chore(chart-deps): update istiod to version 1.27.0

apps.yaml

@@ -132,7 +132,7 @@ appsInfo:
     integration: APL integrated ingress-nginx into an advanced ingress architecture.
   istio:
     title: Istio
-    appVersion: 1.26.1
+    appVersion: 1.27.0
     repo: https://github.com/istio/istio
     maintainers: Istio
     relatedLinks:

chart/chart-index/Chart.yaml

@@ -41,7 +41,7 @@ dependencies:
     version: 1.26.1
     repository: https://istio-release.storage.googleapis.com/charts
   - name: istiod
-    version: 1.26.1
+    version: 1.27.0
     repository: https://istio-release.storage.googleapis.com/charts
   - name: jaeger-operator
     version: 2.46.0

charts/istiod/Chart.yaml

@@ -1,5 +1,5 @@
 apiVersion: v2
-appVersion: 1.26.1
+appVersion: 1.27.0
 description: Helm chart for istio control plane
 icon: https://istio.io/latest/favicons/android-192x192.png
 keywords:
@@ -9,4 +9,4 @@ keywords:
 name: istiod
 sources:
 - https://github.com/istio/istio
-version: 1.26.1
+version: 1.27.0

charts/istiod/files/gateway-injection-template.yaml

@@ -138,6 +138,10 @@ spec:
     - name: ISTIO_META_OWNER
       value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }}
     {{- end}}
+    {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
+    - name: ISTIO_BOOTSTRAP_OVERRIDE
+      value: "/etc/istio/custom-bootstrap/custom_bootstrap.json"
+    {{- end }}
     {{- if .Values.global.meshID }}
     - name: ISTIO_META_MESH_ID
       value: "{{ .Values.global.meshID }}"
@@ -181,6 +185,10 @@ spec:
     {{- end }}
     - mountPath: /var/lib/istio/data
       name: istio-data
+    {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
+    - mountPath: /etc/istio/custom-bootstrap
+      name: custom-bootstrap-volume
+    {{- end }}
     # SDS channel between istioagent and Envoy
     - mountPath: /etc/istio/proxy
       name: istio-envoy
@@ -195,7 +203,7 @@ spec:
     - name: istio-podinfo
       mountPath: /etc/istio/pod
   volumes:
-  - emptyDir: {}
+  - emptyDir:
     name: workload-socket
   - emptyDir: {}
     name: credential-socket
@@ -207,6 +215,11 @@ spec:
   - emptyDir: {}
     name: workload-certs
   {{- end }}
+  {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
+  - name: custom-bootstrap-volume
+    configMap:
+      name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }}
+  {{- end }}
   # SDS channel between istioagent and Envoy
   - emptyDir:
       medium: Memory
@@ -235,11 +248,11 @@ spec:
     projected:
       sources:
       - clusterTrustBundle:
-        name: istio.io:istiod-ca:root-cert
-        path: root-cert.pem
+          name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }}
+          path: root-cert.pem
   {{- else }}
     configMap:
-      name: istio-ca-root-cert
+      name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }}
   {{- end }}
   {{- end }}
   {{- if .Values.global.mountMtlsCerts }}

charts/istiod/files/grpc-agent.yaml

@@ -286,11 +286,11 @@ spec:
     projected:
       sources:
       - clusterTrustBundle:
-        name: istio.io:istiod-ca:root-cert
-        path: root-cert.pem
+          name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }}
+          path: root-cert.pem
   {{- else }}
     configMap:
-      name: istio-ca-root-cert
+      name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }}
   {{- end }}
   {{- end }}
   {{- if .Values.global.mountMtlsCerts }}

charts/istiod/files/injection-template.yaml

@@ -24,7 +24,9 @@
     {{- end }}
   {{- end }}
 {{- end }}
-{{ $nativeSidecar := (or (and (not (isset .ObjectMeta.Annotations `sidecar.istio.io/nativeSidecar`)) (eq (env "ENABLE_NATIVE_SIDECARS" "false") "true")) (eq (index .ObjectMeta.Annotations `sidecar.istio.io/nativeSidecar`) "true")) }}
+{{ $tproxy := (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) }}
+{{ $capNetBindService := (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) }}
+{{ $nativeSidecar := ne (index .ObjectMeta.Annotations `sidecar.istio.io/nativeSidecar` | default (printf "%t" .NativeSidecars)) "false" }}
 {{- $containers := list }}
 {{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}}
 metadata:
@@ -94,7 +96,7 @@ spec:
     - "-z"
     - {{ .MeshConfig.ProxyInboundListenPort | default "15006" | quote }}
     - "-u"
-    - {{ .ProxyUID | default "1337" | quote }}
+    - {{ if $tproxy }} "1337" {{ else }} {{ .ProxyUID | default "1337" | quote }} {{ end }}
     - "-m"
     - "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}"
     - "-i"
@@ -139,6 +141,9 @@ spec:
     {{ else if .Values.global.proxy_init.forceApplyIptables -}}
     - "--force-apply"
     {{ end -}}
+    {{ if .Values.global.nativeNftables -}}
+    - "--native-nftables"
+    {{ end -}}
     {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
   {{- if .ProxyConfig.ProxyMetadata }}
     env:
@@ -167,8 +172,8 @@ spec:
       runAsUser: 0
     {{- else }}
       readOnlyRootFilesystem: true
-      runAsGroup: {{ .ProxyGID | default "1337" }}
-      runAsUser: {{ .ProxyUID | default "1337" }}
+      runAsGroup: {{ if $tproxy }} 1337 {{ else }} {{ .ProxyGID | default "1337" }} {{ end }}
+      runAsUser: {{ if $tproxy }} 1337 {{ else }} {{ .ProxyUID | default "1337" }} {{ end }}
       runAsNonRoot: true
     {{- end }}
   {{ end -}}
@@ -375,26 +380,27 @@ spec:
       {{- else }}
       allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }}
       capabilities:
-        {{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}}
+        {{ if or $tproxy $capNetBindService -}}
         add:
-        {{ if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY` -}}
+        {{ if $tproxy -}}
         - NET_ADMIN
         {{- end }}
-        {{ if eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true` -}}
+        {{ if $capNetBindService -}}
         - NET_BIND_SERVICE
         {{- end }}
         {{- end }}
         drop:
         - ALL
       privileged: {{ .Values.global.proxy.privileged }}
       readOnlyRootFilesystem: true
-      runAsGroup: {{ .ProxyGID | default "1337" }}
-      {{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}}
+      {{ if or $tproxy $capNetBindService -}}
       runAsNonRoot: false
       runAsUser: 0
+      runAsGroup: 1337
       {{- else -}}
       runAsNonRoot: true
       runAsUser: {{ .ProxyUID | default "1337" }}
+      runAsGroup: {{ .ProxyGID | default "1337" }}
       {{- end }}
       {{- end }}
     resources:
@@ -415,6 +421,8 @@ spec:
     {{- if eq .Values.global.pilotCertProvider "istiod" }}
     - mountPath: /var/run/secrets/istio
       name: istiod-ca-cert
+    - mountPath: /var/run/secrets/istio/crl
+      name: istio-ca-crl
     {{- end }}
     - mountPath: /var/lib/istio/data
       name: istio-data
@@ -492,13 +500,17 @@ spec:
     projected:
       sources:
       - clusterTrustBundle:
-        name: istio.io:istiod-ca:root-cert
-        path: root-cert.pem
+          name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }}
+          path: root-cert.pem
   {{- else }}
     configMap:
-      name: istio-ca-root-cert
+      name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }}
   {{- end }}
   {{- end }}
+  - name: istio-ca-crl
+    configMap:
+      name: istio-ca-crl
+      optional: true
   {{- if .Values.global.mountMtlsCerts }}
   # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
   - name: istio-certs

charts/istiod/files/kube-gateway.yaml

@@ -303,11 +303,11 @@ spec:
         projected:
           sources:
           - clusterTrustBundle:
-              name: istio.io:istiod-ca:root-cert
+              name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }}
               path: root-cert.pem
       {{- else }}
         configMap:
-          name: istio-ca-root-cert
+          name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }}
       {{- end }}
       {{- end }}
       {{- if .Values.global.imagePullSecrets }}

charts/istiod/files/profile-ambient.yaml

@@ -7,6 +7,13 @@ meshConfig:
   defaultConfig:
     proxyMetadata:
       ISTIO_META_ENABLE_HBONE: "true"
+  serviceScopeConfigs:
+    - servicesSelector:
+        matchExpressions:
+          - key: istio.io/global
+            operator: In
+            values: ["true"]
+      scope: GLOBAL
 global:
   variant: distroless
 pilot:

charts/istiod/files/profile-compatibility-version-1.24.yaml

@@ -6,6 +6,8 @@ pilot:
   env:
     # 1.24 behavioral changes
     PILOT_ENABLE_IP_AUTOALLOCATE: "false"
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
 ambient:
   dnsCapture: false
   reconcileIptablesOnStartup: false

charts/istiod/files/profile-compatibility-version-1.25.yaml

@@ -2,6 +2,10 @@
 # The original version of this file is located at /manifests/helm-profiles directory.
 # If you want to make a change in this file, edit the original one and run "make gen".
 
+pilot:
+  env:
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
 ambient:
   # 1.26 behavioral changes
   shareHostNetworkNamespace: true

charts/istiod/files/profile-compatibility-version-1.26.yaml

@@ -0,0 +1,8 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"

charts/istiod/files/waypoint.yaml

@@ -32,7 +32,7 @@ metadata:
       .InfrastructureLabels
       (strdict
         "gateway.networking.k8s.io/gateway-name" .Name
-        "gateway.istio.io/managed" "istio.io-mesh-controller"
+        "gateway.istio.io/managed" .ControllerLabel
       ) | nindent 4 }}
   ownerReferences:
   - apiVersion: gateway.networking.k8s.io/v1beta1
@@ -65,7 +65,7 @@ spec:
           .InfrastructureLabels
           (strdict
             "gateway.networking.k8s.io/gateway-name" .Name
-            "gateway.istio.io/managed" "istio.io-mesh-controller"
+            "gateway.istio.io/managed" .ControllerLabel
           ) | nindent 8}}
     spec:
       {{- if .Values.global.waypoint.affinity }}
@@ -292,11 +292,11 @@ spec:
         projected:
           sources:
           - clusterTrustBundle:
-              name: istio.io:istiod-ca:root-cert
+              name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }}
               path: root-cert.pem
       {{- else }}
         configMap:
-          name: istio-ca-root-cert
+          name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }}
       {{- end }}
       {{- if .Values.global.imagePullSecrets }}
       imagePullSecrets:

charts/istiod/templates/autoscale.yaml

@@ -1,5 +1,5 @@
 # Not created if istiod is running remotely
-{{- if not .Values.istiodRemote.enabled }}
+{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod) }}
 {{- if and .Values.autoscaleEnabled .Values.autoscaleMin .Values.autoscaleMax }}
 apiVersion: autoscaling/v2
 kind: HorizontalPodAutoscaler

charts/istiod/templates/clusterrole.yaml

@@ -1,5 +1,5 @@
 # Created if this is not a remote istiod, OR if it is and is also a config cluster
-{{- if or (and .Values.istiodRemote.enabled .Values.global.configCluster) (not .Values.istiodRemote.enabled) }}
+{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }}
 {{ $mcsAPIGroup := or .Values.env.MCS_API_GROUP "multicluster.x-k8s.io" }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -120,7 +120,7 @@ rules:
 {{- if eq (.Values.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }}
   - apiGroups: ["certificates.k8s.io"]
     resources: ["clustertrustbundles"]
-    verbs: ["update", "create", "delete"]
+    verbs: ["update", "create", "delete", "list", "watch", "get"]
   - apiGroups: ["certificates.k8s.io"]
     resources: ["signers"]
     resourceNames: ["istio.io/istiod-ca"]
@@ -144,6 +144,7 @@ rules:
   - apiGroups: ["gateway.networking.x-k8s.io"]
     resources:
     - xbackendtrafficpolicies/status
+    - xlistenersets/status
     verbs: ["update", "patch"]
   - apiGroups: ["gateway.networking.k8s.io"]
     resources:
@@ -160,6 +161,12 @@ rules:
   - apiGroups: ["gateway.networking.k8s.io"]
     resources: ["gatewayclasses"]
     verbs: ["create", "update", "patch", "delete"]
+  - apiGroups: ["inference.networking.x-k8s.io"]
+    resources: ["inferencepools"]
+    verbs: ["get", "watch", "list"]
+  - apiGroups: ["inference.networking.x-k8s.io"]
+    resources: ["inferencepools/status"]
+    verbs: ["update", "patch"]
 
   # Needed for multicluster secret reading, possibly ingress certs in the future
   - apiGroups: [""]

charts/istiod/templates/clusterrolebinding.yaml

@@ -1,5 +1,5 @@
 # Created if this is not a remote istiod, OR if it is and is also a config cluster
-{{- if or (and .Values.istiodRemote.enabled .Values.global.configCluster) (not .Values.istiodRemote.enabled) }}
+{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:

charts/istiod/templates/configmap-jwks.yaml

@@ -1,5 +1,5 @@
 # Not created if istiod is running remotely
-{{- if not .Values.istiodRemote.enabled }}
+{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod) }}
 {{- if .Values.jwksResolverExtraRootCA }}
 apiVersion: v1
 kind: ConfigMap

charts/istiod/templates/configmap.yaml

@@ -62,7 +62,12 @@
       {{- end }}
       {{- end }}
       {{- if .Values.global.remotePilotAddress }}
+      {{- if and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod }}
+      #  only primary `istiod` to xds and local `istiod` injection installs.
+      discoveryAddress: {{ printf "istiod-remote.%s.svc" .Release.Namespace }}:15012
+      {{- else }}
       discoveryAddress: {{ printf "istiod.%s.svc" .Release.Namespace }}:15012
+      {{- end }}
       {{- else }}
       discoveryAddress: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{.Release.Namespace}}.svc:15012
       {{- end }}