feat(helm): update istiod ( 1.21.2 → 1.22.0 )
This PR contains the following updates:
Package | Update | Change |
---|---|---|
istiod | minor | 1.21.2 -> 1.22.0 |
[!WARNING] Some dependencies could not be looked up. Check the Dependency Dashboard for more information.
Release Notes
Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
- [ ] If you want to rebase/retry this PR, check this box
This PR has been generated by Renovate Bot.
--- kubernetes/sol/apps/istio-system/istiod/app Kustomization: flux-system/istiod HelmRelease: istio-system/istiod
+++ kubernetes/sol/apps/istio-system/istiod/app Kustomization: flux-system/istiod HelmRelease: istio-system/istiod
@@ -13,13 +13,13 @@
spec:
chart: istiod
sourceRef:
kind: HelmRepository
name: istio
namespace: flux-system
- version: 1.21.2
+ version: 1.22.0
install:
remediation:
retries: 5
interval: 15m
upgrade:
remediation:
--- HelmRelease: istio-system/istiod ConfigMap: istio-system/istio
+++ HelmRelease: istio-system/istiod ConfigMap: istio-system/istio
@@ -17,15 +17,12 @@
discoveryAddress: istiod.istio-system.svc:15012
gatewayTopology:
forwardClientCertDetails: ALWAYS_FORWARD_ONLY
numTrustedProxies: 1
image:
imageType: distroless
- tracing:
- zipkin:
- address: zipkin.istio-system:9411
defaultProviders:
metrics:
- prometheus
enablePrometheusMerge: true
rootNamespace: istio-system
trustDomain: cluster.local
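Review bot: The removed `tracing.zipkin.address: zipkin.istio-system:9411` lines under the mesh default config, together with `"tracer": "none"` in the injector values further down, mean sidecars no longer get an implicit Zipkin target after this upgrade. If any workload or investigation workflow in this cluster relied on those spans, tracing now has to be declared explicitly in the HelmRelease values (an extension provider in meshConfig plus a Telemetry resource selecting it). If no collector was ever deployed at that address, this is a no-op, and a one-line comment in the HelmRelease such as `# tracing intentionally disabled; chart no longer defaults to zipkin` would record that.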
--- HelmRelease: istio-system/istiod ConfigMap: istio-system/istio-sidecar-injector
+++ HelmRelease: istio-system/istiod ConfigMap: istio-system/istio-sidecar-injector
@@ -15,12 +15,13 @@
"global": {
"autoscalingv2API": true,
"caAddress": "",
"caName": "",
"certSigners": [],
"configCluster": false,
+ "configValidation": true,
"defaultPodDisruptionBudget": {
"enabled": false
},
"defaultResources": {
"requests": {
"cpu": "10m"
@@ -31,13 +32,12 @@
"imagePullPolicy": "",
"imagePullSecrets": [],
"istioNamespace": "istio-system",
"istiod": {
"enableAnalysis": false
},
- "jwtPolicy": "third-party-jwt",
"logAsJson": false,
"logging": {
"level": "default:info"
},
"meshID": "",
"meshNetworks": {},
@@ -45,13 +45,12 @@
"multiCluster": {
"clusterName": "",
"enabled": false
},
"network": "",
"omitSidecarInjectorConfigMap": false,
- "oneNamespace": false,
"operatorManageWebhooks": false,
"pilotCertProvider": "istiod",
"priorityClassName": "",
"proxy": {
"autoInject": "enabled",
"clusterDomain": "cluster.local",
@@ -81,13 +80,13 @@
},
"startupProbe": {
"enabled": true,
"failureThreshold": 600
},
"statusPort": 15020,
- "tracer": "zipkin"
+ "tracer": "none"
},
"proxy_init": {
"image": "proxyv2",
"resources": {
"limits": {
"cpu": "200m",
@@ -105,18 +104,24 @@
"aud": "istio-ca"
}
},
"sts": {
"servicePort": 0
},
- "tag": "1.21.2",
+ "tag": "1.22.0",
"variant": "distroless"
},
"istio_cni": {
"chained": true,
- "enabled": false
+ "provider": "default"
+ },
+ "pilot": {
+ "cni": {
+ "enabled": false,
+ "provider": "default"
+ }
},
"revision": "",
"sidecarInjectorWebhook": {
"alwaysInjectSelector": [],
"defaultTemplates": [],
"enableNamespacesByDefault": false,
@@ -170,20 +175,21 @@
\ | quote }},\n {{- if ge (len $containers) 1 }}\n {{- if not (isset\
\ .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }}\n\
\ kubectl.kubernetes.io/default-logs-container: \"{{ index $containers\
\ 0 }}\",\n {{- end }}\n {{- if not (isset .ObjectMeta.Annotations\
\ `kubectl.kubernetes.io/default-container`) }}\n kubectl.kubernetes.io/default-container:\
\ \"{{ index $containers 0 }}\",\n {{- end }}\n {{- end }}\n \
- \ {{- if .Values.istio_cni.enabled }}\n {{- if not .Values.istio_cni.chained\
- \ }}\n k8s.v1.cni.cncf.io/networks: '{{ appendMultusNetwork (index .ObjectMeta.Annotations\
- \ `k8s.v1.cni.cncf.io/networks`) `default/istio-cni` }}',\n {{- end }}\n\
- \ sidecar.istio.io/interceptionMode: \"{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode`\
- \ .ProxyConfig.InterceptionMode }}\",\n {{ with annotation .ObjectMeta\
- \ `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges\
- \ }}traffic.sidecar.istio.io/includeOutboundIPRanges: \"{{.}}\",{{ end }}\n \
- \ {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges`\
+ \ {{- if or .Values.pilot.cni.enabled .Values.istio_cni.enabled }}\n {{-\
+ \ if or (eq .Values.pilot.cni.provider \"multus\") (eq .Values.istio_cni.provider\
+ \ \"multus\") (not .Values.istio_cni.chained)}}\n k8s.v1.cni.cncf.io/networks:\
+ \ '{{ appendMultusNetwork (index .ObjectMeta.Annotations `k8s.v1.cni.cncf.io/networks`)\
+ \ `default/istio-cni` }}',\n {{- end }}\n sidecar.istio.io/interceptionMode:\
+ \ \"{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode\
+ \ }}\",\n {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges`\
+ \ .Values.global.proxy.includeIPRanges }}traffic.sidecar.istio.io/includeOutboundIPRanges:\
+ \ \"{{.}}\",{{ end }}\n {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges`\
\ .Values.global.proxy.excludeIPRanges }}traffic.sidecar.istio.io/excludeOutboundIPRanges:\
\ \"{{.}}\",{{ end }}\n {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts`\
\ .Values.global.proxy.includeInboundPorts }}traffic.sidecar.istio.io/includeInboundPorts:\
\ \"{{.}}\",{{ end }}\n traffic.sidecar.istio.io/excludeInboundPorts: \"\
{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort)\
\ (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts)\
@@ -199,20 +205,21 @@
\ }}traffic.sidecar.istio.io/kubevirtInterfaces: \"{{.}}\",{{ end }}\n \
\ {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces`\
\ }}traffic.sidecar.istio.io/excludeInterfaces: \"{{.}}\",{{ end }}\n {{- end\
\ }}\n }\n spec:\n {{- $holdProxy := and\n (or .ProxyConfig.HoldApplicationUntilProxyStarts.GetValue\
\ .Values.global.proxy.holdApplicationUntilProxyStarts)\n (not $nativeSidecar)\
\ }}\n initContainers:\n {{ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode`\
- \ .ProxyConfig.InterceptionMode) `NONE` }}\n {{ if .Values.istio_cni.enabled\
- \ -}}\n - name: istio-validation\n {{ else -}}\n - name: istio-init\n\
- \ {{ end -}}\n {{- if contains \"/\" (annotation .ObjectMeta `sidecar.istio.io/proxyImage`\
- \ .Values.global.proxy_init.image) }}\n image: \"{{ annotation .ObjectMeta\
- \ `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}\"\n {{-\
- \ else }}\n image: \"{{ .ProxyImage }}\"\n {{- end }}\n args:\n\
- \ - istio-iptables\n - \"-p\"\n - {{ .MeshConfig.ProxyListenPort\
- \ | default \"15001\" | quote }}\n - \"-z\"\n - {{ .MeshConfig.ProxyInboundListenPort\
+ \ .ProxyConfig.InterceptionMode) `NONE` }}\n {{ if or .Values.pilot.cni.enabled\
+ \ .Values.istio_cni.enabled -}}\n - name: istio-validation\n {{ else\
+ \ -}}\n - name: istio-init\n {{ end -}}\n {{- if contains \"/\"\
+ \ (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image)\
+ \ }}\n image: \"{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage`\
+ \ .Values.global.proxy_init.image }}\"\n {{- else }}\n image: \"{{\
+ \ .ProxyImage }}\"\n {{- end }}\n args:\n - istio-iptables\n\
+ \ - \"-p\"\n - {{ .MeshConfig.ProxyListenPort | default \"15001\"\
+ \ | quote }}\n - \"-z\"\n - {{ .MeshConfig.ProxyInboundListenPort\
\ | default \"15006\" | quote }}\n - \"-u\"\n - {{ .ProxyUID | default\
\ \"1337\" | quote }}\n - \"-m\"\n - \"{{ annotation .ObjectMeta\
\ `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}\"\n \
\ - \"-i\"\n - \"{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges`\
\ .Values.global.proxy.includeIPRanges }}\"\n - \"-x\"\n - \"{{\
\ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges\
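Review bot: The `istio-validation` / `istio-init` switch in this hunk now tests `or .Values.pilot.cni.enabled .Values.istio_cni.enabled`, while the rendered values in this diff drop `istio_cni.enabled` and add `pilot.cni.enabled: false`. Injected pods therefore stay on the `istio-init` path. The removed lines of the following hunk show that this path carries the `NET_ADMIN`/`NET_RAW`, `runAsUser: 0` securityContext, but the new version of that block is cut off by `[Diff truncated by flux-local]`. The rewritten securityContext section should be checked in a full render of the chart before merging, because the truncated output does not show it. The template string this hunk belongs to starts and ends outside the hunk.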
@@ -235,28 +242,30 @@
\ -}}\n - \"-k\"\n - \"{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`\
\ }}\"\n {{ end -}}\n {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces`)\
\ -}}\n - \"-c\"\n - \"{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces`\
\ }}\"\n {{ end -}}\n - \"--log_output_level={{ annotation .ObjectMeta\
\ `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}\"\n \
\ {{ if .Values.global.logAsJson -}}\n - \"--log_as_json\"\n {{\
- \ end -}}\n {{ if .Values.istio_cni.enabled -}}\n - \"--run-validation\"\
- \n - \"--skip-rule-apply\"\n {{ end -}}\n {{with .Values.global.imagePullPolicy\
- \ }}imagePullPolicy: \"{{.}}\"{{end}}\n {{- if .ProxyConfig.ProxyMetadata\
- \ }}\n env:\n {{- range $key, $value := .ProxyConfig.ProxyMetadata\
- \ }}\n - name: {{ $key }}\n value: \"{{ $value }}\"\n {{-\
- \ end }}\n {{- end }}\n resources:\n {{ template \"resources\"\
- \ . }}\n securityContext:\n allowPrivilegeEscalation: {{ .Values.global.proxy.privileged\
- \ }}\n privileged: {{ .Values.global.proxy.privileged }}\n capabilities:\n\
- \ {{- if not .Values.istio_cni.enabled }}\n add:\n \
- \ - NET_ADMIN\n - NET_RAW\n {{- end }}\n drop:\n\
- \ - ALL\n {{- if not .Values.istio_cni.enabled }}\n \
- \ readOnlyRootFilesystem: false\n runAsGroup: 0\n runAsNonRoot:\
- \ false\n runAsUser: 0\n {{- else }}\n readOnlyRootFilesystem:\
- \ true\n runAsGroup: {{ .ProxyGID | default \"1337\" }}\n runAsUser:\
- \ {{ .ProxyUID | default \"1337\" }}\n runAsNonRoot: true\n {{-\
- \ end }}\n {{ end -}}\n {{- if eq (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump`\
+ \ end -}}\n {{ if or .Values.pilot.cni.enabled .Values.istio_cni.enabled\
[Diff truncated by flux-local]
--- HelmRelease: istio-system/istiod ClusterRole: istio-system/istio-reader-clusterrole-istio-system
+++ HelmRelease: istio-system/istiod ClusterRole: istio-system/istio-reader-clusterrole-istio-system
@@ -10,12 +10,14 @@
- apiGroups:
- config.istio.io
- security.istio.io
- networking.istio.io
- authentication.istio.io
- rbac.istio.io
+ - telemetry.istio.io
+ - extensions.istio.io
resources:
- '*'
verbs:
- get
- list
- watch
--- HelmRelease: istio-system/istiod Deployment: istio-system/istiod
+++ HelmRelease: istio-system/istiod Deployment: istio-system/istiod
@@ -25,22 +25,25 @@
app: istiod
istio.io/rev: default
install.operator.istio.io/owning-resource: unknown
sidecar.istio.io/inject: 'false'
operator.istio.io/component: Pilot
istio: pilot
+ istio.io/dataplane-mode: none
annotations:
prometheus.io/port: '15014'
prometheus.io/scrape: 'true'
- ambient.istio.io/redirection: disabled
sidecar.istio.io/inject: 'false'
spec:
+ tolerations:
+ - key: cni.istio.io/not-ready
+ operator: Exists
serviceAccountName: istiod
containers:
- name: discovery
- image: docker.io/istio/pilot:1.21.2-distroless
+ image: docker.io/istio/pilot:1.22.0-distroless
args:
- discovery
- --monitoringAddr=:15014
- --log_output_level=default:info
- --domain
- cluster.local
@@ -60,14 +63,12 @@
initialDelaySeconds: 1
periodSeconds: 3
timeoutSeconds: 5
env:
- name: REVISION
value: default
- - name: JWT_POLICY
- value: third-party-jwt
- name: PILOT_CERT_PROVIDER
value: istiod
- name: POD_NAME
valueFrom:
fieldRef:
apiVersion: v1
--- HelmRelease: istio-system/istiod ValidatingWebhookConfiguration: istio-system/istio-validator-istio-system
+++ HelmRelease: istio-system/istiod ValidatingWebhookConfiguration: istio-system/istio-validator-istio-system
@@ -0,0 +1,42 @@
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+ name: istio-validator-istio-system
+ labels:
+ app: istiod
+ release: istiod
+ istio: istiod
+ istio.io/rev: default
+webhooks:
+- name: rev.validation.istio.io
+ clientConfig:
+ service:
+ name: istiod
+ namespace: istio-system
+ path: /validate
+ rules:
+ - operations:
+ - CREATE
+ - UPDATE
+ apiGroups:
+ - security.istio.io
+ - networking.istio.io
+ - telemetry.istio.io
+ - extensions.istio.io
+ apiVersions:
+ - '*'
+ resources:
+ - '*'
+ failurePolicy: Ignore
+ sideEffects: None
+ admissionReviewVersions:
+ - v1beta1
+ - v1
+ objectSelector:
+ matchExpressions:
+ - key: istio.io/rev
+ operator: In
+ values:
+ - default
+
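Review bot: The new webhook is rendered with `failurePolicy: Ignore` and no `caBundle` under `clientConfig`, so as written it fails open for CREATE/UPDATE on `security.istio.io`, `networking.istio.io`, `telemetry.istio.io` and `extensions.istio.io` objects. Upstream appears to expect istiod to patch in the CA bundle and switch the policy to `Fail` once the endpoint is ready. If drift detection is enabled on this HelmRelease, Flux may revert that runtime patch on each reconcile and leave validation permanently fail-open. In that case, add ignore rules for `/webhooks/0/failurePolicy` and `/webhooks/0/clientConfig/caBundle` on this ValidatingWebhookConfiguration. After rollout, confirm on the live object that `failurePolicy` reads `Fail`. Note also that `admissionReviewVersions` lists `v1beta1` ahead of `v1`.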