Merge branch 'main' into hpatuning

Makefile

@@ -96,7 +96,7 @@ build: generate fmt vet ## Build manager binary.
 	go build -o bin/manager main.go
 
 .PHONY: run
-run: manifests install create-kyma-system-ns build ## Run a controller from your host.
+run: manifests install create-kyma-system-ns ## Run a controller from your host.
 	go run ./main.go
 
 .PHONY: docker-build

config/ui-extensions/istios/general

@@ -11,5 +11,5 @@ features:
     disableCreate: true
     disableDelete: true
 description: >-
-  {{[Istio CR](https://github.com/kyma-project/istio/blob/main/config/samples/operator_v1alpha2_istio.yaml)}}
-  describes the Istio module
+  {{[Istio custom resource ](https://kyma-project.io/#/istio/user/04-00-istio-custom-resource)}}
+  configures the Istio module.

docs/release-notes/1.7.0.md

@@ -2,7 +2,7 @@
 
 - Allow for opting out of the **ENABLE_EXTERNAL_NAME_ALIAS** Istio pilot environment variable in the Istio custom resource. This allows for retaining behavior that was present in Istio prior to version 1.21. See issue [#787](https://github.com/kyma-project/istio/issues/787 ).
 - Update the Istio version to 1.21.2 [#802](https://github.com/kyma-project/istio/pull/802). Read [Istio 1.21.2 Release Announcement](https://istio.io/latest/news/releases/1.21.x/announcing-1.21.2/) and [Change Notes](https://istio.io/latest/news/releases/1.21.x/announcing-1.21/change-notes/) for more details.
+- Add Request Authentication UI for Kyma dashboard [#816](https://github.com/kyma-project/istio/pull/816)
+- Now, Istio Operator does not restart Pods with Istio Sidecar, which contain custom image annotations. See the issue [#698](https://github.com/kyma-project/istio/issues/698) and [Istio Resource Annotations](https://istio.io/latest/docs/reference/config/annotations/#SidecarProxyImage) for more details.
 - Change Istio Ingress Gateway's scaling to be based only on CPU utilization. This adjustment ensures that the scaling is more responsive to traffic changes, as the Istio Ingress Gateway memory utilization is not a good indicator of the traffic load.
 - Set the default number of Istio Ingress Gateway replicas in smaller clusters to `1`.
-- Add Request Authentication UI for Kyma dashboard [#816](https://github.com/kyma-project/istio/pull/816)
-

docs/user/00-10-overview-istio-controller.md

@@ -18,6 +18,7 @@ The `istios.operator.kyma-project.io` CustomResourceDefinition (CRD) describes t
 
 When the Istio version is updated or the configuration of the proxies is changed, the Pods that have Istio injection enabled are automatically restarted. This is possible for all resources that allow for a rolling restart. If Istio is uninstalled, the workloads are restarted again to remove the sidecars.
 However, if a resource is a job, a ReplicaSet that is not managed by any deployment, or a Pod that is not managed by any other resource, the restart cannot be performed automatically. In such cases, a warning is logged, and you must manually restart the resources.
+Istio Operator does not restart an Istio sidecar proxy, if it has a custom image set. See [Resource Annotations](https://istio.io/latest/docs/reference/config/annotations/#SidecarProxyImage).
 
 ## Status Codes
 

docs/user/00-30-overview-istio-sidecars.md

@@ -35,4 +35,4 @@ Application resiliency is an important topic within traffic management. Traditio
 ## Operation Guides and Troubleshooting
 
 [Check if you have automatic Istio sidecar proxy injection enabled](./operation-guides/02-10-check-if-sidecar-injection-is-enabled.md) and learn how to [enable automatic Istio sidecar proxy injection](./operation-guides/02-20-enable-sidecar-injection.md).
-Follow the troubleshooting guides if you experience [issues with Istio sidecar injection](./troubleshooting/03-30-istio-no-sidecar.md) or have [incompatible Istio sidecar version after Kyma Istio Operator's upgrade](./troubleshooting/03-40-incompatible-istio-sidecar-version.md).
+Follow the troubleshooting guides if you experience [issues with Istio sidecar injection](./troubleshooting/03-30-istio-no-sidecar.md) or have [incompatible Istio sidecar version after Kyma Istio Operator's upgrade](./troubleshooting/03-40-incompatible-istio-sidecar-version.md).

docs/user/troubleshooting/03-70-cannot-connect-to-hana-db.md

@@ -0,0 +1,60 @@
+# Issues with Connection to SAP HANA Database
+
+## Symptom
+
+You're unable to connect an application to a SAP HANA Database instance.
+
+## Troubleshooting
+
+The Istio module's default configuration does not restrict outbound traffic. This means that the application should have no issues connecting to the SAP HANA Database instance.
+To determine the cause of the connection issue, follow the troubleshooting steps.
+
+### Connect to the SAP HANA Database Instance from Outside of the Cluster
+1. Download SAP HANA Client for your operating system from the [SAP Development Tools](https://tools.hana.ondemand.com/#hanatools).
+2. Unpack the downloaded archive.
+3. Install SAP HANA Client.
+4. Connect to SAP HANA Database instance using the following command:
+    ```bash
+    hdbsql -n {HANA_DB_INSTANCE_ADDRESS} -u {HANA_DB_USER} -p {HANA_DB_PASSWORD}
+    ```
+    For example:
+    ```bash
+    hdbsql -n aaa.bbb.ccc.ddd:30015 -u my_user -p mypassword
+    ```
+5. If the connection is successful and you can execute queries, the issue is not related to the SAP HANA Database instance.
+### Connect to the SAP HANA Database Instance from Inside of the Cluster
+1. Build a Docker image with the SAP HANA Client installed. You can use the following Dockerfile:
+    ```Dockerfile
+    FROM eclipse-temurin:17
+    WORKDIR /build
+    COPY client.tar client.tar
+    RUN tar -xvf client.tar
+    RUN echo "/usr/local/bin" | ./client/hdbinst
+
+    ENTRYPOINT ["sleep", "8000"]
+    ```
+    Download the SAP HANA Client for Linux x86 64-bit from [SAP Development Tools](https://tools.hana.ondemand.com/#hanatools) and save it as `client.tar` in the same directory as the Dockerfile. Then, run the following command to build the image:
+    ```bash
+    docker buildx build --platform=linux/amd64 -t hdbsql .
+    ```
+2. To test your image, run the following command:
+    ```bash
+    docker run --entrypoint "hdbsql" hdbsql -v
+    ```
+    You get an output similar to this example:
+    ```
+    HDBSQL version 2.20.20.1712178305, the SAP HANA Database interactive terminal.
+    Copyright 2000-2024 by SAP SE.
+    ```
+3. Publish the image to a container registry.
+4. Run the image in the Kubernetes cluster:
+    ```bash
+    kubectl create deployment hdbsql --image={PUBLISHED_IMAGE_NAME}
+    ```
+5. Attach to the Pod and try to connect to the SAP HANA Database instance using the following command:
+    ```bash
+    hdbsql -n {HANA_DB_INSTANCE_ADDRESS} -u {HANA_DB_USER} -p {HANA_DB_PASSWORD}
+    ```
+6. If the connection is successful and you can execute queries, the issue is not related to the setup of the cluster.
+7. Check the connection from a Pod that has the Istio sidecar injected. In that case, create the Deployment in a namespace with Istio sidecar injection enabled. The connection should be successful.
+

pkg/lib/sidecars/pods/filter.go

@@ -7,7 +7,8 @@ import (
 )
 
 const (
-	istioSidecarName = "istio-proxy"
+	istioSidecarName                         = "istio-proxy"
+	istioSidecarCustomImageAnnotation string = "sidecar.istio.io/proxyImage"
 )
 
 type RestartProxyPredicate struct {
@@ -38,6 +39,7 @@ func (r RestartProxyPredicate) NewProxyRestartEvaluator(_ context.Context) (filt
 func needsRestart(pod v1.Pod, expectedImage SidecarImage, expectedResources v1.ResourceRequirements) bool {
 	return HasIstioSidecarStatusAnnotation(pod) &&
 		IsPodReady(pod) &&
+		!hasCustomImageAnnotation(pod) &&
 		(hasSidecarContainerWithWithDifferentImage(pod, expectedImage) || hasDifferentSidecarResources(pod, expectedResources))
 }
 
@@ -64,6 +66,11 @@ func isPodRunning(pod v1.Pod) bool {
 	return pod.Status.Phase == v1.PodRunning
 }
 
+func hasCustomImageAnnotation(pod v1.Pod) bool {
+	_, found := pod.Annotations[istioSidecarCustomImageAnnotation]
+	return found
+}
+
 func hasSidecarContainerWithWithDifferentImage(pod v1.Pod, expectedImage SidecarImage) bool {
 
 	for _, container := range pod.Spec.Containers {

pkg/lib/sidecars/pods/filter_test.go

@@ -0,0 +1,63 @@
+package pods_test
+
+import (
+	"context"
+	"github.com/kyma-project/istio/operator/pkg/lib/sidecars/pods"
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
+	v1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+var _ = Describe("Evaluate restart", func() {
+	It("should should return false when pod has custom image annotation", func() {
+		pod := createPodWithProxySidecar("test-pod", "test-namespace", "1.21.0", map[string]string{"sidecar.istio.io/proxyImage": "istio/proxyv2:1.21.0"})
+
+		predicate := pods.NewRestartProxyPredicate(pods.NewSidecarImage("istio", "1.22.0"), v1.ResourceRequirements{})
+		evaluator, err := predicate.NewProxyRestartEvaluator(context.Background())
+		Expect(err).ToNot(HaveOccurred())
+		Expect(evaluator.RequiresProxyRestart(pod)).To(BeFalse())
+
+	})
+
+	It("should should return true when pod does not have custom image annotation", func() {
+		pod := createPodWithProxySidecar("test-pod", "test-namespace", "1.21.0", map[string]string{})
+
+		predicate := pods.NewRestartProxyPredicate(pods.NewSidecarImage("istio", "1.22.0"), v1.ResourceRequirements{})
+		evaluator, err := predicate.NewProxyRestartEvaluator(context.Background())
+		Expect(err).ToNot(HaveOccurred())
+		Expect(evaluator.RequiresProxyRestart(pod)).To(BeTrue())
+
+	})
+})
+
+func createPodWithProxySidecar(name, namespace, proxyIstioVersion string, annotations map[string]string) v1.Pod {
+	if annotations == nil {
+		annotations = map[string]string{}
+	}
+	annotations["sidecar.istio.io/status"] = "true"
+	return v1.Pod{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:        name,
+			Namespace:   namespace,
+			Annotations: annotations,
+		},
+		Status: v1.PodStatus{
+			Phase: v1.PodRunning,
+			Conditions: []v1.PodCondition{
+				{
+					Type:   v1.PodReady,
+					Status: v1.ConditionTrue,
+				},
+			},
+		},
+		Spec: v1.PodSpec{
+			Containers: []v1.Container{
+				{
+					Name:  "istio-proxy",
+					Image: "istio/proxyv2:" + proxyIstioVersion,
+				},
+			},
+		},
+	}
+}

sec-scanners-config.yaml

@@ -1,6 +1,6 @@
 module-name: istio
 protecode:
-  - europe-docker.pkg.dev/kyma-project/prod/istio-manager:v20240508-60015489
+  - europe-docker.pkg.dev/kyma-project/prod/istio-manager:v20240515-c1567763
   - europe-docker.pkg.dev/kyma-project/prod/external/istio/install-cni:1.21.2-distroless
   - europe-docker.pkg.dev/kyma-project/prod/external/istio/proxyv2:1.21.2-distroless
   - europe-docker.pkg.dev/kyma-project/prod/external/istio/pilot:1.21.2-distroless