chore(chart-deps): update istiod to version 1.27.1

apps.yaml

@@ -132,7 +132,7 @@ appsInfo:
     integration: APL integrated ingress-nginx into an advanced ingress architecture.
   istio:
     title: Istio
-    appVersion: 1.26.3
+    appVersion: 1.27.1
     repo: https://github.com/istio/istio
     maintainers: Istio
     relatedLinks:

chart/chart-index/Chart.yaml

@@ -41,7 +41,7 @@ dependencies:
     version: 1.26.3
     repository: https://istio-release.storage.googleapis.com/charts
   - name: istiod
-    version: 1.26.3
+    version: 1.27.1
     repository: https://istio-release.storage.googleapis.com/charts
   - name: jaeger-operator
     version: 2.46.0

charts/istiod/Chart.yaml

@@ -1,5 +1,5 @@
 apiVersion: v2
-appVersion: 1.26.3
+appVersion: 1.27.1
 description: Helm chart for istio control plane
 icon: https://istio.io/latest/favicons/android-192x192.png
 keywords:
@@ -9,4 +9,4 @@ keywords:
 name: istiod
 sources:
 - https://github.com/istio/istio
-version: 1.26.3
+version: 1.27.1

charts/istiod/files/gateway-injection-template.yaml

@@ -138,6 +138,10 @@ spec:
     - name: ISTIO_META_OWNER
       value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }}
     {{- end}}
+    {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
+    - name: ISTIO_BOOTSTRAP_OVERRIDE
+      value: "/etc/istio/custom-bootstrap/custom_bootstrap.json"
+    {{- end }}
     {{- if .Values.global.meshID }}
     - name: ISTIO_META_MESH_ID
       value: "{{ .Values.global.meshID }}"
@@ -181,6 +185,10 @@ spec:
     {{- end }}
     - mountPath: /var/lib/istio/data
       name: istio-data
+    {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
+    - mountPath: /etc/istio/custom-bootstrap
+      name: custom-bootstrap-volume
+    {{- end }}
     # SDS channel between istioagent and Envoy
     - mountPath: /etc/istio/proxy
       name: istio-envoy
@@ -195,7 +203,7 @@ spec:
     - name: istio-podinfo
       mountPath: /etc/istio/pod
   volumes:
-  - emptyDir: {}
+  - emptyDir:
     name: workload-socket
   - emptyDir: {}
     name: credential-socket
@@ -207,6 +215,11 @@ spec:
   - emptyDir: {}
     name: workload-certs
   {{- end }}
+  {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
+  - name: custom-bootstrap-volume
+    configMap:
+      name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }}
+  {{- end }}
   # SDS channel between istioagent and Envoy
   - emptyDir:
       medium: Memory
@@ -239,7 +252,7 @@ spec:
           path: root-cert.pem
   {{- else }}
     configMap:
-      name: istio-ca-root-cert
+      name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }}
   {{- end }}
   {{- end }}
   {{- if .Values.global.mountMtlsCerts }}

charts/istiod/files/grpc-agent.yaml

@@ -290,7 +290,7 @@ spec:
           path: root-cert.pem
   {{- else }}
     configMap:
-      name: istio-ca-root-cert
+      name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }}
   {{- end }}
   {{- end }}
   {{- if .Values.global.mountMtlsCerts }}

charts/istiod/files/injection-template.yaml

@@ -24,8 +24,9 @@
     {{- end }}
   {{- end }}
 {{- end }}
-{{ $nativeSidecar := (or (and (not (isset .ObjectMeta.Annotations `sidecar.istio.io/nativeSidecar`)) (eq (env "ENABLE_NATIVE_SIDECARS" "false") "true")) (eq (index .ObjectMeta.Annotations `sidecar.istio.io/nativeSidecar`) "true")) }}
 {{ $tproxy := (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) }}
+{{ $capNetBindService := (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) }}
+{{ $nativeSidecar := ne (index .ObjectMeta.Annotations `sidecar.istio.io/nativeSidecar` | default (printf "%t" .NativeSidecars)) "false" }}
 {{- $containers := list }}
 {{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}}
 metadata:
@@ -140,6 +141,9 @@ spec:
     {{ else if .Values.global.proxy_init.forceApplyIptables -}}
     - "--force-apply"
     {{ end -}}
+    {{ if .Values.global.nativeNftables -}}
+    - "--native-nftables"
+    {{ end -}}
     {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
   {{- if .ProxyConfig.ProxyMetadata }}
     env:
@@ -376,20 +380,20 @@ spec:
       {{- else }}
       allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }}
       capabilities:
-        {{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}}
+        {{ if or $tproxy $capNetBindService -}}
         add:
-        {{ if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY` -}}
+        {{ if $tproxy -}}
         - NET_ADMIN
         {{- end }}
-        {{ if eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true` -}}
+        {{ if $capNetBindService -}}
         - NET_BIND_SERVICE
         {{- end }}
         {{- end }}
         drop:
         - ALL
       privileged: {{ .Values.global.proxy.privileged }}
       readOnlyRootFilesystem: true
-      {{ if or ($tproxy) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}}
+      {{ if or $tproxy $capNetBindService -}}
       runAsNonRoot: false
       runAsUser: 0
       runAsGroup: 1337
@@ -417,6 +421,8 @@ spec:
     {{- if eq .Values.global.pilotCertProvider "istiod" }}
     - mountPath: /var/run/secrets/istio
       name: istiod-ca-cert
+    - mountPath: /var/run/secrets/istio/crl
+      name: istio-ca-crl
     {{- end }}
     - mountPath: /var/lib/istio/data
       name: istio-data
@@ -498,9 +504,13 @@ spec:
           path: root-cert.pem
   {{- else }}
     configMap:
-      name: istio-ca-root-cert
+      name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }}
   {{- end }}
   {{- end }}
+  - name: istio-ca-crl
+    configMap:
+      name: istio-ca-crl
+      optional: true
   {{- if .Values.global.mountMtlsCerts }}
   # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
   - name: istio-certs

charts/istiod/files/kube-gateway.yaml

@@ -303,11 +303,11 @@ spec:
         projected:
           sources:
           - clusterTrustBundle:
-              name: istio.io:istiod-ca:root-cert
+              name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }}
               path: root-cert.pem
       {{- else }}
         configMap:
-          name: istio-ca-root-cert
+          name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }}
       {{- end }}
       {{- end }}
       {{- if .Values.global.imagePullSecrets }}

charts/istiod/files/profile-ambient.yaml

@@ -7,6 +7,13 @@ meshConfig:
   defaultConfig:
     proxyMetadata:
       ISTIO_META_ENABLE_HBONE: "true"
+  serviceScopeConfigs:
+    - servicesSelector:
+        matchExpressions:
+          - key: istio.io/global
+            operator: In
+            values: ["true"]
+      scope: GLOBAL
 global:
   variant: distroless
 pilot:

charts/istiod/files/profile-compatibility-version-1.24.yaml

@@ -6,6 +6,8 @@ pilot:
   env:
     # 1.24 behavioral changes
     PILOT_ENABLE_IP_AUTOALLOCATE: "false"
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
 ambient:
   dnsCapture: false
   reconcileIptablesOnStartup: false

charts/istiod/files/profile-compatibility-version-1.25.yaml

@@ -2,6 +2,10 @@
 # The original version of this file is located at /manifests/helm-profiles directory.
 # If you want to make a change in this file, edit the original one and run "make gen".
 
+pilot:
+  env:
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
 ambient:
   # 1.26 behavioral changes
   shareHostNetworkNamespace: true

charts/istiod/files/profile-compatibility-version-1.26.yaml

@@ -0,0 +1,8 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"

charts/istiod/files/waypoint.yaml

@@ -32,7 +32,7 @@ metadata:
       .InfrastructureLabels
       (strdict
         "gateway.networking.k8s.io/gateway-name" .Name
-        "gateway.istio.io/managed" "istio.io-mesh-controller"
+        "gateway.istio.io/managed" .ControllerLabel
       ) | nindent 4 }}
   ownerReferences:
   - apiVersion: gateway.networking.k8s.io/v1beta1
@@ -65,7 +65,7 @@ spec:
           .InfrastructureLabels
           (strdict
             "gateway.networking.k8s.io/gateway-name" .Name
-            "gateway.istio.io/managed" "istio.io-mesh-controller"
+            "gateway.istio.io/managed" .ControllerLabel
           ) | nindent 8}}
     spec:
       {{- if .Values.global.waypoint.affinity }}
@@ -292,11 +292,11 @@ spec:
         projected:
           sources:
           - clusterTrustBundle:
-              name: istio.io:istiod-ca:root-cert
+              name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }}
               path: root-cert.pem
       {{- else }}
         configMap:
-          name: istio-ca-root-cert
+          name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }}
       {{- end }}
       {{- if .Values.global.imagePullSecrets }}
       imagePullSecrets:

charts/istiod/templates/autoscale.yaml

@@ -1,5 +1,5 @@
 # Not created if istiod is running remotely
-{{- if not .Values.istiodRemote.enabled }}
+{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod) }}
 {{- if and .Values.autoscaleEnabled .Values.autoscaleMin .Values.autoscaleMax }}
 apiVersion: autoscaling/v2
 kind: HorizontalPodAutoscaler

charts/istiod/templates/clusterrole.yaml

@@ -1,5 +1,5 @@
 # Created if this is not a remote istiod, OR if it is and is also a config cluster
-{{- if or (and .Values.istiodRemote.enabled .Values.global.configCluster) (not .Values.istiodRemote.enabled) }}
+{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }}
 {{ $mcsAPIGroup := or .Values.env.MCS_API_GROUP "multicluster.x-k8s.io" }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -144,6 +144,7 @@ rules:
   - apiGroups: ["gateway.networking.x-k8s.io"]
     resources:
     - xbackendtrafficpolicies/status
+    - xlistenersets/status
     verbs: ["update", "patch"]
   - apiGroups: ["gateway.networking.k8s.io"]
     resources:
@@ -160,6 +161,12 @@ rules:
   - apiGroups: ["gateway.networking.k8s.io"]
     resources: ["gatewayclasses"]
     verbs: ["create", "update", "patch", "delete"]
+  - apiGroups: ["inference.networking.x-k8s.io"]
+    resources: ["inferencepools"]
+    verbs: ["get", "watch", "list"]
+  - apiGroups: ["inference.networking.x-k8s.io"]
+    resources: ["inferencepools/status"]
+    verbs: ["update", "patch"]
 
   # Needed for multicluster secret reading, possibly ingress certs in the future
   - apiGroups: [""]

charts/istiod/templates/clusterrolebinding.yaml

@@ -1,5 +1,5 @@
 # Created if this is not a remote istiod, OR if it is and is also a config cluster
-{{- if or (and .Values.istiodRemote.enabled .Values.global.configCluster) (not .Values.istiodRemote.enabled) }}
+{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:

charts/istiod/templates/configmap-jwks.yaml

@@ -1,5 +1,5 @@
 # Not created if istiod is running remotely
-{{- if not .Values.istiodRemote.enabled }}
+{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod) }}
 {{- if .Values.jwksResolverExtraRootCA }}
 apiVersion: v1
 kind: ConfigMap

charts/istiod/templates/configmap.yaml

@@ -62,7 +62,12 @@
       {{- end }}
       {{- end }}
       {{- if .Values.global.remotePilotAddress }}
+      {{- if and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod }}
+      #  only primary `istiod` to xds and local `istiod` injection installs.
+      discoveryAddress: {{ printf "istiod-remote.%s.svc" .Release.Namespace }}:15012
+      {{- else }}
       discoveryAddress: {{ printf "istiod.%s.svc" .Release.Namespace }}:15012
+      {{- end }}
       {{- else }}
       discoveryAddress: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{.Release.Namespace}}.svc:15012
       {{- end }}

charts/istiod/templates/deployment.yaml

@@ -1,5 +1,5 @@
 # Not created if istiod is running remotely
-{{- if not .Values.istiodRemote.enabled }}
+{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod) }}
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -17,6 +17,10 @@ metadata:
 {{- range $key, $val := .Values.deploymentLabels }}
     {{ $key }}: "{{ $val }}"
 {{- end }}
+  {{- if .Values.deploymentAnnotations }}
+  annotations:
+{{ toYaml .Values.deploymentAnnotations | indent 4 }}
+  {{- end }}
 spec:
 {{- if not .Values.autoscaleEnabled }}
 {{- if .Values.replicaCount }}
@@ -193,6 +197,10 @@ spec:
 {{- if and .Values.global.externalIstiod (not (and .Values.env .Values.env.EXTERNAL_ISTIOD)) }}
           - name: EXTERNAL_ISTIOD
             value: "{{ .Values.global.externalIstiod }}"
+{{- end }}
+{{- if .Values.global.trustBundleName }}
+          - name: PILOT_CA_CERT_CONFIGMAP
+            value: "{{ .Values.global.trustBundleName }}"
 {{- end }}
           - name: PILOT_ENABLE_ANALYSIS
             value: "{{ .Values.global.istiod.enableAnalysis }}"
@@ -284,12 +292,12 @@ spec:
         projected:
           sources:
           - clusterTrustBundle:
-              name: istio.io:istiod-ca:root-cert
+              name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }}
               path: root-cert.pem
               optional: true
   {{- else }}
         configMap:
-          name: istio-ca-root-cert
+          name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }}
           defaultMode: 420
           optional: true
   {{- end }}

charts/istiod/templates/mutatingwebhook.yaml

@@ -2,7 +2,7 @@
 {{- /* Core defines the common configuration used by all webhook segments */}}
 {{/* Copy just what we need to avoid expensive deepCopy */}}
 {{- $whv := dict
- "revision" .Values.revision
+"revision" .Values.revision
   "injectionPath" .Values.istiodRemote.injectionPath
   "injectionURL" .Values.istiodRemote.injectionURL
   "reinvocationPolicy" .Values.sidecarInjectorWebhook.reinvocationPolicy