Merge tag '1.21.5' into tetratefips-release-1.21

Istio release 1.21.5

.devcontainer/devcontainer.json

@@ -1,6 +1,6 @@
 {
   "name": "istio build-tools",
-  "image": "gcr.io/istio-testing/build-tools:release-1.21-4ef8661a6a388d403616444787141bb47a04ee39",
+  "image": "gcr.io/istio-testing/build-tools:release-1.21-c3faed1158524149e46b2af5567621ab6e43a8be",
   "privileged": true,
   "remoteEnv": {
     "USE_GKE_GCLOUD_AUTH_PLUGIN": "True",

Makefile.core.mk

@@ -49,7 +49,7 @@ endif
 export VERSION
 
 # Base version of Istio image to use
-BASE_VERSION ?= 1.21-2024-06-02T19-03-50
+BASE_VERSION ?= 1.21-2024-06-27T19-02-39
 ISTIO_BASE_REGISTRY ?= gcr.io/istio-release
 
 export GO111MODULE ?= on

common/.commonfiles.sha

@@ -1 +1 @@
-994ec08882325c03642242b65a43f77eb6615a4f
+06e135f7547513ec25ff68499fdf5f9dd03de583

common/scripts/setup_env.sh

@@ -75,7 +75,7 @@ fi
 TOOLS_REGISTRY_PROVIDER=${TOOLS_REGISTRY_PROVIDER:-gcr.io}
 PROJECT_ID=${PROJECT_ID:-istio-testing}
 if [[ "${IMAGE_VERSION:-}" == "" ]]; then
-  IMAGE_VERSION=release-1.21-4ef8661a6a388d403616444787141bb47a04ee39
+  IMAGE_VERSION=release-1.21-c3faed1158524149e46b2af5567621ab6e43a8be
 fi
 if [[ "${IMAGE_NAME:-}" == "" ]]; then
   IMAGE_NAME=build-tools

go.mod

@@ -104,8 +104,8 @@ require (
 	gopkg.in/yaml.v2 v2.4.0
 	gopkg.in/yaml.v3 v3.0.1
 	helm.sh/helm/v3 v3.14.2
-	istio.io/api v1.21.4-0.20240611230649-337ff9a6cea2
-	istio.io/client-go v1.21.4-0.20240611231558-63d10ab13ad0
+	istio.io/api v1.21.5-0.20240703104612-887d9c12c535
+	istio.io/client-go v1.21.5-0.20240703105210-92e449934315
 	k8s.io/api v0.29.0
 	k8s.io/apiextensions-apiserver v0.29.0
 	k8s.io/apimachinery v0.29.0

go.sum

@@ -1089,10 +1089,10 @@ helm.sh/helm/v3 v3.14.2/go.mod h1:2itvvDv2WSZXTllknfQo6j7u3VVgMAvm8POCDgYH424=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
-istio.io/api v1.21.4-0.20240611230649-337ff9a6cea2 h1:vStTheu7D9Xk9/oZI5uRl9r0Vqn01jOXKxSCwqvxQ0s=
-istio.io/api v1.21.4-0.20240611230649-337ff9a6cea2/go.mod h1:TFCMUCAHRjxBv1CsIsFCsYHPHi4axVI4vdIzVr8eFjY=
-istio.io/client-go v1.21.4-0.20240611231558-63d10ab13ad0 h1:vXjyWFDCB8eESFe6rL7MWKPBJF7uAZ3aZzWN4veoWR4=
-istio.io/client-go v1.21.4-0.20240611231558-63d10ab13ad0/go.mod h1:SOLAAx2S26noWzUYPxfzRUiDl/aqDPpYVu68g/qz4S4=
+istio.io/api v1.21.5-0.20240703104612-887d9c12c535 h1:Cj9NJ44PpCEkhA9uF36J4Fxb8wKIH3t+cJXXbiXbDDE=
+istio.io/api v1.21.5-0.20240703104612-887d9c12c535/go.mod h1:TFCMUCAHRjxBv1CsIsFCsYHPHi4axVI4vdIzVr8eFjY=
+istio.io/client-go v1.21.5-0.20240703105210-92e449934315 h1:m8as9n2Ua8TH96dJq2fBqbV5BD6AK7Bpm4bxb3cvTJI=
+istio.io/client-go v1.21.5-0.20240703105210-92e449934315/go.mod h1:eC6qqf6Fw/NRc4iSFfSnPMrDOhfaFhlgPiT6v6d3RzU=
 k8s.io/api v0.18.2/go.mod h1:SJCWI7OLzhZSvbY7U8zwNl9UA4o1fizoug34OV/2r78=
 k8s.io/api v0.18.4/go.mod h1:lOIQAKYgai1+vz9J7YcDZwC26Z0zQewYOGWdyIPUUQ4=
 k8s.io/api v0.29.0 h1:NiCdQMY1QOp1H8lfRyeEf8eOwV6+0xA6XEE44ohDX2A=

istio.deps

@@ -4,13 +4,13 @@
     "name": "PROXY_REPO_SHA",
     "repoName": "proxy",
     "file": "",
-    "lastStableSHA": "aff23c1d4e167fa8c7d23eb22d0cd79b6f197a83"
+    "lastStableSHA": "a6876b842f3858fbcf8f801259be2e93996be674"
   },
   {
     "_comment": "",
     "name": "ZTUNNEL_REPO_SHA",
     "repoName": "ztunnel",
     "file": "",
-    "lastStableSHA": "84e8e226070e951f97705376ee14e09cabd0d911"
+    "lastStableSHA": "2cc4386399991a64ed0449f87ffd6949fbf877d7"
   }
 ]

pilot/pkg/model/gateway.go

@@ -150,10 +150,10 @@ func RecordRejectedConfig(gatewayName string) {
 // use.
 const DisableGatewayPortTranslationLabel = "experimental.istio.io/disable-gateway-port-translation"
 
-// MergeGateways combines multiple gateways targeting the same workload into a single logical Gateway.
+// mergeGateways combines multiple gateways targeting the same workload into a single logical Gateway.
 // Note that today any Servers in the combined gateways listening on the same port must have the same protocol.
 // If servers with different protocols attempt to listen on the same port, one of the protocols will be chosen at random.
-func MergeGateways(gateways []gatewayWithInstances, proxy *Proxy, ps *PushContext) *MergedGateway {
+func mergeGateways(gateways []gatewayWithInstances, proxy *Proxy, ps *PushContext) *MergedGateway {
 	gatewayPorts := sets.New[uint32]()
 	nonPlainTextGatewayPortsBindMap := map[uint32]sets.String{}
 	mergedServers := make(map[ServerPort]*MergedServers)
@@ -168,12 +168,12 @@ func MergeGateways(gateways []gatewayWithInstances, proxy *Proxy, ps *PushContex
 	tlsHostsByPort := map[uint32]map[string]string{} // port -> host/bind map
 	autoPassthrough := false
 
-	log.Debugf("MergeGateways: merging %d gateways", len(gateways))
+	log.Debugf("mergeGateways: merging %d gateways", len(gateways))
 	for _, gwAndInstance := range gateways {
 		gatewayConfig := gwAndInstance.gateway
 		gatewayName := gatewayConfig.Namespace + "/" + gatewayConfig.Name // Format: %s/%s
 		gatewayCfg := gatewayConfig.Spec.(*networking.Gateway)
-		log.Debugf("MergeGateways: merging gateway %q :\n%v", gatewayName, gatewayCfg)
+		log.Debugf("mergeGateways: merging gateway %q :\n%v", gatewayName, gatewayCfg)
 		snames := sets.String{}
 		for _, s := range gatewayCfg.Servers {
 			if len(s.Name) > 0 {
@@ -190,7 +190,7 @@ func MergeGateways(gateways []gatewayWithInstances, proxy *Proxy, ps *PushContex
 			}
 			sanitizeServerHostNamespace(s, gatewayConfig.Namespace)
 			gatewayNameForServer[s] = gatewayName
-			log.Debugf("MergeGateways: gateway %q processing server %s :%v", gatewayName, s.Name, s.Hosts)
+			log.Debugf("mergeGateways: gateway %q processing server %s :%v", gatewayName, s.Name, s.Hosts)
 
 			cn := s.GetTls().GetCredentialName()
 			if cn != "" && proxy.VerifiedIdentity != nil {
@@ -357,7 +357,7 @@ func MergeGateways(gateways []gatewayWithInstances, proxy *Proxy, ps *PushContex
 					mergedServers[serverPort] = &MergedServers{Servers: []*networking.Server{s}, RouteName: routeName}
 					serverPorts = append(serverPorts, serverPort)
 				}
-				log.Debugf("MergeGateways: gateway %q merged server %v", gatewayName, s.Hosts)
+				log.Debugf("mergeGateways: gateway %q merged server %v", gatewayName, s.Hosts)
 			}
 		}
 	}

pilot/pkg/model/gateway_test.go

@@ -135,7 +135,7 @@ func TestMergeGateways(t *testing.T) {
 			for _, c := range tt.gwConfig {
 				instances = append(instances, gatewayWithInstances{c, true, nil})
 			}
-			mgw := MergeGateways(instances, &Proxy{}, nil)
+			mgw := mergeGateways(instances, &Proxy{}, nil)
 			if len(mgw.MergedServers) != tt.mergedServersNum {
 				t.Errorf("Incorrect number of merged servers. Expected: %v Got: %d", tt.mergedServersNum, len(mgw.MergedServers))
 			}
@@ -216,7 +216,7 @@ func TestGetAutoPassthroughSNIHosts(t *testing.T) {
 		},
 	}
 	instances := []gatewayWithInstances{{gateway: gateway, instances: gatewayServiceTargets}}
-	mgw := MergeGateways(instances, &Proxy{}, nil)
+	mgw := mergeGateways(instances, &Proxy{}, nil)
 	hosts := mgw.GetAutoPassthrughGatewaySNIHosts()
 	expectedHosts := sets.Set[string]{}
 	expectedHosts.InsertAll("a.apps.svc.cluster.local", "b.apps.svc.cluster.local")

pilot/pkg/model/push_context.go

@@ -2279,7 +2279,7 @@ func (ps *PushContext) mergeGateways(proxy *Proxy) *MergedGateway {
 		return nil
 	}
 
-	return MergeGateways(gatewayInstances, proxy, ps)
+	return mergeGateways(gatewayInstances, proxy, ps)
 }
 
 func (ps *PushContext) NetworkManager() *NetworkManager {

pilot/pkg/networking/core/v1alpha3/gateway.go

@@ -129,7 +129,7 @@ func (configgen *ConfigGeneratorImpl) buildGatewayListeners(builder *ListenerBui
 	// listener port -> host/bind
 	tlsHostsByPort := map[uint32]map[string]string{}
 	for _, port := range mergedGateway.ServerPorts {
-		// Skip ports we cannot bind to. Note that MergeGateways will already translate Service port to
+		// Skip ports we cannot bind to. Note that mergeGateways will already translate Service port to
 		// targetPort, which handles the common case of exposing ports like 80 and 443 but listening on
 		// higher numbered ports.
 		if builder.node.IsUnprivileged() && port.Number < 1024 {

pilot/pkg/serviceregistry/kube/controller/controller.go

@@ -788,9 +788,12 @@ func (c *Controller) collectWorkloadInstanceEndpoints(svc *model.Service) []*mod
 }
 
 // GetProxyServiceTargets returns service targets co-located with a given proxy
-// TODO: this code does not return k8s service instances when the proxy's IP is a workload entry
-// To tackle this, we need a ip2instance map like what we have in service entry.
 func (c *Controller) GetProxyServiceTargets(proxy *model.Proxy) []model.ServiceTarget {
+	if !c.isControllerForProxy(proxy) {
+		log.Errorf("proxy is in cluster %v, but controller is for cluster %v", proxy.Metadata.ClusterID, c.Cluster())
+		return nil
+	}
+
 	if len(proxy.IPAddresses) > 0 {
 		proxyIP := proxy.IPAddresses[0]
 		// look up for a WorkloadEntry; if there are multiple WorkloadEntry(s)
@@ -803,11 +806,6 @@ func (c *Controller) GetProxyServiceTargets(proxy *model.Proxy) []model.ServiceT
 		if pod != nil && !proxy.IsVM() {
 			// we don't want to use this block for our test "VM" which is actually a Pod.
 
-			if !c.isControllerForProxy(proxy) {
-				log.Errorf("proxy is in cluster %v, but controller is for cluster %v", proxy.Metadata.ClusterID, c.Cluster())
-				return nil
-			}
-
 			// 1. find proxy service by label selector, if not any, there may exist headless service without selector
 			// failover to 2
 			allServices := c.services.List(pod.Namespace, klabels.Everything())
@@ -834,12 +832,6 @@ func (c *Controller) GetProxyServiceTargets(proxy *model.Proxy) []model.ServiceT
 		return out
 	}
 
-	// TODO: This could not happen, remove?
-	if c.opts.Metrics != nil {
-		c.opts.Metrics.AddMetric(model.ProxyStatusNoService, proxy.ID, proxy.ID, "")
-	} else {
-		log.Infof("Missing metrics env, empty list of services for pod %s", proxy.ID)
-	}
 	return nil
 }
 
@@ -950,10 +942,6 @@ func (c *Controller) GetProxyServiceTargetsFromMetadata(proxy *model.Proxy) ([]m
 		return nil, nil
 	}
 
-	if !c.isControllerForProxy(proxy) {
-		return nil, fmt.Errorf("proxy is in cluster %v, but controller is for cluster %v", proxy.Metadata.ClusterID, c.Cluster())
-	}
-
 	// Create a pod with just the information needed to find the associated Services
 	dummyPod := &v1.Pod{
 		ObjectMeta: metav1.ObjectMeta{

pilot/pkg/xds/ads.go

@@ -662,7 +662,17 @@ func (s *DiscoveryServer) initializeProxy(con *Connection) error {
 }
 
 func (s *DiscoveryServer) computeProxyState(proxy *model.Proxy, request *model.PushRequest) {
-	proxy.SetServiceTargets(s.Env.ServiceDiscovery)
+	var shouldResetGateway, shouldResetSidecarScope bool
+	// 1. If request == nil(initiation phase) or request.ConfigsUpdated == nil(global push), set proxy serviceTargets.
+	// 2. otherwise only set when svc update, this is for the case that a service may select the proxy
+	if request == nil || len(request.ConfigsUpdated) == 0 ||
+		model.HasConfigsOfKind(request.ConfigsUpdated, kind.ServiceEntry) {
+		proxy.SetServiceTargets(s.Env.ServiceDiscovery)
+		// proxy.SetGatewaysForProxy depends on the serviceTargets,
+		// so when we reset serviceTargets, should reset gateway as well.
+		shouldResetGateway = true
+	}
+
 	// only recompute workload labels when
 	// 1. stream established and proxy first time initialization
 	// 2. proxy update
@@ -675,38 +685,35 @@ func (s *DiscoveryServer) computeProxyState(proxy *model.Proxy, request *model.P
 	// Saves compute cycles in networking code. Though this might be redundant sometimes, we still
 	// have to compute this because as part of a config change, a new Sidecar could become
 	// applicable to this proxy
-	var sidecar, gateway bool
 	push := proxy.LastPushContext
 	if request == nil {
-		sidecar = true
-		gateway = true
+		shouldResetSidecarScope = true
 	} else {
 		push = request.Push
 		if len(request.ConfigsUpdated) == 0 {
-			sidecar = true
-			gateway = true
+			shouldResetSidecarScope = true
 		}
 		for conf := range request.ConfigsUpdated {
 			switch conf.Kind {
 			case kind.ServiceEntry, kind.DestinationRule, kind.VirtualService, kind.Sidecar, kind.HTTPRoute, kind.TCPRoute:
-				sidecar = true
+				shouldResetSidecarScope = true
 			case kind.Gateway, kind.KubernetesGateway, kind.GatewayClass, kind.ReferenceGrant:
-				gateway = true
+				shouldResetGateway = true
 			case kind.Ingress:
-				sidecar = true
-				gateway = true
+				shouldResetSidecarScope = true
+				shouldResetGateway = true
 			}
-			if sidecar && gateway {
+			if shouldResetSidecarScope && shouldResetGateway {
 				break
 			}
 		}
 	}
 	// compute the sidecarscope for both proxy type whenever it changes.
-	if sidecar {
+	if shouldResetSidecarScope {
 		proxy.SetSidecarScope(push)
 	}
 	// only compute gateways for "router" type proxy.
-	if gateway && proxy.Type == model.Router {
+	if shouldResetGateway && proxy.Type == model.Router {
 		proxy.SetGatewaysForProxy(push)
 	}
 	proxy.LastPushContext = push

releasenotes/notes/51726.yaml

@@ -0,0 +1,8 @@
+apiVersion: release-notes/v2
+kind: bug-fix
+area: traffic-management
+issue:
+  - 51726
+releaseNotes:
+  - |
+    **Fixed** a bug where router's merged gateway was not immediately recomputed when a service was created or updated.

tests/integration/pilot/ingress_test.go

@@ -541,6 +541,92 @@ spec:
 					Check:   check.OK(),
 				})
 			})
+			t.NewSubTest("minimal-delay-create-gateway-svc").Run(func(t framework.TestContext) {
+				gatewayNs := namespace.NewOrFail(t, t, namespace.Config{Prefix: "custom-gateway-minimal", Inject: inject})
+				_ = t.ConfigIstio().Eval(gatewayNs.Name(), templateParams, `apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: custom-gateway
+spec:
+  selector:
+    matchLabels:
+      istio: custom
+  template:
+    metadata:
+      annotations:
+        inject.istio.io/templates: gateway
+      labels:
+        istio: custom
+        {{ .injectLabel }}
+    spec:
+      {{- if ne .imagePullSecret "" }}
+      imagePullSecrets:
+      - name: {{ .imagePullSecret }}
+      {{- end }}
+      containers:
+      - name: istio-proxy
+        image: auto
+        imagePullPolicy: {{ .imagePullPolicy }}
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: Gateway
+metadata:
+  name: app
+spec:
+  selector:
+    istio: custom
+  servers:
+  - port:
+      number: 80
+      name: http
+      protocol: HTTP
+    hosts:
+    - "*"
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+  name: app
+spec:
+  hosts:
+  - "*"
+  gateways:
+  - app
+  http:
+  - route:
+    - destination:
+        host: {{ .host }}
+        port:
+          number: 80
+`).Apply(apply.NoCleanup)
+				cs := t.Clusters().Default().(*kubecluster.Cluster)
+				retry.UntilSuccessOrFail(t, func() error {
+					_, err := kubetest.CheckPodsAreReady(kubetest.NewPodFetch(cs, gatewayNs.Name(), "istio=custom"))
+					return err
+				}, retry.Timeout(time.Minute*2))
+				// create gateway service after its pod get started
+				_ = t.ConfigIstio().Eval(gatewayNs.Name(), templateParams, `apiVersion: v1
+kind: Service
+metadata:
+  name: custom-gateway
+  labels:
+    istio: custom
+spec:
+  ports:
+  - port: 80
+    targetPort: 8080
+    name: http
+  selector:
+    istio: custom
+`).Apply(apply.NoCleanup)
+				apps.B[0].CallOrFail(t, echo.CallOptions{
+					Port:    echo.Port{ServicePort: 80},
+					Scheme:  scheme.HTTP,
+					Address: fmt.Sprintf("custom-gateway.%s.svc.cluster.local", gatewayNs.Name()),
+					Check:   check.OK(),
+				})
+			})
+
 			// TODO we could add istioctl as well, but the framework adds a bunch of stuff beyond just `istioctl install`
 			// that mess with certs, multicluster, etc
 			t.NewSubTest("helm").Run(func(t framework.TestContext) {