From a5060f5fa1abef0e3775dc2b3e0c85176a56bc67 Mon Sep 17 00:00:00 2001 From: Istio Automation Date: Sat, 14 Sep 2024 12:27:13 -0400 Subject: [PATCH 01/33] Automator: update proxy@release-1.23 in istio/istio@release-1.23 (#53141) --- istio.deps | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/istio.deps b/istio.deps index 29b0a0489380..5536d9ce8e44 100644 --- a/istio.deps +++ b/istio.deps @@ -4,7 +4,7 @@ "name": "PROXY_REPO_SHA", "repoName": "proxy", "file": "", - "lastStableSHA": "94ed360d6e7afb84546716e194b4c2fcc601e651" + "lastStableSHA": "7225951a625870f86bd5fef66cd6d365d94e3246" }, { "_comment": "", From 895a6da399303e5eb29eac40340d541fbda35c4a Mon Sep 17 00:00:00 2001 From: Istio Automation Date: Sun, 15 Sep 2024 12:31:14 -0400 Subject: [PATCH 02/33] Automator: update proxy@release-1.23 in istio/istio@release-1.23 (#53148) --- istio.deps | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/istio.deps b/istio.deps index 5536d9ce8e44..018749d6e936 100644 --- a/istio.deps +++ b/istio.deps @@ -4,7 +4,7 @@ "name": "PROXY_REPO_SHA", "repoName": "proxy", "file": "", - "lastStableSHA": "7225951a625870f86bd5fef66cd6d365d94e3246" + "lastStableSHA": "c6d1f57d2a97f4a037546eb47e05f9de98a3fdc2" }, { "_comment": "", From 343b27ae2014c5158c58065aead9e5cfd56b9ae4 Mon Sep 17 00:00:00 2001 From: Istio Automation Date: Mon, 16 Sep 2024 12:28:15 -0400 Subject: [PATCH 03/33] Automator: update proxy@release-1.23 in istio/istio@release-1.23 (#53156) --- istio.deps | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/istio.deps b/istio.deps index 018749d6e936..1111b5977e5e 100644 --- a/istio.deps +++ b/istio.deps @@ -4,7 +4,7 @@ "name": "PROXY_REPO_SHA", "repoName": "proxy", "file": "", - "lastStableSHA": "c6d1f57d2a97f4a037546eb47e05f9de98a3fdc2" + "lastStableSHA": "c675d7807804a8638f24cd46916ba8b3c1073627" }, { "_comment": "", From b1e6a6498fb82d6d6ba8ccec004c2d97ff29f080 Mon Sep 17 00:00:00 2001 
From: Istio Automation Date: Tue, 17 Sep 2024 11:47:16 -0400 Subject: [PATCH 04/33] Automator: update proxy@release-1.23 in istio/istio@release-1.23 (#53172) --- istio.deps | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/istio.deps b/istio.deps index 1111b5977e5e..851897b07356 100644 --- a/istio.deps +++ b/istio.deps @@ -4,7 +4,7 @@ "name": "PROXY_REPO_SHA", "repoName": "proxy", "file": "", - "lastStableSHA": "c675d7807804a8638f24cd46916ba8b3c1073627" + "lastStableSHA": "970d9dd048283339ed87fde486c011c546236b99" }, { "_comment": "", From 846a4ad3c82483a5240d96f502e4315d5bfc302a Mon Sep 17 00:00:00 2001 From: Istio Automation Date: Tue, 17 Sep 2024 15:41:17 -0400 Subject: [PATCH 05/33] Update BASE_VERSION to 1.23-2024-09-17T19-01-11 (#53178) --- Makefile.core.mk | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile.core.mk b/Makefile.core.mk index ab107d312a3c..0029d98187e7 100644 --- a/Makefile.core.mk +++ b/Makefile.core.mk @@ -49,7 +49,7 @@ endif export VERSION # Base version of Istio image to use -BASE_VERSION ?= 1.23-2024-09-04T19-02-13 +BASE_VERSION ?= 1.23-2024-09-17T19-01-11 ISTIO_BASE_REGISTRY ?= gcr.io/istio-release export GO111MODULE ?= on From 37616c5b4fa0f367cf11a4803dcf1e331e257f72 Mon Sep 17 00:00:00 2001 From: Sridhar Gaddam Date: Wed, 18 Sep 2024 12:22:17 +0530 Subject: [PATCH 06/33] Fix TestCustomGateway integration tests on OCP (#52974) (#53149) * Fix TestCustomGateway integration tests on OCP The test case was not configuring the platform details in the Helm values, because of which the test was failing. This PR fixes it. Fixes: https://github.com/istio/istio/issues/52973 Signed-off-by: Sridhar Gaddam * Remove TestCustomGateway/helm as it uses unsupported chart TestCustomGateway/helm uses manifests/charts/gateways/istio-ingress which is no longer supported. This PR removes it. Signed-off-by: Sridhar Gaddam * Use string append instead of appendToFile Signed-off-by: Sridhar Gaddam --------- 
Signed-off-by: Sridhar Gaddam (cherry picked from commit 04f15fe786f97f9a95861860bee0c8f89d5e3c66) --- tests/integration/pilot/ingress_test.go | 81 ++----------------------- 1 file changed, 6 insertions(+), 75 deletions(-) diff --git a/tests/integration/pilot/ingress_test.go b/tests/integration/pilot/ingress_test.go index 86023a9a9b98..633bc04425ee 100644 --- a/tests/integration/pilot/ingress_test.go +++ b/tests/integration/pilot/ingress_test.go 
@@ -637,79 +637,6 @@ spec: }) }) - // TODO we could add istioctl as well, but the framework adds a bunch of stuff beyond just `istioctl install` - // that mess with certs, multicluster, etc - t.NewSubTest("helm").Run(func(t framework.TestContext) { - gatewayNs := namespace.NewOrFail(t, t, namespace.Config{Prefix: "custom-gateway-helm", Inject: inject}) - d := filepath.Join(t.TempDir(), "gateway-values.yaml") - rev := "" - if t.Settings().Revisions.Default() != "" { - rev = t.Settings().Revisions.Default() - } - os.WriteFile(d, []byte(fmt.Sprintf(` -revision: %v -gateways: - istio-ingressgateway: - name: custom-gateway-helm - injectionTemplate: gateway - type: ClusterIP # LoadBalancer is slow and not necessary for this tests - autoscaleMax: 1 - resources: - requests: - cpu: 10m - memory: 40Mi - labels: - istio: custom-gateway-helm -`, rev)), 0o644) - cs := t.Clusters().Default().(*kubecluster.Cluster) - h := helm.New(cs.Filename()) - // Install ingress gateway chart - if err := h.InstallChart("ingress", filepath.Join(env.IstioSrc, "manifests/charts/gateways/istio-ingress"), gatewayNs.Name(), - d, helmtest.Timeout); err != nil { - t.Fatal(err) - } - retry.UntilSuccessOrFail(t, func() error { - _, err := kubetest.CheckPodsAreReady(kubetest.NewPodFetch(cs, gatewayNs.Name(), "istio=custom-gateway-helm")) - return err - }, retry.Timeout(time.Minute*2), retry.Delay(time.Millisecond*500)) - _ = t.ConfigIstio().YAML(gatewayNs.Name(), fmt.Sprintf(`apiVersion: networking.istio.io/v1alpha3 -kind: Gateway -metadata: - name: app -spec: - selector: - istio: custom-gateway-helm - servers: - - port: - number: 80 - name: http - protocol: HTTP - hosts: - - "*" ---- -apiVersion: networking.istio.io/v1alpha3 -kind: VirtualService -metadata: - name: app -spec: - hosts: - - "*" - gateways: - - app - http: - - route: - - destination: - host: %s - port: - number: 80 -`, apps.A.Config().ClusterLocalFQDN())).Apply(apply.NoCleanup) - apps.B[0].CallOrFail(t, echo.CallOptions{ - Port: 
echo.Port{ServicePort: 80}, - Scheme: scheme.HTTP, - Address: fmt.Sprintf("custom-gateway-helm.%s.svc.cluster.local", gatewayNs.Name()), - Check: check.OK(), - }) - }) t.NewSubTest("helm-simple").Run(func(t framework.TestContext) { gatewayNs := namespace.NewOrFail(t, t, namespace.Config{Prefix: "custom-gateway-helm", Inject: inject}) d := filepath.Join(t.TempDir(), "gateway-values.yaml") @@ -717,7 +644,7 @@ spec: if t.Settings().Revisions.Default() != "" { rev = t.Settings().Revisions.Default() } - os.WriteFile(d, []byte(fmt.Sprintf(` + gatewayValues := fmt.Sprintf(` revision: %q service: type: ClusterIP # LoadBalancer is slow and not necessary for this tests @@ -727,7 +654,11 @@ resources: requests: cpu: 10m memory: 40Mi -`, rev)), 0o644) +`, rev) + if t.Settings().OpenShift { + gatewayValues += "\nplatform: openshift" + } + os.WriteFile(d, []byte(gatewayValues), 0o644) cs := t.Clusters().Default().(*kubecluster.Cluster) h := helm.New(cs.Filename()) // Install ingress gateway chart From 50e2054c608911790d834eba8ceb355b55fbf798 Mon Sep 17 00:00:00 2001 From: Istio Automation Date: Wed, 18 Sep 2024 11:47:17 -0400 Subject: [PATCH 07/33] Automator: update proxy@release-1.23 in istio/istio@release-1.23 (#53190) --- istio.deps | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/istio.deps b/istio.deps index 851897b07356..c4dadcba81fe 100644 --- a/istio.deps +++ b/istio.deps @@ -4,7 +4,7 @@ "name": "PROXY_REPO_SHA", "repoName": "proxy", "file": "", - "lastStableSHA": "970d9dd048283339ed87fde486c011c546236b99" + "lastStableSHA": "f3977567fbbd9b7cc6de0c118dbc15359d9550f9" }, { "_comment": "", From 59bde21e84281442b97e42f6f5554a1cd4ef71a4 Mon Sep 17 00:00:00 2001 From: Istio Automation Date: Wed, 18 Sep 2024 18:02:17 -0400 Subject: [PATCH 08/33] Automator: update ztunnel@release-1.23 in istio/istio@release-1.23 (#53197) --- istio.deps | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
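Review bot: The rewritten `os.WriteFile(d, []byte(gatewayValues), 0o644)` in the last hunk still drops its error, so a failed write of the values file surfaces later as a confusing helm install failure instead of at the point of the fault; prefer `if err := os.WriteFile(d, []byte(gatewayValues), 0o644); err != nil { t.Fatal(err) }`. The appended `"\nplatform: openshift"` relies on the template literal already ending in a newline, which the hunk shows it does. The helm-simple subtest closure starts before and continues past the hunk.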
diff --git a/istio.deps b/istio.deps index c4dadcba81fe..4129fd06572c 100644 --- a/istio.deps +++ b/istio.deps @@ -11,6 +11,6 @@ "name": "ZTUNNEL_REPO_SHA", "repoName": "ztunnel", "file": "", - "lastStableSHA": "3ead5b81415936e1d3d7f4e81b0d87178817b289" + "lastStableSHA": "85a36c522464981168022a17ac1d427f6a27dead" } ] From 9a1bc3267877baeca56465ad151bb68991fa9ccb Mon Sep 17 00:00:00 2001 From: Manuel Menegazzo <65919883+m3nax@users.noreply.github.com> Date: Thu, 19 Sep 2024 04:37:17 +0200 Subject: [PATCH 09/33] [release-1.23] Backport to 1.23 the metrics port definition for istio-cni (#53184) * Update daemonset.yaml * Added release notes --- .../charts/istio-cni/templates/daemonset.yaml | 4 ++++ releasenotes/notes/53184.yaml | 16 ++++++++++++++++ 2 files changed, 20 insertions(+) create mode 100644 releasenotes/notes/53184.yaml diff --git a/manifests/charts/istio-cni/templates/daemonset.yaml b/manifests/charts/istio-cni/templates/daemonset.yaml index 9b667c40eb9a..cf0dab5ca18a 100644 --- a/manifests/charts/istio-cni/templates/daemonset.yaml +++ b/manifests/charts/istio-cni/templates/daemonset.yaml @@ -76,6 +76,10 @@ spec: {{- if or .Values.cni.pullPolicy .Values.global.imagePullPolicy }} imagePullPolicy: {{ .Values.cni.pullPolicy | default .Values.global.imagePullPolicy }} {{- end }} + ports: + - containerPort: 15014 + name: metrics + protocol: TCP readinessProbe: httpGet: path: /readyz diff --git a/releasenotes/notes/53184.yaml b/releasenotes/notes/53184.yaml new file mode 100644 index 000000000000..f21e3fefe425 --- /dev/null +++ b/releasenotes/notes/53184.yaml @@ -0,0 +1,16 @@ +apiVersion: release-notes/v2 +kind: bug-fix +area: telemetry + +# issue is a list of GitHub issues resolved in this note. +issue: [] + +docs: [] + +releaseNotes: +- | + **Fixed** Added the metrics port in the daemonset containers spec of the istio-cni chart. + +upgradeNotes: [] + +securityNotes: [] \ No newline at end of file 
From 3c046e6025fb2b264f1fc88e9254a5e9ee364d4c Mon Sep 17 00:00:00 2001 From: Istio Automation Date: Thu, 19 Sep 2024 11:51:18 -0400 Subject: [PATCH 10/33] Automator: update proxy@release-1.23 in istio/istio@release-1.23 (#53203) --- istio.deps | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/istio.deps b/istio.deps index 4129fd06572c..500d3bd6af5d 100644 --- a/istio.deps +++ b/istio.deps @@ -4,7 +4,7 @@ "name": "PROXY_REPO_SHA", "repoName": "proxy", "file": "", - "lastStableSHA": "f3977567fbbd9b7cc6de0c118dbc15359d9550f9" + "lastStableSHA": "0f7a5cde9b109ac567f3febba1a7317ec5cff758" }, { "_comment": "", From 974f3a28e86d17404b38eadba36eb0ad3b6a26bf Mon Sep 17 00:00:00 2001 From: Istio Automation Date: Fri, 20 Sep 2024 20:23:23 -0400 Subject: [PATCH 11/33] Automator: update proxy@release-1.23 in istio/istio@release-1.23 (#53221) --- istio.deps | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/istio.deps b/istio.deps index 500d3bd6af5d..2f9df84f0883 100644 --- a/istio.deps +++ b/istio.deps @@ -4,7 +4,7 @@ "name": "PROXY_REPO_SHA", "repoName": "proxy", "file": "", - "lastStableSHA": "0f7a5cde9b109ac567f3febba1a7317ec5cff758" + "lastStableSHA": "2fcbaa22448941cd89118370dcc15286d24dd702" }, { "_comment": "", From 19c429f02f584c5e6d0dcca70201fc45a86efe93 Mon Sep 17 00:00:00 2001 From: Istio Automation Date: Sat, 21 Sep 2024 11:51:20 -0400 Subject: [PATCH 12/33] Automator: update proxy@release-1.23 in istio/istio@release-1.23 (#53236) --- istio.deps | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/istio.deps b/istio.deps index 2f9df84f0883..5750bd74d677 100644 --- a/istio.deps +++ b/istio.deps @@ -4,7 +4,7 @@ "name": "PROXY_REPO_SHA", "repoName": "proxy", "file": "", - "lastStableSHA": "2fcbaa22448941cd89118370dcc15286d24dd702" + "lastStableSHA": "c41c5b86d9b2efe0623f20603c50df51e60466e9" }, { "_comment": "", From 37e0515b8b0317573d4e697bcc291dccea5ba7ad Mon Sep 17 00:00:00 2001 
From: Istio Automation Date: Tue, 24 Sep 2024 11:50:24 -0400 Subject: [PATCH 13/33] Automator: update proxy@release-1.23 in istio/istio@release-1.23 (#53263) --- istio.deps | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/istio.deps b/istio.deps index 5750bd74d677..232470c0a6c0 100644 --- a/istio.deps +++ b/istio.deps @@ -4,7 +4,7 @@ "name": "PROXY_REPO_SHA", "repoName": "proxy", "file": "", - "lastStableSHA": "c41c5b86d9b2efe0623f20603c50df51e60466e9" + "lastStableSHA": "6696f81f5be773d066b177ee45c12c80d408ac82" }, { "_comment": "", From b71891b471022ba71c2721593766181bfa23c841 Mon Sep 17 00:00:00 2001 From: Istio Automation Date: Thu, 26 Sep 2024 03:48:24 -0400 Subject: [PATCH 14/33] Fix httpbin sample's command (#53299) Signed-off-by: Daniel Hawton Co-authored-by: Daniel Hawton --- samples/httpbin/httpbin-vault.yaml | 2 ++ samples/httpbin/httpbin.yaml | 2 ++ 2 files changed, 4 insertions(+) diff --git a/samples/httpbin/httpbin-vault.yaml b/samples/httpbin/httpbin-vault.yaml index 0e5bb87e41e5..89cf73ff346e 100644 --- a/samples/httpbin/httpbin-vault.yaml +++ b/samples/httpbin/httpbin-vault.yaml @@ -53,6 +53,8 @@ spec: name: httpbin # Same as found in Dockerfile's CMD but using an unprivileged port command: + - pipenv + - run - gunicorn - -b - 0.0.0.0:8080 diff --git a/samples/httpbin/httpbin.yaml b/samples/httpbin/httpbin.yaml index cb64cf33b639..f0061801ef23 100644 --- a/samples/httpbin/httpbin.yaml +++ b/samples/httpbin/httpbin.yaml @@ -58,6 +58,8 @@ spec: name: httpbin # Same as found in Dockerfile's CMD but using an unprivileged port command: + - pipenv + - run - gunicorn - -b - 0.0.0.0:8080 From 90e70e6d08944cd13064111719eb91fe872753b6 Mon Sep 17 00:00:00 2001 
From: "Jackie Maertens (Elliott)" <64559656+jaellio@users.noreply.github.com> Date: Thu, 26 Sep 2024 11:53:24 -0700 Subject: [PATCH 15/33] [release-1.23] cherry-pick 1.23 patch commits (#53254) * Explicitly set internal addresses in Http Connection Manager when PILOT_SIDECAR_USE_REMOTE_ADDRESS is set to true for the sidecar. Signed-off-by: Jackie Elliott * Add unit test for setting runtimeValues in envoy config Signed-off-by: Jackie Elliott * Make gen on explicit internal address golden Signed-off-by: Jackie Elliott * Use httpOpts instead of features useRemoteAddress to ensure it is only set for outbound sidecars Signed-off-by: Jackie Elliott --------- Signed-off-by: Jackie Elliott --- pilot/pkg/networking/core/listener_builder.go | 5 +- .../networking/core/listener_builder_test.go | 69 +++ pkg/bootstrap/instance_test.go | 3 + .../explicit_internal_address.proxycfg | 12 + .../explicit_internal_address_golden.json | 433 ++++++++++++++++++ 5 files changed, 521 insertions(+), 1 deletion(-) create mode 100644 pkg/bootstrap/testdata/explicit_internal_address.proxycfg create mode 100644 pkg/bootstrap/testdata/explicit_internal_address_golden.json diff --git a/pilot/pkg/networking/core/listener_builder.go b/pilot/pkg/networking/core/listener_builder.go index 33735da106b3..4176eca04279 100644 --- a/pilot/pkg/networking/core/listener_builder.go +++ b/pilot/pkg/networking/core/listener_builder.go 
@@ -421,7 +421,10 @@ func (lb *ListenerBuilder) buildHTTPConnectionManager(httpOpts *httpListenerOpts
 connectionManager.HttpFilters = filters
 connectionManager.RequestIdExtension = requestidextension.BuildUUIDRequestIDExtension(reqIDExtensionCtx)
 
- if features.EnableHCMInternalNetworks && lb.push.Networks != nil {
+ // If UseRemoteAddress is set, we must set the internal address config in preparation for envoy
+ // internal addresses defaulting to empty set. Currently, the internal addresses defaulted to
+ // all private IPs but this will change in the future.
+ if (features.EnableHCMInternalNetworks || httpOpts.useRemoteAddress) && lb.push.Networks != nil {
 for _, internalnetwork := range lb.push.Networks.Networks {
 iac := &hcm.HttpConnectionManager_InternalAddressConfig{}
 for _, ne := range internalnetwork.Endpoints {
diff --git a/pilot/pkg/networking/core/listener_builder_test.go b/pilot/pkg/networking/core/listener_builder_test.go
index 06f98da5b921..b5b58ad40413 100644
--- a/pilot/pkg/networking/core/listener_builder_test.go
+++ b/pilot/pkg/networking/core/listener_builder_test.go
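Review bot: The new comment says the internal address config "must" be set when UseRemoteAddress is on, but the condition still requires `lb.push.Networks != nil`, so a sidecar with useRemoteAddress and no mesh networks configured gets no InternalAddressConfig and falls back to Envoy's default (currently the RFC1918 ranges, which the comment says will become empty). Because this config decides which downstream addresses Envoy treats as internal for header sanitation, that fallback is the case operators will be surprised by once the Envoy default changes, so it deserves either explicit documentation or explicit handling. Suggested comment: `// When useRemoteAddress is set, derive InternalAddressConfig from the mesh networks so header sanitation does not depend on Envoy's default (currently all RFC1918 ranges, planned to become empty). With no mesh networks configured nothing is set and the Envoy default still applies.` buildHTTPConnectionManager starts and ends outside the hunk.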
@@ -844,6 +844,75 @@ func TestHCMInternalAddressConfig(t *testing.T) { } } +func TestUseRemoteAddressInternalAddressConfig(t *testing.T) { + cg := NewConfigGenTest(t, TestOptions{}) + sidecarProxy := cg.SetupProxy(&model.Proxy{ConfigNamespace: "not-default"}) + push := cg.PushContext() + cases := []struct { + name string + networks *meshconfig.MeshNetworks + expectedconfig *hcm.HttpConnectionManager_InternalAddressConfig + }{ + { + name: "nil networks", + expectedconfig: nil, + }, + { + name: "empty networks", + networks: &meshconfig.MeshNetworks{}, + expectedconfig: nil, + }, + { + name: "networks populated", + networks: &meshconfig.MeshNetworks{ + Networks: map[string]*meshconfig.Network{ + "default": { + Endpoints: []*meshconfig.Network_NetworkEndpoints{ + { + Ne: &meshconfig.Network_NetworkEndpoints_FromCidr{ + FromCidr: "192.168.0.0/16", + }, + }, + { + Ne: &meshconfig.Network_NetworkEndpoints_FromCidr{ + FromCidr: "172.16.0.0/12", + }, + }, + }, + }, + }, + }, + expectedconfig: &hcm.HttpConnectionManager_InternalAddressConfig{ + CidrRanges: []*core.CidrRange{ + { + AddressPrefix: "192.168.0.0", + PrefixLen: &wrapperspb.UInt32Value{Value: 16}, + }, + { + AddressPrefix: "172.16.0.0", + PrefixLen: &wrapperspb.UInt32Value{Value: 12}, + }, + }, + }, + }, + } + for _, tt := range cases { + t.Run(tt.name, func(t *testing.T) { + push.Networks = tt.networks + lb := &ListenerBuilder{ + push: push, + node: sidecarProxy, + authzCustomBuilder: &authz.Builder{}, + authzBuilder: &authz.Builder{}, + } + httpConnManager := lb.buildHTTPConnectionManager(&httpListenerOpts{useRemoteAddress: true}) + if !reflect.DeepEqual(tt.expectedconfig, httpConnManager.InternalAddressConfig) { + t.Errorf("unexpected internal address config, expected: %v, got :%v", tt.expectedconfig, httpConnManager.InternalAddressConfig) + } + }) + } +} + func TestAdditionalAddressesForIPv6(t *testing.T) { test.SetForTest(t, &features.EnableAdditionalIpv4OutboundListenerForIpv6Only, true) cg := 
NewConfigGenTest(t, TestOptions{Services: testServices}) diff --git a/pkg/bootstrap/instance_test.go b/pkg/bootstrap/instance_test.go index 5488316cc8bb..5094470df40b 100644 --- a/pkg/bootstrap/instance_test.go +++ b/pkg/bootstrap/instance_test.go @@ -108,6 +108,9 @@ func TestGolden(t *testing.T) { { base: "default", }, + { + base: "explicit_internal_address", + }, { base: "legacy_stats_tags_regex", envVars: map[string]string{ diff --git a/pkg/bootstrap/testdata/explicit_internal_address.proxycfg b/pkg/bootstrap/testdata/explicit_internal_address.proxycfg new file mode 100644 index 000000000000..f8f7a21a59c4 --- /dev/null +++ b/pkg/bootstrap/testdata/explicit_internal_address.proxycfg @@ -0,0 +1,12 @@ +config_path: "/etc/istio/proxy" +binary_path: "/usr/local/bin/envoy" +service_cluster: "istio-proxy" +drain_duration: {seconds: 2} +discovery_address: "istio-pilot:15010" +proxy_admin_port: 15000 +control_plane_auth_policy: NONE +runtime_values: [{ key: "envoy.reloadable_features.explicit_internal_address_config" value: "true" }] + +# +# This matches the default configuration hardcoded in model.DefaultProxyConfig +# Flags may override this configuration, as specified by the injector configs. diff --git a/pkg/bootstrap/testdata/explicit_internal_address_golden.json b/pkg/bootstrap/testdata/explicit_internal_address_golden.json new file mode 100644 index 000000000000..b3a34590d7f1 --- /dev/null +++ b/pkg/bootstrap/testdata/explicit_internal_address_golden.json 
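Review bot: TestUseRemoteAddressInternalAddressConfig compares protobuf messages with `reflect.DeepEqual`, which can report spurious mismatches from unexported internal state on generated message types; the sibling TestHCMInternalAddressConfig may do the same, but for new code `proto.Equal(tt.expectedconfig, httpConnManager.InternalAddressConfig)` (or cmp with protocmp) is the safer comparison, assuming the file already imports the protobuf package. Each subtest also assigns `push.Networks = tt.networks` on the shared PushContext and the last case's value remains set after the loop, so resetting it in a `t.Cleanup` keeps later tests in the package independent of case order. Minor: the failure message `got :%v` has a stray space before the colon.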
@@ -0,0 +1,433 @@ +{ + "application_log_config": { + "log_format": { + "text_format": "%Y-%m-%dT%T.%fZ\t%l\tenvoy %n %g:%#\t%v\tthread=%t" + } + }, + "node": { + "id": "sidecar~1.2.3.4~foo~bar", + "cluster": "istio-proxy", + "locality": { + }, + "metadata": {"ENVOY_PROMETHEUS_PORT":15090,"ENVOY_STATUS_PORT":15021,"INSTANCE_IPS":"10.3.3.3,10.4.4.4,10.5.5.5,10.6.6.6","ISTIO_VERSION":"binary-1.0","OUTLIER_LOG_PATH":"/dev/stdout","PILOT_SAN":["spiffe://cluster.local/ns/istio-system/sa/istio-pilot-service-account"],"PROXY_CONFIG":{"binaryPath":"/usr/local/bin/envoy","configPath":"/tmp/bootstrap/explicit_internal_address","customConfigFile":"envoy_bootstrap.json","discoveryAddress":"istio-pilot:15010","drainDuration":"2s","proxyAdminPort":15000,"runtimeValues":{"envoy.reloadable_features.explicit_internal_address_config":"true"},"serviceCluster":"istio-proxy","statusPort":15020}} + }, + "layered_runtime": { + "layers": [ + { + "name": "global config", + "static_layer": {"envoy.deprecated_features:envoy.config.listener.v3.Listener.hidden_envoy_deprecated_use_original_dst":true,"envoy.reloadable_features.explicit_internal_address_config":true,"envoy.reloadable_features.http_reject_path_with_fragment":false,"overload.global_downstream_max_connections":"2147483647","re2.max_program_size.error_level":"32768"} + }, + { + "name": "admin", + "admin_layer": {} + } + ] + }, + "bootstrap_extensions": [ + { + "name": "envoy.bootstrap.internal_listener", + "typed_config": { + "@type":"type.googleapis.com/udpa.type.v1.TypedStruct", + "type_url": "type.googleapis.com/envoy.extensions.bootstrap.internal_listener.v3.InternalListener", + "value": { + "buffer_size_kb": 64 + } + } + } + ], + "stats_config": { + "use_all_default_tags": false, + "stats_tags": [ + { + "tag_name": "cluster_name", + "regex": "^cluster(\\.(.+);)" + }, + { + "tag_name": "http_conn_manager_prefix", + "regex": "^http\\.(((?:[_.[:digit:]\\w]*|[_\\[\\]aAbBcCdDeEfF[:digit:]\\w\\:]*));\\.)" + }, + { + "tag_name": 
"tcp_prefix", + "regex": "^tcp\\.((.*?)\\.)\\w+?$" + }, + { + "regex": "_rq(_(\\d{3}))$", + "tag_name": "response_code" + }, + { + "tag_name": "response_code_class", + "regex": "_rq(_(\\dxx))$" + }, + { + "tag_name": "http_conn_manager_listener_prefix", + "regex": "^listener(?=\\.).*?\\.http\\.(((?:[_.[:digit:]]*|[_\\[\\]aAbBcCdDeEfF[:digit:]]*))\\.)" + }, + { + "tag_name": "listener_address", + "regex": "^listener\\.(((?:[_.[:digit:]]*|[_\\[\\]aAbBcCdDeEfF[:digit:]]*))\\.)" + }, + { + "tag_name": "mongo_prefix", + "regex": "^mongo\\.(.+?)\\.(collection|cmd|cx_|op_|delays_|decoding_)(.*?)$" + }, + { + "regex": "(cache\\.(.+?)\\.)", + "tag_name": "cache" + }, + { + "regex": "(component\\.(.+?)\\.)", + "tag_name": "component" + }, + { + "regex": "(tag\\.(.+?);\\.)", + "tag_name": "tag" + }, + { + "regex": "(wasm_filter\\.(.+?)\\.)", + "tag_name": "wasm_filter" + }, + { + "tag_name": "authz_enforce_result", + "regex": "rbac(\\.(allowed|denied))" + }, + { + "tag_name": "authz_dry_run_action", + "regex": "(\\.istio_dry_run_(allow|deny)_)" + }, + { + "tag_name": "authz_dry_run_result", + "regex": "(\\.shadow_(allowed|denied))" + } + ], + "stats_matcher": { + "inclusion_list": { + "patterns": [ + { + "prefix": "reporter=" + }, + { + "prefix": "cluster_manager" + }, + { + "prefix": "listener_manager" + }, + { + "prefix": "server" + }, + { + "prefix": "cluster.xds-grpc" + }, + { + "prefix": "wasm" + }, + { + "suffix": "rbac.allowed" + }, + { + "suffix": "rbac.denied" + }, + { + "suffix": "shadow_allowed" + }, + { + "suffix": "shadow_denied" + }, + { + "safe_regex": {"regex":"vhost\\..*\\.route\\..*"} + }, + { + "prefix": "component" + }, + { + "prefix": "istio" + } + ] + } + } + }, + "admin": { + "access_log": [ + { + "name": "envoy.access_loggers.file", + "typed_config": { + "@type": "type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog", + "path": "/dev/null" + } + } + ], + "profile_path": "/var/lib/istio/data/envoy.prof", + "address": { + 
"socket_address": { + "address": "127.0.0.1", + "port_value": 15000 + } + } + }, + "dynamic_resources": { + "lds_config": { + "ads": {}, + "initial_fetch_timeout": "0s", + "resource_api_version": "V3" + }, + "cds_config": { + "ads": {}, + "initial_fetch_timeout": "0s", + "resource_api_version": "V3" + }, + "ads_config": { + "api_type": "DELTA_GRPC", + "set_node_on_first_message_only": true, + "transport_api_version": "V3", + "grpc_services": [ + { + "envoy_grpc": { + "cluster_name": "xds-grpc" + } + } + ] + } + }, + "static_resources": { + "clusters": [ + { + "name": "prometheus_stats", + "alt_stat_name": "prometheus_stats;", + "type": "STATIC", + "connect_timeout": "0.250s", + "lb_policy": "ROUND_ROBIN", + "load_assignment": { + "cluster_name": "prometheus_stats", + "endpoints": [{ + "lb_endpoints": [{ + "endpoint": { + "address":{ + "socket_address": { + "protocol": "TCP", + "address": "127.0.0.1", + "port_value": 15000 + } + } + } + }] + }] + } + }, + { + "name": "agent", + "alt_stat_name": "agent;", + "type": "STATIC", + "connect_timeout": "0.250s", + "lb_policy": "ROUND_ROBIN", + "load_assignment": { + "cluster_name": "agent", + "endpoints": [{ + "lb_endpoints": [{ + "endpoint": { + "address":{ + "socket_address": { + "protocol": "TCP", + "address": "127.0.0.1", + "port_value": 15020 + } + } + } + }] + }] + } + }, + { + "name": "sds-grpc", + "alt_stat_name": "sds-grpc;", + "type": "STATIC", + "typed_extension_protocol_options": { + "envoy.extensions.upstreams.http.v3.HttpProtocolOptions": { + "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions", + "explicit_http_config": { + "http2_protocol_options": {} + } + } + }, + "connect_timeout": "1s", + "lb_policy": "ROUND_ROBIN", + "load_assignment": { + "cluster_name": "sds-grpc", + "endpoints": [{ + "lb_endpoints": [{ + "endpoint": { + "address":{ + "pipe": { + "path": "./var/run/secrets/workload-spiffe-uds/socket" + } + } + } + }] + }] + } + }, + { + "name": "xds-grpc", + 
"alt_stat_name": "xds-grpc;", + "type" : "STATIC", + "connect_timeout": "1s", + "lb_policy": "ROUND_ROBIN", + "load_assignment": { + "cluster_name": "xds-grpc", + "endpoints": [{ + "lb_endpoints": [{ + "endpoint": { + "address":{ + "pipe": { + "path": "/tmp/XDS" + } + } + } + }] + }] + }, + "circuit_breakers": { + "thresholds": [ + { + "priority": "DEFAULT", + "max_connections": 100000, + "max_pending_requests": 100000, + "max_requests": 100000 + }, + { + "priority": "HIGH", + "max_connections": 100000, + "max_pending_requests": 100000, + "max_requests": 100000 + } + ] + }, + "upstream_connection_options": { + "tcp_keepalive": { + "keepalive_time": 300 + } + }, + "max_requests_per_connection": 1, + "typed_extension_protocol_options": { + "envoy.extensions.upstreams.http.v3.HttpProtocolOptions": { + "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions", + "explicit_http_config": { + "http2_protocol_options": {} + } + } + } + } + + + ], + "listeners":[ + { + "address": { + "socket_address": { + "protocol": "TCP", + "address": "0.0.0.0", + + "port_value": 15090 + } + }, + "filter_chains": [ + { + "filters": [ + { + "name": "envoy.filters.network.http_connection_manager", + "typed_config": { + "@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager", + "codec_type": "AUTO", + "stat_prefix": "stats", + "route_config": { + "virtual_hosts": [ + { + "name": "backend", + "domains": [ + "*" + ], + "routes": [ + { + "match": { + "prefix": "/stats/prometheus" + }, + "route": { + "cluster": "prometheus_stats" + } + } + ] + } + ] + }, + "http_filters": [ + { + "name": "envoy.filters.http.router", + "typed_config": { + "@type": "type.googleapis.com/envoy.extensions.filters.http.router.v3.Router" + } + }] + } + } + ] + } + ] + }, + { + "address": { + "socket_address": { + "protocol": "TCP", + "address": "0.0.0.0", + "port_value": 15021 + } + }, + "filter_chains": [ + { + "filters": [ + { + 
"name": "envoy.filters.network.http_connection_manager", + "typed_config": { + "@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager", + "codec_type": "AUTO", + "stat_prefix": "agent", + "route_config": { + "virtual_hosts": [ + { + "name": "backend", + "domains": [ + "*" + ], + "routes": [ + { + "match": { + "prefix": "/healthz/ready" + }, + "route": { + "cluster": "agent" + } + } + ] + } + ] + }, + "http_filters": [{ + "name": "envoy.filters.http.router", + "typed_config": { + "@type": "type.googleapis.com/envoy.extensions.filters.http.router.v3.Router" + } + }] + } + } + ] + } + ] + } + ] + } + + + , + "cluster_manager": { + "outlier_detection": { + "event_log_path": "/dev/stdout" + } + } + +} From e5527129a83042252e457df81c55fa1375a72727 Mon Sep 17 00:00:00 2001 From: Istio Automation Date: Fri, 27 Sep 2024 11:49:24 -0400 Subject: [PATCH 16/33] Automator: update proxy@release-1.23 in istio/istio@release-1.23 (#53327) --- istio.deps | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/istio.deps b/istio.deps index 232470c0a6c0..7ac515cf90b8 100644 --- a/istio.deps +++ b/istio.deps @@ -4,7 +4,7 @@ "name": "PROXY_REPO_SHA", "repoName": "proxy", "file": "", - "lastStableSHA": "6696f81f5be773d066b177ee45c12c80d408ac82" + "lastStableSHA": "133e3db102f940786eadd2bad26a62109108d8c2" }, { "_comment": "", From 99fa9ba4812bae62305f9d85d72efe72c2aece4d Mon Sep 17 00:00:00 2001 From: Istio Automation Date: Fri, 27 Sep 2024 16:33:25 -0400 Subject: [PATCH 17/33] Automator: update proxy@release-1.23 in istio/istio@release-1.23 (#53334) --- istio.deps | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/istio.deps b/istio.deps index 7ac515cf90b8..1ed792bf6394 100644 --- a/istio.deps +++ b/istio.deps 
@@ -4,7 +4,7 @@ "name": "PROXY_REPO_SHA", "repoName": "proxy", "file": "", - "lastStableSHA": "133e3db102f940786eadd2bad26a62109108d8c2" + "lastStableSHA": "f0dd9ad5667bf401dbd55806769d3567839e3173" }, { "_comment": "", From 7f85daeabcb204b03aa4680759ebf117629c7834 Mon Sep 17 00:00:00 2001 From: Istio Automation Date: Mon, 30 Sep 2024 11:44:28 -0400 Subject: [PATCH 18/33] Automator: update proxy@release-1.23 in istio/istio@release-1.23 (#53355) --- istio.deps | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/istio.deps b/istio.deps index 1ed792bf6394..56fa6344f281 100644 --- a/istio.deps +++ b/istio.deps @@ -4,7 +4,7 @@ "name": "PROXY_REPO_SHA", "repoName": "proxy", "file": "", - "lastStableSHA": "f0dd9ad5667bf401dbd55806769d3567839e3173" + "lastStableSHA": "c80629ee9be4dfecb0c557109804f486e6a99d83" }, { "_comment": "", From 85144d647c4dd5a1c48340f2a2581798f592b4c7 Mon Sep 17 00:00:00 2001 From: John Howard Date: Tue, 1 Oct 2024 11:38:29 -0700 Subject: [PATCH 19/33] 1.23: bump to docker 26.1.5 (#53377) Not sure why https://github.com/istio/istio/pull/52577 was to 26.1.4 not 26.1.5. Probably a mistake... --- go.mod | 4 ++-- go.sum | 8 ++++---- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/go.mod b/go.mod index a61ed9ba511f..f272ff1df246 100644 --- a/go.mod +++ b/go.mod @@ -19,7 +19,7 @@ require ( github.com/containernetworking/plugins v1.5.0 github.com/coreos/go-oidc/v3 v3.10.0 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc - github.com/docker/cli v26.1.4+incompatible + github.com/docker/cli v26.1.5+incompatible github.com/envoyproxy/go-control-plane v0.12.1-0.20240719165848-f888b4f71207 github.com/evanphx/json-patch/v5 v5.9.0 github.com/fatih/color v1.17.0 
@@ -135,7 +135,7 @@ require ( github.com/cyphar/filepath-securejoin v0.2.4 // indirect github.com/decred/dcrd/dcrec/secp256k1/v4 v4.2.0 // indirect github.com/docker/distribution v2.8.3+incompatible // indirect - github.com/docker/docker v26.1.4+incompatible // indirect + github.com/docker/docker v26.1.5+incompatible // indirect github.com/docker/docker-credential-helpers v0.8.1 // indirect github.com/emicklei/go-restful/v3 v3.12.0 // indirect github.com/envoyproxy/protoc-gen-validate v1.0.4 // indirect diff --git a/go.sum b/go.sum index fd6320327765..6aa52067beaa 100644 --- a/go.sum +++ b/go.sum 
@@ -137,13 +137,13 @@ github.com/decred/dcrd/dcrec/secp256k1/v4 v4.2.0 h1:8UrgZ3GkP4i/CLijOJx79Yu+etly github.com/decred/dcrd/dcrec/secp256k1/v4 v4.2.0/go.mod h1:v57UDF4pDQJcEfFUCRop3lJL149eHGSe9Jvczhzjo/0= github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ= github.com/dgryski/go-sip13 v0.0.0-20181026042036-e10d5fee7954/go.mod h1:vAd38F8PWV+bWy6jNmig1y/TA+kYO4g3RSRF0IAv0no= -github.com/docker/cli v26.1.4+incompatible h1:I8PHdc0MtxEADqYJZvhBrW9bo8gawKwwenxRM7/rLu8= -github.com/docker/cli v26.1.4+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= +github.com/docker/cli v26.1.5+incompatible h1:NxXGSdz2N+Ibdaw330TDO3d/6/f7MvHuiMbuFaIQDTk= +github.com/docker/cli v26.1.5+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= github.com/docker/distribution v2.8.3+incompatible h1:AtKxIZ36LoNK51+Z6RpzLpddBirtxJnzDrHLEKxTAYk= github.com/docker/distribution v2.8.3+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= github.com/docker/docker v0.7.3-0.20190327010347-be7ac8be2ae0/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= -github.com/docker/docker v26.1.4+incompatible h1:vuTpXDuoga+Z38m1OZHzl7NKisKWaWlhjQk7IDPSLsU= -github.com/docker/docker v26.1.4+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= +github.com/docker/docker v26.1.5+incompatible h1:NEAxTwEjxV6VbBMBoGG3zPqbiJosIApZjxlbrG9q3/g= +github.com/docker/docker v26.1.5+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= github.com/docker/docker-credential-helpers v0.8.1 h1:j/eKUktUltBtMzKqmfLB0PAgqYyMHOp5vfsD1807oKo= github.com/docker/docker-credential-helpers v0.8.1/go.mod h1:P3ci7E3lwkZg6XiHdRKft1KckHiO9a2rNtyFbZ/ry9M= github.com/docker/go-units v0.3.3/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk= From 6d6e8aaa75732b294b6513854ff5e03fccc8e5fb Mon Sep 17 00:00:00 2001 
From: Istio Automation Date: Fri, 4 Oct 2024 11:38:00 -0400 Subject: [PATCH 20/33] Automator: update proxy@release-1.23 in istio/istio@release-1.23 (#53392) --- istio.deps | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/istio.deps b/istio.deps index 56fa6344f281..0179f1b2a0c5 100644 --- a/istio.deps +++ b/istio.deps @@ -4,7 +4,7 @@ "name": "PROXY_REPO_SHA", "repoName": "proxy", "file": "", - "lastStableSHA": "c80629ee9be4dfecb0c557109804f486e6a99d83" + "lastStableSHA": "106e7c1a414e147c7c5abaa19f9298eabb4212c5" }, { "_comment": "", From a5e5c23b5334d59469d543629c17e9280885a120 Mon Sep 17 00:00:00 2001 From: Istio Automation Date: Mon, 7 Oct 2024 11:30:22 -0400 Subject: [PATCH 21/33] Automator: update common-files@release-1.23 in istio/istio@release-1.23 (#53459) --- .devcontainer/devcontainer.json | 2 +- common/.commonfiles.sha | 2 +- common/scripts/setup_env.sh | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json index c1ff78b6d08d..9cb797e361f9 100644 --- a/.devcontainer/devcontainer.json +++ b/.devcontainer/devcontainer.json @@ -1,6 +1,6 @@ { "name": "istio build-tools", - "image": "gcr.io/istio-testing/build-tools:release-1.23-d82829888b6f4a2b2b2644fe481d72ced2e402aa", + "image": "gcr.io/istio-testing/build-tools:release-1.23-d2ac9017a4c8dfb928bbfddd064833427afc0524", "privileged": true, "remoteEnv": { "USE_GKE_GCLOUD_AUTH_PLUGIN": "True", diff --git a/common/.commonfiles.sha b/common/.commonfiles.sha index 707827c206f8..3d9b53729a43 100644 --- a/common/.commonfiles.sha +++ b/common/.commonfiles.sha @@ -1 +1 @@ -e6bbccc51a140216fb669986e89602881002553d +037289f69e8291490f4c780762ecb07986d9998a diff --git a/common/scripts/setup_env.sh b/common/scripts/setup_env.sh index ac6f72b016a7..3b317b0e663d 100755 --- a/common/scripts/setup_env.sh +++ b/common/scripts/setup_env.sh 
@@ -75,7 +75,7 @@ fi TOOLS_REGISTRY_PROVIDER=${TOOLS_REGISTRY_PROVIDER:-gcr.io} PROJECT_ID=${PROJECT_ID:-istio-testing} if [[ "${IMAGE_VERSION:-}" == "" ]]; then - IMAGE_VERSION=release-1.23-d82829888b6f4a2b2b2644fe481d72ced2e402aa + IMAGE_VERSION=release-1.23-d2ac9017a4c8dfb928bbfddd064833427afc0524 fi if [[ "${IMAGE_NAME:-}" == "" ]]; then IMAGE_NAME=build-tools From 8fc10767014ba21faf09d831e55c60bde08af6a8 Mon Sep 17 00:00:00 2001 From: Istio Automation Date: Mon, 7 Oct 2024 12:17:41 -0400 Subject: [PATCH 22/33] Automator: update istio/client-go@release-1.23 dependency in istio/istio@release-1.23 (#53460) --- go.mod | 4 ++-- go.sum | 8 ++++---- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/go.mod b/go.mod index f272ff1df246..8c2bd70ce9f9 100644 --- a/go.mod +++ b/go.mod @@ -98,8 +98,8 @@ require ( gopkg.in/yaml.v2 v2.4.0 gopkg.in/yaml.v3 v3.0.1 helm.sh/helm/v3 v3.15.1 - istio.io/api v1.23.1-0.20240906150629-ba126bb830f0 - istio.io/client-go v1.23.1-0.20240906150928-c84358ed0e43 + istio.io/api v1.23.3-0.20241007150425-eb56b2cffca7 + istio.io/client-go v1.23.3-0.20241007150824-1455e2e0ee0a k8s.io/api v0.30.1 k8s.io/apiextensions-apiserver v0.30.1 k8s.io/apimachinery v0.30.1 diff --git a/go.sum b/go.sum index 6aa52067beaa..85cc85f40c8a 100644 --- a/go.sum +++ b/go.sum 
@@ -1009,10 +1009,10 @@ helm.sh/helm/v3 v3.15.1/go.mod h1:fvfoRcB8UKRUV5jrIfOTaN/pG1TPhuqSb56fjYdTKXg= honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= -istio.io/api v1.23.1-0.20240906150629-ba126bb830f0 h1:utRdmZryJWw71X1flREUJFLk56QCl2JdVuP3xsvDcMI= -istio.io/api v1.23.1-0.20240906150629-ba126bb830f0/go.mod h1:QPSTGXuIQdnZFEm3myf9NZ5uBMwCdJWUvfj9ZZ+2oBM= -istio.io/client-go v1.23.1-0.20240906150928-c84358ed0e43 h1:/HbrtBiDEiTsQRrzkdcfNgKr+GUp/JFWc5U3ZL/QUmk= -istio.io/client-go v1.23.1-0.20240906150928-c84358ed0e43/go.mod h1:E08wpMtUulJk2tlWOCUVakjy1bKFxUNm22tM1R1QY0Y= +istio.io/api v1.23.3-0.20241007150425-eb56b2cffca7 h1:c8RwLi4qSqCn36t5B2WFkwRDY+qPZ1XhlLMEIoJDCcs= +istio.io/api v1.23.3-0.20241007150425-eb56b2cffca7/go.mod h1:QPSTGXuIQdnZFEm3myf9NZ5uBMwCdJWUvfj9ZZ+2oBM= +istio.io/client-go v1.23.3-0.20241007150824-1455e2e0ee0a h1:MZyree5xnOHalv93KgXLX9hb3EINj8EgLp7ztjWObos= +istio.io/client-go v1.23.3-0.20241007150824-1455e2e0ee0a/go.mod h1:Lfa3anzx7/kCOpcAciR+JiRMj/SYuzDcbXQDjkThnLg= k8s.io/api v0.18.2/go.mod h1:SJCWI7OLzhZSvbY7U8zwNl9UA4o1fizoug34OV/2r78= k8s.io/api v0.18.4/go.mod h1:lOIQAKYgai1+vz9J7YcDZwC26Z0zQewYOGWdyIPUUQ4= k8s.io/api v0.30.1 h1:kCm/6mADMdbAxmIh0LBjS54nQBE+U4KmbCfIkF5CpJY= From 65854cb481445e855c4019d9ff4d15d00b9f2cfc Mon Sep 17 00:00:00 2001 From: Istio Automation Date: Mon, 7 Oct 2024 12:17:48 -0400 Subject: [PATCH 23/33] Automator: update proxy@release-1.23 in istio/istio@release-1.23 (#53461) --- istio.deps | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/istio.deps b/istio.deps index 0179f1b2a0c5..a92bb08117f9 100644 --- a/istio.deps +++ b/istio.deps 
@@ -4,7 +4,7 @@ "name": "PROXY_REPO_SHA", "repoName": "proxy", "file": "", - "lastStableSHA": "106e7c1a414e147c7c5abaa19f9298eabb4212c5" + "lastStableSHA": "af72f09013bbba2084db267bb903dc169510bb20" }, { "_comment": "", From 8864033efea2794077391e0d6b498f006ed66afe Mon Sep 17 00:00:00 2001 From: Istio Automation Date: Mon, 7 Oct 2024 18:06:42 -0400 Subject: [PATCH 24/33] Automator: update ztunnel@release-1.23 in istio/istio@release-1.23 (#53465) --- istio.deps | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/istio.deps b/istio.deps index a92bb08117f9..af18aba31132 100644 --- a/istio.deps +++ b/istio.deps @@ -11,6 +11,6 @@ "name": "ZTUNNEL_REPO_SHA", "repoName": "ztunnel", "file": "", - "lastStableSHA": "85a36c522464981168022a17ac1d427f6a27dead" + "lastStableSHA": "906d9c34eb40703fe07a9d14e1bd09da2e370f61" } ] From a4c7cfcccee0691c3c5ea33e7bc031f93c61e2fa Mon Sep 17 00:00:00 2001 From: Manuel Menegazzo <65919883+m3nax@users.noreply.github.com> Date: Tue, 8 Oct 2024 14:54:43 +0200 Subject: [PATCH 25/33] Added metrics port to kube-gateway.yaml manifest (#53351) (#53383) * Added metrics port to kube-gateway.yaml manifest * Update traffic-params.yaml.7.template.gen.yaml * Added releasenotes * Updated gen.yaml * Removed line ending * Regenerated manifest with make copy-templates update-golden * Added metrics port to test data * Updated testdata manifests * Removed port definition from waypoint testdata --------- Signed-off-by: Manuel Menegazzo 
Signed-off-by: Manuel Menegazzo --- .../istio-discovery/files/kube-gateway.yaml | 3 +++ .../gateway/testdata/deployment/cluster-ip.yaml | 3 +++ .../testdata/deployment/custom-class.yaml | 3 +++ .../infrastructure-labels-annotations.yaml | 3 +++ .../kube-gateway-ambient-redirect-infra.yaml | 3 +++ .../kube-gateway-ambient-redirect.yaml | 3 +++ .../gateway/testdata/deployment/manual-ip.yaml | 3 +++ .../gateway/testdata/deployment/manual-sa.yaml | 3 +++ .../testdata/deployment/multinetwork.yaml | 3 +++ .../testdata/deployment/proxy-config-crd.yaml | 3 +++ .../kube/gateway/testdata/deployment/simple.yaml | 3 +++ .../custom-template.yaml.40.template.gen.yaml | 3 +++ .../testdata/inputs/default.template.gen.yaml | 3 +++ .../enable-core-dump.yaml.5.template.gen.yaml | 3 +++ ...-cncf-networks-json.yaml.16.template.gen.yaml | 3 +++ ...sting-cncf-networks.yaml.15.template.gen.yaml | 3 +++ ...o-image-pull-secret.yaml.11.template.gen.yaml | 3 +++ ...ft-custom-injection.yaml.48.template.gen.yaml | 3 +++ .../hello-openshift.yaml.47.template.gen.yaml | 3 +++ ...ication-ProxyConfig.yaml.20.template.gen.yaml | 3 +++ .../hello-probes.yaml.18.template.gen.yaml | 3 +++ .../inputs/hello.yaml.0.template.gen.yaml | 3 +++ .../inputs/hello.yaml.1.template.gen.yaml | 3 +++ .../inputs/hello.yaml.10.template.gen.yaml | 3 +++ .../inputs/hello.yaml.12.template.gen.yaml | 3 +++ .../inputs/hello.yaml.13.template.gen.yaml | 3 +++ .../inputs/hello.yaml.14.template.gen.yaml | 3 +++ .../inputs/hello.yaml.17.template.gen.yaml | 3 +++ .../inputs/hello.yaml.3.template.gen.yaml | 3 +++ .../inputs/hello.yaml.4.template.gen.yaml | 3 +++ .../kubevirtInterfaces.yaml.9.template.gen.yaml | 3 +++ .../merge-probers.yaml.43.template.gen.yaml | 3 +++ ...roxy-override-runas.yaml.34.template.gen.yaml | 3 +++ .../status_params.yaml.8.template.gen.yaml | 3 +++ .../traffic-params.yaml.7.template.gen.yaml | 3 +++ releasenotes/notes/53351.yaml | 16 ++++++++++++++++ 36 files changed, 121 insertions(+) create mode 100644 
releasenotes/notes/53351.yaml diff --git a/manifests/charts/istio-control/istio-discovery/files/kube-gateway.yaml b/manifests/charts/istio-control/istio-discovery/files/kube-gateway.yaml index f4d363323b68..976568854e1a 100644 --- a/manifests/charts/istio-control/istio-discovery/files/kube-gateway.yaml +++ b/manifests/charts/istio-control/istio-discovery/files/kube-gateway.yaml @@ -104,6 +104,9 @@ spec: runAsGroup: {{ .ProxyGID | default "1337" }} runAsNonRoot: true ports: + - containerPort: 15020 + name: metrics + protocol: TCP - containerPort: 15021 name: status-port protocol: TCP diff --git a/pilot/pkg/config/kube/gateway/testdata/deployment/cluster-ip.yaml b/pilot/pkg/config/kube/gateway/testdata/deployment/cluster-ip.yaml index 0c9279a36e68..e7a618e5c19b 100644 --- a/pilot/pkg/config/kube/gateway/testdata/deployment/cluster-ip.yaml +++ b/pilot/pkg/config/kube/gateway/testdata/deployment/cluster-ip.yaml @@ -134,6 +134,9 @@ spec: image: test/proxyv2:test name: istio-proxy ports: + - containerPort: 15020 + name: metrics + protocol: TCP - containerPort: 15021 name: status-port protocol: TCP diff --git a/pilot/pkg/config/kube/gateway/testdata/deployment/custom-class.yaml b/pilot/pkg/config/kube/gateway/testdata/deployment/custom-class.yaml index 88f7c05d3349..7d8d53a69e1c 100644 --- a/pilot/pkg/config/kube/gateway/testdata/deployment/custom-class.yaml +++ b/pilot/pkg/config/kube/gateway/testdata/deployment/custom-class.yaml @@ -131,6 +131,9 @@ spec: image: test/proxyv2:test name: istio-proxy ports: + - containerPort: 15020 + name: metrics + protocol: TCP - containerPort: 15021 name: status-port protocol: TCP diff --git a/pilot/pkg/config/kube/gateway/testdata/deployment/infrastructure-labels-annotations.yaml b/pilot/pkg/config/kube/gateway/testdata/deployment/infrastructure-labels-annotations.yaml index 6659c44a15f4..df10b4750f18 100644 --- a/pilot/pkg/config/kube/gateway/testdata/deployment/infrastructure-labels-annotations.yaml 
+++ b/pilot/pkg/config/kube/gateway/testdata/deployment/infrastructure-labels-annotations.yaml @@ -137,6 +137,9 @@ spec: image: test/proxyv2:test name: istio-proxy ports: + - containerPort: 15020 + name: metrics + protocol: TCP - containerPort: 15021 name: status-port protocol: TCP diff --git a/pilot/pkg/config/kube/gateway/testdata/deployment/kube-gateway-ambient-redirect-infra.yaml b/pilot/pkg/config/kube/gateway/testdata/deployment/kube-gateway-ambient-redirect-infra.yaml index edf860c90b24..a95f8d7daffd 100644 --- a/pilot/pkg/config/kube/gateway/testdata/deployment/kube-gateway-ambient-redirect-infra.yaml +++ b/pilot/pkg/config/kube/gateway/testdata/deployment/kube-gateway-ambient-redirect-infra.yaml @@ -131,6 +131,9 @@ spec: image: test/proxyv2:test name: istio-proxy ports: + - containerPort: 15020 + name: metrics + protocol: TCP - containerPort: 15021 name: status-port protocol: TCP diff --git a/pilot/pkg/config/kube/gateway/testdata/deployment/kube-gateway-ambient-redirect.yaml b/pilot/pkg/config/kube/gateway/testdata/deployment/kube-gateway-ambient-redirect.yaml index edf860c90b24..a95f8d7daffd 100644 --- a/pilot/pkg/config/kube/gateway/testdata/deployment/kube-gateway-ambient-redirect.yaml +++ b/pilot/pkg/config/kube/gateway/testdata/deployment/kube-gateway-ambient-redirect.yaml @@ -131,6 +131,9 @@ spec: image: test/proxyv2:test name: istio-proxy ports: + - containerPort: 15020 + name: metrics + protocol: TCP - containerPort: 15021 name: status-port protocol: TCP diff --git a/pilot/pkg/config/kube/gateway/testdata/deployment/manual-ip.yaml b/pilot/pkg/config/kube/gateway/testdata/deployment/manual-ip.yaml index 52102caf3d9f..dc1171b45153 100644 --- a/pilot/pkg/config/kube/gateway/testdata/deployment/manual-ip.yaml +++ b/pilot/pkg/config/kube/gateway/testdata/deployment/manual-ip.yaml 
@@ -131,6 +131,9 @@ spec: image: test/proxyv2:test name: istio-proxy ports: + - containerPort: 15020 + name: metrics + protocol: TCP - containerPort: 15021 name: status-port protocol: TCP diff --git a/pilot/pkg/config/kube/gateway/testdata/deployment/manual-sa.yaml b/pilot/pkg/config/kube/gateway/testdata/deployment/manual-sa.yaml index d3339d13386e..533430da8942 100644 --- a/pilot/pkg/config/kube/gateway/testdata/deployment/manual-sa.yaml +++ b/pilot/pkg/config/kube/gateway/testdata/deployment/manual-sa.yaml @@ -131,6 +131,9 @@ spec: image: test/proxyv2:test name: istio-proxy ports: + - containerPort: 15020 + name: metrics + protocol: TCP - containerPort: 15021 name: status-port protocol: TCP diff --git a/pilot/pkg/config/kube/gateway/testdata/deployment/multinetwork.yaml b/pilot/pkg/config/kube/gateway/testdata/deployment/multinetwork.yaml index 41a1612cef68..90e79ca67a87 100644 --- a/pilot/pkg/config/kube/gateway/testdata/deployment/multinetwork.yaml +++ b/pilot/pkg/config/kube/gateway/testdata/deployment/multinetwork.yaml @@ -138,6 +138,9 @@ spec: image: test/proxyv2:test name: istio-proxy ports: + - containerPort: 15020 + name: metrics + protocol: TCP - containerPort: 15021 name: status-port protocol: TCP diff --git a/pilot/pkg/config/kube/gateway/testdata/deployment/proxy-config-crd.yaml b/pilot/pkg/config/kube/gateway/testdata/deployment/proxy-config-crd.yaml index 1be186f0416d..b2e8c4423222 100644 --- a/pilot/pkg/config/kube/gateway/testdata/deployment/proxy-config-crd.yaml +++ b/pilot/pkg/config/kube/gateway/testdata/deployment/proxy-config-crd.yaml @@ -131,6 +131,9 @@ spec: image: test/proxyv2:test-distroless name: istio-proxy ports: + - containerPort: 15020 + name: metrics + protocol: TCP - containerPort: 15021 name: status-port protocol: TCP diff --git a/pilot/pkg/config/kube/gateway/testdata/deployment/simple.yaml b/pilot/pkg/config/kube/gateway/testdata/deployment/simple.yaml index 38ae13d94808..fb11ff36cb6e 100644 
--- a/pilot/pkg/config/kube/gateway/testdata/deployment/simple.yaml +++ b/pilot/pkg/config/kube/gateway/testdata/deployment/simple.yaml @@ -137,6 +137,9 @@ spec: image: test/proxyv2:test name: istio-proxy ports: + - containerPort: 15020 + name: metrics + protocol: TCP - containerPort: 15021 name: status-port protocol: TCP diff --git a/pkg/kube/inject/testdata/inputs/custom-template.yaml.40.template.gen.yaml b/pkg/kube/inject/testdata/inputs/custom-template.yaml.40.template.gen.yaml index 4a4abdeb1793..70008defb4ce 100644 --- a/pkg/kube/inject/testdata/inputs/custom-template.yaml.40.template.gen.yaml +++ b/pkg/kube/inject/testdata/inputs/custom-template.yaml.40.template.gen.yaml @@ -1602,6 +1602,9 @@ templates: runAsGroup: {{ .ProxyGID | default "1337" }} runAsNonRoot: true ports: + - containerPort: 15020 + name: metrics + protocol: TCP - containerPort: 15021 name: status-port protocol: TCP diff --git a/pkg/kube/inject/testdata/inputs/default.template.gen.yaml b/pkg/kube/inject/testdata/inputs/default.template.gen.yaml index 04385da8aa0b..0e040c08c868 100644 --- a/pkg/kube/inject/testdata/inputs/default.template.gen.yaml +++ b/pkg/kube/inject/testdata/inputs/default.template.gen.yaml @@ -1602,6 +1602,9 @@ templates: runAsGroup: {{ .ProxyGID | default "1337" }} runAsNonRoot: true ports: + - containerPort: 15020 + name: metrics + protocol: TCP - containerPort: 15021 name: status-port protocol: TCP diff --git a/pkg/kube/inject/testdata/inputs/enable-core-dump.yaml.5.template.gen.yaml b/pkg/kube/inject/testdata/inputs/enable-core-dump.yaml.5.template.gen.yaml index 04385da8aa0b..0e040c08c868 100644 --- a/pkg/kube/inject/testdata/inputs/enable-core-dump.yaml.5.template.gen.yaml +++ b/pkg/kube/inject/testdata/inputs/enable-core-dump.yaml.5.template.gen.yaml @@ -1602,6 +1602,9 @@ templates: runAsGroup: {{ .ProxyGID | default "1337" }} runAsNonRoot: true ports: + - containerPort: 15020 + name: metrics + protocol: TCP - containerPort: 15021 name: status-port protocol: TCP 
diff --git a/pkg/kube/inject/testdata/inputs/hello-existing-cncf-networks-json.yaml.16.template.gen.yaml b/pkg/kube/inject/testdata/inputs/hello-existing-cncf-networks-json.yaml.16.template.gen.yaml index 04385da8aa0b..0e040c08c868 100644 --- a/pkg/kube/inject/testdata/inputs/hello-existing-cncf-networks-json.yaml.16.template.gen.yaml +++ b/pkg/kube/inject/testdata/inputs/hello-existing-cncf-networks-json.yaml.16.template.gen.yaml @@ -1602,6 +1602,9 @@ templates: runAsGroup: {{ .ProxyGID | default "1337" }} runAsNonRoot: true ports: + - containerPort: 15020 + name: metrics + protocol: TCP - containerPort: 15021 name: status-port protocol: TCP diff --git a/pkg/kube/inject/testdata/inputs/hello-existing-cncf-networks.yaml.15.template.gen.yaml b/pkg/kube/inject/testdata/inputs/hello-existing-cncf-networks.yaml.15.template.gen.yaml index 04385da8aa0b..0e040c08c868 100644 --- a/pkg/kube/inject/testdata/inputs/hello-existing-cncf-networks.yaml.15.template.gen.yaml +++ b/pkg/kube/inject/testdata/inputs/hello-existing-cncf-networks.yaml.15.template.gen.yaml @@ -1602,6 +1602,9 @@ templates: runAsGroup: {{ .ProxyGID | default "1337" }} runAsNonRoot: true ports: + - containerPort: 15020 + name: metrics + protocol: TCP - containerPort: 15021 name: status-port protocol: TCP diff --git a/pkg/kube/inject/testdata/inputs/hello-image-pull-secret.yaml.11.template.gen.yaml b/pkg/kube/inject/testdata/inputs/hello-image-pull-secret.yaml.11.template.gen.yaml index 04385da8aa0b..0e040c08c868 100644 --- a/pkg/kube/inject/testdata/inputs/hello-image-pull-secret.yaml.11.template.gen.yaml +++ b/pkg/kube/inject/testdata/inputs/hello-image-pull-secret.yaml.11.template.gen.yaml @@ -1602,6 +1602,9 @@ templates: runAsGroup: {{ .ProxyGID | default "1337" }} runAsNonRoot: true ports: + - containerPort: 15020 + name: metrics + protocol: TCP - containerPort: 15021 name: status-port protocol: TCP 
diff --git a/pkg/kube/inject/testdata/inputs/hello-openshift-custom-injection.yaml.48.template.gen.yaml b/pkg/kube/inject/testdata/inputs/hello-openshift-custom-injection.yaml.48.template.gen.yaml index 04385da8aa0b..0e040c08c868 100644 --- a/pkg/kube/inject/testdata/inputs/hello-openshift-custom-injection.yaml.48.template.gen.yaml +++ b/pkg/kube/inject/testdata/inputs/hello-openshift-custom-injection.yaml.48.template.gen.yaml @@ -1602,6 +1602,9 @@ templates: runAsGroup: {{ .ProxyGID | default "1337" }} runAsNonRoot: true ports: + - containerPort: 15020 + name: metrics + protocol: TCP - containerPort: 15021 name: status-port protocol: TCP diff --git a/pkg/kube/inject/testdata/inputs/hello-openshift.yaml.47.template.gen.yaml b/pkg/kube/inject/testdata/inputs/hello-openshift.yaml.47.template.gen.yaml index 04385da8aa0b..0e040c08c868 100644 --- a/pkg/kube/inject/testdata/inputs/hello-openshift.yaml.47.template.gen.yaml +++ b/pkg/kube/inject/testdata/inputs/hello-openshift.yaml.47.template.gen.yaml @@ -1602,6 +1602,9 @@ templates: runAsGroup: {{ .ProxyGID | default "1337" }} runAsNonRoot: true ports: + - containerPort: 15020 + name: metrics + protocol: TCP - containerPort: 15021 name: status-port protocol: TCP diff --git a/pkg/kube/inject/testdata/inputs/hello-probes-noProxyHoldApplication-ProxyConfig.yaml.20.template.gen.yaml b/pkg/kube/inject/testdata/inputs/hello-probes-noProxyHoldApplication-ProxyConfig.yaml.20.template.gen.yaml index 04385da8aa0b..0e040c08c868 100644 --- a/pkg/kube/inject/testdata/inputs/hello-probes-noProxyHoldApplication-ProxyConfig.yaml.20.template.gen.yaml +++ b/pkg/kube/inject/testdata/inputs/hello-probes-noProxyHoldApplication-ProxyConfig.yaml.20.template.gen.yaml @@ -1602,6 +1602,9 @@ templates: runAsGroup: {{ .ProxyGID | default "1337" }} runAsNonRoot: true ports: + - containerPort: 15020 + name: metrics + protocol: TCP - containerPort: 15021 name: status-port protocol: TCP 
diff --git a/pkg/kube/inject/testdata/inputs/hello-probes.yaml.18.template.gen.yaml b/pkg/kube/inject/testdata/inputs/hello-probes.yaml.18.template.gen.yaml index 04385da8aa0b..0e040c08c868 100644 --- a/pkg/kube/inject/testdata/inputs/hello-probes.yaml.18.template.gen.yaml +++ b/pkg/kube/inject/testdata/inputs/hello-probes.yaml.18.template.gen.yaml @@ -1602,6 +1602,9 @@ templates: runAsGroup: {{ .ProxyGID | default "1337" }} runAsNonRoot: true ports: + - containerPort: 15020 + name: metrics + protocol: TCP - containerPort: 15021 name: status-port protocol: TCP diff --git a/pkg/kube/inject/testdata/inputs/hello.yaml.0.template.gen.yaml b/pkg/kube/inject/testdata/inputs/hello.yaml.0.template.gen.yaml index 04385da8aa0b..0e040c08c868 100644 --- a/pkg/kube/inject/testdata/inputs/hello.yaml.0.template.gen.yaml +++ b/pkg/kube/inject/testdata/inputs/hello.yaml.0.template.gen.yaml @@ -1602,6 +1602,9 @@ templates: runAsGroup: {{ .ProxyGID | default "1337" }} runAsNonRoot: true ports: + - containerPort: 15020 + name: metrics + protocol: TCP - containerPort: 15021 name: status-port protocol: TCP diff --git a/pkg/kube/inject/testdata/inputs/hello.yaml.1.template.gen.yaml b/pkg/kube/inject/testdata/inputs/hello.yaml.1.template.gen.yaml index 04385da8aa0b..0e040c08c868 100644 --- a/pkg/kube/inject/testdata/inputs/hello.yaml.1.template.gen.yaml +++ b/pkg/kube/inject/testdata/inputs/hello.yaml.1.template.gen.yaml @@ -1602,6 +1602,9 @@ templates: runAsGroup: {{ .ProxyGID | default "1337" }} runAsNonRoot: true ports: + - containerPort: 15020 + name: metrics + protocol: TCP - containerPort: 15021 name: status-port protocol: TCP diff --git a/pkg/kube/inject/testdata/inputs/hello.yaml.10.template.gen.yaml b/pkg/kube/inject/testdata/inputs/hello.yaml.10.template.gen.yaml index 04385da8aa0b..0e040c08c868 100644 --- a/pkg/kube/inject/testdata/inputs/hello.yaml.10.template.gen.yaml +++ b/pkg/kube/inject/testdata/inputs/hello.yaml.10.template.gen.yaml 
@@ -1602,6 +1602,9 @@ templates: runAsGroup: {{ .ProxyGID | default "1337" }} runAsNonRoot: true ports: + - containerPort: 15020 + name: metrics + protocol: TCP - containerPort: 15021 name: status-port protocol: TCP diff --git a/pkg/kube/inject/testdata/inputs/hello.yaml.12.template.gen.yaml b/pkg/kube/inject/testdata/inputs/hello.yaml.12.template.gen.yaml index 04385da8aa0b..0e040c08c868 100644 --- a/pkg/kube/inject/testdata/inputs/hello.yaml.12.template.gen.yaml +++ b/pkg/kube/inject/testdata/inputs/hello.yaml.12.template.gen.yaml @@ -1602,6 +1602,9 @@ templates: runAsGroup: {{ .ProxyGID | default "1337" }} runAsNonRoot: true ports: + - containerPort: 15020 + name: metrics + protocol: TCP - containerPort: 15021 name: status-port protocol: TCP diff --git a/pkg/kube/inject/testdata/inputs/hello.yaml.13.template.gen.yaml b/pkg/kube/inject/testdata/inputs/hello.yaml.13.template.gen.yaml index 04385da8aa0b..0e040c08c868 100644 --- a/pkg/kube/inject/testdata/inputs/hello.yaml.13.template.gen.yaml +++ b/pkg/kube/inject/testdata/inputs/hello.yaml.13.template.gen.yaml @@ -1602,6 +1602,9 @@ templates: runAsGroup: {{ .ProxyGID | default "1337" }} runAsNonRoot: true ports: + - containerPort: 15020 + name: metrics + protocol: TCP - containerPort: 15021 name: status-port protocol: TCP diff --git a/pkg/kube/inject/testdata/inputs/hello.yaml.14.template.gen.yaml b/pkg/kube/inject/testdata/inputs/hello.yaml.14.template.gen.yaml index 04385da8aa0b..0e040c08c868 100644 --- a/pkg/kube/inject/testdata/inputs/hello.yaml.14.template.gen.yaml +++ b/pkg/kube/inject/testdata/inputs/hello.yaml.14.template.gen.yaml @@ -1602,6 +1602,9 @@ templates: runAsGroup: {{ .ProxyGID | default "1337" }} runAsNonRoot: true ports: + - containerPort: 15020 + name: metrics + protocol: TCP - containerPort: 15021 name: status-port protocol: TCP 
diff --git a/pkg/kube/inject/testdata/inputs/hello.yaml.17.template.gen.yaml b/pkg/kube/inject/testdata/inputs/hello.yaml.17.template.gen.yaml index 04385da8aa0b..0e040c08c868 100644 --- a/pkg/kube/inject/testdata/inputs/hello.yaml.17.template.gen.yaml +++ b/pkg/kube/inject/testdata/inputs/hello.yaml.17.template.gen.yaml @@ -1602,6 +1602,9 @@ templates: runAsGroup: {{ .ProxyGID | default "1337" }} runAsNonRoot: true ports: + - containerPort: 15020 + name: metrics + protocol: TCP - containerPort: 15021 name: status-port protocol: TCP diff --git a/pkg/kube/inject/testdata/inputs/hello.yaml.3.template.gen.yaml b/pkg/kube/inject/testdata/inputs/hello.yaml.3.template.gen.yaml index 04385da8aa0b..0e040c08c868 100644 --- a/pkg/kube/inject/testdata/inputs/hello.yaml.3.template.gen.yaml +++ b/pkg/kube/inject/testdata/inputs/hello.yaml.3.template.gen.yaml @@ -1602,6 +1602,9 @@ templates: runAsGroup: {{ .ProxyGID | default "1337" }} runAsNonRoot: true ports: + - containerPort: 15020 + name: metrics + protocol: TCP - containerPort: 15021 name: status-port protocol: TCP diff --git a/pkg/kube/inject/testdata/inputs/hello.yaml.4.template.gen.yaml b/pkg/kube/inject/testdata/inputs/hello.yaml.4.template.gen.yaml index 04385da8aa0b..0e040c08c868 100644 --- a/pkg/kube/inject/testdata/inputs/hello.yaml.4.template.gen.yaml +++ b/pkg/kube/inject/testdata/inputs/hello.yaml.4.template.gen.yaml @@ -1602,6 +1602,9 @@ templates: runAsGroup: {{ .ProxyGID | default "1337" }} runAsNonRoot: true ports: + - containerPort: 15020 + name: metrics + protocol: TCP - containerPort: 15021 name: status-port protocol: TCP diff --git a/pkg/kube/inject/testdata/inputs/kubevirtInterfaces.yaml.9.template.gen.yaml b/pkg/kube/inject/testdata/inputs/kubevirtInterfaces.yaml.9.template.gen.yaml index 04385da8aa0b..0e040c08c868 100644 --- a/pkg/kube/inject/testdata/inputs/kubevirtInterfaces.yaml.9.template.gen.yaml +++ b/pkg/kube/inject/testdata/inputs/kubevirtInterfaces.yaml.9.template.gen.yaml 
@@ -1602,6 +1602,9 @@ templates: runAsGroup: {{ .ProxyGID | default "1337" }} runAsNonRoot: true ports: + - containerPort: 15020 + name: metrics + protocol: TCP - containerPort: 15021 name: status-port protocol: TCP diff --git a/pkg/kube/inject/testdata/inputs/merge-probers.yaml.43.template.gen.yaml b/pkg/kube/inject/testdata/inputs/merge-probers.yaml.43.template.gen.yaml index 04385da8aa0b..0e040c08c868 100644 --- a/pkg/kube/inject/testdata/inputs/merge-probers.yaml.43.template.gen.yaml +++ b/pkg/kube/inject/testdata/inputs/merge-probers.yaml.43.template.gen.yaml @@ -1602,6 +1602,9 @@ templates: runAsGroup: {{ .ProxyGID | default "1337" }} runAsNonRoot: true ports: + - containerPort: 15020 + name: metrics + protocol: TCP - containerPort: 15021 name: status-port protocol: TCP diff --git a/pkg/kube/inject/testdata/inputs/proxy-override-runas.yaml.34.template.gen.yaml b/pkg/kube/inject/testdata/inputs/proxy-override-runas.yaml.34.template.gen.yaml index 04385da8aa0b..0e040c08c868 100644 --- a/pkg/kube/inject/testdata/inputs/proxy-override-runas.yaml.34.template.gen.yaml +++ b/pkg/kube/inject/testdata/inputs/proxy-override-runas.yaml.34.template.gen.yaml @@ -1602,6 +1602,9 @@ templates: runAsGroup: {{ .ProxyGID | default "1337" }} runAsNonRoot: true ports: + - containerPort: 15020 + name: metrics + protocol: TCP - containerPort: 15021 name: status-port protocol: TCP diff --git a/pkg/kube/inject/testdata/inputs/status_params.yaml.8.template.gen.yaml b/pkg/kube/inject/testdata/inputs/status_params.yaml.8.template.gen.yaml index 04385da8aa0b..0e040c08c868 100644 --- a/pkg/kube/inject/testdata/inputs/status_params.yaml.8.template.gen.yaml +++ b/pkg/kube/inject/testdata/inputs/status_params.yaml.8.template.gen.yaml @@ -1602,6 +1602,9 @@ templates: runAsGroup: {{ .ProxyGID | default "1337" }} runAsNonRoot: true ports: + - containerPort: 15020 + name: metrics + protocol: TCP - containerPort: 15021 name: status-port protocol: TCP 
diff --git a/pkg/kube/inject/testdata/inputs/traffic-params.yaml.7.template.gen.yaml b/pkg/kube/inject/testdata/inputs/traffic-params.yaml.7.template.gen.yaml index 04385da8aa0b..0e040c08c868 100644 --- a/pkg/kube/inject/testdata/inputs/traffic-params.yaml.7.template.gen.yaml +++ b/pkg/kube/inject/testdata/inputs/traffic-params.yaml.7.template.gen.yaml @@ -1602,6 +1602,9 @@ templates: runAsGroup: {{ .ProxyGID | default "1337" }} runAsNonRoot: true ports: + - containerPort: 15020 + name: metrics + protocol: TCP - containerPort: 15021 name: status-port protocol: TCP diff --git a/releasenotes/notes/53351.yaml b/releasenotes/notes/53351.yaml new file mode 100644 index 000000000000..b4ff9aaf788f --- /dev/null +++ b/releasenotes/notes/53351.yaml @@ -0,0 +1,16 @@ +apiVersion: release-notes/v2 +kind: bug-fix +area: telemetry + +# issue is a list of GitHub issues resolved in this note. +issue: [] + +docs: [] + +releaseNotes: +- | + **Fixed** Added the metrics port in the kube-gateway containers spec of the istio-discovery chart. + +upgradeNotes: [] + +securityNotes: [] \ No newline at end of file From 8f5faa724866d24555dcb0cce98bcf779847928d Mon Sep 17 00:00:00 2001 From: Istio Automation Date: Thu, 10 Oct 2024 11:45:47 -0400 Subject: [PATCH 26/33] Fix kube-virt-related rules cleanup in legacy istio-clean-iptables (#53492) Co-authored-by: Leonardo Sarra --- releasenotes/notes/48368.yaml | 8 +++ tools/istio-clean-iptables/pkg/cmd/cleanup.go | 71 +++++++++++++++++++ .../pkg/cmd/cleanup_test.go | 14 ++++ .../ipnets-with-kube-virt-interfaces.golden | 54 ++++++++++++++ .../cmd/testdata/kube-virt-interfaces.golden | 56 +++++++++++++++ .../istio-clean-iptables/pkg/config/config.go | 4 ++ 6 files changed, 207 insertions(+) create mode 100644 releasenotes/notes/48368.yaml create mode 100644 tools/istio-clean-iptables/pkg/cmd/testdata/ipnets-with-kube-virt-interfaces.golden create mode 100644 tools/istio-clean-iptables/pkg/cmd/testdata/kube-virt-interfaces.golden 
diff --git a/releasenotes/notes/48368.yaml b/releasenotes/notes/48368.yaml
new file mode 100644
index 000000000000..59d87018a303
--- /dev/null
+++ b/releasenotes/notes/48368.yaml
@@ -0,0 +1,8 @@
+apiVersion: release-notes/v2
+kind: bug-fix
+area: installation
+issue:
+- 48368
+releaseNotes:
+  - |
+    **Fixed** kube-virt-related rules not being removed by istio-clean-iptables tool.
diff --git a/tools/istio-clean-iptables/pkg/cmd/cleanup.go b/tools/istio-clean-iptables/pkg/cmd/cleanup.go
index 5a3c1a9c4ab5..680233b64064 100644
--- a/tools/istio-clean-iptables/pkg/cmd/cleanup.go
+++ b/tools/istio-clean-iptables/pkg/cmd/cleanup.go
@@ -15,6 +15,10 @@
 package cmd
 
 import (
+	"fmt"
+	"net/netip"
+	"os"
+
 	"istio.io/istio/tools/istio-clean-iptables/pkg/config"
 	"istio.io/istio/tools/istio-iptables/pkg/builder"
 	common "istio.io/istio/tools/istio-iptables/pkg/capture"
@@ -37,6 +41,42 @@ type IptablesCleaner struct {
 ipt6V *dep.IptablesVersion
 }
+type NetworkRange struct {
+ IsWildcard bool
+ CIDRs []netip.Prefix
+ HasLoopBackIP bool
+}
+
+func separateV4V6(cidrList string) (NetworkRange, NetworkRange, error) {
+ if cidrList == "*" {
+ return NetworkRange{IsWildcard: true}, NetworkRange{IsWildcard: true}, nil
+ }
+ ipv6Ranges := NetworkRange{}
+ ipv4Ranges := NetworkRange{}
+ for _, ipRange := range types.Split(cidrList) {
+ ipp, err := netip.ParsePrefix(ipRange)
+ if err != nil {
+ _, err = fmt.Fprintf(os.Stderr, "Ignoring error for bug compatibility with istio-iptables: %s\n", err.Error())
+ if err != nil {
+ return ipv4Ranges, ipv6Ranges, err
+ }
+ continue
+ }
+ if ipp.Addr().Is4() {
+ ipv4Ranges.CIDRs = append(ipv4Ranges.CIDRs, ipp)
+ if ipp.Addr().IsLoopback() {
+ ipv4Ranges.HasLoopBackIP = true
+ }
+ } else {
+ ipv6Ranges.CIDRs = append(ipv6Ranges.CIDRs, ipp)
+ if ipp.Addr().IsLoopback() {
+ ipv6Ranges.HasLoopBackIP = true
+ }
+ }
+ }
+ return ipv4Ranges, ipv6Ranges, nil
+}
+
 func NewIptablesCleaner(cfg *config.Config, iptV, ipt6V *dep.IptablesVersion, ext dep.Dependencies) *IptablesCleaner {
 return &IptablesCleaner{
 ext: ext,
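Review bot: `NetworkRange` is a new exported type with no doc comment, and its `HasLoopBackIP` field is set by `separateV4V6` but not read by `cleanupKubeVirt` in the next hunk or anywhere else in this diff; if it was carried over from istio-iptables for parity, a comment should say so, otherwise the field can go. A comment such as `// NetworkRange holds the IPv4 or IPv6 prefixes parsed from OUTBOUND_IPRANGES_INCLUDE; IsWildcard is set when the list is "*".` would cover the type. The function's contract is also worth stating above it: a malformed entry is reported on stderr and skipped rather than rejected, so the only error it can return is a failed write to stderr, and a typo in the configured range list silently leaves that rule uncleaned.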
@@ -85,6 +125,35 @@ func removeOldChains(cfg *config.Config, ext dep.Dependencies, iptV *dep.Iptable
 flushAndDeleteChains(ext, iptV, constants.NAT, chains)
 }
+func cleanupKubeVirt(cfg *config.Config, ext dep.Dependencies, iptV *dep.IptablesVersion, iptV6 *dep.IptablesVersion) {
+ cleanupFunc := func(iptVer *dep.IptablesVersion, rangeInclude NetworkRange) {
+ if rangeInclude.IsWildcard {
+ // Wildcard specified. Redirect all remaining outbound traffic to Envoy.
+ for _, internalInterface := range types.Split(cfg.KubeVirtInterfaces) {
+ DeleteRule(ext, iptVer, constants.PREROUTING, constants.NAT, "-i", internalInterface, "-j", constants.ISTIOREDIRECT)
+ }
+ } else if len(rangeInclude.CIDRs) > 0 {
+ // User has specified a non-empty list of cidrs to be redirected to Envoy.
+ for _, cidr := range rangeInclude.CIDRs {
+ for _, internalInterface := range types.Split(cfg.KubeVirtInterfaces) {
+ DeleteRule(ext, iptVer, constants.PREROUTING, constants.PREROUTING, constants.NAT, "-i", internalInterface,
+ "-d", cidr.String(), "-j", constants.ISTIOREDIRECT)
+ }
+ }
+ }
+ // cleanup short circuit
+ for _, internalInterface := range types.Split(cfg.KubeVirtInterfaces) {
+ DeleteRule(ext, iptVer, constants.PREROUTING, constants.NAT, "-i", internalInterface, "-j", constants.RETURN)
+ }
+ }
+
+ ipv4RangesInclude, ipv6RangesInclude, err := separateV4V6(cfg.OutboundIPRangesInclude)
+ if err == nil {
+ cleanupFunc(iptV, ipv4RangesInclude)
+ cleanupFunc(iptV6, ipv6RangesInclude)
+ }
+}
+
 // cleanupDNSUDP removes any IPv4/v6 UDP rules.
 // TODO BML drop `HandleDSNUDP` and friends, no real need to tread UDP rules specially
 // or create unique abstractions for them
@@ -116,6 +185,8 @@ func (c *IptablesCleaner) Run() {
 }()
 // clean v4/v6
+ // cleanup kube-virt-related jumps
+ cleanupKubeVirt(c.cfg, c.ext, c.iptV, c.ipt6V)
 // Remove chains (run once per v4/v6)
 removeOldChains(c.cfg, c.ext, c.iptV)
 removeOldChains(c.cfg, c.ext, c.ipt6V)
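Review bot: The `DeleteRule` calls in `cleanupKubeVirt` pass `constants.PREROUTING` before `constants.NAT`, and the CIDR branch passes `constants.PREROUTING` twice, so the commands emitted — as the new golden files show — are `iptables -t PREROUTING -D nat -i eth1 -j RETURN` and `iptables -t PREROUTING -D PREROUTING nat -i eth1 -d 10.0.0.0/8 -j ISTIO_REDIRECT`, while every pre-existing rule in the same golden output has the shape `iptables -t nat -D PREROUTING ...`. There is no table called PREROUTING, so these deletions would fail at runtime and the kube-virt redirect rules this commit sets out to remove would stay in place. If `DeleteRule` takes table then chain, as the surrounding calls indicate, the three calls should read `DeleteRule(ext, iptVer, constants.NAT, constants.PREROUTING, "-i", internalInterface, "-j", constants.ISTIOREDIRECT)`, `DeleteRule(ext, iptVer, constants.NAT, constants.PREROUTING, "-i", internalInterface, "-d", cidr.String(), "-j", constants.ISTIOREDIRECT)` and `DeleteRule(ext, iptVer, constants.NAT, constants.PREROUTING, "-i", internalInterface, "-j", constants.RETURN)`, with `ipnets-with-kube-virt-interfaces.golden` and `kube-virt-interfaces.golden` regenerated afterwards. The error from `separateV4V6` is also dropped by `if err == nil`; reporting it would make a skipped cleanup visible to the operator.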
diff --git a/tools/istio-clean-iptables/pkg/cmd/cleanup_test.go b/tools/istio-clean-iptables/pkg/cmd/cleanup_test.go index 8544c8d46cef..73f20542978d 100644 --- a/tools/istio-clean-iptables/pkg/cmd/cleanup_test.go +++ b/tools/istio-clean-iptables/pkg/cmd/cleanup_test.go @@ -74,6 +74,20 @@ func TestIptables(t *testing.T) { cfg.OwnerGroupsExclude = "888,ftp" }, }, + { + "ipnets-with-kube-virt-interfaces", + func(cfg *config.Config) { + cfg.KubeVirtInterfaces = "eth1,eth2" + cfg.OutboundIPRangesInclude = "10.0.0.0/8" + }, + }, + { + "kube-virt-interfaces", + func(cfg *config.Config) { + cfg.KubeVirtInterfaces = "eth1,eth2" + cfg.OutboundIPRangesInclude = "*" + }, + }, { "inbound-interception-mode", func(cfg *config.Config) { diff --git a/tools/istio-clean-iptables/pkg/cmd/testdata/ipnets-with-kube-virt-interfaces.golden b/tools/istio-clean-iptables/pkg/cmd/testdata/ipnets-with-kube-virt-interfaces.golden new file mode 100644 index 000000000000..1ca3ff0fdc11 --- /dev/null +++ b/tools/istio-clean-iptables/pkg/cmd/testdata/ipnets-with-kube-virt-interfaces.golden 
@@ -0,0 +1,54 @@ +iptables -t PREROUTING -D PREROUTING nat -i eth1 -d 10.0.0.0/8 -j ISTIO_REDIRECT +iptables -t PREROUTING -D PREROUTING nat -i eth2 -d 10.0.0.0/8 -j ISTIO_REDIRECT +iptables -t PREROUTING -D nat -i eth1 -j RETURN +iptables -t PREROUTING -D nat -i eth2 -j RETURN +ip6tables -t PREROUTING -D nat -i eth1 -j RETURN +ip6tables -t PREROUTING -D nat -i eth2 -j RETURN +iptables -t nat -D PREROUTING -p tcp -j ISTIO_INBOUND +iptables -t mangle -D PREROUTING -p tcp -j ISTIO_INBOUND +iptables -t nat -D OUTPUT -p tcp -j ISTIO_OUTPUT +iptables -t nat -F ISTIO_OUTPUT +iptables -t nat -X ISTIO_OUTPUT +iptables -t nat -F ISTIO_INBOUND +iptables -t nat -X ISTIO_INBOUND +iptables -t mangle -F ISTIO_INBOUND +iptables -t mangle -X ISTIO_INBOUND +iptables -t mangle -F ISTIO_DIVERT +iptables -t mangle -X ISTIO_DIVERT +iptables -t mangle -F ISTIO_TPROXY +iptables -t mangle -X ISTIO_TPROXY +iptables -t nat -F ISTIO_REDIRECT +iptables -t nat -X ISTIO_REDIRECT +iptables -t nat -F ISTIO_IN_REDIRECT +iptables -t nat -X ISTIO_IN_REDIRECT +iptables -t nat -F ISTIO_OUTPUT +iptables -t nat -X ISTIO_OUTPUT +ip6tables -t nat -D PREROUTING -p tcp -j ISTIO_INBOUND +ip6tables -t mangle -D PREROUTING -p tcp -j ISTIO_INBOUND +ip6tables -t nat -D OUTPUT -p tcp -j ISTIO_OUTPUT +ip6tables -t nat -F ISTIO_OUTPUT +ip6tables -t nat -X ISTIO_OUTPUT +ip6tables -t nat -F ISTIO_INBOUND +ip6tables -t nat -X ISTIO_INBOUND +ip6tables -t mangle -F ISTIO_INBOUND +ip6tables -t mangle -X ISTIO_INBOUND +ip6tables -t mangle -F ISTIO_DIVERT +ip6tables -t mangle -X ISTIO_DIVERT +ip6tables -t mangle -F ISTIO_TPROXY +ip6tables -t mangle -X ISTIO_TPROXY +ip6tables -t nat -F ISTIO_REDIRECT +ip6tables -t nat -X ISTIO_REDIRECT +ip6tables -t nat -F ISTIO_IN_REDIRECT +ip6tables -t nat -X ISTIO_IN_REDIRECT +ip6tables -t nat -F ISTIO_OUTPUT +ip6tables -t nat -X ISTIO_OUTPUT +iptables -t nat -D OUTPUT -p udp -j ISTIO_OUTPUT +iptables -t raw -D OUTPUT -p udp -j ISTIO_OUTPUT +ip6tables -t nat -D OUTPUT -p udp -j 
ISTIO_OUTPUT +ip6tables -t raw -D OUTPUT -p udp -j ISTIO_OUTPUT +iptables -t raw -F ISTIO_OUTPUT +iptables -t raw -X ISTIO_OUTPUT +iptables -t nat -F ISTIO_OUTPUT +iptables -t nat -X ISTIO_OUTPUT +iptables-save +ip6tables-save \ No newline at end of file diff --git a/tools/istio-clean-iptables/pkg/cmd/testdata/kube-virt-interfaces.golden b/tools/istio-clean-iptables/pkg/cmd/testdata/kube-virt-interfaces.golden new file mode 100644 index 000000000000..0215b6efc82e --- /dev/null +++ b/tools/istio-clean-iptables/pkg/cmd/testdata/kube-virt-interfaces.golden 
@@ -0,0 +1,56 @@ +iptables -t PREROUTING -D nat -i eth1 -j ISTIO_REDIRECT +iptables -t PREROUTING -D nat -i eth2 -j ISTIO_REDIRECT +iptables -t PREROUTING -D nat -i eth1 -j RETURN +iptables -t PREROUTING -D nat -i eth2 -j RETURN +ip6tables -t PREROUTING -D nat -i eth1 -j ISTIO_REDIRECT +ip6tables -t PREROUTING -D nat -i eth2 -j ISTIO_REDIRECT +ip6tables -t PREROUTING -D nat -i eth1 -j RETURN +ip6tables -t PREROUTING -D nat -i eth2 -j RETURN +iptables -t nat -D PREROUTING -p tcp -j ISTIO_INBOUND +iptables -t mangle -D PREROUTING -p tcp -j ISTIO_INBOUND +iptables -t nat -D OUTPUT -p tcp -j ISTIO_OUTPUT +iptables -t nat -F ISTIO_OUTPUT +iptables -t nat -X ISTIO_OUTPUT +iptables -t nat -F ISTIO_INBOUND +iptables -t nat -X ISTIO_INBOUND +iptables -t mangle -F ISTIO_INBOUND +iptables -t mangle -X ISTIO_INBOUND +iptables -t mangle -F ISTIO_DIVERT +iptables -t mangle -X ISTIO_DIVERT +iptables -t mangle -F ISTIO_TPROXY +iptables -t mangle -X ISTIO_TPROXY +iptables -t nat -F ISTIO_REDIRECT +iptables -t nat -X ISTIO_REDIRECT +iptables -t nat -F ISTIO_IN_REDIRECT +iptables -t nat -X ISTIO_IN_REDIRECT +iptables -t nat -F ISTIO_OUTPUT +iptables -t nat -X ISTIO_OUTPUT +ip6tables -t nat -D PREROUTING -p tcp -j ISTIO_INBOUND +ip6tables -t mangle -D PREROUTING -p tcp -j ISTIO_INBOUND +ip6tables -t nat -D OUTPUT -p tcp -j ISTIO_OUTPUT +ip6tables -t nat -F ISTIO_OUTPUT +ip6tables -t nat -X ISTIO_OUTPUT +ip6tables -t nat -F ISTIO_INBOUND +ip6tables -t nat -X ISTIO_INBOUND +ip6tables -t mangle -F ISTIO_INBOUND +ip6tables -t mangle -X ISTIO_INBOUND +ip6tables -t mangle -F ISTIO_DIVERT +ip6tables -t mangle -X ISTIO_DIVERT +ip6tables -t mangle -F ISTIO_TPROXY +ip6tables -t mangle -X ISTIO_TPROXY +ip6tables -t nat -F ISTIO_REDIRECT +ip6tables -t nat -X ISTIO_REDIRECT +ip6tables -t nat -F ISTIO_IN_REDIRECT +ip6tables -t nat -X ISTIO_IN_REDIRECT +ip6tables -t nat -F ISTIO_OUTPUT +ip6tables -t nat -X ISTIO_OUTPUT +iptables -t nat -D OUTPUT -p udp -j ISTIO_OUTPUT +iptables -t raw -D OUTPUT -p 
udp -j ISTIO_OUTPUT +ip6tables -t nat -D OUTPUT -p udp -j ISTIO_OUTPUT +ip6tables -t raw -D OUTPUT -p udp -j ISTIO_OUTPUT +iptables -t raw -F ISTIO_OUTPUT +iptables -t raw -X ISTIO_OUTPUT +iptables -t nat -F ISTIO_OUTPUT +iptables -t nat -X ISTIO_OUTPUT +iptables-save +ip6tables-save \ No newline at end of file diff --git a/tools/istio-clean-iptables/pkg/config/config.go b/tools/istio-clean-iptables/pkg/config/config.go index f11c8606b23e..192aaa68d9be 100644 --- a/tools/istio-clean-iptables/pkg/config/config.go +++ b/tools/istio-clean-iptables/pkg/config/config.go @@ -49,6 +49,8 @@ type Config struct { OwnerGroupsExclude string `json:"OUTBOUND_OWNER_GROUPS_EXCLUDE"` InboundInterceptionMode string `json:"INBOUND_INTERCEPTION_MODE"` InboundTProxyMark string `json:"INBOUND_TPROXY_MARK"` + OutboundIPRangesInclude string `json:"OUTBOUND_IPRANGES_INCLUDE"` + KubeVirtInterfaces string `json:"KUBE_VIRT_INTERFACES"` } func (c *Config) String() string { @@ -69,6 +71,8 @@ func (c *Config) Print() { fmt.Printf("DNS_SERVERS=%s,%s\n", c.DNSServersV4, c.DNSServersV6) fmt.Printf("OUTBOUND_OWNER_GROUPS_INCLUDE=%s\n", c.OwnerGroupsInclude) fmt.Printf("OUTBOUND_OWNER_GROUPS_EXCLUDE=%s\n", c.OwnerGroupsExclude) + fmt.Printf("OUTBOUND_IP_RANGES_INCLUDE=%s\n", c.OutboundIPRangesInclude) + fmt.Printf("KUBE_VIRT_INTERFACES=%s\n", c.KubeVirtInterfaces) fmt.Println("") } From 7726ebb87c32d5b04008f8672afdba39a1371257 Mon Sep 17 00:00:00 2001 From: Istio Automation Date: Thu, 10 Oct 2024 12:30:45 -0400 Subject: [PATCH 27/33] Fix TestTunnelingOutboundTraffic failure on OCP (#53049) Fixes: https://github.com/istio/istio/issues/53008 Signed-off-by: Sridhar Gaddam Co-authored-by: Sridhar Gaddam --- .../pilot/testdata/external-forward-proxy-deployment.yaml | 2 ++ tests/integration/pilot/tunneling_test.go | 4 +++- 2 files changed, 5 insertions(+), 1 deletion(-) 
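Review bot: The new `OutboundIPRangesInclude` field is tagged `json:"OUTBOUND_IPRANGES_INCLUDE"` while `Print` reports it as `OUTBOUND_IP_RANGES_INCLUDE`, so the same setting is spelled two ways inside one commit. If the JSON tag is the key the config is loaded from, a value supplied under the printed name would be silently ignored and `cleanupKubeVirt` would run with an empty range list; whichever spelling the istio-iptables side uses should be adopted for both the tag and the `Printf`. The `Config` struct and the `Print` body both extend beyond these hunks.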
diff --git a/tests/integration/pilot/testdata/external-forward-proxy-deployment.yaml b/tests/integration/pilot/testdata/external-forward-proxy-deployment.yaml index 97ac361be8dc..d27c9d892f2c 100644 --- a/tests/integration/pilot/testdata/external-forward-proxy-deployment.yaml +++ b/tests/integration/pilot/testdata/external-forward-proxy-deployment.yaml @@ -12,10 +12,12 @@ spec: labels: app: external-forward-proxy spec: + {{ if not .OpenShift }} securityContext: runAsUser: 65534 runAsGroup: 65534 fsGroup: 65534 + {{ end }} containers: - name: external-forward-proxy image: envoyproxy/envoy:v1.21.0 diff --git a/tests/integration/pilot/tunneling_test.go b/tests/integration/pilot/tunneling_test.go index a50d601a27dc..4db0190e5f8e 100644 --- a/tests/integration/pilot/tunneling_test.go +++ b/tests/integration/pilot/tunneling_test.go @@ -112,7 +112,9 @@ func TestTunnelingOutboundTraffic(t *testing.T) { externalNs := apps.External.Namespace.Name() applyForwardProxyConfigMaps(ctx, externalNs) - ctx.ConfigIstio().File(externalNs, "testdata/external-forward-proxy-deployment.yaml").ApplyOrFail(ctx) + ctx.ConfigIstio().EvalFile(externalNs, map[string]any{ + "OpenShift": ctx.Settings().OpenShift, + }, "testdata/external-forward-proxy-deployment.yaml").ApplyOrFail(ctx) applyForwardProxyService(ctx, externalNs) externalForwardProxyIPs, err := i.PodIPsFor(ctx.Clusters().Default(), externalNs, "app=external-forward-proxy") if err != nil { From 645df2c1e74ff869e180abf42ddcfe4a9bd24f27 Mon Sep 17 00:00:00 2001 From: Istio Automation Date: Thu, 10 Oct 2024 12:30:53 -0400 Subject: [PATCH 28/33] Automator: update proxy@release-1.23 in istio/istio@release-1.23 (#53498) --- istio.deps | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/istio.deps b/istio.deps index af18aba31132..2bd97c2c5a16 100644 --- a/istio.deps +++ b/istio.deps 
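Review bot: Wrapping the entire pod `securityContext` in `{{ if not .OpenShift }}` drops `runAsUser`, `runAsGroup` and `fsGroup` on OpenShift, which is what the SCC needs, but it also removes every non-root expectation from the manifest for that platform, leaving the UID entirely to whatever the SCC assigns. Consider keeping `securityContext:` with `runAsNonRoot: true` outside the conditional and templating only the three numeric fields, so the manifest states on both platforms that the forward proxy must not run as root; the restricted SCC is expected to accept that field, but verify on the target cluster. The tunneling_test.go hunk only passes `OpenShift` into the template and looks fine.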
@@ -4,7 +4,7 @@ "name": "PROXY_REPO_SHA", "repoName": "proxy", "file": "", - "lastStableSHA": "af72f09013bbba2084db267bb903dc169510bb20" + "lastStableSHA": "1afd9e25f6549a96807d51984b9e513b73308440" }, { "_comment": "", From d915d95f7e47df9583bc4edb04134efc9a8159ff Mon Sep 17 00:00:00 2001 From: Istio Automation Date: Fri, 11 Oct 2024 15:07:59 -0400 Subject: [PATCH 29/33] bookinfo: bump details lock and actually use it (#53514) * Bump to fix a CVE * Actually use the lockfile Co-authored-by: John Howard --- samples/bookinfo/src/details/Dockerfile | 2 +- samples/bookinfo/src/details/Gemfile.lock | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/samples/bookinfo/src/details/Dockerfile b/samples/bookinfo/src/details/Dockerfile index 25d784c44666..20acf9e73a9e 100644 --- a/samples/bookinfo/src/details/Dockerfile +++ b/samples/bookinfo/src/details/Dockerfile @@ -15,7 +15,7 @@ FROM ruby:3.3.0-slim WORKDIR /opt/microservices -COPY Gemfile /opt/microservices/ +COPY Gemfile Gemfile.lock /opt/microservices/ RUN bundle install COPY details.rb /opt/microservices/ diff --git a/samples/bookinfo/src/details/Gemfile.lock b/samples/bookinfo/src/details/Gemfile.lock index c6fc5ba24bea..c8c5704d22ee 100644 --- a/samples/bookinfo/src/details/Gemfile.lock +++ b/samples/bookinfo/src/details/Gemfile.lock @@ -1,7 +1,7 @@ GEM remote: https://rubygems.org/ specs: - webrick (1.8.1) + webrick (1.8.2) PLATFORMS aarch64-linux @@ -12,4 +12,4 @@ DEPENDENCIES webrick (~> 1.7) BUNDLED WITH - 2.5.10 + 2.5.3 From 424517b0cfa0268dea01a09c3946d1a0426376aa Mon Sep 17 00:00:00 2001 From: Istio Automation Date: Tue, 15 Oct 2024 11:47:28 -0400 Subject: [PATCH 30/33] Automator: update proxy@release-1.23 in istio/istio@release-1.23 (#53541) --- istio.deps | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/istio.deps b/istio.deps index 2bd97c2c5a16..9bc7b490bef7 100644 --- a/istio.deps +++ b/istio.deps 
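Review bot: Copying `Gemfile.lock` makes `bundle install` resolve against the pinned `webrick (1.8.2)`, but nothing stops bundler from re-resolving and rewriting the lock if the Gemfile and lock ever drift, so the pin is advisory rather than enforced. Adding `ENV BUNDLE_FROZEN=true` before `RUN bundle install` makes the build fail instead of silently diverging from the lockfile, which is the guarantee the commit message ("actually use the lockfile") is after. The `BUNDLED WITH` line moving from 2.5.10 to 2.5.3 in Gemfile.lock also reads as a downgrade and is worth confirming as intentional.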
@@ -4,7 +4,7 @@ "name": "PROXY_REPO_SHA", "repoName": "proxy", "file": "", - "lastStableSHA": "1afd9e25f6549a96807d51984b9e513b73308440" + "lastStableSHA": "1c820a1845b3f255d5292bfe57971a70e425bf5e" }, { "_comment": "", From 5851980003dd31a143ac0e1c4aebff150a2326e2 Mon Sep 17 00:00:00 2001 From: Istio Automation Date: Tue, 15 Oct 2024 13:53:50 -0400 Subject: [PATCH 31/33] [release-1.23] allow sni hosts with outbound_ in vs, when bound to gw (#52564) * allow sni hosts with outbound_ in vs, when bound to gw * use ValidateWildcardDomain * use constant for outbound_ * incorporate comments * add more tests, update comments * outbound.com should be a valid domain * fix comment --------- Co-authored-by: nirvanagit --- pkg/config/validation/agent/validation.go | 49 ++++++++++++- .../validation/agent/validation_test.go | 73 +++++++++++++++++++ pkg/config/validation/validation.go | 45 +++++++++--- pkg/config/validation/validation_test.go | 20 +++++ 4 files changed, 177 insertions(+), 10 deletions(-) diff --git a/pkg/config/validation/agent/validation.go b/pkg/config/validation/agent/validation.go index ea21c4ff7384..2e52061c65cd 100644 --- a/pkg/config/validation/agent/validation.go +++ b/pkg/config/validation/agent/validation.go @@ -19,6 +19,7 @@ import ( "fmt" "net" "net/netip" + "regexp" "strconv" "strings" "time" @@ -43,7 +44,9 @@ const ( // nolint: revive connectTimeoutMax = time.Hour // nolint: revive - connectTimeoutMin = time.Millisecond + connectTimeoutMin = time.Millisecond + outboundHostPrefix = "outbound" + outboundHostNameFormat = "outbound_._._." ) var scope = log.RegisterScope("validation", "CRD validation debugging") 
@@ -673,6 +676,50 @@ func ValidateWildcardDomain(domain string) error { return nil } +// ValidateWildcardDomainForVirtualServiceBoundToGateway checks that a domain is a valid FQDN, but also allows wildcard prefixes. +// If it is an SNI domain, then it does a special validation where it allows a +// which matches outbound_._._. format +func ValidateWildcardDomainForVirtualServiceBoundToGateway(sni bool, domain string) error { + if err := CheckDNS1123Preconditions(domain); err != nil { + return err + } + + // check if its an auto generated domain, with outbound_ as a prefix. + if sni && strings.HasPrefix(domain, outboundHostPrefix+"_") { + // example of a valid domain: outbound_.80_._.e2e.foobar.mesh + trafficDirectionSuffix, port, hostname, err := parseAutoGeneratedSNIDomain(domain) + if err != nil { + return err + } + if trafficDirectionSuffix != outboundHostPrefix { + return fmt.Errorf("domain name %q invalid (label %q invalid)", domain, trafficDirectionSuffix) + } + match, _ := regexp.MatchString("([0-9].*)", port) + if !match { + return fmt.Errorf("domain name %q invalid (label %q invalid). should follow %s format", domain, port, outboundHostNameFormat) + } + match, _ = regexp.MatchString("([a-zA-Z].*)", hostname) + if !match { + return fmt.Errorf("domain name %q invalid (label %q invalid). 
should follow %s format", domain, hostname, outboundHostNameFormat) + } + return nil + } + return ValidateWildcardDomain(domain) +} + +// parseAutoGeneratedSNIDomain parses auto generated sni domains +// which are generated when using AUTO_PASSTHROUGH mode in envoy +func parseAutoGeneratedSNIDomain(domain string) (string, string, string, error) { + parts := strings.Split(domain, "_") + if len(parts) < 4 { + return "", "", "", fmt.Errorf("domain name %s invalid, should follow '%s' format", domain, outboundHostNameFormat) + } + trafficDirectionPrefix := parts[0] + port := strings.Trim(parts[1], ".") + hostname := strings.Trim(parts[3], ".") + return trafficDirectionPrefix, port, hostname, nil +} + // validate the trust domain format func ValidateTrustDomain(domain string) error { if len(domain) == 0 { diff --git a/pkg/config/validation/agent/validation_test.go b/pkg/config/validation/agent/validation_test.go index cee31bd50507..6c29432012d8 100644 --- a/pkg/config/validation/agent/validation_test.go +++ b/pkg/config/validation/agent/validation_test.go 
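Review bot: The two `regexp.MatchString` checks are unanchored and only require one digit or one letter somewhere in the label, so a port label such as `8x` or a hostname such as `1.2.3.x` passes, and both errors returned by `MatchString` are discarded. The port is better checked with `strconv`, which this file already imports: `if _, err := strconv.ParseUint(port, 10, 16); err != nil {`, and the hostname with `if err := ValidateWildcardDomain(hostname); err != nil {`, which runs the existing DNS rules over the trailing FQDN instead of inspecting its first letter. Since this relaxation applies to gateway-bound SNI hosts, keeping the FQDN portion under the same rules as every other host is the safe default. The doc comment is also missing a word: `// If it is an SNI domain, then it does a special validation where it allows a host which matches the outbound_._._. format`. `ValidateTrustDomain` continues past the hunk.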
@@ -876,6 +876,79 @@ func TestValidateWildcardDomain(t *testing.T) { } } +func TestValidateWildcardDomainForVirtualServiceBoundToGateway(t *testing.T) { + tests := []struct { + name string + in string + sni bool + out string + }{ + {"empty", "", false, "empty"}, + {"too long", strings.Repeat("x", 256), false, "too long"}, + {"happy", strings.Repeat("x", 63), false, ""}, + {"wildcard", "*", false, ""}, + {"wildcard multi-segment", "*.bar.com", false, ""}, + {"wildcard single segment", "*foo", false, ""}, + {"wildcard prefix", "*foo.bar.com", false, ""}, + {"wildcard prefix dash", "*-foo.bar.com", false, ""}, + {"bad wildcard", "foo.*.com", false, "invalid"}, + {"bad wildcard", "foo*.bar.com", false, "invalid"}, + {"IP address", "1.1.1.1", false, "invalid"}, + {"SNI domain", "outbound_.80_._.e2e.foobar.mesh", true, ""}, + {"happy", "outbound.com", true, ""}, + {"invalid SNI domain", "neverbound_.80_._.e2e.foobar.mesh", true, "invalid"}, + {"invalid SNI domain", "outbound_.thisIsNotAPort_._.e2e.foobar.mesh", true, "invalid"}, + {"invalid SNI domain", "outbound_.80_._", true, "invalid"}, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + err := ValidateWildcardDomainForVirtualServiceBoundToGateway(tt.sni, tt.in) + if err == nil && tt.out != "" { + t.Fatalf("ValidateWildcardDomain(%v) = nil, wanted %q", tt.in, tt.out) + } else if err != nil && tt.out == "" { + t.Fatalf("ValidateWildcardDomain(%v) = %v, wanted nil", tt.in, err) + } else if err != nil && !strings.Contains(err.Error(), tt.out) { + t.Fatalf("ValidateWildcardDomain(%v) = %v, wanted %q", tt.in, err, tt.out) + } + }) + } +} + +func TestParseAutoGeneratedSNIDomain(t *testing.T) { + tests := []struct { + name string + in string + trafficDirectionSuffix string + port string + hostname string + err string + }{ + {"invalid", "foobar.com", "", "", "", "domain name foobar.com invalid, should follow '" + outboundHostNameFormat + "' format"}, + {"valid", "outbound_.80_._.e2e.foobar.mesh", 
"outbound", "80", "e2e.foobar.mesh", ""}, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + trafficDirectionSuffix, port, hostname, err := parseAutoGeneratedSNIDomain(tt.in) + if err == nil && tt.err != "" { + t.Fatalf("parseOutboundSNIDomain(%v) = nil, wanted %q", tt.in, tt.err) + } else if err != nil && tt.err == "" { + t.Fatalf("parseOutboundSNIDomain(%v) = %v, wanted nil", tt.in, err) + } else if err != nil && !strings.Contains(err.Error(), tt.err) { + t.Fatalf("parseOutboundSNIDomain(%v) = %v, wanted %q", tt.in, err, tt.err) + } + if trafficDirectionSuffix != tt.trafficDirectionSuffix { + t.Fatalf("parseOutboundSNIDomain(%v) = %v, wanted %q", tt.in, trafficDirectionSuffix, tt.trafficDirectionSuffix) + } + if port != tt.port { + t.Fatalf("parseOutboundSNIDomain(%v) = %v, wanted %q", tt.in, port, tt.port) + } + if hostname != tt.hostname { + t.Fatalf("parseOutboundSNIDomain(%v) = %v, wanted %q", tt.in, hostname, tt.hostname) + } + }) + } +} + func TestValidateTrustDomain(t *testing.T) { tests := []struct { name string diff --git a/pkg/config/validation/validation.go b/pkg/config/validation/validation.go index 8830500777a2..fe0750c36094 100644 --- a/pkg/config/validation/validation.go +++ b/pkg/config/validation/validation.go @@ -1611,13 +1611,8 @@ var ValidateVirtualService = RegisterValidateFunc("ValidateVirtualService", appliesToMesh = true } else { errs = AppendValidation(errs, validateGatewayNames(virtualService.Gateways, gatewaySemantics)) - for _, gatewayName := range virtualService.Gateways { - if gatewayName == constants.IstioMeshGateway { - appliesToMesh = true - } else { - appliesToGateway = true - } - } + appliesToGateway = isGateway(virtualService) + appliesToMesh = !appliesToGateway } if !appliesToGateway { 
@@ -1639,7 +1634,13 @@ var ValidateVirtualService = RegisterValidateFunc("ValidateVirtualService",
 allHostsValid := true
 for _, virtualHost := range virtualService.Hosts {
- if err := agent.ValidateWildcardDomain(virtualHost); err != nil {
+ var err error
+ if appliesToGateway {
+ err = agent.ValidateWildcardDomainForVirtualServiceBoundToGateway(isSniHost(virtualService), virtualHost)
+ } else {
+ err = agent.ValidateWildcardDomain(virtualHost)
+ }
+ if err != nil {
 if !netutil.IsValidIPAddress(virtualHost) {
 errs = AppendValidation(errs, err)
 allHostsValid = false
@@ -1716,6 +1717,26 @@ func assignExactOrPrefix(exact, prefix string) string {
 return ""
 }
+func isSniHost(context *networking.VirtualService) bool {
+ for _, tls := range context.Tls {
+ for _, match := range tls.Match {
+ if len(match.SniHosts) > 0 {
+ return true
+ }
+ }
+ }
+ return false
+}
+
+func isGateway(context *networking.VirtualService) bool {
+ for _, gatewayName := range context.Gateways {
+ if gatewayName == constants.IstioMeshGateway {
+ return false
+ }
+ }
+ return true
+}
+
 // genMatchHTTPRoutes build the match rules into struct OverlappingMatchValidationForHTTPRoute
 // based on particular HTTPMatchRequest, according to comments on https://github.com/istio/istio/pull/32701
 // only support Match's port, method, authority, headers, query params and nonheaders for now.
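Review bot: `isGateway` returns true for an empty `Gateways` list because the loop never runs; a VirtualService with no gateways is mesh-bound by default, yet `validateSniHost` in the next hunk calls `isGateway(context)` unconditionally and would therefore apply the relaxed `outbound_` format to mesh-only SNI hosts, the opposite of what the commit title describes. Add `if len(context.Gateways) == 0 { return false }` at the top of `isGateway`; the new branch in `ValidateVirtualService` only reaches `isGateway` inside the non-empty `else`, so it is unaffected. Naming the parameter `context` also shadows the name of the standard `context` package; `vs` would match the surrounding `virtualService` usage. A doc comment would help readers: `// isGateway reports whether the VirtualService is bound only to non-mesh gateways.`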
@@ -2084,7 +2105,13 @@ func validateTLSMatch(match *networking.TLSMatchAttributes, context *networking.
 }
 func validateSniHost(sniHost string, context *networking.VirtualService) (errs Validation) {
- if err := agent.ValidateWildcardDomain(sniHost); err != nil {
+ var err error
+ if isGateway(context) {
+ err = agent.ValidateWildcardDomainForVirtualServiceBoundToGateway(true, sniHost)
+ } else {
+ err = agent.ValidateWildcardDomain(sniHost)
+ }
+ if err != nil {
 // Could also be an IP
 if netutil.IsValidIPAddress(sniHost) {
 errs = AppendValidation(errs, WrapWarning(fmt.Errorf("using an IP address (%q) goes against SNI spec and most clients do not support this", sniHost)))
diff --git a/pkg/config/validation/validation_test.go b/pkg/config/validation/validation_test.go
index 2da62a28a840..d06b2cae05ee 100644
--- a/pkg/config/validation/validation_test.go
+++ b/pkg/config/validation/validation_test.go
@@ -2023,6 +2023,26 @@ func TestValidateVirtualService(t *testing.T) {
 }},
 }},
 }, valid: true},
+ {name: "allow sni based domains", in: &networking.VirtualService{
+ Hosts: []string{"outbound_.15010_._.istiod.istio-system.svc.cluster.local"},
+ Gateways: []string{"ns1/gateway"},
+ Tls: []*networking.TLSRoute{
+ {
+ Match: []*networking.TLSMatchAttributes{
+ {
+ SniHosts: []string{"outbound_.15010_._.istiod.istio-system.svc.cluster.local"},
+ },
+ },
+ Route: []*networking.RouteDestination{
+ {
+ Destination: &networking.Destination{
+ Host: "istio.istio-system.svc.cluster.local",
+ },
+ },
+ },
+ },
+ },
+ }, valid: true},
 {name: "duplicate hosts", in: &networking.VirtualService{
 Hosts: []string{"*.foo.bar", "*.bar"},
 Http: []*networking.HTTPRoute{{
From 802f289c82176de47f265585433c119d4a619a33 Mon Sep 17 00:00:00 2001
From: John Clark Date: Fri, 18 Oct 2024 07:20:52 +0100 Subject: [PATCH 32/33] Support clusterLocal host exclusions for multi-cluster (#52367) (#53443) * Support clusterLocal exclusions * Support clusterLocal exclusions * Support clusterLocal exclusions - fix release * Add explicit clusterLocal: false if not found * Add additional test cases --------- Signed-off-by: clarkjohnd --- pilot/pkg/model/cluster_local.go | 52 +++++++----- pilot/pkg/model/cluster_local_test.go | 117 ++++++++++++++++++++++++++ releasenotes/notes/52367.yaml | 7 ++ 3 files changed, 153 insertions(+), 23 deletions(-) create mode 100644 releasenotes/notes/52367.yaml
diff --git a/pilot/pkg/model/cluster_local.go b/pilot/pkg/model/cluster_local.go
index b31f05768217..b149ba6433ae 100644
--- a/pilot/pkg/model/cluster_local.go
+++ b/pilot/pkg/model/cluster_local.go
@@ -19,7 +19,6 @@ import (
 "sync"
 "istio.io/istio/pkg/config/host"
- "istio.io/istio/pkg/util/sets"
 )
 var (
@@ -27,18 +26,22 @@ var (
 defaultClusterLocalServices = []string{"kubernetes.default.svc"}
 )
-// ClusterLocalHosts is a map of host names or wildcard patterns which should only
-// be made accessible from within the same cluster.
+// ClusterLocalHosts is a map of host names or wildcard patterns which indicate
+// whether a host be made accessible from within the same cluster or not.
 type ClusterLocalHosts struct {
- specific sets.Set[host.Name]
- wildcard sets.Set[host.Name]
+ specific map[host.Name]bool
+ wildcard map[host.Name]bool
 }
 // IsClusterLocal indicates whether the given host should be treated as a
 // cluster-local destination.
 func (c ClusterLocalHosts) IsClusterLocal(h host.Name) bool {
- _, _, ok := MostSpecificHostMatch(h, c.specific, c.wildcard)
- return ok
+ _, local, ok := MostSpecificHostMatch(h, c.specific, c.wildcard)
+ // Explicitly set clusterLocal to false if host is not found in clusterLocal settings
+ if !ok {
+ local = false
+ }
+ return local
 }
 // ClusterLocalProvider provides the cluster-local hosts.
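Review bot: The `if !ok { local = false }` in `IsClusterLocal` is a no-op if `MostSpecificHostMatch` returns the zero value of the map's value type on a miss, which the removed `_, _, ok` form suggests; if it can return a meaningful value on a miss, the comment should say so, otherwise `_, local, _ := MostSpecificHostMatch(h, c.specific, c.wildcard)` followed by `return local` is enough. The new type comment also reads `whether a host be made accessible`; `// whether a host should be made accessible from within the same cluster or not.` fixes it. Because this value decides whether a host is resolved only to in-cluster endpoints, a sentence on the struct stating that an explicit `clusterLocal: false` entry now overrides a broader `true` wildcard would help the next reader.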
@@ -98,22 +101,15 @@ func (c *clusterLocalProvider) onMeshUpdated(e *Environment) {
 // Collect the cluster-local hosts.
 hosts := ClusterLocalHosts{
- specific: make(map[host.Name]struct{}, 0),
- wildcard: make(map[host.Name]struct{}, 0),
+ specific: make(map[host.Name]bool),
+ wildcard: make(map[host.Name]bool),
 }
+
 for _, serviceSettings := range e.Mesh().ServiceSettings {
- if serviceSettings.GetSettings().GetClusterLocal() {
- for _, h := range serviceSettings.GetHosts() {
- hostname := host.Name(h)
- if hostname.IsWildCarded() {
- hosts.wildcard.Insert(hostname)
- } else {
- hosts.specific.Insert(hostname)
- }
- }
- } else {
- // Remove defaults if specified to be non-cluster-local.
- for _, h := range serviceSettings.GetHosts() {
+ isClusterLocal := serviceSettings.GetSettings().GetClusterLocal()
+ for _, h := range serviceSettings.GetHosts() {
+ // If clusterLocal false, check to see if we should remove a default clusterLocal host.
+ if !isClusterLocal {
 for i, defaultClusterLocalHost := range defaultClusterLocalHosts {
 if len(defaultClusterLocalHost) > 0 {
 if h == string(defaultClusterLocalHost) ||
@@ -126,15 +122,25 @@ func (c *clusterLocalProvider) onMeshUpdated(e *Environment) {
 }
 }
 }
+
+ // Add hosts with their clusterLocal setting to sets.
+ for _, h := range serviceSettings.GetHosts() {
+ hostname := host.Name(h)
+ if hostname.IsWildCarded() {
+ hosts.wildcard[hostname] = isClusterLocal
+ } else {
+ hosts.specific[hostname] = isClusterLocal
+ }
+ }
 }
 // Add any remaining defaults to the end of the list.
 for _, defaultClusterLocalHost := range defaultClusterLocalHosts {
 if len(defaultClusterLocalHost) > 0 {
 if defaultClusterLocalHost.IsWildCarded() {
- hosts.wildcard[defaultClusterLocalHost] = true
+ hosts.wildcard[defaultClusterLocalHost] = true
 } else {
- hosts.specific.Insert(defaultClusterLocalHost)
+ hosts.specific[defaultClusterLocalHost] = true
 }
 }
 }
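Review bot: With map-valued settings, a host listed in more than one `ServiceSettings` entry now takes whichever value is assigned last, silently, whereas the old set insert was order-independent; the second `for _, h := range serviceSettings.GetHosts()` loop overwrites without looking. A check before the assignment such as `if prev, dup := hosts.specific[hostname]; dup && prev != isClusterLocal {` that emits a warning through the package logger would surface a conflicting mesh config instead of hiding it, or at minimum a comment stating that the last entry wins. The two loops over `GetHosts()` inside the same `serviceSettings` iteration could also be folded into one. The default-removal body of the first hunk continues outside the hunk.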
diff --git a/pilot/pkg/model/cluster_local_test.go b/pilot/pkg/model/cluster_local_test.go index 456e164b856c..ad76dbda3e8a 100644 --- a/pilot/pkg/model/cluster_local_test.go +++ b/pilot/pkg/model/cluster_local_test.go 
@@ -142,6 +142,123 @@ func TestIsClusterLocal(t *testing.T) { host: "s.ns3.svc.cluster.local", expected: false, }, + { + name: "global", + m: &meshconfig.MeshConfig{ + ServiceSettings: []*meshconfig.MeshConfig_ServiceSettings{ + { + Settings: &meshconfig.MeshConfig_ServiceSettings_Settings{ + ClusterLocal: true, + }, + Hosts: []string{ + "*", + }, + }, + }, + }, + host: "s.ns1.svc.cluster.local", + expected: true, + }, + { + name: "global with exclusion wildcard", + m: &meshconfig.MeshConfig{ + ServiceSettings: []*meshconfig.MeshConfig_ServiceSettings{ + { + Settings: &meshconfig.MeshConfig_ServiceSettings_Settings{ + ClusterLocal: true, + }, + Hosts: []string{ + "*", + }, + }, + { + Settings: &meshconfig.MeshConfig_ServiceSettings_Settings{ + ClusterLocal: false, + }, + Hosts: []string{ + "*.ns1.svc.cluster.local", + }, + }, + }, + }, + host: "s.ns1.svc.cluster.local", + expected: false, + }, + { + name: "global with exclusion specific", + m: &meshconfig.MeshConfig{ + ServiceSettings: []*meshconfig.MeshConfig_ServiceSettings{ + { + Settings: &meshconfig.MeshConfig_ServiceSettings_Settings{ + ClusterLocal: true, + }, + Hosts: []string{ + "*", + }, + }, + { + Settings: &meshconfig.MeshConfig_ServiceSettings_Settings{ + ClusterLocal: false, + }, + Hosts: []string{ + "service.ns1.svc.cluster.local", + }, + }, + }, + }, + host: "service.ns1.svc.cluster.local", + expected: false, + }, + { + name: "subdomain local with global", + m: &meshconfig.MeshConfig{ + ServiceSettings: []*meshconfig.MeshConfig_ServiceSettings{ + { + Settings: &meshconfig.MeshConfig_ServiceSettings_Settings{ + ClusterLocal: true, + }, + Hosts: []string{ + "*.cluster.local", + }, + }, + { + Settings: &meshconfig.MeshConfig_ServiceSettings_Settings{ + ClusterLocal: false, + }, + Hosts: []string{ + "*", + }, + }, + }, + }, + host: "echo.test.svc.cluster.local", + expected: true, + }, + { + name: "other domain non-local global", + m: &meshconfig.MeshConfig{ + ServiceSettings: 
[]*meshconfig.MeshConfig_ServiceSettings{ + { + Settings: &meshconfig.MeshConfig_ServiceSettings_Settings{ + ClusterLocal: true, + }, + Hosts: []string{ + "*.cluster.local", + }, + }, + { + Settings: &meshconfig.MeshConfig_ServiceSettings_Settings{ + ClusterLocal: false, + }, + Hosts: []string{ + "*", + }, + }, + }, + }, + host: "otherdomain", + expected: false, + }, } for _, c := range cases { diff --git a/releasenotes/notes/52367.yaml b/releasenotes/notes/52367.yaml new file mode 100644 index 000000000000..6b6bacc4ee5b --- /dev/null +++ b/releasenotes/notes/52367.yaml @@ -0,0 +1,7 @@ +apiVersion: release-notes/v2 +kind: bug-fix +area: traffic-management +issue: [] +releaseNotes: +- | + **Fixed** Support clusterLocal host exclusions for multi-cluster. From 33af1b65afe2780bc2bc7c94ccd8a6f6281215e4 Mon Sep 17 00:00:00 2001 From: Istio Automation Date: Sat, 19 Oct 2024 11:48:53 -0400 Subject: [PATCH 33/33] Automator: update proxy@release-1.23 in istio/istio@release-1.23 (#53585) --- istio.deps | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/istio.deps b/istio.deps index 9bc7b490bef7..7a0a62118b09 100644 --- a/istio.deps +++ b/istio.deps @@ -4,7 +4,7 @@ "name": "PROXY_REPO_SHA", "repoName": "proxy", "file": "", - "lastStableSHA": "1c820a1845b3f255d5292bfe57971a70e425bf5e" + "lastStableSHA": "cbd889517ed13455bf2d88facc5685d958eb54a6" }, { "_comment": "",