
chore(chart-deps): update istio to version 1.30.1#3316

Closed
svcAPLBot wants to merge 49 commits into
mainfrom
ci-update-istio-to-1.30.1


@svcAPLBot

Contributor

This PR updates the dependency base to version 1.30.1.

@svcAPLBot svcAPLBot added the chart-deps Auto generated helm chart dependencies label Jun 5, 2026
@merll merll marked this pull request as ready for review June 5, 2026 06:49
@svcAPLBot

Contributor Author

Comparison of Helm chart templating output:

# base/templates/crds.yaml

@@ spec.versions.v1alpha3.schema.openAPIV3Schema.properties.spec.properties.configPatches.items.properties.match.properties.waypoint.properties.portNumber.x-kubernetes-validations.0.rule @@
# apiextensions.k8s.io/v1/CustomResourceDefinition/envoyfilters.networking.istio.io
! ± value change
- 0 < self && self <= 6553
+ 0 < self && self <= 65535

@@ spec.versions.v1.schema.openAPIV3Schema.properties.spec.properties.rules.items.properties.from.items.properties.source.properties @@
# apiextensions.k8s.io/v1/CustomResourceDefinition/authorizationpolicies.security.istio.io
! + two map entries added:
+ notTrustDomains:
+   type: array
+   description: Optional.
+   items:
+     type: string
+ trustDomains:
+   type: array
+   description: Optional.
+   items:
+     type: string

@@ spec.versions.v1beta1.schema.openAPIV3Schema.properties.spec.properties.rules.items.properties.from.items.properties.source.properties @@
# apiextensions.k8s.io/v1/CustomResourceDefinition/authorizationpolicies.security.istio.io
! + two map entries added:
+ notTrustDomains:
+   type: array
+   description: Optional.
+   items:
+     type: string
+ trustDomains:
+   type: array
+   description: Optional.
+   items:
+     type: string

@@ spec.versions.v1.schema.openAPIV3Schema.properties.spec.properties.tracing.items.properties @@
# apiextensions.k8s.io/v1/CustomResourceDefinition/telemetries.telemetry.istio.io
! + one map entry added:
+ disableContextPropagation:
+   type: boolean
+   description: "Controls whether trace context headers (e.g., `traceparent`/`tracestate` for W3C, `X-B3-*` for Zipkin) are propagated in forwarded requests."
+   nullable: true

@@ spec.versions.v1alpha1.schema.openAPIV3Schema.properties.spec.properties.tracing.items.properties @@
# apiextensions.k8s.io/v1/CustomResourceDefinition/telemetries.telemetry.istio.io
! + one map entry added:
+ disableContextPropagation:
+   type: boolean
+   description: "Controls whether trace context headers (e.g., `traceparent`/`tracestate` for W3C, `X-B3-*` for Zipkin) are propagated in forwarded requests."
+   nullable: true

@@ (root level) @@
# apiextensions.k8s.io/v1/CustomResourceDefinition/trafficextensions.extensions.istio.io
! + one document added:
+ ---
+ # Source: base/templates/crds.yaml
+ # TODO enableCRDTemplates is now defaulted to true as we
+ # want to always self-manage CRD upgrades via plain templates,
+ # so we should remove this flag after a few releases
+ # If we are templating these CRDs, we want to wipe out the "static"/legacy
+ # labels and replace them with the standard templated istio ones.
+ # This allows the continued use of `kubectl apply -f crd-all.gen.yaml`
+ # without any templating+the old labels, if desired.
+ apiVersion: apiextensions.k8s.io/v1
+ kind: CustomResourceDefinition
+ metadata:
+   name: trafficextensions.extensions.istio.io
+   annotations:
+     helm.sh/resource-policy: keep
+   labels:
+     app.kubernetes.io/instance: istio-base
+     app.kubernetes.io/managed-by: Helm
+     app.kubernetes.io/part-of: istio
+     app.kubernetes.io/version: 1.30.1
+     helm.sh/chart: base-1.30.1
+ spec:
+   group: extensions.istio.io
+   names:
+     categories:
+     - istio-io
+     - extensions-istio-io
+     kind: TrafficExtension
+     listKind: TrafficExtensionList
+     plural: trafficextensions
+     singular: trafficextension
+   scope: Namespaced
+   versions:
+   - name: v1alpha1
+     served: true
+     storage: true
+     subresources:
+       status: {}
+     additionalPrinterColumns:
+     - name: Age
+       type: date
+       description: "CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata"
+       jsonPath: .metadata.creationTimestamp
+     schema:
+       openAPIV3Schema:
+         type: object
+         required:
+         - spec
+         properties:
+           spec:
+             type: object
+             description: "Extend the functionality provided by the Istio proxy through WebAssembly or Lua filters. See more details at: https://istio.io/docs/reference/config/proxy_extensions/traffic_extension.html"
+             x-kubernetes-validations:
+             - message: "only one of targetRefs or selector can be set"
+               rule: "(has(self.selector) ? 1 : 0) + (has(self.targetRefs) ? 1 : 0) <= 1"
+             - message: "exactly one of wasm or lua must be set"
+               rule: "has(self.wasm) != has(self.lua)"
+             oneOf:
+             - not:
+                 anyOf:
+                 - required:
+                   - wasm
+                 - required:
+                   - lua
+             - required:
+               - wasm
+             - required:
+               - lua
+             properties:
+               lua:
+                 type: object
+                 description: "Lua filter configuration."
+                 required:
+                 - inlineCode
+                 properties:
+                   inlineCode:
+                     type: string
+                     description: "The inline Lua code to be executed."
+                     maxLength: 65536
+                     minLength: 1
+               match:
+                 type: array
+                 description: "Specifies the criteria to determine which traffic is passed to TrafficExtension."
+                 items:
+                   type: object
+                   properties:
+                     mode:
+                       type: string
+                       description: |
+                         Criteria for selecting traffic by their direction.
+                         
+                         Valid Options: CLIENT, SERVER, CLIENT_AND_SERVER
+                       enum:
+                       - UNDEFINED
+                       - CLIENT
+                       - SERVER
+                       - CLIENT_AND_SERVER
+                     ports:
+                       type: array
+                       description: "Criteria for selecting traffic by their destination port."
+                       x-kubernetes-list-type: map
+                       x-kubernetes-list-map-keys:
+                       - number
+                       items:
+                         type: object
+                         required:
+                         - number
+                         properties:
+                           number:
+                             type: integer
+                             maximum: 65535
+                             minimum: 1
+               phase:
+                 type: string
+                 description: |
+                   Determines where in the filter chain this `TrafficExtension` is to be injected.
+                   
+                   Valid Options: AUTHN, AUTHZ, STATS
+                 enum:
+                 - UNSPECIFIED
+                 - AUTHN
+                 - AUTHZ
+                 - STATS
+               priority:
+                 type: integer
+                 description: "Determines ordering of `TrafficExtensions` in the same `phase`."
+                 format: int32
+                 nullable: true
+               selector:
+                 type: object
+                 description: Optional.
+                 properties:
+                   matchLabels:
+                     type: object
+                     description: "One or more labels that indicate a specific set of pods/VMs on which a policy should be applied."
+                     maxProperties: 4096
+                     x-kubernetes-validations:
+                     - message: "wildcard not allowed in label key match"
+                       rule: "self.all(key, !key.contains(\"*\"))"
+                     - message: "key must not be empty"
+                       rule: "self.all(key, key.size() != 0)"
+                     additionalProperties:
+                       type: string
+                       maxLength: 63
+                       x-kubernetes-validations:
+                       - message: "wildcard not allowed in label value match"
+                         rule: "!self.contains(\"*\")"
+               targetRefs:
+                 type: array
+                 description: Optional.
+                 maxItems: 16
+                 items:
+                   type: object
+                   required:
+                   - kind
+                   - name
+                   properties:
+                     name:
+                       type: string
+                       description: "name is the name of the target resource."
+                       maxLength: 253
+                       minLength: 1
+                     group:
+                       type: string
+                       description: "group is the group of the target resource."
+                       maxLength: 253
+                       pattern: "^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$"
+                     kind:
+                       type: string
+                       description: "kind is kind of the target resource."
+                       maxLength: 63
+                       minLength: 1
+                       pattern: "^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$"
+                     namespace:
+                       type: string
+                       description: "namespace is the namespace of the referent."
+                       x-kubernetes-validations:
+                       - message: "cross namespace referencing is not currently supported"
+                         rule: "self.size() == 0"
+               wasm:
+                 type: object
+                 description: "WebAssembly filter configuration."
+                 required:
+                 - url
+                 properties:
+                   url:
+                     type: string
+                     description: "URL of a Wasm module or OCI container."
+                     minLength: 1
+                     x-kubernetes-validations:
+                     - message: "url must have schema one of [http, https, file, oci]"
+                       rule: |
+                         isURL(self) ? (url(self).getScheme() in ["", "http", "https", "file", "oci"]) : (isURL("http://" + self) &&
+                         url("http://" + self).getScheme() in ["", "http", "https", "file", "oci"])
+                   imagePullSecret:
+                     type: string
+                     description: "Credentials to use for OCI image pulling."
+                     maxLength: 253
+                     minLength: 1
+                   pluginConfig:
+                     type: object
+                     description: "The configuration that will be passed on to the plugin."
+                     x-kubernetes-preserve-unknown-fields: true
+                   pluginName:
+                     type: string
+                     description: "The plugin name to be used in the Envoy configuration (used to be called `rootID`)."
+                     maxLength: 256
+                     minLength: 1
+                   sha256:
+                     type: string
+                     description: "SHA256 checksum that will be used to verify Wasm module or OCI container."
+                     pattern: (^$|^[a-f0-9]{64}$)
+                   verificationKey:
+                     type: string
+                   failStrategy:
+                     type: string
+                     description: |
+                       Specifies the failure behavior for the plugin due to fatal errors.
+                       
+                       Valid Options: FAIL_CLOSE, FAIL_OPEN, FAIL_RELOAD
+                     enum:
+                     - FAIL_CLOSE
+                     - FAIL_OPEN
+                     - FAIL_RELOAD
+                   imagePullPolicy:
+                     type: string
+                     description: |
+                       The pull behaviour to be applied when fetching Wasm module by either OCI image or `http/https`.
+                       
+                       Valid Options: IfNotPresent, Always
+                     enum:
+                     - UNSPECIFIED_POLICY
+                     - IfNotPresent
+                     - Always
+                   type:
+                     type: string
+                     description: |
+                       Specifies the type of Wasm Extension to be used.
+                       
+                       Valid Options: HTTP, NETWORK
+                     enum:
+                     - UNSPECIFIED_PLUGIN_TYPE
+                     - HTTP
+                     - NETWORK
+                   vmConfig:
+                     type: object
+                     description: "Configuration for a Wasm VM."
+                     properties:
+                       env:
+                         type: array
+                         description: "Specifies environment variables to be injected to this VM."
+                         maxItems: 256
+                         x-kubernetes-list-type: map
+                         x-kubernetes-list-map-keys:
+                         - name
+                         items:
+                           type: object
+                           required:
+                           - name
+                           x-kubernetes-validations:
+                           - message: "value may only be set when valueFrom is INLINE"
+                             rule: "(has(self.valueFrom) ? self.valueFrom : \"\") != \"HOST\" || !has(self.value)"
+                           properties:
+                             name:
+                               type: string
+                               description: "Name of the environment variable."
+                               maxLength: 256
+                               minLength: 1
+                             value:
+                               type: string
+                               description: "Value for the environment variable."
+                               maxLength: 2048
+                             valueFrom:
+                               type: string
+                               description: |
+                                 Source for the environment variable's value.
+                                 
+                                 Valid Options: INLINE, HOST
+                               enum:
+                               - INLINE
+                               - HOST
+           status:
+             type: object
+             x-kubernetes-preserve-unknown-fields: true
+             properties:
+               conditions:
+                 type: array
+                 description: "Current service state of the resource."
+                 items:
+                   type: object
+                   properties:
+                     type:
+                       type: string
+                       description: "Type is the type of the condition."
+                     lastProbeTime:
+                       type: string
+                       description: "Last time we probed the condition."
+                       format: date-time
+                     lastTransitionTime:
+                       type: string
+                       description: "Last time the condition transitioned from one status to another."
+                       format: date-time
+                     message:
+                       type: string
+                       description: "Human-readable message indicating details about last transition."
+                     reason:
+                       type: string
+                       description: "Unique, one-word, CamelCase reason for the condition's last transition."
+                     status:
+                       type: string
+                       description: "Status is the status of the condition."
+                     observedGeneration:
+                       anyOf:
+                       - type: integer
+                       - type: string
+                       description: "Resource Generation to which the Condition refers."
+                       x-kubernetes-int-or-string: true
+               observedGeneration:
+                 anyOf:
+                 - type: integer
+                 - type: string
+                 x-kubernetes-int-or-string: true
+               validationMessages:
+                 type: array
+                 description: "Includes any errors or warnings detected by Istio's analyzers."
+                 items:
+                   type: object
+                   properties:
+                     type:
+                       type: object
+                       properties:
+                         name:
+                           type: string
+                           description: "A human-readable name for the message type."
+                         code:
+                           type: string
+                           description: "A 7 character code matching `^IST[0-9]{4}$` intended to uniquely identify the message type."
+                     documentationUrl:
+                       type: string
+                       description: "A url pointing to the Istio documentation for this specific error type."
+                     level:
+                       type: string
+                       description: |
+                         Represents how severe a message is.
+                         
+                         Valid Options: UNKNOWN, ERROR, WARNING, INFO
+                       enum:
+                       - UNKNOWN
+                       - ERROR
+                       - WARNING
+                       - INFO
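Review bot: The `wasm` block accepts a remotely fetched module with no integrity check: the `sha256` pattern `(^$|^[a-f0-9]{64}$)` allows the empty string, the field is not listed under `required`, and the `url` rule admits `http` and `file` (plus an empty scheme, which the message `url must have schema one of [http, https, file, oci]` does not mention). `verificationKey` is declared with only `type: string`, with no description or length bound, unlike its sibling fields. Because this CRD is vendored from the upstream chart I would not edit it here, but enforce the stricter rule cluster-side, for example an admission rule on `spec.wasm` such as `!self.url.startsWith("http://") || (has(self.sha256) && self.sha256.size() == 64)`. The resource is `Namespaced` and carries inline Lua or Wasm into the proxy filter chain at the `AUTHN`/`AUTHZ` phases, so it is worth confirming which roles get write access to `trafficextensions` in the `extensions.istio.io` group before this is rolled out.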

# base/templates/defaultrevision-validatingwebhookconfiguration.yaml

# base/templates/reader-serviceaccount.yaml

# istiod/templates/autoscale.yaml

# istiod/templates/clusterrole.yaml

@@ rules @@
# rbac.authorization.k8s.io/v1/ClusterRole/istiod-clusterrole-1-26-0-istio-system
! - two list entries removed:
- - resources:
-   - xbackendtrafficpolicies/status
-   - xlistenersets/status
-   apiGroups:
-   - gateway.networking.x-k8s.io
-   verbs:
-   - patch
-   - update
- - resources:
-   - backendtlspolicies/status
-   - gatewayclasses/status
-   - gateways/status
-   - grpcroutes/status
-   - httproutes/status
-   - referencegrants/status
-   - tcproutes/status
-   - tlsroutes/status
-   - udproutes/status
-   apiGroups:
-   - gateway.networking.k8s.io
-   verbs:
-   - patch
-   - update
! + two list entries added:
+ - resources:
+   - xbackendtrafficpolicies/status
+   apiGroups:
+   - gateway.networking.x-k8s.io
+   verbs:
+   - patch
+   - update
+ - resources:
+   - backendtlspolicies/status
+   - gatewayclasses/status
+   - gateways/status
+   - grpcroutes/status
+   - httproutes/status
+   - listenersets/status
+   - referencegrants/status
+   - tcproutes/status
+   - tlsroutes/status
+   - udproutes/status
+   apiGroups:
+   - gateway.networking.k8s.io
+   verbs:
+   - patch
+   - update

# istiod/templates/clusterrolebinding.yaml

# istiod/templates/configmap-values.yaml

@@ data.merged-values @@
! ± value change in multiline text (two inserts, two deletions)
  {
    "affinity": {},
    "autoscaleBehavior": {},
    "autoscaleEnabled": true,
  
  [49 lines unchanged)]
  
          "cpu": "10m"
        }
      },
      "externalIstiod": false,
-     "hub": "docker.io/istio",
+     "hub": "registry.istio.io/release",
      "imagePullPolicy": "",
      "imagePullSecrets": [
        "otomi-pullsecret-global"
      ],
  
  [78 lines unchanged)]
  
      },
      "sts": {
        "servicePort": 0
      },
-     "tag": "1.29.2",
+     "tag": "1.30.1",
      "variant": "distroless",
      "waypoint": {
        "affinity": {},
        "nodeSelector": {},
  
  [149 lines unchanged)]
  
    "variant": "",
    "volumeMounts": [],
    "volumes": []
  }
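Review bot: The `hub` change from `docker.io/istio` to `registry.istio.io/release` moves the source registry for the Istio images, and they are still referenced by mutable tag (`"tag": "1.30.1"`, rendered as `registry.istio.io/release/pilot:1.30.1-distroless` in istiod/templates/deployment.yaml). Any registry allowlist, pull-through mirror or egress rule that names `docker.io` needs the new host before rollout, and since `otomi-pullsecret-global` stays attached it is worth confirming whether that secret holds credentials for the new host or is now unused for these images (its contents are not visible on this page). Pinning by digest would make the registry move verifiable, e.g. `registry.istio.io/release/pilot:1.30.1-distroless@sha256:<digest-from-release>`. The same `hub`/`tag` pair changes in `data.values` of istiod/templates/istiod-injector-configmap.yaml, which presumably governs the images used for injected proxies.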

# istiod/templates/configmap.yaml

# istiod/templates/deployment.yaml

@@ spec.template.spec.containers.discovery.image @@
! ± value change
- docker.io/istio/pilot:1.29.2-distroless
+ registry.istio.io/release/pilot:1.30.1-distroless

# istiod/templates/gateway-class-configmap.yaml

# istiod/templates/istiod-injector-configmap.yaml

@@ data.values @@
! ± value change in multiline text (two inserts, two deletions)
  {
    "gateways": {
      "seccompProfile": {},
      "securityContext": {}
  
  [twelve lines unchanged)]
  
          "cpu": "10m"
        }
      },
      "externalIstiod": false,
-     "hub": "docker.io/istio",
+     "hub": "registry.istio.io/release",
      "imagePullPolicy": "",
      "imagePullSecrets": [
        "otomi-pullsecret-global"
      ],
  
  [78 lines unchanged)]
  
      },
      "sts": {
        "servicePort": 0
      },
-     "tag": "1.29.2",
+     "tag": "1.30.1",
      "variant": "distroless",
      "waypoint": {
        "affinity": {},
        "nodeSelector": {},
  
  [33 lines unchanged)]
  
      "rewriteAppHTTPProbe": true,
      "templates": {}
    }
  }

@@ data.config @@
! ± value change in multiline text (six inserts, two deletions)
  # defaultTemplates defines the default template to use for pods that do not explicitly specify a template
  defaultTemplates: [sidecar]
  policy: enabled
  alwaysInjectSelector:
  
  [350 lines unchanged)]
  
          - name: {{ $key }}
            value: "{{ $value }}"
          {{- end }}
          {{- end }}
+         {{- $otelResAttrs := otelResourceAttributes .MeshConfig .ObjectMeta.Annotations .ObjectMeta.Labels .DeploymentMeta.Namespace .Spec.Containers }}
+         {{- if $otelResAttrs }}
+         - name: OTEL_RESOURCE_ATTRIBUTES
+           value: "{{ $otelResAttrs }}"
+         {{- end }}
          {{- range $key, $value := .ProxyConfig.ProxyMetadata }}
          - name: {{ $key }}
            value: "{{ $value }}"
          {{- end }}
  
  [1843 lines unchanged)]
  
                value: "{{ $value }}"
              {{- end }}
              - name: XDS_ADDRESS
                value: {{ .ProxyConfig.DiscoveryAddress | quote }}
+             - name: CA_ADDRESS
+             {{- if .Values.global.caAddress }}
+               value: {{ .Values.global.caAddress }}
+             {{- else }}
+               value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
+             {{- end }}
              startupProbe:
                failureThreshold: 30
                httpGet:
                  path: /healthz/ready
  
  [16 lines unchanged)]
  
              volumeMounts:
              - mountPath: /var/run/secrets/xds
                name: istiod-ca-cert
              - mountPath: /var/run/secrets/xds-tokens
-               name: istio-token
+               name: xds-token
              - mountPath: /tmp
                name: tmp
+             - mountPath: /var/run/secrets/istio
+               name: istiod-ca-cert
+             - mountPath: /var/run/secrets/tokens
+               name: istio-token
            volumes:
            - emptyDir: {}
              name: tmp
-           - name: istio-token
+           - name: xds-token
              projected:
                sources:
                - serviceAccountToken:
                    path: xds-token
+                   expirationSeconds: 43200
+                   audience: {{ .Values.global.sds.token.aud }}
+           - name: istio-token
+             projected:
+               sources:
+               - serviceAccountToken:
+                   path: istio-token
                    expirationSeconds: 43200
                    audience: {{ .Values.global.sds.token.aud }}
            {{- if eq .Values.global.pilotCertProvider "istiod" }}
            - name: istiod-ca-cert
  
  [98 lines unchanged)]
  
      spec:
        selector:
          matchLabels:
            gateway.networking.k8s.io/gateway-name: {{.Name|quote}}
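Review bot: The added `CA_ADDRESS` entry renders `value: {{ .Values.global.caAddress }}` without quoting, while the `XDS_ADDRESS` line directly above it uses `| quote`; a value containing `: ` or ` #`, or one starting with a YAML indicator, would change the structure of the injected pod spec. I would write `value: {{ .Values.global.caAddress | quote }}`. The new `OTEL_RESOURCE_ATTRIBUTES` entry has a related weakness: `value: "{{ $otelResAttrs }}"` is built from pod annotations and labels, and unless `otelResourceAttributes` escapes its output (not visible here) a double quote in an annotation would end the scalar early, so `value: {{ $otelResAttrs | quote }}` is the safer form. Both additions sit inside template blocks whose start and end fall in the elided unchanged lines.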

# istiod/templates/mutatingwebhook.yaml

# istiod/templates/reader-clusterrole.yaml

# istiod/templates/reader-clusterrolebinding.yaml

# istiod/templates/role.yaml

# istiod/templates/rolebinding.yaml

# istiod/templates/service.yaml

# istiod/templates/serviceaccount.yaml

# istiod/templates/validatingwebhookconfiguration.yaml

# otomi-api/templates/core-config.yaml

@@ data.core.yaml @@
! ± value change in multiline text (one insert, one deletion)
  adminApps:
  - deps:
    - prometheus
    name: alertmanager
  
  [277 lines unchanged)]
  
      about: Istio is an open platform for providing a uniform way to integrate microservices,
        manage traffic flow across microservices, enforce policies and aggregate telemetry
        data. Istio's control plane provides an abstraction layer over the underlying
        cluster management platform.
-     appVersion: 1.29.2
+     appVersion: 1.30.1
      integration: App Platform has security best practices built in, and is designed
        for intrusion. Istio is used by App Platform as a service mesh to deliver mTLS
        enforcement for all traffic that is deemed compromisable, egress control to
        force teams to choose explicit egress endpoints, and advanced routing capabilities
  
  [309 lines unchanged)]
  
    path: /explore?orgId=1&left=%7B"datasource":"loki","queries":%5B%7B"refId":"A","expr":"","queryType":"range","datasource":%7B"type":"loki","uid":"loki"%7D%7D%5D,"range":%7B"from":"now-1h","to":"now"%7D%7D
    useHost: grafana
  - name: tekton
    ownHost: true

# otomi-api/templates/deployment.yaml

# rabbitmq-cluster-operator/templates/messaging-topology-operator/validating-webhook-configuration.yaml

# values-repo.yaml

svcAPLBot added 27 commits June 12, 2026 16:21
@merll

merll commented Jun 25, 2026

Collaborator

#3382

@merll merll closed this Jun 25, 2026
@merll merll deleted the ci-update-istio-to-1.30.1 branch June 25, 2026 08:57

Labels

chart-deps Auto generated helm chart dependencies
