Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package istioctl for openSUSE:Factory 
checked in at 2025-04-17 16:09:20
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/istioctl (Old)
 and      /work/SRC/openSUSE:Factory/.istioctl.new.30101 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "istioctl"

Thu Apr 17 16:09:20 2025 rev:33 rq:1270127 version:1.25.2

Changes:
--------
--- /work/SRC/openSUSE:Factory/istioctl/istioctl.changes        2025-03-27 
22:32:08.628215048 +0100
+++ /work/SRC/openSUSE:Factory/.istioctl.new.30101/istioctl.changes     
2025-04-20 19:56:36.724508612 +0200
@@ -1,0 +2,8 @@
+Wed Apr 16 19:20:25 UTC 2025 - Johannes Kastl 
<opensuse_buildserv...@ojkastl.de>
+
+- update to 1.25.2:
+  https://istio.io/latest/news/releases/1.25.x/announcing-1.25.2/
+  * Changes
+    - no apparent CLI-related changes
+
+-------------------------------------------------------------------

Old:
----
  istioctl-1.25.1.obscpio

New:
----
  istioctl-1.25.2.obscpio

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ istioctl.spec ++++++
--- /var/tmp/diff_new_pack.qmb8JN/_old  2025-04-20 19:56:37.704549641 +0200
+++ /var/tmp/diff_new_pack.qmb8JN/_new  2025-04-20 19:56:37.708549808 +0200
@@ -17,7 +17,7 @@
 
 
 Name:           istioctl
-Version:        1.25.1
+Version:        1.25.2
 Release:        0
 Summary:        CLI for the istio servic mesh in Kubernetes
 License:        Apache-2.0

++++++ _service ++++++
--- /var/tmp/diff_new_pack.qmb8JN/_old  2025-04-20 19:56:37.744551315 +0200
+++ /var/tmp/diff_new_pack.qmb8JN/_new  2025-04-20 19:56:37.748551483 +0200
@@ -3,7 +3,7 @@
     <param name="url">https://github.com/istio/istio</param>
     <param name="scm">git</param>
     <param name="exclude">.git</param>
-    <param name="revision">1.25.1</param>
+    <param name="revision">1.25.2</param>
     <param name="versionformat">@PARENT_TAG@</param>
     <param name="changesgenerate">disable</param>
     <param name="filename">istioctl</param>

++++++ istioctl-1.25.1.obscpio -> istioctl-1.25.2.obscpio ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/istioctl-1.25.1/.devcontainer/devcontainer.json 
new/istioctl-1.25.2/.devcontainer/devcontainer.json
--- old/istioctl-1.25.1/.devcontainer/devcontainer.json 2025-03-22 
06:37:44.000000000 +0100
+++ new/istioctl-1.25.2/.devcontainer/devcontainer.json 2025-04-11 
16:24:19.000000000 +0200
@@ -1,6 +1,6 @@
 {
   "name": "istio build-tools",
-  "image": 
"gcr.io/istio-testing/build-tools:master-6bfe0028e941afdae35a3c5d4374bc08e3c04153",
+  "image": 
"gcr.io/istio-testing/build-tools:release-1.25-3860042a009e8b9d8a63eca8756803d0e7aad5bb",
   "privileged": true,
   "remoteEnv": {
     "USE_GKE_GCLOUD_AUTH_PLUGIN": "True",
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/istioctl-1.25.1/.gitattributes 
new/istioctl-1.25.2/.gitattributes
--- old/istioctl-1.25.1/.gitattributes  2025-03-22 06:37:44.000000000 +0100
+++ new/istioctl-1.25.2/.gitattributes  1970-01-01 01:00:00.000000000 +0100
@@ -1,16 +0,0 @@
-*.descriptor      linguist-generated=true
-*.descriptor      -diff -merge
-*.descriptor_set  linguist-generated=true
-*.descriptor_set  -diff -merge
-*.pb.html linguist-generated=true
-*.pb.go linguist-generated=true
-*.gen.go linguist-generated=true
-*.gen.yaml linguist-generated=true
-*.gen.json linguist-generated=true
-*_pb2.py linguist-generated=true
-manifests/charts/**/profile*.yaml linguist-generated=true
-go.sum merge=union
-vendor/**  linguist-vendored
-common/**  linguist-vendored
-archive/**  linquist-vendored
-**/vmlinux.h  linquist-vendored
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/istioctl-1.25.1/.github/ISSUE_TEMPLATE/bug_report.yml 
new/istioctl-1.25.2/.github/ISSUE_TEMPLATE/bug_report.yml
--- old/istioctl-1.25.1/.github/ISSUE_TEMPLATE/bug_report.yml   2025-03-22 
06:37:44.000000000 +0100
+++ new/istioctl-1.25.2/.github/ISSUE_TEMPLATE/bug_report.yml   1970-01-01 
01:00:00.000000000 +0100
@@ -1,74 +0,0 @@
-name: Bug report
-description: Report a bug to help us improve Istio
-body:
-  - type: markdown
-    attributes:
-      value: |
-        Thanks for taking the time to fill out this bug report!
-  - type: checkboxes
-    id: security-check
-    attributes:
-      label: Is this the right place to submit this?
-      description: |-
-        This is used to report product bugs:
-        To report a security vulnerability, please visit 
<https://istio.io/about/security-vulnerabilities>.
-        Any crashes are potentially security vulnerabilities and should be 
treated as such.
-        To ask questions about how to use Istio, please visit 
<https://github.com/istio/istio/discussions>.
-      options:
-        - label: "This is not a security vulnerability or a crashing bug"
-          required: true
-        - label: "This is not a question about how to use Istio"
-          required: true
-  - type: textarea
-    id: bug-description
-    attributes:
-      label: Bug Description
-      description: Tell us what issues you ran into.
-      placeholder: Include information about what you tried, what you expected 
to happen, and what actually happened. The more details, the better!
-    validations:
-      required: true
-  - type: textarea
-    id: version
-    attributes:
-      label: Version
-      description: Include the output of `istioctl version`, `kubectl version 
--short`, and `helm version --short` (if you used Helm)
-      placeholder: |
-        $ istioctl version
-        client version: 1.0.0
-        control plane version: 1.0.0
-        data plane version: 1.0.0 (100 proxies)
-        $ kubectl version
-        Client Version: v1.0.0
-        Kustomize Version: v1.0.0
-        Server Version: v1.0.0
-      render: Text
-    validations:
-      required: true
-  - type: textarea
-    id: additional-info
-    attributes:
-      label: Additional Information
-      description: |
-        Please include the output of [`istioctl 
bug-report`](https://istio.io/help/bugs/#generating-a-cluster-state-archive).
-        If you are unable to do so, please ensure you have collected the 
relevant debugging information manually and attached below;
-        issue without enough information will not be resolvable.
-  - type: checkboxes
-    id: area
-    attributes:
-      label: Affected product area
-      options:
-      - label: "Ambient"
-      - label: "Docs"
-      - label: "Dual Stack"
-      - label: "Installation"
-      - label: "Networking"
-      - label: "Performance and Scalability"
-      - label: "Extensions and Telemetry"
-      - label: "Security"
-      - label: "Test and Release"
-      - label: "User Experience"
-      - label: "Developer Infrastructure"
-      - label: "Upgrade"
-      - label: "Multi Cluster"
-      - label: "Virtual Machine"
-      - label: "Control Plane Revisions"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/istioctl-1.25.1/.github/ISSUE_TEMPLATE/config.yml 
new/istioctl-1.25.2/.github/ISSUE_TEMPLATE/config.yml
--- old/istioctl-1.25.1/.github/ISSUE_TEMPLATE/config.yml       2025-03-22 
06:37:44.000000000 +0100
+++ new/istioctl-1.25.2/.github/ISSUE_TEMPLATE/config.yml       1970-01-01 
01:00:00.000000000 +0100
@@ -1,4 +0,0 @@
-contact_links:
-- name: "Crash bug"
-  url: https://istio.io/about/security-vulnerabilities/
-  about: "Please file any bug causing a crash to 
istio-security-vulnerability-repo...@googlegroups.com."
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/istioctl-1.25.1/.github/ISSUE_TEMPLATE/feature_request.md 
new/istioctl-1.25.2/.github/ISSUE_TEMPLATE/feature_request.md
--- old/istioctl-1.25.1/.github/ISSUE_TEMPLATE/feature_request.md       
2025-03-22 06:37:44.000000000 +0100
+++ new/istioctl-1.25.2/.github/ISSUE_TEMPLATE/feature_request.md       
1970-01-01 01:00:00.000000000 +0100
@@ -1,32 +0,0 @@
----
-name: Feature request
-about: Suggest an idea to improve Istio
-
----
-(This is used to request new product features, please visit 
<https://github.com/istio/istio/discussions> for questions on using Istio)
-
-**Describe the feature request**
-
-**Describe alternatives you've considered**
-
-**Affected product area (please put an X in all that apply)**
-
-[ ] Ambient
-[ ] Docs
-[ ] Dual Stack
-[ ] Installation
-[ ] Networking
-[ ] Performance and Scalability
-[ ] Extensions and Telemetry
-[ ] Security
-[ ] Test and Release
-[ ] User Experience
-[ ] Developer Infrastructure
-
-**Affected features (please put an X in all that apply)**
-
-[ ] Multi Cluster
-[ ] Virtual Machine
-[ ] Multi Control Plane
-
-**Additional context**
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/istioctl-1.25.1/.github/SECURITY.md 
new/istioctl-1.25.2/.github/SECURITY.md
--- old/istioctl-1.25.1/.github/SECURITY.md     2025-03-22 06:37:44.000000000 
+0100
+++ new/istioctl-1.25.2/.github/SECURITY.md     1970-01-01 01:00:00.000000000 
+0100
@@ -1,23 +0,0 @@
-# Security Policy
-
-## Supported Versions
-
-Information about supported Istio versions can be found on the
-[Support Announcements] page on Istio's website.
-
-## Reporting a Vulnerability
-
-Instructions for reporting a vulnerability can be found on the
-[Istio Security Vulnerabilities] page. The Istio Product Security Working 
Group receives
-vulnerability and security issue reports, and the company affiliation of the 
members of
-the group can be found at [Early Disclosure Membership].
-
-## Security Bulletins
-
-Information about previous Istio vulnerabilities can be found on the
-[Security Bulletins] page.
-
-[Support Announcements]: https://istio.io/news/support/
-[Istio Security Vulnerabilities]: 
https://istio.io/about/security-vulnerabilities/
-[Security Bulletins]: https://istio.io/news/security/
-[Early Disclosure Membership]: 
https://github.com/istio/community/blob/master/EARLY-DISCLOSURE.md#membership
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/istioctl-1.25.1/.github/dependabot.yml 
new/istioctl-1.25.2/.github/dependabot.yml
--- old/istioctl-1.25.1/.github/dependabot.yml  2025-03-22 06:37:44.000000000 
+0100
+++ new/istioctl-1.25.2/.github/dependabot.yml  1970-01-01 01:00:00.000000000 
+0100
@@ -1,14 +0,0 @@
-# Configures Depdendabot to PR go security updates only
-
-version: 2
-updates:
-  # Go configuration for master branch
-  - package-ecosystem: "gomod"
-    directory: "/"
-    schedule:
-      interval: "daily"
-    # Limit number of open PRs to 0 so that we only get security updates
-    # See 
https://docs.github.com/en/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates
-    open-pull-requests-limit: 0
-    labels:
-      - "release-notes-none"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/istioctl-1.25.1/.github/pull_request_template.md 
new/istioctl-1.25.2/.github/pull_request_template.md
--- old/istioctl-1.25.1/.github/pull_request_template.md        2025-03-22 
06:37:44.000000000 +0100
+++ new/istioctl-1.25.2/.github/pull_request_template.md        1970-01-01 
01:00:00.000000000 +0100
@@ -1,26 +0,0 @@
-**Please provide a description of this PR:**
-
-
-
-**To help us figure out who should review this PR, please put an X in all the 
areas that this PR affects.**
-
-- [ ] Ambient
-- [ ] Configuration Infrastructure
-- [ ] Docs
-- [ ] Dual Stack
-- [ ] Installation
-- [ ] Networking
-- [ ] Performance and Scalability
-- [ ] Extensions and Telemetry
-- [ ] Security
-- [ ] Test and Release
-- [ ] User Experience
-- [ ] Developer Infrastructure
-- [ ] Upgrade
-- [ ] Multi Cluster
-- [ ] Virtual Machine
-- [ ] Control Plane Revisions
-
-**Please check any characteristics that apply to this pull request.**
-
-- [ ] Does not have any 
[user-facing](https://github.com/istio/istio/tree/master/releasenotes#when-to-add-release-notes)
 changes. This may include CLI changes, API changes, behavior changes, 
performance improvements, etc.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/istioctl-1.25.1/.gitignore 
new/istioctl-1.25.2/.gitignore
--- old/istioctl-1.25.1/.gitignore      2025-03-22 06:37:44.000000000 +0100
+++ new/istioctl-1.25.2/.gitignore      1970-01-01 01:00:00.000000000 +0100
@@ -1,65 +0,0 @@
-# git history files
-.history_rewritten_*
-# Eclipse artifacts
-.project
-.pydevproject
-#Vagrant
-tools/vagrant/.vagrant/
-# Intellij
-*.iml
-.idea/
-.run/
-# Visual Studio Code
-.vscode/
-# Bazel
-/bazel-*
-# vi swap files
-.*.swp
-# vi backups
-*.bak
-# common backups
-*~
-# python artifacts
-*.pyc
-# pilot
-pilot/pkg/kube/config
-pilot/pkg/proxy/envoy/envoy
-# lint
-lintconfig.gen.json
-.istiorc
-.istiorc.mk
-# codegen stuff
-bin/adapterlinter
-bin/protoc-gen-gogoslick*
-bin/protoc-min-version*
-bin/protoc-gen-docs*
-bin/testlinter
-bin/envvarlinter
-bin/istioctl
-*.orig
-# Avoid accidental istio.VERSION changes
-istio.VERSION
-LICENSES.txt
-# Proxy generated proxy config in integration test
-tests/integration/component/proxy/envoy.conf
-**/var/run/secrets/
-# Certs generated by testing
-security/cmd/node_agent/na/cert_file
-security/cmd/node_agent/na/pkey
-# istioctl bash completion file
-tools/istioctl.bash
-vendor
-# Contains the built artifacts
-out/
-etc/
-var/
-# Go compiled tests
-*.test
-# Profiles
-*.prof
-# MacOS extended attributes
-._*
-# MacOS Desktop Services Store
-.DS_Store
-/manifests/charts/**/charts/
-/manifests/charts/**/Chart.lock
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/istioctl-1.25.1/Makefile.core.mk 
new/istioctl-1.25.2/Makefile.core.mk
--- old/istioctl-1.25.1/Makefile.core.mk        2025-03-22 06:37:44.000000000 
+0100
+++ new/istioctl-1.25.2/Makefile.core.mk        2025-04-11 16:24:19.000000000 
+0200
@@ -49,7 +49,7 @@
 export VERSION
 
 # Base version of Istio image to use
-BASE_VERSION ?= 1.25-2025-03-04T19-01-37
+BASE_VERSION ?= 1.25-2025-04-04T19-01-15
 ISTIO_BASE_REGISTRY ?= gcr.io/istio-release
 
 export GO111MODULE ?= on
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/istioctl-1.25.1/cni/pkg/cmd/root.go 
new/istioctl-1.25.2/cni/pkg/cmd/root.go
--- old/istioctl-1.25.1/cni/pkg/cmd/root.go     2025-03-22 06:37:44.000000000 
+0100
+++ new/istioctl-1.25.2/cni/pkg/cmd/root.go     2025-04-11 16:24:19.000000000 
+0200
@@ -293,6 +293,7 @@
                MonitoringPort:   viper.GetInt(constants.MonitoringPort),
 
                ExcludeNamespaces: viper.GetString(constants.ExcludeNamespaces),
+               PodNamespace:      viper.GetString(constants.PodNamespace),
                ZtunnelUDSAddress: viper.GetString(constants.ZtunnelUDSAddress),
 
                AmbientEnabled:                    
viper.GetBool(constants.AmbientEnabled),
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/istioctl-1.25.1/cni/pkg/config/config.go 
new/istioctl-1.25.2/cni/pkg/config/config.go
--- old/istioctl-1.25.1/cni/pkg/config/config.go        2025-03-22 
06:37:44.000000000 +0100
+++ new/istioctl-1.25.2/cni/pkg/config/config.go        2025-04-11 
16:24:19.000000000 +0200
@@ -48,6 +48,9 @@
        // Comma-separated list of K8S namespaces that CNI should ignore
        ExcludeNamespaces string
 
+       // Singular namespace that the istio CNI node agent resides in
+       PodNamespace string
+
        // KUBERNETES_SERVICE_PROTOCOL
        K8sServiceProtocol string
        // KUBERNETES_SERVICE_HOST
@@ -133,6 +136,7 @@
        b.WriteString("SkipTLSVerify: " + fmt.Sprint(c.SkipTLSVerify) + "\n")
 
        b.WriteString("ExcludeNamespaces: " + fmt.Sprint(c.ExcludeNamespaces) + 
"\n")
+       b.WriteString("PodNamespace: " + fmt.Sprint(c.PodNamespace) + "\n")
        b.WriteString("K8sServiceProtocol: " + c.K8sServiceProtocol + "\n")
        b.WriteString("K8sServiceHost: " + c.K8sServiceHost + "\n")
        b.WriteString("K8sServicePort: " + fmt.Sprint(c.K8sServicePort) + "\n")
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/istioctl-1.25.1/cni/pkg/constants/constants.go 
new/istioctl-1.25.2/cni/pkg/constants/constants.go
--- old/istioctl-1.25.1/cni/pkg/constants/constants.go  2025-03-22 
06:37:44.000000000 +0100
+++ new/istioctl-1.25.2/cni/pkg/constants/constants.go  2025-04-11 
16:24:19.000000000 +0200
@@ -32,6 +32,7 @@
        CNIEventSocket                    = "cni-event-address"
        CNIAgentRunDir                    = "cni-agent-run-dir"
        ExcludeNamespaces                 = "exclude-namespaces"
+       PodNamespace                      = "pod-namespace"
        AmbientEnabled                    = "ambient-enabled"
        AmbientDNSCapture                 = "ambient-dns-capture"
        AmbientIPv6                       = "ambient-ipv6"
@@ -63,6 +64,8 @@
        UDSLogPath            = "/log"
        CNIEventSocketName    = "pluginevent.sock"
        LogUDSSocketName      = "log.sock"
+       LocalRollingLogName   = "istio-cni.log"
+       RollingLogMaxSizeMB   = 10
        CNIPluginKubeconfName = "istio-cni-kubeconfig"
        // K8s liveness and readiness endpoints
        LivenessEndpoint   = "/healthz"
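Review bot: `LocalRollingLogName` and `RollingLogMaxSizeMB` are added without a doc comment, while the neighbouring block explains its entries (`// K8s liveness and readiness endpoints`); suggest a line above the pair such as `// Local rolling log the CNI plugin writes under CNIAgentRunDir so plugin output survives when the node agent's UDS sink is unavailable; size is in MiB.` Only a size cap is introduced here, so whether rotated files are also bounded in count or age depends on the rolling-log helper's defaults, which this diff does not show.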
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/istioctl-1.25.1/cni/pkg/install/cniconfig.go 
new/istioctl-1.25.2/cni/pkg/install/cniconfig.go
--- old/istioctl-1.25.1/cni/pkg/install/cniconfig.go    2025-03-22 
06:37:44.000000000 +0100
+++ new/istioctl-1.25.2/cni/pkg/install/cniconfig.go    2025-04-11 
16:24:19.000000000 +0200
@@ -37,6 +37,7 @@
                CNIAgentRunDir:    cfg.CNIAgentRunDir,
                AmbientEnabled:    cfg.AmbientEnabled,
                ExcludeNamespaces: strings.Split(cfg.ExcludeNamespaces, ","),
+               PodNamespace:      cfg.PodNamespace,
        }
 
        pluginConfig.Name = "istio-cni"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/istioctl-1.25.1/cni/pkg/install/cniconfig_test.go 
new/istioctl-1.25.2/cni/pkg/install/cniconfig_test.go
--- old/istioctl-1.25.1/cni/pkg/install/cniconfig_test.go       2025-03-22 
06:37:44.000000000 +0100
+++ new/istioctl-1.25.2/cni/pkg/install/cniconfig_test.go       2025-04-11 
16:24:19.000000000 +0200
@@ -366,6 +366,7 @@
   "name": "istio-cni",
   "type": "istio-cni",
   "plugin_log_level": "__LOG_LEVEL__",
+  "pod_namespace": "__POD_NAMESPACE__",
   "kubernetes": {
       "kubeconfig": "__KUBECONFIG_FILENAME__",
       "cni_bin_dir": "/path/cni/bin"
@@ -451,6 +452,7 @@
                        ChainedCNIPlugin: c.chainedCNIPlugin,
                        PluginLogLevel:   "debug",
                        CNIAgentRunDir:   kubeconfigFilename,
+                       PodNamespace:     "my-namespace",
                }
 
                cfg := config.InstallConfig{
@@ -458,6 +460,7 @@
                        ChainedCNIPlugin: c.chainedCNIPlugin,
                        PluginLogLevel:   "debug",
                        CNIAgentRunDir:   kubeconfigFilename,
+                       PodNamespace:     "my-namespace",
                }
                test := func(cfg config.InstallConfig) func(t *testing.T) {
                        return func(t *testing.T) {
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/istioctl-1.25.1/cni/pkg/install/testdata/bridge.conf.golden 
new/istioctl-1.25.2/cni/pkg/install/testdata/bridge.conf.golden
--- old/istioctl-1.25.1/cni/pkg/install/testdata/bridge.conf.golden     
2025-03-22 06:37:44.000000000 +0100
+++ new/istioctl-1.25.2/cni/pkg/install/testdata/bridge.conf.golden     
2025-04-11 16:24:19.000000000 +0200
@@ -27,6 +27,7 @@
       "ipam": {},
       "name": "istio-cni",
       "plugin_log_level": "debug",
+      "pod_namespace": "my-namespace",
       "type": "istio-cni"
     }
   ]
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/istioctl-1.25.1/cni/pkg/install/testdata/istio-cni.conf 
new/istioctl-1.25.2/cni/pkg/install/testdata/istio-cni.conf
--- old/istioctl-1.25.1/cni/pkg/install/testdata/istio-cni.conf 2025-03-22 
06:37:44.000000000 +0100
+++ new/istioctl-1.25.2/cni/pkg/install/testdata/istio-cni.conf 2025-04-11 
16:24:19.000000000 +0200
@@ -9,5 +9,6 @@
   "ambient_enabled": false,
   "exclude_namespaces": [
     ""
-  ]
+  ],
+  "pod_namespace": "my-namespace"
 }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/istioctl-1.25.1/cni/pkg/install/testdata/list-with-istio.conflist.golden 
new/istioctl-1.25.2/cni/pkg/install/testdata/list-with-istio.conflist.golden
--- 
old/istioctl-1.25.1/cni/pkg/install/testdata/list-with-istio.conflist.golden    
    2025-03-22 06:37:44.000000000 +0100
+++ 
new/istioctl-1.25.2/cni/pkg/install/testdata/list-with-istio.conflist.golden    
    2025-04-11 16:24:19.000000000 +0200
@@ -37,6 +37,7 @@
       "ipam": {},
       "name": "istio-cni",
       "plugin_log_level": "debug",
+      "pod_namespace": "my-namespace",
       "type": "istio-cni"
     }
   ]
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/istioctl-1.25.1/cni/pkg/install/testdata/list.conflist.golden 
new/istioctl-1.25.2/cni/pkg/install/testdata/list.conflist.golden
--- old/istioctl-1.25.1/cni/pkg/install/testdata/list.conflist.golden   
2025-03-22 06:37:44.000000000 +0100
+++ new/istioctl-1.25.2/cni/pkg/install/testdata/list.conflist.golden   
2025-04-11 16:24:19.000000000 +0200
@@ -37,6 +37,7 @@
       "ipam": {},
       "name": "istio-cni",
       "plugin_log_level": "debug",
+      "pod_namespace": "my-namespace",
       "type": "istio-cni"
     }
   ]
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/istioctl-1.25.1/cni/pkg/plugin/plugin.go 
new/istioctl-1.25.2/cni/pkg/plugin/plugin.go
--- old/istioctl-1.25.1/cni/pkg/plugin/plugin.go        2025-03-22 
06:37:44.000000000 +0100
+++ new/istioctl-1.25.2/cni/pkg/plugin/plugin.go        2025-04-11 
16:24:19.000000000 +0200
@@ -24,6 +24,7 @@
        "path/filepath"
        "runtime/debug"
        "strconv"
+       "strings"
        "time"
 
        "github.com/containernetworking/cni/pkg/skel"
@@ -66,6 +67,7 @@
        CNIAgentRunDir    string   `json:"cni_agent_run_dir"`
        AmbientEnabled    bool     `json:"ambient_enabled"`
        ExcludeNamespaces []string `json:"exclude_namespaces"`
+       PodNamespace      string   `json:"pod_namespace"`
 }
 
 // K8sArgs is the valid CNI_ARGS used for Kubernetes
@@ -109,6 +111,8 @@
        return &conf, nil
 }
 
+// Logging with CNI plugins is special - we *cannot* log to stdout, as the CNI 
spec uses stdin/stdout to pass context between invoked plugins.
+// So, we log to a rolling logfile, and also forward logs via UDS to the node 
agent (if available)
 func GetLoggingOptions(cfg *Config) *log.Options {
        loggingOptions := log.DefaultOptions()
        loggingOptions.OutputPaths = []string{"stderr"}
@@ -120,6 +124,10 @@
                if file.Exists(udsAddr) {
                        loggingOptions.WithTeeToUDS(udsAddr, 
constants.UDSLogPath)
                }
+
+               // Also tee to a rolling log on the node's local filesystem, in 
case the UDS server is down.
+               
loggingOptions.WithTeeToRollingLocal(filepath.Join(cfg.CNIAgentRunDir, 
constants.LocalRollingLogName), constants.RollingLogMaxSizeMB)
+
                // Override plugin log level based on their config. Not we use 
"all" (OverrideScopeName) since there is no scoping in the plugin.
                if cfg.PluginLogLevel != "" {
                        
loggingOptions.SetDefaultOutputLevel(log.OverrideScopeName, 
log.StringToLevel(cfg.PluginLogLevel))
@@ -222,8 +230,9 @@
                        cniEventAddr := filepath.Join(conf.CNIAgentRunDir, 
constants.CNIEventSocketName)
                        cniClient := newCNIClient(cniEventAddr, 
constants.CNIAddEventPath)
                        if err = PushCNIEvent(cniClient, args, prevResIps, 
podName, podNamespace); err != nil {
-                               log.Errorf("istio-cni cmdAdd failed to signal 
node Istio CNI agent: %s", err)
-                               return err
+                               // return a more informative error in the pod 
event log if CNI plugin fails
+                               wrapErr := fmt.Errorf("istio-cni cmdAdd failed 
to contact node Istio CNI agent: %s", err)
+                               return wrapErr
                        }
                        return nil
                }
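Review bot: The new `wrapErr` formats the underlying error with `%s`, so callers lose the ability to inspect it with errors.Is/errors.As; use `wrapErr := fmt.Errorf("istio-cni cmdAdd failed to contact node Istio CNI agent: %w", err)`. Removing the previous `log.Errorf` also means this failure now reaches only the returned error (the pod event), not the plugin's own log sinks, so if the rolling local log added elsewhere in this file is meant to be the on-node record of plugin failures, keep a log line here as well. The enclosing function starts and ends outside the hunk.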
@@ -231,6 +240,8 @@
        }
        // End ambient plugin logic
 
+       maybeCNIPod := string(k8sArgs.K8S_POD_NAME)
+       maybeCNINS := string(k8sArgs.K8S_POD_NAMESPACE)
        pi := &PodInfo{}
        var k8sErr error
        for attempt := 1; attempt <= podRetrievalMaxRetries; attempt++ {
@@ -239,8 +250,35 @@
                        break
                }
                log.Debugf("Failed to get %s/%s pod info: %v", podNamespace, 
podName, k8sErr)
+
+               // Failsafe - if we get here, we could be in a state where
+               // 1. We are being upgraded - `istio-cni` node agent pod is gone
+               // 2. This plugin was left in place to stall pod spawns until 
the
+               // replacement arrives.
+               // 3. This plugin can't contact the K8S API server (creds 
expired/invalid)
+               // 4. The pod this plugin would be blocking by returning this 
error
+               // *is* our replacement `istio-cni` pod (which would refresh 
our creds)
+               //
+               // So, if we can't contact the K8S API server at all, fall back 
to checking the
+               // K8S_POD/K8S_NAMESPACE values from the CNI layer, and let 
this pod through
+               // if it looks like it might be our `istio-cni` node agent.
+               //
+               // We could do this check unconditionally above, but it seems 
smarter to only
+               // fall back to this (lightly) relaxed check when we know we 
are in a degraded state.
+               //
+               // Is this fail open? Not really, the K8S args come from the 
cluster's CNI and are as-authoritative
+               // as the hard query we would otherwise make against the API.
+               //
+               // TODO NRI could probably give us more identifying information 
here OOB from k8s.
+               if strings.HasPrefix(maybeCNIPod, "istio-cni-node-") &&
+                       maybeCNINS == conf.PodNamespace {
+                       log.Infof("in a degraded state and %v looks like our 
own agent pod, skipping", maybeCNIPod)
+                       return nil
+               }
+
                time.Sleep(podRetrievalInterval)
        }
+
        if k8sErr != nil {
                log.Errorf("Failed to get %s/%s pod info: %v", podNamespace, 
podName, k8sErr)
                return k8sErr
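Review bot: The fallback that lets a pod through on name prefix runs inside the retry loop after every failed attempt, including the first, so a single transient API error admits a matching pod without any retry, which is stronger than the "can't contact the K8S API server at all" case the comment describes; guarding it with `if attempt == podRetrievalMaxRetries && strings.HasPrefix(maybeCNIPod, "istio-cni-node-") && maybeCNINS == conf.PodNamespace {` (or moving the check after the loop) keeps it to the degraded case. `k8sErr` is also not inspected, so any error from the lookup, not only connectivity failures, enables the relaxed path. Since the shipped expected-config fixtures in this diff carry `"pod_namespace": ""`, an explicit `conf.PodNamespace != ""` condition would make it clear that an unset namespace disables the fallback rather than relying on the CNI-supplied namespace never being empty. Because this branch deliberately skips the pod-info lookup, logging it at `log.Warnf` rather than `log.Infof` makes the bypass easier for operators to spot in the rolling log. The enclosing function starts and ends outside the hunk.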
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/istioctl-1.25.1/cni/test/testdata/expected/10-calico.conflist-istioconfig 
new/istioctl-1.25.2/cni/test/testdata/expected/10-calico.conflist-istioconfig
--- 
old/istioctl-1.25.1/cni/test/testdata/expected/10-calico.conflist-istioconfig   
    2025-03-22 06:37:44.000000000 +0100
+++ 
new/istioctl-1.25.2/cni/test/testdata/expected/10-calico.conflist-istioconfig   
    2025-04-11 16:24:19.000000000 +0200
@@ -34,6 +34,7 @@
       "ipam": {},
       "name": "istio-cni",
       "plugin_log_level": "debug",
+      "pod_namespace": "",
       "type": "istio-cni"
     }
   ]
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/istioctl-1.25.1/cni/test/testdata/expected/YYY-istio-cni.conf 
new/istioctl-1.25.2/cni/test/testdata/expected/YYY-istio-cni.conf
--- old/istioctl-1.25.1/cni/test/testdata/expected/YYY-istio-cni.conf   
2025-03-22 06:37:44.000000000 +0100
+++ new/istioctl-1.25.2/cni/test/testdata/expected/YYY-istio-cni.conf   
2025-04-11 16:24:19.000000000 +0200
@@ -9,5 +9,6 @@
   "ambient_enabled": false,
   "exclude_namespaces": [
     "istio-system"
-  ]
+  ],
+  "pod_namespace": ""
 }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/istioctl-1.25.1/cni/test/testdata/expected/minikube_cni.conflist.expected 
new/istioctl-1.25.2/cni/test/testdata/expected/minikube_cni.conflist.expected
--- 
old/istioctl-1.25.1/cni/test/testdata/expected/minikube_cni.conflist.expected   
    2025-03-22 06:37:44.000000000 +0100
+++ 
new/istioctl-1.25.2/cni/test/testdata/expected/minikube_cni.conflist.expected   
    2025-04-11 16:24:19.000000000 +0200
@@ -31,6 +31,7 @@
       "ipam": {},
       "name": "istio-cni",
       "plugin_log_level": "debug",
+      "pod_namespace": "",
       "type": "istio-cni"
     }
   ]
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/istioctl-1.25.1/common/.commonfiles.sha 
new/istioctl-1.25.2/common/.commonfiles.sha
--- old/istioctl-1.25.1/common/.commonfiles.sha 2025-03-22 06:37:44.000000000 
+0100
+++ new/istioctl-1.25.2/common/.commonfiles.sha 2025-04-11 16:24:19.000000000 
+0200
@@ -1 +1 @@
-cc5b9dbfa2da642c086e67c6dae3a27076f40e4b
+e2468dc1777226309f31a3bc29a1a3d1620240bb
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/istioctl-1.25.1/common/scripts/run.sh 
new/istioctl-1.25.2/common/scripts/run.sh
--- old/istioctl-1.25.1/common/scripts/run.sh   2025-03-22 06:37:44.000000000 
+0100
+++ new/istioctl-1.25.2/common/scripts/run.sh   2025-04-11 16:24:19.000000000 
+0200
@@ -47,7 +47,6 @@
     "${DOCKER_RUN_OPTIONS[@]}" \
     --init \
     --sig-proxy=true \
-    --cap-add=SYS_ADMIN \
     ${DOCKER_SOCKET_MOUNT:--v /var/run/docker.sock:/var/run/docker.sock} \
     $CONTAINER_OPTIONS \
     --env-file <(env | grep -v ${ENV_BLOCKLIST}) \
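Review bot: Dropping `--cap-add=SYS_ADMIN` reduces the build container's in-container privileges, but the following line still bind-mounts the Docker socket by default via `${DOCKER_SOCKET_MOUNT:--v /var/run/docker.sock:/var/run/docker.sock}`, which remains the main path to host-level control from inside the container. A short comment on that line noting that the socket mount, not the capability set, is what determines the container's effective host access would help readers judge the change. The surrounding `docker run` invocation starts and ends outside the hunk.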
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/istioctl-1.25.1/common/scripts/setup_env.sh 
new/istioctl-1.25.2/common/scripts/setup_env.sh
--- old/istioctl-1.25.1/common/scripts/setup_env.sh     2025-03-22 
06:37:44.000000000 +0100
+++ new/istioctl-1.25.2/common/scripts/setup_env.sh     2025-04-11 
16:24:19.000000000 +0200
@@ -75,7 +75,7 @@
 TOOLS_REGISTRY_PROVIDER=${TOOLS_REGISTRY_PROVIDER:-gcr.io}
 PROJECT_ID=${PROJECT_ID:-istio-testing}
 if [[ "${IMAGE_VERSION:-}" == "" ]]; then
-  IMAGE_VERSION=release-1.25-78fa2111903203d3003f2fca26dd8c42112fe29e
+  IMAGE_VERSION=release-1.25-3860042a009e8b9d8a63eca8756803d0e7aad5bb
 fi
 if [[ "${IMAGE_NAME:-}" == "" ]]; then
   IMAGE_NAME=build-tools
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/istioctl-1.25.1/go.mod new/istioctl-1.25.2/go.mod
--- old/istioctl-1.25.1/go.mod  2025-03-22 06:37:44.000000000 +0100
+++ new/istioctl-1.25.2/go.mod  2025-04-11 16:24:19.000000000 +0200
@@ -89,11 +89,12 @@
        google.golang.org/genproto/googleapis/rpc 
v0.0.0-20250122153221-138b5a5a4fd4
        google.golang.org/grpc v1.69.4
        google.golang.org/protobuf v1.36.3
+       gopkg.in/natefinch/lumberjack.v2 v2.2.1
        gopkg.in/yaml.v2 v2.4.0
        gopkg.in/yaml.v3 v3.0.1
        helm.sh/helm/v3 v3.17.0
-       istio.io/api v1.25.1-0.20250321204246-eb3f2673759c
-       istio.io/client-go v1.25.1-0.20250321204545-b102c2d01354
+       istio.io/api v1.25.2-0.20250410212420-84c271001f68
+       istio.io/client-go v1.25.2-0.20250410213018-e5f6074bc228
        k8s.io/api v0.32.1
        k8s.io/apiextensions-apiserver v0.32.1
        k8s.io/apimachinery v0.32.1
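Review bot: `gopkg.in/natefinch/lumberjack.v2 v2.2.1` is a newly introduced third-party dependency rather than a bump, pulled in for the CNI plugin's rolling local log; its checksum entries appear in the go.sum hunk that follows. Since this code runs in the node-level CNI plugin, it is worth confirming that the package build resolves the module from the same verified source as upstream and that the version matches the one reviewed there.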
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/istioctl-1.25.1/go.sum new/istioctl-1.25.2/go.sum
--- old/istioctl-1.25.1/go.sum  2025-03-22 06:37:44.000000000 +0100
+++ new/istioctl-1.25.2/go.sum  2025-04-11 16:24:19.000000000 +0200
@@ -652,6 +652,8 @@
 gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
 gopkg.in/ini.v1 v1.67.0 h1:Dgnx+6+nfE+IfzjUEISNeydPJh9AXNNsWbGP9KzCsOA=
 gopkg.in/ini.v1 v1.67.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
+gopkg.in/natefinch/lumberjack.v2 v2.2.1 
h1:bBRl1b0OH9s/DuPhuXpNl+VtCaJXFZ5/uEFST95x9zc=
+gopkg.in/natefinch/lumberjack.v2 v2.2.1/go.mod 
h1:YD8tP3GAjkrDg1eZH7EGmyESg/lsYskCTPBJVb9jqSc=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
@@ -666,10 +668,10 @@
 helm.sh/helm/v3 v3.17.0/go.mod h1:Mo7eGyKPPHlS0Ml67W8z/lbkox/gD9Xt1XpD6bxvZZA=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod 
h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod 
h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
-istio.io/api v1.25.1-0.20250321204246-eb3f2673759c 
h1:noezmv3FpPUjO4SFBjy/dDkW51YvyqMFTQczsD5foSc=
-istio.io/api v1.25.1-0.20250321204246-eb3f2673759c/go.mod 
h1:QFzEXv/IT582T0FHZVp1QoolvE4ws0zz/vVO55blmlE=
-istio.io/client-go v1.25.1-0.20250321204545-b102c2d01354 
h1:PpZL9h/qUGBu3ByxXi50S9ITHAID7DEs/RB9IIycRYY=
-istio.io/client-go v1.25.1-0.20250321204545-b102c2d01354/go.mod 
h1:Vap9OyHJMvvDegYoZczcNybS4wbPaTk+4bZcWMb8+vE=
+istio.io/api v1.25.2-0.20250410212420-84c271001f68 
h1:v+9w/OYqRpsGXJirWT/1k+rCPxI7FL8SblJbrQAUC6c=
+istio.io/api v1.25.2-0.20250410212420-84c271001f68/go.mod 
h1:QFzEXv/IT582T0FHZVp1QoolvE4ws0zz/vVO55blmlE=
+istio.io/client-go v1.25.2-0.20250410213018-e5f6074bc228 
h1:U6Hto4YRRdZHBaALhoSYvzwyUfWxdLz/OldQSyVGWPw=
+istio.io/client-go v1.25.2-0.20250410213018-e5f6074bc228/go.mod 
h1:E2LTxTcCVe4cqpKy4/9Y4VmwSoLiH6ff9MEG7EhfSDo=
 k8s.io/api v0.32.1 h1:f562zw9cy+GvXzXf0CKlVQ7yHJVYzLfL6JAS4kOAaOc=
 k8s.io/api v0.32.1/go.mod h1:/Yi/BqkuueW1BgpoePYBRdDYfjPF5sgTr5+YqDZra5k=
 k8s.io/apiextensions-apiserver v0.32.1 
h1:hjkALhRUeCariC8DiVmb5jj0VjIc1N0DREP32+6UXZw=
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/istioctl-1.25.1/istio.deps 
new/istioctl-1.25.2/istio.deps
--- old/istioctl-1.25.1/istio.deps      2025-03-22 06:37:44.000000000 +0100
+++ new/istioctl-1.25.2/istio.deps      2025-04-11 16:24:19.000000000 +0200
@@ -4,13 +4,13 @@
     "name": "PROXY_REPO_SHA",
     "repoName": "proxy",
     "file": "",
-    "lastStableSHA": "d1333136f077ed86411257320fe37d4b5f8b8ddd"
+    "lastStableSHA": "8d14f6fc8fe9703ff17d4377d9053b3cbbe85dea"
   },
   {
     "_comment": "",
     "name": "ZTUNNEL_REPO_SHA",
     "repoName": "ztunnel",
     "file": "",
-    "lastStableSHA": "31902c7512acadf3a93e148c74b24a5683360f5d"
+    "lastStableSHA": "b8527fc5f2a27c0cdc463420f87db67373eac2d8"
   }
 ]
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/istioctl-1.25.1/istioctl/pkg/writer/ztunnel/configdump/api.go 
new/istioctl-1.25.2/istioctl/pkg/writer/ztunnel/configdump/api.go
--- old/istioctl-1.25.1/istioctl/pkg/writer/ztunnel/configdump/api.go   
2025-03-22 06:37:44.000000000 +0100
+++ new/istioctl-1.25.2/istioctl/pkg/writer/ztunnel/configdump/api.go   
2025-04-11 16:24:19.000000000 +0200
@@ -126,6 +126,7 @@
        Identity  string  `json:"identity"`
        State     string  `json:"state"`
        CertChain []*Cert `json:"certChain"`
+       RootCert  []*Cert `json:"rootCerts"`
 }
 
 type Cert struct {
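Review bot: The new `RootCert` field is a slice serialised under the plural key `rootCerts`, while the Go name is singular and undocumented; the enclosing struct's header is outside the hunk. Since the consumer in certificates.go treats an empty slice as the signal for the old dump layout, that contract belongs on the field: `// RootCert lists the trust roots; older ztunnel dumps omit it and carry the root as the last certChain entry instead.` Renaming to `RootCerts` to match `CertChain`/`rootCerts` is a style choice worth making now, before other callers appear.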
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/istioctl-1.25.1/istioctl/pkg/writer/ztunnel/configdump/certificates.go 
new/istioctl-1.25.2/istioctl/pkg/writer/ztunnel/configdump/certificates.go
--- old/istioctl-1.25.1/istioctl/pkg/writer/ztunnel/configdump/certificates.go  
2025-03-22 06:37:44.000000000 +0100
+++ new/istioctl-1.25.2/istioctl/pkg/writer/ztunnel/configdump/certificates.go  
2025-04-11 16:24:19.000000000 +0200
@@ -63,11 +63,13 @@
                        fmt.Fprintf(w, "%v\t%v\t%v\t%v\t%v\t%v\t%v\n",
                                secret.Identity, valueOrNA(""), secret.State, 
false, valueOrNA(""), valueOrNA(""), valueOrNA(""))
                } else {
+                       // Before, the root was part of the certChain.
+                       legacyFormat := len(secret.RootCert) == 0
                        for i, ca := range secret.CertChain {
                                t := "Intermediate"
                                if i == 0 {
                                        t = "Leaf"
-                               } else if i == len(secret.CertChain)-1 {
+                               } else if i == len(secret.CertChain)-1 && 
legacyFormat {
                                        t = "Root"
                                }
                                n := new(big.Int)
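Review bot: `legacyFormat := len(secret.RootCert) == 0` infers the dump layout from an empty slice, so a new-format dump whose `rootCerts` happens to be empty (if ztunnel can emit that state) would label the last chain entry "Root" even though it is an intermediate; the version of the dump, if one is available, would be a safer discriminator. The comment on the line above should say what the reader needs to check: `// Older ztunnel dumps omit rootCerts and append the root to certChain; treat an empty rootCerts as that layout.` The enclosing loop body continues into the next hunk.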
@@ -75,6 +77,12 @@
                                fmt.Fprintf(w, "%v\t%v\t%v\t%v\t%x\t%v\t%v\n",
                                        secret.Identity, t, secret.State, 
certNotExpired(ca), n, valueOrNA(ca.ExpirationTime), valueOrNA(ca.ValidFrom))
                        }
+                       for _, ca := range secret.RootCert {
+                               n := new(big.Int)
+                               n, _ = n.SetString(ca.SerialNumber, 10)
+                               fmt.Fprintf(w, "%v\t%v\t%v\t%v\t%x\t%v\t%v\n",
+                                       secret.Identity, "Root", secret.State, 
certNotExpired(ca), n, valueOrNA(ca.ExpirationTime), valueOrNA(ca.ValidFrom))
+                       }
                }
        }
        return w.Flush()
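Review bot: The new root loop copies the chain loop's row formatting and, like it, discards the `ok` result of `SetString`, so a `SerialNumber` that is not base-10 leaves `n` nil and prints `<nil>` in the serial column with no hint that the dump was malformed. Both loops should share one row writer that reports an unparsable serial explicitly instead of duplicating the `Fprintf`; the sketch below passes identity and state as strings because the secret's type name is not visible in this hunk, and needs `io` in the import block.
```go
// writeCertRow prints one row of the certificate table; a serial that does
// not parse as base-10 is shown as <invalid> rather than as "<nil>".
func writeCertRow(w io.Writer, identity, t, state string, ca *Cert) {
	serial := "<invalid>"
	if n, ok := new(big.Int).SetString(ca.SerialNumber, 10); ok {
		serial = n.Text(16)
	}
	fmt.Fprintf(w, "%v\t%v\t%v\t%v\t%v\t%v\t%v\n",
		identity, t, state, certNotExpired(ca), serial, valueOrNA(ca.ExpirationTime), valueOrNA(ca.ValidFrom))
}

// … unchanged: Leaf/Intermediate/Root selection for the chain loop …
				writeCertRow(w, secret.Identity, t, secret.State, ca)
			}
			for _, ca := range secret.RootCert {
				writeCertRow(w, secret.Identity, "Root", secret.State, ca)
			}
```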
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/istioctl-1.25.1/licenses/gopkg.in/natefinch/lumberjack.v2/LICENSE 
new/istioctl-1.25.2/licenses/gopkg.in/natefinch/lumberjack.v2/LICENSE
--- old/istioctl-1.25.1/licenses/gopkg.in/natefinch/lumberjack.v2/LICENSE       
1970-01-01 01:00:00.000000000 +0100
+++ new/istioctl-1.25.2/licenses/gopkg.in/natefinch/lumberjack.v2/LICENSE       
2025-04-11 16:24:19.000000000 +0200
@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2014 Nate Finch 
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
\ No newline at end of file
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/istioctl-1.25.1/manifests/charts/istio-cni/templates/configmap-cni.yaml 
new/istioctl-1.25.2/manifests/charts/istio-cni/templates/configmap-cni.yaml
--- old/istioctl-1.25.1/manifests/charts/istio-cni/templates/configmap-cni.yaml 
2025-03-22 06:37:44.000000000 +0100
+++ new/istioctl-1.25.2/manifests/charts/istio-cni/templates/configmap-cni.yaml 
2025-04-11 16:24:19.000000000 +0200
@@ -21,8 +21,8 @@
   CNI_CONF_NAME: {{ .Values.cniConfFileName }} # Name of the CNI config file 
to create. Only override if you know the exact path your CNI requires..
   {{- end }}
   CHAINED_CNI_PLUGIN: {{ .Values.chained | quote }}
-  EXCLUDED_NAMESPACES: "{{ range $idx, $ns := .Values.excludeNamespaces }}{{ 
if $idx }},{{ end }}{{ $ns }}{{ end }}"
-  REPAIR_ENABLED: {{ .Values.chained | quote }}
+  EXCLUDE_NAMESPACES: "{{ range $idx, $ns := .Values.excludeNamespaces }}{{ if 
$idx }},{{ end }}{{ $ns }}{{ end }}"
+  REPAIR_ENABLED: {{ .Values.repair.enabled | quote }}
   REPAIR_LABEL_PODS: {{ .Values.repair.labelPods | quote }}
   REPAIR_DELETE_PODS: {{ .Values.repair.deletePods | quote }}
   REPAIR_REPAIR_PODS: {{ .Values.repair.repairPods | quote }}
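Review bot: The rename from `EXCLUDED_NAMESPACES` to `EXCLUDE_NAMESPACES` only helps if that is the key the CNI binary actually reads, which this diff does not show; the old name was presumably never picked up, meaning namespace exclusion silently did not apply, and a mismatch in the other direction would reintroduce exactly that. A chart test that renders this ConfigMap and asserts the key name against the constant the binary reads would pin it. The `REPAIR_ENABLED` line now reads `.Values.repair.enabled` instead of `.Values.chained`, so repair toggling changes for anyone who relied on the old coupling; that deserves a line in the release notes.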
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/istioctl-1.25.1/manifests/charts/istio-cni/templates/daemonset.yaml 
new/istioctl-1.25.2/manifests/charts/istio-cni/templates/daemonset.yaml
--- old/istioctl-1.25.1/manifests/charts/istio-cni/templates/daemonset.yaml     
2025-03-22 06:37:44.000000000 +0100
+++ new/istioctl-1.25.2/manifests/charts/istio-cni/templates/daemonset.yaml     
2025-04-11 16:24:19.000000000 +0200
@@ -14,6 +14,10 @@
 kind: DaemonSet
 apiVersion: apps/v1
 metadata:
+  # Note that this is templated but evaluates to a fixed name
+  # which the CNI plugin may fall back onto in some failsafe scenarios.
+  # if this name is changed, CNI plugin logic that checks for this name
+  # format should also be updated.
   name: {{ template "name" . }}-node
   namespace: {{ .Release.Namespace }}
   labels:
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/istioctl-1.25.1/manifests/charts/istio-control/istio-discovery/templates/deployment.yaml
 
new/istioctl-1.25.2/manifests/charts/istio-control/istio-discovery/templates/deployment.yaml
--- 
old/istioctl-1.25.1/manifests/charts/istio-control/istio-discovery/templates/deployment.yaml
        2025-03-22 06:37:44.000000000 +0100
+++ 
new/istioctl-1.25.2/manifests/charts/istio-control/istio-discovery/templates/deployment.yaml
        2025-04-11 16:24:19.000000000 +0200
@@ -169,9 +169,10 @@
           # Also, check for an explicit ENV override (legacy approach) and 
prefer that
           # if present
           {{ $ztTrustedNS := or .Values.trustedZtunnelNamespace 
.Release.Namespace }}
+          {{ $ztTrustedName := or .Values.trustedZtunnelName "ztunnel" }}
           {{- if not .Values.env.CA_TRUSTED_NODE_ACCOUNTS }}
           - name: CA_TRUSTED_NODE_ACCOUNTS
-            value: "{{ $ztTrustedNS }}/ztunnel"
+            value: "{{ $ztTrustedNS }}/{{ $ztTrustedName }}"
           {{- end }}
           {{- if .Values.env }}
           {{- range $key, $val := .Values.env }}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/istioctl-1.25.1/manifests/charts/istio-control/istio-discovery/values.yaml 
new/istioctl-1.25.2/manifests/charts/istio-control/istio-discovery/values.yaml
--- 
old/istioctl-1.25.1/manifests/charts/istio-control/istio-discovery/values.yaml  
    2025-03-22 06:37:44.000000000 +0100
+++ 
new/istioctl-1.25.2/manifests/charts/istio-control/istio-discovery/values.yaml  
    2025-04-11 16:24:19.000000000 +0200
@@ -104,6 +104,8 @@
   # If unset, `istiod` will assume the trusted node proxy ztunnel resides
   # in the same namespace as itself.
   trustedZtunnelNamespace: ""
+  # Set this if you install ztunnel with a name different from the default.
+  trustedZtunnelName: ""
 
   sidecarInjectorWebhook:
     # You can use the field called alwaysInjectSelector and 
neverInjectSelector which will always inject the sidecar or
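Review bot: The comment on `trustedZtunnelName` does not say what the value controls: together with `trustedZtunnelNamespace` it forms the `CA_TRUSTED_NODE_ACCOUNTS` entry in deployment.yaml, i.e. the identity istiod trusts as node proxy, so a wrong value either breaks ambient or trusts the wrong account. Suggested wording: `# Set this if ztunnel is installed under a name other than "ztunnel". With trustedZtunnelNamespace it forms the CA_TRUSTED_NODE_ACCOUNTS entry that istiod trusts as the node proxy, so it must match the deployed ztunnel exactly.`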
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/istioctl-1.25.1/pilot/cmd/pilot-agent/options/security.go 
new/istioctl-1.25.2/pilot/cmd/pilot-agent/options/security.go
--- old/istioctl-1.25.1/pilot/cmd/pilot-agent/options/security.go       
2025-03-22 06:37:44.000000000 +0100
+++ new/istioctl-1.25.2/pilot/cmd/pilot-agent/options/security.go       
2025-04-11 16:24:19.000000000 +0200
@@ -16,6 +16,7 @@
 
 import (
        "fmt"
+       "os"
        "strings"
 
        meshconfig "istio.io/api/mesh/v1alpha1"
@@ -28,6 +29,9 @@
        "istio.io/istio/security/pkg/nodeagent/cafile"
 )
 
+// Similar with ISTIO_META_, which is used to customize the node metadata - 
this customizes extra CA header.
+const caHeaderPrefix = "CA_HEADER_"
+
 func NewSecurityOptions(proxyConfig *meshconfig.ProxyConfig, stsPort int, 
tokenManagerPlugin string) (*security.Options, error) {
        o := &security.Options{
                CAEndpoint:                           caEndpointEnv,
@@ -55,6 +59,7 @@
                CertChainFilePath:                    
security.DefaultCertChainFilePath,
                KeyFilePath:                          
security.DefaultKeyFilePath,
                RootCertFilePath:                     
security.DefaultRootCertFilePath,
+               CAHeaders:                            map[string]string{},
        }
 
        o, err := SetupSecurityOptions(proxyConfig, o, jwtPolicy.Get(),
@@ -63,6 +68,8 @@
                return o, err
        }
 
+       extractCAHeadersFromEnv(o)
+
        return o, err
 }
 
@@ -124,3 +131,19 @@
        }
        return o, nil
 }
+
+// extractCAHeadersFromEnv extracts CA headers from environment variables.
+func extractCAHeadersFromEnv(o *security.Options) {
+       envs := os.Environ()
+       for _, e := range envs {
+               if !strings.HasPrefix(e, caHeaderPrefix) {
+                       continue
+               }
+
+               parts := strings.SplitN(e, "=", 2)
+               if len(parts) != 2 {
+                       continue
+               }
+               o.CAHeaders[parts[0][len(caHeaderPrefix):]] = parts[1]
+       }
+}
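Review bot: `extractCAHeadersFromEnv` writes into `o.CAHeaders` without checking it is non-nil, so it panics for any caller other than the one in this file that initialises the map; a guard `if o.CAHeaders == nil { o.CAHeaders = map[string]string{} }` at the top keeps it safe on its own. An entry `CA_HEADER_=v` also yields an empty header name, which should be skipped: `name := strings.TrimPrefix(parts[0], caHeaderPrefix)` followed by `if name == "" { continue }`. The doc comment should state the mapping the tests rely on, e.g. `// extractCAHeadersFromEnv adds every CA_HEADER_<NAME>=<value> environment variable to o.CAHeaders as NAME=value; the value is kept verbatim, including any '=' it contains.`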
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/istioctl-1.25.1/pilot/cmd/pilot-agent/options/security_test.go 
new/istioctl-1.25.2/pilot/cmd/pilot-agent/options/security_test.go
--- old/istioctl-1.25.1/pilot/cmd/pilot-agent/options/security_test.go  
2025-03-22 06:37:44.000000000 +0100
+++ new/istioctl-1.25.2/pilot/cmd/pilot-agent/options/security_test.go  
2025-04-11 16:24:19.000000000 +0200
@@ -59,3 +59,81 @@
                }
        }
 }
+
+func TestExtractCAHeadersFromEnv(t *testing.T) {
+       tests := []struct {
+               name              string
+               envVars           map[string]string
+               expectedCAHeaders map[string]string
+       }{
+               {
+                       name: "no CA headers",
+                       envVars: map[string]string{
+                               "RANDOM_KEY": "value",
+                       },
+                       expectedCAHeaders: map[string]string{},
+               },
+               {
+                       name: "single CA header",
+                       envVars: map[string]string{
+                               "CA_HEADER_FOO": "foo",
+                       },
+                       expectedCAHeaders: map[string]string{
+                               "FOO": "foo",
+                       },
+               },
+               {
+                       name: "multiple CA headers",
+                       envVars: map[string]string{
+                               "CA_HEADER_FOO": "foo",
+                               "CA_HEADER_BAR": "bar",
+                       },
+                       expectedCAHeaders: map[string]string{
+                               "FOO": "foo",
+                               "BAR": "bar",
+                       },
+               },
+               {
+                       name: "mixed CA and non-CA headers",
+                       envVars: map[string]string{
+                               "CA_HEADER_FOO":  "foo",
+                               "XDS_HEADER_BAR": "bar",
+                               "CA_HEADER_BAZ":  "=baz",
+                       },
+                       expectedCAHeaders: map[string]string{
+                               "FOO": "foo",
+                               "BAZ": "=baz",
+                       },
+               },
+       }
+
+       for _, tt := range tests {
+               t.Run(tt.name, func(t *testing.T) {
+                       // Set environment variables
+                       for k, v := range tt.envVars {
+                               os.Setenv(k, v)
+                       }
+                       // Clean up environment variables after test
+                       defer func() {
+                               for k := range tt.envVars {
+                                       os.Unsetenv(k)
+                               }
+                       }()
+
+                       o := &security.Options{
+                               CAHeaders: map[string]string{},
+                       }
+                       extractCAHeadersFromEnv(o)
+
+                       if len(o.CAHeaders) != len(tt.expectedCAHeaders) {
+                               t.Errorf("expected %d CA headers, got %d", 
len(tt.expectedCAHeaders), len(o.CAHeaders))
+                       }
+
+                       for k, v := range tt.expectedCAHeaders {
+                               if o.CAHeaders[k] != v {
+                                       t.Errorf("expected CA header %s to be 
%s, got %s", k, v, o.CAHeaders[k])
+                               }
+                       }
+               })
+       }
+}
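Review bot: The subtests set variables with `os.Setenv` and restore them in a deferred loop, which does not restore a pre-existing value and would race with `t.Parallel`; `t.Setenv(k, v)` (Go 1.17+) does both and removes the defer block entirely. The mixed case only proves the prefix filter by counting entries, so an explicit assertion that `BAR` is absent from `o.CAHeaders` would make the intent visible.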
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/istioctl-1.25.1/pilot/pkg/networking/core/httproute.go 
new/istioctl-1.25.2/pilot/pkg/networking/core/httproute.go
--- old/istioctl-1.25.1/pilot/pkg/networking/core/httproute.go  2025-03-22 
06:37:44.000000000 +0100
+++ new/istioctl-1.25.2/pilot/pkg/networking/core/httproute.go  2025-04-11 
16:24:19.000000000 +0200
@@ -116,7 +116,7 @@
 // TODO: trace decorators, inbound timeouts
 func buildSidecarInboundHTTPRouteConfig(lb *ListenerBuilder, cc 
inboundChainConfig) *route.RouteConfiguration {
        traceOperation := 
telemetry.TraceOperation(string(cc.telemetryMetadata.InstanceHostname), 
cc.port.Port)
-       defaultRoute := istio_route.BuildDefaultHTTPInboundRoute(lb.node, 
cc.clusterName, traceOperation)
+       defaultRoute := istio_route.BuildDefaultHTTPInboundRoute(lb.node, 
cc.clusterName, traceOperation, cc.port.Protocol)
 
        inboundVHost := &route.VirtualHost{
                Name:    inboundVirtualHostPrefix + strconv.Itoa(cc.port.Port), 
// Format: "inbound|http|%d"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/istioctl-1.25.1/pilot/pkg/networking/core/route/route.go 
new/istioctl-1.25.2/pilot/pkg/networking/core/route/route.go
--- old/istioctl-1.25.1/pilot/pkg/networking/core/route/route.go        
2025-03-22 06:37:44.000000000 +0100
+++ new/istioctl-1.25.2/pilot/pkg/networking/core/route/route.go        
2025-04-11 16:24:19.000000000 +0200
@@ -47,6 +47,7 @@
        "istio.io/istio/pkg/config/constants"
        "istio.io/istio/pkg/config/host"
        "istio.io/istio/pkg/config/labels"
+       "istio.io/istio/pkg/config/protocol"
        "istio.io/istio/pkg/jwt"
        "istio.io/istio/pkg/log"
        "istio.io/istio/pkg/util/grpc"
@@ -1241,7 +1242,7 @@
 }
 
 // BuildDefaultHTTPInboundRoute builds a default inbound route.
-func BuildDefaultHTTPInboundRoute(proxy *model.Proxy, clusterName string, 
operation string) *route.Route {
+func BuildDefaultHTTPInboundRoute(proxy *model.Proxy, clusterName string, 
operation string, protocol protocol.Instance) *route.Route {
        out := buildDefaultHTTPRoute(clusterName, operation)
        // For inbound, configure with notimeout.
        out.GetRoute().Timeout = Notimeout
@@ -1251,7 +1252,8 @@
                // gRPC requests time out like any other requests using timeout 
or its default.
                GrpcTimeoutHeaderMax: Notimeout,
        }
-       if util.VersionGreaterOrEqual124(proxy) && 
features.EnableInboundRetryPolicy {
+       // "reset-before-request" does not work well for gRPC streaming 
services.
+       if util.VersionGreaterOrEqual124(proxy) && 
features.EnableInboundRetryPolicy && !protocol.IsGRPC() {
                out.GetRoute().RetryPolicy = &route.RetryPolicy{
                        RetryOn: "reset-before-request",
                        NumRetries: &wrapperspb.UInt32Value{
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/istioctl-1.25.1/pilot/pkg/networking/core/route/route_cache.go 
new/istioctl-1.25.2/pilot/pkg/networking/core/route/route_cache.go
--- old/istioctl-1.25.1/pilot/pkg/networking/core/route/route_cache.go  
2025-03-22 06:37:44.000000000 +0100
+++ new/istioctl-1.25.2/pilot/pkg/networking/core/route/route_cache.go  
2025-04-11 16:24:19.000000000 +0200
@@ -147,6 +147,12 @@
                h.Write(Slash)
                h.WriteString(svc.Attributes.Namespace)
                h.Write(Separator)
+               for _, alias := range svc.Attributes.Aliases {
+                       h.WriteString(string(alias.Hostname))
+                       h.Write(Slash)
+                       h.WriteString(alias.Namespace)
+                       h.Write(Separator)
+               }
        }
        h.Write(Separator)
 
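Review bot: The aliases become part of the route cache key without a comment saying why, and the key is order-sensitive, so if `svc.Attributes.Aliases` is not built in a deterministic order two equivalent services would hash differently (extra cache misses rather than wrong routes, as far as this hunk shows). A one-line comment above the loop would carry the reasoning: `// Aliases change the generated virtual hosts, so they must be part of the key.` The enclosing function starts and ends outside the hunk.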
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/istioctl-1.25.1/pilot/pkg/networking/core/route/route_test.go 
new/istioctl-1.25.2/pilot/pkg/networking/core/route/route_test.go
--- old/istioctl-1.25.1/pilot/pkg/networking/core/route/route_test.go   
2025-03-22 06:37:44.000000000 +0100
+++ new/istioctl-1.25.2/pilot/pkg/networking/core/route/route_test.go   
2025-04-11 16:24:19.000000000 +0200
@@ -2988,11 +2988,13 @@
        testCases := []struct {
                name        string
                enableRetry bool
+               protocol    protocol.Instance
                expected    *envoyroute.Route
        }{
                {
-                       name:        "enable retry",
+                       name:        "enable retry, http protocol",
                        enableRetry: true,
+                       protocol:    protocol.HTTP,
                        expected: &envoyroute.Route{
                                Name:  "default",
                                Match: 
route.TranslateRouteMatch(config.Config{}, nil),
@@ -3018,8 +3020,31 @@
                        },
                },
                {
+                       name:        "enable retry, grpc protocol",
+                       enableRetry: true,
+                       protocol:    protocol.GRPC,
+                       expected: &envoyroute.Route{
+                               Name:  "default",
+                               Match: 
route.TranslateRouteMatch(config.Config{}, nil),
+                               Action: &envoyroute.Route_Route{
+                                       Route: &envoyroute.RouteAction{
+                                               ClusterSpecifier: 
&envoyroute.RouteAction_Cluster{Cluster: "cluster"},
+                                               Timeout:          
route.Notimeout,
+                                               MaxStreamDuration: 
&envoyroute.RouteAction_MaxStreamDuration{
+                                                       MaxStreamDuration:    
route.Notimeout,
+                                                       GrpcTimeoutHeaderMax: 
route.Notimeout,
+                                               },
+                                       },
+                               },
+                               Decorator: &envoyroute.Decorator{
+                                       Operation: "operation",
+                               },
+                       },
+               },
+               {
                        name:        "disable retry",
                        enableRetry: false,
+                       protocol:    protocol.HTTP,
                        expected: &envoyroute.Route{
                                Name:  "default",
                                Match: 
route.TranslateRouteMatch(config.Config{}, nil),
@@ -3043,7 +3068,7 @@
                t.Run(tc.name, func(t *testing.T) {
                        test.SetForTest(t, &features.EnableInboundRetryPolicy, 
tc.enableRetry)
                        inroute := 
route.BuildDefaultHTTPInboundRoute(&model.Proxy{IstioVersion: 
&model.IstioVersion{Major: 1, Minor: 24, Patch: -1}},
-                               "cluster", "operation")
+                               "cluster", "operation", tc.protocol)
                        if !reflect.DeepEqual(tc.expected, inroute) {
                                t.Errorf("error in inbound routes. Got: %v, 
Want: %v", inroute, tc.expected)
                        }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/istioctl-1.25.1/pilot/pkg/serviceregistry/kube/controller/ambient/ambientindex.go
 
new/istioctl-1.25.2/pilot/pkg/serviceregistry/kube/controller/ambient/ambientindex.go
--- 
old/istioctl-1.25.1/pilot/pkg/serviceregistry/kube/controller/ambient/ambientindex.go
       2025-03-22 06:37:44.000000000 +0100
+++ 
new/istioctl-1.25.2/pilot/pkg/serviceregistry/kube/controller/ambient/ambientindex.go
       2025-04-11 16:24:19.000000000 +0200
@@ -221,6 +221,8 @@
                        Waypoints,
                        Services,
                        ServiceEntries,
+                       GatewayClasses,
+                       MeshConfig,
                        Namespaces,
                        opts,
                )
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/istioctl-1.25.1/pilot/pkg/serviceregistry/kube/controller/ambient/authorization_test.go
 
new/istioctl-1.25.2/pilot/pkg/serviceregistry/kube/controller/ambient/authorization_test.go
--- 
old/istioctl-1.25.1/pilot/pkg/serviceregistry/kube/controller/ambient/authorization_test.go
 2025-03-22 06:37:44.000000000 +0100
+++ 
new/istioctl-1.25.2/pilot/pkg/serviceregistry/kube/controller/ambient/authorization_test.go
 2025-04-11 16:24:19.000000000 +0200
@@ -16,6 +16,7 @@
 
 import (
        "context"
+       "fmt"
        "testing"
        "time"
 
@@ -32,10 +33,13 @@
        securityclient "istio.io/client-go/pkg/apis/security/v1"
        "istio.io/istio/pilot/pkg/model"
        "istio.io/istio/pkg/config/constants"
+       "istio.io/istio/pkg/config/mesh"
+       "istio.io/istio/pkg/config/mesh/meshwatcher"
        "istio.io/istio/pkg/config/schema/gvk"
        "istio.io/istio/pkg/kube"
        "istio.io/istio/pkg/kube/kclient"
        "istio.io/istio/pkg/kube/krt"
+       "istio.io/istio/pkg/kube/krt/krttest"
        "istio.io/istio/pkg/test/util/assert"
        "istio.io/istio/pkg/test/util/retry"
        "istio.io/istio/pkg/workloadapi"
@@ -228,6 +232,16 @@
        clientSe := kclient.New[*networkingclient.ServiceEntry](c)
        seCol := krt.WrapClient(clientSe)
 
+       clientGwClass := kclient.New[*gtwapiv1beta1.GatewayClass](c)
+       gwClassCol := krt.WrapClient(clientGwClass)
+
+       meshConfigMock := krttest.NewMock(t, []any{
+               meshwatcher.MeshConfigResource{
+                       MeshConfig: mesh.DefaultMeshConfig(),
+               },
+       })
+       meshConfigCol := GetMeshConfig(meshConfigMock)
+
        clientNs := kclient.New[*v1.Namespace](c)
        nsCol := krt.WrapClient(clientNs)
 
@@ -258,7 +272,7 @@
                }
        })
 
-       wpsCollection := WaypointPolicyStatusCollection(authzPolCol, 
waypointCol, svcCol, seCol, nsCol, krt.OptionsBuilder{})
+       wpsCollection := WaypointPolicyStatusCollection(authzPolCol, 
waypointCol, svcCol, seCol, gwClassCol, meshConfigCol, nsCol, 
krt.OptionsBuilder{})
        c.RunAndWait(ctx.Done())
 
        _, err := clientNs.Create(&v1.Namespace{
@@ -978,6 +992,165 @@
                                },
                        },
                },
+               {
+                       testName: "single-bind-gateway-class",
+                       gatewayClasses: []gtwapiv1beta1.GatewayClass{
+                               {
+                                       ObjectMeta: metav1.ObjectMeta{
+                                               Name: "istio-waypoint",
+                                       },
+                                       Spec: gtwapiv1beta1.GatewayClassSpec{
+                                               ControllerName: 
constants.ManagedGatewayMeshController,
+                                       },
+                               },
+                       },
+                       policy: securityclient.AuthorizationPolicy{
+                               ObjectMeta: metav1.ObjectMeta{
+                                       Name:       "single-gateway-class-pol",
+                                       Namespace:  "istio-system",
+                                       Generation: 1,
+                               },
+                               Spec: v1beta1.AuthorizationPolicy{
+                                       TargetRefs: 
[]*apiv1beta1.PolicyTargetReference{
+                                               {
+                                                       Group: 
gvk.GatewayClass.Group,
+                                                       Kind:  
gvk.GatewayClass.Kind,
+                                                       Name:  "istio-waypoint",
+                                               },
+                                       },
+                                       Rules:  []*v1beta1.Rule{},
+                                       Action: 0,
+                               },
+                       },
+                       expect: []model.PolicyBindingStatus{
+                               {
+                                       Ancestor: 
"GatewayClass.gateway.networking.k8s.io:istio-system/istio-waypoint",
+                                       Status: &model.StatusMessage{
+                                               Reason:  
model.WaypointPolicyReasonAccepted,
+                                               Message: "bound to 
istio-waypoint",
+                                       },
+                                       Bound:              true,
+                                       ObservedGeneration: 1,
+                               },
+                       },
+               },
+               {
+                       testName:       "nonexistent-gateway-class",
+                       gatewayClasses: []gtwapiv1beta1.GatewayClass{},
+                       policy: securityclient.AuthorizationPolicy{
+                               ObjectMeta: metav1.ObjectMeta{
+                                       Name:       
"single-no-gateway-class-pol",
+                                       Namespace:  "istio-system",
+                                       Generation: 1,
+                               },
+                               Spec: v1beta1.AuthorizationPolicy{
+                                       TargetRefs: 
[]*apiv1beta1.PolicyTargetReference{
+                                               {
+                                                       Group: 
gvk.GatewayClass.Group,
+                                                       Kind:  
gvk.GatewayClass.Kind,
+                                                       Name:  
"nonexistent-gateway-class",
+                                               },
+                                       },
+                                       Rules:  []*v1beta1.Rule{},
+                                       Action: 0,
+                               },
+                       },
+                       expect: []model.PolicyBindingStatus{
+                               {
+                                       Ancestor: 
"GatewayClass.gateway.networking.k8s.io:istio-system/nonexistent-gateway-class",
+                                       Status: &model.StatusMessage{
+                                               Reason:  
model.WaypointPolicyReasonTargetNotFound,
+                                               Message: "not bound",
+                                       },
+                                       Bound:              false,
+                                       ObservedGeneration: 1,
+                               },
+                       },
+               },
+               {
+                       testName: "non-waypoint-gateway-class",
+                       gatewayClasses: []gtwapiv1beta1.GatewayClass{
+                               {
+                                       ObjectMeta: metav1.ObjectMeta{
+                                               Name: "not-for-waypoint",
+                                       },
+                                       Spec: gtwapiv1beta1.GatewayClassSpec{
+                                               ControllerName: 
"random-controller",
+                                       },
+                               },
+                       },
+                       policy: securityclient.AuthorizationPolicy{
+                               ObjectMeta: metav1.ObjectMeta{
+                                       Name:       
"non-waypoint-gateway-class-pol",
+                                       Namespace:  "istio-system",
+                                       Generation: 1,
+                               },
+                               Spec: v1beta1.AuthorizationPolicy{
+                                       TargetRefs: 
[]*apiv1beta1.PolicyTargetReference{
+                                               {
+                                                       Group: 
gvk.GatewayClass.Group,
+                                                       Kind:  
gvk.GatewayClass.Kind,
+                                                       Name:  
"not-for-waypoint",
+                                               },
+                                       },
+                                       Rules:  []*v1beta1.Rule{},
+                                       Action: 0,
+                               },
+                       },
+                       expect: []model.PolicyBindingStatus{
+                               {
+                                       Ancestor: 
"GatewayClass.gateway.networking.k8s.io:istio-system/not-for-waypoint",
+                                       Status: &model.StatusMessage{
+                                               Reason:  
model.WaypointPolicyReasonInvalid,
+                                               Message: 
fmt.Sprintf("GatewayClass must use controller name `%s` for waypoints", 
constants.ManagedGatewayMeshController),
+                                       },
+                                       Bound:              false,
+                                       ObservedGeneration: 1,
+                               },
+                       },
+               },
+               {
+                       testName: "gateway-class-ap-not-in-root-ns",
+                       gatewayClasses: []gtwapiv1beta1.GatewayClass{
+                               {
+                                       ObjectMeta: metav1.ObjectMeta{
+                                               Name: "waypoint",
+                                       },
+                                       Spec: gtwapiv1beta1.GatewayClassSpec{
+                                               ControllerName: 
constants.ManagedGatewayMeshController,
+                                       },
+                               },
+                       },
+                       policy: securityclient.AuthorizationPolicy{
+                               ObjectMeta: metav1.ObjectMeta{
+                                       Name:       
"gateway-class-ap-not-in-root-ns-pol",
+                                       Namespace:  "other-ns",
+                                       Generation: 1,
+                               },
+                               Spec: v1beta1.AuthorizationPolicy{
+                                       TargetRefs: 
[]*apiv1beta1.PolicyTargetReference{
+                                               {
+                                                       Group: 
gvk.GatewayClass.Group,
+                                                       Kind:  
gvk.GatewayClass.Kind,
+                                                       Name:  "waypoint",
+                                               },
+                                       },
+                                       Rules:  []*v1beta1.Rule{},
+                                       Action: 0,
+                               },
+                       },
+                       expect: []model.PolicyBindingStatus{
+                               {
+                                       Ancestor: 
"GatewayClass.gateway.networking.k8s.io:other-ns/waypoint",
+                                       Status: &model.StatusMessage{
+                                               Reason:  
model.WaypointPolicyReasonInvalid,
+                                               Message: "AuthorizationPolicy 
must be in the root namespace `istio-system` when referencing a GatewayClass",
+                                       },
+                                       Bound:              false,
+                                       ObservedGeneration: 1,
+                               },
+                       },
+               },
        }
 
        // these nolint are to suppress findings regarding copying the mutex 
contained within our service entry proto fields
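Review bot: The expected message in the non-waypoint-gateway-class case is built with the same `fmt.Sprintf("GatewayClass must use controller name ...")` as the production code in policies.go, so the test passes even if the wording regresses on both sides; spell the expected message out as a plain string literal in the test. The four new cases also repeat the same ~20-line AuthorizationPolicy literal with only name, namespace and target differing, which a small helper such as `gwClassPolicy(name, ns, target string)` would collapse. The table literal and the loop that consumes it both start outside this hunk.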
@@ -996,6 +1169,11 @@
                                assert.NoError(t, err)
                        }
 
+                       for _, gwClass := range tc.gatewayClasses {
+                               _, err := clientGwClass.Create(&gwClass)
+                               assert.NoError(t, err)
+                       }
+
                        _, err := clientAuthzPol.Create(&tc.policy)
                        assert.NoError(t, err)
 
@@ -1014,6 +1192,7 @@
        testName       string
        serviceEntries []networkingclient.ServiceEntry
        services       []v1.Service
+       gatewayClasses []gtwapiv1beta1.GatewayClass
        policy         securityclient.AuthorizationPolicy
        expect         []model.PolicyBindingStatus
 }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/istioctl-1.25.1/pilot/pkg/serviceregistry/kube/controller/ambient/policies.go
 
new/istioctl-1.25.2/pilot/pkg/serviceregistry/kube/controller/ambient/policies.go
--- 
old/istioctl-1.25.1/pilot/pkg/serviceregistry/kube/controller/ambient/policies.go
   2025-03-22 06:37:44.000000000 +0100
+++ 
new/istioctl-1.25.2/pilot/pkg/serviceregistry/kube/controller/ambient/policies.go
   2025-04-11 16:24:19.000000000 +0200
@@ -17,16 +17,21 @@
 
 import (
        "fmt"
+       "strconv"
        "strings"
 
        corev1 "k8s.io/api/core/v1"
+       "sigs.k8s.io/gateway-api/apis/v1beta1"
 
+       "istio.io/api/annotation"
        networkingclient "istio.io/client-go/pkg/apis/networking/v1"
        securityclient "istio.io/client-go/pkg/apis/security/v1"
        "istio.io/istio/pilot/pkg/model"
+       "istio.io/istio/pkg/config/constants"
        "istio.io/istio/pkg/config/schema/gvk"
        "istio.io/istio/pkg/kube/krt"
        "istio.io/istio/pkg/log"
+       "istio.io/istio/pkg/ptr"
        "istio.io/istio/pkg/slices"
        "istio.io/istio/pkg/spiffe"
        "istio.io/istio/pkg/workloadapi/security"
@@ -37,6 +42,8 @@
        waypoints krt.Collection[Waypoint],
        services krt.Collection[*corev1.Service],
        serviceEntries krt.Collection[*networkingclient.ServiceEntry],
+       gatewayClasses krt.Collection[*v1beta1.GatewayClass],
+       meshConfig krt.Singleton[MeshConfig],
        namespaces krt.Collection[*corev1.Namespace],
        opts krt.OptionsBuilder,
 ) krt.Collection[model.WaypointPolicyStatus] {
@@ -47,7 +54,14 @@
                                return nil // targetRef is required for binding 
to waypoint
                        }
 
-                       var conditions []model.PolicyBindingStatus
+                       var (
+                               conditions []model.PolicyBindingStatus
+                               rootNs     string
+                       )
+
+                       if meshConfig.Get() != nil {
+                               rootNs = 
meshConfig.Get().MeshConfig.RootNamespace
+                       }
 
                        for _, target := range targetRefs {
                                namespace := i.GetNamespace()
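Review bot: When `meshConfig.Get()` returns nil, rootNs stays "" and every policy targeting a GatewayClass is then reported Invalid with the message "must be in the root namespace ``", which looks like a configuration error rather than a transient one; consider falling back to the default root namespace the rest of the package uses, or to skipping the GatewayClass check until mesh config is available. The double call can also be folded into `if mc := meshConfig.Get(); mc != nil { rootNs = mc.MeshConfig.RootNamespace }`. This code sits inside the collection closure, which begins before the hunk.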
@@ -59,6 +73,28 @@
                                reason := "unknown"
                                bound := false
                                switch target.GetKind() {
+                               case gvk.GatewayClass_v1.Kind:
+                                       // first verify the AP is in the root 
namespace, if not it's ignored
+                                       if namespace != rootNs {
+                                               reason = 
model.WaypointPolicyReasonInvalid
+                                               message = 
fmt.Sprintf("AuthorizationPolicy must be in the root namespace `%s` when 
referencing a GatewayClass", rootNs)
+                                               break
+                                       }
+
+                                       fetchedGatewayClass := 
ptr.Flatten(krt.FetchOne(ctx, gatewayClasses, krt.FilterKey(target.GetName())))
+                                       if fetchedGatewayClass == nil {
+                                               reason = 
model.WaypointPolicyReasonTargetNotFound
+                                       } else {
+                                               // verify GatewayClass is for 
waypoint
+                                               if 
fetchedGatewayClass.Spec.ControllerName != 
constants.ManagedGatewayMeshController {
+                                                       reason = 
model.WaypointPolicyReasonInvalid
+                                                       message = 
fmt.Sprintf("GatewayClass must use controller name `%s` for waypoints", 
constants.ManagedGatewayMeshController)
+                                               } else {
+                                                       bound = true
+                                                       reason = 
model.WaypointPolicyReasonAccepted
+                                                       message = 
fmt.Sprintf("bound to %s", fetchedGatewayClass.GetName())
+                                               }
+                                       }
                                case gvk.KubernetesGateway.Kind:
                                        fetchedWaypoints := krt.Fetch(ctx, 
waypoints, krt.FilterKey(key))
                                        if len(fetchedWaypoints) == 1 {
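Review bot: The comment `// first verify the AP is in the root namespace, if not it's ignored` no longer matches the code beneath it, which does not ignore the policy but records an Invalid binding status with an explanatory message; suggest `// an AP outside the root namespace cannot bind to a GatewayClass; report it as Invalid`. The `break` on the line after that is a switch-break, not a loop-break, which is correct but easy to misread inside a `for`; a trailing `// leaves the switch, the for loop continues` would help, or an `else` chain would avoid it altogether. The enclosing switch and loop continue outside the hunk.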
@@ -132,6 +168,10 @@
        flags FeatureFlags,
 ) (krt.Collection[model.WorkloadAuthorization], 
krt.Collection[model.WorkloadAuthorization]) {
        AuthzDerivedPolicies := krt.NewCollection(authzPolicies, func(ctx 
krt.HandlerContext, i *securityclient.AuthorizationPolicy) 
*model.WorkloadAuthorization {
+               dryRun, _ := 
strconv.ParseBool(i.Annotations[annotation.IoIstioDryRun.Name])
+               if dryRun {
+                       return nil
+               }
                meshCfg := krt.FetchOne(ctx, meshConfig.AsCollection())
                pol, status := 
convertAuthorizationPolicy(meshCfg.GetRootNamespace(), i)
                if status == nil && pol == nil {
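Review bot: The error from `strconv.ParseBool` is discarded, so an unparseable dry-run annotation value silently enforces the policy; that is the safer default, but it should be stated so a later reader does not "fix" it, e.g. `// an unset or malformed dry-run annotation means the policy is enforced (fail closed)`. It may also be worth a debug log when the annotation is present but unparseable, since the operator's intent was clearly dry-run. The surrounding function and closure start outside the hunk.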
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/istioctl-1.25.1/pkg/log/options.go 
new/istioctl-1.25.2/pkg/log/options.go
--- old/istioctl-1.25.1/pkg/log/options.go      2025-03-22 06:37:44.000000000 
+0100
+++ new/istioctl-1.25.2/pkg/log/options.go      2025-04-11 16:24:19.000000000 
+0200
@@ -130,6 +130,15 @@
        })
 }
 
+// WithTeeToRolling configures a parallel logging pipeline that writes logs to 
a local rolling log of fixed size.
+// This is mainly used by the CNI plugin, and so the size and rollover is 
intentionally kept small.
+// rollingPath is the path the rolling log(s) will be written to.
+func (o *Options) WithTeeToRollingLocal(rollingPath string, maxSizeInMB int) 
*Options {
+       return o.WithExtension(func(c zapcore.Core) (zapcore.Core, func() 
error, error) {
+               return teeToRollingLocal(c, rollingPath, maxSizeInMB), func() 
error { return nil }, nil
+       })
+}
+
 // Extension provides an extension mechanism for logs.
 // This is essentially like https://pkg.go.dev/golang.org/x/exp/slog#Handler.
 // This interface should be considered unstable; we will likely swap it for 
slog in the future and not expose zap internals.
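Review bot: The doc comment names `WithTeeToRolling` but the function is `WithTeeToRollingLocal`, so godoc/lint will not associate it; make the first line `// WithTeeToRollingLocal configures a parallel logging pipeline that writes logs to a local rolling log of fixed size.` The maxSizeInMB parameter is also undocumented; add `// maxSizeInMB is the size at which the log file is rotated.` The closer returned from the extension is a no-op, which matters because the rolling writer opened by teeToRollingLocal is never closed (see the uds.go hunk).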
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/istioctl-1.25.1/pkg/log/uds.go 
new/istioctl-1.25.2/pkg/log/uds.go
--- old/istioctl-1.25.1/pkg/log/uds.go  2025-03-22 06:37:44.000000000 +0100
+++ new/istioctl-1.25.2/pkg/log/uds.go  2025-04-11 16:24:19.000000000 +0200
@@ -24,8 +24,10 @@
        "sync"
        "time"
 
+       "go.uber.org/zap"
        "go.uber.org/zap/buffer"
        "go.uber.org/zap/zapcore"
+       lj "gopkg.in/natefinch/lumberjack.v2"
 )
 
 // An udsCore write entries to an UDS server with HTTP Post. Log messages will 
be encoded into a JSON array.
@@ -60,9 +62,30 @@
                        break
                }
        }
+
        return zapcore.NewTee(baseCore, uc)
 }
 
+// Creates a small/fixed rolling log on the node's local FS.
+// This can be useful as a backup/fallback in case the node agent is down
+// and the UDS logging consequently fails (losing logs).
+func teeToRollingLocal(baseCore zapcore.Core, path string, maxSizeMB int) 
zapcore.Core {
+       w := zapcore.AddSync(&lj.Logger{
+               Filename:   path,
+               MaxSize:    maxSizeMB,
+               MaxBackups: 1,
+               MaxAge:     2, // days
+       })
+
+       core := zapcore.NewCore(
+               zapcore.NewJSONEncoder(defaultEncoderConfig),
+               w,
+               zap.InfoLevel,
+       )
+
+       return zapcore.NewTee(baseCore, core)
+}
+
 // Enabled implements zapcore.Core.
 func (u *udsCore) Enabled(l zapcore.Level) bool {
        return l >= u.minimumLevel
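Review bot: The lumberjack logger created here is never closed: teeToRollingLocal returns only the core, and the extension in options.go returns `func() error { return nil }` as its closer, so the rolling file handle lives until process exit. Keep a reference to the logger (`rolling := &lj.Logger{...}` then `w := zapcore.AddSync(rolling)`), return `zapcore.NewTee(baseCore, core), rolling.Close` as a second result, and have WithTeeToRollingLocal pass that closer through instead of the nil-returning one. The doc comment should also start with the function name per Go convention, e.g. `// teeToRollingLocal tees baseCore into a small, fixed-size rolling log on the node's local filesystem.`; the `MaxAge: 2, // days` note is good, but stating that Debug entries are intentionally dropped by `zap.InfoLevel` would complete it.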
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/istioctl-1.25.1/pkg/security/security.go 
new/istioctl-1.25.2/pkg/security/security.go
--- old/istioctl-1.25.1/pkg/security/security.go        2025-03-22 
06:37:44.000000000 +0100
+++ new/istioctl-1.25.2/pkg/security/security.go        2025-04-11 
16:24:19.000000000 +0200
@@ -255,6 +255,9 @@
        KeyFilePath string
        // The path for an existing root certificate bundle
        RootCertFilePath string
+
+       // Extra headers to add to the CA connection.
+       CAHeaders map[string]string
 }
 
 // Client interface defines the clients need to implement to talk to CA for 
CSR.
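Review bot: The new field's comment `// Extra headers to add to the CA connection.` leaves out what a maintainer needs: where the values come from and how they are sent. Based on the release note in this update and the citadel client hunk, suggest `// CAHeaders are extra gRPC metadata key/value pairs attached to every CA request. They are populated from CA_HEADER_-prefixed environment variables; keys must be valid metadata keys.` The struct this field belongs to begins outside the hunk.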
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/istioctl-1.25.1/releasenotes/notes/55304.yaml 
new/istioctl-1.25.2/releasenotes/notes/55304.yaml
--- old/istioctl-1.25.1/releasenotes/notes/55304.yaml   1970-01-01 
01:00:00.000000000 +0100
+++ new/istioctl-1.25.2/releasenotes/notes/55304.yaml   2025-04-11 
16:24:19.000000000 +0200
@@ -0,0 +1,8 @@
+apiVersion: release-notes/v2
+kind: bug-fix
+area: traffic-management
+issue:
+  - 55215
+releaseNotes:
+  - |
+    **Fixed** Corner cases where `istio-cni` might block its own upgrade. 
Added fallback logging (in case agent is down) to a fixed-size node-local 
logfile.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/istioctl-1.25.1/releasenotes/notes/add-customized-ca-metadata-support-to-istio-agent.yaml
 
new/istioctl-1.25.2/releasenotes/notes/add-customized-ca-metadata-support-to-istio-agent.yaml
--- 
old/istioctl-1.25.1/releasenotes/notes/add-customized-ca-metadata-support-to-istio-agent.yaml
       1970-01-01 01:00:00.000000000 +0100
+++ 
new/istioctl-1.25.2/releasenotes/notes/add-customized-ca-metadata-support-to-istio-agent.yaml
       2025-04-11 16:24:19.000000000 +0200
@@ -0,0 +1,8 @@
+apiVersion: release-notes/v2
+kind: feature
+area: traffic-management
+issue:
+- 55064
+releaseNotes:
+- |
+  **Added** an environment variable prefix `CA_HEADER_` (similar to 
`XDS_HEADER_``) that can be added to CA requests for different purposes, such 
as routing to appropriate external Istiods. Istio sidecar proxy, router, and 
waypoint now support this feature.
\ No newline at end of file
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/istioctl-1.25.1/releasenotes/notes/ap-gateway-class-status.yml 
new/istioctl-1.25.2/releasenotes/notes/ap-gateway-class-status.yml
--- old/istioctl-1.25.1/releasenotes/notes/ap-gateway-class-status.yml  
1970-01-01 01:00:00.000000000 +0100
+++ new/istioctl-1.25.2/releasenotes/notes/ap-gateway-class-status.yml  
2025-04-11 16:24:19.000000000 +0200
@@ -0,0 +1,6 @@
+apiVersion: release-notes/v2
+kind: bug-fix
+area: traffic-management
+releaseNotes:
+- |
+  **Fixed** an issue where `AuthorizationPolicy`'s WaypointAccepted status 
condition was not being updated to reflect the resolution of a `GatewayClass` 
target reference.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/istioctl-1.25.1/releasenotes/notes/ap-not-in-root-ns-gwclass-targetref.yml 
new/istioctl-1.25.2/releasenotes/notes/ap-not-in-root-ns-gwclass-targetref.yml
--- 
old/istioctl-1.25.1/releasenotes/notes/ap-not-in-root-ns-gwclass-targetref.yml  
    1970-01-01 01:00:00.000000000 +0100
+++ 
new/istioctl-1.25.2/releasenotes/notes/ap-not-in-root-ns-gwclass-targetref.yml  
    2025-04-11 16:24:19.000000000 +0200
@@ -0,0 +1,6 @@
+apiVersion: release-notes/v2
+kind: bug-fix
+area: traffic-management
+releaseNotes:
+- |
+  **Fixed** an issue where WaypointAccepted status condition for 
AuthorizationPolicies that reference a GatewayClass and do not reside in the 
root namespace was not being updated with the correct reason and message.
\ No newline at end of file
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/istioctl-1.25.1/releasenotes/notes/grpc-inbound-retry.yaml 
new/istioctl-1.25.2/releasenotes/notes/grpc-inbound-retry.yaml
--- old/istioctl-1.25.1/releasenotes/notes/grpc-inbound-retry.yaml      
1970-01-01 01:00:00.000000000 +0100
+++ new/istioctl-1.25.2/releasenotes/notes/grpc-inbound-retry.yaml      
2025-04-11 16:24:19.000000000 +0200
@@ -0,0 +1,6 @@
+apiVersion: release-notes/v2
+kind: bug-fix
+area: traffic-management
+releaseNotes:
+  - |
+    **Fixed** an issue where proxy memory goes up with gRPC streaming services.
\ No newline at end of file
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/istioctl-1.25.1/releasenotes/notes/rds-cache-alias.yaml 
new/istioctl-1.25.2/releasenotes/notes/rds-cache-alias.yaml
--- old/istioctl-1.25.1/releasenotes/notes/rds-cache-alias.yaml 1970-01-01 
01:00:00.000000000 +0100
+++ new/istioctl-1.25.2/releasenotes/notes/rds-cache-alias.yaml 2025-04-11 
16:24:19.000000000 +0200
@@ -0,0 +1,6 @@
+apiVersion: release-notes/v2
+kind: bug-fix
+area: traffic-management
+releaseNotes:
+  - |
+    **Fixed** an issue causing changes to ExternalName services to sometimes 
be skipped due to a cache eviction bug.
\ No newline at end of file
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/istioctl-1.25.1/security/pkg/nodeagent/caclient/providers/citadel/client.go 
new/istioctl-1.25.2/security/pkg/nodeagent/caclient/providers/citadel/client.go
--- 
old/istioctl-1.25.1/security/pkg/nodeagent/caclient/providers/citadel/client.go 
    2025-03-22 06:37:44.000000000 +0100
+++ 
new/istioctl-1.25.2/security/pkg/nodeagent/caclient/providers/citadel/client.go 
    2025-04-11 16:24:19.000000000 +0200
@@ -105,6 +105,10 @@
        }()
 
        ctx := metadata.NewOutgoingContext(context.Background(), 
metadata.Pairs("ClusterID", c.opts.ClusterID))
+       for k, v := range c.opts.CAHeaders {
+               ctx = metadata.AppendToOutgoingContext(ctx, k, v)
+       }
+
        resp, err := c.client.CreateCertificate(ctx, req)
        if err != nil {
                return nil, fmt.Errorf("create certificate: %v", err)
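Review bot: Iterating the map directly makes the metadata order differ between runs and calls `AppendToOutgoingContext` once per header; append the pairs in sorted key order in a single variadic call so request metadata is deterministic and easier to compare in logs. Because these pairs come from the environment, a key that collides with the `ClusterID` pair set on the previous line would be appended as a second value for that key rather than replaced, and a key with characters that gRPC metadata does not allow would presumably fail every CSR at send time; both are better rejected once when the options are parsed than discovered per request. The enclosing method starts outside the hunk.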
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/istioctl-1.25.1/security/pkg/server/ca/server.go 
new/istioctl-1.25.2/security/pkg/server/ca/server.go
--- old/istioctl-1.25.1/security/pkg/server/ca/server.go        2025-03-22 
06:37:44.000000000 +0100
+++ new/istioctl-1.25.2/security/pkg/server/ca/server.go        2025-04-11 
16:24:19.000000000 +0200
@@ -137,10 +137,6 @@
                        serverCaLog.Debugf("Append cert chain to response, %s", 
string(certChainBytes))
                }
        }
-       if len(rootCertBytes) != 0 {
-               respCertChain = append(respCertChain, string(rootCertBytes))
-       }
-
        // expand `respCertChain` since each element might be a concatenated 
multi-cert PEM
        // the expanded structure (one cert per `string` in `certChain`) is 
specifically expected by `ztunnel`
        response := &pb.IstioCertificateResponse{}
@@ -151,6 +147,13 @@
                        response.CertChain = append(response.CertChain, 
cert+"\n")
                }
        }
+       // Per the spec: "... the root cert is the last element." so we do not 
want to flatten the root cert.
+       // If we did, the client cannot distinguish the root.
+       // A better API would put the root in a separate field entirely...
+       if len(rootCertBytes) != 0 {
+               response.CertChain = append(response.CertChain, 
string(rootCertBytes))
+       }
+
        serverCaLog.Debugf("Responding with cert chain, %q", response.CertChain)
        s.monitoring.Success.Increment()
        serverCaLog.Debugf("CSR successfully signed, sans %v.", sans)
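Review bot: The root element is appended as `string(rootCertBytes)` while every expanded chain element above it gets `cert+"\n"`, so the last element is the only one whose trailing newline depends on the input; if rootCertBytes can arrive without one, normalize it, e.g. `strings.TrimRight(string(rootCertBytes), "\n") + "\n"`, or state in the comment that the root is passed through byte-for-byte on purpose. The comment could also say explicitly that this last element may itself hold several PEM blocks when a multi-root bundle is configured, which is the case the earlier hunk's flattening would have broken. The handler continues outside the hunk.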

++++++ istioctl.obsinfo ++++++
--- /var/tmp/diff_new_pack.qmb8JN/_old  2025-04-20 19:56:39.524625836 +0200
+++ /var/tmp/diff_new_pack.qmb8JN/_new  2025-04-20 19:56:39.528626004 +0200
@@ -1,5 +1,5 @@
 name: istioctl
-version: 1.25.1
-mtime: 1742621864
-commit: be4b14ad8be844c5f876a41ad4437217a2e03cf8
+version: 1.25.2
+mtime: 1744381459
+commit: 0d83506c28834f5f12553ee11d76a18e7ea75f20
 

++++++ vendor.tar.gz ++++++
/work/SRC/openSUSE:Factory/istioctl/vendor.tar.gz 
/work/SRC/openSUSE:Factory/.istioctl.new.30101/vendor.tar.gz differ: char 5, 
line 1
