Added ambient profile installation for istio

[biswajit-9776]

Pull Request Template for Kubeflow manifests Issues

✏️ A brief description of the changes

I added common/istio-ambient-1-22 directory that introduces ambient profile installation for istio.

📦 List any dependencies that are required for this change

My PR depends on #

🐛 If this PR is related to an issue, please put the link to the issue here.

#2676

✅ Contributor checklist

• Make sure you have tested with kustomize. See Installation Prerequisites
• All the commits have been signed-off (To pass the DCO check)
• Submit the Contributor License Agreements (To pass the cla/google check)

---

You can join the CNCF Slack and access our meetings at the Kubeflow Community website. Our channel on the CNCF Slack is here #kubeflow-platform.

[google-oss-prow]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign kimwnasptd for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[juliusvonkohout]

Please add a script in /hack
Do you know whether the architecture works? Where do you want to have the L7 proxies based in the discussion in #2676 ?

@peterj can you help here?

[juliusvonkohout]

@hansinikarunarathne can you help here? We should allow to have multiple yamls in a single file separated by "---"

[biswajit-9776]

As per #2676, we could maybe focus on static namespaces for which a waypoint proxy would get created and we may need to configure a few stuffs. As for dynamic namespaces, I'm not sure if to proceed but as per @peterj we could just use sidecar mode before figuring out the L7 processing...

[juliusvonkohout]

As per #2676, we could maybe focus on static namespaces for which a waypoint proxy would get created and we may need to configure a few stuffs. As for dynamic namespaces, I'm not sure if to proceed but as per @peterj we could just use sidecar mode before figuring out the L7 processing...

If we can run it in parallel, yes let's do so.

[peterj]

As I suggested in #2676, I think it would be safer to follow these steps first as a preparation for a move to ambient:

1. Migrate to Kubernetes Gateway API - this would involve installing K8s gateway API and replacing VirtualService resources with HTTPRoutes.
2. Move to the latest istio (1.22.3), continue with profile: default (or whichever was used).

After this, you could commence the move to ambient by identifying the components needing L7 proxies, deploying them and then moving to ambient (profile=ambient).

[biswajit-9776]

Yes, @juliusvonkohout should I migrate to Gateway API in this PR or make another one?

[juliusvonkohout]

Yes, @juliusvonkohout should I migrate to Gateway API in this PR or make another one?

If it works also with the legacy and istio-cni i prefer a separate PR.

[juliusvonkohout]

As I suggested in #2676, I think it would be safer to follow these steps first as a preparation for a move to ambient:

1. Migrate to Kubernetes Gateway API - this would involve installing K8s gateway API and replacing VirtualService resources with HTTPRoutes.

2. Move to the latest istio (1.22.3), continue with profile: default (or whichever was used).

After this, you could commence the move to ambient by identifying the components needing L7 proxies, deploying them and then moving to ambient (profile=ambient).

Yes lets do so. That means

1. in a separate PR the istio upgrade
2. Afterwards ina nother PR the k8s gateway API
3. adding the ambient option

[kimwnasptd]

Hey @biswajit-9776 @peterj, could you also add instructions in the description of the PR on how to also test this PR?

[biswajit-9776]

Hey @kimwnasptd thanks for hopping in, apologies from my side as I have been working on PSS workflows since last week.
As for the testing of this PR, the pipelines and m2m tests in our present workflow need to be modified for Istio using ambient profile.
Istio with ambient profile doesn't use the ingress gateway and would be using the Kubernetes Gateway API. So, the port forwarding tests in current github workflows need to be modified accordingly and I will post the findings in my local system accordingly.

[github-actions]

This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[juliusvonkohout]

/lifecycle frozen

[google-oss-prow]

@juliusvonkohout: The lifecycle/frozen label cannot be applied to Pull Requests.

In response to this:

/lifecycle frozen

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.