diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json index 2cb39e8ca..08329e1ab 100644 --- a/.devcontainer/devcontainer.json +++ b/.devcontainer/devcontainer.json @@ -1,6 +1,6 @@ { "name": "istio build-tools", - "image": "gcr.io/istio-testing/build-tools:master-8463430ba963638b35745d773045701f6d02014d", + "image": "gcr.io/istio-testing/build-tools:master-8eb42e9551b9a67c330aeef783f2498647d91289", "privileged": true, "remoteEnv": { "USE_GKE_GCLOUD_AUTH_PLUGIN": "True", diff --git a/Makefile.core.mk b/Makefile.core.mk index a3afbac6c..86c76e3ce 100644 --- a/Makefile.core.mk +++ b/Makefile.core.mk @@ -468,7 +468,7 @@ OPERATOR_SDK_VERSION ?= v1.37.0 HELM_VERSION ?= v3.16.1 CONTROLLER_TOOLS_VERSION ?= v0.16.3 OPM_VERSION ?= v1.47.0 -GITLEAKS_VERSION ?= v8.20.0 +GITLEAKS_VERSION ?= v8.20.1 ISTIOCTL_VERSION ?= 1.23.0 # GENERATE_RELATED_IMAGES defines whether `spec.relatedImages` is going to be generated or not diff --git a/api/v1alpha1/values_types.gen.go b/api/v1alpha1/values_types.gen.go index f1d55adb4..1f156da29 100644 --- a/api/v1alpha1/values_types.gen.go +++ b/api/v1alpha1/values_types.gen.go @@ -685,6 +685,8 @@ type ProxyConfig struct { // Enables core dumps for newly injected sidecars. // // If set, newly injected sidecars will have core dumps enabled. + // + // Deprecated: Marked as deprecated in pkg/apis/values_types.proto. EnableCoreDump *bool `json:"enableCoreDump,omitempty"` // Specifies the Istio ingress ports not to capture. ExcludeInboundPorts string `json:"excludeInboundPorts,omitempty"` 
@@ -3228,12 +3230,12 @@ type ProxyConfigProxyHeadersSetCurrentClientCertDetails struct { // Whether to forward the entire client cert in URL encoded PEM format. This will appear in the // XFCC header comma separated from other values with the value Cert="PEM". // Defaults to false. - Cert bool `json:"cert,omitempty"` + Cert *bool `json:"cert,omitempty"` // Whether to forward the entire client cert chain (including the leaf cert) in URL encoded PEM // format. This will appear in the XFCC header comma separated from other values with the value // Chain="PEM". // Defaults to false. - Chain bool `json:"chain,omitempty"` + Chain *bool `json:"chain,omitempty"` // Whether to forward the DNS type Subject Alternative Names of the client cert. // Defaults to true. Dns *bool `json:"dns,omitempty"` diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go index 847e60775..516cdd97c 100644 --- a/api/v1alpha1/zz_generated.deepcopy.go +++ b/api/v1alpha1/zz_generated.deepcopy.go @@ -2939,6 +2939,16 @@ func (in *ProxyConfigProxyHeadersSetCurrentClientCertDetails) DeepCopyInto(out * *out = new(bool) **out = **in } + if in.Cert != nil { + in, out := &in.Cert, &out.Cert + *out = new(bool) + **out = **in + } + if in.Chain != nil { + in, out := &in.Chain, &out.Chain + *out = new(bool) + **out = **in + } if in.Dns != nil { in, out := &in.Dns, &out.Dns *out = new(bool) diff --git a/bundle/manifests/sailoperator.clusterserviceversion.yaml b/bundle/manifests/sailoperator.clusterserviceversion.yaml index 0a577c671..d23d2c956 100644 --- a/bundle/manifests/sailoperator.clusterserviceversion.yaml +++ b/bundle/manifests/sailoperator.clusterserviceversion.yaml 
@@ -34,7 +34,7 @@ metadata: capabilities: Seamless Upgrades categories: OpenShift Optional, Integration & Delivery, Networking, Security containerImage: quay.io/maistra-dev/sail-operator:0.2-latest - createdAt: "2024-10-08T15:48:56Z" + createdAt: "2024-10-09T14:29:03Z" description: Experimental operator for installing Istio service mesh features.operators.openshift.io/cnf: "false" features.operators.openshift.io/cni: "true" @@ -374,7 +374,7 @@ spec: - v1.23.2 - v1.22.5 - v1.21.6 - - latest (6f95f8c9) + - latest (51903838) [See this page](https://github.com/istio-ecosystem/sail-operator/blob/main/bundle/README.md) for instructions on how to use it. displayName: Sail Operator @@ -598,10 +598,10 @@ spec: template: metadata: annotations: - images.latest.cni: gcr.io/istio-testing/install-cni:1.24-alpha.6f95f8c912c44489b4f78568207337bd907f46c1 - images.latest.istiod: gcr.io/istio-testing/pilot:1.24-alpha.6f95f8c912c44489b4f78568207337bd907f46c1 - images.latest.proxy: gcr.io/istio-testing/proxyv2:1.24-alpha.6f95f8c912c44489b4f78568207337bd907f46c1 - images.latest.ztunnel: gcr.io/istio-testing/ztunnel:1.24-alpha.6f95f8c912c44489b4f78568207337bd907f46c1 + images.latest.cni: gcr.io/istio-testing/install-cni:1.24-alpha.51903838fc216411efd9ad147ed3cfe0c6e258e9 + images.latest.istiod: gcr.io/istio-testing/pilot:1.24-alpha.51903838fc216411efd9ad147ed3cfe0c6e258e9 + images.latest.proxy: gcr.io/istio-testing/proxyv2:1.24-alpha.51903838fc216411efd9ad147ed3cfe0c6e258e9 + images.latest.ztunnel: gcr.io/istio-testing/ztunnel:1.24-alpha.51903838fc216411efd9ad147ed3cfe0c6e258e9 images.v1_21_6.cni: docker.io/istio/install-cni:1.21.6 images.v1_21_6.istiod: docker.io/istio/pilot:1.21.6 images.v1_21_6.proxy: docker.io/istio/proxyv2:1.21.6 
@@ -766,13 +766,13 @@ spec: provider: name: Red Hat, Inc. relatedImages: - - image: gcr.io/istio-testing/install-cni:1.24-alpha.6f95f8c912c44489b4f78568207337bd907f46c1 + - image: gcr.io/istio-testing/install-cni:1.24-alpha.51903838fc216411efd9ad147ed3cfe0c6e258e9 name: latest.cni - - image: gcr.io/istio-testing/pilot:1.24-alpha.6f95f8c912c44489b4f78568207337bd907f46c1 + - image: gcr.io/istio-testing/pilot:1.24-alpha.51903838fc216411efd9ad147ed3cfe0c6e258e9 name: latest.istiod - - image: gcr.io/istio-testing/proxyv2:1.24-alpha.6f95f8c912c44489b4f78568207337bd907f46c1 + - image: gcr.io/istio-testing/proxyv2:1.24-alpha.51903838fc216411efd9ad147ed3cfe0c6e258e9 name: latest.proxy - - image: gcr.io/istio-testing/ztunnel:1.24-alpha.6f95f8c912c44489b4f78568207337bd907f46c1 + - image: gcr.io/istio-testing/ztunnel:1.24-alpha.51903838fc216411efd9ad147ed3cfe0c6e258e9 name: latest.ztunnel - image: docker.io/istio/install-cni:1.21.6 name: v1_21_6.cni diff --git a/bundle/manifests/sailoperator.io_istiorevisions.yaml b/bundle/manifests/sailoperator.io_istiorevisions.yaml index f94de37ce..5370d3268 100644 --- a/bundle/manifests/sailoperator.io_istiorevisions.yaml +++ b/bundle/manifests/sailoperator.io_istiorevisions.yaml @@ -599,6 +599,8 @@ spec: Enables core dumps for newly injected sidecars. If set, newly injected sidecars will have core dumps enabled. + + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. type: boolean excludeIPRanges: description: Lists the excluded IP ranges of Istio egress diff --git a/bundle/manifests/sailoperator.io_istios.yaml b/bundle/manifests/sailoperator.io_istios.yaml index 57cd36751..8e16af7dd 100644 --- a/bundle/manifests/sailoperator.io_istios.yaml +++ b/bundle/manifests/sailoperator.io_istios.yaml 
@@ -658,6 +658,8 @@ spec: Enables core dumps for newly injected sidecars. If set, newly injected sidecars will have core dumps enabled. + + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. type: boolean excludeIPRanges: description: Lists the excluded IP ranges of Istio egress diff --git a/bundle/manifests/sailoperator.io_remoteistios.yaml b/bundle/manifests/sailoperator.io_remoteistios.yaml index f0511ee38..7954b577c 100644 --- a/bundle/manifests/sailoperator.io_remoteistios.yaml +++ b/bundle/manifests/sailoperator.io_remoteistios.yaml @@ -653,6 +653,8 @@ spec: Enables core dumps for newly injected sidecars. If set, newly injected sidecars will have core dumps enabled. + + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. type: boolean excludeIPRanges: description: Lists the excluded IP ranges of Istio egress diff --git a/chart/crds/sailoperator.io_istiorevisions.yaml b/chart/crds/sailoperator.io_istiorevisions.yaml index 4cad3c0c0..e7533f351 100644 --- a/chart/crds/sailoperator.io_istiorevisions.yaml +++ b/chart/crds/sailoperator.io_istiorevisions.yaml @@ -599,6 +599,8 @@ spec: Enables core dumps for newly injected sidecars. If set, newly injected sidecars will have core dumps enabled. + + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. type: boolean excludeIPRanges: description: Lists the excluded IP ranges of Istio egress diff --git a/chart/crds/sailoperator.io_istios.yaml b/chart/crds/sailoperator.io_istios.yaml index f1b6843b9..8254f7469 100644 --- a/chart/crds/sailoperator.io_istios.yaml +++ b/chart/crds/sailoperator.io_istios.yaml @@ -658,6 +658,8 @@ spec: Enables core dumps for newly injected sidecars. If set, newly injected sidecars will have core dumps enabled. + + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. type: boolean excludeIPRanges: description: Lists the excluded IP ranges of Istio egress 
diff --git a/chart/crds/sailoperator.io_remoteistios.yaml b/chart/crds/sailoperator.io_remoteistios.yaml index bd7b8e570..ee128cf3f 100644 --- a/chart/crds/sailoperator.io_remoteistios.yaml +++ b/chart/crds/sailoperator.io_remoteistios.yaml @@ -653,6 +653,8 @@ spec: Enables core dumps for newly injected sidecars. If set, newly injected sidecars will have core dumps enabled. + + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. type: boolean excludeIPRanges: description: Lists the excluded IP ranges of Istio egress diff --git a/chart/values.yaml b/chart/values.yaml index ad6afeb70..06a8ef4f1 100644 --- a/chart/values.yaml +++ b/chart/values.yaml @@ -19,7 +19,7 @@ csv: - v1.23.2 - v1.22.5 - v1.21.6 - - latest (6f95f8c9) + - latest (51903838) [See this page](https://github.com/istio-ecosystem/sail-operator/blob/main/bundle/README.md) for instructions on how to use it. support: Community based diff --git a/common/.commonfiles.sha b/common/.commonfiles.sha index 902101baf..22283f3bd 100644 --- a/common/.commonfiles.sha +++ b/common/.commonfiles.sha @@ -1 +1 @@ -430db67c8ca3604651633bcf49bb096193933ef8 +c12e9c52ed2facb49d394df9b1c92ff36fc7f5f1 diff --git a/common/scripts/setup_env.sh b/common/scripts/setup_env.sh index 9418434d8..6cbe0225f 100755 --- a/common/scripts/setup_env.sh +++ b/common/scripts/setup_env.sh @@ -75,7 +75,7 @@ fi TOOLS_REGISTRY_PROVIDER=${TOOLS_REGISTRY_PROVIDER:-gcr.io} PROJECT_ID=${PROJECT_ID:-istio-testing} if [[ "${IMAGE_VERSION:-}" == "" ]]; then - IMAGE_VERSION=master-8463430ba963638b35745d773045701f6d02014d + IMAGE_VERSION=master-8eb42e9551b9a67c330aeef783f2498647d91289 fi if [[ "${IMAGE_NAME:-}" == "" ]]; then IMAGE_NAME=build-tools diff --git a/docs/api-reference/sailoperator.io.md b/docs/api-reference/sailoperator.io.md index d028681b5..5e7ba430e 100644 --- a/docs/api-reference/sailoperator.io.md +++ b/docs/api-reference/sailoperator.io.md 
@@ -2196,7 +2196,7 @@ _Appears in:_ | `autoInject` _string_ | Controls the 'policy' in the sidecar injector. | | | | `clusterDomain` _string_ | Domain for the cluster, default: "cluster.local". K8s allows this to be customized, see https://kubernetes.io/docs/tasks/administer-cluster/dns-custom-nameservers/ | | | | `componentLogLevel` _string_ | Per Component log level for proxy, applies to gateways and sidecars. If a component level is not set, then the global "logLevel" will be used. If left empty, "misc:error" is used. | | | -| `enableCoreDump` _boolean_ | Enables core dumps for newly injected sidecars. If set, newly injected sidecars will have core dumps enabled. | | | +| `enableCoreDump` _boolean_ | Enables core dumps for newly injected sidecars. If set, newly injected sidecars will have core dumps enabled. Deprecated: Marked as deprecated in pkg/apis/values_types.proto. | | | | `excludeInboundPorts` _string_ | Specifies the Istio ingress ports not to capture. | | | | `excludeIPRanges` _string_ | Lists the excluded IP ranges of Istio egress traffic that the sidecar captures. | | | | `image` _string_ | Image name or path for the proxy, default: "proxyv2". If registry or tag are not specified, global.hub and global.tag are used. Examples: my-proxy (uses global.hub/tag), docker.io/myrepo/my-proxy:v1.0.0 | | | 
@@ -2330,7 +2330,7 @@ _Appears in:_ #### ProxyConfigProxyHeadersSetCurrentClientCertDetails -_Underlying type:_ _[struct{Subject *bool "json:\"subject,omitempty\""; Cert bool "json:\"cert,omitempty\""; Chain bool "json:\"chain,omitempty\""; Dns *bool "json:\"dns,omitempty\""; Uri *bool "json:\"uri,omitempty\""}](#struct{subject-*bool-"json:\"subject,omitempty\"";-cert-bool-"json:\"cert,omitempty\"";-chain-bool-"json:\"chain,omitempty\"";-dns-*bool-"json:\"dns,omitempty\"";-uri-*bool-"json:\"uri,omitempty\""})_ +_Underlying type:_ _[struct{Subject *bool "json:\"subject,omitempty\""; Cert *bool "json:\"cert,omitempty\""; Chain *bool "json:\"chain,omitempty\""; Dns *bool "json:\"dns,omitempty\""; Uri *bool "json:\"uri,omitempty\""}](#struct{subject-*bool-"json:\"subject,omitempty\"";-cert-*bool-"json:\"cert,omitempty\"";-chain-*bool-"json:\"chain,omitempty\"";-dns-*bool-"json:\"dns,omitempty\"";-uri-*bool-"json:\"uri,omitempty\""})_ diff --git a/go.mod b/go.mod index fcd7bd26d..5d10a7e8d 100644 --- a/go.mod +++ b/go.mod @@ -23,8 +23,8 @@ require ( gomodules.xyz/jsonpatch/v2 v2.4.0 gopkg.in/yaml.v3 v3.0.1 helm.sh/helm/v3 v3.16.1 - istio.io/client-go v1.23.0-alpha.0.0.20241005034300-2c4a3cee6f7d - istio.io/istio v0.0.0-20241006152922-6f95f8c912c4 + istio.io/client-go v1.23.0-alpha.0.0.20241008225844-395a48e49cd4 + istio.io/istio v0.0.0-20241009082345-51903838fc21 k8s.io/api v0.31.1 k8s.io/apiextensions-apiserver v0.31.1 k8s.io/apimachinery v0.31.1 @@ -166,7 +166,7 @@ require ( gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect gotest.tools/v3 v3.5.1 // indirect - istio.io/api v1.23.0-alpha.0.0.20241005033901-9723aca52e22 // indirect + istio.io/api v1.23.0-alpha.0.0.20241008225447-9e245289297e // indirect k8s.io/apiserver v0.31.1 // indirect k8s.io/component-base v0.31.1 // indirect k8s.io/klog/v2 v2.130.1 // indirect diff --git a/go.sum b/go.sum index 0cdb5dc87..667594e1c 100644 --- a/go.sum +++ b/go.sum 
@@ -489,12 +489,12 @@ gotest.tools/v3 v3.5.1 h1:EENdUnS3pdur5nybKYIh2Vfgc8IUNBjxDPSjtiJcOzU= gotest.tools/v3 v3.5.1/go.mod h1:isy3WKz7GK6uNw/sbHzfKBLvlvXwUyV06n6brMxxopU= helm.sh/helm/v3 v3.16.1 h1:cER6tI/8PgUAsaJaQCVBUg3VI9KN4oVaZJgY60RIc0c= helm.sh/helm/v3 v3.16.1/go.mod h1:r+xBHHP20qJeEqtvBXMf7W35QDJnzY/eiEBzt+TfHps= -istio.io/api v1.23.0-alpha.0.0.20241005033901-9723aca52e22 h1:zJhF3wFCBR6aYymRVqO9/lSX2D/sk/qklQrRF7lbIj8= -istio.io/api v1.23.0-alpha.0.0.20241005033901-9723aca52e22/go.mod h1:MQnRok7RZ20/PE56v0LxmoWH0xVxnCQPNuf9O7PAN1I= -istio.io/client-go v1.23.0-alpha.0.0.20241005034300-2c4a3cee6f7d h1:rlMkdB4mK+b8TKSuxVOOZYh4mpDkDgYvVQj75wwLYKA= -istio.io/client-go v1.23.0-alpha.0.0.20241005034300-2c4a3cee6f7d/go.mod h1:K/KtGTGAA72MC0oPUIFE1ux9aQUqepNP2e4YCz2YleE= -istio.io/istio v0.0.0-20241006152922-6f95f8c912c4 h1:njSM52+zyIPtmLYNr4jEFb7n4NBnudB95llLRzicBNs= -istio.io/istio v0.0.0-20241006152922-6f95f8c912c4/go.mod h1:///kOEmTI1EXlYBf1zS1l63r/Otcx0S1EG/95ZJ0LOo= +istio.io/api v1.23.0-alpha.0.0.20241008225447-9e245289297e h1:XFDQ7gJIvtFtqnQSkAUjj95+ZpgClPEz+pwSU3rvxkk= +istio.io/api v1.23.0-alpha.0.0.20241008225447-9e245289297e/go.mod h1:MQnRok7RZ20/PE56v0LxmoWH0xVxnCQPNuf9O7PAN1I= +istio.io/client-go v1.23.0-alpha.0.0.20241008225844-395a48e49cd4 h1:4CxCrMN+Q+S9GDSrlrigR63zYqQ+uc5nGmknHNhT+PU= +istio.io/client-go v1.23.0-alpha.0.0.20241008225844-395a48e49cd4/go.mod h1:72IX50+zpXByj9hYLJ5b28v6h62v/UHcU+ZFVJBiwao= +istio.io/istio v0.0.0-20241009082345-51903838fc21 h1:WeDrhaXfvt4Ufux7iLIXw/pXp36mF+Oh7dG/BEIRsfs= +istio.io/istio v0.0.0-20241009082345-51903838fc21/go.mod h1:OjXgkrdrI5myoxr0eDxoWm+q5kFrcgLNlJLRvGd5ZIk= k8s.io/api v0.31.1 h1:Xe1hX/fPW3PXYYv8BlozYqw63ytA92snr96zMW9gWTU= k8s.io/api v0.31.1/go.mod h1:sbN1g6eY6XVLeqNsZGLnI5FwVseTrZX7Fv3O26rhAaI= k8s.io/apiextensions-apiserver v0.31.1 h1:L+hwULvXx+nvTYX/MKM3kKMZyei+UiSXQWciX/N6E40= 
diff --git a/resources/latest/charts/base/Chart.yaml b/resources/latest/charts/base/Chart.yaml index 90d7c8743..cb509e593 100644 --- a/resources/latest/charts/base/Chart.yaml +++ b/resources/latest/charts/base/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 1.24-alpha.6f95f8c912c44489b4f78568207337bd907f46c1 +appVersion: 1.24-alpha.51903838fc216411efd9ad147ed3cfe0c6e258e9 description: Helm chart for deploying Istio cluster resources and CRDs icon: https://istio.io/latest/favicons/android-192x192.png keywords: @@ -7,4 +7,4 @@ keywords: name: base sources: - https://github.com/istio/istio -version: 1.24-alpha.6f95f8c912c44489b4f78568207337bd907f46c1 +version: 1.24-alpha.51903838fc216411efd9ad147ed3cfe0c6e258e9 diff --git a/resources/latest/charts/cni/Chart.yaml b/resources/latest/charts/cni/Chart.yaml index 07bc06d3c..98118950f 100644 --- a/resources/latest/charts/cni/Chart.yaml +++ b/resources/latest/charts/cni/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 1.24-alpha.6f95f8c912c44489b4f78568207337bd907f46c1 +appVersion: 1.24-alpha.51903838fc216411efd9ad147ed3cfe0c6e258e9 description: Helm chart for istio-cni components icon: https://istio.io/latest/favicons/android-192x192.png keywords: @@ -8,4 +8,4 @@ keywords: name: cni sources: - https://github.com/istio/istio -version: 1.24-alpha.6f95f8c912c44489b4f78568207337bd907f46c1 +version: 1.24-alpha.51903838fc216411efd9ad147ed3cfe0c6e258e9 diff --git a/resources/latest/charts/cni/values.yaml b/resources/latest/charts/cni/values.yaml index 491f58253..979c9b9e5 100644 --- a/resources/latest/charts/cni/values.yaml +++ b/resources/latest/charts/cni/values.yaml @@ -112,7 +112,7 @@ _internal_defaults_do_not_set: hub: gcr.io/istio-testing # Default tag for Istio images. - tag: 1.24-alpha.6f95f8c912c44489b4f78568207337bd907f46c1 + tag: 1.24-alpha.51903838fc216411efd9ad147ed3cfe0c6e258e9 # Variant of the image to use. # Currently supported are: [debug, distroless] 
diff --git a/resources/latest/charts/gateway/Chart.yaml b/resources/latest/charts/gateway/Chart.yaml index 49bde88c7..a0805dba7 100644 --- a/resources/latest/charts/gateway/Chart.yaml +++ b/resources/latest/charts/gateway/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 1.24-alpha.6f95f8c912c44489b4f78568207337bd907f46c1 +appVersion: 1.24-alpha.51903838fc216411efd9ad147ed3cfe0c6e258e9 description: Helm chart for deploying Istio gateways icon: https://istio.io/latest/favicons/android-192x192.png keywords: @@ -9,4 +9,4 @@ name: gateway sources: - https://github.com/istio/istio type: application -version: 1.24-alpha.6f95f8c912c44489b4f78568207337bd907f46c1 +version: 1.24-alpha.51903838fc216411efd9ad147ed3cfe0c6e258e9 diff --git a/resources/latest/charts/istiod/Chart.yaml b/resources/latest/charts/istiod/Chart.yaml index c064a3baa..864a7c815 100644 --- a/resources/latest/charts/istiod/Chart.yaml +++ b/resources/latest/charts/istiod/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 1.24-alpha.6f95f8c912c44489b4f78568207337bd907f46c1 +appVersion: 1.24-alpha.51903838fc216411efd9ad147ed3cfe0c6e258e9 description: Helm chart for istio control plane icon: https://istio.io/latest/favicons/android-192x192.png keywords: @@ -9,4 +9,4 @@ keywords: name: istiod sources: - https://github.com/istio/istio -version: 1.24-alpha.6f95f8c912c44489b4f78568207337bd907f46c1 +version: 1.24-alpha.51903838fc216411efd9ad147ed3cfe0c6e258e9 diff --git a/resources/latest/charts/istiod/files/injection-template.yaml b/resources/latest/charts/istiod/files/injection-template.yaml index f41122f9b..a0b8d5b6f 100644 --- a/resources/latest/charts/istiod/files/injection-template.yaml +++ b/resources/latest/charts/istiod/files/injection-template.yaml 
@@ -161,34 +161,6 @@ spec: runAsNonRoot: true {{- end }} {{ end -}} - {{- if eq (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }} - - name: enable-core-dump - args: - - -c - - sysctl -w kernel.core_pattern=/var/lib/istio/data/core.proxy && ulimit -c unlimited - command: - - /bin/sh - {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}" - {{- else }} - image: "{{ .ProxyImage }}" - {{- end }} - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - resources: - {{ template "resources" . }} - securityContext: - allowPrivilegeEscalation: true - capabilities: - add: - - SYS_ADMIN - drop: - - ALL - privileged: true - readOnlyRootFilesystem: false - runAsGroup: 0 - runAsNonRoot: false - runAsUser: 0 - {{ end }} {{ if not $nativeSidecar }} containers: {{ end }} @@ -384,7 +356,7 @@ spec: drop: - ALL privileged: true - readOnlyRootFilesystem: {{ ne (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }} + readOnlyRootFilesystem: true runAsGroup: {{ .ProxyGID | default "1337" }} runAsNonRoot: false runAsUser: 0 @@ -403,7 +375,7 @@ spec: drop: - ALL privileged: {{ .Values.global.proxy.privileged }} - readOnlyRootFilesystem: {{ ne (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }} + readOnlyRootFilesystem: true runAsGroup: {{ .ProxyGID | default "1337" }} {{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}} runAsNonRoot: false 
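Review bot: Both `readOnlyRootFilesystem: true` lines (second and third hunks) no longer consult the `sidecar.istio.io/enableCoreDump` annotation or `.Values.global.proxy.enableCoreDump`, and the first hunk drops the `enable-core-dump` init container, but nothing in the template records that these inputs are now ignored. `EnableCoreDump` is still an accepted field in `api/v1alpha1/values_types.gen.go` in this same commit, so a workload that sets it against the `latest` charts would presumably get no core dumps and no indication why. I would add a comment above each line, e.g. `# always read-only: enableCoreDump (value and annotation) is no longer honored`, and, since these charts appear to be copied from upstream, carry the same sentence in the operator's own documentation for the field. The container specs these lines belong to start outside the hunks.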
diff --git a/resources/latest/charts/istiod/files/waypoint.yaml b/resources/latest/charts/istiod/files/waypoint.yaml index f12a128f4..570648f03 100644 --- a/resources/latest/charts/istiod/files/waypoint.yaml +++ b/resources/latest/charts/istiod/files/waypoint.yaml @@ -295,6 +295,7 @@ metadata: {{ toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} labels: {{- toJsonMap + (strdict "networking.istio.io/traffic-distribution" "PreferClose") .InfrastructureLabels (strdict "gateway.networking.k8s.io/gateway-name" .Name diff --git a/resources/latest/charts/istiod/values.yaml b/resources/latest/charts/istiod/values.yaml index c727eb887..35182b455 100644 --- a/resources/latest/charts/istiod/values.yaml +++ b/resources/latest/charts/istiod/values.yaml @@ -242,7 +242,7 @@ _internal_defaults_do_not_set: # Dev builds from prow are on gcr.io hub: gcr.io/istio-testing # Default tag for Istio images. - tag: 1.24-alpha.6f95f8c912c44489b4f78568207337bd907f46c1 + tag: 1.24-alpha.51903838fc216411efd9ad147ed3cfe0c6e258e9 # Variant of the image to use. # Currently supported are: [debug, distroless] variant: "" @@ -314,9 +314,6 @@ _internal_defaults_do_not_set: # not set, then the global "logLevel" will be used. componentLogLevel: "misc:error" - # If set, newly injected sidecars will have core dumps enabled. - enableCoreDump: false - # istio ingress capture allowlist # examples: # Redirect only selected ports: --includeInboundPorts="80,8080" diff --git a/resources/latest/charts/ztunnel/Chart.yaml b/resources/latest/charts/ztunnel/Chart.yaml index c6f4a8861..65c98da26 100644 --- a/resources/latest/charts/ztunnel/Chart.yaml +++ b/resources/latest/charts/ztunnel/Chart.yaml 
@@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 1.24-alpha.6f95f8c912c44489b4f78568207337bd907f46c1 +appVersion: 1.24-alpha.51903838fc216411efd9ad147ed3cfe0c6e258e9 description: Helm chart for istio ztunnel components icon: https://istio.io/latest/favicons/android-192x192.png keywords: @@ -8,4 +8,4 @@ keywords: name: ztunnel sources: - https://github.com/istio/istio -version: 1.24-alpha.6f95f8c912c44489b4f78568207337bd907f46c1 +version: 1.24-alpha.51903838fc216411efd9ad147ed3cfe0c6e258e9 diff --git a/resources/latest/charts/ztunnel/values.yaml b/resources/latest/charts/ztunnel/values.yaml index 877f05f27..b26dca371 100644 --- a/resources/latest/charts/ztunnel/values.yaml +++ b/resources/latest/charts/ztunnel/values.yaml @@ -4,7 +4,7 @@ _internal_defaults_do_not_set: # Hub to pull from. Image will be `Hub/Image:Tag-Variant` hub: gcr.io/istio-testing # Tag to pull from. Image will be `Hub/Image:Tag-Variant` - tag: 1.24-alpha.6f95f8c912c44489b4f78568207337bd907f46c1 + tag: 1.24-alpha.51903838fc216411efd9ad147ed3cfe0c6e258e9 # Variant to pull. Options are "debug" or "distroless". Unset will use the default for the given version. variant: "" diff --git a/versions.yaml b/versions.yaml index 6f4a4e74a..28987ca1f 100644 --- a/versions.yaml +++ b/versions.yaml 
@@ -43,13 +43,13 @@ versions: - https://istio-release.storage.googleapis.com/charts/cni-1.21.6.tgz - https://istio-release.storage.googleapis.com/charts/ztunnel-1.21.6.tgz - name: latest - version: 1.24-alpha.6f95f8c912c44489b4f78568207337bd907f46c1 + version: 1.24-alpha.51903838fc216411efd9ad147ed3cfe0c6e258e9 repo: https://github.com/istio/istio branch: master - commit: 6f95f8c912c44489b4f78568207337bd907f46c1 + commit: 51903838fc216411efd9ad147ed3cfe0c6e258e9 charts: - - https://storage.googleapis.com/istio-build/dev/1.24-alpha.6f95f8c912c44489b4f78568207337bd907f46c1/helm/base-1.24-alpha.6f95f8c912c44489b4f78568207337bd907f46c1.tgz - - https://storage.googleapis.com/istio-build/dev/1.24-alpha.6f95f8c912c44489b4f78568207337bd907f46c1/helm/cni-1.24-alpha.6f95f8c912c44489b4f78568207337bd907f46c1.tgz - - https://storage.googleapis.com/istio-build/dev/1.24-alpha.6f95f8c912c44489b4f78568207337bd907f46c1/helm/gateway-1.24-alpha.6f95f8c912c44489b4f78568207337bd907f46c1.tgz - - https://storage.googleapis.com/istio-build/dev/1.24-alpha.6f95f8c912c44489b4f78568207337bd907f46c1/helm/istiod-1.24-alpha.6f95f8c912c44489b4f78568207337bd907f46c1.tgz - - https://storage.googleapis.com/istio-build/dev/1.24-alpha.6f95f8c912c44489b4f78568207337bd907f46c1/helm/ztunnel-1.24-alpha.6f95f8c912c44489b4f78568207337bd907f46c1.tgz + - https://storage.googleapis.com/istio-build/dev/1.24-alpha.51903838fc216411efd9ad147ed3cfe0c6e258e9/helm/base-1.24-alpha.51903838fc216411efd9ad147ed3cfe0c6e258e9.tgz + - https://storage.googleapis.com/istio-build/dev/1.24-alpha.51903838fc216411efd9ad147ed3cfe0c6e258e9/helm/cni-1.24-alpha.51903838fc216411efd9ad147ed3cfe0c6e258e9.tgz + - https://storage.googleapis.com/istio-build/dev/1.24-alpha.51903838fc216411efd9ad147ed3cfe0c6e258e9/helm/gateway-1.24-alpha.51903838fc216411efd9ad147ed3cfe0c6e258e9.tgz + - 
https://storage.googleapis.com/istio-build/dev/1.24-alpha.51903838fc216411efd9ad147ed3cfe0c6e258e9/helm/istiod-1.24-alpha.51903838fc216411efd9ad147ed3cfe0c6e258e9.tgz + - https://storage.googleapis.com/istio-build/dev/1.24-alpha.51903838fc216411efd9ad147ed3cfe0c6e258e9/helm/ztunnel-1.24-alpha.51903838fc216411efd9ad147ed3cfe0c6e258e9.tgz