diff --git a/apps.yaml b/apps.yaml index b7a8184c64..c281678f2a 100644 --- a/apps.yaml +++ b/apps.yaml @@ -132,7 +132,7 @@ appsInfo: integration: APL integrated ingress-nginx into an advanced ingress architecture. istio: title: Istio - appVersion: 1.26.3 + appVersion: 1.27.1 repo: https://github.com/istio/istio maintainers: Istio relatedLinks: diff --git a/chart/chart-index/Chart.yaml b/chart/chart-index/Chart.yaml index 381514f092..8df2c958a2 100644 --- a/chart/chart-index/Chart.yaml +++ b/chart/chart-index/Chart.yaml @@ -41,7 +41,7 @@ dependencies: version: 1.26.3 repository: https://istio-release.storage.googleapis.com/charts - name: istiod - version: 1.26.3 + version: 1.27.1 repository: https://istio-release.storage.googleapis.com/charts - name: jaeger-operator version: 2.46.0 diff --git a/charts/istiod/Chart.yaml b/charts/istiod/Chart.yaml index 2e6749b0d8..6c2be4955f 100644 --- a/charts/istiod/Chart.yaml +++ b/charts/istiod/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 1.26.3 +appVersion: 1.27.1 description: Helm chart for istio control plane icon: https://istio.io/latest/favicons/android-192x192.png keywords: @@ -9,4 +9,4 @@ keywords: name: istiod sources: - https://github.com/istio/istio -version: 1.26.3 +version: 1.27.1 diff --git a/charts/istiod/files/gateway-injection-template.yaml b/charts/istiod/files/gateway-injection-template.yaml index 7d23f15f95..bc15ee3c31 100644 --- a/charts/istiod/files/gateway-injection-template.yaml +++ b/charts/istiod/files/gateway-injection-template.yaml 
@@ -138,6 +138,10 @@ spec: - name: ISTIO_META_OWNER value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} {{- end}} + {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} + - name: ISTIO_BOOTSTRAP_OVERRIDE + value: "/etc/istio/custom-bootstrap/custom_bootstrap.json" + {{- end }} {{- if .Values.global.meshID }} - name: ISTIO_META_MESH_ID value: "{{ .Values.global.meshID }}" @@ -181,6 +185,10 @@ spec: {{- end }} - mountPath: /var/lib/istio/data name: istio-data + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} + - mountPath: /etc/istio/custom-bootstrap + name: custom-bootstrap-volume + {{- end }} # SDS channel between istioagent and Envoy - mountPath: /etc/istio/proxy name: istio-envoy @@ -195,7 +203,7 @@ spec: - name: istio-podinfo mountPath: /etc/istio/pod volumes: - - emptyDir: {} + - emptyDir: name: workload-socket - emptyDir: {} name: credential-socket @@ -207,6 +215,11 @@ spec: - emptyDir: {} name: workload-certs {{- end }} + {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} + - name: custom-bootstrap-volume + configMap: + name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }} + {{- end }} # SDS channel between istioagent and Envoy - emptyDir: medium: Memory @@ -239,7 +252,7 @@ spec: path: root-cert.pem {{- else }} configMap: - name: istio-ca-root-cert + name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} {{- end }} {{- end }} {{- if .Values.global.mountMtlsCerts }} diff --git a/charts/istiod/files/grpc-agent.yaml b/charts/istiod/files/grpc-agent.yaml index dda3aeaa91..6e3102e4c8 100644 --- a/charts/istiod/files/grpc-agent.yaml +++ b/charts/istiod/files/grpc-agent.yaml 
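Review bot: The `workload-socket` volume in the `@@ -195,7 +203,7 @@` hunk loses its value: `- emptyDir:` with nothing after the colon parses as null rather than as an empty mapping, so unless the injector normalizes it the volume is left with no source at all. The original line was `- emptyDir: {}` and the sibling `credential-socket` entry two lines below still reads `- emptyDir: {}`, which makes this look like an accidental edit rather than an intended change. If it is deliberate, a one-line comment explaining why the source is omitted would stop the next reader from "fixing" it back.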
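Review bot: `name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }}` in the last hunk of this file reads a value that none of the values.yaml hunks in this diff declare; the same expression is introduced in grpc-agent.yaml, injection-template.yaml, kube-gateway.yaml, waypoint.yaml and deployment.yaml. `default` keeps rendering safe when the key is absent, but in kube-gateway.yaml, waypoint.yaml and deployment.yaml the same value is also spliced into the ClusterTrustBundle name with a different default (`istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }}`), and deployment.yaml passes it to istiod as `PILOT_CA_CERT_CONFIGMAP`, so a user-supplied value must satisfy both naming schemes at once. If `global.trustBundleName` is not already declared further down in values.yaml, add `trustBundleName: ""` under `global` with a comment stating that it names the root-cert ConfigMap, the `istio.io:istiod-ca:<name>` ClusterTrustBundle and the ConfigMap istiod writes to.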
@@ -290,7 +290,7 @@ spec: path: root-cert.pem {{- else }} configMap: - name: istio-ca-root-cert + name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} {{- end }} {{- end }} {{- if .Values.global.mountMtlsCerts }} diff --git a/charts/istiod/files/injection-template.yaml b/charts/istiod/files/injection-template.yaml index 657e5ee09c..9705cfe5df 100644 --- a/charts/istiod/files/injection-template.yaml +++ b/charts/istiod/files/injection-template.yaml @@ -24,8 +24,9 @@ {{- end }} {{- end }} {{- end }} -{{ $nativeSidecar := (or (and (not (isset .ObjectMeta.Annotations `sidecar.istio.io/nativeSidecar`)) (eq (env "ENABLE_NATIVE_SIDECARS" "false") "true")) (eq (index .ObjectMeta.Annotations `sidecar.istio.io/nativeSidecar`) "true")) }} {{ $tproxy := (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) }} +{{ $capNetBindService := (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) }} +{{ $nativeSidecar := ne (index .ObjectMeta.Annotations `sidecar.istio.io/nativeSidecar` | default (printf "%t" .NativeSidecars)) "false" }} {{- $containers := list }} {{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} metadata: @@ -140,6 +141,9 @@ spec: {{ else if .Values.global.proxy_init.forceApplyIptables -}} - "--force-apply" {{ end -}} + {{ if .Values.global.nativeNftables -}} + - "--native-nftables" + {{ end -}} {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} {{- if .ProxyConfig.ProxyMetadata }} env: 
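Review bot: The rewritten `$nativeSidecar` line in the injection-template.yaml `@@ -24,8 +24,9 @@` hunk widens the annotation's semantics: `ne (index .ObjectMeta.Annotations ... | default (printf "%t" .NativeSidecars)) "false"` enables native sidecars for any annotation value other than the literal `false`, whereas the removed line required the literal `true`. A typo such as `False` or `fasle` on the pod now opts it in instead of out. If that widening is intended, a comment above the definition such as `# Native sidecars are on unless the annotation is exactly "false"; .NativeSidecars supplies the mesh default` documents it; otherwise `eq ... "true"` preserves the previous behaviour.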
@@ -376,12 +380,12 @@ spec: {{- else }} allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} capabilities: - {{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}} + {{ if or $tproxy $capNetBindService -}} add: - {{ if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY` -}} + {{ if $tproxy -}} - NET_ADMIN {{- end }} - {{ if eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true` -}} + {{ if $capNetBindService -}} - NET_BIND_SERVICE {{- end }} {{- end }} @@ -389,7 +393,7 @@ spec: - ALL privileged: {{ .Values.global.proxy.privileged }} readOnlyRootFilesystem: true - {{ if or ($tproxy) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}} + {{ if or $tproxy $capNetBindService -}} runAsNonRoot: false runAsUser: 0 runAsGroup: 1337 @@ -417,6 +421,8 @@ spec: {{- if eq .Values.global.pilotCertProvider "istiod" }} - mountPath: /var/run/secrets/istio name: istiod-ca-cert + - mountPath: /var/run/secrets/istio/crl + name: istio-ca-crl {{- end }} - mountPath: /var/lib/istio/data name: istio-data @@ -498,9 +504,13 @@ spec: path: root-cert.pem {{- else }} configMap: - name: istio-ca-root-cert + name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} {{- end }} {{- end }} + - name: istio-ca-crl + configMap: + name: istio-ca-crl + optional: true {{- if .Values.global.mountMtlsCerts }} # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - name: istio-certs diff --git a/charts/istiod/files/kube-gateway.yaml b/charts/istiod/files/kube-gateway.yaml index 447ecae839..616fb42c71 100644 --- a/charts/istiod/files/kube-gateway.yaml +++ b/charts/istiod/files/kube-gateway.yaml 
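Review bot: The new `istio-ca-crl` volume in the `@@ -498,9 +504,13 @@` hunk is declared unconditionally, after the two `{{- end }}` lines that close the `pilotCertProvider` block, while its mount in the `@@ -417,6 +421,8 @@` hunk is only emitted inside `{{- if eq .Values.global.pilotCertProvider "istiod" }}`. An unmounted volume is accepted by the API server, but every pod injected with a different cert provider now carries a dangling ConfigMap volume, and the ConfigMap name is hard-coded while the root-cert ConfigMap name became configurable in the same file. Wrapping the volume in the same `pilotCertProvider` condition as the mount keeps the two in step, and a comment such as `# optional: the CRL ConfigMap may not exist yet when the pod is created` would explain the `optional: true`. Note that gateway-injection-template.yaml, grpc-agent.yaml, kube-gateway.yaml and waypoint.yaml do not receive the CRL mount in this diff; if that is an oversight rather than scope, it is worth a follow-up.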
@@ -303,11 +303,11 @@ spec: projected: sources: - clusterTrustBundle: - name: istio.io:istiod-ca:root-cert + name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }} path: root-cert.pem {{- else }} configMap: - name: istio-ca-root-cert + name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} {{- end }} {{- end }} {{- if .Values.global.imagePullSecrets }} diff --git a/charts/istiod/files/profile-ambient.yaml b/charts/istiod/files/profile-ambient.yaml index 2805fe46bf..495fbcd434 100644 --- a/charts/istiod/files/profile-ambient.yaml +++ b/charts/istiod/files/profile-ambient.yaml @@ -7,6 +7,13 @@ meshConfig: defaultConfig: proxyMetadata: ISTIO_META_ENABLE_HBONE: "true" + serviceScopeConfigs: + - servicesSelector: + matchExpressions: + - key: istio.io/global + operator: In + values: ["true"] + scope: GLOBAL global: variant: distroless pilot: diff --git a/charts/istiod/files/profile-compatibility-version-1.23.yaml b/charts/istiod/files/profile-compatibility-version-1.23.yaml deleted file mode 100644 index dac910ff5b..0000000000 --- a/charts/istiod/files/profile-compatibility-version-1.23.yaml +++ /dev/null 
@@ -1,25 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.24 behavioral changes - ENABLE_INBOUND_RETRY_POLICY: "false" - EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false" - PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false" - ENABLE_ENHANCED_DESTINATIONRULE_MERGE: "false" - PILOT_UNIFIED_SIDECAR_SCOPE: "false" - -meshConfig: - defaultConfig: - proxyMetadata: - # 1.24 behaviour changes - ENABLE_DEFERRED_STATS_CREATION: "false" - BYPASS_OVERLOAD_MANAGER_FOR_STATIC_LISTENERS: "false" - -ambient: - # Not present in <1.24, defaults to `true` in 1.25+ - reconcileIptablesOnStartup: false - # 1.26 behavioral changes - shareHostNetworkNamespace: true diff --git a/charts/istiod/files/profile-compatibility-version-1.24.yaml b/charts/istiod/files/profile-compatibility-version-1.24.yaml index b211c82666..4f3dbef7ea 100644 --- a/charts/istiod/files/profile-compatibility-version-1.24.yaml +++ b/charts/istiod/files/profile-compatibility-version-1.24.yaml @@ -6,6 +6,8 @@ pilot: env: # 1.24 behavioral changes PILOT_ENABLE_IP_AUTOALLOCATE: "false" + # 1.27 behavioral changes + ENABLE_NATIVE_SIDECARS: "false" ambient: dnsCapture: false reconcileIptablesOnStartup: false diff --git a/charts/istiod/files/profile-compatibility-version-1.25.yaml b/charts/istiod/files/profile-compatibility-version-1.25.yaml index eb8827cd50..b2f45948c2 100644 --- a/charts/istiod/files/profile-compatibility-version-1.25.yaml +++ b/charts/istiod/files/profile-compatibility-version-1.25.yaml 
@@ -2,6 +2,10 @@ # The original version of this file is located at /manifests/helm-profiles directory. # If you want to make a change in this file, edit the original one and run "make gen". +pilot: + env: + # 1.27 behavioral changes + ENABLE_NATIVE_SIDECARS: "false" ambient: # 1.26 behavioral changes shareHostNetworkNamespace: true diff --git a/charts/istiod/files/profile-compatibility-version-1.26.yaml b/charts/istiod/files/profile-compatibility-version-1.26.yaml new file mode 100644 index 0000000000..af10697326 --- /dev/null +++ b/charts/istiod/files/profile-compatibility-version-1.26.yaml @@ -0,0 +1,8 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.27 behavioral changes + ENABLE_NATIVE_SIDECARS: "false" \ No newline at end of file diff --git a/charts/istiod/files/waypoint.yaml b/charts/istiod/files/waypoint.yaml index 421cabeae7..3e6a2f5dc1 100644 --- a/charts/istiod/files/waypoint.yaml +++ b/charts/istiod/files/waypoint.yaml @@ -32,7 +32,7 @@ metadata: .InfrastructureLabels (strdict "gateway.networking.k8s.io/gateway-name" .Name - "gateway.istio.io/managed" "istio.io-mesh-controller" + "gateway.istio.io/managed" .ControllerLabel ) | nindent 4 }} ownerReferences: - apiVersion: gateway.networking.k8s.io/v1beta1 @@ -65,7 +65,7 @@ spec: .InfrastructureLabels (strdict "gateway.networking.k8s.io/gateway-name" .Name - "gateway.istio.io/managed" "istio.io-mesh-controller" + "gateway.istio.io/managed" .ControllerLabel ) | nindent 8}} spec: {{- if .Values.global.waypoint.affinity }} 
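Review bot: The new profile-compatibility-version-1.26.yaml ends without a trailing newline (`\ No newline at end of file`), unlike the sibling 1.24 and 1.25 profiles touched in the same diff. Since the header states the file is a generated copy from /manifests/helm-profiles produced by `make gen`, the fix belongs in the generator or the original file rather than a hand edit here; otherwise the next regeneration is likely to reintroduce the discrepancy.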
@@ -292,11 +292,11 @@ spec: projected: sources: - clusterTrustBundle: - name: istio.io:istiod-ca:root-cert + name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }} path: root-cert.pem {{- else }} configMap: - name: istio-ca-root-cert + name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} {{- end }} {{- if .Values.global.imagePullSecrets }} imagePullSecrets: diff --git a/charts/istiod/templates/autoscale.yaml b/charts/istiod/templates/autoscale.yaml index 363a834f2b..185f8169db 100644 --- a/charts/istiod/templates/autoscale.yaml +++ b/charts/istiod/templates/autoscale.yaml @@ -1,5 +1,5 @@ # Not created if istiod is running remotely -{{- if not .Values.istiodRemote.enabled }} +{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod) }} {{- if and .Values.autoscaleEnabled .Values.autoscaleMin .Values.autoscaleMax }} apiVersion: autoscaling/v2 kind: HorizontalPodAutoscaler diff --git a/charts/istiod/templates/clusterrole.yaml b/charts/istiod/templates/clusterrole.yaml index d4d79d00fa..d9c86f43fa 100644 --- a/charts/istiod/templates/clusterrole.yaml +++ b/charts/istiod/templates/clusterrole.yaml @@ -1,5 +1,5 @@ # Created if this is not a remote istiod, OR if it is and is also a config cluster -{{- if or (and .Values.istiodRemote.enabled .Values.global.configCluster) (not .Values.istiodRemote.enabled) }} +{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }} {{ $mcsAPIGroup := or .Values.env.MCS_API_GROUP "multicluster.x-k8s.io" }} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole @@ -144,6 +144,7 @@ rules: - apiGroups: ["gateway.networking.x-k8s.io"] resources: - xbackendtrafficpolicies/status + - xlistenersets/status verbs: ["update", "patch"] - apiGroups: ["gateway.networking.k8s.io"] resources: 
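Review bot: The new guard in autoscale.yaml, `{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod) }}`, is equivalent to `{{- if or (not .Values.istiodRemote.enabled) .Values.istiodRemote.enabledLocalInjectorIstiod }}` — the inner `and` with `enabled` is redundant because the `not enabled` alternative already covers the case where it is false. The identical expression recurs in configmap-jwks.yaml, deployment.yaml, poddisruptionbudget.yaml and service.yaml, and the comment kept above each of them, `# Not created if istiod is running remotely`, is now stale; `# Created for a local istiod, or for a remote install that also runs a local injector istiod` describes the new condition. The same staleness applies to `# Created if this is not a remote istiod, OR if it is and is also a config cluster` in clusterrole.yaml, clusterrolebinding.yaml, role.yaml, rolebinding.yaml, serviceaccount.yaml, validatingadmissionpolicy.yaml and validatingwebhookconfiguration.yaml, whose condition gained the `enabledLocalInjectorIstiod` alternative without the comment changing.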
@@ -160,6 +161,12 @@ rules: - apiGroups: ["gateway.networking.k8s.io"] resources: ["gatewayclasses"] verbs: ["create", "update", "patch", "delete"] + - apiGroups: ["inference.networking.x-k8s.io"] + resources: ["inferencepools"] + verbs: ["get", "watch", "list"] + - apiGroups: ["inference.networking.x-k8s.io"] + resources: ["inferencepools/status"] + verbs: ["update", "patch"] # Needed for multicluster secret reading, possibly ingress certs in the future - apiGroups: [""] diff --git a/charts/istiod/templates/clusterrolebinding.yaml b/charts/istiod/templates/clusterrolebinding.yaml index 10781b4079..1b8fa4d079 100644 --- a/charts/istiod/templates/clusterrolebinding.yaml +++ b/charts/istiod/templates/clusterrolebinding.yaml @@ -1,5 +1,5 @@ # Created if this is not a remote istiod, OR if it is and is also a config cluster -{{- if or (and .Values.istiodRemote.enabled .Values.global.configCluster) (not .Values.istiodRemote.enabled) }} +{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: diff --git a/charts/istiod/templates/configmap-jwks.yaml b/charts/istiod/templates/configmap-jwks.yaml index 6d4ce6c738..02d7b3de5b 100644 --- a/charts/istiod/templates/configmap-jwks.yaml +++ b/charts/istiod/templates/configmap-jwks.yaml @@ -1,5 +1,5 @@ # Not created if istiod is running remotely -{{- if not .Values.istiodRemote.enabled }} +{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod) }} {{- if .Values.jwksResolverExtraRootCA }} apiVersion: v1 kind: ConfigMap diff --git a/charts/istiod/templates/configmap.yaml b/charts/istiod/templates/configmap.yaml index 5b73699f65..9969e2b211 100644 --- a/charts/istiod/templates/configmap.yaml +++ b/charts/istiod/templates/configmap.yaml 
@@ -62,7 +62,12 @@ {{- end }} {{- end }} {{- if .Values.global.remotePilotAddress }} + {{- if and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod }} + # only primary `istiod` to xds and local `istiod` injection installs. + discoveryAddress: {{ printf "istiod-remote.%s.svc" .Release.Namespace }}:15012 + {{- else }} discoveryAddress: {{ printf "istiod.%s.svc" .Release.Namespace }}:15012 + {{- end }} {{- else }} discoveryAddress: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{.Release.Namespace}}.svc:15012 {{- end }} diff --git a/charts/istiod/templates/deployment.yaml b/charts/istiod/templates/deployment.yaml index 408eae7682..56148ed692 100644 --- a/charts/istiod/templates/deployment.yaml +++ b/charts/istiod/templates/deployment.yaml @@ -1,5 +1,5 @@ # Not created if istiod is running remotely -{{- if not .Values.istiodRemote.enabled }} +{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod) }} apiVersion: apps/v1 kind: Deployment metadata: @@ -17,6 +17,10 @@ metadata: {{- range $key, $val := .Values.deploymentLabels }} {{ $key }}: "{{ $val }}" {{- end }} + {{- if .Values.deploymentAnnotations }} + annotations: +{{ toYaml .Values.deploymentAnnotations | indent 4 }} + {{- end }} spec: {{- if not .Values.autoscaleEnabled }} {{- if .Values.replicaCount }} @@ -193,6 +197,10 @@ spec: {{- if and .Values.global.externalIstiod (not (and .Values.env .Values.env.EXTERNAL_ISTIOD)) }} - name: EXTERNAL_ISTIOD value: "{{ .Values.global.externalIstiod }}" +{{- end }} +{{- if .Values.global.trustBundleName }} + - name: PILOT_CA_CERT_CONFIGMAP + value: "{{ .Values.global.trustBundleName }}" {{- end }} - name: PILOT_ENABLE_ANALYSIS value: "{{ .Values.global.istiod.enableAnalysis }}" 
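Review bot: `discoveryAddress: {{ printf "istiod-remote.%s.svc" .Release.Namespace }}:15012` in configmap.yaml does not include `.Values.revision`, but remote-istiod-service.yaml and remote-istiod-endpoints.yaml in this same diff name the object `istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }}-remote`, so a revisioned install with `enabledLocalInjectorIstiod` would hand proxies a Service name that does not exist. The pre-existing `istiod.%s.svc` branch has the same gap, which may mean revisioned remote installs are simply not supported on this path; if so, say so in a comment, otherwise render the revision the way the non-remote branch two lines below does. The added comment "# only primary `istiod` to xds and local `istiod` injection installs." is hard to parse; `# Proxies reach the primary istiod (istiod-remote Service) for xDS; the local istiod only performs injection.` would be clearer, assuming that is the intent.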
@@ -284,12 +292,12 @@ spec: projected: sources: - clusterTrustBundle: - name: istio.io:istiod-ca:root-cert + name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }} path: root-cert.pem optional: true {{- else }} configMap: - name: istio-ca-root-cert + name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} defaultMode: 420 optional: true {{- end }} diff --git a/charts/istiod/templates/mutatingwebhook.yaml b/charts/istiod/templates/mutatingwebhook.yaml index c1428bf60b..11dac53b23 100644 --- a/charts/istiod/templates/mutatingwebhook.yaml +++ b/charts/istiod/templates/mutatingwebhook.yaml @@ -2,7 +2,7 @@ {{- /* Core defines the common configuration used by all webhook segments */}} {{/* Copy just what we need to avoid expensive deepCopy */}} {{- $whv := dict - "revision" .Values.revision +"revision" .Values.revision "injectionPath" .Values.istiodRemote.injectionPath "injectionURL" .Values.istiodRemote.injectionURL "reinvocationPolicy" .Values.sidecarInjectorWebhook.reinvocationPolicy diff --git a/charts/istiod/templates/poddisruptionbudget.yaml b/charts/istiod/templates/poddisruptionbudget.yaml index 8ba27dc0b8..974d988a6e 100644 --- a/charts/istiod/templates/poddisruptionbudget.yaml +++ b/charts/istiod/templates/poddisruptionbudget.yaml @@ -1,5 +1,5 @@ # Not created if istiod is running remotely -{{- if not .Values.istiodRemote.enabled }} +{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod) }} {{- if .Values.global.defaultPodDisruptionBudget.enabled }} apiVersion: policy/v1 kind: PodDisruptionBudget 
@@ -16,7 +16,14 @@ metadata: app.kubernetes.io/name: "istiod" {{- include "istio.labels" . | nindent 4 }} spec: - minAvailable: 1 + {{- if and .Values.pdb.minAvailable (not (hasKey .Values.pdb "maxUnavailable")) }} + minAvailable: {{ .Values.pdb.minAvailable }} + {{- else if .Values.pdb.maxUnavailable }} + maxUnavailable: {{ .Values.pdb.maxUnavailable }} + {{- end }} + {{- if .Values.pdb.unhealthyPodEvictionPolicy }} + unhealthyPodEvictionPolicy: {{ .Values.pdb.unhealthyPodEvictionPolicy }} + {{- end }} selector: matchLabels: app: istiod diff --git a/charts/istiod/templates/reader-clusterrole.yaml b/charts/istiod/templates/reader-clusterrole.yaml index 4707c7e9f0..dbaa805035 100644 --- a/charts/istiod/templates/reader-clusterrole.yaml +++ b/charts/istiod/templates/reader-clusterrole.yaml @@ -20,9 +20,7 @@ rules: resources: ["*"] verbs: ["get", "list", "watch"] - apiGroups: [""] - # TODO(keithmattix): See if we can conditionally give permission to read secrets and configmaps iff externalIstiod - # is enabled. Best I can tell, these two resources are only needed for configuring proxy TLS (i.e. CA certs). - resources: ["endpoints", "pods", "services", "nodes", "replicationcontrollers", "namespaces", "secrets", "configmaps"] + resources: ["endpoints", "pods", "services", "nodes", "replicationcontrollers", "namespaces", "secrets"] verbs: ["get", "list", "watch"] - apiGroups: ["networking.istio.io"] verbs: [ "get", "watch", "list" ] diff --git a/charts/istiod/templates/remote-istiod-endpoints.yaml b/charts/istiod/templates/remote-istiod-endpoints.yaml index a6de571da5..f13b8ce9a9 100644 --- a/charts/istiod/templates/remote-istiod-endpoints.yaml +++ b/charts/istiod/templates/remote-istiod-endpoints.yaml 
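Review bot: The PodDisruptionBudget spec relies on Go-template truthiness, so `minAvailable: 0` or `maxUnavailable: 0` — both valid PDB values — fall through `{{- if and .Values.pdb.minAvailable (not (hasKey .Values.pdb "maxUnavailable")) }}` and `{{- else if .Values.pdb.maxUnavailable }}` and render a spec with neither field, while a `maxUnavailable` explicitly set to `null` still suppresses `minAvailable` through `hasKey`. Testing for a non-nil value on both branches, e.g. `{{- if and (hasKey .Values.pdb "maxUnavailable") (not (kindIs "invalid" .Values.pdb.maxUnavailable)) }}` first and `{{- else if not (kindIs "invalid" .Values.pdb.minAvailable) }}` second, keeps zero values and preserves the "maxUnavailable wins" rule documented in the values.yaml hunk. A `# minAvailable and maxUnavailable are mutually exclusive in the PDB API; maxUnavailable takes precedence here` comment above the block would tie the template to that description.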
@@ -1,11 +1,16 @@ -# This file is only used for remote `istiod` installs. -{{- if .Values.istiodRemote.enabled }} +{{- if and .Values.global.remotePilotAddress .Values.istiodRemote.enabled }} # if the remotePilotAddress is an IP addr {{- if regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress }} apiVersion: v1 kind: Endpoints metadata: + {{- if .Values.istiodRemote.enabledLocalInjectorIstiod }} + # This file is only used for remote `istiod` installs. + # only primary `istiod` to xds and local `istiod` injection installs. + name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }}-remote + {{- else }} name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }} + {{- end }} namespace: {{ .Release.Namespace }} labels: app.kubernetes.io/name: "istiod" diff --git a/charts/istiod/templates/remote-istiod-service.yaml b/charts/istiod/templates/remote-istiod-service.yaml index d3f872f74b..0a48b9918b 100644 --- a/charts/istiod/templates/remote-istiod-service.yaml +++ b/charts/istiod/templates/remote-istiod-service.yaml @@ -1,11 +1,17 @@ -# This file is only used for remote `istiod` installs. -{{- if .Values.global.remotePilotAddress }} +# This file is only used for remote +{{- if and .Values.global.remotePilotAddress .Values.istiodRemote.enabled }} apiVersion: v1 kind: Service metadata: + {{- if .Values.istiodRemote.enabledLocalInjectorIstiod }} + # only primary `istiod` to xds and local `istiod` injection installs. + name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }}-remote + {{- else }} name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }} + {{- end }} namespace: {{ .Release.Namespace }} labels: + istio.io/rev: {{ .Values.revision | default "default" | quote }} app.kubernetes.io/name: "istiod" {{ include "istio.labels" . | nindent 4 }} spec: diff --git a/charts/istiod/templates/revision-tags.yaml b/charts/istiod/templates/revision-tags.yaml index 059a6abcc9..4604a90cb2 100644 
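Review bot: The replacement header comment in remote-istiod-service.yaml, `# This file is only used for remote`, is a truncated sentence — the removed line read "# This file is only used for remote `istiod` installs." and nothing in the new text completes it; restore the full sentence. In remote-istiod-endpoints.yaml the same sentence was moved inside the `enabledLocalInjectorIstiod` branch, where it now describes only one of the two names; it belongs back above the `{{- if and .Values.global.remotePilotAddress .Values.istiodRemote.enabled }}` guard. The `istio.io/rev` label added to the Service is not mirrored on the Endpoints object in the sibling file, which may be intentional but is worth a glance.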
--- a/charts/istiod/templates/revision-tags.yaml +++ b/charts/istiod/templates/revision-tags.yaml @@ -3,10 +3,11 @@ # is inherently created from a specific revision # TODO BML istiodRemote.injectionURL is invalid to set if `istiodRemote.enabled` is false, we should express that. {{- $whv := dict - "revision" .Values.revision +"revision" .Values.revision "injectionPath" .Values.istiodRemote.injectionPath "injectionURL" .Values.istiodRemote.injectionURL "reinvocationPolicy" .Values.sidecarInjectorWebhook.reinvocationPolicy + "caBundle" .Values.istiodRemote.injectionCABundle "namespace" .Release.Namespace }} {{- define "core" }} {{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign diff --git a/charts/istiod/templates/role.yaml b/charts/istiod/templates/role.yaml index 10d89e8d1b..bbcfbe4356 100644 --- a/charts/istiod/templates/role.yaml +++ b/charts/istiod/templates/role.yaml @@ -1,5 +1,5 @@ # Created if this is not a remote istiod, OR if it is and is also a config cluster -{{- if or (and .Values.istiodRemote.enabled .Values.global.configCluster) (not .Values.istiodRemote.enabled) }} +{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }} apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: diff --git a/charts/istiod/templates/rolebinding.yaml b/charts/istiod/templates/rolebinding.yaml index a42f4ec442..0c66b38a7d 100644 --- a/charts/istiod/templates/rolebinding.yaml +++ b/charts/istiod/templates/rolebinding.yaml 
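Review bot: `"revision" .Values.revision` in the `$whv` dict of revision-tags.yaml is moved to column 0 while the remaining keys (`"injectionPath"`, `"injectionURL"`, `"reinvocationPolicy"` and the new `"caBundle"`) keep their indentation; whitespace inside the action is irrelevant to rendering, but the mixed alignment reads like an accident, and mutatingwebhook.yaml carries the identical change. The new `"caBundle" .Values.istiodRemote.injectionCABundle` entry is added here but not in the mutatingwebhook.yaml `$whv` hunk, whose context ends before the point where it would sit; if both dicts feed the same `core` define they should stay in sync. `injectionCABundle` is also not among the values.yaml hunks in this diff, so confirm it is already declared.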
@@ -1,5 +1,5 @@ # Created if this is not a remote istiod, OR if it is and is also a config cluster -{{- if or (and .Values.istiodRemote.enabled .Values.global.configCluster) (not .Values.istiodRemote.enabled) }} +{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }} apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: diff --git a/charts/istiod/templates/service.yaml b/charts/istiod/templates/service.yaml index 8829f0f436..4e0e1984a2 100644 --- a/charts/istiod/templates/service.yaml +++ b/charts/istiod/templates/service.yaml @@ -1,5 +1,5 @@ # Not created if istiod is running remotely -{{- if not .Values.istiodRemote.enabled }} +{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod) }} apiVersion: v1 kind: Service metadata: @@ -51,5 +51,8 @@ spec: - {{ . }} {{- end }} {{- end }} + {{- if .Values.trafficDistribution }} + trafficDistribution: {{ .Values.trafficDistribution }} + {{- end }} --- {{- end }} diff --git a/charts/istiod/templates/serviceaccount.yaml b/charts/istiod/templates/serviceaccount.yaml index a673a4d078..8b4a0c0faf 100644 --- a/charts/istiod/templates/serviceaccount.yaml +++ b/charts/istiod/templates/serviceaccount.yaml @@ -1,5 +1,5 @@ # Created if this is not a remote istiod, OR if it is and is also a config cluster -{{- if or (and .Values.istiodRemote.enabled .Values.global.configCluster) (not .Values.istiodRemote.enabled) }} +{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }} apiVersion: v1 kind: ServiceAccount {{- if .Values.global.imagePullSecrets }} diff --git a/charts/istiod/templates/validatingadmissionpolicy.yaml b/charts/istiod/templates/validatingadmissionpolicy.yaml index d36eef68eb..8562a52d59 100644 
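Review bot: `trafficDistribution: {{ .Values.trafficDistribution }}` in service.yaml reads a top-level `trafficDistribution` value that none of the values.yaml hunks in this diff declare, so the field is only kept out of the rendered Service by the `{{- if }}` falling through on nil. If the key is not already present, add `trafficDistribution: ""` to values.yaml with a comment naming the accepted value(s) and noting that the field is only honoured by Kubernetes versions that serve `Service.spec.trafficDistribution`. Rendering it as `{{ .Values.trafficDistribution | quote }}` would also guard against YAML retyping of whatever the user supplies.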
--- a/charts/istiod/templates/validatingadmissionpolicy.yaml +++ b/charts/istiod/templates/validatingadmissionpolicy.yaml @@ -1,5 +1,5 @@ # Created if this is not a remote istiod, OR if it is and is also a config cluster -{{- if or (and .Values.istiodRemote.enabled .Values.global.configCluster) (not .Values.istiodRemote.enabled) }} +{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }} {{- if .Values.experimental.stableValidationPolicy }} apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingAdmissionPolicy diff --git a/charts/istiod/templates/validatingwebhookconfiguration.yaml b/charts/istiod/templates/validatingwebhookconfiguration.yaml index fb28836a0f..b49bf7fafd 100644 --- a/charts/istiod/templates/validatingwebhookconfiguration.yaml +++ b/charts/istiod/templates/validatingwebhookconfiguration.yaml @@ -1,5 +1,5 @@ # Created if this is not a remote istiod, OR if it is and is also a config cluster -{{- if or (and .Values.istiodRemote.enabled .Values.global.configCluster) (not .Values.istiodRemote.enabled) }} +{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }} {{- if .Values.global.configValidation }} apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingWebhookConfiguration diff --git a/charts/istiod/values.yaml b/charts/istiod/values.yaml index 4c15805c6b..ea9ad7ce9b 100644 --- a/charts/istiod/values.yaml +++ b/charts/istiod/values.yaml @@ -86,6 +86,9 @@ _internal_defaults_do_not_set: # Additional labels to apply to the deployment. deploymentLabels: {} + # Annotations to apply to the istiod deployment. + deploymentAnnotations: {} + ## Mesh config settings # Install the mesh config map, generated from values.yaml. 
@@ -174,6 +177,11 @@ _internal_defaults_do_not_set: # and istiod itself will NOT be installed in this cluster - only the support resources necessary # to utilize a remote instance. enabled: false + + # If `true`, indicates that this cluster/install should consume a "local istiod" installation, + # local istiod inject sidecars + enabledLocalInjectorIstiod: false + # Sidecar injector mutating webhook configuration clientConfig.url value. # For example: https://$remotePilotAddress:15017/inject # The host should not refer to a service running in the cluster; use a service reference by specifying @@ -246,7 +254,7 @@ _internal_defaults_do_not_set: # Dev builds from prow are on gcr.io hub: docker.io/istio # Default tag for Istio images. - tag: 1.26.3 + tag: 1.27.1 # Variant of the image to use. # Currently supported are: [debug, distroless] variant: "" @@ -270,6 +278,9 @@ _internal_defaults_do_not_set: # To output all istio components logs in json format by adding --log_as_json argument to each container argument logAsJson: false + # In order to use native nftable rules instead of iptable rules, set this flag to true. + nativeNftables: false + # Comma-separated minimum per-scope logging level of messages to output, in the form of :,: # The control plane has different scopes depending on component, but can configure default log level across all components # If empty, default scope and level will be used as configured in code @@ -468,11 +479,6 @@ _internal_defaults_do_not_set: mountMtlsCerts: false multiCluster: - # Set to true to connect two kubernetes clusters via their respective - # ingressgateway services when pods in each cluster cannot directly - # talk to one another. All clusters should be using Istio mTLS and must - # have a shared root CA for this model to work. - enabled: false # Should be set to the name of the cluster this installation will run in. This is required for sidecar injection # to properly label proxies clusterName: "" 
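Review bot: The description of the new `enabledLocalInjectorIstiod` key ("If true, indicates that this cluster/install should consume a local istiod installation, local istiod inject sidecars") is ungrammatical and does not say what the flag changes, which in this diff is that the istiod Deployment, Service, HPA, PDB, RBAC and webhook resources are rendered even though `istiodRemote.enabled` is true, with xDS pointed at the `istiod-remote` Service by configmap.yaml. Suggest `# If true while istiodRemote.enabled is also true, a local istiod is installed for sidecar injection only; proxies still use the remote istiod for xDS.`. Removing `multiCluster.enabled` together with its description is a behavioural change for anyone who set it; confirm no template in this chart still reads `.Values.global.multiCluster.enabled` (templates outside this diff are not visible here).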
@@ -551,3 +557,13 @@ _internal_defaults_do_not_set: # type: ClusterIP # Per-Gateway configuration can also be set in the `Gateway.spec.infrastructure.parametersRef` field. gatewayClasses: {} + + pdb: + # -- Minimum available pods set in PodDisruptionBudget. + # Define either 'minAvailable' or 'maxUnavailable', never both. + minAvailable: 1 + # -- Maximum unavailable pods set in PodDisruptionBudget. If set, 'minAvailable' is ignored. + # maxUnavailable: 1 + # -- Eviction policy for unhealthy pods guarded by PodDisruptionBudget. + # Ref: https://kubernetes.io/blog/2023/01/06/unhealthy-pod-eviction-policy-for-pdbs/ + unhealthyPodEvictionPolicy: ""