DaoCloud · weizhoublue · Jan 7, 2025
@@ -4,7 +4,7 @@ export USE_OPENSOURCE_CHART=false
 export REPO_URL=https://istio-release.storage.googleapis.com/charts
 export REPO_NAME=istio
 export CHART_NAME=istiod
-export VERSION=1.17.1
+export VERSION=1.24.2
 
 # pr, issue, none
 export UPGRADE_METHOD=pr

@@ -1,5 +1,5 @@
-apiVersion: v1
-appVersion: 1.17.1
+apiVersion: v2
+appVersion: 1.24.2
 description: Helm chart for istio control plane
 icon: https://istio.io/latest/favicons/android-192x192.png
 keywords:
@@ -8,9 +8,9 @@ keywords:
   - istio-discovery
 name: istiod
 sources:
-  - http://github.com/istio/istio
-version: 1.17.1
+  - https://github.com/istio/istio
+version: 1.24.2
 dependencies:
   - name: istiod
-    version: "1.17.1"
+    version: "1.24.2"
     repository: "https://istio-release.storage.googleapis.com/charts"
@@ -38,6 +38,20 @@ To view support configuration options and documentation, run:
 helm show values istio/istiod
 ```
 
+### Profiles
+
+Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets.
+These can be set with `--set profile=<profile>`.
+For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements.
+
+For consistency, the same profiles are used across each chart, even if they do not impact a given chart.
+
+Explicitly set values have highest priority, then profile settings, then chart defaults.
+
+As an implementation detail of profiles, the default values for the chart are all nested under `defaults`.
+When configuring the chart, you should not include this.
+That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`.
+
 ### Examples
 
 #### Configuring mesh configuration settings

@@ -1,5 +1,5 @@
-apiVersion: v1
-appVersion: 1.17.1
+apiVersion: v2
+appVersion: 1.24.2
 description: Helm chart for istio control plane
 icon: https://istio.io/latest/favicons/android-192x192.png
 keywords:
@@ -8,5 +8,5 @@ keywords:
 - istio-discovery
 name: istiod
 sources:
-- http://github.com/istio/istio
-version: 1.17.1
+- https://github.com/istio/istio
+version: 1.24.2
@@ -38,6 +38,20 @@ To view support configuration options and documentation, run:
 helm show values istio/istiod
 ```
 
+### Profiles
+
+Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets.
+These can be set with `--set profile=<profile>`.
+For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements.
+
+For consistency, the same profiles are used across each chart, even if they do not impact a given chart.
+
+Explicitly set values have highest priority, then profile settings, then chart defaults.
+
+As an implementation detail of profiles, the default values for the chart are all nested under `defaults`.
+When configuring the chart, you should not include this.
+That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`.
+
 ### Examples
 
 #### Configuring mesh configuration settings

@@ -4,17 +4,25 @@ metadata:
   labels:
     service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name  | quote }}
     service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest"  | quote }}
-    istio.io/rev: {{ .Revision | default "default" | quote }}
   annotations: {
+    istio.io/rev: {{ .Revision | default "default" | quote }},
     {{- if eq (len $containers) 1 }}
     kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}",
     kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}",
     {{ end }}
   }
 spec:
+  securityContext:
+  {{- if .Values.gateways.securityContext }}
+    {{- toYaml .Values.gateways.securityContext | nindent 4 }}
+  {{- else }}
+    sysctls:
+    - name: net.ipv4.ip_unprivileged_port_start
+      value: "0"
+  {{- end }}
   containers:
   - name: istio-proxy
-  {{- if contains "/" .Values.global.proxy.image }}
+  {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }}
     image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}"
   {{- else }}
     image: "{{ .ProxyImage }}"
@@ -41,9 +49,10 @@ spec:
     lifecycle:
       {{ toYaml .Values.global.proxy.lifecycle | indent 6 }}
   {{- end }}
+    securityContext:
+      runAsUser: {{ .ProxyUID | default "1337" }}
+      runAsGroup: {{ .ProxyGID | default "1337" }}
     env:
-    - name: JWT_POLICY
-      value: {{ .Values.global.jwtPolicy }}
     - name: PILOT_CERT_PROVIDER
       value: {{ .Values.global.pilotCertProvider }}
     - name: CA_ADDR
@@ -72,6 +81,10 @@ spec:
       valueFrom:
         fieldRef:
           fieldPath: status.hostIP
+    - name: ISTIO_CPU_LIMIT
+      valueFrom:
+        resourceFieldRef:
+          resource: limits.cpu
     - name: PROXY_CONFIG
       value: |
              {{ protoToJSON .ProxyConfig }}
@@ -88,6 +101,18 @@ spec:
           {{- end}}
         {{- end}}
         ]
+    - name: GOMEMLIMIT
+      valueFrom:
+        resourceFieldRef:
+          resource: limits.memory
+    - name: GOMAXPROCS
+      valueFrom:
+        resourceFieldRef:
+          resource: limits.cpu
+    {{- if .CompliancePolicy }}
+    - name: COMPLIANCE_POLICY
+      value: "{{ .CompliancePolicy }}"
+    {{- end }}
     - name: ISTIO_META_APP_CONTAINERS
       value: "{{ $containers | join "," }}"
     - name: ISTIO_META_CLUSTER_ID
@@ -156,10 +181,8 @@ spec:
     # SDS channel between istioagent and Envoy
     - mountPath: /etc/istio/proxy
       name: istio-envoy
-    {{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
     - mountPath: /var/run/secrets/tokens
       name: istio-token
-    {{- end }}
     {{- if .Values.global.mountMtlsCerts }}
     # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
     - mountPath: /etc/certs/
@@ -196,15 +219,13 @@ spec:
         - path: "annotations"
           fieldRef:
             fieldPath: metadata.annotations
-  {{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
   - name: istio-token
     projected:
       sources:
       - serviceAccountToken:
           path: istio-token
           expirationSeconds: 43200
           audience: {{ .Values.global.sds.token.aud }}
-  {{- end }}
   {{- if eq .Values.global.pilotCertProvider "istiod" }}
   - name: istiod-ca-cert
     configMap:
@@ -227,7 +248,3 @@ spec:
     - name: {{ . }}
     {{- end }}
   {{- end }}
-  {{- if eq (env "ENABLE_LEGACY_FSGROUP_INJECTION" "false") "true" }}
-  securityContext:
-    fsGroup: 1337
-  {{- end }}