Merge tag '1.19.4' into tetratefips-release-1.19

Istio release 1.19.4

.devcontainer/devcontainer.json

@@ -1,6 +1,6 @@
 {
   "name": "istio build-tools",
-  "image": "gcr.io/istio-testing/build-tools:release-1.19-997ea5ffb748b3d6499f3d91f236e15f0dcaaab6",
+  "image": "gcr.io/istio-testing/build-tools:release-1.19-ae4f4b509789426724c404fba8b228a1b487fd0a",
   "privileged": true,
   "remoteEnv": {
     "USE_GKE_GCLOUD_AUTH_PLUGIN": "True",

Makefile.core.mk

@@ -49,7 +49,7 @@ endif
 export VERSION
 
 # Base version of Istio image to use
-BASE_VERSION ?= master-2023-07-20T20-50-43
+BASE_VERSION ?= 1.19-2023-11-06T19-02-47
 ISTIO_BASE_REGISTRY ?= gcr.io/istio-release
 
 export GO111MODULE ?= on

cni/cmd/istio-cni/main.go

@@ -26,8 +26,6 @@ import (
 	"istio.io/istio/cni/pkg/plugin"
 	"istio.io/istio/pkg/log"
 	istioversion "istio.io/istio/pkg/version"
-	"istio.io/istio/tools/istio-iptables/pkg/cmd"
-	"istio.io/istio/tools/istio-iptables/pkg/constants"
 )
 
 func main() {
@@ -42,24 +40,6 @@ func main() {
 		_ = log.Sync()
 	}()
 
-	// configure-routes allows setting up the iproute2 configuration.
-	// This is an old workaround and kept in place to preserve old behavior.
-	// It is called standalone when HostNSEnterExec=true.
-	// Default behavior is to use go netns, which is not in need for this:
-
-	// Older versions of Go < 1.10 cannot change network namespaces safely within a go program
-	// (see https://www.weave.works/blog/linux-namespaces-and-go-don-t-mix).
-	// As a result, the flow is:
-	// * CNI plugin is called with no args, skipping this section.
-	// * CNI code invokes iptables code with CNIMode=true. This in turn runs 'nsenter -- istio-cni configure-routes'
-	if len(os.Args) > 1 && os.Args[1] == constants.CommandConfigureRoutes {
-		if err := cmd.GetRouteCommand().Execute(); err != nil {
-			log.Errorf("failed to configure routes: %v", err)
-			os.Exit(1)
-		}
-		return
-	}
-
 	// TODO: implement plugin version
 	skel.PluginMain(plugin.CmdAdd, plugin.CmdCheck, plugin.CmdDelete, version.All,
 		fmt.Sprintf("CNI plugin istio-cni %v", istioversion.Info.Version))

cni/pkg/config/config.go

@@ -76,9 +76,6 @@ type InstallConfig struct {
 
 	// Whether ebpf is enabled
 	EbpfEnabled bool
-
-	// Use the external nsenter command for network namespace switching
-	HostNSEnterExec bool
 }
 
 // RepairConfig struct defines the Istio CNI race repair configuration
@@ -132,7 +129,6 @@ func (c InstallConfig) String() string {
 	b.WriteString("K8sNodeName: " + c.K8sNodeName + "\n")
 	b.WriteString("MonitoringPort: " + fmt.Sprint(c.MonitoringPort) + "\n")
 	b.WriteString("LogUDSAddress: " + fmt.Sprint(c.LogUDSAddress) + "\n")
-	b.WriteString("HostNSEnterExec: " + fmt.Sprint(c.HostNSEnterExec) + "\n")
 
 	b.WriteString("AmbientEnabled: " + fmt.Sprint(c.AmbientEnabled) + "\n")
 

cni/pkg/plugin/iptables_linux.go

@@ -35,7 +35,6 @@ var getNs = ns.GetNS
 // provided in Redirect.
 func (ipt *iptables) Program(podName, netns string, rdrct *Redirect) error {
 	viper.Set(constants.CNIMode, true)
-	viper.Set(constants.HostNSEnterExec, rdrct.hostNSEnterExec)
 	viper.Set(constants.NetworkNamespace, netns)
 	viper.Set(constants.EnvoyPort, rdrct.targetPort)
 	viper.Set(constants.ProxyUID, rdrct.noRedirectUID)

cni/pkg/plugin/plugin.go

@@ -79,11 +79,10 @@ type Config struct {
 	PrevResult    *cniv1.Result   `json:"-"`
 
 	// Add plugin-specific flags here
-	LogLevel        string     `json:"log_level"`
-	LogUDSAddress   string     `json:"log_uds_address"`
-	AmbientEnabled  bool       `json:"ambient_enabled"`
-	Kubernetes      Kubernetes `json:"kubernetes"`
-	HostNSEnterExec bool       `json:"hostNSEnterExec"`
+	LogLevel       string     `json:"log_level"`
+	LogUDSAddress  string     `json:"log_uds_address"`
+	AmbientEnabled bool       `json:"ambient_enabled"`
+	Kubernetes     Kubernetes `json:"kubernetes"`
 }
 
 // K8sArgs is the valid CNI_ARGS used for Kubernetes
@@ -323,7 +322,6 @@ func doRun(args *skel.CmdArgs, conf *Config) error {
 		return fmt.Errorf("redirect failed to find InterceptRuleMgr")
 	}
 
-	redirect.hostNSEnterExec = conf.HostNSEnterExec
 	rulesMgr := interceptMgrCtor()
 	if err := rulesMgr.Program(podName, args.Netns, redirect); err != nil {
 		return err

cni/pkg/plugin/redirect.go

@@ -90,7 +90,6 @@ type Redirect struct {
 	dnsRedirect          bool
 	dualStack            bool
 	invalidDrop          bool
-	hostNSEnterExec      bool
 }
 
 type annotationValidationFunc func(value string) error

common/.commonfiles.sha

@@ -1 +1 @@
-b8589936d6d3cd77e3675d62b4288e053a68242e
+48593220d84a5f57cfb381e026f8fded7b559348

common/scripts/setup_env.sh

@@ -75,7 +75,7 @@ fi
 TOOLS_REGISTRY_PROVIDER=${TOOLS_REGISTRY_PROVIDER:-gcr.io}
 PROJECT_ID=${PROJECT_ID:-istio-testing}
 if [[ "${IMAGE_VERSION:-}" == "" ]]; then
-  IMAGE_VERSION=release-1.19-997ea5ffb748b3d6499f3d91f236e15f0dcaaab6
+  IMAGE_VERSION=release-1.19-ae4f4b509789426724c404fba8b228a1b487fd0a
 fi
 if [[ "${IMAGE_NAME:-}" == "" ]]; then
   IMAGE_NAME=build-tools

docker/Dockerfile.distroless

@@ -1,5 +1,5 @@
 # prepare a distroless source context to copy files from
-FROM gcr.io/distroless/static-debian11@sha256:e7e79fb2947f38ce0fab6061733f7e1959c12b843079042fe13f56ca7b9d178c as distroless_source
+FROM gcr.io/distroless/static-debian11@sha256:6706c73aae2afaa8201d63cc3dda48753c09bcd6c300762251065c0f7e602b25 as distroless_source
 
 # prepare a base dev to modify file contents
 FROM ubuntu:focal as ubuntu_source

go.mod

@@ -108,8 +108,8 @@ require (
 	gopkg.in/yaml.v2 v2.4.0
 	gopkg.in/yaml.v3 v3.0.1
 	helm.sh/helm/v3 v3.12.2
-	istio.io/api v1.19.2-0.20231011000955-f3015ebb5bd4
-	istio.io/client-go v1.19.2-0.20231011002333-b819e2de19ef
+	istio.io/api v1.19.4-0.20231108024616-33a6ca44a2ff
+	istio.io/client-go v1.19.4-0.20231108025610-1df49f5c7eba
 	k8s.io/api v0.28.1
 	k8s.io/apiextensions-apiserver v0.28.1
 	k8s.io/apimachinery v0.28.1

go.sum

@@ -1388,10 +1388,10 @@ honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWh
 honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg=
 honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
 honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
-istio.io/api v1.19.2-0.20231011000955-f3015ebb5bd4 h1:NoiArVONh9DPs/DovhCCl771BUeEkKp+/GhsRB1YbOk=
-istio.io/api v1.19.2-0.20231011000955-f3015ebb5bd4/go.mod h1:KstZe4bKbXouALUJ5PqpjNEhu5nj90HrDFitZfpNhlU=
-istio.io/client-go v1.19.2-0.20231011002333-b819e2de19ef h1:TjsXNObHEPEGfoMwlzXS9dXNDmuesBSk25CpNa/gKCY=
-istio.io/client-go v1.19.2-0.20231011002333-b819e2de19ef/go.mod h1:ra3fVlXcquh7EuQnNssuLxfp6lFv/nx5314PvNEzOUs=
+istio.io/api v1.19.4-0.20231108024616-33a6ca44a2ff h1:2LcDGnXumTFMJSErooHOAvN7eo0eB3nHia7xfhVY3Q0=
+istio.io/api v1.19.4-0.20231108024616-33a6ca44a2ff/go.mod h1:KstZe4bKbXouALUJ5PqpjNEhu5nj90HrDFitZfpNhlU=
+istio.io/client-go v1.19.4-0.20231108025610-1df49f5c7eba h1:+6W4x4PGf8DL0Oii1atAJqC1652RdgCM1aeYy9DU6D4=
+istio.io/client-go v1.19.4-0.20231108025610-1df49f5c7eba/go.mod h1:PQVSJB3q5BX8A6HC5sOQ3oA5CA7CB1c22EZ+8f+IC8M=
 k8s.io/api v0.18.2/go.mod h1:SJCWI7OLzhZSvbY7U8zwNl9UA4o1fizoug34OV/2r78=
 k8s.io/api v0.18.4/go.mod h1:lOIQAKYgai1+vz9J7YcDZwC26Z0zQewYOGWdyIPUUQ4=
 k8s.io/api v0.28.1 h1:i+0O8k2NPBCPYaMB+uCkseEbawEt/eFaiRqUx8aB108=

istio.deps

@@ -4,13 +4,13 @@
     "name": "PROXY_REPO_SHA",
     "repoName": "proxy",
     "file": "",
-    "lastStableSHA": "a1ff538a63890e27dd2add4b2680ba8dc49293ca"
+    "lastStableSHA": "f9707e29aa0a36b1430b373d95e6c9abb5deca75"
   },
   {
     "_comment": "",
     "name": "ZTUNNEL_REPO_SHA",
     "repoName": "ztunnel",
     "file": "",
-    "lastStableSHA": "3ca9690f7a66cc551f5c2638c5e761873f64948e"
+    "lastStableSHA": "723c07f433d2e54ff973302c3ab655ecef0642f1"
   }
 ]

istioctl/pkg/tag/tag.go

@@ -227,6 +227,8 @@ func tagListCommand(ctx cli.Context) *cobra.Command {
 		},
 	}
 
+	cmd.PersistentFlags().StringVarP(&outputFormat, "output", "o", util.TableFormat, "Output format for tag description "+
+		"(available formats: table,json)")
 	return cmd
 }
 

istioctl/pkg/util/configdump/endpoint.go

@@ -15,16 +15,14 @@
 package configdump
 
 import (
-	"fmt"
-
 	admin "github.com/envoyproxy/go-control-plane/envoy/admin/v3"
 )
 
 // GetEndpointsConfigDump retrieves the listener config dump from the ConfigDump
 func (w *Wrapper) GetEndpointsConfigDump() (*admin.EndpointsConfigDump, error) {
 	endpointsDumpAny, err := w.getSection(endpoints)
 	if err != nil {
-		return nil, fmt.Errorf("endpoints not found (was include_eds=true used?): %v", err)
+		return nil, nil
 	}
 	endpointsDump := &admin.EndpointsConfigDump{}
 	err = endpointsDumpAny.UnmarshalTo(endpointsDump)

istioctl/pkg/writer/envoy/configdump/endpoint.go

@@ -145,6 +145,9 @@ func (c *ConfigWriter) retrieveSortedEndpointsSlice(filter EndpointFilter) ([]*e
 	if err != nil {
 		return nil, err
 	}
+	if dump == nil {
+		return nil, nil
+	}
 	endpoints := make([]*endpoint.ClusterLoadAssignment, 0, len(dump.DynamicEndpointConfigs))
 	for _, e := range dump.GetDynamicEndpointConfigs() {
 		cla, epCount := retrieveEndpoint(e.EndpointConfig, filter)

manifests/charts/gateway/templates/deployment.yaml

@@ -108,3 +108,6 @@ spec:
         {{- toYaml . | nindent 8 }}
       {{- end }}
       terminationGracePeriodSeconds: {{ $.Values.terminationGracePeriodSeconds }}
+      {{- with .Values.priorityClassName }}
+      priorityClassName: {{ . }}
+      {{- end }}

manifests/charts/gateway/values.schema.json

@@ -227,6 +227,9 @@
     },
     "terminationGracePeriodSeconds": {
       "type": "number"
+    },
+    "priorityClassName": {
+      "type": "string"
     }
   }
 }

manifests/charts/gateway/values.yaml

@@ -131,3 +131,9 @@ imagePullSecrets: []
 podDisruptionBudget: {}
 
 terminationGracePeriodSeconds: 30
+
+# Configure this to a higher priority class in order to make sure your Istio gateway pods
+# will not be killed because of low priority class.
+# Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
+# for more detail.
+priorityClassName: ""

pilot/docker/Dockerfile.proxyv2

@@ -12,8 +12,8 @@ FROM ${ISTIO_BASE_REGISTRY}/base:${BASE_VERSION} as debug
 # This image is a custom built debian11 distroless image with multiarchitecture support.
 # It is built on the base distroless image, with iptables binary and libraries added
 # The source can be found at https://github.com/istio/distroless/tree/iptables
-# This version is from commit 5bf244c0cf5dd11e4113d564272ed657d4784f95.
-FROM ${ISTIO_BASE_REGISTRY}/iptables@sha256:02ee2ed907aae3c08aabf9a95d10e2dbc1b6514954c5df6a00d3c9d3ebc5caeb as distroless
+# This version is from commit 973bd8e0048479c770ab4332063921e22d222c9b.
+FROM ${ISTIO_BASE_REGISTRY}/iptables@sha256:1696a2570c01a00f8910b3d9d68039ff22ae8ddbe7903fa78005740251bddd9f as distroless
 
 # This will build the final image based on either debug or distroless from above
 # hadolint ignore=DL3006

pilot/docker/Dockerfile.ztunnel

@@ -12,8 +12,8 @@ FROM ${ISTIO_BASE_REGISTRY}/base:${BASE_VERSION} as debug
 # This image is a custom built debian11 distroless image with multiarchitecture support.
 # It is built on the base distroless image, with iptables binary and libraries added
 # The source can be found at https://github.com/istio/distroless/tree/iptables
-# This version is from commit 5bf244c0cf5dd11e4113d564272ed657d4784f95.
-FROM ${ISTIO_BASE_REGISTRY}/iptables@sha256:02ee2ed907aae3c08aabf9a95d10e2dbc1b6514954c5df6a00d3c9d3ebc5caeb as distroless
+# This version is from commit 973bd8e0048479c770ab4332063921e22d222c9b.
+FROM ${ISTIO_BASE_REGISTRY}/iptables@sha256:1696a2570c01a00f8910b3d9d68039ff22ae8ddbe7903fa78005740251bddd9f as distroless
 
 # This will build the final image based on either debug or distroless from above
 # hadolint ignore=DL3006

pilot/pkg/bootstrap/configcontroller.go

@@ -291,13 +291,13 @@ func (s *Server) initInprocessAnalysisController(args *PilotArgs) error {
 	s.addStartFunc("analysis controller", func(stop <-chan struct{}) error {
 		go leaderelection.
 			NewLeaderElection(args.Namespace, args.PodName, leaderelection.AnalyzeController, args.Revision, s.kubeClient).
-			AddRunFunction(func(stop <-chan struct{}) {
-				cont, err := incluster.NewController(stop, s.RWConfigStore,
+			AddRunFunction(func(leaderStop <-chan struct{}) {
+				cont, err := incluster.NewController(leaderStop, s.RWConfigStore,
 					s.kubeClient, args.Revision, args.Namespace, s.statusManager, args.RegistryOptions.KubeOptions.DomainSuffix)
 				if err != nil {
 					return
 				}
-				cont.Run(stop)
+				cont.Run(leaderStop)
 			}).Run(stop)
 		return nil
 	})

pilot/pkg/config/kube/crdclient/client.go

@@ -28,6 +28,7 @@ import (
 	"time"
 
 	jsonmerge "github.com/evanphx/json-patch/v5"
+	"go.uber.org/atomic"
 	"golang.org/x/exp/maps"
 	"gomodules.xyz/jsonpatch/v2"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -71,6 +72,8 @@ type Client struct {
 	kinds   map[config.GroupVersionKind]kclient.Untyped
 	kindsMu sync.RWMutex
 	queue   queue.Instance
+	// a flag indicates whether this client has been run, it is to prevent run queue twice
+	started *atomic.Bool
 
 	// handlers defines a list of event handlers per-type
 	handlers map[config.GroupVersionKind][]model.EventHandler
@@ -115,6 +118,7 @@ func NewForSchemas(client kube.Client, opts Option, schemas collection.Schemas)
 		schemasByCRDName: schemasByCRDName,
 		revision:         opts.Revision,
 		queue:            queue.NewQueue(1 * time.Second),
+		started:          atomic.NewBool(false),
 		kinds:            map[config.GroupVersionKind]kclient.Untyped{},
 		handlers:         map[config.GroupVersionKind][]model.EventHandler{},
 		client:           client,
@@ -138,6 +142,11 @@ func (cl *Client) RegisterEventHandler(kind config.GroupVersionKind, handler mod
 
 // Run the queue and all informers. Callers should  wait for HasSynced() before depending on results.
 func (cl *Client) Run(stop <-chan struct{}) {
+	if cl.started.Swap(true) {
+		// was already started by other thread
+		return
+	}
+
 	t0 := time.Now()
 	cl.logger.Infof("Starting Pilot K8S CRD controller")
 
@@ -146,7 +155,6 @@ func (cl *Client) Run(stop <-chan struct{}) {
 		return
 	}
 	cl.logger.Infof("Pilot K8S CRD controller synced in %v", time.Since(t0))
-
 	cl.queue.Run(stop)
 	cl.logger.Infof("controller terminated")
 }

pilot/pkg/features/pilot.go

@@ -679,6 +679,11 @@ var (
 	// User should not rely on builtin resource labels, this flag will be removed in future releases(1.20).
 	EnableOTELBuiltinResourceLables = env.Register("ENABLE_OTEL_BUILTIN_RESOURCE_LABELS", false,
 		"If enabled, envoy will send builtin lables(e.g. node_name) via OTel sink.").Get()
+
+	// Useful for IPv6-only EKS clusters. See https://aws.github.io/aws-eks-best-practices/networking/ipv6/ why it assigns an additional IPv4 NAT address.
+	// Also see https://github.com/istio/istio/issues/46719 why this flag is required
+	EnableAdditionalIpv4OutboundListenerForIpv6Only = env.RegisterBoolVar("ISTIO_ENABLE_IPV4_OUTBOUND_LISTENER_FOR_IPV6_CLUSTERS", false,
+		"If true, pilot will configure an additional IPv4 listener for outbound traffic in IPv6 only clusters, e.g. AWS EKS IPv6 only clusters.").Get()
 )
 
 // UnsafeFeaturesEnabled returns true if any unsafe features are enabled.

pilot/pkg/model/gateway.go

@@ -267,19 +267,20 @@ func MergeGateways(gateways []gatewayWithInstances, proxy *Proxy, ps *PushContex
 							serversByRouteName[routeName] = []*networking.Server{s}
 						}
 						// build the port bind map for none plain text protocol, thus can avoid protocol conflict if it's different bind
-						if bindsPortMap, ok := nonPlainTextGatewayPortsBindMap[resolvedPort]; ok && !bindsPortMap.Contains(serverPort.Bind) {
-							bindsPortMap.Insert(serverPort.Bind)
+						var newBind bool
+						if bindsPortMap, ok := nonPlainTextGatewayPortsBindMap[resolvedPort]; ok {
+							newBind = !bindsPortMap.InsertContains(serverPort.Bind)
 						} else {
-							bindsPortMap := sets.String{}
-							bindsPortMap.Insert(serverPort.Bind)
-							nonPlainTextGatewayPortsBindMap[resolvedPort] = bindsPortMap
+							nonPlainTextGatewayPortsBindMap[resolvedPort] = sets.New(serverPort.Bind)
+							newBind = true
 						}
 						// If the bind/port combination is not being used as non-plaintext, they are different
 						// listeners and won't get conflicted even with same port different protocol
 						// i.e 0.0.0.0:443:GRPC/1.0.0.1:443:GRPC/1.0.0.2:443:HTTPS they are not conflicted, otherwise
 						// We have another TLS server on the same port. Can differentiate servers using SNI
-						if s.Tls == nil && !nonPlainTextGatewayPortsBindMap[resolvedPort].Contains(serverPort.Bind) {
+						if s.Tls == nil && !newBind {
 							log.Warnf("TLS server without TLS options %s %s", gatewayName, s.String())
+							RecordRejectedConfig(gatewayName)
 							continue
 						}
 						if mergedServers[serverPort] == nil {

pilot/pkg/model/virtualservice.go

@@ -365,7 +365,8 @@ func mergeHTTPMatchRequests(root, delegate []*networking.HTTPMatchRequest) (out
 }
 
 func mergeHTTPMatchRequest(root, delegate *networking.HTTPMatchRequest) *networking.HTTPMatchRequest {
-	out := delegate
+	// nolint: govet
+	out := *delegate
 	if out.Name == "" {
 		out.Name = root.Name
 	} else if root.Name != "" {
@@ -410,7 +411,7 @@ func mergeHTTPMatchRequest(root, delegate *networking.HTTPMatchRequest) *network
 	if len(out.StatPrefix) == 0 {
 		out.StatPrefix = root.StatPrefix
 	}
-	return out
+	return &out
 }
 
 func hasConflict(root, leaf *networking.HTTPMatchRequest) bool {