for installing Istio service mesh features.operators.openshift.io/cnf: "false" features.operators.openshift.io/cni: "true" @@ -374,7 +374,7 @@ spec: - v1.23.2 - v1.22.5 - v1.21.6 - - latest (6f95f8c9) + - latest (51903838) [See this page](https://github.com/istio-ecosystem/sail-operator/blob/main/bundle/README.md) for instructions on how to use it. displayName: Sail Operator @@ -598,10 +598,10 @@ spec: template: metadata: annotations: - images.latest.cni: gcr.io/istio-testing/install-cni:1.24-alpha.6f95f8c912c44489b4f78568207337bd907f46c1 - images.latest.istiod: gcr.io/istio-testing/pilot:1.24-alpha.6f95f8c912c44489b4f78568207337bd907f46c1 - images.latest.proxy: gcr.io/istio-testing/proxyv2:1.24-alpha.6f95f8c912c44489b4f78568207337bd907f46c1 - images.latest.ztunnel: gcr.io/istio-testing/ztunnel:1.24-alpha.6f95f8c912c44489b4f78568207337bd907f46c1 + images.latest.cni: gcr.io/istio-testing/install-cni:1.24-alpha.51903838fc216411efd9ad147ed3cfe0c6e258e9 + images.latest.istiod: gcr.io/istio-testing/pilot:1.24-alpha.51903838fc216411efd9ad147ed3cfe0c6e258e9 + images.latest.proxy: gcr.io/istio-testing/proxyv2:1.24-alpha.51903838fc216411efd9ad147ed3cfe0c6e258e9 + images.latest.ztunnel: gcr.io/istio-testing/ztunnel:1.24-alpha.51903838fc216411efd9ad147ed3cfe0c6e258e9 images.v1_21_6.cni: docker.io/istio/install-cni:1.21.6 images.v1_21_6.istiod: docker.io/istio/pilot:1.21.6 images.v1_21_6.proxy: docker.io/istio/proxyv2:1.21.6 
@@ -766,13 +766,13 @@ spec: provider: name: Red Hat, Inc. relatedImages: - - image: gcr.io/istio-testing/install-cni:1.24-alpha.6f95f8c912c44489b4f78568207337bd907f46c1 + - image: gcr.io/istio-testing/install-cni:1.24-alpha.51903838fc216411efd9ad147ed3cfe0c6e258e9 name: latest.cni - - image: gcr.io/istio-testing/pilot:1.24-alpha.6f95f8c912c44489b4f78568207337bd907f46c1 + - image: gcr.io/istio-testing/pilot:1.24-alpha.51903838fc216411efd9ad147ed3cfe0c6e258e9 name: latest.istiod - - image: gcr.io/istio-testing/proxyv2:1.24-alpha.6f95f8c912c44489b4f78568207337bd907f46c1 + - image: gcr.io/istio-testing/proxyv2:1.24-alpha.51903838fc216411efd9ad147ed3cfe0c6e258e9 name: latest.proxy - - image: gcr.io/istio-testing/ztunnel:1.24-alpha.6f95f8c912c44489b4f78568207337bd907f46c1 + - image: gcr.io/istio-testing/ztunnel:1.24-alpha.51903838fc216411efd9ad147ed3cfe0c6e258e9 name: latest.ztunnel - image: docker.io/istio/install-cni:1.21.6 name: v1_21_6.cni diff --git a/bundle/manifests/sailoperator.io_istiorevisions.yaml b/bundle/manifests/sailoperator.io_istiorevisions.yaml index f94de37ce..5370d3268 100644 --- a/bundle/manifests/sailoperator.io_istiorevisions.yaml +++ b/bundle/manifests/sailoperator.io_istiorevisions.yaml @@ -599,6 +599,8 @@ spec: Enables core dumps for newly injected sidecars. If set, newly injected sidecars will have core dumps enabled. + + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. type: boolean excludeIPRanges: description: Lists the excluded IP ranges of Istio egress diff --git a/bundle/manifests/sailoperator.io_istios.yaml b/bundle/manifests/sailoperator.io_istios.yaml index 57cd36751..8e16af7dd 100644 --- a/bundle/manifests/sailoperator.io_istios.yaml +++ b/bundle/manifests/sailoperator.io_istios.yaml 
@@ -658,6 +658,8 @@ spec: Enables core dumps for newly injected sidecars. If set, newly injected sidecars will have core dumps enabled. + + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. type: boolean excludeIPRanges: description: Lists the excluded IP ranges of Istio egress diff --git a/bundle/manifests/sailoperator.io_remoteistios.yaml b/bundle/manifests/sailoperator.io_remoteistios.yaml index f0511ee38..7954b577c 100644 --- a/bundle/manifests/sailoperator.io_remoteistios.yaml +++ b/bundle/manifests/sailoperator.io_remoteistios.yaml @@ -653,6 +653,8 @@ spec: Enables core dumps for newly injected sidecars. If set, newly injected sidecars will have core dumps enabled. + + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. type: boolean excludeIPRanges: description: Lists the excluded IP ranges of Istio egress diff --git a/chart/crds/sailoperator.io_istiorevisions.yaml b/chart/crds/sailoperator.io_istiorevisions.yaml index 4cad3c0c0..e7533f351 100644 --- a/chart/crds/sailoperator.io_istiorevisions.yaml +++ b/chart/crds/sailoperator.io_istiorevisions.yaml @@ -599,6 +599,8 @@ spec: Enables core dumps for newly injected sidecars. If set, newly injected sidecars will have core dumps enabled. + + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. type: boolean excludeIPRanges: description: Lists the excluded IP ranges of Istio egress diff --git a/chart/crds/sailoperator.io_istios.yaml b/chart/crds/sailoperator.io_istios.yaml index f1b6843b9..8254f7469 100644 --- a/chart/crds/sailoperator.io_istios.yaml +++ b/chart/crds/sailoperator.io_istios.yaml @@ -658,6 +658,8 @@ spec: Enables core dumps for newly injected sidecars. If set, newly injected sidecars will have core dumps enabled. + + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. type: boolean excludeIPRanges: description: Lists the excluded IP ranges of Istio egress 
diff --git a/chart/crds/sailoperator.io_remoteistios.yaml b/chart/crds/sailoperator.io_remoteistios.yaml index bd7b8e570..ee128cf3f 100644 --- a/chart/crds/sailoperator.io_remoteistios.yaml +++ b/chart/crds/sailoperator.io_remoteistios.yaml @@ -653,6 +653,8 @@ spec: Enables core dumps for newly injected sidecars. If set, newly injected sidecars will have core dumps enabled. + + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. type: boolean excludeIPRanges: description: Lists the excluded IP ranges of Istio egress diff --git a/chart/values.yaml b/chart/values.yaml index ad6afeb70..06a8ef4f1 100644 --- a/chart/values.yaml +++ b/chart/values.yaml @@ -19,7 +19,7 @@ csv: - v1.23.2 - v1.22.5 - v1.21.6 - - latest (6f95f8c9) + - latest (51903838) [See this page](https://github.com/istio-ecosystem/sail-operator/blob/main/bundle/README.md) for instructions on how to use it. support: Community based diff --git a/common/.commonfiles.sha b/common/.commonfiles.sha index 902101baf..22283f3bd 100644 --- a/common/.commonfiles.sha +++ b/common/.commonfiles.sha @@ -1 +1 @@ -430db67c8ca3604651633bcf49bb096193933ef8 +c12e9c52ed2facb49d394df9b1c92ff36fc7f5f1 diff --git a/common/scripts/setup_env.sh b/common/scripts/setup_env.sh index 9418434d8..6cbe0225f 100755 --- a/common/scripts/setup_env.sh +++ b/common/scripts/setup_env.sh @@ -75,7 +75,7 @@ fi TOOLS_REGISTRY_PROVIDER=${TOOLS_REGISTRY_PROVIDER:-gcr.io} PROJECT_ID=${PROJECT_ID:-istio-testing} if [[ "${IMAGE_VERSION:-}" == "" ]]; then - IMAGE_VERSION=master-8463430ba963638b35745d773045701f6d02014d + IMAGE_VERSION=master-8eb42e9551b9a67c330aeef783f2498647d91289 fi if [[ "${IMAGE_NAME:-}" == "" ]]; then IMAGE_NAME=build-tools diff --git a/docs/api-reference/sailoperator.io.md b/docs/api-reference/sailoperator.io.md index d028681b5..5e7ba430e 100644 --- a/docs/api-reference/sailoperator.io.md +++ b/docs/api-reference/sailoperator.io.md 
@@ -2196,7 +2196,7 @@ _Appears in:_ | `autoInject` _string_ | Controls the 'policy' in the sidecar injector. | | | | `clusterDomain` _string_ | Domain for the cluster, default: "cluster.local". K8s allows this to be customized, see https://kubernetes.io/docs/tasks/administer-cluster/dns-custom-nameservers/ | | | | `componentLogLevel` _string_ | Per Component log level for proxy, applies to gateways and sidecars. If a component level is not set, then the global "logLevel" will be used. If left empty, "misc:error" is used. | | | -| `enableCoreDump` _boolean_ | Enables core dumps for newly injected sidecars. If set, newly injected sidecars will have core dumps enabled. | | | +| `enableCoreDump` _boolean_ | Enables core dumps for newly injected sidecars. If set, newly injected sidecars will have core dumps enabled. Deprecated: Marked as deprecated in pkg/apis/values_types.proto. | | | | `excludeInboundPorts` _string_ | Specifies the Istio ingress ports not to capture. | | | | `excludeIPRanges` _string_ | Lists the excluded IP ranges of Istio egress traffic that the sidecar captures. | | | | `image` _string_ | Image name or path for the proxy, default: "proxyv2". If registry or tag are not specified, global.hub and global.tag are used. Examples: my-proxy (uses global.hub/tag), docker.io/myrepo/my-proxy:v1.0.0 | | | 
@@ -2330,7 +2330,7 @@ _Appears in:_
 #### ProxyConfigProxyHeadersSetCurrentClientCertDetails
-_Underlying type:_ _[struct{Subject *bool "json:\"subject,omitempty\""; Cert bool "json:\"cert,omitempty\""; Chain bool "json:\"chain,omitempty\""; Dns *bool "json:\"dns,omitempty\""; Uri *bool "json:\"uri,omitempty\""}](#struct{subject-*bool-"json:\"subject,omitempty\"";-cert-bool-"json:\"cert,omitempty\"";-chain-bool-"json:\"chain,omitempty\"";-dns-*bool-"json:\"dns,omitempty\"";-uri-*bool-"json:\"uri,omitempty\""})_
+_Underlying type:_ _[struct{Subject *bool "json:\"subject,omitempty\""; Cert *bool "json:\"cert,omitempty\""; Chain *bool "json:\"chain,omitempty\""; Dns *bool "json:\"dns,omitempty\""; Uri *bool "json:\"uri,omitempty\""}](#struct{subject-*bool-"json:\"subject,omitempty\"";-cert-*bool-"json:\"cert,omitempty\"";-chain-*bool-"json:\"chain,omitempty\"";-dns-*bool-"json:\"dns,omitempty\"";-uri-*bool-"json:\"uri,omitempty\""})_
diff --git a/go.mod b/go.mod
index fcd7bd26d..5d10a7e8d 100644
--- a/go.mod
+++ b/go.mod
@@ -23,8 +23,8 @@ require (
 gomodules.xyz/jsonpatch/v2 v2.4.0
 gopkg.in/yaml.v3 v3.0.1
 helm.sh/helm/v3 v3.16.1
- istio.io/client-go v1.23.0-alpha.0.0.20241005034300-2c4a3cee6f7d
- istio.io/istio v0.0.0-20241006152922-6f95f8c912c4
+ istio.io/client-go v1.23.0-alpha.0.0.20241008225844-395a48e49cd4
+ istio.io/istio v0.0.0-20241009082345-51903838fc21
 k8s.io/api v0.31.1
 k8s.io/apiextensions-apiserver v0.31.1
 k8s.io/apimachinery v0.31.1
@@ -166,7 +166,7 @@ require (
 gopkg.in/inf.v0 v0.9.1 // indirect
 gopkg.in/yaml.v2 v2.4.0 // indirect
 gotest.tools/v3 v3.5.1 // indirect
- istio.io/api v1.23.0-alpha.0.0.20241005033901-9723aca52e22 // indirect
+ istio.io/api v1.23.0-alpha.0.0.20241008225447-9e245289297e // indirect
 k8s.io/apiserver v0.31.1 // indirect
 k8s.io/component-base v0.31.1 // indirect
 k8s.io/klog/v2 v2.130.1 // indirect
diff --git a/go.sum b/go.sum
index 0cdb5dc87..667594e1c 100644
--- a/go.sum
+++ b/go.sum
@@ -489,12 +489,12 @@ gotest.tools/v3 v3.5.1 h1:EENdUnS3pdur5nybKYIh2Vfgc8IUNBjxDPSjtiJcOzU=
 gotest.tools/v3 v3.5.1/go.mod h1:isy3WKz7GK6uNw/sbHzfKBLvlvXwUyV06n6brMxxopU=
 helm.sh/helm/v3 v3.16.1 h1:cER6tI/8PgUAsaJaQCVBUg3VI9KN4oVaZJgY60RIc0c=
 helm.sh/helm/v3 v3.16.1/go.mod h1:r+xBHHP20qJeEqtvBXMf7W35QDJnzY/eiEBzt+TfHps=
-istio.io/api v1.23.0-alpha.0.0.20241005033901-9723aca52e22 h1:zJhF3wFCBR6aYymRVqO9/lSX2D/sk/qklQrRF7lbIj8=
-istio.io/api v1.23.0-alpha.0.0.20241005033901-9723aca52e22/go.mod h1:MQnRok7RZ20/PE56v0LxmoWH0xVxnCQPNuf9O7PAN1I=
-istio.io/client-go v1.23.0-alpha.0.0.20241005034300-2c4a3cee6f7d h1:rlMkdB4mK+b8TKSuxVOOZYh4mpDkDgYvVQj75wwLYKA=
-istio.io/client-go v1.23.0-alpha.0.0.20241005034300-2c4a3cee6f7d/go.mod h1:K/KtGTGAA72MC0oPUIFE1ux9aQUqepNP2e4YCz2YleE=
-istio.io/istio v0.0.0-20241006152922-6f95f8c912c4 h1:njSM52+zyIPtmLYNr4jEFb7n4NBnudB95llLRzicBNs=
-istio.io/istio v0.0.0-20241006152922-6f95f8c912c4/go.mod h1:///kOEmTI1EXlYBf1zS1l63r/Otcx0S1EG/95ZJ0LOo=
+istio.io/api v1.23.0-alpha.0.0.20241008225447-9e245289297e h1:XFDQ7gJIvtFtqnQSkAUjj95+ZpgClPEz+pwSU3rvxkk=
+istio.io/api v1.23.0-alpha.0.0.20241008225447-9e245289297e/go.mod h1:MQnRok7RZ20/PE56v0LxmoWH0xVxnCQPNuf9O7PAN1I=
+istio.io/client-go v1.23.0-alpha.0.0.20241008225844-395a48e49cd4 h1:4CxCrMN+Q+S9GDSrlrigR63zYqQ+uc5nGmknHNhT+PU=
+istio.io/client-go v1.23.0-alpha.0.0.20241008225844-395a48e49cd4/go.mod h1:72IX50+zpXByj9hYLJ5b28v6h62v/UHcU+ZFVJBiwao=
+istio.io/istio v0.0.0-20241009082345-51903838fc21 h1:WeDrhaXfvt4Ufux7iLIXw/pXp36mF+Oh7dG/BEIRsfs=
+istio.io/istio v0.0.0-20241009082345-51903838fc21/go.mod h1:OjXgkrdrI5myoxr0eDxoWm+q5kFrcgLNlJLRvGd5ZIk=
 k8s.io/api v0.31.1 h1:Xe1hX/fPW3PXYYv8BlozYqw63ytA92snr96zMW9gWTU=
 k8s.io/api v0.31.1/go.mod h1:sbN1g6eY6XVLeqNsZGLnI5FwVseTrZX7Fv3O26rhAaI=
 k8s.io/apiextensions-apiserver v0.31.1 h1:L+hwULvXx+nvTYX/MKM3kKMZyei+UiSXQWciX/N6E40=
diff --git a/resources/latest/charts/base/Chart.yaml b/resources/latest/charts/base/Chart.yaml index 90d7c8743..cb509e593 100644 --- a/resources/latest/charts/base/Chart.yaml +++ b/resources/latest/charts/base/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 1.24-alpha.6f95f8c912c44489b4f78568207337bd907f46c1 +appVersion: 1.24-alpha.51903838fc216411efd9ad147ed3cfe0c6e258e9 description: Helm chart for deploying Istio cluster resources and CRDs icon: https://istio.io/latest/favicons/android-192x192.png keywords: @@ -7,4 +7,4 @@ keywords: name: base sources: - https://github.com/istio/istio -version: 1.24-alpha.6f95f8c912c44489b4f78568207337bd907f46c1 +version: 1.24-alpha.51903838fc216411efd9ad147ed3cfe0c6e258e9 diff --git a/resources/latest/charts/cni/Chart.yaml b/resources/latest/charts/cni/Chart.yaml index 07bc06d3c..98118950f 100644 --- a/resources/latest/charts/cni/Chart.yaml +++ b/resources/latest/charts/cni/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 1.24-alpha.6f95f8c912c44489b4f78568207337bd907f46c1 +appVersion: 1.24-alpha.51903838fc216411efd9ad147ed3cfe0c6e258e9 description: Helm chart for istio-cni components icon: https://istio.io/latest/favicons/android-192x192.png keywords: @@ -8,4 +8,4 @@ keywords: name: cni sources: - https://github.com/istio/istio -version: 1.24-alpha.6f95f8c912c44489b4f78568207337bd907f46c1 +version: 1.24-alpha.51903838fc216411efd9ad147ed3cfe0c6e258e9 diff --git a/resources/latest/charts/cni/values.yaml b/resources/latest/charts/cni/values.yaml index 491f58253..979c9b9e5 100644 --- a/resources/latest/charts/cni/values.yaml +++ b/resources/latest/charts/cni/values.yaml @@ -112,7 +112,7 @@ _internal_defaults_do_not_set: hub: gcr.io/istio-testing # Default tag for Istio images. - tag: 1.24-alpha.6f95f8c912c44489b4f78568207337bd907f46c1 + tag: 1.24-alpha.51903838fc216411efd9ad147ed3cfe0c6e258e9 # Variant of the image to use. # Currently supported are: [debug, distroless] 
diff --git a/resources/latest/charts/gateway/Chart.yaml b/resources/latest/charts/gateway/Chart.yaml index 49bde88c7..a0805dba7 100644 --- a/resources/latest/charts/gateway/Chart.yaml +++ b/resources/latest/charts/gateway/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 1.24-alpha.6f95f8c912c44489b4f78568207337bd907f46c1 +appVersion: 1.24-alpha.51903838fc216411efd9ad147ed3cfe0c6e258e9 description: Helm chart for deploying Istio gateways icon: https://istio.io/latest/favicons/android-192x192.png keywords: @@ -9,4 +9,4 @@ name: gateway sources: - https://github.com/istio/istio type: application -version: 1.24-alpha.6f95f8c912c44489b4f78568207337bd907f46c1 +version: 1.24-alpha.51903838fc216411efd9ad147ed3cfe0c6e258e9 diff --git a/resources/latest/charts/istiod/Chart.yaml b/resources/latest/charts/istiod/Chart.yaml index c064a3baa..864a7c815 100644 --- a/resources/latest/charts/istiod/Chart.yaml +++ b/resources/latest/charts/istiod/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 1.24-alpha.6f95f8c912c44489b4f78568207337bd907f46c1 +appVersion: 1.24-alpha.51903838fc216411efd9ad147ed3cfe0c6e258e9 description: Helm chart for istio control plane icon: https://istio.io/latest/favicons/android-192x192.png keywords: @@ -9,4 +9,4 @@ keywords: name: istiod sources: - https://github.com/istio/istio -version: 1.24-alpha.6f95f8c912c44489b4f78568207337bd907f46c1 +version: 1.24-alpha.51903838fc216411efd9ad147ed3cfe0c6e258e9 diff --git a/resources/latest/charts/istiod/files/injection-template.yaml b/resources/latest/charts/istiod/files/injection-template.yaml index f41122f9b..a0b8d5b6f 100644 --- a/resources/latest/charts/istiod/files/injection-template.yaml +++ b/resources/latest/charts/istiod/files/injection-template.yaml 
@@ -161,34 +161,6 @@ spec: runAsNonRoot: true {{- end }} {{ end -}} - {{- if eq (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }} - - name: enable-core-dump - args: - - -c - - sysctl -w kernel.core_pattern=/var/lib/istio/data/core.proxy && ulimit -c unlimited - command: - - /bin/sh - {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}" - {{- else }} - image: "{{ .ProxyImage }}" - {{- end }} - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - resources: - {{ template "resources" . }} - securityContext: - allowPrivilegeEscalation: true - capabilities: - add: - - SYS_ADMIN - drop: - - ALL - privileged: true - readOnlyRootFilesystem: false - runAsGroup: 0 - runAsNonRoot: false - runAsUser: 0 - {{ end }} {{ if not $nativeSidecar }} containers: {{ end }} @@ -384,7 +356,7 @@ spec: drop: - ALL privileged: true - readOnlyRootFilesystem: {{ ne (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }} + readOnlyRootFilesystem: true runAsGroup: {{ .ProxyGID | default "1337" }} runAsNonRoot: false runAsUser: 0 @@ -403,7 +375,7 @@ spec: drop: - ALL privileged: {{ .Values.global.proxy.privileged }} - readOnlyRootFilesystem: {{ ne (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }} + readOnlyRootFilesystem: true runAsGroup: {{ .ProxyGID | default "1337" }} {{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}} runAsNonRoot: false 
diff --git a/resources/latest/charts/istiod/files/waypoint.yaml b/resources/latest/charts/istiod/files/waypoint.yaml index f12a128f4..570648f03 100644 --- a/resources/latest/charts/istiod/files/waypoint.yaml +++ b/resources/latest/charts/istiod/files/waypoint.yaml @@ -295,6 +295,7 @@ metadata: {{ toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} labels: {{- toJsonMap + (strdict "networking.istio.io/traffic-distribution" "PreferClose") .InfrastructureLabels (strdict "gateway.networking.k8s.io/gateway-name" .Name diff --git a/resources/latest/charts/istiod/values.yaml b/resources/latest/charts/istiod/values.yaml index c727eb887..35182b455 100644 --- a/resources/latest/charts/istiod/values.yaml +++ b/resources/latest/charts/istiod/values.yaml @@ -242,7 +242,7 @@ _internal_defaults_do_not_set: # Dev builds from prow are on gcr.io hub: gcr.io/istio-testing # Default tag for Istio images. - tag: 1.24-alpha.6f95f8c912c44489b4f78568207337bd907f46c1 + tag: 1.24-alpha.51903838fc216411efd9ad147ed3cfe0c6e258e9 # Variant of the image to use. # Currently supported are: [debug, distroless] variant: "" @@ -314,9 +314,6 @@ _internal_defaults_do_not_set: # not set, then the global "logLevel" will be used. componentLogLevel: "misc:error" - # If set, newly injected sidecars will have core dumps enabled. - enableCoreDump: false - # istio ingress capture allowlist # examples: # Redirect only selected ports: --includeInboundPorts="80,8080" diff --git a/resources/latest/charts/ztunnel/Chart.yaml b/resources/latest/charts/ztunnel/Chart.yaml index c6f4a8861..65c98da26 100644 --- a/resources/latest/charts/ztunnel/Chart.yaml +++ b/resources/latest/charts/ztunnel/Chart.yaml 
@@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 1.24-alpha.6f95f8c912c44489b4f78568207337bd907f46c1 +appVersion: 1.24-alpha.51903838fc216411efd9ad147ed3cfe0c6e258e9 description: Helm chart for istio ztunnel components icon: https://istio.io/latest/favicons/android-192x192.png keywords: @@ -8,4 +8,4 @@ keywords: name: ztunnel sources: - https://github.com/istio/istio -version: 1.24-alpha.6f95f8c912c44489b4f78568207337bd907f46c1 +version: 1.24-alpha.51903838fc216411efd9ad147ed3cfe0c6e258e9 diff --git a/resources/latest/charts/ztunnel/values.yaml b/resources/latest/charts/ztunnel/values.yaml index 877f05f27..b26dca371 100644 --- a/resources/latest/charts/ztunnel/values.yaml +++ b/resources/latest/charts/ztunnel/values.yaml @@ -4,7 +4,7 @@ _internal_defaults_do_not_set: # Hub to pull from. Image will be `Hub/Image:Tag-Variant` hub: gcr.io/istio-testing # Tag to pull from. Image will be `Hub/Image:Tag-Variant` - tag: 1.24-alpha.6f95f8c912c44489b4f78568207337bd907f46c1 + tag: 1.24-alpha.51903838fc216411efd9ad147ed3cfe0c6e258e9 # Variant to pull. Options are "debug" or "distroless". Unset will use the default for the given version. variant: "" diff --git a/versions.yaml b/versions.yaml index 6f4a4e74a..28987ca1f 100644 --- a/versions.yaml +++ b/versions.yaml 
@@ -43,13 +43,13 @@ versions: - https://istio-release.storage.googleapis.com/charts/cni-1.21.6.tgz - https://istio-release.storage.googleapis.com/charts/ztunnel-1.21.6.tgz - name: latest - version: 1.24-alpha.6f95f8c912c44489b4f78568207337bd907f46c1 + version: 1.24-alpha.51903838fc216411efd9ad147ed3cfe0c6e258e9 repo: https://github.com/istio/istio branch: master - commit: 6f95f8c912c44489b4f78568207337bd907f46c1 + commit: 51903838fc216411efd9ad147ed3cfe0c6e258e9 charts: - - https://storage.googleapis.com/istio-build/dev/1.24-alpha.6f95f8c912c44489b4f78568207337bd907f46c1/helm/base-1.24-alpha.6f95f8c912c44489b4f78568207337bd907f46c1.tgz - - https://storage.googleapis.com/istio-build/dev/1.24-alpha.6f95f8c912c44489b4f78568207337bd907f46c1/helm/cni-1.24-alpha.6f95f8c912c44489b4f78568207337bd907f46c1.tgz - - https://storage.googleapis.com/istio-build/dev/1.24-alpha.6f95f8c912c44489b4f78568207337bd907f46c1/helm/gateway-1.24-alpha.6f95f8c912c44489b4f78568207337bd907f46c1.tgz - - https://storage.googleapis.com/istio-build/dev/1.24-alpha.6f95f8c912c44489b4f78568207337bd907f46c1/helm/istiod-1.24-alpha.6f95f8c912c44489b4f78568207337bd907f46c1.tgz - - https://storage.googleapis.com/istio-build/dev/1.24-alpha.6f95f8c912c44489b4f78568207337bd907f46c1/helm/ztunnel-1.24-alpha.6f95f8c912c44489b4f78568207337bd907f46c1.tgz + - https://storage.googleapis.com/istio-build/dev/1.24-alpha.51903838fc216411efd9ad147ed3cfe0c6e258e9/helm/base-1.24-alpha.51903838fc216411efd9ad147ed3cfe0c6e258e9.tgz + - https://storage.googleapis.com/istio-build/dev/1.24-alpha.51903838fc216411efd9ad147ed3cfe0c6e258e9/helm/cni-1.24-alpha.51903838fc216411efd9ad147ed3cfe0c6e258e9.tgz + - https://storage.googleapis.com/istio-build/dev/1.24-alpha.51903838fc216411efd9ad147ed3cfe0c6e258e9/helm/gateway-1.24-alpha.51903838fc216411efd9ad147ed3cfe0c6e258e9.tgz + - 
https://storage.googleapis.com/istio-build/dev/1.24-alpha.51903838fc216411efd9ad147ed3cfe0c6e258e9/helm/istiod-1.24-alpha.51903838fc216411efd9ad147ed3cfe0c6e258e9.tgz
+ - https://storage.googleapis.com/istio-build/dev/1.24-alpha.51903838fc216411efd9ad147ed3cfe0c6e258e9/helm/ztunnel-1.24-alpha.51903838fc216411efd9ad147ed3cfe0c6e258e9.tgz
From 845bd13f5cc17b4b3d3f576e791c7c6804844e50 Mon Sep 17 00:00:00 2001 From: Daniel Grimm Date: Wed, 9 Oct 2024 19:48:44 +0200 Subject: [PATCH 49/68] Use upstream builder image in update-deps workflow (#399) Turns out we need the upstream image in order for the pr-creator tool to be present. Fixes #390 Signed-off-by: Daniel Grimm
--- .github/workflows/update-deps.yaml | 9 ++++++++- tools/update_deps.sh | 4 ++++ 2 files changed, 12 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/update-deps.yaml b/.github/workflows/update-deps.yaml
index 96bdc372f..b66c6ed7c 100644
--- a/.github/workflows/update-deps.yaml
+++ b/.github/workflows/update-deps.yaml
@@ -22,6 +22,9 @@ env:
 jobs:
 update-deps:
 runs-on: ubuntu-latest
+ container:
+ image: gcr.io/istio-testing/build-tools:master-8eb42e9551b9a67c330aeef783f2498647d91289
+ options: --entrypoint ''
 steps:
 - uses: actions/checkout@v4
@@ -29,6 +32,9 @@ jobs:
 repository: istio/test-infra
 ref: master
+ # this is a workaround for a permissions issue when using the istio build container
+ - run: git config --system --add safe.directory /__w/sail-operator/sail-operator
+
 - name: Run Automator
 run: |
 ./tools/automator/automator.sh \
@@ -37,7 +43,8 @@ jobs:
 --branch=$AUTOMATOR_BRANCH \
 '--title=Automator: Update dependencies in $AUTOMATOR_ORG/$AUTOMATOR_REPO@$AUTOMATOR_BRANCH' \
 --labels=auto-merge \
+ --email=openshiftservicemeshbot@gmail.com \
 --modifier=update_deps \
 --token-env \
- --cmd=./tools/update_deps.sh \
+ --cmd='BUILD_WITH_CONTAINER=0 ./tools/update_deps.sh' \
 --signoff
diff --git a/tools/update_deps.sh b/tools/update_deps.sh
index 6677af3de..90fd2a737 100755
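Review bot: The `image:` line in the first hunk references the build container by the mutable tag `master-8eb42e9551b9a67c330aeef783f2498647d91289`, and the sed added to tools/update_deps.sh in this same commit rewrites that tag on every run, so the job that is handed a token via `--token-env` executes whatever the registry currently serves under a tag nobody has reviewed. A tag can be re-pushed while a digest cannot; `image: gcr.io/istio-testing/build-tools@sha256:<digest-placeholder>` would let the runner verify the content, with the digest refreshed by the same update script. The `git config --system --add safe.directory` line in the second hunk is explained only as "a permissions issue"; a comment such as `# the checkout is owned by a different uid than the container user, so git rejects it without this` (if that is indeed the cause) would spare the next reader a search. The job definition these hunks modify starts before the first hunk.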
--- a/tools/update_deps.sh
+++ b/tools/update_deps.sh
@@ -31,6 +31,10 @@ function getLatestVersion() {
 # Update common files
 make update-common
+# update build container used in github actions
+NEW_IMAGE_MASTER=$(grep IMAGE_VERSION= < common/scripts/setup_env.sh | cut -d= -f2)
+sed -i -e "s|\(gcr.io/istio-testing/build-tools\):master.*|\1:$NEW_IMAGE_MASTER|" .github/workflows/update-deps.yaml
+
 # Update go dependencies
 export GO111MODULE=on
 go get -u "istio.io/istio@${UPDATE_BRANCH}"
From 5f65f6ccfaa27a746a99ce4db9d56f8c1189e6d2 Mon Sep 17 00:00:00 2001 From: openshift-service-mesh-bot <165402251+openshift-service-mesh-bot@users.noreply.github.com> Date: Thu, 10 Oct 2024 07:36:45 +0200 Subject: [PATCH 50/68] Automator: Update dependencies in istio-ecosystem/sail-operator@main (#402) Signed-off-by: openshift-service-mesh-bot
--- Makefile.core.mk | 2 +- .../sailoperator.clusterserviceversion.yaml | 20 +++++++++---------- chart/values.yaml | 2 +- go.mod | 2 +- go.sum | 4 ++-- resources/latest/charts/base/Chart.yaml | 4 ++-- resources/latest/charts/cni/Chart.yaml | 4 ++-- resources/latest/charts/cni/values.yaml | 2 +- resources/latest/charts/gateway/Chart.yaml | 4 ++-- resources/latest/charts/istiod/Chart.yaml | 4 ++-- resources/latest/charts/istiod/values.yaml | 2 +- resources/latest/charts/ztunnel/Chart.yaml | 4 ++-- resources/latest/charts/ztunnel/values.yaml | 2 +- versions.yaml | 14 ++++++------- 14 files changed, 35 insertions(+), 35 deletions(-)
diff --git a/Makefile.core.mk b/Makefile.core.mk
index 86c76e3ce..b879ae1f3 100644
--- a/Makefile.core.mk
+++ b/Makefile.core.mk
@@ -465,7 +465,7 @@ ISTIOCTL ?= $(LOCALBIN)/istioctl
 ## Tool Versions
 OPERATOR_SDK_VERSION ?= v1.37.0
-HELM_VERSION ?= v3.16.1
+HELM_VERSION ?= v3.16.2
 CONTROLLER_TOOLS_VERSION ?= v0.16.3
 OPM_VERSION ?= v1.47.0
 GITLEAKS_VERSION ?= v8.20.1
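Review bot: `grep IMAGE_VERSION=` in the new NEW_IMAGE_MASTER assignment is unanchored, so any line of common/scripts/setup_env.sh that merely contains that substring (a second assignment, or a longer variable name ending in IMAGE_VERSION) yields a multi-line value, and the sed that follows writes it into .github/workflows/update-deps.yaml without checking its shape. Because that workflow file selects the container the update-deps job executes in, the value should be anchored to the assignment and checked against the `master-<hex>` form visible in this commit before it is substituted, with the script failing otherwise. The getLatestVersion function named in the hunk header ends before this hunk.
```shell
# update build container used in github actions
NEW_IMAGE_MASTER=$(grep -E '^[[:space:]]*IMAGE_VERSION=' common/scripts/setup_env.sh | head -n 1 | cut -d= -f2)
if [[ ! "${NEW_IMAGE_MASTER}" =~ ^master-[0-9a-f]+$ ]]; then
  echo "unexpected IMAGE_VERSION in common/scripts/setup_env.sh: '${NEW_IMAGE_MASTER}'" >&2
  exit 1
fi
sed -i -e "s|\(gcr.io/istio-testing/build-tools\):master.*|\1:$NEW_IMAGE_MASTER|" .github/workflows/update-deps.yaml
# … unchanged: go dependency update …
```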
diff --git a/bundle/manifests/sailoperator.clusterserviceversion.yaml b/bundle/manifests/sailoperator.clusterserviceversion.yaml index d23d2c956..00156a472 100644 --- a/bundle/manifests/sailoperator.clusterserviceversion.yaml +++ b/bundle/manifests/sailoperator.clusterserviceversion.yaml @@ -34,7 +34,7 @@ metadata: capabilities: Seamless Upgrades categories: OpenShift Optional, Integration & Delivery, Networking, Security containerImage: quay.io/maistra-dev/sail-operator:0.2-latest - createdAt: "2024-10-09T14:29:03Z" + createdAt: "2024-10-10T05:19:48Z" description: Experimental operator for installing Istio service mesh features.operators.openshift.io/cnf: "false" features.operators.openshift.io/cni: "true" @@ -374,7 +374,7 @@ spec: - v1.23.2 - v1.22.5 - v1.21.6 - - latest (51903838) + - latest (216aec97) [See this page](https://github.com/istio-ecosystem/sail-operator/blob/main/bundle/README.md) for instructions on how to use it. displayName: Sail Operator 
@@ -598,10 +598,10 @@ spec: template: metadata: annotations: - images.latest.cni: gcr.io/istio-testing/install-cni:1.24-alpha.51903838fc216411efd9ad147ed3cfe0c6e258e9 - images.latest.istiod: gcr.io/istio-testing/pilot:1.24-alpha.51903838fc216411efd9ad147ed3cfe0c6e258e9 - images.latest.proxy: gcr.io/istio-testing/proxyv2:1.24-alpha.51903838fc216411efd9ad147ed3cfe0c6e258e9 - images.latest.ztunnel: gcr.io/istio-testing/ztunnel:1.24-alpha.51903838fc216411efd9ad147ed3cfe0c6e258e9 + images.latest.cni: gcr.io/istio-testing/install-cni:1.24-alpha.216aec97fa5b90dce88e9f53307157bee2709be0 + images.latest.istiod: gcr.io/istio-testing/pilot:1.24-alpha.216aec97fa5b90dce88e9f53307157bee2709be0 + images.latest.proxy: gcr.io/istio-testing/proxyv2:1.24-alpha.216aec97fa5b90dce88e9f53307157bee2709be0 + images.latest.ztunnel: gcr.io/istio-testing/ztunnel:1.24-alpha.216aec97fa5b90dce88e9f53307157bee2709be0 images.v1_21_6.cni: docker.io/istio/install-cni:1.21.6 images.v1_21_6.istiod: docker.io/istio/pilot:1.21.6 images.v1_21_6.proxy: docker.io/istio/proxyv2:1.21.6 
@@ -766,13 +766,13 @@ spec:
 provider:
 name: Red Hat, Inc.
 relatedImages:
- - image: gcr.io/istio-testing/install-cni:1.24-alpha.51903838fc216411efd9ad147ed3cfe0c6e258e9
+ - image: gcr.io/istio-testing/install-cni:1.24-alpha.216aec97fa5b90dce88e9f53307157bee2709be0
 name: latest.cni
- - image: gcr.io/istio-testing/pilot:1.24-alpha.51903838fc216411efd9ad147ed3cfe0c6e258e9
+ - image: gcr.io/istio-testing/pilot:1.24-alpha.216aec97fa5b90dce88e9f53307157bee2709be0
 name: latest.istiod
- - image: gcr.io/istio-testing/proxyv2:1.24-alpha.51903838fc216411efd9ad147ed3cfe0c6e258e9
+ - image: gcr.io/istio-testing/proxyv2:1.24-alpha.216aec97fa5b90dce88e9f53307157bee2709be0
 name: latest.proxy
- - image: gcr.io/istio-testing/ztunnel:1.24-alpha.51903838fc216411efd9ad147ed3cfe0c6e258e9
+ - image: gcr.io/istio-testing/ztunnel:1.24-alpha.216aec97fa5b90dce88e9f53307157bee2709be0
 name: latest.ztunnel
 - image: docker.io/istio/install-cni:1.21.6
 name: v1_21_6.cni
diff --git a/chart/values.yaml b/chart/values.yaml
index 06a8ef4f1..fb7054f76 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -19,7 +19,7 @@ csv:
 - v1.23.2
 - v1.22.5
 - v1.21.6
- - latest (51903838)
+ - latest (216aec97)
 [See this page](https://github.com/istio-ecosystem/sail-operator/blob/main/bundle/README.md) for instructions on how to use it.
 support: Community based
diff --git a/go.mod b/go.mod
index 5d10a7e8d..ba5d46246 100644
--- a/go.mod
+++ b/go.mod
@@ -24,7 +24,7 @@ require (
 gopkg.in/yaml.v3 v3.0.1
 helm.sh/helm/v3 v3.16.1
 istio.io/client-go v1.23.0-alpha.0.0.20241008225844-395a48e49cd4
- istio.io/istio v0.0.0-20241009082345-51903838fc21
+ istio.io/istio v0.0.0-20241010021245-216aec97fa5b
 k8s.io/api v0.31.1
 k8s.io/apiextensions-apiserver v0.31.1
 k8s.io/apimachinery v0.31.1
diff --git a/go.sum b/go.sum
index 667594e1c..6f876b6d7 100644
--- a/go.sum
+++ b/go.sum
@@ -493,8 +493,8 @@ istio.io/api v1.23.0-alpha.0.0.20241008225447-9e245289297e h1:XFDQ7gJIvtFtqnQSkA
 istio.io/api v1.23.0-alpha.0.0.20241008225447-9e245289297e/go.mod h1:MQnRok7RZ20/PE56v0LxmoWH0xVxnCQPNuf9O7PAN1I=
 istio.io/client-go v1.23.0-alpha.0.0.20241008225844-395a48e49cd4 h1:4CxCrMN+Q+S9GDSrlrigR63zYqQ+uc5nGmknHNhT+PU=
 istio.io/client-go v1.23.0-alpha.0.0.20241008225844-395a48e49cd4/go.mod h1:72IX50+zpXByj9hYLJ5b28v6h62v/UHcU+ZFVJBiwao=
-istio.io/istio v0.0.0-20241009082345-51903838fc21 h1:WeDrhaXfvt4Ufux7iLIXw/pXp36mF+Oh7dG/BEIRsfs=
-istio.io/istio v0.0.0-20241009082345-51903838fc21/go.mod h1:OjXgkrdrI5myoxr0eDxoWm+q5kFrcgLNlJLRvGd5ZIk=
+istio.io/istio v0.0.0-20241010021245-216aec97fa5b h1:YWjIRRS0X1pW9OsBapZ30V14PGwywTKty2QWoBuwhPQ=
+istio.io/istio v0.0.0-20241010021245-216aec97fa5b/go.mod h1:OjXgkrdrI5myoxr0eDxoWm+q5kFrcgLNlJLRvGd5ZIk=
 k8s.io/api v0.31.1 h1:Xe1hX/fPW3PXYYv8BlozYqw63ytA92snr96zMW9gWTU=
 k8s.io/api v0.31.1/go.mod h1:sbN1g6eY6XVLeqNsZGLnI5FwVseTrZX7Fv3O26rhAaI=
 k8s.io/apiextensions-apiserver v0.31.1 h1:L+hwULvXx+nvTYX/MKM3kKMZyei+UiSXQWciX/N6E40=
diff --git a/resources/latest/charts/base/Chart.yaml b/resources/latest/charts/base/Chart.yaml
index cb509e593..c589fe584 100644
--- a/resources/latest/charts/base/Chart.yaml
+++ b/resources/latest/charts/base/Chart.yaml
@@ -1,5 +1,5 @@
 apiVersion: v2
-appVersion: 1.24-alpha.51903838fc216411efd9ad147ed3cfe0c6e258e9
+appVersion: 1.24-alpha.216aec97fa5b90dce88e9f53307157bee2709be0
 description: Helm chart for deploying Istio cluster resources and CRDs
 icon: https://istio.io/latest/favicons/android-192x192.png
 keywords:
@@ -7,4 +7,4 @@ keywords:
 name: base
 sources:
 - https://github.com/istio/istio
-version: 1.24-alpha.51903838fc216411efd9ad147ed3cfe0c6e258e9
+version: 1.24-alpha.216aec97fa5b90dce88e9f53307157bee2709be0
diff --git a/resources/latest/charts/cni/Chart.yaml b/resources/latest/charts/cni/Chart.yaml
index 98118950f..5e593f4c0 100644
--- a/resources/latest/charts/cni/Chart.yaml
+++ b/resources/latest/charts/cni/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 1.24-alpha.51903838fc216411efd9ad147ed3cfe0c6e258e9 +appVersion: 1.24-alpha.216aec97fa5b90dce88e9f53307157bee2709be0 description: Helm chart for istio-cni components icon: https://istio.io/latest/favicons/android-192x192.png keywords: @@ -8,4 +8,4 @@ keywords: name: cni sources: - https://github.com/istio/istio -version: 1.24-alpha.51903838fc216411efd9ad147ed3cfe0c6e258e9 +version: 1.24-alpha.216aec97fa5b90dce88e9f53307157bee2709be0 diff --git a/resources/latest/charts/cni/values.yaml b/resources/latest/charts/cni/values.yaml index 979c9b9e5..ccb32b428 100644 --- a/resources/latest/charts/cni/values.yaml +++ b/resources/latest/charts/cni/values.yaml @@ -112,7 +112,7 @@ _internal_defaults_do_not_set: hub: gcr.io/istio-testing # Default tag for Istio images. - tag: 1.24-alpha.51903838fc216411efd9ad147ed3cfe0c6e258e9 + tag: 1.24-alpha.216aec97fa5b90dce88e9f53307157bee2709be0 # Variant of the image to use. # Currently supported are: [debug, distroless] diff --git a/resources/latest/charts/gateway/Chart.yaml b/resources/latest/charts/gateway/Chart.yaml index a0805dba7..3a4b25116 100644 --- a/resources/latest/charts/gateway/Chart.yaml +++ b/resources/latest/charts/gateway/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 1.24-alpha.51903838fc216411efd9ad147ed3cfe0c6e258e9 +appVersion: 1.24-alpha.216aec97fa5b90dce88e9f53307157bee2709be0 description: Helm chart for deploying Istio gateways icon: https://istio.io/latest/favicons/android-192x192.png keywords: @@ -9,4 +9,4 @@ name: gateway sources: - https://github.com/istio/istio type: application -version: 1.24-alpha.51903838fc216411efd9ad147ed3cfe0c6e258e9 +version: 1.24-alpha.216aec97fa5b90dce88e9f53307157bee2709be0 diff --git a/resources/latest/charts/istiod/Chart.yaml b/resources/latest/charts/istiod/Chart.yaml index 864a7c815..cf72ba0c7 100644 --- a/resources/latest/charts/istiod/Chart.yaml 
+++ b/resources/latest/charts/istiod/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 1.24-alpha.51903838fc216411efd9ad147ed3cfe0c6e258e9 +appVersion: 1.24-alpha.216aec97fa5b90dce88e9f53307157bee2709be0 description: Helm chart for istio control plane icon: https://istio.io/latest/favicons/android-192x192.png keywords: @@ -9,4 +9,4 @@ keywords: name: istiod sources: - https://github.com/istio/istio -version: 1.24-alpha.51903838fc216411efd9ad147ed3cfe0c6e258e9 +version: 1.24-alpha.216aec97fa5b90dce88e9f53307157bee2709be0 diff --git a/resources/latest/charts/istiod/values.yaml b/resources/latest/charts/istiod/values.yaml index 35182b455..68e09d307 100644 --- a/resources/latest/charts/istiod/values.yaml +++ b/resources/latest/charts/istiod/values.yaml @@ -242,7 +242,7 @@ _internal_defaults_do_not_set: # Dev builds from prow are on gcr.io hub: gcr.io/istio-testing # Default tag for Istio images. - tag: 1.24-alpha.51903838fc216411efd9ad147ed3cfe0c6e258e9 + tag: 1.24-alpha.216aec97fa5b90dce88e9f53307157bee2709be0 # Variant of the image to use. # Currently supported are: [debug, distroless] variant: "" diff --git a/resources/latest/charts/ztunnel/Chart.yaml b/resources/latest/charts/ztunnel/Chart.yaml index 65c98da26..105d16f0b 100644 --- a/resources/latest/charts/ztunnel/Chart.yaml +++ b/resources/latest/charts/ztunnel/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 1.24-alpha.51903838fc216411efd9ad147ed3cfe0c6e258e9 +appVersion: 1.24-alpha.216aec97fa5b90dce88e9f53307157bee2709be0 description: Helm chart for istio ztunnel components icon: https://istio.io/latest/favicons/android-192x192.png keywords: @@ -8,4 +8,4 @@ keywords: name: ztunnel sources: - https://github.com/istio/istio -version: 1.24-alpha.51903838fc216411efd9ad147ed3cfe0c6e258e9 +version: 1.24-alpha.216aec97fa5b90dce88e9f53307157bee2709be0 diff --git a/resources/latest/charts/ztunnel/values.yaml b/resources/latest/charts/ztunnel/values.yaml index b26dca371..e89105a6c 100644 
--- a/resources/latest/charts/ztunnel/values.yaml +++ b/resources/latest/charts/ztunnel/values.yaml @@ -4,7 +4,7 @@ _internal_defaults_do_not_set: # Hub to pull from. Image will be `Hub/Image:Tag-Variant` hub: gcr.io/istio-testing # Tag to pull from. Image will be `Hub/Image:Tag-Variant` - tag: 1.24-alpha.51903838fc216411efd9ad147ed3cfe0c6e258e9 + tag: 1.24-alpha.216aec97fa5b90dce88e9f53307157bee2709be0 # Variant to pull. Options are "debug" or "distroless". Unset will use the default for the given version. variant: "" diff --git a/versions.yaml b/versions.yaml index 28987ca1f..81ee49867 100644 --- a/versions.yaml +++ b/versions.yaml 
@@ -43,13 +43,13 @@ versions: - https://istio-release.storage.googleapis.com/charts/cni-1.21.6.tgz - https://istio-release.storage.googleapis.com/charts/ztunnel-1.21.6.tgz - name: latest - version: 1.24-alpha.51903838fc216411efd9ad147ed3cfe0c6e258e9 + version: 1.24-alpha.216aec97fa5b90dce88e9f53307157bee2709be0 repo: https://github.com/istio/istio branch: master - commit: 51903838fc216411efd9ad147ed3cfe0c6e258e9 + commit: 216aec97fa5b90dce88e9f53307157bee2709be0 charts: - - https://storage.googleapis.com/istio-build/dev/1.24-alpha.51903838fc216411efd9ad147ed3cfe0c6e258e9/helm/base-1.24-alpha.51903838fc216411efd9ad147ed3cfe0c6e258e9.tgz - - https://storage.googleapis.com/istio-build/dev/1.24-alpha.51903838fc216411efd9ad147ed3cfe0c6e258e9/helm/cni-1.24-alpha.51903838fc216411efd9ad147ed3cfe0c6e258e9.tgz - - https://storage.googleapis.com/istio-build/dev/1.24-alpha.51903838fc216411efd9ad147ed3cfe0c6e258e9/helm/gateway-1.24-alpha.51903838fc216411efd9ad147ed3cfe0c6e258e9.tgz - - https://storage.googleapis.com/istio-build/dev/1.24-alpha.51903838fc216411efd9ad147ed3cfe0c6e258e9/helm/istiod-1.24-alpha.51903838fc216411efd9ad147ed3cfe0c6e258e9.tgz - - https://storage.googleapis.com/istio-build/dev/1.24-alpha.51903838fc216411efd9ad147ed3cfe0c6e258e9/helm/ztunnel-1.24-alpha.51903838fc216411efd9ad147ed3cfe0c6e258e9.tgz + - https://storage.googleapis.com/istio-build/dev/1.24-alpha.216aec97fa5b90dce88e9f53307157bee2709be0/helm/base-1.24-alpha.216aec97fa5b90dce88e9f53307157bee2709be0.tgz + - https://storage.googleapis.com/istio-build/dev/1.24-alpha.216aec97fa5b90dce88e9f53307157bee2709be0/helm/cni-1.24-alpha.216aec97fa5b90dce88e9f53307157bee2709be0.tgz + - https://storage.googleapis.com/istio-build/dev/1.24-alpha.216aec97fa5b90dce88e9f53307157bee2709be0/helm/gateway-1.24-alpha.216aec97fa5b90dce88e9f53307157bee2709be0.tgz + - 
https://storage.googleapis.com/istio-build/dev/1.24-alpha.216aec97fa5b90dce88e9f53307157bee2709be0/helm/istiod-1.24-alpha.216aec97fa5b90dce88e9f53307157bee2709be0.tgz + - https://storage.googleapis.com/istio-build/dev/1.24-alpha.216aec97fa5b90dce88e9f53307157bee2709be0/helm/ztunnel-1.24-alpha.216aec97fa5b90dce88e9f53307157bee2709be0.tgz From b263e62b6b7c808d047f9914808926c250aaa634 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marko=20Luk=C5=A1a?= Date: Thu, 10 Oct 2024 14:28:46 +0200 Subject: [PATCH 51/68] Optimize multicluster e2e tests (#403) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Install operators on both clusters concurrently - Perform namespace deletions in parallel Signed-off-by: Marko Lukša --- .../multicluster_multiprimary_test.go | 38 ++++++++--------- .../multicluster_primaryremote_test.go | 42 +++++++++---------- tests/e2e/util/kubectl/kubectl.go | 27 ++++++++++-- 3 files changed, 60 insertions(+), 47 deletions(-) diff --git a/tests/e2e/multicluster/multicluster_multiprimary_test.go b/tests/e2e/multicluster/multicluster_multiprimary_test.go index 71cf1c7b8..b59d60741 100644 --- a/tests/e2e/multicluster/multicluster_multiprimary_test.go +++ b/tests/e2e/multicluster/multicluster_multiprimary_test.go 
@@ -53,14 +53,14 @@ var _ = Describe("Multicluster deployment models", Ordered, func() { Expect(helm.Install("sail-operator", filepath.Join(project.RootDir, "chart"), "--namespace "+namespace, "--set=image="+image, "--kubeconfig "+kubeconfig)). To(Succeed(), "Operator failed to be deployed in Cluster #1") + Expect(helm.Install("sail-operator", filepath.Join(project.RootDir, "chart"), "--namespace "+namespace, "--set=image="+image, "--kubeconfig "+kubeconfig2)). + To(Succeed(), "Operator failed to be deployed in Cluster #2") + Eventually(common.GetObject). WithArguments(ctx, clPrimary, kube.Key(deploymentName, namespace), &appsv1.Deployment{}). Should(HaveCondition(appsv1.DeploymentAvailable, metav1.ConditionTrue), "Error getting Istio CRD") Success("Operator is deployed in the Cluster #1 namespace and Running") - Expect(helm.Install("sail-operator", filepath.Join(project.RootDir, "chart"), "--namespace "+namespace, "--set=image="+image, "--kubeconfig "+kubeconfig2)). - To(Succeed(), "Operator failed to be deployed in Cluster #2") - Eventually(common.GetObject). WithArguments(ctx, clRemote, kube.Key(deploymentName, namespace), &appsv1.Deployment{}). Should(HaveCondition(appsv1.DeploymentAvailable, metav1.ConditionTrue), "Error getting Istio CRD") 
@@ -254,20 +254,18 @@ spec: }) AfterAll(func(ctx SpecContext) { - // Delete namespace to ensure clean up for new tests iteration - Expect(k1.DeleteNamespace(controlPlaneNamespace)).To(Succeed(), "Namespace failed to be deleted on Cluster #1") - Expect(k2.DeleteNamespace(controlPlaneNamespace)).To(Succeed(), "Namespace failed to be deleted on Cluster #2") - - common.CheckNamespaceEmpty(ctx, clPrimary, controlPlaneNamespace) - common.CheckNamespaceEmpty(ctx, clRemote, controlPlaneNamespace) + // Delete namespaces to ensure clean up for new tests iteration + Expect(k1.DeleteNamespaceNoWait(controlPlaneNamespace)).To(Succeed(), "Namespace failed to be deleted on Cluster #1") + Expect(k2.DeleteNamespaceNoWait(controlPlaneNamespace)).To(Succeed(), "Namespace failed to be deleted on Cluster #2") + Expect(k1.DeleteNamespaceNoWait("sample")).To(Succeed(), "Namespace failed to be deleted on Cluster #1") + Expect(k2.DeleteNamespaceNoWait("sample")).To(Succeed(), "Namespace failed to be deleted on Cluster #2") + + Expect(k1.WaitNamespaceDeleted(controlPlaneNamespace)).To(Succeed()) + Expect(k2.WaitNamespaceDeleted(controlPlaneNamespace)).To(Succeed()) Success("ControlPlane Namespaces are empty") - // Delete the entire sample namespace in both clusters - Expect(k1.DeleteNamespace("sample")).To(Succeed(), "Namespace failed to be deleted on Cluster #1") - Expect(k2.DeleteNamespace("sample")).To(Succeed(), "Namespace failed to be deleted on Cluster #2") - - common.CheckNamespaceEmpty(ctx, clPrimary, "sample") - common.CheckNamespaceEmpty(ctx, clRemote, "sample") + Expect(k1.WaitNamespaceDeleted("sample")).To(Succeed()) + Expect(k2.WaitNamespaceDeleted("sample")).To(Succeed()) Success("Sample app is deleted in both clusters") }) }) 
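Review bot: The four `WaitNamespaceDeleted` assertions added here (`Expect(k1.WaitNamespaceDeleted(controlPlaneNamespace)).To(Succeed())` and the three that follow) carry no failure description, while the `DeleteNamespaceNoWait` assertions beside them say which cluster failed; when the wait times out the report will show only the raw kubectl error, so give each one a description such as `.To(Succeed(), "Namespace was not removed on Cluster #1")`. The unchanged `Success("ControlPlane Namespaces are empty")` is now misleading, because the code no longer checks emptiness but waits for deletion; the primaryremote variant in the hunk at `@@ -296,20 +296,18 @@` already changes it to `ControlPlane Namespaces were deleted`, and the two files should agree. The same missing descriptions apply to the hunks at `@@ -276,12 +274,10 @@`, `@@ -296,20 +296,18 @@` and `@@ -318,11 +316,9 @@`. With the `CheckNamespaceEmpty` calls gone, `ctx` is no longer used inside these `AfterAll` closures, which compiles but is worth a glance.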
@@ -276,12 +274,10 @@ spec: AfterAll(func(ctx SpecContext) { // Delete the Sail Operator from both clusters - Expect(k1.DeleteNamespace(namespace)).To(Succeed(), "Namespace failed to be deleted on Cluster #1") - Expect(k2.DeleteNamespace(namespace)).To(Succeed(), "Namespace failed to be deleted on Cluster #2") - - // Delete the intermediate CA from both clusters - common.CheckNamespaceEmpty(ctx, clPrimary, namespace) - common.CheckNamespaceEmpty(ctx, clRemote, namespace) + Expect(k1.DeleteNamespaceNoWait(namespace)).To(Succeed(), "Namespace failed to be deleted on Cluster #1") + Expect(k2.DeleteNamespaceNoWait(namespace)).To(Succeed(), "Namespace failed to be deleted on Cluster #2") + Expect(k1.WaitNamespaceDeleted(namespace)).To(Succeed()) + Expect(k2.WaitNamespaceDeleted(namespace)).To(Succeed()) }) }) diff --git a/tests/e2e/multicluster/multicluster_primaryremote_test.go b/tests/e2e/multicluster/multicluster_primaryremote_test.go index aaf002523..d2bf79a89 100644 --- a/tests/e2e/multicluster/multicluster_primaryremote_test.go +++ b/tests/e2e/multicluster/multicluster_primaryremote_test.go 
@@ -53,14 +53,14 @@ var _ = Describe("Multicluster deployment models", Ordered, func() { Expect(helm.Install("sail-operator", filepath.Join(project.RootDir, "chart"), "--namespace "+namespace, "--set=image="+image, "--kubeconfig "+kubeconfig)). To(Succeed(), "Operator failed to be deployed in Primary Cluster") + Expect(helm.Install("sail-operator", filepath.Join(project.RootDir, "chart"), "--namespace "+namespace, "--set=image="+image, "--kubeconfig "+kubeconfig2)). + To(Succeed(), "Operator failed to be deployed in Remote Cluster") + Eventually(common.GetObject). WithArguments(ctx, clPrimary, kube.Key(deploymentName, namespace), &appsv1.Deployment{}). Should(HaveCondition(appsv1.DeploymentAvailable, metav1.ConditionTrue), "Error getting Istio CRD") Success("Operator is deployed in the Primary namespace and Running") - Expect(helm.Install("sail-operator", filepath.Join(project.RootDir, "chart"), "--namespace "+namespace, "--set=image="+image, "--kubeconfig "+kubeconfig2)). - To(Succeed(), "Operator failed to be deployed in Remote Cluster") - Eventually(common.GetObject). WithArguments(ctx, clRemote, kube.Key(deploymentName, namespace), &appsv1.Deployment{}). Should(HaveCondition(appsv1.DeploymentAvailable, metav1.ConditionTrue), "Error getting Istio CRD") 
@@ -296,20 +296,18 @@ spec: }) AfterAll(func(ctx SpecContext) { - // Delete namespace to ensure clean up for new tests iteration - Expect(k1.DeleteNamespace(controlPlaneNamespace)).To(Succeed(), "Namespace failed to be deleted on Primary Cluster") - Expect(k2.DeleteNamespace(controlPlaneNamespace)).To(Succeed(), "Namespace failed to be deleted on Remote Cluster") - - common.CheckNamespaceEmpty(ctx, clPrimary, controlPlaneNamespace) - common.CheckNamespaceEmpty(ctx, clRemote, controlPlaneNamespace) - Success("ControlPlane Namespaces are empty") - - // Delete the entire sample namespace in both clusters - Expect(k1.DeleteNamespace("sample")).To(Succeed(), "Namespace failed to be deleted on Primary Cluster") - Expect(k2.DeleteNamespace("sample")).To(Succeed(), "Namespace failed to be deleted on Remote Cluster") - - common.CheckNamespaceEmpty(ctx, clPrimary, "sample") - common.CheckNamespaceEmpty(ctx, clRemote, "sample") + // Delete namespaces to ensure clean up for new tests iteration + Expect(k1.DeleteNamespaceNoWait(controlPlaneNamespace)).To(Succeed(), "Namespace failed to be deleted on Primary Cluster") + Expect(k2.DeleteNamespaceNoWait(controlPlaneNamespace)).To(Succeed(), "Namespace failed to be deleted on Remote Cluster") + Expect(k1.DeleteNamespaceNoWait("sample")).To(Succeed(), "Namespace failed to be deleted on Primary Cluster") + Expect(k2.DeleteNamespaceNoWait("sample")).To(Succeed(), "Namespace failed to be deleted on Remote Cluster") + + Expect(k1.WaitNamespaceDeleted(controlPlaneNamespace)).To(Succeed()) + Expect(k2.WaitNamespaceDeleted(controlPlaneNamespace)).To(Succeed()) + Success("ControlPlane Namespaces were deleted") + + Expect(k1.WaitNamespaceDeleted("sample")).To(Succeed()) + Expect(k2.WaitNamespaceDeleted("sample")).To(Succeed()) Success("Sample app is deleted in both clusters") }) }) 
@@ -318,11 +316,9 @@ spec:
 AfterAll(func(ctx SpecContext) {
 // Delete the Sail Operator from both clusters
- Expect(k1.DeleteNamespace(namespace)).To(Succeed(), "Namespace failed to be deleted on Primary Cluster")
- Expect(k2.DeleteNamespace(namespace)).To(Succeed(), "Namespace failed to be deleted on Remote Cluster")
-
- // Check that the namespace is empty
- common.CheckNamespaceEmpty(ctx, clPrimary, namespace)
- common.CheckNamespaceEmpty(ctx, clRemote, namespace)
+ Expect(k1.DeleteNamespaceNoWait(namespace)).To(Succeed(), "Namespace failed to be deleted on Primary Cluster")
+ Expect(k2.DeleteNamespaceNoWait(namespace)).To(Succeed(), "Namespace failed to be deleted on Remote Cluster")
+ Expect(k1.WaitNamespaceDeleted(namespace)).To(Succeed())
+ Expect(k2.WaitNamespaceDeleted(namespace)).To(Succeed())
 })
 })
diff --git a/tests/e2e/util/kubectl/kubectl.go b/tests/e2e/util/kubectl/kubectl.go
index f1b69576f..28e5b0adf 100644
--- a/tests/e2e/util/kubectl/kubectl.go
+++ b/tests/e2e/util/kubectl/kubectl.go
@@ -17,6 +17,7 @@ package kubectl
 import (
 "fmt"
 "os"
+ "strconv"
 "strings"
 "time"
@@ -122,14 +123,22 @@ func (k Kubectl) DeleteCRDs(crds []string) error {
 return nil
 }
-// DeleteNamespace deletes a namespace
+// DeleteNamespaceNoWait deletes a namespace and returns immediately (without waiting for the namespace to be removed).
+func (k Kubectl) DeleteNamespaceNoWait(ns string) error {
+ return k.deleteNamespace(ns, false)
+}
+
+// DeleteNamespace deletes a namespace and waits for it to be removed completely.
 func (k Kubectl) DeleteNamespace(ns string) error {
- cmd := k.build(" delete namespace " + ns)
+ return k.deleteNamespace(ns, true)
+}
+
+func (k Kubectl) deleteNamespace(ns string, wait bool) error {
+ cmd := k.build(" delete namespace " + ns + " --wait=" + strconv.FormatBool(wait))
 _, err := k.executeCommand(cmd)
 if err != nil {
 return fmt.Errorf("error deleting namespace: %w", err)
 }
-
 return nil
 }
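Review bot: `deleteNamespace` splices `ns` straight into the command string (`" delete namespace " + ns + " --wait=" + ...`) that `executeCommand` appears to hand to a shell via `shell.ExecuteCommand`, so a namespace name containing whitespace or shell metacharacters would be split or interpreted rather than rejected; the callers in this commit pass constants, but a helper this general should validate the name before building the command, e.g. reject anything that is not a lowercase RFC 1123 label (`[a-z0-9-]`). The wrapped error `"error deleting namespace: %w"` also drops the namespace name; `return fmt.Errorf("error deleting namespace %q: %w", ns, err)` tells the reader which delete failed when several run back to back. `DeleteCRDs`, whose tail opens the second hunk, starts outside it.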
@@ -183,6 +192,13 @@ func (k Kubectl) Delete(kind, name string) error {
 return nil
 }
+// Wait waits for a specific condition on one or many resources
+func (k Kubectl) Wait(waitFor, resource string, timeout time.Duration) error {
+ cmd := k.build(fmt.Sprintf("wait --for %s %s --timeout %s", waitFor, resource, timeout.String()))
+ _, err := k.executeCommand(cmd)
+ return err
+}
+
 // Patch patches a resource
 func (k Kubectl) Patch(kind, name, patchType, patch string) error {
 cmd := k.build(fmt.Sprintf(" patch %s %s --type=%s -p=%q", kind, name, patchType, patch))
@@ -281,6 +297,11 @@ func (k Kubectl) executeCommand(cmd string) (string, error) {
 return shell.ExecuteCommand(cmd)
 }
+// WaitNamespaceDeleted waits for a namespace to be deleted
+func (k Kubectl) WaitNamespaceDeleted(ns string) error {
+ return k.Wait("delete", "namespace/"+ns, 2*time.Minute)
+}
+
 func sinceFlag(since *time.Duration) string {
 if since == nil {
 return ""
From cfc54d216d543907f2ad036c60a059ccfac9a55b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marko=20Luk=C5=A1a?=
Date: Thu, 10 Oct 2024 16:42:46 +0200
Subject: [PATCH 52/68] Faster cleanup in dualstack_test.go (#404)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Marko Lukša
---
 tests/e2e/dualstack/dualstack_test.go | 6 ++----
 tests/e2e/util/kubectl/kubectl.go | 12 ++++++------
 2 files changed, 8 insertions(+), 10 deletions(-)
diff --git a/tests/e2e/dualstack/dualstack_test.go b/tests/e2e/dualstack/dualstack_test.go
index b4108509b..e213c3d5e 100644
--- a/tests/e2e/dualstack/dualstack_test.go
+++ b/tests/e2e/dualstack/dualstack_test.go
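Review bot: `Wait` builds its command as `"wait --for %s %s --timeout %s"` without the leading space that every other `build` call visible in this file uses (`" patch %s ..."`, `" delete namespace "`); whether `build` inserts its own separator is not visible here, so either that space is redundant everywhere or `Wait` will glue `wait` onto the preceding token — make it consistent with `" wait --for=%s %s --timeout=%s"`. `Wait` also returns the raw error where its sibling methods wrap theirs with context; `return fmt.Errorf("error waiting for %s on %s: %w", waitFor, resource, err)` keeps the style uniform and preserves the cause for `errors.Is`. `WaitNamespaceDeleted` hard-codes `2*time.Minute`, which callers cannot tune and which is not obviously enough for namespaces held by finalizers; a named `const namespaceDeletionTimeout = 2 * time.Minute` next to the method, or a timeout parameter, would document the choice and make it adjustable.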
@@ -244,10 +244,8 @@ spec:
 AfterAll(func(ctx SpecContext) {
 By("Deleting the pods")
- Expect(k.DeleteNamespace(DualStackNamespace)).To(Succeed(), fmt.Sprintf("Failed to delete the %q namespace", DualStackNamespace))
- Expect(k.DeleteNamespace(IPv4Namespace)).To(Succeed(), fmt.Sprintf("Failed to delete the %q namespace", IPv4Namespace))
- Expect(k.DeleteNamespace(IPv6Namespace)).To(Succeed(), fmt.Sprintf("Failed to delete the %q namespace", IPv6Namespace))
- Expect(k.DeleteNamespace(SleepNamespace)).To(Succeed(), fmt.Sprintf("Failed to delete the %q namespace", SleepNamespace))
+ Expect(k.DeleteNamespace(DualStackNamespace, IPv4Namespace, IPv6Namespace, SleepNamespace)).
+ To(Succeed(), "Failed to delete namespaces")
 Success("DualStack validation pods deleted")
 })
 })
diff --git a/tests/e2e/util/kubectl/kubectl.go b/tests/e2e/util/kubectl/kubectl.go
index 28e5b0adf..5c92fbee0 100644
--- a/tests/e2e/util/kubectl/kubectl.go
+++ b/tests/e2e/util/kubectl/kubectl.go
@@ -124,17 +124,17 @@ func (k Kubectl) DeleteCRDs(crds []string) error {
 }
 // DeleteNamespaceNoWait deletes a namespace and returns immediately (without waiting for the namespace to be removed).
-func (k Kubectl) DeleteNamespaceNoWait(ns string) error {
- return k.deleteNamespace(ns, false)
+func (k Kubectl) DeleteNamespaceNoWait(namespaces ...string) error {
+ return k.deleteNamespace(namespaces, false)
 }
 // DeleteNamespace deletes a namespace and waits for it to be removed completely.
-func (k Kubectl) DeleteNamespace(ns string) error {
- return k.deleteNamespace(ns, true)
+func (k Kubectl) DeleteNamespace(namespaces ...string) error {
+ return k.deleteNamespace(namespaces, true)
 }
-func (k Kubectl) deleteNamespace(ns string, wait bool) error {
- cmd := k.build(" delete namespace " + ns + " --wait=" + strconv.FormatBool(wait))
+func (k Kubectl) deleteNamespace(namespaces []string, wait bool) error {
+ cmd := k.build(" delete namespace " + strings.Join(namespaces, " ") + " --wait=" + strconv.FormatBool(wait))
 _, err := k.executeCommand(cmd)
 if err != nil {
 return fmt.Errorf("error deleting namespace: %w", err)
From ae7afa343dd16ce3956d193afa6fea2c5bc6004c Mon Sep 17 00:00:00 2001
From: openshift-service-mesh-bot <165402251+openshift-service-mesh-bot@users.noreply.github.com>
Date: Fri, 11 Oct 2024 07:33:57 +0200
Subject: [PATCH 53/68] Automator: Update dependencies in istio-ecosystem/sail-operator@main (#408)
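Review bot: With `namespaces ...string`, a call with no arguments now compiles and produces `kubectl delete namespace --wait=true`, which kubectl refuses at runtime with a usage error instead of the compile-time error the old single-`string` signature gave; guard the empty case at the top of `deleteNamespace` with `if len(namespaces) == 0 { return nil }` (or an explicit error, whichever the callers expect) before the command is built. The unchanged doc comments still read "deletes a namespace"; update them to `// DeleteNamespace deletes the given namespaces and waits for them to be removed completely.` and the `NoWait` counterpart accordingly. The error on the hunk's last line should likewise name what failed now that several names share one command, e.g. `return fmt.Errorf("error deleting namespaces %q: %w", namespaces, err)`. The tail of `deleteNamespace` lies outside the hunk.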
Signed-off-by: openshift-service-mesh-bot --- .devcontainer/devcontainer.json | 2 +- .github/workflows/update-deps.yaml | 2 +- Makefile.core.mk | 2 +- api/v1alpha1/values_types.gen.go | 3 ++- .../sailoperator.clusterserviceversion.yaml | 20 +++++++++---------- .../manifests/sailoperator.io_istiocnis.yaml | 2 +- .../sailoperator.io_istiorevisions.yaml | 17 ++++++++++------ bundle/manifests/sailoperator.io_istios.yaml | 17 ++++++++++------ .../sailoperator.io_remoteistios.yaml | 17 ++++++++++------ chart/crds/sailoperator.io_istiocnis.yaml | 2 +- .../crds/sailoperator.io_istiorevisions.yaml | 17 ++++++++++------ chart/crds/sailoperator.io_istios.yaml | 17 ++++++++++------ chart/crds/sailoperator.io_remoteistios.yaml | 17 ++++++++++------ chart/values.yaml | 2 +- common/.commonfiles.sha | 2 +- common/scripts/setup_env.sh | 2 +- go.mod | 6 +++--- go.sum | 12 +++++------ resources/latest/charts/base/Chart.yaml | 4 ++-- resources/latest/charts/cni/Chart.yaml | 4 ++-- resources/latest/charts/cni/values.yaml | 2 +- resources/latest/charts/gateway/Chart.yaml | 4 ++-- resources/latest/charts/istiod/Chart.yaml | 4 ++-- resources/latest/charts/istiod/values.yaml | 2 +- resources/latest/charts/ztunnel/Chart.yaml | 4 ++-- resources/latest/charts/ztunnel/values.yaml | 2 +- versions.yaml | 14 ++++++------- 27 files changed, 115 insertions(+), 84 deletions(-) diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json index 08329e1ab..c7d55891b 100644 --- a/.devcontainer/devcontainer.json +++ b/.devcontainer/devcontainer.json @@ -1,6 +1,6 @@ { "name": "istio build-tools", - "image": "gcr.io/istio-testing/build-tools:master-8eb42e9551b9a67c330aeef783f2498647d91289", + "image": "gcr.io/istio-testing/build-tools:master-621a64a11b30f703b2e887df91862fffdd16112e", "privileged": true, "remoteEnv": { "USE_GKE_GCLOUD_AUTH_PLUGIN": "True", diff --git a/.github/workflows/update-deps.yaml b/.github/workflows/update-deps.yaml index b66c6ed7c..8e7bf307a 100644 
--- a/.github/workflows/update-deps.yaml +++ b/.github/workflows/update-deps.yaml @@ -23,7 +23,7 @@ jobs: update-deps: runs-on: ubuntu-latest container: - image: gcr.io/istio-testing/build-tools:master-8eb42e9551b9a67c330aeef783f2498647d91289 + image: gcr.io/istio-testing/build-tools:master-621a64a11b30f703b2e887df91862fffdd16112e options: --entrypoint '' steps: diff --git a/Makefile.core.mk b/Makefile.core.mk index b879ae1f3..eb6c82bd6 100644 --- a/Makefile.core.mk +++ b/Makefile.core.mk @@ -466,7 +466,7 @@ ISTIOCTL ?= $(LOCALBIN)/istioctl ## Tool Versions OPERATOR_SDK_VERSION ?= v1.37.0 HELM_VERSION ?= v3.16.2 -CONTROLLER_TOOLS_VERSION ?= v0.16.3 +CONTROLLER_TOOLS_VERSION ?= v0.16.4 OPM_VERSION ?= v1.47.0 GITLEAKS_VERSION ?= v8.20.1 ISTIOCTL_VERSION ?= 1.23.0 diff --git a/api/v1alpha1/values_types.gen.go b/api/v1alpha1/values_types.gen.go index 1f156da29..8911f556a 100644 --- a/api/v1alpha1/values_types.gen.go +++ b/api/v1alpha1/values_types.gen.go @@ -3505,7 +3505,8 @@ type ClientTLSSettings struct { // to use in verifying a presented server certificate. `CRL` is a list of certificates // that have been revoked by the CA (Certificate Authority) before their scheduled expiration date. // If specified, the proxy will verify if the presented certificate is part of the revoked list of certificates. - // If omitted, the proxy will not verify the certificate against the `crl`. + // If omitted, the proxy will not verify the certificate against the `crl`. Note that if `credentialName` is set, + // `CRL` cannot be specified using `caCrl`, rather it has to be specified inside the credential. CaCrl string `json:"caCrl,omitempty"` } diff --git a/bundle/manifests/sailoperator.clusterserviceversion.yaml b/bundle/manifests/sailoperator.clusterserviceversion.yaml index 00156a472..65d2af2d5 100644 --- a/bundle/manifests/sailoperator.clusterserviceversion.yaml +++ b/bundle/manifests/sailoperator.clusterserviceversion.yaml 
@@ -34,7 +34,7 @@ metadata: capabilities: Seamless Upgrades categories: OpenShift Optional, Integration & Delivery, Networking, Security containerImage: quay.io/maistra-dev/sail-operator:0.2-latest - createdAt: "2024-10-10T05:19:48Z" + createdAt: "2024-10-11T05:19:26Z" description: Experimental operator for installing Istio service mesh features.operators.openshift.io/cnf: "false" features.operators.openshift.io/cni: "true" @@ -374,7 +374,7 @@ spec: - v1.23.2 - v1.22.5 - v1.21.6 - - latest (216aec97) + - latest (67753026) [See this page](https://github.com/istio-ecosystem/sail-operator/blob/main/bundle/README.md) for instructions on how to use it. displayName: Sail Operator @@ -598,10 +598,10 @@ spec: template: metadata: annotations: - images.latest.cni: gcr.io/istio-testing/install-cni:1.24-alpha.216aec97fa5b90dce88e9f53307157bee2709be0 - images.latest.istiod: gcr.io/istio-testing/pilot:1.24-alpha.216aec97fa5b90dce88e9f53307157bee2709be0 - images.latest.proxy: gcr.io/istio-testing/proxyv2:1.24-alpha.216aec97fa5b90dce88e9f53307157bee2709be0 - images.latest.ztunnel: gcr.io/istio-testing/ztunnel:1.24-alpha.216aec97fa5b90dce88e9f53307157bee2709be0 + images.latest.cni: gcr.io/istio-testing/install-cni:1.24-alpha.6775302647bcdb6c742b5c505945ee7a8911d811 + images.latest.istiod: gcr.io/istio-testing/pilot:1.24-alpha.6775302647bcdb6c742b5c505945ee7a8911d811 + images.latest.proxy: gcr.io/istio-testing/proxyv2:1.24-alpha.6775302647bcdb6c742b5c505945ee7a8911d811 + images.latest.ztunnel: gcr.io/istio-testing/ztunnel:1.24-alpha.6775302647bcdb6c742b5c505945ee7a8911d811 images.v1_21_6.cni: docker.io/istio/install-cni:1.21.6 images.v1_21_6.istiod: docker.io/istio/pilot:1.21.6 images.v1_21_6.proxy: docker.io/istio/proxyv2:1.21.6 
@@ -766,13 +766,13 @@ spec: provider: name: Red Hat, Inc. relatedImages: - - image: gcr.io/istio-testing/install-cni:1.24-alpha.216aec97fa5b90dce88e9f53307157bee2709be0 + - image: gcr.io/istio-testing/install-cni:1.24-alpha.6775302647bcdb6c742b5c505945ee7a8911d811 name: latest.cni - - image: gcr.io/istio-testing/pilot:1.24-alpha.216aec97fa5b90dce88e9f53307157bee2709be0 + - image: gcr.io/istio-testing/pilot:1.24-alpha.6775302647bcdb6c742b5c505945ee7a8911d811 name: latest.istiod - - image: gcr.io/istio-testing/proxyv2:1.24-alpha.216aec97fa5b90dce88e9f53307157bee2709be0 + - image: gcr.io/istio-testing/proxyv2:1.24-alpha.6775302647bcdb6c742b5c505945ee7a8911d811 name: latest.proxy - - image: gcr.io/istio-testing/ztunnel:1.24-alpha.216aec97fa5b90dce88e9f53307157bee2709be0 + - image: gcr.io/istio-testing/ztunnel:1.24-alpha.6775302647bcdb6c742b5c505945ee7a8911d811 name: latest.ztunnel - image: docker.io/istio/install-cni:1.21.6 name: v1_21_6.cni diff --git a/bundle/manifests/sailoperator.io_istiocnis.yaml b/bundle/manifests/sailoperator.io_istiocnis.yaml index e3d386e7e..6ad4e92b2 100644 --- a/bundle/manifests/sailoperator.io_istiocnis.yaml +++ b/bundle/manifests/sailoperator.io_istiocnis.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.3 + controller-gen.kubebuilder.io/version: v0.16.4 creationTimestamp: null name: istiocnis.sailoperator.io spec: diff --git a/bundle/manifests/sailoperator.io_istiorevisions.yaml b/bundle/manifests/sailoperator.io_istiorevisions.yaml index 5370d3268..0ef057f39 100644 --- a/bundle/manifests/sailoperator.io_istiorevisions.yaml +++ b/bundle/manifests/sailoperator.io_istiorevisions.yaml 
@@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.3 + controller-gen.kubebuilder.io/version: v0.16.4 creationTimestamp: null name: istiorevisions.sailoperator.io spec: @@ -2588,7 +2588,8 @@ spec: to use in verifying a presented server certificate. `CRL` is a list of certificates that have been revoked by the CA (Certificate Authority) before their scheduled expiration date. If specified, the proxy will verify if the presented certificate is part of the revoked list of certificates. - If omitted, the proxy will not verify the certificate against the `crl`. + If omitted, the proxy will not verify the certificate against the `crl`. Note that if `credentialName` is set, + `CRL` cannot be specified using `caCrl`, rather it has to be specified inside the credential. type: string clientCertificate: description: |- @@ -2788,7 +2789,8 @@ spec: to use in verifying a presented server certificate. `CRL` is a list of certificates that have been revoked by the CA (Certificate Authority) before their scheduled expiration date. If specified, the proxy will verify if the presented certificate is part of the revoked list of certificates. - If omitted, the proxy will not verify the certificate against the `crl`. + If omitted, the proxy will not verify the certificate against the `crl`. Note that if `credentialName` is set, + `CRL` cannot be specified using `caCrl`, rather it has to be specified inside the credential. type: string clientCertificate: description: |- 
@@ -2986,7 +2988,8 @@ spec: to use in verifying a presented server certificate. `CRL` is a list of certificates that have been revoked by the CA (Certificate Authority) before their scheduled expiration date. If specified, the proxy will verify if the presented certificate is part of the revoked list of certificates. - If omitted, the proxy will not verify the certificate against the `crl`. + If omitted, the proxy will not verify the certificate against the `crl`. Note that if `credentialName` is set, + `CRL` cannot be specified using `caCrl`, rather it has to be specified inside the credential. type: string clientCertificate: description: |- @@ -3114,7 +3117,8 @@ spec: to use in verifying a presented server certificate. `CRL` is a list of certificates that have been revoked by the CA (Certificate Authority) before their scheduled expiration date. If specified, the proxy will verify if the presented certificate is part of the revoked list of certificates. - If omitted, the proxy will not verify the certificate against the `crl`. + If omitted, the proxy will not verify the certificate against the `crl`. Note that if `credentialName` is set, + `CRL` cannot be specified using `caCrl`, rather it has to be specified inside the credential. type: string clientCertificate: description: |- @@ -3886,7 +3890,8 @@ spec: to use in verifying a presented server certificate. `CRL` is a list of certificates that have been revoked by the CA (Certificate Authority) before their scheduled expiration date. If specified, the proxy will verify if the presented certificate is part of the revoked list of certificates. - If omitted, the proxy will not verify the certificate against the `crl`. + If omitted, the proxy will not verify the certificate against the `crl`. Note that if `credentialName` is set, + `CRL` cannot be specified using `caCrl`, rather it has to be specified inside the credential. type: string clientCertificate: description: |- 
diff --git a/bundle/manifests/sailoperator.io_istios.yaml b/bundle/manifests/sailoperator.io_istios.yaml index 8e16af7dd..17edac4d8 100644 --- a/bundle/manifests/sailoperator.io_istios.yaml +++ b/bundle/manifests/sailoperator.io_istios.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.3 + controller-gen.kubebuilder.io/version: v0.16.4 creationTimestamp: null name: istios.sailoperator.io spec: @@ -2647,7 +2647,8 @@ spec: to use in verifying a presented server certificate. `CRL` is a list of certificates that have been revoked by the CA (Certificate Authority) before their scheduled expiration date. If specified, the proxy will verify if the presented certificate is part of the revoked list of certificates. - If omitted, the proxy will not verify the certificate against the `crl`. + If omitted, the proxy will not verify the certificate against the `crl`. Note that if `credentialName` is set, + `CRL` cannot be specified using `caCrl`, rather it has to be specified inside the credential. type: string clientCertificate: description: |- @@ -2847,7 +2848,8 @@ spec: to use in verifying a presented server certificate. `CRL` is a list of certificates that have been revoked by the CA (Certificate Authority) before their scheduled expiration date. If specified, the proxy will verify if the presented certificate is part of the revoked list of certificates. - If omitted, the proxy will not verify the certificate against the `crl`. + If omitted, the proxy will not verify the certificate against the `crl`. Note that if `credentialName` is set, + `CRL` cannot be specified using `caCrl`, rather it has to be specified inside the credential. type: string clientCertificate: description: |- 
@@ -3045,7 +3047,8 @@ spec: to use in verifying a presented server certificate. `CRL` is a list of certificates that have been revoked by the CA (Certificate Authority) before their scheduled expiration date. If specified, the proxy will verify if the presented certificate is part of the revoked list of certificates. - If omitted, the proxy will not verify the certificate against the `crl`. + If omitted, the proxy will not verify the certificate against the `crl`. Note that if `credentialName` is set, + `CRL` cannot be specified using `caCrl`, rather it has to be specified inside the credential. type: string clientCertificate: description: |- @@ -3173,7 +3176,8 @@ spec: to use in verifying a presented server certificate. `CRL` is a list of certificates that have been revoked by the CA (Certificate Authority) before their scheduled expiration date. If specified, the proxy will verify if the presented certificate is part of the revoked list of certificates. - If omitted, the proxy will not verify the certificate against the `crl`. + If omitted, the proxy will not verify the certificate against the `crl`. Note that if `credentialName` is set, + `CRL` cannot be specified using `caCrl`, rather it has to be specified inside the credential. type: string clientCertificate: description: |- @@ -3945,7 +3949,8 @@ spec: to use in verifying a presented server certificate. `CRL` is a list of certificates that have been revoked by the CA (Certificate Authority) before their scheduled expiration date. If specified, the proxy will verify if the presented certificate is part of the revoked list of certificates. - If omitted, the proxy will not verify the certificate against the `crl`. + If omitted, the proxy will not verify the certificate against the `crl`. Note that if `credentialName` is set, + `CRL` cannot be specified using `caCrl`, rather it has to be specified inside the credential. type: string clientCertificate: description: |- 
diff --git a/bundle/manifests/sailoperator.io_remoteistios.yaml b/bundle/manifests/sailoperator.io_remoteistios.yaml index 7954b577c..3cf7d688a 100644 --- a/bundle/manifests/sailoperator.io_remoteistios.yaml +++ b/bundle/manifests/sailoperator.io_remoteistios.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.3 + controller-gen.kubebuilder.io/version: v0.16.4 creationTimestamp: null name: remoteistios.sailoperator.io spec: @@ -2642,7 +2642,8 @@ spec: to use in verifying a presented server certificate. `CRL` is a list of certificates that have been revoked by the CA (Certificate Authority) before their scheduled expiration date. If specified, the proxy will verify if the presented certificate is part of the revoked list of certificates. - If omitted, the proxy will not verify the certificate against the `crl`. + If omitted, the proxy will not verify the certificate against the `crl`. Note that if `credentialName` is set, + `CRL` cannot be specified using `caCrl`, rather it has to be specified inside the credential. type: string clientCertificate: description: |- @@ -2842,7 +2843,8 @@ spec: to use in verifying a presented server certificate. `CRL` is a list of certificates that have been revoked by the CA (Certificate Authority) before their scheduled expiration date. If specified, the proxy will verify if the presented certificate is part of the revoked list of certificates. - If omitted, the proxy will not verify the certificate against the `crl`. + If omitted, the proxy will not verify the certificate against the `crl`. Note that if `credentialName` is set, + `CRL` cannot be specified using `caCrl`, rather it has to be specified inside the credential. type: string clientCertificate: description: |- 
@@ -3040,7 +3042,8 @@ spec: to use in verifying a presented server certificate. `CRL` is a list of certificates that have been revoked by the CA (Certificate Authority) before their scheduled expiration date. If specified, the proxy will verify if the presented certificate is part of the revoked list of certificates. - If omitted, the proxy will not verify the certificate against the `crl`. + If omitted, the proxy will not verify the certificate against the `crl`. Note that if `credentialName` is set, + `CRL` cannot be specified using `caCrl`, rather it has to be specified inside the credential. type: string clientCertificate: description: |- @@ -3168,7 +3171,8 @@ spec: to use in verifying a presented server certificate. `CRL` is a list of certificates that have been revoked by the CA (Certificate Authority) before their scheduled expiration date. If specified, the proxy will verify if the presented certificate is part of the revoked list of certificates. - If omitted, the proxy will not verify the certificate against the `crl`. + If omitted, the proxy will not verify the certificate against the `crl`. Note that if `credentialName` is set, + `CRL` cannot be specified using `caCrl`, rather it has to be specified inside the credential. type: string clientCertificate: description: |- @@ -3940,7 +3944,8 @@ spec: to use in verifying a presented server certificate. `CRL` is a list of certificates that have been revoked by the CA (Certificate Authority) before their scheduled expiration date. If specified, the proxy will verify if the presented certificate is part of the revoked list of certificates. - If omitted, the proxy will not verify the certificate against the `crl`. + If omitted, the proxy will not verify the certificate against the `crl`. Note that if `credentialName` is set, + `CRL` cannot be specified using `caCrl`, rather it has to be specified inside the credential. type: string clientCertificate: description: |- 
diff --git a/chart/crds/sailoperator.io_istiocnis.yaml b/chart/crds/sailoperator.io_istiocnis.yaml index 927c61c91..4b2873749 100644 --- a/chart/crds/sailoperator.io_istiocnis.yaml +++ b/chart/crds/sailoperator.io_istiocnis.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.3 + controller-gen.kubebuilder.io/version: v0.16.4 name: istiocnis.sailoperator.io spec: group: sailoperator.io diff --git a/chart/crds/sailoperator.io_istiorevisions.yaml b/chart/crds/sailoperator.io_istiorevisions.yaml index e7533f351..066d23473 100644 --- a/chart/crds/sailoperator.io_istiorevisions.yaml +++ b/chart/crds/sailoperator.io_istiorevisions.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.3 + controller-gen.kubebuilder.io/version: v0.16.4 name: istiorevisions.sailoperator.io spec: group: sailoperator.io @@ -2588,7 +2588,8 @@ spec: to use in verifying a presented server certificate. `CRL` is a list of certificates that have been revoked by the CA (Certificate Authority) before their scheduled expiration date. If specified, the proxy will verify if the presented certificate is part of the revoked list of certificates. - If omitted, the proxy will not verify the certificate against the `crl`. + If omitted, the proxy will not verify the certificate against the `crl`. Note that if `credentialName` is set, + `CRL` cannot be specified using `caCrl`, rather it has to be specified inside the credential. type: string clientCertificate: description: |- 
@@ -2788,7 +2789,8 @@ spec: to use in verifying a presented server certificate. `CRL` is a list of certificates that have been revoked by the CA (Certificate Authority) before their scheduled expiration date. If specified, the proxy will verify if the presented certificate is part of the revoked list of certificates. - If omitted, the proxy will not verify the certificate against the `crl`. + If omitted, the proxy will not verify the certificate against the `crl`. Note that if `credentialName` is set, + `CRL` cannot be specified using `caCrl`, rather it has to be specified inside the credential. type: string clientCertificate: description: |- @@ -2986,7 +2988,8 @@ spec: to use in verifying a presented server certificate. `CRL` is a list of certificates that have been revoked by the CA (Certificate Authority) before their scheduled expiration date. If specified, the proxy will verify if the presented certificate is part of the revoked list of certificates. - If omitted, the proxy will not verify the certificate against the `crl`. + If omitted, the proxy will not verify the certificate against the `crl`. Note that if `credentialName` is set, + `CRL` cannot be specified using `caCrl`, rather it has to be specified inside the credential. type: string clientCertificate: description: |- @@ -3114,7 +3117,8 @@ spec: to use in verifying a presented server certificate. `CRL` is a list of certificates that have been revoked by the CA (Certificate Authority) before their scheduled expiration date. If specified, the proxy will verify if the presented certificate is part of the revoked list of certificates. - If omitted, the proxy will not verify the certificate against the `crl`. + If omitted, the proxy will not verify the certificate against the `crl`. Note that if `credentialName` is set, + `CRL` cannot be specified using `caCrl`, rather it has to be specified inside the credential. type: string clientCertificate: description: |- 
@@ -3886,7 +3890,8 @@ spec: to use in verifying a presented server certificate. `CRL` is a list of certificates that have been revoked by the CA (Certificate Authority) before their scheduled expiration date. If specified, the proxy will verify if the presented certificate is part of the revoked list of certificates. - If omitted, the proxy will not verify the certificate against the `crl`. + If omitted, the proxy will not verify the certificate against the `crl`. Note that if `credentialName` is set, + `CRL` cannot be specified using `caCrl`, rather it has to be specified inside the credential. type: string clientCertificate: description: |- diff --git a/chart/crds/sailoperator.io_istios.yaml b/chart/crds/sailoperator.io_istios.yaml index 8254f7469..fa5b227ee 100644 --- a/chart/crds/sailoperator.io_istios.yaml +++ b/chart/crds/sailoperator.io_istios.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.3 + controller-gen.kubebuilder.io/version: v0.16.4 name: istios.sailoperator.io spec: group: sailoperator.io @@ -2647,7 +2647,8 @@ spec: to use in verifying a presented server certificate. `CRL` is a list of certificates that have been revoked by the CA (Certificate Authority) before their scheduled expiration date. If specified, the proxy will verify if the presented certificate is part of the revoked list of certificates. - If omitted, the proxy will not verify the certificate against the `crl`. + If omitted, the proxy will not verify the certificate against the `crl`. Note that if `credentialName` is set, + `CRL` cannot be specified using `caCrl`, rather it has to be specified inside the credential. type: string clientCertificate: description: |- 
@@ -2847,7 +2848,8 @@ spec: to use in verifying a presented server certificate. `CRL` is a list of certificates that have been revoked by the CA (Certificate Authority) before their scheduled expiration date. If specified, the proxy will verify if the presented certificate is part of the revoked list of certificates. - If omitted, the proxy will not verify the certificate against the `crl`. + If omitted, the proxy will not verify the certificate against the `crl`. Note that if `credentialName` is set, + `CRL` cannot be specified using `caCrl`, rather it has to be specified inside the credential. type: string clientCertificate: description: |- @@ -3045,7 +3047,8 @@ spec: to use in verifying a presented server certificate. `CRL` is a list of certificates that have been revoked by the CA (Certificate Authority) before their scheduled expiration date. If specified, the proxy will verify if the presented certificate is part of the revoked list of certificates. - If omitted, the proxy will not verify the certificate against the `crl`. + If omitted, the proxy will not verify the certificate against the `crl`. Note that if `credentialName` is set, + `CRL` cannot be specified using `caCrl`, rather it has to be specified inside the credential. type: string clientCertificate: description: |- @@ -3173,7 +3176,8 @@ spec: to use in verifying a presented server certificate. `CRL` is a list of certificates that have been revoked by the CA (Certificate Authority) before their scheduled expiration date. If specified, the proxy will verify if the presented certificate is part of the revoked list of certificates. - If omitted, the proxy will not verify the certificate against the `crl`. + If omitted, the proxy will not verify the certificate against the `crl`. Note that if `credentialName` is set, + `CRL` cannot be specified using `caCrl`, rather it has to be specified inside the credential. type: string clientCertificate: description: |- 
@@ -3945,7 +3949,8 @@ spec: to use in verifying a presented server certificate. `CRL` is a list of certificates that have been revoked by the CA (Certificate Authority) before their scheduled expiration date. If specified, the proxy will verify if the presented certificate is part of the revoked list of certificates. - If omitted, the proxy will not verify the certificate against the `crl`. + If omitted, the proxy will not verify the certificate against the `crl`. Note that if `credentialName` is set, + `CRL` cannot be specified using `caCrl`, rather it has to be specified inside the credential. type: string clientCertificate: description: |- diff --git a/chart/crds/sailoperator.io_remoteistios.yaml b/chart/crds/sailoperator.io_remoteistios.yaml index ee128cf3f..f394984cf 100644 --- a/chart/crds/sailoperator.io_remoteistios.yaml +++ b/chart/crds/sailoperator.io_remoteistios.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.3 + controller-gen.kubebuilder.io/version: v0.16.4 name: remoteistios.sailoperator.io spec: group: sailoperator.io @@ -2642,7 +2642,8 @@ spec: to use in verifying a presented server certificate. `CRL` is a list of certificates that have been revoked by the CA (Certificate Authority) before their scheduled expiration date. If specified, the proxy will verify if the presented certificate is part of the revoked list of certificates. - If omitted, the proxy will not verify the certificate against the `crl`. + If omitted, the proxy will not verify the certificate against the `crl`. Note that if `credentialName` is set, + `CRL` cannot be specified using `caCrl`, rather it has to be specified inside the credential. type: string clientCertificate: description: |- 
@@ -2842,7 +2843,8 @@ spec: to use in verifying a presented server certificate. `CRL` is a list of certificates that have been revoked by the CA (Certificate Authority) before their scheduled expiration date. If specified, the proxy will verify if the presented certificate is part of the revoked list of certificates. - If omitted, the proxy will not verify the certificate against the `crl`. + If omitted, the proxy will not verify the certificate against the `crl`. Note that if `credentialName` is set, + `CRL` cannot be specified using `caCrl`, rather it has to be specified inside the credential. type: string clientCertificate: description: |- @@ -3040,7 +3042,8 @@ spec: to use in verifying a presented server certificate. `CRL` is a list of certificates that have been revoked by the CA (Certificate Authority) before their scheduled expiration date. If specified, the proxy will verify if the presented certificate is part of the revoked list of certificates. - If omitted, the proxy will not verify the certificate against the `crl`. + If omitted, the proxy will not verify the certificate against the `crl`. Note that if `credentialName` is set, + `CRL` cannot be specified using `caCrl`, rather it has to be specified inside the credential. type: string clientCertificate: description: |- @@ -3168,7 +3171,8 @@ spec: to use in verifying a presented server certificate. `CRL` is a list of certificates that have been revoked by the CA (Certificate Authority) before their scheduled expiration date. If specified, the proxy will verify if the presented certificate is part of the revoked list of certificates. - If omitted, the proxy will not verify the certificate against the `crl`. + If omitted, the proxy will not verify the certificate against the `crl`. Note that if `credentialName` is set, + `CRL` cannot be specified using `caCrl`, rather it has to be specified inside the credential. type: string clientCertificate: description: |- 
@@ -3940,7 +3944,8 @@ spec: to use in verifying a presented server certificate. `CRL` is a list of certificates that have been revoked by the CA (Certificate Authority) before their scheduled expiration date. If specified, the proxy will verify if the presented certificate is part of the revoked list of certificates. - If omitted, the proxy will not verify the certificate against the `crl`. + If omitted, the proxy will not verify the certificate against the `crl`. Note that if `credentialName` is set, + `CRL` cannot be specified using `caCrl`, rather it has to be specified inside the credential. type: string clientCertificate: description: |- diff --git a/chart/values.yaml b/chart/values.yaml index fb7054f76..c0e33b8f1 100644 --- a/chart/values.yaml +++ b/chart/values.yaml @@ -19,7 +19,7 @@ csv: - v1.23.2 - v1.22.5 - v1.21.6 - - latest (216aec97) + - latest (67753026) [See this page](https://github.com/istio-ecosystem/sail-operator/blob/main/bundle/README.md) for instructions on how to use it. support: Community based diff --git a/common/.commonfiles.sha b/common/.commonfiles.sha index 22283f3bd..077219cb7 100644 --- a/common/.commonfiles.sha +++ b/common/.commonfiles.sha @@ -1 +1 @@ -c12e9c52ed2facb49d394df9b1c92ff36fc7f5f1 +d09ba3d6a3a89b606bae1bbe4a1e6537b1b72d79 diff --git a/common/scripts/setup_env.sh b/common/scripts/setup_env.sh index 6cbe0225f..9dcc144a7 100755 --- a/common/scripts/setup_env.sh +++ b/common/scripts/setup_env.sh @@ -75,7 +75,7 @@ fi TOOLS_REGISTRY_PROVIDER=${TOOLS_REGISTRY_PROVIDER:-gcr.io} PROJECT_ID=${PROJECT_ID:-istio-testing} if [[ "${IMAGE_VERSION:-}" == "" ]]; then - IMAGE_VERSION=master-8eb42e9551b9a67c330aeef783f2498647d91289 + IMAGE_VERSION=master-621a64a11b30f703b2e887df91862fffdd16112e fi if [[ "${IMAGE_NAME:-}" == "" ]]; then IMAGE_NAME=build-tools diff --git a/go.mod b/go.mod index ba5d46246..8089c8e30 100644 --- a/go.mod +++ b/go.mod 
@@ -23,8 +23,8 @@ require ( gomodules.xyz/jsonpatch/v2 v2.4.0 gopkg.in/yaml.v3 v3.0.1 helm.sh/helm/v3 v3.16.1 - istio.io/client-go v1.23.0-alpha.0.0.20241008225844-395a48e49cd4 - istio.io/istio v0.0.0-20241010021245-216aec97fa5b + istio.io/client-go v1.23.0-alpha.0.0.20241011000732-f46eea8919cd + istio.io/istio v0.0.0-20241011003352-6775302647bc k8s.io/api v0.31.1 k8s.io/apiextensions-apiserver v0.31.1 k8s.io/apimachinery v0.31.1 @@ -166,7 +166,7 @@ require ( gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect gotest.tools/v3 v3.5.1 // indirect - istio.io/api v1.23.0-alpha.0.0.20241008225447-9e245289297e // indirect + istio.io/api v1.23.0-alpha.0.0.20241011000314-650491578381 // indirect k8s.io/apiserver v0.31.1 // indirect k8s.io/component-base v0.31.1 // indirect k8s.io/klog/v2 v2.130.1 // indirect diff --git a/go.sum b/go.sum index 6f876b6d7..7cb5d3401 100644 --- a/go.sum +++ b/go.sum 
@@ -489,12 +489,12 @@ gotest.tools/v3 v3.5.1 h1:EENdUnS3pdur5nybKYIh2Vfgc8IUNBjxDPSjtiJcOzU= gotest.tools/v3 v3.5.1/go.mod h1:isy3WKz7GK6uNw/sbHzfKBLvlvXwUyV06n6brMxxopU= helm.sh/helm/v3 v3.16.1 h1:cER6tI/8PgUAsaJaQCVBUg3VI9KN4oVaZJgY60RIc0c= helm.sh/helm/v3 v3.16.1/go.mod h1:r+xBHHP20qJeEqtvBXMf7W35QDJnzY/eiEBzt+TfHps= -istio.io/api v1.23.0-alpha.0.0.20241008225447-9e245289297e h1:XFDQ7gJIvtFtqnQSkAUjj95+ZpgClPEz+pwSU3rvxkk= -istio.io/api v1.23.0-alpha.0.0.20241008225447-9e245289297e/go.mod h1:MQnRok7RZ20/PE56v0LxmoWH0xVxnCQPNuf9O7PAN1I= -istio.io/client-go v1.23.0-alpha.0.0.20241008225844-395a48e49cd4 h1:4CxCrMN+Q+S9GDSrlrigR63zYqQ+uc5nGmknHNhT+PU= -istio.io/client-go v1.23.0-alpha.0.0.20241008225844-395a48e49cd4/go.mod h1:72IX50+zpXByj9hYLJ5b28v6h62v/UHcU+ZFVJBiwao= -istio.io/istio v0.0.0-20241010021245-216aec97fa5b h1:YWjIRRS0X1pW9OsBapZ30V14PGwywTKty2QWoBuwhPQ= -istio.io/istio v0.0.0-20241010021245-216aec97fa5b/go.mod h1:OjXgkrdrI5myoxr0eDxoWm+q5kFrcgLNlJLRvGd5ZIk= +istio.io/api v1.23.0-alpha.0.0.20241011000314-650491578381 h1:ZgYTwI0GqRLuany0gLzohY9UW8cVS7cX7gRfGziGnP0= +istio.io/api v1.23.0-alpha.0.0.20241011000314-650491578381/go.mod h1:MQnRok7RZ20/PE56v0LxmoWH0xVxnCQPNuf9O7PAN1I= +istio.io/client-go v1.23.0-alpha.0.0.20241011000732-f46eea8919cd h1:rghOYcynTAXYGRJXkZjxAogTbNQE+ROTWPaGTcd84bM= +istio.io/client-go v1.23.0-alpha.0.0.20241011000732-f46eea8919cd/go.mod h1:oECxINJDBsN7AtQjcZVBQqQ73FHeYw6D3ihspfN7PDs= +istio.io/istio v0.0.0-20241011003352-6775302647bc h1:M6v0V3rsgXwkZyIYjALQSHJk/0W1jdbHNFMsj+jHLOE= +istio.io/istio v0.0.0-20241011003352-6775302647bc/go.mod h1:OjXgkrdrI5myoxr0eDxoWm+q5kFrcgLNlJLRvGd5ZIk= k8s.io/api v0.31.1 h1:Xe1hX/fPW3PXYYv8BlozYqw63ytA92snr96zMW9gWTU= k8s.io/api v0.31.1/go.mod h1:sbN1g6eY6XVLeqNsZGLnI5FwVseTrZX7Fv3O26rhAaI= k8s.io/apiextensions-apiserver v0.31.1 h1:L+hwULvXx+nvTYX/MKM3kKMZyei+UiSXQWciX/N6E40= 
diff --git a/resources/latest/charts/base/Chart.yaml b/resources/latest/charts/base/Chart.yaml index c589fe584..345eaa359 100644 --- a/resources/latest/charts/base/Chart.yaml +++ b/resources/latest/charts/base/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 1.24-alpha.216aec97fa5b90dce88e9f53307157bee2709be0 +appVersion: 1.24-alpha.6775302647bcdb6c742b5c505945ee7a8911d811 description: Helm chart for deploying Istio cluster resources and CRDs icon: https://istio.io/latest/favicons/android-192x192.png keywords: @@ -7,4 +7,4 @@ keywords: name: base sources: - https://github.com/istio/istio -version: 1.24-alpha.216aec97fa5b90dce88e9f53307157bee2709be0 +version: 1.24-alpha.6775302647bcdb6c742b5c505945ee7a8911d811 diff --git a/resources/latest/charts/cni/Chart.yaml b/resources/latest/charts/cni/Chart.yaml index 5e593f4c0..0fff3f1f3 100644 --- a/resources/latest/charts/cni/Chart.yaml +++ b/resources/latest/charts/cni/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 1.24-alpha.216aec97fa5b90dce88e9f53307157bee2709be0 +appVersion: 1.24-alpha.6775302647bcdb6c742b5c505945ee7a8911d811 description: Helm chart for istio-cni components icon: https://istio.io/latest/favicons/android-192x192.png keywords: @@ -8,4 +8,4 @@ keywords: name: cni sources: - https://github.com/istio/istio -version: 1.24-alpha.216aec97fa5b90dce88e9f53307157bee2709be0 +version: 1.24-alpha.6775302647bcdb6c742b5c505945ee7a8911d811 diff --git a/resources/latest/charts/cni/values.yaml b/resources/latest/charts/cni/values.yaml index ccb32b428..1c657abb1 100644 --- a/resources/latest/charts/cni/values.yaml +++ b/resources/latest/charts/cni/values.yaml @@ -112,7 +112,7 @@ _internal_defaults_do_not_set: hub: gcr.io/istio-testing # Default tag for Istio images. - tag: 1.24-alpha.216aec97fa5b90dce88e9f53307157bee2709be0 + tag: 1.24-alpha.6775302647bcdb6c742b5c505945ee7a8911d811 # Variant of the image to use. # Currently supported are: [debug, distroless] 
diff --git a/resources/latest/charts/gateway/Chart.yaml b/resources/latest/charts/gateway/Chart.yaml index 3a4b25116..b385daacc 100644 --- a/resources/latest/charts/gateway/Chart.yaml +++ b/resources/latest/charts/gateway/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 1.24-alpha.216aec97fa5b90dce88e9f53307157bee2709be0 +appVersion: 1.24-alpha.6775302647bcdb6c742b5c505945ee7a8911d811 description: Helm chart for deploying Istio gateways icon: https://istio.io/latest/favicons/android-192x192.png keywords: @@ -9,4 +9,4 @@ name: gateway sources: - https://github.com/istio/istio type: application -version: 1.24-alpha.216aec97fa5b90dce88e9f53307157bee2709be0 +version: 1.24-alpha.6775302647bcdb6c742b5c505945ee7a8911d811 diff --git a/resources/latest/charts/istiod/Chart.yaml b/resources/latest/charts/istiod/Chart.yaml index cf72ba0c7..61f8db36e 100644 --- a/resources/latest/charts/istiod/Chart.yaml +++ b/resources/latest/charts/istiod/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 1.24-alpha.216aec97fa5b90dce88e9f53307157bee2709be0 +appVersion: 1.24-alpha.6775302647bcdb6c742b5c505945ee7a8911d811 description: Helm chart for istio control plane icon: https://istio.io/latest/favicons/android-192x192.png keywords: @@ -9,4 +9,4 @@ keywords: name: istiod sources: - https://github.com/istio/istio -version: 1.24-alpha.216aec97fa5b90dce88e9f53307157bee2709be0 +version: 1.24-alpha.6775302647bcdb6c742b5c505945ee7a8911d811 diff --git a/resources/latest/charts/istiod/values.yaml b/resources/latest/charts/istiod/values.yaml index 68e09d307..0c3203a58 100644 --- a/resources/latest/charts/istiod/values.yaml +++ b/resources/latest/charts/istiod/values.yaml 
@@ -242,7 +242,7 @@ _internal_defaults_do_not_set: # Dev builds from prow are on gcr.io hub: gcr.io/istio-testing # Default tag for Istio images. - tag: 1.24-alpha.216aec97fa5b90dce88e9f53307157bee2709be0 + tag: 1.24-alpha.6775302647bcdb6c742b5c505945ee7a8911d811 # Variant of the image to use. # Currently supported are: [debug, distroless] variant: "" diff --git a/resources/latest/charts/ztunnel/Chart.yaml b/resources/latest/charts/ztunnel/Chart.yaml index 105d16f0b..4286088ce 100644 --- a/resources/latest/charts/ztunnel/Chart.yaml +++ b/resources/latest/charts/ztunnel/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 1.24-alpha.216aec97fa5b90dce88e9f53307157bee2709be0 +appVersion: 1.24-alpha.6775302647bcdb6c742b5c505945ee7a8911d811 description: Helm chart for istio ztunnel components icon: https://istio.io/latest/favicons/android-192x192.png keywords: @@ -8,4 +8,4 @@ keywords: name: ztunnel sources: - https://github.com/istio/istio -version: 1.24-alpha.216aec97fa5b90dce88e9f53307157bee2709be0 +version: 1.24-alpha.6775302647bcdb6c742b5c505945ee7a8911d811 diff --git a/resources/latest/charts/ztunnel/values.yaml b/resources/latest/charts/ztunnel/values.yaml index e89105a6c..d1a2a7c04 100644 --- a/resources/latest/charts/ztunnel/values.yaml +++ b/resources/latest/charts/ztunnel/values.yaml @@ -4,7 +4,7 @@ _internal_defaults_do_not_set: # Hub to pull from. Image will be `Hub/Image:Tag-Variant` hub: gcr.io/istio-testing # Tag to pull from. Image will be `Hub/Image:Tag-Variant` - tag: 1.24-alpha.216aec97fa5b90dce88e9f53307157bee2709be0 + tag: 1.24-alpha.6775302647bcdb6c742b5c505945ee7a8911d811 # Variant to pull. Options are "debug" or "distroless". Unset will use the default for the given version. variant: "" diff --git a/versions.yaml b/versions.yaml index 81ee49867..754b18f64 100644 --- a/versions.yaml +++ b/versions.yaml 
@@ -43,13 +43,13 @@ versions: - https://istio-release.storage.googleapis.com/charts/cni-1.21.6.tgz - https://istio-release.storage.googleapis.com/charts/ztunnel-1.21.6.tgz - name: latest - version: 1.24-alpha.216aec97fa5b90dce88e9f53307157bee2709be0 + version: 1.24-alpha.6775302647bcdb6c742b5c505945ee7a8911d811 repo: https://github.com/istio/istio branch: master - commit: 216aec97fa5b90dce88e9f53307157bee2709be0 + commit: 6775302647bcdb6c742b5c505945ee7a8911d811 charts: - - https://storage.googleapis.com/istio-build/dev/1.24-alpha.216aec97fa5b90dce88e9f53307157bee2709be0/helm/base-1.24-alpha.216aec97fa5b90dce88e9f53307157bee2709be0.tgz - - https://storage.googleapis.com/istio-build/dev/1.24-alpha.216aec97fa5b90dce88e9f53307157bee2709be0/helm/cni-1.24-alpha.216aec97fa5b90dce88e9f53307157bee2709be0.tgz - - https://storage.googleapis.com/istio-build/dev/1.24-alpha.216aec97fa5b90dce88e9f53307157bee2709be0/helm/gateway-1.24-alpha.216aec97fa5b90dce88e9f53307157bee2709be0.tgz - - https://storage.googleapis.com/istio-build/dev/1.24-alpha.216aec97fa5b90dce88e9f53307157bee2709be0/helm/istiod-1.24-alpha.216aec97fa5b90dce88e9f53307157bee2709be0.tgz - - https://storage.googleapis.com/istio-build/dev/1.24-alpha.216aec97fa5b90dce88e9f53307157bee2709be0/helm/ztunnel-1.24-alpha.216aec97fa5b90dce88e9f53307157bee2709be0.tgz + - https://storage.googleapis.com/istio-build/dev/1.24-alpha.6775302647bcdb6c742b5c505945ee7a8911d811/helm/base-1.24-alpha.6775302647bcdb6c742b5c505945ee7a8911d811.tgz + - https://storage.googleapis.com/istio-build/dev/1.24-alpha.6775302647bcdb6c742b5c505945ee7a8911d811/helm/cni-1.24-alpha.6775302647bcdb6c742b5c505945ee7a8911d811.tgz + - https://storage.googleapis.com/istio-build/dev/1.24-alpha.6775302647bcdb6c742b5c505945ee7a8911d811/helm/gateway-1.24-alpha.6775302647bcdb6c742b5c505945ee7a8911d811.tgz + - 
https://storage.googleapis.com/istio-build/dev/1.24-alpha.6775302647bcdb6c742b5c505945ee7a8911d811/helm/istiod-1.24-alpha.6775302647bcdb6c742b5c505945ee7a8911d811.tgz + - https://storage.googleapis.com/istio-build/dev/1.24-alpha.6775302647bcdb6c742b5c505945ee7a8911d811/helm/ztunnel-1.24-alpha.6775302647bcdb6c742b5c505945ee7a8911d811.tgz From 1f338fff1545a2297ce5154c3abd30bd49993bd3 Mon Sep 17 00:00:00 2001 From: Sridhar Gaddam Date: Fri, 11 Oct 2024 11:49:57 +0530 Subject: [PATCH 54/68] Documentation for dual-stack support (#407) * Documentation for dual-stack support Related to: https://github.com/istio-ecosystem/sail-operator/issues/372 Signed-off-by: Sridhar Gaddam * Update TOC Signed-off-by: Sridhar Gaddam * Minor updates to doc Signed-off-by: Sridhar Gaddam * Fix alignment Signed-off-by: Sridhar Gaddam --------- Signed-off-by: Sridhar Gaddam --- docs/README.md | 153 +++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 153 insertions(+) diff --git a/docs/README.md b/docs/README.md index e2c1572fd..25f05f8bd 100644 --- a/docs/README.md +++ b/docs/README.md @@ -27,6 +27,10 @@ - [Multi-Primary](#multi-primary---multi-network) - [Primary-Remote](#primary-remote---multi-network) - [External Control Plane](#external-controlplane) +- [Dual-stack Support](#dual-stack-support) + - [Prerequisites](#prerequisites) + - [Installation Steps](#installation-steps) + - [Validation](#ds-validation) - [Addons](#addons) - [Deploy Prometheus and Jaeger addons](#deploy-prometheus-and-jaeger-addons) - [Deploy Kiali addon](#deploy-kiali-addon) 
@@ -1150,6 +1154,155 @@ In this setup there is an external control plane cluster (`cluster1`) and a remo kubectl delete ns sample --context="${CTX_CLUSTER2}" ``` +## Dual-stack Support + +Kubernetes supports dual-stack networking as a stable feature starting from +[v1.23](https://kubernetes.io/docs/concepts/services-networking/dual-stack/), allowing clusters to handle both +IPv4 and IPv6 traffic. With many cloud providers also beginning to offer dual-stack Kubernetes clusters, it's easier +than ever to run services that function across both address types. Istio introduced dual-stack as an experimental +feature in version 1.17, and it's expected to be promoted to [Alpha](https://github.com/istio/istio/issues/47998) in +version 1.24. With Istio in dual-stack mode, services can communicate over both IPv4 and IPv6 endpoints, which helps +organizations transition to IPv6 while still maintaining compatibility with their existing IPv4 infrastructure. + +When Kubernetes is configured for dual-stack, it automatically assigns an IPv4 and an IPv6 address to each pod, +enabling them to communicate over both IP families. For services, however, you can control how they behave using +the `ipFamilyPolicy` setting. + +Service.Spec.ipFamilyPolicy can take the following values +- SingleStack: Only one IP family is configured for the service, which can be either IPv4 or IPv6. +- PreferDualStack: Both IPv4 and IPv6 cluster IPs are assigned to the Service when dual-stack is enabled. + However, if dual-stack is not enabled or supported, it falls back to singleStack behavior. +- RequireDualStack: The service will be created only if both IPv4 and IPv6 addresses can be assigned. + +This allows you to specify the type of service, providing flexibility in managing your network configuration. +For more details, you can refer to the Kubernetes [documentation](https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services). 
+ +### Prerequisites + +- Kubernetes 1.23 or later configured with dual-stack support. +- Sail Operator is installed. +- Kind cluster with dual-stack networking. + +### Installation Steps + +You can use any existing Kind cluster that supports dual-stack networking or, alternatively, install one using the following command. + +```sh +kind create cluster --name istio-ds --config - < Date: Fri, 11 Oct 2024 10:27:57 +0200 Subject: [PATCH 55/68] Fix e2e test suite names (#409) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Marko Lukša --- tests/e2e/controlplane/control_plane_suite_test.go | 2 +- tests/e2e/dualstack/dualstack_suite_test.go | 2 +- tests/e2e/multicluster/multicluster_suite_test.go | 2 +- tests/e2e/operator/operator_suite_test.go | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/tests/e2e/controlplane/control_plane_suite_test.go b/tests/e2e/controlplane/control_plane_suite_test.go index a494a16d8..aef6ba850 100644 --- a/tests/e2e/controlplane/control_plane_suite_test.go +++ b/tests/e2e/controlplane/control_plane_suite_test.go @@ -52,7 +52,7 @@ func TestInstall(t *testing.T) { } RegisterFailHandler(Fail) setup() - RunSpecs(t, "Control Plane Suite") + RunSpecs(t, "Control Plane Test Suite") } func setup() { diff --git a/tests/e2e/dualstack/dualstack_suite_test.go b/tests/e2e/dualstack/dualstack_suite_test.go index 99f82bab0..6f3cd0f7f 100644 --- a/tests/e2e/dualstack/dualstack_suite_test.go +++ b/tests/e2e/dualstack/dualstack_suite_test.go @@ -53,7 +53,7 @@ func TestDualStack(t *testing.T) { RegisterFailHandler(Fail) setup() - RunSpecs(t, "DualStack test suite") + RunSpecs(t, "DualStack Test Suite") } func setup() { diff --git a/tests/e2e/multicluster/multicluster_suite_test.go b/tests/e2e/multicluster/multicluster_suite_test.go index 09ca73fde..f25a427ea 100644 --- a/tests/e2e/multicluster/multicluster_suite_test.go +++ b/tests/e2e/multicluster/multicluster_suite_test.go 
@@ -67,7 +67,7 @@ func TestInstall(t *testing.T) { } RegisterFailHandler(Fail) setup(t) - RunSpecs(t, "Control Plane Suite") + RunSpecs(t, "Multi-Cluster Test Suite") } func setup(t *testing.T) { diff --git a/tests/e2e/operator/operator_suite_test.go b/tests/e2e/operator/operator_suite_test.go index 952d7cd8e..1a34174af 100644 --- a/tests/e2e/operator/operator_suite_test.go +++ b/tests/e2e/operator/operator_suite_test.go @@ -45,7 +45,7 @@ func TestInstall(t *testing.T) { } RegisterFailHandler(Fail) setup() - RunSpecs(t, "Install Operator Suite") + RunSpecs(t, "Operator Installation Test Suite") } func setup() { From 9b9078903a6eaa663981101ef46a31e77eba71f7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marko=20Luk=C5=A1a?= Date: Fri, 11 Oct 2024 13:36:57 +0200 Subject: [PATCH 56/68] Centralize operator installation code in e2e tests (#411) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Marko Lukša --- .../controlplane/control_plane_suite_test.go | 4 +-- tests/e2e/controlplane/control_plane_test.go | 7 ++-- tests/e2e/dualstack/dualstack_suite_test.go | 4 +-- tests/e2e/dualstack/dualstack_test.go | 7 ++-- .../multicluster_multiprimary_test.go | 7 ++-- .../multicluster_primaryremote_test.go | 7 ++-- .../multicluster/multicluster_suite_test.go | 4 +-- tests/e2e/operator/operator_install_test.go | 7 ++-- tests/e2e/operator/operator_suite_test.go | 4 +-- tests/e2e/util/common/e2e_utils.go | 36 ++++++++++++++----- 10 files changed, 46 insertions(+), 41 deletions(-) diff --git a/tests/e2e/controlplane/control_plane_suite_test.go b/tests/e2e/controlplane/control_plane_suite_test.go index aef6ba850..298a3b152 100644 --- a/tests/e2e/controlplane/control_plane_suite_test.go +++ b/tests/e2e/controlplane/control_plane_suite_test.go 
@@ -20,6 +20,7 @@ import (
 "testing"
 
 k8sclient "github.com/istio-ecosystem/sail-operator/tests/e2e/util/client"
+ "github.com/istio-ecosystem/sail-operator/tests/e2e/util/common"
 "github.com/istio-ecosystem/sail-operator/tests/e2e/util/env"
 "github.com/istio-ecosystem/sail-operator/tests/e2e/util/kubectl"
 . "github.com/onsi/ginkgo/v2"
@@ -31,13 +32,12 @@ var (
 cl client.Client
 err error
 ocp = env.GetBool("OCP", false)
- namespace = env.Get("NAMESPACE", "sail-operator")
+ namespace = common.OperatorNamespace
 deploymentName = env.Get("DEPLOYMENT_NAME", "sail-operator")
 controlPlaneNamespace = env.Get("CONTROL_PLANE_NS", "istio-system")
 istioName = env.Get("ISTIO_NAME", "default")
 istioCniNamespace = env.Get("ISTIOCNI_NAMESPACE", "istio-cni")
 istioCniName = env.Get("ISTIOCNI_NAME", "default")
- image = env.Get("IMAGE", "quay.io/maistra-dev/sail-operator:latest")
 skipDeploy = env.GetBool("SKIP_DEPLOY", false)
 expectedRegistry = env.Get("EXPECTED_REGISTRY", "^docker\\.io|^gcr\\.io")
 bookinfoNamespace = env.Get("BOOKINFO_NAMESPACE", "bookinfo")
diff --git a/tests/e2e/controlplane/control_plane_test.go b/tests/e2e/controlplane/control_plane_test.go
index eafcc9a01..20c52e872 100644
--- a/tests/e2e/controlplane/control_plane_test.go
+++ b/tests/e2e/controlplane/control_plane_test.go
@@ -18,19 +18,16 @@ package controlplane
 
 import (
 "fmt"
- "path/filepath"
 "strings"
 "time"
 
 "github.com/Masterminds/semver/v3"
 "github.com/istio-ecosystem/sail-operator/api/v1alpha1"
 "github.com/istio-ecosystem/sail-operator/pkg/kube"
- "github.com/istio-ecosystem/sail-operator/pkg/test/project"
 . "github.com/istio-ecosystem/sail-operator/pkg/test/util/ginkgo"
 "github.com/istio-ecosystem/sail-operator/pkg/test/util/supportedversion"
 "github.com/istio-ecosystem/sail-operator/tests/e2e/util/common"
 . "github.com/istio-ecosystem/sail-operator/tests/e2e/util/gomega"
- "github.com/istio-ecosystem/sail-operator/tests/e2e/util/helm"
 . "github.com/onsi/ginkgo/v2"
 . "github.com/onsi/gomega"
 "github.com/onsi/gomega/types"
@@ -58,7 +55,7 @@ var _ = Describe("Control Plane Installation", Ordered, func() {
 if skipDeploy {
 Success("Skipping operator installation because it was deployed externally")
 } else {
- Expect(helm.Install("sail-operator", filepath.Join(project.RootDir, "chart"), "--namespace "+namespace, "--set=image="+image, extraArg)).
+ Expect(common.InstallOperatorViaHelm(extraArg)).
 To(Succeed(), "Operator failed to be deployed")
 }
 
@@ -327,7 +324,7 @@ spec:
 }
 
 By("Deleting operator deployment")
- Expect(helm.Uninstall("sail-operator", "--namespace "+namespace)).
+ Expect(common.UninstallOperator()).
 To(Succeed(), "Operator failed to be deleted")
 GinkgoWriter.Println("Operator uninstalled")
 
diff --git a/tests/e2e/dualstack/dualstack_suite_test.go b/tests/e2e/dualstack/dualstack_suite_test.go
index 6f3cd0f7f..3dd477ce2 100644
--- a/tests/e2e/dualstack/dualstack_suite_test.go
+++ b/tests/e2e/dualstack/dualstack_suite_test.go
@@ -20,6 +20,7 @@ import (
 "testing"
 
 k8sclient "github.com/istio-ecosystem/sail-operator/tests/e2e/util/client"
+ "github.com/istio-ecosystem/sail-operator/tests/e2e/util/common"
 "github.com/istio-ecosystem/sail-operator/tests/e2e/util/env"
 "github.com/istio-ecosystem/sail-operator/tests/e2e/util/kubectl"
 . "github.com/onsi/ginkgo/v2"
@@ -31,13 +32,12 @@ var (
 cl client.Client
 err error
 ocp = env.GetBool("OCP", false)
- namespace = env.Get("NAMESPACE", "sail-operator")
+ namespace = common.OperatorNamespace
 deploymentName = env.Get("DEPLOYMENT_NAME", "sail-operator")
 controlPlaneNamespace = env.Get("CONTROL_PLANE_NS", "istio-system")
 istioName = env.Get("ISTIO_NAME", "default")
 istioCniNamespace = env.Get("ISTIOCNI_NAMESPACE", "istio-cni")
 istioCniName = env.Get("ISTIOCNI_NAME", "default")
- image = env.Get("IMAGE", "quay.io/maistra-dev/sail-operator:latest")
 skipDeploy = env.GetBool("SKIP_DEPLOY", false)
 expectedRegistry = env.Get("EXPECTED_REGISTRY", "^docker\\.io|^gcr\\.io")
 multicluster = env.GetBool("MULTICLUSTER", false)
diff --git a/tests/e2e/dualstack/dualstack_test.go b/tests/e2e/dualstack/dualstack_test.go
index e213c3d5e..9d4fb4425 100644
--- a/tests/e2e/dualstack/dualstack_test.go
+++ b/tests/e2e/dualstack/dualstack_test.go
@@ -18,18 +18,15 @@ package dualstack
 
 import (
 "fmt"
- "path/filepath"
 "time"
 
 "github.com/Masterminds/semver/v3"
 "github.com/istio-ecosystem/sail-operator/api/v1alpha1"
 "github.com/istio-ecosystem/sail-operator/pkg/kube"
- "github.com/istio-ecosystem/sail-operator/pkg/test/project"
 . "github.com/istio-ecosystem/sail-operator/pkg/test/util/ginkgo"
 "github.com/istio-ecosystem/sail-operator/pkg/test/util/supportedversion"
 "github.com/istio-ecosystem/sail-operator/tests/e2e/util/common"
 . "github.com/istio-ecosystem/sail-operator/tests/e2e/util/gomega"
- "github.com/istio-ecosystem/sail-operator/tests/e2e/util/helm"
 . "github.com/onsi/ginkgo/v2"
 . "github.com/onsi/gomega"
 "github.com/onsi/gomega/types"
@@ -62,7 +59,7 @@ var _ = Describe("DualStack configuration ", Ordered, func() {
 if skipDeploy {
 Success("Skipping operator installation because it was deployed externally")
 } else {
- Expect(helm.Install("sail-operator", filepath.Join(project.RootDir, "chart"), "--namespace "+namespace, "--set=image="+image, extraArg)).
+ Expect(common.InstallOperatorViaHelm(extraArg)).
 To(Succeed(), "Operator failed to be deployed")
 }
 
@@ -308,7 +305,7 @@ spec:
 }
 
 By("Deleting operator deployment")
- Expect(helm.Uninstall("sail-operator", "--namespace "+namespace)).
+ Expect(common.UninstallOperator()).
 To(Succeed(), "Operator failed to be deleted")
 GinkgoWriter.Println("Operator uninstalled")
 
diff --git a/tests/e2e/multicluster/multicluster_multiprimary_test.go b/tests/e2e/multicluster/multicluster_multiprimary_test.go
index b59d60741..74603a0c7 100644
--- a/tests/e2e/multicluster/multicluster_multiprimary_test.go
+++ b/tests/e2e/multicluster/multicluster_multiprimary_test.go
@@ -19,18 +19,15 @@ package multicluster
 import (
 "context"
 "fmt"
- "path/filepath"
 "time"
 
 "github.com/istio-ecosystem/sail-operator/api/v1alpha1"
 "github.com/istio-ecosystem/sail-operator/pkg/kube"
- "github.com/istio-ecosystem/sail-operator/pkg/test/project"
 . "github.com/istio-ecosystem/sail-operator/pkg/test/util/ginkgo"
 "github.com/istio-ecosystem/sail-operator/pkg/test/util/supportedversion"
 "github.com/istio-ecosystem/sail-operator/tests/e2e/util/certs"
 "github.com/istio-ecosystem/sail-operator/tests/e2e/util/common"
 . "github.com/istio-ecosystem/sail-operator/tests/e2e/util/gomega"
- "github.com/istio-ecosystem/sail-operator/tests/e2e/util/helm"
 "github.com/istio-ecosystem/sail-operator/tests/e2e/util/istioctl"
 . "github.com/onsi/ginkgo/v2"
 . "github.com/onsi/gomega"
@@ -50,10 +47,10 @@ var _ = Describe("Multicluster deployment models", Ordered, func() {
 Expect(k1.CreateNamespace(namespace)).To(Succeed(), "Namespace failed to be created on Cluster #1")
 Expect(k2.CreateNamespace(namespace)).To(Succeed(), "Namespace failed to be created on Cluster #2")
 
- Expect(helm.Install("sail-operator", filepath.Join(project.RootDir, "chart"), "--namespace "+namespace, "--set=image="+image, "--kubeconfig "+kubeconfig)).
+ Expect(common.InstallOperatorViaHelm("--kubeconfig", kubeconfig)).
 To(Succeed(), "Operator failed to be deployed in Cluster #1")
 
- Expect(helm.Install("sail-operator", filepath.Join(project.RootDir, "chart"), "--namespace "+namespace, "--set=image="+image, "--kubeconfig "+kubeconfig2)).
+ Expect(common.InstallOperatorViaHelm("--kubeconfig "+kubeconfig2)).
 To(Succeed(), "Operator failed to be deployed in Cluster #2")
 
 Eventually(common.GetObject).
diff --git a/tests/e2e/multicluster/multicluster_primaryremote_test.go b/tests/e2e/multicluster/multicluster_primaryremote_test.go
index d2bf79a89..95865f4f0 100644
--- a/tests/e2e/multicluster/multicluster_primaryremote_test.go
+++ b/tests/e2e/multicluster/multicluster_primaryremote_test.go
@@ -19,18 +19,15 @@ package multicluster
 import (
 "context"
 "fmt"
- "path/filepath"
 "time"
 
 "github.com/istio-ecosystem/sail-operator/api/v1alpha1"
 "github.com/istio-ecosystem/sail-operator/pkg/kube"
- "github.com/istio-ecosystem/sail-operator/pkg/test/project"
 . "github.com/istio-ecosystem/sail-operator/pkg/test/util/ginkgo"
 "github.com/istio-ecosystem/sail-operator/pkg/test/util/supportedversion"
 "github.com/istio-ecosystem/sail-operator/tests/e2e/util/certs"
 "github.com/istio-ecosystem/sail-operator/tests/e2e/util/common"
 . "github.com/istio-ecosystem/sail-operator/tests/e2e/util/gomega"
- "github.com/istio-ecosystem/sail-operator/tests/e2e/util/helm"
 "github.com/istio-ecosystem/sail-operator/tests/e2e/util/istioctl"
 . "github.com/onsi/ginkgo/v2"
 . "github.com/onsi/gomega"
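Review bot: The Cluster #2 install passes `"--kubeconfig "+kubeconfig2` as one joined argument while the Cluster #1 call just above passes `"--kubeconfig", kubeconfig` as two, and the primary-remote variant of this same change uses the two-argument form for both clusters. Whether the joined form is accepted depends on how helm.Install tokenizes its arguments, which is not visible here; at best the mismatch is inconsistent, at worst the second cluster's kubeconfig is handled differently from the first. Suggest `Expect(common.InstallOperatorViaHelm("--kubeconfig", kubeconfig2)).` so both calls read the same. The enclosing Describe block starts and ends outside the hunk.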
@@ -50,10 +47,10 @@ var _ = Describe("Multicluster deployment models", Ordered, func() {
 Expect(k1.CreateNamespace(namespace)).To(Succeed(), "Namespace failed to be created on Primary Cluster")
 Expect(k2.CreateNamespace(namespace)).To(Succeed(), "Namespace failed to be created on Remote Cluster")
 
- Expect(helm.Install("sail-operator", filepath.Join(project.RootDir, "chart"), "--namespace "+namespace, "--set=image="+image, "--kubeconfig "+kubeconfig)).
+ Expect(common.InstallOperatorViaHelm("--kubeconfig", kubeconfig)).
 To(Succeed(), "Operator failed to be deployed in Primary Cluster")
 
- Expect(helm.Install("sail-operator", filepath.Join(project.RootDir, "chart"), "--namespace "+namespace, "--set=image="+image, "--kubeconfig "+kubeconfig2)).
+ Expect(common.InstallOperatorViaHelm("--kubeconfig", kubeconfig2)).
 To(Succeed(), "Operator failed to be deployed in Remote Cluster")
 
 Eventually(common.GetObject).
diff --git a/tests/e2e/multicluster/multicluster_suite_test.go b/tests/e2e/multicluster/multicluster_suite_test.go
index f25a427ea..bf08d58d5 100644
--- a/tests/e2e/multicluster/multicluster_suite_test.go
+++ b/tests/e2e/multicluster/multicluster_suite_test.go
@@ -24,6 +24,7 @@ import (
 
 "github.com/istio-ecosystem/sail-operator/tests/e2e/util/certs"
 k8sclient "github.com/istio-ecosystem/sail-operator/tests/e2e/util/client"
+ "github.com/istio-ecosystem/sail-operator/tests/e2e/util/common"
 "github.com/istio-ecosystem/sail-operator/tests/e2e/util/env"
 "github.com/istio-ecosystem/sail-operator/tests/e2e/util/kubectl"
 . "github.com/onsi/ginkgo/v2"
@@ -36,11 +37,10 @@ var (
 clRemote client.Client
 err error
 ocp = env.GetBool("OCP", false)
- namespace = env.Get("NAMESPACE", "sail-operator")
+ namespace = common.OperatorNamespace
 deploymentName = env.Get("DEPLOYMENT_NAME", "sail-operator")
 controlPlaneNamespace = env.Get("CONTROL_PLANE_NS", "istio-system")
 istioName = env.Get("ISTIO_NAME", "default")
- image = env.Get("IMAGE", "quay.io/maistra-dev/sail-operator:latest")
 skipDeploy = env.GetBool("SKIP_DEPLOY", false)
 multicluster = env.GetBool("MULTICLUSTER", false)
 kubeconfig = env.Get("KUBECONFIG", "")
diff --git a/tests/e2e/operator/operator_install_test.go b/tests/e2e/operator/operator_install_test.go
index 28b760ad9..0bb5b887a 100644
--- a/tests/e2e/operator/operator_install_test.go
+++ b/tests/e2e/operator/operator_install_test.go
@@ -17,15 +17,12 @@ package operator
 
 import (
- "path/filepath"
 "time"
 
 "github.com/istio-ecosystem/sail-operator/pkg/kube"
- "github.com/istio-ecosystem/sail-operator/pkg/test/project"
 . "github.com/istio-ecosystem/sail-operator/pkg/test/util/ginkgo"
 "github.com/istio-ecosystem/sail-operator/tests/e2e/util/common"
 . "github.com/istio-ecosystem/sail-operator/tests/e2e/util/gomega"
- "github.com/istio-ecosystem/sail-operator/tests/e2e/util/helm"
 . "github.com/onsi/ginkgo/v2"
 . "github.com/onsi/gomega"
 appsv1 "k8s.io/api/apps/v1"
@@ -69,7 +66,7 @@ var _ = Describe("Operator", Ordered, func() {
 if skipDeploy {
 Success("Skipping operator installation because it was deployed externally")
 } else {
- Expect(helm.Install("sail-operator", filepath.Join(project.RootDir, "chart"), "--namespace "+namespace, "--set=image="+image, extraArg)).
+ Expect(common.InstallOperatorViaHelm(extraArg)).
 To(Succeed(), "Operator failed to be deployed")
 }
 })
@@ -119,7 +116,7 @@ var _ = Describe("Operator", Ordered, func() {
 }
 
 By("Uninstalling the operator")
- Expect(helm.Uninstall("sail-operator", "--namespace "+namespace)).
+ Expect(common.UninstallOperator()).
 To(Succeed(), "Operator failed to be deleted")
 Success("Operator uninstalled")
 
diff --git a/tests/e2e/operator/operator_suite_test.go b/tests/e2e/operator/operator_suite_test.go
index 1a34174af..5995af641 100644
--- a/tests/e2e/operator/operator_suite_test.go
+++ b/tests/e2e/operator/operator_suite_test.go
@@ -20,6 +20,7 @@ import (
 "testing"
 
 k8sclient "github.com/istio-ecosystem/sail-operator/tests/e2e/util/client"
+ "github.com/istio-ecosystem/sail-operator/tests/e2e/util/common"
 "github.com/istio-ecosystem/sail-operator/tests/e2e/util/env"
 "github.com/istio-ecosystem/sail-operator/tests/e2e/util/kubectl"
 . "github.com/onsi/ginkgo/v2"
@@ -31,8 +32,7 @@ var (
 cl client.Client
 ocp = env.GetBool("OCP", false)
 skipDeploy = env.GetBool("SKIP_DEPLOY", false)
- image = env.Get("IMAGE", "quay.io/maistra-dev/sail-operator:latest")
- namespace = env.Get("NAMESPACE", "sail-operator")
+ namespace = common.OperatorNamespace
 deploymentName = env.Get("DEPLOYMENT_NAME", "sail-operator")
 multicluster = env.GetBool("MULTICLUSTER", false)
diff --git a/tests/e2e/util/common/e2e_utils.go b/tests/e2e/util/common/e2e_utils.go
index 4ccbe570a..c778422bf 100644
--- a/tests/e2e/util/common/e2e_utils.go
+++ b/tests/e2e/util/common/e2e_utils.go
@@ -19,14 +19,17 @@ package common
 import (
 "context"
 "fmt"
+ "path/filepath"
 "regexp"
 "strings"
 "time"
 
 "github.com/Masterminds/semver/v3"
 "github.com/istio-ecosystem/sail-operator/pkg/kube"
+ "github.com/istio-ecosystem/sail-operator/pkg/test/project"
 "github.com/istio-ecosystem/sail-operator/tests/e2e/util/env"
 . "github.com/istio-ecosystem/sail-operator/tests/e2e/util/gomega"
+ "github.com/istio-ecosystem/sail-operator/tests/e2e/util/helm"
 "github.com/istio-ecosystem/sail-operator/tests/e2e/util/kubectl"
 . "github.com/onsi/ginkgo/v2"
 . "github.com/onsi/gomega"
@@ -39,7 +42,9 @@ import (
 )
 
 var (
- namespace = env.Get("NAMESPACE", "sail-operator")
+ OperatorImage = env.Get("IMAGE", "quay.io/maistra-dev/sail-operator:latest")
+ OperatorNamespace = env.Get("NAMESPACE", "sail-operator")
+
 deploymentName = env.Get("DEPLOYMENT_NAME", "sail-operator")
 controlPlaneNamespace = env.Get("CONTROL_PLANE_NS", "istio-system")
 istioName = env.Get("ISTIO_NAME", "default")
@@ -141,20 +146,21 @@ func LogDebugInfo() {
 }
 
 func logOperatorDebugInfo() {
- operator, err := k.WithNamespace(namespace).GetYAML("deployment", deploymentName)
+ k := k.WithNamespace(OperatorNamespace)
+ operator, err := k.GetYAML("deployment", deploymentName)
 logDebugElement("Operator Deployment YAML", operator, err)
 
- logs, err := k.WithNamespace(namespace).Logs("deploy/"+deploymentName, ptr.Of(120*time.Second))
+ logs, err := k.Logs("deploy/"+deploymentName, ptr.Of(120*time.Second))
 logDebugElement("Operator logs", logs, err)
 
- events, err := k.WithNamespace(namespace).GetEvents()
- logDebugElement("Events in "+namespace, events, err)
+ events, err := k.GetEvents()
+ logDebugElement("Events in "+OperatorNamespace, events, err)
 
 // Temporary information to gather more details about failure
- pods, err := k.WithNamespace(namespace).GetPods("", "-o wide")
- logDebugElement("Pods in "+namespace, pods, err)
+ pods, err := k.GetPods("", "-o wide")
+ logDebugElement("Pods in "+OperatorNamespace, pods, err)
 
- describe, err := k.WithNamespace(namespace).Describe("deployment", deploymentName)
+ describe, err := k.Describe("deployment", deploymentName)
 logDebugElement("Operator Deployment describe", describe, err)
 }
 
@@ -234,3 +240,17 @@ func CheckPodsReady(ctx SpecContext, cl client.Client, namespace string) (*corev
 
 return podList, nil
 }
+
+func InstallOperatorViaHelm(extraArgs ...string) error {
+ args := []string{
+ "--namespace " + OperatorNamespace,
+ "--set image=" + OperatorImage,
+ }
+ args = append(args, extraArgs...)
+
+ return helm.Install("sail-operator", filepath.Join(project.RootDir, "chart"), args...)
+}
+
+func UninstallOperator() error {
+ return helm.Uninstall("sail-operator", "--namespace", OperatorNamespace)
+}

From 9c95e60253e7db4754bab916d321085cdf584851 Mon Sep 17 00:00:00 2001
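Review bot: `InstallOperatorViaHelm` joins each flag and its value into one string (`"--namespace " + OperatorNamespace`, `"--set image=" + OperatorImage`) while `UninstallOperator` two lines below passes `"--namespace", OperatorNamespace` as separate arguments; whether the joined form is tokenized correctly depends on helm.Install, which is not visible here, so the two helpers should at least agree on one convention. The two-argument form is the safer one, e.g. `"--namespace", OperatorNamespace, "--set", "image=" + OperatorImage`; the `"--set operatorLogLevel=3"` line added by the following patch (#412) and the Cluster #2 call in multicluster_multiprimary_test.go share the joined shape and would change with it. The four new exported identifiers (`OperatorImage`, `OperatorNamespace`, `InstallOperatorViaHelm`, `UninstallOperator`) have no doc comments; for the installer, `// InstallOperatorViaHelm installs the sail-operator chart from project.RootDir into OperatorNamespace using OperatorImage, appending extraArgs to the helm arguments.` In the earlier hunk, `k := k.WithNamespace(OperatorNamespace)` shadows the package-level `k` for the rest of logOperatorDebugInfo, which compiles but is easy to misread; a distinct local name would avoid the shadow.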
From: =?UTF-8?q?Marko=20Luk=C5=A1a?=
Date: Fri, 11 Oct 2024 15:21:58 +0200
Subject: [PATCH 57/68] Enable verbose logging in operator in e2e tests (#412)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Marko Lukša
---
 tests/e2e/util/common/e2e_utils.go | 1 +
 1 file changed, 1 insertion(+)

diff --git a/tests/e2e/util/common/e2e_utils.go b/tests/e2e/util/common/e2e_utils.go
index c778422bf..b03cbc251 100644
--- a/tests/e2e/util/common/e2e_utils.go
+++ b/tests/e2e/util/common/e2e_utils.go
@@ -245,6 +245,7 @@ func InstallOperatorViaHelm(extraArgs ...string) error {
 args := []string{
 "--namespace " + OperatorNamespace,
 "--set image=" + OperatorImage,
+ "--set operatorLogLevel=3",
 }
 args = append(args, extraArgs...)
 

From 318fafd6f4fcfbd5cbc7f7f239af839ec0f4dc6a Mon Sep 17 00:00:00 2001
From: Travis White
Date: Fri, 11 Oct 2024 10:12:58 -0500
Subject: [PATCH 58/68] helmified imagePullSecrets and resources (#371)

* helmified pull secrets and resources

Signed-off-by: Travis White

* Rebase

Signed-off-by: Travis White

* Added nit newline, i think?

Signed-off-by: Travis White

---------

Signed-off-by: Travis White
---
 bundle/manifests/sailoperator.clusterserviceversion.yaml | 2 +-
 chart/templates/rbac/service_account.yaml | 7 +++++++
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/bundle/manifests/sailoperator.clusterserviceversion.yaml b/bundle/manifests/sailoperator.clusterserviceversion.yaml
index 65d2af2d5..c6976f26f 100644
--- a/bundle/manifests/sailoperator.clusterserviceversion.yaml
+++ b/bundle/manifests/sailoperator.clusterserviceversion.yaml
@@ -34,7 +34,7 @@ metadata:
 capabilities: Seamless Upgrades
 categories: OpenShift Optional, Integration & Delivery, Networking, Security
 containerImage: quay.io/maistra-dev/sail-operator:0.2-latest
- createdAt: "2024-10-11T05:19:26Z"
+ createdAt: "2024-10-11T14:52:21Z"
 description: Experimental operator for installing Istio service mesh
 features.operators.openshift.io/cnf: "false"
 features.operators.openshift.io/cni: "true"
diff --git a/chart/templates/rbac/service_account.yaml b/chart/templates/rbac/service_account.yaml
index 1deb8c2b8..557a5a40f 100644
--- a/chart/templates/rbac/service_account.yaml
+++ b/chart/templates/rbac/service_account.yaml
@@ -8,3 +8,10 @@ metadata:
 app.kubernetes.io/managed-by: helm
 name: {{ .Values.serviceAccountName }}
 namespace: {{ .Release.Namespace }}
+ {{- if .Values.imagePullSecrets }}
+imagePullSecrets:
+ {{- range .Values.imagePullSecrets }}
+ - name: {{ . }}
+ {{- end }}
+ {{- end }}
+ 
\ No newline at end of file

From 1804918ebb7cccd5302d5df3c3df0e26236f7e99 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marko=20Luk=C5=A1a?=
Date: Fri, 11 Oct 2024 19:14:58 +0200
Subject: [PATCH 59/68] Add operatorLogLevel to Operator Helm chart (#410)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Marko Lukša
---
 bundle/manifests/sailoperator.clusterserviceversion.yaml | 3 ++-
 chart/templates/deployment.yaml | 1 +
 chart/values.yaml | 2 ++
 3 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/bundle/manifests/sailoperator.clusterserviceversion.yaml b/bundle/manifests/sailoperator.clusterserviceversion.yaml
index c6976f26f..660d28bc0 100644
--- a/bundle/manifests/sailoperator.clusterserviceversion.yaml
+++ b/bundle/manifests/sailoperator.clusterserviceversion.yaml
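Review bot: `.Values.imagePullSecrets` is consumed by the new `{{- range }}` block in service_account.yaml but never declared in chart/values.yaml (the diffstat lists only the CSV and this template), so the key and its expected shape are undocumented for chart users. The template renders each element as `- name: {{ . }}`, i.e. it expects a flat list of Secret names rather than the `[{name: ...}]` objects used in a Pod spec; a value in the object form would render as a Go map literal instead of a name. Suggest adding `imagePullSecrets: []  # names of Secrets the operator ServiceAccount uses to pull images` to chart/values.yaml so the shape is declared where users look for it. The final added line is whitespace-only and has no trailing newline (`\ No newline at end of file`); it should be removed.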
@@ -34,7 +34,7 @@ metadata:
 capabilities: Seamless Upgrades
 categories: OpenShift Optional, Integration & Delivery, Networking, Security
 containerImage: quay.io/maistra-dev/sail-operator:0.2-latest
- createdAt: "2024-10-11T14:52:21Z"
+ createdAt: "2024-10-11T11:23:10Z"
 description: Experimental operator for installing Istio service mesh
 features.operators.openshift.io/cnf: "false"
 features.operators.openshift.io/cni: "true"
@@ -663,6 +663,7 @@ spec:
 - args:
 - --health-probe-bind-address=:8081
 - --metrics-bind-address=127.0.0.1:8080
+ - --zap-log-level=info
 - --default-profile=openshift
 command:
 - /sail-operator
diff --git a/chart/templates/deployment.yaml b/chart/templates/deployment.yaml
index bd8bb0d1e..7a6820bb6 100644
--- a/chart/templates/deployment.yaml
+++ b/chart/templates/deployment.yaml
@@ -77,6 +77,7 @@ spec:
 - args:
 - --health-probe-bind-address=:8081
 - --metrics-bind-address=127.0.0.1:8080
+ - --zap-log-level={{ .Values.operatorLogLevel }}
 {{- if eq .Values.platform "openshift" }}
 - --default-profile=openshift
 {{- end }}
diff --git a/chart/values.yaml b/chart/values.yaml
index c0e33b8f1..d26e83ca7 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -6,6 +6,8 @@ service:
 port: 8443
 
 serviceAccountName: sail-operator
+operatorLogLevel: info
+
 csv:
 displayName: Sail Operator
 categories: OpenShift Optional, Integration & Delivery, Networking, Security

From 991cac7d3e39248991a02d0f55b2700c219cd2d0 Mon Sep 17 00:00:00 2001
From: openshift-service-mesh-bot <165402251+openshift-service-mesh-bot@users.noreply.github.com>
Date: Sat, 12 Oct 2024 07:33:47 +0200
Subject: [PATCH 60/68] Automator: Update dependencies in istio-ecosystem/sail-operator@main (#415)
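Review bot: `operatorLogLevel: info` is added to chart/values.yaml without a comment, and because deployment.yaml passes it straight through as `--zap-log-level={{ .Values.operatorLogLevel }}`, chart users get no hint which values the flag accepts. Suggest placing `# Verbosity passed to the operator's --zap-log-level flag: debug, info, error, or an integer > 0 for more detail` above the key. The CSV hunk in the same patch hard-codes `--zap-log-level=info`, which matches this default only as long as the bundle keeps being regenerated from the chart.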
Signed-off-by: openshift-service-mesh-bot --- .../sailoperator.clusterserviceversion.yaml | 20 +++++++++---------- chart/values.yaml | 2 +- go.mod | 2 +- go.sum | 4 ++-- resources/latest/charts/base/Chart.yaml | 4 ++-- .../files/profile-platform-openshift.yaml | 2 ++ resources/latest/charts/cni/Chart.yaml | 4 ++-- .../cni/files/profile-platform-openshift.yaml | 2 ++ .../charts/cni/templates/daemonset.yaml | 15 +++++++------- resources/latest/charts/cni/values.yaml | 2 +- resources/latest/charts/gateway/Chart.yaml | 4 ++-- .../files/profile-platform-openshift.yaml | 2 ++ resources/latest/charts/istiod/Chart.yaml | 4 ++-- .../files/profile-platform-openshift.yaml | 2 ++ resources/latest/charts/istiod/values.yaml | 2 +- resources/latest/charts/ztunnel/Chart.yaml | 4 ++-- .../files/profile-platform-openshift.yaml | 2 ++ resources/latest/charts/ztunnel/values.yaml | 2 +- versions.yaml | 14 ++++++------- 19 files changed, 52 insertions(+), 41 deletions(-) diff --git a/bundle/manifests/sailoperator.clusterserviceversion.yaml b/bundle/manifests/sailoperator.clusterserviceversion.yaml index 660d28bc0..32aeb00c1 100644 --- a/bundle/manifests/sailoperator.clusterserviceversion.yaml +++ b/bundle/manifests/sailoperator.clusterserviceversion.yaml @@ -34,7 +34,7 @@ metadata: capabilities: Seamless Upgrades categories: OpenShift Optional, Integration & Delivery, Networking, Security containerImage: quay.io/maistra-dev/sail-operator:0.2-latest - createdAt: "2024-10-11T11:23:10Z" + createdAt: "2024-10-12T05:18:57Z" description: Experimental operator for installing Istio service mesh features.operators.openshift.io/cnf: "false" features.operators.openshift.io/cni: "true" @@ -374,7 +374,7 @@ spec: - v1.23.2 - v1.22.5 - v1.21.6 - - latest (67753026) + - latest (a53849ef) [See this page](https://github.com/istio-ecosystem/sail-operator/blob/main/bundle/README.md) for instructions on how to use it. displayName: Sail Operator 
@@ -598,10 +598,10 @@ spec: template: metadata: annotations: - images.latest.cni: gcr.io/istio-testing/install-cni:1.24-alpha.6775302647bcdb6c742b5c505945ee7a8911d811 - images.latest.istiod: gcr.io/istio-testing/pilot:1.24-alpha.6775302647bcdb6c742b5c505945ee7a8911d811 - images.latest.proxy: gcr.io/istio-testing/proxyv2:1.24-alpha.6775302647bcdb6c742b5c505945ee7a8911d811 - images.latest.ztunnel: gcr.io/istio-testing/ztunnel:1.24-alpha.6775302647bcdb6c742b5c505945ee7a8911d811 + images.latest.cni: gcr.io/istio-testing/install-cni:1.24-alpha.a53849ef473456ec1c6c178d94ca57bc4aa024ce + images.latest.istiod: gcr.io/istio-testing/pilot:1.24-alpha.a53849ef473456ec1c6c178d94ca57bc4aa024ce + images.latest.proxy: gcr.io/istio-testing/proxyv2:1.24-alpha.a53849ef473456ec1c6c178d94ca57bc4aa024ce + images.latest.ztunnel: gcr.io/istio-testing/ztunnel:1.24-alpha.a53849ef473456ec1c6c178d94ca57bc4aa024ce images.v1_21_6.cni: docker.io/istio/install-cni:1.21.6 images.v1_21_6.istiod: docker.io/istio/pilot:1.21.6 images.v1_21_6.proxy: docker.io/istio/proxyv2:1.21.6 
@@ -767,13 +767,13 @@ spec: provider: name: Red Hat, Inc. relatedImages: - - image: gcr.io/istio-testing/install-cni:1.24-alpha.6775302647bcdb6c742b5c505945ee7a8911d811 + - image: gcr.io/istio-testing/install-cni:1.24-alpha.a53849ef473456ec1c6c178d94ca57bc4aa024ce name: latest.cni - - image: gcr.io/istio-testing/pilot:1.24-alpha.6775302647bcdb6c742b5c505945ee7a8911d811 + - image: gcr.io/istio-testing/pilot:1.24-alpha.a53849ef473456ec1c6c178d94ca57bc4aa024ce name: latest.istiod - - image: gcr.io/istio-testing/proxyv2:1.24-alpha.6775302647bcdb6c742b5c505945ee7a8911d811 + - image: gcr.io/istio-testing/proxyv2:1.24-alpha.a53849ef473456ec1c6c178d94ca57bc4aa024ce name: latest.proxy - - image: gcr.io/istio-testing/ztunnel:1.24-alpha.6775302647bcdb6c742b5c505945ee7a8911d811 + - image: gcr.io/istio-testing/ztunnel:1.24-alpha.a53849ef473456ec1c6c178d94ca57bc4aa024ce name: latest.ztunnel - image: docker.io/istio/install-cni:1.21.6 name: v1_21_6.cni diff --git a/chart/values.yaml b/chart/values.yaml index d26e83ca7..785c06958 100644 --- a/chart/values.yaml +++ b/chart/values.yaml @@ -21,7 +21,7 @@ csv: - v1.23.2 - v1.22.5 - v1.21.6 - - latest (67753026) + - latest (a53849ef) [See this page](https://github.com/istio-ecosystem/sail-operator/blob/main/bundle/README.md) for instructions on how to use it. support: Community based diff --git a/go.mod b/go.mod index 8089c8e30..f43016077 100644 --- a/go.mod +++ b/go.mod @@ -24,7 +24,7 @@ require ( gopkg.in/yaml.v3 v3.0.1 helm.sh/helm/v3 v3.16.1 istio.io/client-go v1.23.0-alpha.0.0.20241011000732-f46eea8919cd - istio.io/istio v0.0.0-20241011003352-6775302647bc + istio.io/istio v0.0.0-20241012000449-a53849ef4734 k8s.io/api v0.31.1 k8s.io/apiextensions-apiserver v0.31.1 k8s.io/apimachinery v0.31.1 diff --git a/go.sum b/go.sum index 7cb5d3401..7ec802631 100644 --- a/go.sum +++ b/go.sum 
@@ -493,8 +493,8 @@ istio.io/api v1.23.0-alpha.0.0.20241011000314-650491578381 h1:ZgYTwI0GqRLuany0gL istio.io/api v1.23.0-alpha.0.0.20241011000314-650491578381/go.mod h1:MQnRok7RZ20/PE56v0LxmoWH0xVxnCQPNuf9O7PAN1I= istio.io/client-go v1.23.0-alpha.0.0.20241011000732-f46eea8919cd h1:rghOYcynTAXYGRJXkZjxAogTbNQE+ROTWPaGTcd84bM= istio.io/client-go v1.23.0-alpha.0.0.20241011000732-f46eea8919cd/go.mod h1:oECxINJDBsN7AtQjcZVBQqQ73FHeYw6D3ihspfN7PDs= -istio.io/istio v0.0.0-20241011003352-6775302647bc h1:M6v0V3rsgXwkZyIYjALQSHJk/0W1jdbHNFMsj+jHLOE= -istio.io/istio v0.0.0-20241011003352-6775302647bc/go.mod h1:OjXgkrdrI5myoxr0eDxoWm+q5kFrcgLNlJLRvGd5ZIk= +istio.io/istio v0.0.0-20241012000449-a53849ef4734 h1:MAqw2g72/EyyZey+CYD4G1CNf77ljUuI5n1ushpOAR8= +istio.io/istio v0.0.0-20241012000449-a53849ef4734/go.mod h1:OjXgkrdrI5myoxr0eDxoWm+q5kFrcgLNlJLRvGd5ZIk= k8s.io/api v0.31.1 h1:Xe1hX/fPW3PXYYv8BlozYqw63ytA92snr96zMW9gWTU= k8s.io/api v0.31.1/go.mod h1:sbN1g6eY6XVLeqNsZGLnI5FwVseTrZX7Fv3O26rhAaI= k8s.io/apiextensions-apiserver v0.31.1 h1:L+hwULvXx+nvTYX/MKM3kKMZyei+UiSXQWciX/N6E40= diff --git a/resources/latest/charts/base/Chart.yaml b/resources/latest/charts/base/Chart.yaml index 345eaa359..985cf5b56 100644 --- a/resources/latest/charts/base/Chart.yaml +++ b/resources/latest/charts/base/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 1.24-alpha.6775302647bcdb6c742b5c505945ee7a8911d811 +appVersion: 1.24-alpha.a53849ef473456ec1c6c178d94ca57bc4aa024ce description: Helm chart for deploying Istio cluster resources and CRDs icon: https://istio.io/latest/favicons/android-192x192.png keywords: @@ -7,4 +7,4 @@ keywords: name: base sources: - https://github.com/istio/istio -version: 1.24-alpha.6775302647bcdb6c742b5c505945ee7a8911d811 +version: 1.24-alpha.a53849ef473456ec1c6c178d94ca57bc4aa024ce diff --git a/resources/latest/charts/base/files/profile-platform-openshift.yaml b/resources/latest/charts/base/files/profile-platform-openshift.yaml index 69eda2b1d..8ddc5e165 100644 
--- a/resources/latest/charts/base/files/profile-platform-openshift.yaml
+++ b/resources/latest/charts/base/files/profile-platform-openshift.yaml
@@ -15,3 +15,5 @@ pilot:
 provider: "multus"
 seLinuxOptions:
 type: spc_t
+# Openshift requires privileged pods to run in kube-system
+trustedZtunnelNamespace: "kube-system"
diff --git a/resources/latest/charts/cni/Chart.yaml b/resources/latest/charts/cni/Chart.yaml
index 0fff3f1f3..e9ddea890 100644
--- a/resources/latest/charts/cni/Chart.yaml
+++ b/resources/latest/charts/cni/Chart.yaml
@@ -1,5 +1,5 @@
 apiVersion: v2
-appVersion: 1.24-alpha.6775302647bcdb6c742b5c505945ee7a8911d811
+appVersion: 1.24-alpha.a53849ef473456ec1c6c178d94ca57bc4aa024ce
 description: Helm chart for istio-cni components
 icon: https://istio.io/latest/favicons/android-192x192.png
 keywords:
@@ -8,4 +8,4 @@ keywords:
 name: cni
 sources:
 - https://github.com/istio/istio
-version: 1.24-alpha.6775302647bcdb6c742b5c505945ee7a8911d811
+version: 1.24-alpha.a53849ef473456ec1c6c178d94ca57bc4aa024ce
diff --git a/resources/latest/charts/cni/files/profile-platform-openshift.yaml b/resources/latest/charts/cni/files/profile-platform-openshift.yaml
index 69eda2b1d..8ddc5e165 100644
--- a/resources/latest/charts/cni/files/profile-platform-openshift.yaml
+++ b/resources/latest/charts/cni/files/profile-platform-openshift.yaml
@@ -15,3 +15,5 @@ pilot:
 provider: "multus"
 seLinuxOptions:
 type: spc_t
+# Openshift requires privileged pods to run in kube-system
+trustedZtunnelNamespace: "kube-system"
diff --git a/resources/latest/charts/cni/templates/daemonset.yaml b/resources/latest/charts/cni/templates/daemonset.yaml
index 2ce4a0665..35cae7cb1 100644
--- a/resources/latest/charts/cni/templates/daemonset.yaml
+++ b/resources/latest/charts/cni/templates/daemonset.yaml
@@ -89,15 +89,13 @@ spec: path: /readyz port: 8000 securityContext: - privileged: true # always requires privilege to be useful (install node plugin, etc) + privileged: false runAsGroup: 0 runAsUser: 0 runAsNonRoot: false # Both ambient and sidecar repair mode require elevated node privileges to function. - # But we don't need _everything_ in `privileged`, so drop+readd capabilities based on feature. - # privileged is redundant with CAP_SYS_ADMIN - # since it's redundant, hardcode it to `true`, then manually drop ALL + readd granular - # capabilities we actually require + # But we don't need _everything_ in `privileged`, so explicitly set it to false and + # add capabilities based on feature. capabilities: drop: - ALL @@ -106,9 +104,12 @@ spec: - NET_ADMIN # CAP_NET_RAW is required to allow iptables mutation of the `nat` table - NET_RAW + # CAP_SYS_PTRACE is required for repair mode to describe the pod's network namespace + # in ambient and repair mode. + - SYS_PTRACE # CAP_SYS_ADMIN is required for both ambient and repair, in order to open - # network namespaces in `/proc` to obtain descriptors for entering pod netnamespaces. - # There does not appear to be a more granular capability for this. + # network namespaces in `/proc` to obtain descriptors for entering pod network + # namespaces. There does not appear to be a more granular capability for this. - SYS_ADMIN {{- if .Values.seccompProfile }} seccompProfile: diff --git a/resources/latest/charts/cni/values.yaml b/resources/latest/charts/cni/values.yaml index 1c657abb1..0f04c3fd7 100644 --- a/resources/latest/charts/cni/values.yaml +++ b/resources/latest/charts/cni/values.yaml @@ -112,7 +112,7 @@ _internal_defaults_do_not_set: hub: gcr.io/istio-testing # Default tag for Istio images. - tag: 1.24-alpha.6775302647bcdb6c742b5c505945ee7a8911d811 + tag: 1.24-alpha.a53849ef473456ec1c6c178d94ca57bc4aa024ce # Variant of the image to use. # Currently supported are: [debug, distroless] 
diff --git a/resources/latest/charts/gateway/Chart.yaml b/resources/latest/charts/gateway/Chart.yaml index b385daacc..d5ca64be5 100644 --- a/resources/latest/charts/gateway/Chart.yaml +++ b/resources/latest/charts/gateway/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 1.24-alpha.6775302647bcdb6c742b5c505945ee7a8911d811 +appVersion: 1.24-alpha.a53849ef473456ec1c6c178d94ca57bc4aa024ce description: Helm chart for deploying Istio gateways icon: https://istio.io/latest/favicons/android-192x192.png keywords: @@ -9,4 +9,4 @@ name: gateway sources: - https://github.com/istio/istio type: application -version: 1.24-alpha.6775302647bcdb6c742b5c505945ee7a8911d811 +version: 1.24-alpha.a53849ef473456ec1c6c178d94ca57bc4aa024ce diff --git a/resources/latest/charts/gateway/files/profile-platform-openshift.yaml b/resources/latest/charts/gateway/files/profile-platform-openshift.yaml index 69eda2b1d..8ddc5e165 100644 --- a/resources/latest/charts/gateway/files/profile-platform-openshift.yaml +++ b/resources/latest/charts/gateway/files/profile-platform-openshift.yaml @@ -15,3 +15,5 @@ pilot: provider: "multus" seLinuxOptions: type: spc_t +# Openshift requires privileged pods to run in kube-system +trustedZtunnelNamespace: "kube-system" diff --git a/resources/latest/charts/istiod/Chart.yaml b/resources/latest/charts/istiod/Chart.yaml index 61f8db36e..ac161076c 100644 --- a/resources/latest/charts/istiod/Chart.yaml +++ b/resources/latest/charts/istiod/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 1.24-alpha.6775302647bcdb6c742b5c505945ee7a8911d811 +appVersion: 1.24-alpha.a53849ef473456ec1c6c178d94ca57bc4aa024ce description: Helm chart for istio control plane icon: https://istio.io/latest/favicons/android-192x192.png keywords: @@ -9,4 +9,4 @@ keywords: name: istiod sources: - https://github.com/istio/istio -version: 1.24-alpha.6775302647bcdb6c742b5c505945ee7a8911d811 +version: 1.24-alpha.a53849ef473456ec1c6c178d94ca57bc4aa024ce 
diff --git a/resources/latest/charts/istiod/files/profile-platform-openshift.yaml b/resources/latest/charts/istiod/files/profile-platform-openshift.yaml index 69eda2b1d..8ddc5e165 100644 --- a/resources/latest/charts/istiod/files/profile-platform-openshift.yaml +++ b/resources/latest/charts/istiod/files/profile-platform-openshift.yaml @@ -15,3 +15,5 @@ pilot: provider: "multus" seLinuxOptions: type: spc_t +# Openshift requires privileged pods to run in kube-system +trustedZtunnelNamespace: "kube-system" diff --git a/resources/latest/charts/istiod/values.yaml b/resources/latest/charts/istiod/values.yaml index 0c3203a58..e2aea83bb 100644 --- a/resources/latest/charts/istiod/values.yaml +++ b/resources/latest/charts/istiod/values.yaml @@ -242,7 +242,7 @@ _internal_defaults_do_not_set: # Dev builds from prow are on gcr.io hub: gcr.io/istio-testing # Default tag for Istio images. - tag: 1.24-alpha.6775302647bcdb6c742b5c505945ee7a8911d811 + tag: 1.24-alpha.a53849ef473456ec1c6c178d94ca57bc4aa024ce # Variant of the image to use. # Currently supported are: [debug, distroless] variant: "" diff --git a/resources/latest/charts/ztunnel/Chart.yaml b/resources/latest/charts/ztunnel/Chart.yaml index 4286088ce..5955f3f17 100644 --- a/resources/latest/charts/ztunnel/Chart.yaml +++ b/resources/latest/charts/ztunnel/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 1.24-alpha.6775302647bcdb6c742b5c505945ee7a8911d811 +appVersion: 1.24-alpha.a53849ef473456ec1c6c178d94ca57bc4aa024ce description: Helm chart for istio ztunnel components icon: https://istio.io/latest/favicons/android-192x192.png keywords: @@ -8,4 +8,4 @@ keywords: name: ztunnel sources: - https://github.com/istio/istio -version: 1.24-alpha.6775302647bcdb6c742b5c505945ee7a8911d811 +version: 1.24-alpha.a53849ef473456ec1c6c178d94ca57bc4aa024ce 
diff --git a/resources/latest/charts/ztunnel/files/profile-platform-openshift.yaml b/resources/latest/charts/ztunnel/files/profile-platform-openshift.yaml index 69eda2b1d..8ddc5e165 100644 --- a/resources/latest/charts/ztunnel/files/profile-platform-openshift.yaml +++ b/resources/latest/charts/ztunnel/files/profile-platform-openshift.yaml @@ -15,3 +15,5 @@ pilot: provider: "multus" seLinuxOptions: type: spc_t +# Openshift requires privileged pods to run in kube-system +trustedZtunnelNamespace: "kube-system" diff --git a/resources/latest/charts/ztunnel/values.yaml b/resources/latest/charts/ztunnel/values.yaml index d1a2a7c04..f28b7c2ee 100644 --- a/resources/latest/charts/ztunnel/values.yaml +++ b/resources/latest/charts/ztunnel/values.yaml @@ -4,7 +4,7 @@ _internal_defaults_do_not_set: # Hub to pull from. Image will be `Hub/Image:Tag-Variant` hub: gcr.io/istio-testing # Tag to pull from. Image will be `Hub/Image:Tag-Variant` - tag: 1.24-alpha.6775302647bcdb6c742b5c505945ee7a8911d811 + tag: 1.24-alpha.a53849ef473456ec1c6c178d94ca57bc4aa024ce # Variant to pull. Options are "debug" or "distroless". Unset will use the default for the given version. variant: "" diff --git a/versions.yaml b/versions.yaml index 754b18f64..c8894a70e 100644 --- a/versions.yaml +++ b/versions.yaml 
@@ -43,13 +43,13 @@ versions: - https://istio-release.storage.googleapis.com/charts/cni-1.21.6.tgz - https://istio-release.storage.googleapis.com/charts/ztunnel-1.21.6.tgz - name: latest - version: 1.24-alpha.6775302647bcdb6c742b5c505945ee7a8911d811 + version: 1.24-alpha.a53849ef473456ec1c6c178d94ca57bc4aa024ce repo: https://github.com/istio/istio branch: master - commit: 6775302647bcdb6c742b5c505945ee7a8911d811 + commit: a53849ef473456ec1c6c178d94ca57bc4aa024ce charts: - - https://storage.googleapis.com/istio-build/dev/1.24-alpha.6775302647bcdb6c742b5c505945ee7a8911d811/helm/base-1.24-alpha.6775302647bcdb6c742b5c505945ee7a8911d811.tgz - - https://storage.googleapis.com/istio-build/dev/1.24-alpha.6775302647bcdb6c742b5c505945ee7a8911d811/helm/cni-1.24-alpha.6775302647bcdb6c742b5c505945ee7a8911d811.tgz - - https://storage.googleapis.com/istio-build/dev/1.24-alpha.6775302647bcdb6c742b5c505945ee7a8911d811/helm/gateway-1.24-alpha.6775302647bcdb6c742b5c505945ee7a8911d811.tgz - - https://storage.googleapis.com/istio-build/dev/1.24-alpha.6775302647bcdb6c742b5c505945ee7a8911d811/helm/istiod-1.24-alpha.6775302647bcdb6c742b5c505945ee7a8911d811.tgz - - https://storage.googleapis.com/istio-build/dev/1.24-alpha.6775302647bcdb6c742b5c505945ee7a8911d811/helm/ztunnel-1.24-alpha.6775302647bcdb6c742b5c505945ee7a8911d811.tgz + - https://storage.googleapis.com/istio-build/dev/1.24-alpha.a53849ef473456ec1c6c178d94ca57bc4aa024ce/helm/base-1.24-alpha.a53849ef473456ec1c6c178d94ca57bc4aa024ce.tgz + - https://storage.googleapis.com/istio-build/dev/1.24-alpha.a53849ef473456ec1c6c178d94ca57bc4aa024ce/helm/cni-1.24-alpha.a53849ef473456ec1c6c178d94ca57bc4aa024ce.tgz + - https://storage.googleapis.com/istio-build/dev/1.24-alpha.a53849ef473456ec1c6c178d94ca57bc4aa024ce/helm/gateway-1.24-alpha.a53849ef473456ec1c6c178d94ca57bc4aa024ce.tgz + - 
https://storage.googleapis.com/istio-build/dev/1.24-alpha.a53849ef473456ec1c6c178d94ca57bc4aa024ce/helm/istiod-1.24-alpha.a53849ef473456ec1c6c178d94ca57bc4aa024ce.tgz + - https://storage.googleapis.com/istio-build/dev/1.24-alpha.a53849ef473456ec1c6c178d94ca57bc4aa024ce/helm/ztunnel-1.24-alpha.a53849ef473456ec1c6c178d94ca57bc4aa024ce.tgz From 6ccd68265c8c227352dc153f8dd82e37b1cb3461 Mon Sep 17 00:00:00 2001 From: openshift-service-mesh-bot <165402251+openshift-service-mesh-bot@users.noreply.github.com> Date: Sun, 13 Oct 2024 07:35:26 +0200 Subject: [PATCH 61/68] Automator: Update dependencies in istio-ecosystem/sail-operator@main (#416) Signed-off-by: openshift-service-mesh-bot --- .../sailoperator.clusterserviceversion.yaml | 20 +++++++++---------- chart/values.yaml | 2 +- go.mod | 2 +- go.sum | 4 ++-- resources/latest/charts/base/Chart.yaml | 4 ++-- resources/latest/charts/cni/Chart.yaml | 4 ++-- resources/latest/charts/cni/values.yaml | 2 +- resources/latest/charts/gateway/Chart.yaml | 4 ++-- resources/latest/charts/istiod/Chart.yaml | 4 ++-- resources/latest/charts/istiod/values.yaml | 2 +- resources/latest/charts/ztunnel/Chart.yaml | 4 ++-- resources/latest/charts/ztunnel/values.yaml | 2 +- versions.yaml | 14 ++++++------- 13 files changed, 34 insertions(+), 34 deletions(-) diff --git a/bundle/manifests/sailoperator.clusterserviceversion.yaml b/bundle/manifests/sailoperator.clusterserviceversion.yaml index 32aeb00c1..483493b67 100644 --- a/bundle/manifests/sailoperator.clusterserviceversion.yaml +++ b/bundle/manifests/sailoperator.clusterserviceversion.yaml 
@@ -34,7 +34,7 @@ metadata: capabilities: Seamless Upgrades categories: OpenShift Optional, Integration & Delivery, Networking, Security containerImage: quay.io/maistra-dev/sail-operator:0.2-latest - createdAt: "2024-10-12T05:18:57Z" + createdAt: "2024-10-13T05:20:21Z" description: Experimental operator for installing Istio service mesh features.operators.openshift.io/cnf: "false" features.operators.openshift.io/cni: "true" @@ -374,7 +374,7 @@ spec: - v1.23.2 - v1.22.5 - v1.21.6 - - latest (a53849ef) + - latest (e3b7c36c) [See this page](https://github.com/istio-ecosystem/sail-operator/blob/main/bundle/README.md) for instructions on how to use it. displayName: Sail Operator @@ -598,10 +598,10 @@ spec: template: metadata: annotations: - images.latest.cni: gcr.io/istio-testing/install-cni:1.24-alpha.a53849ef473456ec1c6c178d94ca57bc4aa024ce - images.latest.istiod: gcr.io/istio-testing/pilot:1.24-alpha.a53849ef473456ec1c6c178d94ca57bc4aa024ce - images.latest.proxy: gcr.io/istio-testing/proxyv2:1.24-alpha.a53849ef473456ec1c6c178d94ca57bc4aa024ce - images.latest.ztunnel: gcr.io/istio-testing/ztunnel:1.24-alpha.a53849ef473456ec1c6c178d94ca57bc4aa024ce + images.latest.cni: gcr.io/istio-testing/install-cni:1.24-alpha.e3b7c36c24a0b9047adb25906c4eaf8d1e8e752a + images.latest.istiod: gcr.io/istio-testing/pilot:1.24-alpha.e3b7c36c24a0b9047adb25906c4eaf8d1e8e752a + images.latest.proxy: gcr.io/istio-testing/proxyv2:1.24-alpha.e3b7c36c24a0b9047adb25906c4eaf8d1e8e752a + images.latest.ztunnel: gcr.io/istio-testing/ztunnel:1.24-alpha.e3b7c36c24a0b9047adb25906c4eaf8d1e8e752a images.v1_21_6.cni: docker.io/istio/install-cni:1.21.6 images.v1_21_6.istiod: docker.io/istio/pilot:1.21.6 images.v1_21_6.proxy: docker.io/istio/proxyv2:1.21.6 
@@ -767,13 +767,13 @@ spec: provider: name: Red Hat, Inc. relatedImages: - - image: gcr.io/istio-testing/install-cni:1.24-alpha.a53849ef473456ec1c6c178d94ca57bc4aa024ce + - image: gcr.io/istio-testing/install-cni:1.24-alpha.e3b7c36c24a0b9047adb25906c4eaf8d1e8e752a name: latest.cni - - image: gcr.io/istio-testing/pilot:1.24-alpha.a53849ef473456ec1c6c178d94ca57bc4aa024ce + - image: gcr.io/istio-testing/pilot:1.24-alpha.e3b7c36c24a0b9047adb25906c4eaf8d1e8e752a name: latest.istiod - - image: gcr.io/istio-testing/proxyv2:1.24-alpha.a53849ef473456ec1c6c178d94ca57bc4aa024ce + - image: gcr.io/istio-testing/proxyv2:1.24-alpha.e3b7c36c24a0b9047adb25906c4eaf8d1e8e752a name: latest.proxy - - image: gcr.io/istio-testing/ztunnel:1.24-alpha.a53849ef473456ec1c6c178d94ca57bc4aa024ce + - image: gcr.io/istio-testing/ztunnel:1.24-alpha.e3b7c36c24a0b9047adb25906c4eaf8d1e8e752a name: latest.ztunnel - image: docker.io/istio/install-cni:1.21.6 name: v1_21_6.cni diff --git a/chart/values.yaml b/chart/values.yaml index 785c06958..47c9713e3 100644 --- a/chart/values.yaml +++ b/chart/values.yaml @@ -21,7 +21,7 @@ csv: - v1.23.2 - v1.22.5 - v1.21.6 - - latest (a53849ef) + - latest (e3b7c36c) [See this page](https://github.com/istio-ecosystem/sail-operator/blob/main/bundle/README.md) for instructions on how to use it. support: Community based diff --git a/go.mod b/go.mod index f43016077..e6465dc85 100644 --- a/go.mod +++ b/go.mod @@ -24,7 +24,7 @@ require ( gopkg.in/yaml.v3 v3.0.1 helm.sh/helm/v3 v3.16.1 istio.io/client-go v1.23.0-alpha.0.0.20241011000732-f46eea8919cd - istio.io/istio v0.0.0-20241012000449-a53849ef4734 + istio.io/istio v0.0.0-20241013024925-e3b7c36c24a0 k8s.io/api v0.31.1 k8s.io/apiextensions-apiserver v0.31.1 k8s.io/apimachinery v0.31.1 diff --git a/go.sum b/go.sum index 7ec802631..398bc3338 100644 --- a/go.sum +++ b/go.sum 
@@ -493,8 +493,8 @@ istio.io/api v1.23.0-alpha.0.0.20241011000314-650491578381 h1:ZgYTwI0GqRLuany0gL istio.io/api v1.23.0-alpha.0.0.20241011000314-650491578381/go.mod h1:MQnRok7RZ20/PE56v0LxmoWH0xVxnCQPNuf9O7PAN1I= istio.io/client-go v1.23.0-alpha.0.0.20241011000732-f46eea8919cd h1:rghOYcynTAXYGRJXkZjxAogTbNQE+ROTWPaGTcd84bM= istio.io/client-go v1.23.0-alpha.0.0.20241011000732-f46eea8919cd/go.mod h1:oECxINJDBsN7AtQjcZVBQqQ73FHeYw6D3ihspfN7PDs= -istio.io/istio v0.0.0-20241012000449-a53849ef4734 h1:MAqw2g72/EyyZey+CYD4G1CNf77ljUuI5n1ushpOAR8= -istio.io/istio v0.0.0-20241012000449-a53849ef4734/go.mod h1:OjXgkrdrI5myoxr0eDxoWm+q5kFrcgLNlJLRvGd5ZIk= +istio.io/istio v0.0.0-20241013024925-e3b7c36c24a0 h1:ComuULtR/m4OSUNqedc0mtjwQyv+yrf0tIhfMTXLRT4= +istio.io/istio v0.0.0-20241013024925-e3b7c36c24a0/go.mod h1:OjXgkrdrI5myoxr0eDxoWm+q5kFrcgLNlJLRvGd5ZIk= k8s.io/api v0.31.1 h1:Xe1hX/fPW3PXYYv8BlozYqw63ytA92snr96zMW9gWTU= k8s.io/api v0.31.1/go.mod h1:sbN1g6eY6XVLeqNsZGLnI5FwVseTrZX7Fv3O26rhAaI= k8s.io/apiextensions-apiserver v0.31.1 h1:L+hwULvXx+nvTYX/MKM3kKMZyei+UiSXQWciX/N6E40= diff --git a/resources/latest/charts/base/Chart.yaml b/resources/latest/charts/base/Chart.yaml index 985cf5b56..5ae6db26a 100644 --- a/resources/latest/charts/base/Chart.yaml +++ b/resources/latest/charts/base/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 1.24-alpha.a53849ef473456ec1c6c178d94ca57bc4aa024ce +appVersion: 1.24-alpha.e3b7c36c24a0b9047adb25906c4eaf8d1e8e752a description: Helm chart for deploying Istio cluster resources and CRDs icon: https://istio.io/latest/favicons/android-192x192.png keywords: @@ -7,4 +7,4 @@ keywords: name: base sources: - https://github.com/istio/istio -version: 1.24-alpha.a53849ef473456ec1c6c178d94ca57bc4aa024ce +version: 1.24-alpha.e3b7c36c24a0b9047adb25906c4eaf8d1e8e752a diff --git a/resources/latest/charts/cni/Chart.yaml b/resources/latest/charts/cni/Chart.yaml index e9ddea890..755e5665c 100644 --- a/resources/latest/charts/cni/Chart.yaml 
+++ b/resources/latest/charts/cni/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 1.24-alpha.a53849ef473456ec1c6c178d94ca57bc4aa024ce +appVersion: 1.24-alpha.e3b7c36c24a0b9047adb25906c4eaf8d1e8e752a description: Helm chart for istio-cni components icon: https://istio.io/latest/favicons/android-192x192.png keywords: @@ -8,4 +8,4 @@ keywords: name: cni sources: - https://github.com/istio/istio -version: 1.24-alpha.a53849ef473456ec1c6c178d94ca57bc4aa024ce +version: 1.24-alpha.e3b7c36c24a0b9047adb25906c4eaf8d1e8e752a diff --git a/resources/latest/charts/cni/values.yaml b/resources/latest/charts/cni/values.yaml index 0f04c3fd7..59ae974e7 100644 --- a/resources/latest/charts/cni/values.yaml +++ b/resources/latest/charts/cni/values.yaml @@ -112,7 +112,7 @@ _internal_defaults_do_not_set: hub: gcr.io/istio-testing # Default tag for Istio images. - tag: 1.24-alpha.a53849ef473456ec1c6c178d94ca57bc4aa024ce + tag: 1.24-alpha.e3b7c36c24a0b9047adb25906c4eaf8d1e8e752a # Variant of the image to use. # Currently supported are: [debug, distroless] diff --git a/resources/latest/charts/gateway/Chart.yaml b/resources/latest/charts/gateway/Chart.yaml index d5ca64be5..58b92289f 100644 --- a/resources/latest/charts/gateway/Chart.yaml +++ b/resources/latest/charts/gateway/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 1.24-alpha.a53849ef473456ec1c6c178d94ca57bc4aa024ce +appVersion: 1.24-alpha.e3b7c36c24a0b9047adb25906c4eaf8d1e8e752a description: Helm chart for deploying Istio gateways icon: https://istio.io/latest/favicons/android-192x192.png keywords: @@ -9,4 +9,4 @@ name: gateway sources: - https://github.com/istio/istio type: application -version: 1.24-alpha.a53849ef473456ec1c6c178d94ca57bc4aa024ce +version: 1.24-alpha.e3b7c36c24a0b9047adb25906c4eaf8d1e8e752a diff --git a/resources/latest/charts/istiod/Chart.yaml b/resources/latest/charts/istiod/Chart.yaml index ac161076c..f32570f20 100644 --- a/resources/latest/charts/istiod/Chart.yaml 
+++ b/resources/latest/charts/istiod/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 1.24-alpha.a53849ef473456ec1c6c178d94ca57bc4aa024ce +appVersion: 1.24-alpha.e3b7c36c24a0b9047adb25906c4eaf8d1e8e752a description: Helm chart for istio control plane icon: https://istio.io/latest/favicons/android-192x192.png keywords: @@ -9,4 +9,4 @@ keywords: name: istiod sources: - https://github.com/istio/istio -version: 1.24-alpha.a53849ef473456ec1c6c178d94ca57bc4aa024ce +version: 1.24-alpha.e3b7c36c24a0b9047adb25906c4eaf8d1e8e752a diff --git a/resources/latest/charts/istiod/values.yaml b/resources/latest/charts/istiod/values.yaml index e2aea83bb..7798b152f 100644 --- a/resources/latest/charts/istiod/values.yaml +++ b/resources/latest/charts/istiod/values.yaml @@ -242,7 +242,7 @@ _internal_defaults_do_not_set: # Dev builds from prow are on gcr.io hub: gcr.io/istio-testing # Default tag for Istio images. - tag: 1.24-alpha.a53849ef473456ec1c6c178d94ca57bc4aa024ce + tag: 1.24-alpha.e3b7c36c24a0b9047adb25906c4eaf8d1e8e752a # Variant of the image to use. # Currently supported are: [debug, distroless] variant: "" diff --git a/resources/latest/charts/ztunnel/Chart.yaml b/resources/latest/charts/ztunnel/Chart.yaml index 5955f3f17..f59255b61 100644 --- a/resources/latest/charts/ztunnel/Chart.yaml +++ b/resources/latest/charts/ztunnel/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 1.24-alpha.a53849ef473456ec1c6c178d94ca57bc4aa024ce +appVersion: 1.24-alpha.e3b7c36c24a0b9047adb25906c4eaf8d1e8e752a description: Helm chart for istio ztunnel components icon: https://istio.io/latest/favicons/android-192x192.png keywords: @@ -8,4 +8,4 @@ keywords: name: ztunnel sources: - https://github.com/istio/istio -version: 1.24-alpha.a53849ef473456ec1c6c178d94ca57bc4aa024ce +version: 1.24-alpha.e3b7c36c24a0b9047adb25906c4eaf8d1e8e752a diff --git a/resources/latest/charts/ztunnel/values.yaml b/resources/latest/charts/ztunnel/values.yaml index f28b7c2ee..1a0d99911 100644 
--- a/resources/latest/charts/ztunnel/values.yaml +++ b/resources/latest/charts/ztunnel/values.yaml @@ -4,7 +4,7 @@ _internal_defaults_do_not_set: # Hub to pull from. Image will be `Hub/Image:Tag-Variant` hub: gcr.io/istio-testing # Tag to pull from. Image will be `Hub/Image:Tag-Variant` - tag: 1.24-alpha.a53849ef473456ec1c6c178d94ca57bc4aa024ce + tag: 1.24-alpha.e3b7c36c24a0b9047adb25906c4eaf8d1e8e752a # Variant to pull. Options are "debug" or "distroless". Unset will use the default for the given version. variant: "" diff --git a/versions.yaml b/versions.yaml index c8894a70e..379a14a26 100644 --- a/versions.yaml +++ b/versions.yaml 
@@ -43,13 +43,13 @@ versions: - https://istio-release.storage.googleapis.com/charts/cni-1.21.6.tgz - https://istio-release.storage.googleapis.com/charts/ztunnel-1.21.6.tgz - name: latest - version: 1.24-alpha.a53849ef473456ec1c6c178d94ca57bc4aa024ce + version: 1.24-alpha.e3b7c36c24a0b9047adb25906c4eaf8d1e8e752a repo: https://github.com/istio/istio branch: master - commit: a53849ef473456ec1c6c178d94ca57bc4aa024ce + commit: e3b7c36c24a0b9047adb25906c4eaf8d1e8e752a charts: - - https://storage.googleapis.com/istio-build/dev/1.24-alpha.a53849ef473456ec1c6c178d94ca57bc4aa024ce/helm/base-1.24-alpha.a53849ef473456ec1c6c178d94ca57bc4aa024ce.tgz - - https://storage.googleapis.com/istio-build/dev/1.24-alpha.a53849ef473456ec1c6c178d94ca57bc4aa024ce/helm/cni-1.24-alpha.a53849ef473456ec1c6c178d94ca57bc4aa024ce.tgz - - https://storage.googleapis.com/istio-build/dev/1.24-alpha.a53849ef473456ec1c6c178d94ca57bc4aa024ce/helm/gateway-1.24-alpha.a53849ef473456ec1c6c178d94ca57bc4aa024ce.tgz - - https://storage.googleapis.com/istio-build/dev/1.24-alpha.a53849ef473456ec1c6c178d94ca57bc4aa024ce/helm/istiod-1.24-alpha.a53849ef473456ec1c6c178d94ca57bc4aa024ce.tgz - - https://storage.googleapis.com/istio-build/dev/1.24-alpha.a53849ef473456ec1c6c178d94ca57bc4aa024ce/helm/ztunnel-1.24-alpha.a53849ef473456ec1c6c178d94ca57bc4aa024ce.tgz + - https://storage.googleapis.com/istio-build/dev/1.24-alpha.e3b7c36c24a0b9047adb25906c4eaf8d1e8e752a/helm/base-1.24-alpha.e3b7c36c24a0b9047adb25906c4eaf8d1e8e752a.tgz + - https://storage.googleapis.com/istio-build/dev/1.24-alpha.e3b7c36c24a0b9047adb25906c4eaf8d1e8e752a/helm/cni-1.24-alpha.e3b7c36c24a0b9047adb25906c4eaf8d1e8e752a.tgz + - https://storage.googleapis.com/istio-build/dev/1.24-alpha.e3b7c36c24a0b9047adb25906c4eaf8d1e8e752a/helm/gateway-1.24-alpha.e3b7c36c24a0b9047adb25906c4eaf8d1e8e752a.tgz + - 
https://storage.googleapis.com/istio-build/dev/1.24-alpha.e3b7c36c24a0b9047adb25906c4eaf8d1e8e752a/helm/istiod-1.24-alpha.e3b7c36c24a0b9047adb25906c4eaf8d1e8e752a.tgz + - https://storage.googleapis.com/istio-build/dev/1.24-alpha.e3b7c36c24a0b9047adb25906c4eaf8d1e8e752a/helm/ztunnel-1.24-alpha.e3b7c36c24a0b9047adb25906c4eaf8d1e8e752a.tgz From 5af04cbe91a81868f2a49b0a31ce8c6b6a27c018 Mon Sep 17 00:00:00 2001 From: Sridhar Gaddam Date: Mon, 14 Oct 2024 11:36:27 +0530 Subject: [PATCH 62/68] Skip control plane tests for dualStack job (#414) The control plane test suite currently takes around 10 minutes, while the dualStack tests take about 3 minutes. The value of running control plane tests in their current form on a dualStack cluster appears minimal, as these tests do not validate any datapath use cases. Therefore, let's skip the control plane tests for now. Signed-off-by: Sridhar Gaddam --- tests/e2e/controlplane/control_plane_suite_test.go | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/tests/e2e/controlplane/control_plane_suite_test.go b/tests/e2e/controlplane/control_plane_suite_test.go index 298a3b152..a1b573984 100644 --- a/tests/e2e/controlplane/control_plane_suite_test.go +++ b/tests/e2e/controlplane/control_plane_suite_test.go @@ -42,13 +42,14 @@ var ( expectedRegistry = env.Get("EXPECTED_REGISTRY", "^docker\\.io|^gcr\\.io") bookinfoNamespace = env.Get("BOOKINFO_NAMESPACE", "bookinfo") multicluster = env.GetBool("MULTICLUSTER", false) + ipFamily = env.Get("IP_FAMILY", "ipv4") k kubectl.Kubectl ) func TestInstall(t *testing.T) { - if multicluster { - t.Skip("Skipping test for multicluster") + if ipFamily == "dual" || multicluster { + t.Skip("Skipping the control plane tests") } RegisterFailHandler(Fail) setup() From 0dd4827c933e2536f6bddddf5069ace7ea0c7727 Mon Sep 17 00:00:00 2001 From: Brian Mangoenpawiro Date: Mon, 14 Oct 2024 13:29:27 +0200 Subject: [PATCH 63/68] Test coverage workflow (#387) * Add test coverage workflow 
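Review bot: The new `t.Skip("Skipping the control plane tests")` drops the reason the old message carried, so a skipped run no longer shows whether `IP_FAMILY` or `MULTICLUSTER` triggered the skip; `t.Skipf("Skipping control plane tests (IP_FAMILY=%q, MULTICLUSTER=%t)", ipFamily, multicluster)` keeps both visible in the test log. The rationale from the commit message (the suite validates no datapath behaviour, so dual-stack adds nothing) deserves a one-line comment above the `if`, e.g. `// Control plane tests exercise no datapath, so they add nothing on dual-stack clusters.`. The `var (...)` block starts before the hunk and TestInstall's body continues after `setup()`, outside it.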
Signed-off-by: bmangoen * Add codecov config file Signed-off-by: bmangoen --------- Signed-off-by: bmangoen --- .github/codecov.yml | 4 ++++ .github/workflows/coverage.yaml | 21 +++++++++++++++++++++ Makefile.core.mk | 5 ++++- 3 files changed, 29 insertions(+), 1 deletion(-) create mode 100644 .github/codecov.yml create mode 100644 .github/workflows/coverage.yaml diff --git a/.github/codecov.yml b/.github/codecov.yml new file mode 100644 index 000000000..73f4c0aae --- /dev/null +++ b/.github/codecov.yml @@ -0,0 +1,4 @@ +ignore: + - "api" + - "hack" + - "tests" \ No newline at end of file diff --git a/.github/workflows/coverage.yaml b/.github/workflows/coverage.yaml new file mode 100644 index 000000000..d81d346a2 --- /dev/null +++ b/.github/workflows/coverage.yaml @@ -0,0 +1,21 @@ +name: Code coverage workflow + +on: [push, pull_request] + +jobs: + coverage: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + + - name: Run coverage + run: | + make test.unit \ + -e COVERAGE=true + + - name: Upload to Codecov + uses: codecov/codecov-action@v4 + with: + file: out/coverage.out + token: ${{ secrets.CODECOV_TOKEN }} + fail_ci_if_error: true \ No newline at end of file diff --git a/Makefile.core.mk b/Makefile.core.mk index eb6c82bd6..0728de182 100644 --- a/Makefile.core.mk +++ b/Makefile.core.mk @@ -71,7 +71,7 @@ ENVTEST_K8S_VERSION ?= 1.29.0 # Set DOCKER_BUILD_FLAGS to specify flags to pass to 'docker build', default to empty. Example: --platform=linux/arm64 DOCKER_BUILD_FLAGS ?= "--platform=$(TARGET_OS)/$(TARGET_ARCH)" -GOTEST_FLAGS := $(if $(VERBOSE),-v) +GOTEST_FLAGS := $(if $(VERBOSE),-v) $(if $(COVERAGE),-coverprofile=$(REPO_ROOT)/out/coverage.out) GINKGO_FLAGS := $(if $(VERBOSE),-v) $(if $(CI),--no-color) # CHANNELS define the bundle channels used in the bundle. 
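Review bot: The new coverage.yaml declares no `permissions:` block, so the job's `GITHUB_TOKEN` receives the repository default scopes although the steps only check out code and upload a file; a top-level `permissions:` / `  contents: read` keeps the token at the minimum. `actions/checkout@v4` and `codecov/codecov-action@v4` are pinned to mutable tags; pinning to a full commit SHA with the tag in a trailing comment protects the pipeline from a retargeted or compromised tag. With `on: [push, pull_request]`, pull requests from forks run without access to `secrets.CODECOV_TOKEN`, and `fail_ci_if_error: true` will then fail those runs on the upload step rather than on a coverage problem, which is worth either gating the step or stating as intended in a comment.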
@@ -153,6 +153,9 @@ test: test.unit test.integration ## Run both unit tests and integration test. .PHONY: test.unit test.unit: envtest ## Run unit tests. +ifdef COVERAGE + if [ ! -d "$(REPO_ROOT)/out" ]; then mkdir $(REPO_ROOT)/out; fi +endif KUBEBUILDER_ASSETS="$(shell $(ENVTEST) use $(ENVTEST_K8S_VERSION) --bin-dir $(LOCALBIN) -p path)" \ go test $(GOTEST_FLAGS) ./... From 55817bc2f7ff574aa6403719a486f4d868928c0d Mon Sep 17 00:00:00 2001 From: Brian Mangoenpawiro Date: Mon, 14 Oct 2024 13:50:27 +0200 Subject: [PATCH 64/68] Generate asciidoc API reference (#397) * Generate asciidoc API reference Signed-off-by: bmangoen * Replace tabs to spaces for asciidoc Signed-off-by: bmangoen --------- Signed-off-by: bmangoen --- Makefile.core.mk | 9 +-- .../templates/asciidoctor/gv_details.tpl | 19 ++++++ .../templates/asciidoctor/gv_list.tpl | 16 +++++ hack/api-docs/templates/asciidoctor/type.tpl | 58 +++++++++++++++++++ .../templates/asciidoctor/type_members.tpl | 8 +++ 5 files changed, 106 insertions(+), 4 deletions(-) create mode 100644 hack/api-docs/templates/asciidoctor/gv_details.tpl create mode 100644 hack/api-docs/templates/asciidoctor/gv_list.tpl create mode 100644 hack/api-docs/templates/asciidoctor/type.tpl create mode 100644 hack/api-docs/templates/asciidoctor/type_members.tpl diff --git a/Makefile.core.mk b/Makefile.core.mk index 0728de182..8b7c54634 100644 --- a/Makefile.core.mk +++ b/Makefile.core.mk 
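Review bot: The directory guard added under `ifdef COVERAGE` can be one idempotent command, `mkdir -p $(REPO_ROOT)/out`, which also removes the window where two concurrent `make` invocations both see the directory missing and one `mkdir` fails. Note that `ifdef` is evaluated when the Makefile is parsed, so the recipe line exists only when `COVERAGE` is set at that time; that is consistent with how `GOTEST_FLAGS` picks up `-coverprofile` in the earlier hunk, but a short comment such as `# -coverprofile does not create the output directory` would explain why the step is needed at all. The `test.unit` recipe may continue past the end of the hunk.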
@@ -401,7 +401,8 @@ gen-check: gen restore-manifest-dates check-clean-repo ## Verify that changes in CRD_PATH := ./api OUTPUT_DOCS_PATH := ./docs/api-reference CONFIG_API_DOCS_GEN_PATH := ./hack/api-docs/config.yaml -TEMPLATES_DIR := ./hack/api-docs/templates/markdown +DOCS_RENDERER := markdown +TEMPLATES_DIR := ./hack/api-docs/templates/$(DOCS_RENDERER) gen-api-docs: ## Generate API documentation. Known issues: go fmt does not properly handle tabs and add new line empty. Workaround is applied to the generated markdown files. The crd-ref-docs tool add br tags to the generated markdown files. Workaround is applied to the generated markdown files. @echo "Generating API documentation..." @@ -411,12 +412,12 @@ gen-api-docs: ## Generate API documentation. Known issues: go fmt does not prope --source-path=$(CRD_PATH) \ --templates-dir=$(TEMPLATES_DIR) \ --config=$(CONFIG_API_DOCS_GEN_PATH) \ - --renderer=markdown \ + --renderer=$(DOCS_RENDERER) \ --output-path=$(OUTPUT_DOCS_PATH) \ --output-mode=group @find $(OUTPUT_DOCS_PATH) -type f -name "*.md" -exec sed -i 's/
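Review bot: `DOCS_RENDERER := markdown` can only be switched from the make command line (`make gen-api-docs DOCS_RENDERER=asciidoctor`) or with `make -e`, yet the new asciidoctor templates are reachable only through this variable; `DOCS_RENDERER ?= markdown` would also honour an environment setting, matching `ENVTEST_K8S_VERSION ?=` and `DOCKER_BUILD_FLAGS ?=` in the same file. A comment naming the accepted values and where they resolve, e.g. `# markdown or asciidoctor; selects ./hack/api-docs/templates/<renderer> and the crd-ref-docs --renderer flag`, would save the reader a search. The `gen-api-docs` help text on the context line still says the workarounds apply to "the generated markdown files", which the asciidoc support in the next hunk makes stale.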
/ /g' {} \; - @find $(OUTPUT_DOCS_PATH) -type f -name "*.md" -exec sed -i 's/\t/ /g' {} \; - @find $(OUTPUT_DOCS_PATH) -type f -name "*.md" -exec sed -i '/^```/,/^```/ {/./!d;}' {} \; + @find $(OUTPUT_DOCS_PATH) -type f \( -name "*.md" -o -name "*.asciidoc" \) -exec sed -i 's/\t/ /g' {} \; + @find $(OUTPUT_DOCS_PATH) -type f \( -name "*.md" -o -name "*.asciidoc" \) -exec sed -i '/^```/,/^```/ {/./!d;}' {} \; @echo "API reference documentation generated at $(OUTPUT_DOCS_PATH)" .PHONY: restore-manifest-dates diff --git a/hack/api-docs/templates/asciidoctor/gv_details.tpl b/hack/api-docs/templates/asciidoctor/gv_details.tpl new file mode 100644 index 000000000..ebb8912b4 --- /dev/null +++ b/hack/api-docs/templates/asciidoctor/gv_details.tpl @@ -0,0 +1,19 @@ +{{- define "gvDetails" -}} +{{- $gv := . -}} +[id="{{ asciidocGroupVersionID $gv | asciidocRenderAnchorID }}"] +=== {{ $gv.GroupVersionString }} + +{{ $gv.Doc }} + +{{- if $gv.Kinds }} +.Resource Types +{{- range $gv.SortedKinds }} +- {{ $gv.TypeForKind . | asciidocRenderTypeLink }} +{{- end }} +{{ end }} + +{{ range $gv.SortedTypes }} +{{ template "type" . }} +{{ end }} + +{{- end -}} \ No newline at end of file diff --git a/hack/api-docs/templates/asciidoctor/gv_list.tpl b/hack/api-docs/templates/asciidoctor/gv_list.tpl new file mode 100644 index 000000000..7417e4399 --- /dev/null +++ b/hack/api-docs/templates/asciidoctor/gv_list.tpl @@ -0,0 +1,16 @@ +{{- define "gvList" -}} +{{- $groupVersions := . -}} + +[id="{p}-api-reference"] +== API Reference + +.Packages +{{- range $groupVersions }} +- {{ asciidocRenderGVLink . }} +{{- end }} + +{{ range $groupVersions }} +{{ template "gvDetails" . }} +{{ end }} + +{{- end -}} \ No newline at end of file diff --git a/hack/api-docs/templates/asciidoctor/type.tpl b/hack/api-docs/templates/asciidoctor/type.tpl new file mode 100644 index 000000000..5b9489963 --- /dev/null +++ b/hack/api-docs/templates/asciidoctor/type.tpl 
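Review bot: The two rewritten `find` lines now match `\( -name "*.md" -o -name "*.asciidoc" \)`, but the preceding `sed 's/<newline>/ /g'` workaround on the context line still targets `*.md` only, so asciidoc output gets the tab and fenced-block fixes but not the newline fix; if that is deliberate a comment saying so would help, otherwise the same name filter belongs on that line. The third `sed` edits the interior of triple-backtick fences, which is markdown syntax; it is presumably a no-op on asciidoc listing blocks and could be documented as such rather than leaving the reader to wonder whether asciidoc files are affected. The `gen-api-docs` recipe starts outside this hunk.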
@@ -0,0 +1,58 @@
+{{- define "type" -}}
+{{- $type := . -}}
+{{- if asciidocShouldRenderType $type -}}
+{{- if not $type.Markers.hidefromdoc -}}
+
+[id="{{ asciidocTypeID $type | asciidocRenderAnchorID }}"]
+==== {{ $type.Name }}
+
+{{ if $type.IsAlias }}_Underlying type:_ _{{ asciidocRenderTypeLink $type.UnderlyingType }}_{{ end }}
+
+{{ $type.Doc }}
+
+{{ if $type.Validation -}}
+.Validation:
+{{- range $type.Validation }}
+- {{ . }}
+{{- end }}
+{{- end }}
+
+{{ if $type.References -}}
+.Appears In:
+****
+{{- range $type.SortedReferences }}
+- {{ asciidocRenderTypeLink . }}
+{{- end }}
+****
+{{- end }}
+
+{{ if $type.Members -}}
+[cols="20a,50a,15a,15a", options="header"]
+|===
+| Field | Description | Default | Validation
+{{ if $type.GVK -}}
+| *`apiVersion`* __string__ | `{{ $type.GVK.Group }}/{{ $type.GVK.Version }}` | |
+| *`kind`* __string__ | `{{ $type.GVK.Kind }}` | |
+{{ end -}}
+
+{{ range $type.Members -}}
+{{ with .Markers.hidefromdoc -}}
+{{ else -}}
+| *`{{ .Name }}`* __{{ asciidocRenderType .Type }}__ | {{ template "type_members" . }} | {{ .Default }} | {{ range .Validation -}} {{ asciidocRenderValidation . }}
+{{ end }}
+{{ end }}
+{{ end -}}
+|===
+{{ end -}}
+
+{{ if $type.EnumValues -}}
+|===
+| Field | Description |
+{{ range $type.EnumValues -}}
+| `{{ .Name }}` | {{ asciidocRenderFieldDoc .Doc }}
+
+{{ end -}}
+|===
+{{ end -}}
+
+{{- end -}}
+{{- end -}}
+{{- end -}}
\ No newline at end of file
diff --git a/hack/api-docs/templates/asciidoctor/type_members.tpl b/hack/api-docs/templates/asciidoctor/type_members.tpl
new file mode 100644
index 000000000..754d209d6
--- /dev/null
+++ b/hack/api-docs/templates/asciidoctor/type_members.tpl
@@ -0,0 +1,8 @@
+{{- define "type_members" -}}
+{{- $field := . -}}
+{{- if eq $field.Name "metadata" -}}
+Refer to Kubernetes API documentation for fields of `metadata`.
+{{ else -}}
+{{ asciidocRenderFieldDoc $field.Doc }}
+{{- end -}}
+{{- end -}}
\ No newline at end of file
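Review bot: The enum table in type.tpl opens with `| Field | Description |` while each body row is `| `{{ .Name }}` | {{ asciidocRenderFieldDoc .Doc }}` with two cells; Asciidoctor infers the column count from the first row, and I believe the trailing `|` there is read as a third, empty cell, so header and body may end up with different widths. Pinning the layout with `[cols="1,3", options="header"]` and dropping the trailing pipe (as the members table already does with its `cols` attribute) removes the guesswork; the line matches the upstream crd-ref-docs template, so it may simply have been inherited. All four new templates also lack a trailing newline, which text/template does not mind but which adds noise to every later diff of these files.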
From e1c447df7d259f02c7ab51a779545a03e77420f9 Mon Sep 17 00:00:00 2001
From: Maxim Babushkin
Date: Mon, 14 Oct 2024 14:50:34 +0300
Subject: [PATCH 65/68] Add debug info to multicluster e2e tests (#417)

In case multicluster e2e test fails, we should be debug information regarding the failure.

Signed-off-by: Maxim Babushkin
---
 .../multicluster/multicluster_multiprimary_test.go | 11 +++++++++++
 .../multicluster/multicluster_primaryremote_test.go | 11 +++++++++++
 2 files changed, 22 insertions(+)

diff --git a/tests/e2e/multicluster/multicluster_multiprimary_test.go b/tests/e2e/multicluster/multicluster_multiprimary_test.go
index 74603a0c7..e6274d0c0 100644
--- a/tests/e2e/multicluster/multicluster_multiprimary_test.go
+++ b/tests/e2e/multicluster/multicluster_multiprimary_test.go
@@ -40,6 +40,7 @@ import (
 var _ = Describe("Multicluster deployment models", Ordered, func() {
 SetDefaultEventuallyTimeout(180 * time.Second)
 SetDefaultEventuallyPollingInterval(time.Second)
+ debugInfoLogged := false
 
 BeforeAll(func(ctx SpecContext) {
 if !skipDeploy {
@@ -251,6 +252,11 @@ spec:
 })
 
 AfterAll(func(ctx SpecContext) {
+ if CurrentSpecReport().Failed() {
+ common.LogDebugInfo()
+ debugInfoLogged = true
+ }
+
 // Delete namespaces to ensure clean up for new tests iteration
 Expect(k1.DeleteNamespaceNoWait(controlPlaneNamespace)).To(Succeed(), "Namespace failed to be deleted on Cluster #1")
 Expect(k2.DeleteNamespaceNoWait(controlPlaneNamespace)).To(Succeed(), "Namespace failed to be deleted on Cluster #2")
@@ -270,6 +276,11 @@ spec:
 })
 
 AfterAll(func(ctx SpecContext) {
+ if CurrentSpecReport().Failed() && !debugInfoLogged {
+ common.LogDebugInfo()
+ debugInfoLogged = true
+ }
+
 // Delete the Sail Operator from both clusters
 Expect(k1.DeleteNamespaceNoWait(namespace)).To(Succeed(), "Namespace failed to be deleted on Cluster #1")
 Expect(k2.DeleteNamespaceNoWait(namespace)).To(Succeed(), "Namespace failed to be deleted on Cluster #2")
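Review bot: `common.LogDebugInfo()` is called with no cluster argument in both new `AfterAll` blocks, yet this suite drives two clusters through `k1` and `k2`; if the helper reads a single default kubeconfig (its definition is not in this patch) a failure on Cluster #2 would be diagnosed with Cluster #1's state only, so consider giving it the cluster clients or calling it once per cluster. The same `debugInfoLogged` guard and both `AfterAll` prologues are repeated verbatim in multicluster_primaryremote_test.go, so a shared helper in `common` (for example `LogDebugInfoOnce(&debugInfoLogged)`) would keep the two files in step. Capturing before the `DeleteNamespaceNoWait` calls is the right order, and a comment such as `// Collect cluster state before the cleanup below destroys it` would keep that intent from being lost in a future reorder. The enclosing `Describe` bodies start and end outside these hunks.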
diff --git a/tests/e2e/multicluster/multicluster_primaryremote_test.go b/tests/e2e/multicluster/multicluster_primaryremote_test.go
index 95865f4f0..1ebfc799e 100644
--- a/tests/e2e/multicluster/multicluster_primaryremote_test.go
+++ b/tests/e2e/multicluster/multicluster_primaryremote_test.go
@@ -40,6 +40,7 @@ import (
 var _ = Describe("Multicluster deployment models", Ordered, func() {
 SetDefaultEventuallyTimeout(180 * time.Second)
 SetDefaultEventuallyPollingInterval(time.Second)
+ debugInfoLogged := false
 
 BeforeAll(func(ctx SpecContext) {
 if !skipDeploy {
@@ -293,6 +294,11 @@ spec:
 })
 
 AfterAll(func(ctx SpecContext) {
+ if CurrentSpecReport().Failed() {
+ common.LogDebugInfo()
+ debugInfoLogged = true
+ }
+
 // Delete namespaces to ensure clean up for new tests iteration
 Expect(k1.DeleteNamespaceNoWait(controlPlaneNamespace)).To(Succeed(), "Namespace failed to be deleted on Primary Cluster")
 Expect(k2.DeleteNamespaceNoWait(controlPlaneNamespace)).To(Succeed(), "Namespace failed to be deleted on Remote Cluster")
@@ -312,6 +318,11 @@ spec:
 })
 
 AfterAll(func(ctx SpecContext) {
+ if CurrentSpecReport().Failed() && !debugInfoLogged {
+ common.LogDebugInfo()
+ debugInfoLogged = true
+ }
+
 // Delete the Sail Operator from both clusters
 Expect(k1.DeleteNamespaceNoWait(namespace)).To(Succeed(), "Namespace failed to be deleted on Primary Cluster")
 Expect(k2.DeleteNamespaceNoWait(namespace)).To(Succeed(), "Namespace failed to be deleted on Remote Cluster")

From 927eaaa3438512c5e7e9e2cb2dde74e9778e7476 Mon Sep 17 00:00:00 2001
From: Maxim Babushkin
Date: Mon, 14 Oct 2024 16:42:27 +0300
Subject: [PATCH 66/68] Fix typo in helm-artifacts-publish ENV var command (#419)

Signed-off-by: Maxim Babushkin
---
 Makefile.core.mk | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Makefile.core.mk b/Makefile.core.mk
index 8b7c54634..9007df9ae 100644
--- a/Makefile.core.mk
+++ b/Makefile.core.mk
@@ -603,7 +603,7 @@ bundle-publish-nightly: bundle-nightly bundle-publish
 helm-artifacts-publish: helm ## Publish Helm artifacts to be available for "Helm repo add"
 @export GIT_USER=$(GITHUB_USER); \
 export GITHUB_TOKEN=$(GITHUB_TOKEN); \
- export OPERATOR_VERSION=${OPERATOR_VERSION}; \
+ export OPERATOR_VERSION=$(OPERATOR_VERSION); \
 ./hack/helm-artifacts.sh
 
 .PHONY: opm $(OPM)

From e6155da6be78f7167103c6327966d194653c2320 Mon Sep 17 00:00:00 2001
From: openshift-service-mesh-bot <165402251+openshift-service-mesh-bot@users.noreply.github.com>
Date: Tue, 15 Oct 2024 07:18:28 +0200
Subject: [PATCH 67/68] Automator: Update dependencies in istio-ecosystem/sail-operator@main (#421)

Signed-off-by: openshift-service-mesh-bot
---
 Makefile.core.mk | 2 +-
 .../sailoperator.clusterserviceversion.yaml | 20 +++++++++----------
 chart/values.yaml | 2 +-
 go.mod | 2 +-
 go.sum | 4 ++--
 resources/latest/charts/base/Chart.yaml | 4 ++--
 resources/latest/charts/cni/Chart.yaml | 4 ++--
 .../charts/cni/templates/daemonset.yaml | 4 ++++
 resources/latest/charts/cni/values.yaml | 2 +-
 resources/latest/charts/gateway/Chart.yaml | 4 ++--
 resources/latest/charts/istiod/Chart.yaml | 4 ++--
 resources/latest/charts/istiod/values.yaml | 2 +-
 resources/latest/charts/ztunnel/Chart.yaml | 4 ++--
 resources/latest/charts/ztunnel/values.yaml | 2 +-
 versions.yaml | 14 ++++++-------
 15 files changed, 39 insertions(+), 35 deletions(-)

diff --git a/Makefile.core.mk b/Makefile.core.mk
index 9007df9ae..52c4b5dce 100644
--- a/Makefile.core.mk
+++ b/Makefile.core.mk
@@ -472,7 +472,7 @@ OPERATOR_SDK_VERSION ?= v1.37.0
 HELM_VERSION ?= v3.16.2
 CONTROLLER_TOOLS_VERSION ?= v0.16.4
 OPM_VERSION ?= v1.47.0
-GITLEAKS_VERSION ?= v8.20.1
+GITLEAKS_VERSION ?= v8.21.0
 ISTIOCTL_VERSION ?= 1.23.0
 
 # GENERATE_RELATED_IMAGES defines whether `spec.relatedImages` is going to be generated or not
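Review bot: `${OPERATOR_VERSION}` and `$(OPERATOR_VERSION)` are the same variable reference to GNU make — both are expanded before the recipe line reaches the shell — so the changed line is a consistency edit rather than a behavioural fix, despite the commit title. If `./hack/helm-artifacts.sh` was seeing an empty version, the more likely cause is `OPERATOR_VERSION` not being set when the target is invoked, which this hunk does not address; a note in the commit message, or a `# $(VAR) is the form used throughout this file; make treats ${VAR} identically` comment above the recipe, would stop readers from expecting a change in output. The `helm-artifacts-publish` recipe is complete within the hunk.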
diff --git a/bundle/manifests/sailoperator.clusterserviceversion.yaml b/bundle/manifests/sailoperator.clusterserviceversion.yaml index 483493b67..be364f9c9 100644 --- a/bundle/manifests/sailoperator.clusterserviceversion.yaml +++ b/bundle/manifests/sailoperator.clusterserviceversion.yaml @@ -34,7 +34,7 @@ metadata: capabilities: Seamless Upgrades categories: OpenShift Optional, Integration & Delivery, Networking, Security containerImage: quay.io/maistra-dev/sail-operator:0.2-latest - createdAt: "2024-10-13T05:20:21Z" + createdAt: "2024-10-15T05:04:53Z" description: Experimental operator for installing Istio service mesh features.operators.openshift.io/cnf: "false" features.operators.openshift.io/cni: "true" @@ -374,7 +374,7 @@ spec: - v1.23.2 - v1.22.5 - v1.21.6 - - latest (e3b7c36c) + - latest (358edc01) [See this page](https://github.com/istio-ecosystem/sail-operator/blob/main/bundle/README.md) for instructions on how to use it. displayName: Sail Operator 
@@ -598,10 +598,10 @@ spec: template: metadata: annotations: - images.latest.cni: gcr.io/istio-testing/install-cni:1.24-alpha.e3b7c36c24a0b9047adb25906c4eaf8d1e8e752a - images.latest.istiod: gcr.io/istio-testing/pilot:1.24-alpha.e3b7c36c24a0b9047adb25906c4eaf8d1e8e752a - images.latest.proxy: gcr.io/istio-testing/proxyv2:1.24-alpha.e3b7c36c24a0b9047adb25906c4eaf8d1e8e752a - images.latest.ztunnel: gcr.io/istio-testing/ztunnel:1.24-alpha.e3b7c36c24a0b9047adb25906c4eaf8d1e8e752a + images.latest.cni: gcr.io/istio-testing/install-cni:1.24-alpha.358edc01a5abb53259ad1637a63d7562b040a6f1 + images.latest.istiod: gcr.io/istio-testing/pilot:1.24-alpha.358edc01a5abb53259ad1637a63d7562b040a6f1 + images.latest.proxy: gcr.io/istio-testing/proxyv2:1.24-alpha.358edc01a5abb53259ad1637a63d7562b040a6f1 + images.latest.ztunnel: gcr.io/istio-testing/ztunnel:1.24-alpha.358edc01a5abb53259ad1637a63d7562b040a6f1 images.v1_21_6.cni: docker.io/istio/install-cni:1.21.6 images.v1_21_6.istiod: docker.io/istio/pilot:1.21.6 images.v1_21_6.proxy: docker.io/istio/proxyv2:1.21.6 
@@ -767,13 +767,13 @@ spec: provider: name: Red Hat, Inc. relatedImages: - - image: gcr.io/istio-testing/install-cni:1.24-alpha.e3b7c36c24a0b9047adb25906c4eaf8d1e8e752a + - image: gcr.io/istio-testing/install-cni:1.24-alpha.358edc01a5abb53259ad1637a63d7562b040a6f1 name: latest.cni - - image: gcr.io/istio-testing/pilot:1.24-alpha.e3b7c36c24a0b9047adb25906c4eaf8d1e8e752a + - image: gcr.io/istio-testing/pilot:1.24-alpha.358edc01a5abb53259ad1637a63d7562b040a6f1 name: latest.istiod - - image: gcr.io/istio-testing/proxyv2:1.24-alpha.e3b7c36c24a0b9047adb25906c4eaf8d1e8e752a + - image: gcr.io/istio-testing/proxyv2:1.24-alpha.358edc01a5abb53259ad1637a63d7562b040a6f1 name: latest.proxy - - image: gcr.io/istio-testing/ztunnel:1.24-alpha.e3b7c36c24a0b9047adb25906c4eaf8d1e8e752a + - image: gcr.io/istio-testing/ztunnel:1.24-alpha.358edc01a5abb53259ad1637a63d7562b040a6f1 name: latest.ztunnel - image: docker.io/istio/install-cni:1.21.6 name: v1_21_6.cni diff --git a/chart/values.yaml b/chart/values.yaml index 47c9713e3..6b7cd39ec 100644 --- a/chart/values.yaml +++ b/chart/values.yaml @@ -21,7 +21,7 @@ csv: - v1.23.2 - v1.22.5 - v1.21.6 - - latest (e3b7c36c) + - latest (358edc01) [See this page](https://github.com/istio-ecosystem/sail-operator/blob/main/bundle/README.md) for instructions on how to use it. support: Community based diff --git a/go.mod b/go.mod index e6465dc85..149e20cff 100644 --- a/go.mod +++ b/go.mod @@ -24,7 +24,7 @@ require ( gopkg.in/yaml.v3 v3.0.1 helm.sh/helm/v3 v3.16.1 istio.io/client-go v1.23.0-alpha.0.0.20241011000732-f46eea8919cd - istio.io/istio v0.0.0-20241013024925-e3b7c36c24a0 + istio.io/istio v0.0.0-20241015000627-358edc01a5ab k8s.io/api v0.31.1 k8s.io/apiextensions-apiserver v0.31.1 k8s.io/apimachinery v0.31.1 diff --git a/go.sum b/go.sum index 398bc3338..b1d744f0b 100644 --- a/go.sum +++ b/go.sum 
@@ -493,8 +493,8 @@ istio.io/api v1.23.0-alpha.0.0.20241011000314-650491578381 h1:ZgYTwI0GqRLuany0gL istio.io/api v1.23.0-alpha.0.0.20241011000314-650491578381/go.mod h1:MQnRok7RZ20/PE56v0LxmoWH0xVxnCQPNuf9O7PAN1I= istio.io/client-go v1.23.0-alpha.0.0.20241011000732-f46eea8919cd h1:rghOYcynTAXYGRJXkZjxAogTbNQE+ROTWPaGTcd84bM= istio.io/client-go v1.23.0-alpha.0.0.20241011000732-f46eea8919cd/go.mod h1:oECxINJDBsN7AtQjcZVBQqQ73FHeYw6D3ihspfN7PDs= -istio.io/istio v0.0.0-20241013024925-e3b7c36c24a0 h1:ComuULtR/m4OSUNqedc0mtjwQyv+yrf0tIhfMTXLRT4= -istio.io/istio v0.0.0-20241013024925-e3b7c36c24a0/go.mod h1:OjXgkrdrI5myoxr0eDxoWm+q5kFrcgLNlJLRvGd5ZIk= +istio.io/istio v0.0.0-20241015000627-358edc01a5ab h1:ASlKPnedbweaDwTCV2MkU35LECx+jJAALl36uRo04Vk= +istio.io/istio v0.0.0-20241015000627-358edc01a5ab/go.mod h1:OjXgkrdrI5myoxr0eDxoWm+q5kFrcgLNlJLRvGd5ZIk= k8s.io/api v0.31.1 h1:Xe1hX/fPW3PXYYv8BlozYqw63ytA92snr96zMW9gWTU= k8s.io/api v0.31.1/go.mod h1:sbN1g6eY6XVLeqNsZGLnI5FwVseTrZX7Fv3O26rhAaI= k8s.io/apiextensions-apiserver v0.31.1 h1:L+hwULvXx+nvTYX/MKM3kKMZyei+UiSXQWciX/N6E40= diff --git a/resources/latest/charts/base/Chart.yaml b/resources/latest/charts/base/Chart.yaml index 5ae6db26a..7dedcf2da 100644 --- a/resources/latest/charts/base/Chart.yaml +++ b/resources/latest/charts/base/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 1.24-alpha.e3b7c36c24a0b9047adb25906c4eaf8d1e8e752a +appVersion: 1.24-alpha.358edc01a5abb53259ad1637a63d7562b040a6f1 description: Helm chart for deploying Istio cluster resources and CRDs icon: https://istio.io/latest/favicons/android-192x192.png keywords: @@ -7,4 +7,4 @@ keywords: name: base sources: - https://github.com/istio/istio -version: 1.24-alpha.e3b7c36c24a0b9047adb25906c4eaf8d1e8e752a +version: 1.24-alpha.358edc01a5abb53259ad1637a63d7562b040a6f1 diff --git a/resources/latest/charts/cni/Chart.yaml b/resources/latest/charts/cni/Chart.yaml index 755e5665c..facd79f88 100644 --- a/resources/latest/charts/cni/Chart.yaml 
+++ b/resources/latest/charts/cni/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 1.24-alpha.e3b7c36c24a0b9047adb25906c4eaf8d1e8e752a +appVersion: 1.24-alpha.358edc01a5abb53259ad1637a63d7562b040a6f1 description: Helm chart for istio-cni components icon: https://istio.io/latest/favicons/android-192x192.png keywords: @@ -8,4 +8,4 @@ keywords: name: cni sources: - https://github.com/istio/istio -version: 1.24-alpha.e3b7c36c24a0b9047adb25906c4eaf8d1e8e752a +version: 1.24-alpha.358edc01a5abb53259ad1637a63d7562b040a6f1 diff --git a/resources/latest/charts/cni/templates/daemonset.yaml b/resources/latest/charts/cni/templates/daemonset.yaml index 35cae7cb1..659ba26f3 100644 --- a/resources/latest/charts/cni/templates/daemonset.yaml +++ b/resources/latest/charts/cni/templates/daemonset.yaml @@ -111,6 +111,10 @@ spec: # network namespaces in `/proc` to obtain descriptors for entering pod network # namespaces. There does not appear to be a more granular capability for this. - SYS_ADMIN +{{- if .Values.seLinuxOptions }} + seLinuxOptions: +{{ toYaml .Values.seLinuxOptions | trim | indent 14 }} +{{- end }} {{- if .Values.seccompProfile }} seccompProfile: {{ toYaml .Values.seccompProfile | trim | indent 14 }} diff --git a/resources/latest/charts/cni/values.yaml b/resources/latest/charts/cni/values.yaml index 59ae974e7..117be557b 100644 --- a/resources/latest/charts/cni/values.yaml +++ b/resources/latest/charts/cni/values.yaml @@ -112,7 +112,7 @@ _internal_defaults_do_not_set: hub: gcr.io/istio-testing # Default tag for Istio images. - tag: 1.24-alpha.e3b7c36c24a0b9047adb25906c4eaf8d1e8e752a + tag: 1.24-alpha.358edc01a5abb53259ad1637a63d7562b040a6f1 # Variant of the image to use. # Currently supported are: [debug, distroless] diff --git a/resources/latest/charts/gateway/Chart.yaml b/resources/latest/charts/gateway/Chart.yaml index 58b92289f..464a101ba 100644 --- a/resources/latest/charts/gateway/Chart.yaml +++ b/resources/latest/charts/gateway/Chart.yaml 
@@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 1.24-alpha.e3b7c36c24a0b9047adb25906c4eaf8d1e8e752a +appVersion: 1.24-alpha.358edc01a5abb53259ad1637a63d7562b040a6f1 description: Helm chart for deploying Istio gateways icon: https://istio.io/latest/favicons/android-192x192.png keywords: @@ -9,4 +9,4 @@ name: gateway sources: - https://github.com/istio/istio type: application -version: 1.24-alpha.e3b7c36c24a0b9047adb25906c4eaf8d1e8e752a +version: 1.24-alpha.358edc01a5abb53259ad1637a63d7562b040a6f1 diff --git a/resources/latest/charts/istiod/Chart.yaml b/resources/latest/charts/istiod/Chart.yaml index f32570f20..3609ffcc6 100644 --- a/resources/latest/charts/istiod/Chart.yaml +++ b/resources/latest/charts/istiod/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 1.24-alpha.e3b7c36c24a0b9047adb25906c4eaf8d1e8e752a +appVersion: 1.24-alpha.358edc01a5abb53259ad1637a63d7562b040a6f1 description: Helm chart for istio control plane icon: https://istio.io/latest/favicons/android-192x192.png keywords: @@ -9,4 +9,4 @@ keywords: name: istiod sources: - https://github.com/istio/istio -version: 1.24-alpha.e3b7c36c24a0b9047adb25906c4eaf8d1e8e752a +version: 1.24-alpha.358edc01a5abb53259ad1637a63d7562b040a6f1 diff --git a/resources/latest/charts/istiod/values.yaml b/resources/latest/charts/istiod/values.yaml index 7798b152f..8f575aba1 100644 --- a/resources/latest/charts/istiod/values.yaml +++ b/resources/latest/charts/istiod/values.yaml @@ -242,7 +242,7 @@ _internal_defaults_do_not_set: # Dev builds from prow are on gcr.io hub: gcr.io/istio-testing # Default tag for Istio images. - tag: 1.24-alpha.e3b7c36c24a0b9047adb25906c4eaf8d1e8e752a + tag: 1.24-alpha.358edc01a5abb53259ad1637a63d7562b040a6f1 # Variant of the image to use. # Currently supported are: [debug, distroless] variant: "" diff --git a/resources/latest/charts/ztunnel/Chart.yaml b/resources/latest/charts/ztunnel/Chart.yaml index f59255b61..16693702b 100644 --- a/resources/latest/charts/ztunnel/Chart.yaml 
+++ b/resources/latest/charts/ztunnel/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 1.24-alpha.e3b7c36c24a0b9047adb25906c4eaf8d1e8e752a +appVersion: 1.24-alpha.358edc01a5abb53259ad1637a63d7562b040a6f1 description: Helm chart for istio ztunnel components icon: https://istio.io/latest/favicons/android-192x192.png keywords: @@ -8,4 +8,4 @@ keywords: name: ztunnel sources: - https://github.com/istio/istio -version: 1.24-alpha.e3b7c36c24a0b9047adb25906c4eaf8d1e8e752a +version: 1.24-alpha.358edc01a5abb53259ad1637a63d7562b040a6f1 diff --git a/resources/latest/charts/ztunnel/values.yaml b/resources/latest/charts/ztunnel/values.yaml index 1a0d99911..660ac629a 100644 --- a/resources/latest/charts/ztunnel/values.yaml +++ b/resources/latest/charts/ztunnel/values.yaml @@ -4,7 +4,7 @@ _internal_defaults_do_not_set: # Hub to pull from. Image will be `Hub/Image:Tag-Variant` hub: gcr.io/istio-testing # Tag to pull from. Image will be `Hub/Image:Tag-Variant` - tag: 1.24-alpha.e3b7c36c24a0b9047adb25906c4eaf8d1e8e752a + tag: 1.24-alpha.358edc01a5abb53259ad1637a63d7562b040a6f1 # Variant to pull. Options are "debug" or "distroless". Unset will use the default for the given version. variant: "" diff --git a/versions.yaml b/versions.yaml index 379a14a26..9f0e9e41f 100644 --- a/versions.yaml +++ b/versions.yaml 
@@ -43,13 +43,13 @@ versions: - https://istio-release.storage.googleapis.com/charts/cni-1.21.6.tgz - https://istio-release.storage.googleapis.com/charts/ztunnel-1.21.6.tgz - name: latest - version: 1.24-alpha.e3b7c36c24a0b9047adb25906c4eaf8d1e8e752a + version: 1.24-alpha.358edc01a5abb53259ad1637a63d7562b040a6f1 repo: https://github.com/istio/istio branch: master - commit: e3b7c36c24a0b9047adb25906c4eaf8d1e8e752a + commit: 358edc01a5abb53259ad1637a63d7562b040a6f1 charts: - - https://storage.googleapis.com/istio-build/dev/1.24-alpha.e3b7c36c24a0b9047adb25906c4eaf8d1e8e752a/helm/base-1.24-alpha.e3b7c36c24a0b9047adb25906c4eaf8d1e8e752a.tgz - - https://storage.googleapis.com/istio-build/dev/1.24-alpha.e3b7c36c24a0b9047adb25906c4eaf8d1e8e752a/helm/cni-1.24-alpha.e3b7c36c24a0b9047adb25906c4eaf8d1e8e752a.tgz - - https://storage.googleapis.com/istio-build/dev/1.24-alpha.e3b7c36c24a0b9047adb25906c4eaf8d1e8e752a/helm/gateway-1.24-alpha.e3b7c36c24a0b9047adb25906c4eaf8d1e8e752a.tgz - - https://storage.googleapis.com/istio-build/dev/1.24-alpha.e3b7c36c24a0b9047adb25906c4eaf8d1e8e752a/helm/istiod-1.24-alpha.e3b7c36c24a0b9047adb25906c4eaf8d1e8e752a.tgz - - https://storage.googleapis.com/istio-build/dev/1.24-alpha.e3b7c36c24a0b9047adb25906c4eaf8d1e8e752a/helm/ztunnel-1.24-alpha.e3b7c36c24a0b9047adb25906c4eaf8d1e8e752a.tgz + - https://storage.googleapis.com/istio-build/dev/1.24-alpha.358edc01a5abb53259ad1637a63d7562b040a6f1/helm/base-1.24-alpha.358edc01a5abb53259ad1637a63d7562b040a6f1.tgz + - https://storage.googleapis.com/istio-build/dev/1.24-alpha.358edc01a5abb53259ad1637a63d7562b040a6f1/helm/cni-1.24-alpha.358edc01a5abb53259ad1637a63d7562b040a6f1.tgz + - https://storage.googleapis.com/istio-build/dev/1.24-alpha.358edc01a5abb53259ad1637a63d7562b040a6f1/helm/gateway-1.24-alpha.358edc01a5abb53259ad1637a63d7562b040a6f1.tgz + - 
https://storage.googleapis.com/istio-build/dev/1.24-alpha.358edc01a5abb53259ad1637a63d7562b040a6f1/helm/istiod-1.24-alpha.358edc01a5abb53259ad1637a63d7562b040a6f1.tgz + - https://storage.googleapis.com/istio-build/dev/1.24-alpha.358edc01a5abb53259ad1637a63d7562b040a6f1/helm/ztunnel-1.24-alpha.358edc01a5abb53259ad1637a63d7562b040a6f1.tgz From d4593003ec934ab4ee2def4baee983ce67d51217 Mon Sep 17 00:00:00 2001 From: Daniel Grimm Date: Tue, 15 Oct 2024 17:51:28 +0200 Subject: [PATCH 68/68] Make spec.namespace fields immutable (#418) * Make spec.namespace fields immutable Moving a control plane around has consequences beyond just the templates installed by helm, as the control plane namespace has its own semantics within Istio: it is often the place where you can put Istio configs that serve as defaults. By making the field immutable, we avoid strange side- effects that might occur when moving a control plane to another namespace. Signed-off-by: Daniel Grimm * Add docs Signed-off-by: Daniel Grimm --------- Signed-off-by: Daniel Grimm --- api/v1alpha1/istio_types.go | 3 ++- api/v1alpha1/istiorevision_types.go | 1 + bundle/manifests/sailoperator.clusterserviceversion.yaml | 3 ++- bundle/manifests/sailoperator.io_istiorevisions.yaml | 3 +++ bundle/manifests/sailoperator.io_istios.yaml | 4 ++++ chart/crds/sailoperator.io_istiorevisions.yaml | 3 +++ chart/crds/sailoperator.io_istios.yaml | 4 ++++ docs/README.md | 2 +- docs/api-reference/sailoperator.io.md | 2 +- tests/integration/api/istio_test.go | 8 ++++++++ 10 files changed, 29 insertions(+), 4 deletions(-) diff --git a/api/v1alpha1/istio_types.go b/api/v1alpha1/istio_types.go index f4e492a2e..fee392773 100644 --- a/api/v1alpha1/istio_types.go +++ b/api/v1alpha1/istio_types.go 
@@ -57,9 +57,10 @@ type IstioSpec struct {
 // +kubebuilder:validation:Enum=ambient;default;demo;empty;external;openshift-ambient;openshift;preview;stable
 Profile string `json:"profile,omitempty"`
 
- // Namespace to which the Istio components should be installed.
+ // Namespace to which the Istio components should be installed. Note that this field is immutable.
 // +operator-sdk:csv:customresourcedefinitions:type=spec,xDescriptors={"urn:alm:descriptor:io.kubernetes:Namespace"}
 // +kubebuilder:default=istio-system
+ // +kubebuilder:validation:XValidation:rule="self == oldSelf",message="Value is immutable"
 Namespace string `json:"namespace"`
 
 // Defines the values to be passed to the Helm charts when installing Istio.
diff --git a/api/v1alpha1/istiorevision_types.go b/api/v1alpha1/istiorevision_types.go
index 289d2f067..4c3347e47 100644
--- a/api/v1alpha1/istiorevision_types.go
+++ b/api/v1alpha1/istiorevision_types.go
@@ -42,6 +42,7 @@ type IstioRevisionSpec struct {
 
 // Namespace to which the Istio components should be installed.
 // +operator-sdk:csv:customresourcedefinitions:type=spec,xDescriptors={"urn:alm:descriptor:io.kubernetes:Namespace"}
+ // +kubebuilder:validation:XValidation:rule="self == oldSelf",message="Value is immutable"
 Namespace string `json:"namespace"`
 
 // Defines the values to be passed to the Helm charts when installing Istio.
diff --git a/bundle/manifests/sailoperator.clusterserviceversion.yaml b/bundle/manifests/sailoperator.clusterserviceversion.yaml
index be364f9c9..cd0ba32b0 100644
--- a/bundle/manifests/sailoperator.clusterserviceversion.yaml
+++ b/bundle/manifests/sailoperator.clusterserviceversion.yaml
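Review bot: The `IstioRevisionSpec` hunk adds the `self == oldSelf` rule but leaves the doc comment as `// Namespace to which the Istio components should be installed.`, so the generated istiorevisions CRD description and API reference will not mention immutability (the istiorevisions CRD hunks later in this patch show the description unchanged); mirroring the `IstioSpec` wording, `// Namespace to which the Istio components should be installed. Note that this field is immutable.`, keeps the two resources documented alike. Because the rule references `oldSelf` the API server evaluates it only on update, so the `+kubebuilder:default=istio-system` on `IstioSpec` still applies at create time and pre-existing objects stay valid as long as their namespace is not changed — worth a sentence in the comment since that is the behaviour operators will ask about. The message `Value is immutable` is generic; `message="spec.namespace is immutable; delete and recreate the resource to move the control plane"` would point users at the procedure documented in docs/README.md. Both struct definitions begin and end outside the hunks.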
@@ -34,7 +34,7 @@ metadata: capabilities: Seamless Upgrades categories: OpenShift Optional, Integration & Delivery, Networking, Security containerImage: quay.io/maistra-dev/sail-operator:0.2-latest - createdAt: "2024-10-15T05:04:53Z" + createdAt: "2024-10-15T06:09:50Z" description: Experimental operator for installing Istio service mesh features.operators.openshift.io/cnf: "false" features.operators.openshift.io/cni: "true" @@ -273,6 +273,7 @@ spec: x-descriptors: - urn:alm:descriptor:com.tectonic.ui:booleanSwitch - description: Namespace to which the Istio components should be installed. + Note that this field is immutable. displayName: Namespace path: namespace x-descriptors: diff --git a/bundle/manifests/sailoperator.io_istiorevisions.yaml b/bundle/manifests/sailoperator.io_istiorevisions.yaml index 0ef057f39..65dda4561 100644 --- a/bundle/manifests/sailoperator.io_istiorevisions.yaml +++ b/bundle/manifests/sailoperator.io_istiorevisions.yaml @@ -75,6 +75,9 @@ spec: namespace: description: Namespace to which the Istio components should be installed. type: string + x-kubernetes-validations: + - message: Value is immutable + rule: self == oldSelf type: default: Local description: Type indicates whether this revision represents a local diff --git a/bundle/manifests/sailoperator.io_istios.yaml b/bundle/manifests/sailoperator.io_istios.yaml index 17edac4d8..c82363824 100644 --- a/bundle/manifests/sailoperator.io_istios.yaml +++ b/bundle/manifests/sailoperator.io_istios.yaml @@ -86,7 +86,11 @@ spec: namespace: default: istio-system description: Namespace to which the Istio components should be installed. + Note that this field is immutable. type: string + x-kubernetes-validations: + - message: Value is immutable + rule: self == oldSelf profile: description: |- The built-in installation configuration profile to use. diff --git a/chart/crds/sailoperator.io_istiorevisions.yaml b/chart/crds/sailoperator.io_istiorevisions.yaml index 066d23473..ec6836947 100644 
--- a/chart/crds/sailoperator.io_istiorevisions.yaml +++ b/chart/crds/sailoperator.io_istiorevisions.yaml @@ -75,6 +75,9 @@ spec: namespace: description: Namespace to which the Istio components should be installed. type: string + x-kubernetes-validations: + - message: Value is immutable + rule: self == oldSelf type: default: Local description: Type indicates whether this revision represents a local diff --git a/chart/crds/sailoperator.io_istios.yaml b/chart/crds/sailoperator.io_istios.yaml index fa5b227ee..39ab1b09a 100644 --- a/chart/crds/sailoperator.io_istios.yaml +++ b/chart/crds/sailoperator.io_istios.yaml @@ -86,7 +86,11 @@ spec: namespace: default: istio-system description: Namespace to which the Istio components should be installed. + Note that this field is immutable. type: string + x-kubernetes-validations: + - message: Value is immutable + rule: self == oldSelf profile: description: |- The built-in installation configuration profile to use. diff --git a/docs/README.md b/docs/README.md index 25f05f8bd..fb9e24714 100644 --- a/docs/README.md +++ b/docs/README.md 
@@ -56,7 +56,7 @@ Sail Operator manages the lifecycle of your Istio control planes. Instead of cre ## Concepts ### Istio resource -The `Istio` resource is used to manage your Istio control planes. It is a cluster-wide resource, as the Istio control plane operates in and requires access to the entire cluster. To select a namespace to run the control plane pods in, you can use the `spec.namespace` field. You can access all helm chart options through the `values` field in the `spec`: +The `Istio` resource is used to manage your Istio control planes. It is a cluster-wide resource, as the Istio control plane operates in and requires access to the entire cluster. To select a namespace to run the control plane pods in, you can use the `spec.namespace` field. Note that this field is immutable, though: in order to move a control plane to another namespace, you have to remove the Istio resource and recreate it with a different `spec.namespace`. You can access all helm chart options through the `values` field in the `spec`: ```yaml apiVersion: sailoperator.io/v1alpha1 diff --git a/docs/api-reference/sailoperator.io.md b/docs/api-reference/sailoperator.io.md index 5e7ba430e..76c1f46fb 100644 --- a/docs/api-reference/sailoperator.io.md +++ b/docs/api-reference/sailoperator.io.md 
@@ -909,7 +909,7 @@ _Appears in:_
 | `version` _string_ | Defines the version of Istio to install. Must be one of: v1.23.2, v1.22.5, v1.21.6, latest. | v1.23.2 | Enum: [v1.23.2 v1.22.5 v1.21.6 latest] |
 | `updateStrategy` _[IstioUpdateStrategy](#istioupdatestrategy)_ | Defines the update strategy to use when the version in the Istio CR is updated. | \{ type:InPlace \} | |
 | `profile` _string_ | The built-in installation configuration profile to use. The 'default' profile is always applied. On OpenShift, the 'openshift' profile is also applied on top of 'default'. Must be one of: ambient, default, demo, empty, external, openshift-ambient, openshift, preview, stable. | | Enum: [ambient default demo empty external openshift-ambient openshift preview stable] |
-| `namespace` _string_ | Namespace to which the Istio components should be installed. | istio-system | |
+| `namespace` _string_ | Namespace to which the Istio components should be installed. Note that this field is immutable. | istio-system | |
 | `values` _[Values](#values)_ | Defines the values to be passed to the Helm charts when installing Istio. | | |
 
 
diff --git a/tests/integration/api/istio_test.go b/tests/integration/api/istio_test.go
index 7345b8b34..f4113ed0d 100644
--- a/tests/integration/api/istio_test.go
+++ b/tests/integration/api/istio_test.go
@@ -272,6 +272,14 @@ var _ = Describe("Istio resource", Ordered, func() {
 deleteAllIstiosAndRevisions(ctx)
 })
 
+ When("namespace is updated", func() {
+ It("throws a validation error as the field is immutable", func() {
+ Expect(k8sClient.Get(ctx, istioKey, istio)).To(Succeed())
+ istio.Spec.Namespace = workloadNamespace
+ Expect(k8sClient.Update(ctx, istio)).To(MatchError(ContainSubstring("immutable")))
+ })
+ })
+
 When("version is updated", func() {
 BeforeAll(func() {
 Expect(k8sClient.Get(ctx, istioKey, istio)).To(Succeed())
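Review bot: Only the `Istio` rule gets a test here; this patch adds the identical `self == oldSelf` rule to `IstioRevisionSpec` but touches no IstioRevision test, so a regression on that resource would go unnoticed — a parallel `When("namespace is updated", ...)` case in the IstioRevision integration suite would cover it. `MatchError(ContainSubstring("immutable"))` matches only on the CRD's message text; CEL validation errors carry the field path, so also asserting `ContainSubstring("spec.namespace")` (for example via `SatisfyAll`) keeps the test from passing on some other immutable field. After the failed `Update` the shared `istio` object still holds the modified `Namespace`; the following `When` re-fetches it so nothing breaks today, but an `It` inserted between the two would inherit the stale value, so restoring it or mutating a local copy is cheaper than a later surprise. The enclosing `Describe` starts outside the hunk.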