Merge tag '1.22.1' into tetrate-release-1.22

Istio release 1.22.1

Makefile.core.mk

@@ -362,6 +362,8 @@ copy-templates:
 	cp manifests/charts/istio-control/istio-discovery/templates/configmap.yaml manifests/charts/istiod-remote/templates
 	cp manifests/charts/istio-control/istio-discovery/templates/_helpers.tpl manifests/charts/istiod-remote/templates
 	sed -e '1 i {{- if .Values.global.configCluster }}' -e '$$ a {{- end }}' manifests/charts/base/crds/crd-all.gen.yaml > manifests/charts/istiod-remote/templates/crd-all.gen.yaml
+	sed -e '1 i {{- if .Values.global.configCluster }}' -e '$$ a {{- end }}' manifests/charts/base/templates/validatingadmissionpolicy.yaml > manifests/charts/istiod-remote/templates/defaultrevisionvalidatingadmissionpolicy.yaml
+	sed -e '1 i {{- if .Values.global.configCluster }}' -e '$$ a {{- end }}' manifests/charts/istio-control/istio-discovery/templates/validatingadmissionpolicy.yaml > manifests/charts/istiod-remote/templates/validatingadmissionpolicy.yaml
 	sed -e '1 i {{- if .Values.global.configCluster }}' -e '$$ a {{- end }}' manifests/charts/base/templates/default.yaml > manifests/charts/istiod-remote/templates/default.yaml
 	sed -e '1 i {{- if .Values.global.configCluster }}' -e '$$ a {{- end }}' manifests/charts/istio-control/istio-discovery/templates/validatingwebhookconfiguration.yaml > manifests/charts/istiod-remote/templates/validatingwebhookconfiguration.yaml
 	sed -e '1 i {{- if .Values.global.configCluster }}' -e '$$ a {{- end }}' manifests/charts/istio-control/istio-discovery/templates/serviceaccount.yaml > manifests/charts/istiod-remote/templates/serviceaccount.yaml

cni/pkg/nodeagent/net.go

@@ -231,8 +231,8 @@ func (s *NetServer) RemovePodFromMesh(ctx context.Context, pod *corev1.Pod) erro
 
 	openNetns := s.currentPodSnapshot.Take(string(pod.UID))
 	if openNetns == nil {
-		log.Warn("failed to find pod netns")
-		return fmt.Errorf("failed to find pod netns")
+		log.Warn("failed to find pod netns during removal")
+		return fmt.Errorf("failed to find pod netns during removal")
 	}
 	// pod is removed from the mesh, but is still running. remove iptables rules
 	log.Debugf("calling DeleteInpodRules.")
@@ -312,11 +312,17 @@ func addPodToHostNSIpset(pod *corev1.Pod, podIPs []netip.Addr, hostsideProbeSet
 	for _, pip := range podIPs {
 		// Add to host ipset
 		log.Debugf("adding pod %s probe to ipset %s with ip %s", pod.Name, hostsideProbeSet.Name, pip)
-		// Add IP/port combo to set. Note that we set Replace to true - a pod ip/port combo already being
-		// in the set is perfectly fine, and something we can always safely overwrite, so we will.
-		if err := hostsideProbeSet.AddIP(pip, ipProto, podUID, true); err != nil {
+		// Add IP/port combo to set. Note that we set Replace to false here - we _did_ previously
+		// set it to true, but in theory that could mask weird scenarios where K8S triggers events out of order ->
+		// an add(sameIPreused) then delete(originalIP).
+		// Which will result in the new pod starting to fail healthchecks.
+		//
+		// Since we purge on restart of CNI, and remove pod IPs from the set on every pod removal/deletion,
+		// we _shouldn't_ get any overwrite/overlap, unless something is wrong and we are asked to add
+		// a pod by an IP we already have in the set (which will give an error, which we want).
+		if err := hostsideProbeSet.AddIP(pip, ipProto, podUID, false); err != nil {
 			ipsetAddrErrs = append(ipsetAddrErrs, err)
-			log.Warnf("failed adding pod %s to ipset %s with ip %s, error was %s",
+			log.Errorf("failed adding pod %s to ipset %s with ip %s, error was %s",
 				pod.Name, hostsideProbeSet.Name, pip, err)
 		}
 	}

cni/pkg/nodeagent/net_test.go

@@ -146,7 +146,7 @@ func TestServerAddPod(t *testing.T) {
 		netip.MustParseAddr("99.9.9.9"),
 		uint8(unix.IPPROTO_TCP),
 		string(podMeta.UID),
-		true,
+		false,
 	).Return(nil)
 
 	err := netServer.AddPodToMesh(ctx, &corev1.Pod{ObjectMeta: podMeta}, podIPs, "fakenetns")
@@ -243,7 +243,7 @@ func expectPodAddedToIPSet(ipsetDeps *ipset.MockedIpsetDeps, podMeta metav1.Obje
 		netip.MustParseAddr("99.9.9.9"),
 		uint8(unix.IPPROTO_TCP),
 		string(podMeta.UID),
-		true,
+		false,
 	).Return(nil)
 }
 
@@ -361,15 +361,15 @@ func TestAddPodToHostNSIPSets(t *testing.T) {
 		netip.MustParseAddr("99.9.9.9"),
 		ipProto,
 		podUID,
-		true,
+		false,
 	).Return(nil)
 
 	fakeIPSetDeps.On("addIP",
 		"foo",
 		netip.MustParseAddr("2.2.2.2"),
 		ipProto,
 		podUID,
-		true,
+		false,
 	).Return(nil)
 
 	podIPs := []netip.Addr{netip.MustParseAddr("99.9.9.9"), netip.MustParseAddr("2.2.2.2")}
@@ -392,15 +392,15 @@ func TestAddPodProbePortsToHostNSIPSetsReturnsErrorIfOneFails(t *testing.T) {
 		netip.MustParseAddr("99.9.9.9"),
 		ipProto,
 		podUID,
-		true,
+		false,
 	).Return(nil)
 
 	fakeIPSetDeps.On("addIP",
 		"foo",
 		netip.MustParseAddr("2.2.2.2"),
 		ipProto,
 		podUID,
-		true,
+		false,
 	).Return(errors.New("bwoah"))
 
 	podIPs := []netip.Addr{netip.MustParseAddr("99.9.9.9"), netip.MustParseAddr("2.2.2.2")}
@@ -450,15 +450,15 @@ func TestSyncHostIPSetsPrunesNothingIfNoExtras(t *testing.T) {
 		netip.MustParseAddr("3.3.3.3"),
 		ipProto,
 		podUID,
-		true,
+		false,
 	).Return(nil)
 
 	fixture.ipsetDeps.On("addIP",
 		"foo",
 		netip.MustParseAddr("2.2.2.2"),
 		ipProto,
 		podUID,
-		true,
+		false,
 	).Return(nil)
 
 	fixture.ipsetDeps.On("listEntriesByIP",
@@ -512,15 +512,15 @@ func TestSyncHostIPSetsPrunesIfExtras(t *testing.T) {
 		netip.MustParseAddr("3.3.3.3"),
 		ipProto,
 		podUID,
-		true,
+		false,
 	).Return(nil)
 
 	fixture.ipsetDeps.On("addIP",
 		"foo",
 		netip.MustParseAddr("2.2.2.2"),
 		ipProto,
 		podUID,
-		true,
+		false,
 	).Return(nil)
 
 	// List should return one IP not in our "pod snapshot", which means we prune

go.mod

@@ -106,8 +106,8 @@ require (
 	gopkg.in/yaml.v2 v2.4.0
 	gopkg.in/yaml.v3 v3.0.1
 	helm.sh/helm/v3 v3.14.3
-	istio.io/api v1.22.0-beta.0
-	istio.io/client-go v1.22.0-rc.0.0.20240511020757-412bec918d1e
+	istio.io/api v1.22.1-0.20240524024004-b6815be0740d
+	istio.io/client-go v1.22.1-0.20240524024404-e48447329f77
 	k8s.io/api v0.30.0
 	k8s.io/apiextensions-apiserver v0.30.0
 	k8s.io/apimachinery v0.30.0

go.sum

@@ -1102,10 +1102,10 @@ helm.sh/helm/v3 v3.14.3/go.mod h1:v6myVbyseSBJTzhmeE39UcPLNv6cQK6qss3dvgAySaE=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
-istio.io/api v1.22.0-beta.0 h1:dlBLCqjH6/12RZEjDU5dbM3Evwl22jS6JucFn3nJyZ0=
-istio.io/api v1.22.0-beta.0/go.mod h1:S3l8LWqNYS9yT+d4bH+jqzH2lMencPkW7SKM1Cu9EyM=
-istio.io/client-go v1.22.0-rc.0.0.20240511020757-412bec918d1e h1:scHu9YFFfu8cj56K8kY2BxQfOV8SLywqUZDIJ1iT4w4=
-istio.io/client-go v1.22.0-rc.0.0.20240511020757-412bec918d1e/go.mod h1:1lAPr0DOVBbnRQqLAQKxWbEaxFk6b1CJTm+ypnP7sMo=
+istio.io/api v1.22.1-0.20240524024004-b6815be0740d h1:2GncSQ55NOr91NYPmi0jqhVM7z7/xswJsD96dQMkN38=
+istio.io/api v1.22.1-0.20240524024004-b6815be0740d/go.mod h1:S3l8LWqNYS9yT+d4bH+jqzH2lMencPkW7SKM1Cu9EyM=
+istio.io/client-go v1.22.1-0.20240524024404-e48447329f77 h1:RxyTd7arbmdk/E7xINxtrsC4pXtVR6piZgn25WYVqJ4=
+istio.io/client-go v1.22.1-0.20240524024404-e48447329f77/go.mod h1:Z2QE9uMt6tDVyrmiLfLVhutbqtfUkPJ7A5Uw/p6gNFo=
 k8s.io/api v0.18.2/go.mod h1:SJCWI7OLzhZSvbY7U8zwNl9UA4o1fizoug34OV/2r78=
 k8s.io/api v0.18.4/go.mod h1:lOIQAKYgai1+vz9J7YcDZwC26Z0zQewYOGWdyIPUUQ4=
 k8s.io/api v0.30.0 h1:siWhRq7cNjy2iHssOB9SCGNCl2spiF1dO3dABqZ8niA=

istio.deps

@@ -4,13 +4,13 @@
     "name": "PROXY_REPO_SHA",
     "repoName": "proxy",
     "file": "",
-    "lastStableSHA": "b2dd15dc498b84431c063042e7821e179d5a3c41"
+    "lastStableSHA": "f0254260634c0ca50a596a99e25fb2e55fe9bfb7"
   },
   {
     "_comment": "",
     "name": "ZTUNNEL_REPO_SHA",
     "repoName": "ztunnel",
     "file": "",
-    "lastStableSHA": "909bf991d01edc4db51265bc633acfe303555ef5"
+    "lastStableSHA": "959e69db8ea156a17c556de415c53b8791312e99"
   }
 ]

manifests/charts/istiod-remote/templates/defaultrevisionvalidatingadmissionpolicy.yaml

@@ -0,0 +1,53 @@
+{{- if .Values.global.configCluster }}
+{{- if and .Values.experimental.stableValidationPolicy (not (eq .Values.defaultRevision "")) }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicy
+metadata:
+  name: "stable-channel-default-policy.istio.io"
+  labels:
+    release: {{ .Release.Name }}
+    istio: istiod
+    istio.io/rev: {{ .Values.defaultRevision }}
+spec:
+  failurePolicy: Fail
+  matchConstraints:
+    resourceRules:
+    - apiGroups:
+        - security.istio.io
+        - networking.istio.io
+        - telemetry.istio.io
+        - extensions.istio.io
+      apiVersions: ["*"]
+      operations:  ["CREATE", "UPDATE"]
+      resources:   ["*"]
+  variables:
+    - name: isEnvoyFilter
+      expression: "object.kind == 'EnvoyFilter'"
+    - name: isWasmPlugin
+      expression: "object.kind == 'WasmPlugin'"
+    - name: isProxyConfig
+      expression: "object.kind == 'ProxyConfig'"
+    - name: isTelemetry
+      expression: "object.kind == 'Telemetry'"
+  validations:
+    - expression: "!variables.isEnvoyFilter"
+    - expression: "!variables.isWasmPlugin"
+    - expression: "!variables.isProxyConfig"
+    - expression: |
+        !(
+          variables.isTelemetry && (
+            (has(object.spec.tracing) ? object.spec.tracing : {}).exists(t, has(t.useRequestIdForTraceSampling)) ||
+            (has(object.spec.metrics) ? object.spec.metrics : {}).exists(m, has(m.reportingInterval)) ||
+            (has(object.spec.accessLogging) ? object.spec.accessLogging : {}).exists(l, has(l.filter))
+          )
+        )
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+  name: "stable-channel-default-policy-binding.istio.io"
+spec:
+  policyName: "stable-channel-default-policy.istio.io"
+  validationActions: [Deny]
+{{- end }}
+{{- end }}

manifests/charts/istiod-remote/templates/validatingadmissionpolicy.yaml

@@ -0,0 +1,59 @@
+{{- if .Values.global.configCluster }}
+{{- if .Values.experimental.stableValidationPolicy }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicy
+metadata:
+  name: "stable-channel-policy{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io"
+spec:
+  failurePolicy: Fail
+  matchConstraints:
+    resourceRules:
+    - apiGroups:
+        - security.istio.io
+        - networking.istio.io
+        - telemetry.istio.io
+        - extensions.istio.io
+      apiVersions: ["*"]
+      operations:  ["CREATE", "UPDATE"]
+      resources:   ["*"]
+    objectSelector:
+      matchExpressions:
+        - key: istio.io/rev
+          operator: In
+          values:
+          {{- if (eq .Values.revision "") }}
+          - "default"
+          {{- else }}
+          - "{{ .Values.revision }}"
+          {{- end }}
+  variables:
+    - name: isEnvoyFilter
+      expression: "object.kind == 'EnvoyFilter'"
+    - name: isWasmPlugin
+      expression: "object.kind == 'WasmPlugin'"
+    - name: isProxyConfig
+      expression: "object.kind == 'ProxyConfig'"
+    - name: isTelemetry
+      expression: "object.kind == 'Telemetry'"
+  validations:
+    - expression: "!variables.isEnvoyFilter"
+    - expression: "!variables.isWasmPlugin"
+    - expression: "!variables.isProxyConfig"
+    - expression: |
+        !(
+          variables.isTelemetry && (
+            (has(object.spec.tracing) ? object.spec.tracing : {}).exists(t, has(t.useRequestIdForTraceSampling)) ||
+            (has(object.spec.metrics) ? object.spec.metrics : {}).exists(m, has(m.reportingInterval)) ||
+            (has(object.spec.accessLogging) ? object.spec.accessLogging : {}).exists(l, has(l.filter))
+          )
+        )
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+  name: "stable-channel-policy-binding{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io"
+spec:
+  policyName: "stable-channel-policy{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io"
+  validationActions: [Deny]
+{{- end }}
+{{- end }}

manifests/charts/ztunnel/values.yaml

@@ -32,8 +32,10 @@ defaults:
   # Pod resource configuration
   resources:
     requests:
-      cpu: 500m
-      memory: 2048Mi
+      cpu: 200m
+      # Ztunnel memory scales with the size of the cluster and traffic load
+      # While there are many factors, this is enough for ~200k pod cluster or 100k concurrently open connections.
+      memory: 512Mi
 
   # List of secret names to add to the service account as image pull secrets
   imagePullSecrets: []

operator/cmd/mesh/install.go

@@ -406,8 +406,7 @@ func detectDefaultWebhookChange(p Printer, client kube.CLIClient, iop *v1alpha12
 	// If there is no default webhook but a revisioned default webhook exists,
 	// and we are installing a new IOP with default semantics, the default webhook shifts.
 	if exists && len(mwhs.Items) == 0 && iop.Spec.GetRevision() == "" {
-		p.Println("This installation will make default injection and validation pointing to the default revision, and " +
-			"originally it was pointing to the revisioned one.")
+		p.Println("The default revision has been updated to point to this installation.")
 	}
 	return nil
 }