Merge tag '1.22.4' into tetratefips-release-1.22

Istio release 1.22.4

.devcontainer/devcontainer.json

@@ -1,6 +1,6 @@
 {
   "name": "istio build-tools",
-  "image": "gcr.io/istio-testing/build-tools:release-1.22-46fce460ef8547fb88a20de8494683bfb3bfa8e5",
+  "image": "gcr.io/istio-testing/build-tools:release-1.22-02098ccc0766fde1c577cf9f9258fb43a08ec8c8",
   "privileged": true,
   "remoteEnv": {
     "USE_GKE_GCLOUD_AUTH_PLUGIN": "True",

Makefile.core.mk

@@ -49,7 +49,7 @@ endif
 export VERSION
 
 # Base version of Istio image to use
-BASE_VERSION ?= 1.22-2024-06-27T19-01-41
+BASE_VERSION ?= 1.22-2024-08-08T19-01-18
 ISTIO_BASE_REGISTRY ?= gcr.io/istio-release
 
 export GO111MODULE ?= on
@@ -380,7 +380,10 @@ copy-templates:
 		for profile in manifests/helm-profiles/*.yaml ; do \
 			sed "1s|^|$${warning}\n\n|" $$profile > manifests/charts/$$chart/files/profile-$$(basename $$profile) ; \
 		done; \
-		cp manifests/zzz_profile.yaml manifests/charts/$$chart/templates ; \
+		[[ "$$chart" == "ztunnel" ]] && flatten="true" || flatten="false" ; \
+		cat manifests/zzz_profile.yaml | \
+		  sed "s/FLATTEN_GLOBALS_REPLACEMENT/$${flatten}/g" \
+		  > manifests/charts/$$chart/templates/zzz_profile.yaml ; \
 	done
 
 #-----------------------------------------------------------------------------

cni/pkg/ipset/nldeps_linux.go

@@ -19,9 +19,9 @@ import (
 	"fmt"
 	"net"
 	"net/netip"
+	"strings"
 
 	"github.com/vishvananda/netlink"
-	"github.com/vishvananda/netlink/nl"
 )
 
 func RealNlDeps() NetlinkIpsetDeps {
@@ -32,7 +32,16 @@ type realDeps struct{}
 
 func (m *realDeps) ipsetIPPortCreate(name string) error {
 	err := netlink.IpsetCreate(name, "hash:ip", netlink.IpsetCreateOptions{Comments: true, Replace: true})
-	if ipsetErr, ok := err.(nl.IPSetError); ok && ipsetErr == nl.IPSET_ERR_EXIST {
+	// Note there appears to be a bug in vishvananda/netlink here:
+	// https://github.com/vishvananda/netlink/issues/992
+	//
+	// The "right" way to do this is:
+	// if err == nl.IPSetError(nl.IPSET_ERR_EXIST) {
+	// 	log.Debugf("ignoring ipset err")
+	// 	return nil
+	// }
+	// but that doesn't actually work, so strings.Contains the error.
+	if err != nil && strings.Contains(err.Error(), "exists") {
 		return nil
 	}
 	return err

cni/pkg/nodeagent/cni-watcher_test.go

@@ -107,10 +107,7 @@ func TestCNIPluginServer(t *testing.T) {
 		valid.Netns,
 	).Return(nil)
 
-	dpServer := &meshDataplane{
-		kubeClient: client.Kube(),
-		netServer:  fs,
-	}
+	dpServer := getFakeDP(fs, client.Kube())
 
 	handlers := setupHandlers(ctx, client, dpServer, "istio-system")
 
@@ -183,10 +180,7 @@ func TestGetPodWithRetry(t *testing.T) {
 	wg, _ := NewWaitForNCalls(t, 1)
 	fs := &fakeServer{testWG: wg}
 
-	dpServer := &meshDataplane{
-		kubeClient: client.Kube(),
-		netServer:  fs,
-	}
+	dpServer := getFakeDP(fs, client.Kube())
 
 	handlers := setupHandlers(ctx, client, dpServer, "istio-system")
 
@@ -261,10 +255,7 @@ func TestCNIPluginServerPrefersCNIProvidedPodIP(t *testing.T) {
 		valid.Netns,
 	).Return(nil)
 
-	dpServer := &meshDataplane{
-		kubeClient: client.Kube(),
-		netServer:  fs,
-	}
+	dpServer := getFakeDP(fs, client.Kube())
 
 	handlers := setupHandlers(ctx, client, dpServer, "istio-system")
 

cni/pkg/nodeagent/informers_test.go

@@ -65,10 +65,7 @@ func TestExistingPodAddedWhenNsLabeled(t *testing.T) {
 		"",
 	).Return(nil)
 
-	server := &meshDataplane{
-		kubeClient: client.Kube(),
-		netServer:  fs,
-	}
+	server := getFakeDP(fs, client.Kube())
 
 	handlers := setupHandlers(ctx, client, server, "istio-system")
 	client.RunAndWait(ctx.Done())
@@ -127,10 +124,7 @@ func TestExistingPodAddedWhenDualStack(t *testing.T) {
 		"",
 	).Return(nil)
 
-	server := &meshDataplane{
-		kubeClient: client.Kube(),
-		netServer:  fs,
-	}
+	server := getFakeDP(fs, client.Kube())
 
 	fs.Start(ctx)
 	handlers := setupHandlers(ctx, client, server, "istio-system")
@@ -179,10 +173,7 @@ func TestExistingPodNotAddedIfNoIPInAnyStatusField(t *testing.T) {
 
 	fs := &fakeServer{}
 
-	server := &meshDataplane{
-		kubeClient: client.Kube(),
-		netServer:  fs,
-	}
+	server := getFakeDP(fs, client.Kube())
 
 	handlers := setupHandlers(ctx, client, server, "istio-system")
 	client.RunAndWait(ctx.Done())
@@ -244,10 +235,7 @@ func TestExistingPodRemovedWhenNsUnlabeled(t *testing.T) {
 		"",
 	).Return(nil)
 
-	server := &meshDataplane{
-		kubeClient: client.Kube(),
-		netServer:  fs,
-	}
+	server := getFakeDP(fs, client.Kube())
 
 	handlers := setupHandlers(ctx, client, server, "istio-system")
 	client.RunAndWait(ctx.Done())
@@ -337,10 +325,7 @@ func TestExistingPodRemovedWhenPodLabelRemoved(t *testing.T) {
 		"",
 	).Return(nil)
 
-	server := &meshDataplane{
-		kubeClient: client.Kube(),
-		netServer:  fs,
-	}
+	server := getFakeDP(fs, client.Kube())
 
 	handlers := setupHandlers(ctx, client, server, "istio-system")
 	client.RunAndWait(ctx.Done())
@@ -440,10 +425,7 @@ func TestJobPodRemovedWhenPodTerminates(t *testing.T) {
 		"",
 	).Return(nil)
 
-	server := &meshDataplane{
-		kubeClient: client.Kube(),
-		netServer:  fs,
-	}
+	server := getFakeDP(fs, client.Kube())
 
 	handlers := setupHandlers(ctx, client, server, "istio-system")
 	client.RunAndWait(ctx.Done())
@@ -556,10 +538,8 @@ func TestGetActiveAmbientPodSnapshotOnlyReturnsActivePods(t *testing.T) {
 	client := kube.NewFakeClient(ns, enrolledNotRedirected, redirectedNotEnrolled)
 	fs := &fakeServer{}
 	fs.Start(ctx)
-	server := &meshDataplane{
-		kubeClient: client.Kube(),
-		netServer:  fs,
-	}
+
+	server := getFakeDP(fs, client.Kube())
 
 	handlers := setupHandlers(ctx, client, server, "istio-system")
 	client.RunAndWait(ctx.Done())
@@ -618,10 +598,8 @@ func TestGetActiveAmbientPodSnapshotSkipsTerminatedJobPods(t *testing.T) {
 	client := kube.NewFakeClient(ns, enrolledNotRedirected, enrolledButTerminated)
 	fs := &fakeServer{}
 	fs.Start(ctx)
-	server := &meshDataplane{
-		kubeClient: client.Kube(),
-		netServer:  fs,
-	}
+
+	server := getFakeDP(fs, client.Kube())
 
 	handlers := setupHandlers(ctx, client, server, "istio-system")
 	client.RunAndWait(ctx.Done())
@@ -661,10 +639,8 @@ func TestAmbientEnabledReturnsPodIfEnabled(t *testing.T) {
 	client := kube.NewFakeClient(ns, pod)
 	fs := &fakeServer{}
 	fs.Start(ctx)
-	server := &meshDataplane{
-		kubeClient: client.Kube(),
-		netServer:  fs,
-	}
+
+	server := getFakeDP(fs, client.Kube())
 
 	handlers := setupHandlers(ctx, client, server, "istio-system")
 	client.RunAndWait(ctx.Done())
@@ -704,10 +680,8 @@ func TestAmbientEnabledReturnsNoPodIfNotEnabled(t *testing.T) {
 	client := kube.NewFakeClient(ns, pod)
 	fs := &fakeServer{}
 	fs.Start(ctx)
-	server := &meshDataplane{
-		kubeClient: client.Kube(),
-		netServer:  fs,
-	}
+
+	server := getFakeDP(fs, client.Kube())
 
 	handlers := setupHandlers(ctx, client, server, "istio-system")
 	client.RunAndWait(ctx.Done())
@@ -748,10 +722,8 @@ func TestAmbientEnabledReturnsErrorIfBogusNS(t *testing.T) {
 	client := kube.NewFakeClient(ns, pod)
 	fs := &fakeServer{}
 	fs.Start(ctx)
-	server := &meshDataplane{
-		kubeClient: client.Kube(),
-		netServer:  fs,
-	}
+
+	server := getFakeDP(fs, client.Kube())
 
 	handlers := setupHandlers(ctx, client, server, "istio-system")
 	client.RunAndWait(ctx.Done())
@@ -802,10 +774,7 @@ func TestExistingPodAddedWhenItPreExists(t *testing.T) {
 		"",
 	).Return(nil)
 
-	server := &meshDataplane{
-		kubeClient: client.Kube(),
-		netServer:  fs,
-	}
+	server := getFakeDP(fs, client.Kube())
 
 	handlers := setupHandlers(ctx, client, server, "istio-system")
 	client.RunAndWait(ctx.Done())