Merge tag '1.23.2' into tetrate-release-1.23

Istio release 1.23.2
tetratelabs · Sep 21, 2024 · 8cccad1 · 8cccad1
2 parents 5e4a0d3 + da0b3f2
commit 8cccad1
Show file tree

Hide file tree

Showing 10 changed files with 534 additions and 13 deletions.
diff --git a/go.mod b/go.mod
@@ -98,8 +98,8 @@ require (
 	gopkg.in/yaml.v2 v2.4.0
 	gopkg.in/yaml.v3 v3.0.1
 	helm.sh/helm/v3 v3.15.1
-	istio.io/api v1.23.1-0.20240821135524-978ac3b543c0
-	istio.io/client-go v1.23.1-0.20240821140023-42f73330498c
+	istio.io/api v1.23.1-0.20240906150629-ba126bb830f0
+	istio.io/client-go v1.23.1-0.20240906150928-c84358ed0e43
 	k8s.io/api v0.30.1
 	k8s.io/apiextensions-apiserver v0.30.1
 	k8s.io/apimachinery v0.30.1

diff --git a/go.sum b/go.sum
@@ -1009,10 +1009,10 @@ helm.sh/helm/v3 v3.15.1/go.mod h1:fvfoRcB8UKRUV5jrIfOTaN/pG1TPhuqSb56fjYdTKXg=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
-istio.io/api v1.23.1-0.20240821135524-978ac3b543c0 h1:WO2cBln4Hjm+M8S8wExj+g/eZ46cFaqoJSLgdTwKWOk=
-istio.io/api v1.23.1-0.20240821135524-978ac3b543c0/go.mod h1:QPSTGXuIQdnZFEm3myf9NZ5uBMwCdJWUvfj9ZZ+2oBM=
-istio.io/client-go v1.23.1-0.20240821140023-42f73330498c h1:EfBRgH6Oyi4pR1+SPzQn60u+PZ6uMdtchUCv3IjG3/Y=
-istio.io/client-go v1.23.1-0.20240821140023-42f73330498c/go.mod h1:+fxu+O2GkITM3HEREUWdobvRXqI/UhAAI7hfxqqpRh0=
+istio.io/api v1.23.1-0.20240906150629-ba126bb830f0 h1:utRdmZryJWw71X1flREUJFLk56QCl2JdVuP3xsvDcMI=
+istio.io/api v1.23.1-0.20240906150629-ba126bb830f0/go.mod h1:QPSTGXuIQdnZFEm3myf9NZ5uBMwCdJWUvfj9ZZ+2oBM=
+istio.io/client-go v1.23.1-0.20240906150928-c84358ed0e43 h1:/HbrtBiDEiTsQRrzkdcfNgKr+GUp/JFWc5U3ZL/QUmk=
+istio.io/client-go v1.23.1-0.20240906150928-c84358ed0e43/go.mod h1:E08wpMtUulJk2tlWOCUVakjy1bKFxUNm22tM1R1QY0Y=
 k8s.io/api v0.18.2/go.mod h1:SJCWI7OLzhZSvbY7U8zwNl9UA4o1fizoug34OV/2r78=
 k8s.io/api v0.18.4/go.mod h1:lOIQAKYgai1+vz9J7YcDZwC26Z0zQewYOGWdyIPUUQ4=
 k8s.io/api v0.30.1 h1:kCm/6mADMdbAxmIh0LBjS54nQBE+U4KmbCfIkF5CpJY=

diff --git a/istio.deps b/istio.deps
@@ -4,13 +4,13 @@
     "name": "PROXY_REPO_SHA",
     "repoName": "proxy",
     "file": "",
-    "lastStableSHA": "9da6ab5663bca846996adcb4414dc6bf7bf0d3eb"
+    "lastStableSHA": "6c72b2179f5a58988b920a55b0be8346de3f7b35"
   },
   {
     "_comment": "",
     "name": "ZTUNNEL_REPO_SHA",
     "repoName": "ztunnel",
     "file": "",
-    "lastStableSHA": "245ecc111ba1cbe9bd2923f24be609e656a191ad"
+    "lastStableSHA": "3ead5b81415936e1d3d7f4e81b0d87178817b289"
   }
 ]
diff --git a/pilot/pkg/networking/core/listener_builder.go b/pilot/pkg/networking/core/listener_builder.go
@@ -421,7 +421,10 @@ func (lb *ListenerBuilder) buildHTTPConnectionManager(httpOpts *httpListenerOpts
 	connectionManager.HttpFilters = filters
 	connectionManager.RequestIdExtension = requestidextension.BuildUUIDRequestIDExtension(reqIDExtensionCtx)
 
-	if features.EnableHCMInternalNetworks && lb.push.Networks != nil {
+	// If UseRemoteAddress is set, we must set the internal address config in preparation for envoy
+	// internal addresses defaulting to empty set. Currently, the internal addresses defaulted to
+	// all private IPs but this will change in the future.
+	if (features.EnableHCMInternalNetworks || httpOpts.useRemoteAddress) && lb.push.Networks != nil {
 		for _, internalnetwork := range lb.push.Networks.Networks {
 			iac := &hcm.HttpConnectionManager_InternalAddressConfig{}
 			for _, ne := range internalnetwork.Endpoints {

diff --git a/pilot/pkg/networking/core/listener_builder_test.go b/pilot/pkg/networking/core/listener_builder_test.go
@@ -844,6 +844,75 @@ func TestHCMInternalAddressConfig(t *testing.T) {
 	}
 }
 
+func TestUseRemoteAddressInternalAddressConfig(t *testing.T) {
+	cg := NewConfigGenTest(t, TestOptions{})
+	sidecarProxy := cg.SetupProxy(&model.Proxy{ConfigNamespace: "not-default"})
+	push := cg.PushContext()
+	cases := []struct {
+		name           string
+		networks       *meshconfig.MeshNetworks
+		expectedconfig *hcm.HttpConnectionManager_InternalAddressConfig
+	}{
+		{
+			name:           "nil networks",
+			expectedconfig: nil,
+		},
+		{
+			name:           "empty networks",
+			networks:       &meshconfig.MeshNetworks{},
+			expectedconfig: nil,
+		},
+		{
+			name: "networks populated",
+			networks: &meshconfig.MeshNetworks{
+				Networks: map[string]*meshconfig.Network{
+					"default": {
+						Endpoints: []*meshconfig.Network_NetworkEndpoints{
+							{
+								Ne: &meshconfig.Network_NetworkEndpoints_FromCidr{
+									FromCidr: "192.168.0.0/16",
+								},
+							},
+							{
+								Ne: &meshconfig.Network_NetworkEndpoints_FromCidr{
+									FromCidr: "172.16.0.0/12",
+								},
+							},
+						},
+					},
+				},
+			},
+			expectedconfig: &hcm.HttpConnectionManager_InternalAddressConfig{
+				CidrRanges: []*core.CidrRange{
+					{
+						AddressPrefix: "192.168.0.0",
+						PrefixLen:     &wrapperspb.UInt32Value{Value: 16},
+					},
+					{
+						AddressPrefix: "172.16.0.0",
+						PrefixLen:     &wrapperspb.UInt32Value{Value: 12},
+					},
+				},
+			},
+		},
+	}
+	for _, tt := range cases {
+		t.Run(tt.name, func(t *testing.T) {
+			push.Networks = tt.networks
+			lb := &ListenerBuilder{
+				push:               push,
+				node:               sidecarProxy,
+				authzCustomBuilder: &authz.Builder{},
+				authzBuilder:       &authz.Builder{},
+			}
+			httpConnManager := lb.buildHTTPConnectionManager(&httpListenerOpts{useRemoteAddress: true})
+			if !reflect.DeepEqual(tt.expectedconfig, httpConnManager.InternalAddressConfig) {
+				t.Errorf("unexpected internal address config, expected: %v, got :%v", tt.expectedconfig, httpConnManager.InternalAddressConfig)
+			}
+		})
+	}
+}
+
 func TestAdditionalAddressesForIPv6(t *testing.T) {
 	test.SetForTest(t, &features.EnableAdditionalIpv4OutboundListenerForIpv6Only, true)
 	cg := NewConfigGenTest(t, TestOptions{Services: testServices})

diff --git a/pkg/bootstrap/instance_test.go b/pkg/bootstrap/instance_test.go
@@ -108,6 +108,9 @@ func TestGolden(t *testing.T) {
 		{
 			base: "default",
 		},
+		{
+			base: "explicit_internal_address",
+		},
 		{
 			base: "legacy_stats_tags_regex",
 			envVars: map[string]string{

diff --git a/pkg/bootstrap/testdata/explicit_internal_address.proxycfg b/pkg/bootstrap/testdata/explicit_internal_address.proxycfg
@@ -0,0 +1,12 @@
+config_path:               "/etc/istio/proxy"
+binary_path:               "/usr/local/bin/envoy"
+service_cluster:           "istio-proxy"
+drain_duration:            {seconds: 2}
+discovery_address:         "istio-pilot:15010"
+proxy_admin_port:          15000
+control_plane_auth_policy: NONE
+runtime_values:            [{ key: "envoy.reloadable_features.explicit_internal_address_config" value: "true" }]
+
+#
+# This matches the default configuration hardcoded in model.DefaultProxyConfig
+# Flags may override this configuration, as specified by the injector configs.