Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package istioctl for openSUSE:Factory checked in at 2025-05-31 19:17:35 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/istioctl (Old) and /work/SRC/openSUSE:Factory/.istioctl.new.16005 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "istioctl" Sat May 31 19:17:35 2025 rev:35 rq:1281591 version:1.26.1 Changes: -------- --- /work/SRC/openSUSE:Factory/istioctl/istioctl.changes 2025-05-09 18:52:01.010722729 +0200 +++ /work/SRC/openSUSE:Factory/.istioctl.new.16005/istioctl.changes 2025-05-31 19:18:35.771066322 +0200 @@ -1,0 +2,10 @@ +Sat May 31 07:05:33 UTC 2025 - Johannes Kastl <opensuse_buildserv...@ojkastl.de> + +- update to 1.26.1: + https://istio.io/latest/news/releases/1.26.x/announcing-1.26.1/ + * Changes + - Fixed false positives when istioctl analyze raised error IST0134 + even when PILOT_ENABLE_IP_AUTOALLOCATE was set to true. + (Issue #56083) + +------------------------------------------------------------------- Old: ---- istioctl-1.26.0.obscpio New: ---- istioctl-1.26.1.obscpio ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ istioctl.spec ++++++ --- /var/tmp/diff_new_pack.7e3C7D/_old 2025-05-31 19:18:36.915114515 +0200 +++ /var/tmp/diff_new_pack.7e3C7D/_new 2025-05-31 19:18:36.919114684 +0200 @@ -17,7 +17,7 @@ Name: istioctl -Version: 1.26.0 +Version: 1.26.1 Release: 0 Summary: CLI for the istio servic mesh in Kubernetes License: Apache-2.0 ++++++ _service ++++++ --- /var/tmp/diff_new_pack.7e3C7D/_old 2025-05-31 19:18:36.955116200 +0200 +++ /var/tmp/diff_new_pack.7e3C7D/_new 2025-05-31 19:18:36.955116200 +0200 
@@ -3,7 +3,7 @@ <param name="url">https://github.com/istio/istio</param> <param name="scm">git</param> <param name="exclude">.git</param> - <param name="revision">1.26.0</param> + <param name="revision">1.26.1</param> <param name="versionformat">@PARENT_TAG@</param> <param name="changesgenerate">disable</param> <param name="filename">istioctl</param> ++++++ istioctl-1.26.0.obscpio -> istioctl-1.26.1.obscpio ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/istioctl-1.26.0/go.mod new/istioctl-1.26.1/go.mod --- old/istioctl-1.26.0/go.mod 2025-05-06 20:19:44.000000000 +0200 +++ new/istioctl-1.26.1/go.mod 2025-05-27 19:44:34.000000000 +0200 @@ -44,7 +44,7 @@ github.com/howardjohn/unshare-go v0.5.0 github.com/lestrrat-go/jwx v1.2.30 github.com/mattn/go-isatty v0.0.20 - github.com/miekg/dns v1.1.64 + github.com/miekg/dns v1.1.65 github.com/mitchellh/copystructure v1.2.0 github.com/moby/buildkit v0.20.1 github.com/onsi/gomega v1.36.2 @@ -79,10 +79,10 @@ go.opentelemetry.io/proto/otlp v1.5.0 go.uber.org/atomic v1.11.0 go.uber.org/zap v1.27.0 - golang.org/x/net v0.38.0 + golang.org/x/net v0.39.0 golang.org/x/oauth2 v0.28.0 - golang.org/x/sync v0.12.0 - golang.org/x/sys v0.31.0 + golang.org/x/sync v0.13.0 + golang.org/x/sys v0.32.0 golang.org/x/time v0.11.0 gomodules.xyz/jsonpatch/v2 v2.5.0 google.golang.org/genproto/googleapis/api v0.0.0-20250324211829-b45e905df463 @@ -92,7 +92,7 @@ gopkg.in/natefinch/lumberjack.v2 v2.2.1 gopkg.in/yaml.v2 v2.4.0 gopkg.in/yaml.v3 v3.0.1 - helm.sh/helm/v3 v3.17.1 + helm.sh/helm/v3 v3.17.3 istio.io/api v1.26.0-beta.0 istio.io/client-go v1.26.0-beta.0 k8s.io/api v0.32.3 @@ -105,7 +105,7 @@ k8s.io/kubectl v0.32.3 k8s.io/utils v0.0.0-20241210054802-24370beab758 sigs.k8s.io/controller-runtime v0.20.4 - sigs.k8s.io/gateway-api v1.3.0-rc.1.0.20250404104637-92efbedcc2b4 + sigs.k8s.io/gateway-api v1.3.0 sigs.k8s.io/mcs-api v0.1.1-0.20240624222831-d7001fe1d21c sigs.k8s.io/yaml v1.4.0 ) 
@@ -208,11 +208,11 @@ go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.59.0 // indirect go.uber.org/mock v0.5.0 // indirect go.uber.org/multierr v1.11.0 // indirect - golang.org/x/crypto v0.36.0 // indirect + golang.org/x/crypto v0.37.0 // indirect golang.org/x/exp v0.0.0-20241215155358-4a5509556b9e // indirect golang.org/x/mod v0.23.0 // indirect - golang.org/x/term v0.30.0 // indirect - golang.org/x/text v0.23.0 // indirect + golang.org/x/term v0.31.0 // indirect + golang.org/x/text v0.24.0 // indirect golang.org/x/tools v0.30.0 // indirect gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect gopkg.in/inf.v0 v0.9.1 // indirect @@ -223,5 +223,5 @@ sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 // indirect sigs.k8s.io/kustomize/api v0.18.0 // indirect sigs.k8s.io/kustomize/kyaml v0.18.1 // indirect - sigs.k8s.io/structured-merge-diff/v4 v4.6.0 // indirect + sigs.k8s.io/structured-merge-diff/v4 v4.7.0 // indirect ) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/istioctl-1.26.0/go.sum new/istioctl-1.26.1/go.sum --- old/istioctl-1.26.0/go.sum 2025-05-06 20:19:44.000000000 +0200 +++ new/istioctl-1.26.1/go.sum 2025-05-27 19:44:34.000000000 +0200 
@@ -300,8 +300,8 @@ github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y= github.com/mattn/go-runewidth v0.0.16 h1:E5ScNMtiwvlvB5paMFdw9p4kSQzbXFikJ5SQO6TULQc= github.com/mattn/go-runewidth v0.0.16/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w= -github.com/miekg/dns v1.1.64 h1:wuZgD9wwCE6XMT05UU/mlSko71eRSXEAm2EbjQXLKnQ= -github.com/miekg/dns v1.1.64/go.mod h1:Dzw9769uoKVaLuODMDZz9M6ynFU6Em65csPuoi8G0ck= +github.com/miekg/dns v1.1.65 h1:0+tIPHzUW0GCge7IiK3guGP57VAw7hoPDfApjkMD1Fc= +github.com/miekg/dns v1.1.65/go.mod h1:Dzw9769uoKVaLuODMDZz9M6ynFU6Em65csPuoi8G0ck= github.com/mitchellh/copystructure v1.2.0 h1:vpKXTN4ewci03Vljg/q9QvCGUDttBOGBIa15WveJJGw= github.com/mitchellh/copystructure v1.2.0/go.mod h1:qLl+cE2AmVv+CoeAwDPye/v+N2HKCj9FbZEVFJRxO9s= github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y= @@ -499,8 +499,8 @@ golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= -golang.org/x/crypto v0.36.0 h1:AnAEvhDddvBdpY+uR+MyHmuZzzNqXSe/GvuDeob5L34= -golang.org/x/crypto v0.36.0/go.mod h1:Y4J0ReaxCR1IMaabaSMugxJES1EpwhBHhv2bDHklZvc= +golang.org/x/crypto v0.37.0 h1:kJNSjF/Xp7kU0iB2Z+9viTPMW4EqqsrywMXLJOOsXSE= +golang.org/x/crypto v0.37.0/go.mod h1:vg+k43peMZ0pUMhYmVAWysMK35e6ioLh3wB8ZCAfbVc= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20241215155358-4a5509556b9e h1:4qufH0hlUYs6AO6XmZC3GqfDPGSXHVXUFR6OND+iJX4= golang.org/x/exp v0.0.0-20241215155358-4a5509556b9e/go.mod h1:qj5a5QZpwLU2NLQudwIN5koi3beDhSAlJwa67PuM98c= 
@@ -520,8 +520,8 @@ golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= -golang.org/x/net v0.38.0 h1:vRMAPTMaeGqVhG5QyLJHqNDwecKTomGeqbnfZyKlBI8= -golang.org/x/net v0.38.0/go.mod h1:ivrbrMbzFq5J41QOQh0siUuly180yBYtLp+CKbEaFx8= +golang.org/x/net v0.39.0 h1:ZCu7HMWDxpXpaiKdhzIfaltL9Lp31x/3fCP11bc6/fY= +golang.org/x/net v0.39.0/go.mod h1:X7NRbYVEA+ewNkCNyJ513WmMdQ3BineSwVtN2zD/d+E= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.28.0 h1:CrgCKl8PPAVtLnU3c+EDw6x11699EWlsDeWNWKdIOkc= golang.org/x/oauth2 v0.28.0/go.mod h1:onh5ek6nERTohokkhCD/y2cV4Do3fxFHFuAejCkRWT8= @@ -530,8 +530,8 @@ golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.12.0 h1:MHc5BpPuC30uJk597Ri8TV3CNZcTLu6B6z4lJy+g6Jw= -golang.org/x/sync v0.12.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA= +golang.org/x/sync v0.13.0 h1:AauUjRAJ9OSnvULf/ARrrVywoJDy0YS2AwQ98I37610= +golang.org/x/sync v0.13.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA= golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 
@@ -544,14 +544,14 @@ golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.31.0 h1:ioabZlmFYtWhL+TRYpcnNlLwhyxaM9kWTDEmfnprqik= -golang.org/x/sys v0.31.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k= -golang.org/x/term v0.30.0 h1:PQ39fJZ+mfadBm0y5WlL4vlM7Sx1Hgf13sMIY2+QS9Y= -golang.org/x/term v0.30.0/go.mod h1:NYYFdzHoI5wRh/h5tDMdMqCqPJZEuNqVR5xJLd/n67g= +golang.org/x/sys v0.32.0 h1:s77OFDvIQeibCmezSnk/q6iAfkdiQaJi4VzroCFrN20= +golang.org/x/sys v0.32.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k= +golang.org/x/term v0.31.0 h1:erwDkOK1Msy6offm1mOgvspSkslFnIGsFnxOKoufg3o= +golang.org/x/term v0.31.0/go.mod h1:R4BeIy7D95HzImkxGkTW1UQTtP54tio2RyHz7PwK0aw= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.23.0 h1:D71I7dUrlY+VX0gQShAThNGHFxZ13dGLBHQLVl1mJlY= -golang.org/x/text v0.23.0/go.mod h1:/BLNzu4aZCJ1+kcD0DNRotWKage4q2rGVAg4o22unh4= +golang.org/x/text v0.24.0 h1:dd5Bzh4yt5KYA8f9CJHCP4FB4D51c2c6JvN37xJJkJ0= +golang.org/x/text v0.24.0/go.mod h1:L8rBsPeo2pSS+xqN0d5u2ikmjtmoJbDBT1b7nHvFCdU= golang.org/x/time v0.11.0 h1:/bpjEDfN9tkoN/ryeYHnv5hcMlc8ncjMcM4XBk5NWV0= golang.org/x/time v0.11.0/go.mod h1:CDIdPxbZBQxdj6cxyCIdrNogrJKMJ7pr37NYpMcMDSg= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= 
@@ -613,8 +613,8 @@ gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gotest.tools/v3 v3.0.3 h1:4AuOwCGf4lLR9u3YOe2awrHygurzhO/HeQ6laiA6Sx0= gotest.tools/v3 v3.0.3/go.mod h1:Z7Lb0S5l+klDB31fvDQX8ss/FlKDxtlFlw3Oa8Ymbl8= -helm.sh/helm/v3 v3.17.1 h1:gzVoAD+qVuoJU6KDMSAeo0xRJ6N1znRxz3wyuXRmJDk= -helm.sh/helm/v3 v3.17.1/go.mod h1:nvreuhuR+j78NkQcLC3TYoprCKStLyw5P4T7E5itv2w= +helm.sh/helm/v3 v3.17.3 h1:3n5rW3D0ArjFl0p4/oWO8IbY/HKaNNwJtOQFdH2AZHg= +helm.sh/helm/v3 v3.17.3/go.mod h1:+uJKMH/UiMzZQOALR3XUf3BLIoczI2RKKD6bMhPh4G8= honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= istio.io/api v1.26.0-beta.0 h1:m1WxHjHdAOrjuz0YzSFgzlKRmf3hvVmspkWTM6FX/po= @@ -647,8 +647,8 @@ sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.31.1/go.mod h1:Ve9uj1L+deCXFrPOk1LpFXqTg7LCFzFso6PA48q/XZw= sigs.k8s.io/controller-runtime v0.20.4 h1:X3c+Odnxz+iPTRobG4tp092+CvBU9UK0t/bRf+n0DGU= sigs.k8s.io/controller-runtime v0.20.4/go.mod h1:xg2XB0K5ShQzAgsoujxuKN4LNXR2LfwwHsPj7Iaw+XY= -sigs.k8s.io/gateway-api v1.3.0-rc.1.0.20250404104637-92efbedcc2b4 h1:B5WxrbbwAJQpC5UatORrm0MArdaQgj2NhAlMRQwAqho= -sigs.k8s.io/gateway-api v1.3.0-rc.1.0.20250404104637-92efbedcc2b4/go.mod h1:uM5idPTEQZVyd0bRSu00mbtF4VEgraPyU1OFNbY6lqk= +sigs.k8s.io/gateway-api v1.3.0 h1:q6okN+/UKDATola4JY7zXzx40WO4VISk7i9DIfOvr9M= +sigs.k8s.io/gateway-api v1.3.0/go.mod h1:d8NV8nJbaRbEKem+5IuxkL8gJGOZ+FJ+NvOIltV8gDk= sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 h1:gBQPwqORJ8d8/YNZWEjoZs7npUVDpVXUUOFfW6CgAqE= sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg= sigs.k8s.io/kustomize/api v0.18.0 h1:hTzp67k+3NEVInwz5BHyzc9rGxIauoXferXyjv5lWPo= 
@@ -659,7 +659,7 @@ sigs.k8s.io/mcs-api v0.1.1-0.20240624222831-d7001fe1d21c/go.mod h1:DPFniRsBzCeLB4ANjlPEvQQt9QGIX489d1faK+GPvI4= sigs.k8s.io/randfill v0.0.0-20250304075658-069ef1bbf016 h1:kXv6kKdoEtedwuqMmkqhbkgvYKeycVbC8+iPCP9j5kQ= sigs.k8s.io/randfill v0.0.0-20250304075658-069ef1bbf016/go.mod h1:XeLlZ/jmk4i1HRopwe7/aU3H5n1zNUcX6TM94b3QxOY= -sigs.k8s.io/structured-merge-diff/v4 v4.6.0 h1:IUA9nvMmnKWcj5jl84xn+T5MnlZKThmUW1TdblaLVAc= -sigs.k8s.io/structured-merge-diff/v4 v4.6.0/go.mod h1:dDy58f92j70zLsuZVuUX5Wp9vtxXpaZnkPGWeqDfCps= +sigs.k8s.io/structured-merge-diff/v4 v4.7.0 h1:qPeWmscJcXP0snki5IYF79Z8xrl8ETFxgMd7wez1XkI= +sigs.k8s.io/structured-merge-diff/v4 v4.7.0/go.mod h1:dDy58f92j70zLsuZVuUX5Wp9vtxXpaZnkPGWeqDfCps= sigs.k8s.io/yaml v1.4.0 h1:Mk1wCc2gy/F0THH0TAp1QYyJNzRm2KCLy3o5ASXVI5E= sigs.k8s.io/yaml v1.4.0/go.mod h1:Ejl7/uTz7PSA4eKMyQCUTnhZYNmLIl+5c2lQPGR2BPY= diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/istioctl-1.26.0/istio.deps new/istioctl-1.26.1/istio.deps --- old/istioctl-1.26.0/istio.deps 2025-05-06 20:19:44.000000000 +0200 +++ new/istioctl-1.26.1/istio.deps 2025-05-27 19:44:34.000000000 +0200 @@ -4,13 +4,13 @@ "name": "PROXY_REPO_SHA", "repoName": "proxy", "file": "", - "lastStableSHA": "71a753428f4479887db4b686ca9d01cfc6e11068" + "lastStableSHA": "19d31b12e62848c5e9f3f786c6c9a650ebc00b64" }, { "_comment": "", "name": "ZTUNNEL_REPO_SHA", "repoName": "ztunnel", "file": "", - "lastStableSHA": "2f601957bd172b34990612f4d8f847cadf4e880d" + "lastStableSHA": "c5c31102fd1ddefe95bf3c40dbbe36652dcd7889" } ] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/istioctl-1.26.0/operator/cmd/mesh/manifest-translate.go new/istioctl-1.26.1/operator/cmd/mesh/manifest-translate.go --- old/istioctl-1.26.0/operator/cmd/mesh/manifest-translate.go 2025-05-06 20:19:44.000000000 +0200 +++ new/istioctl-1.26.1/operator/cmd/mesh/manifest-translate.go 2025-05-27 19:44:34.000000000 +0200 
@@ -25,6 +25,8 @@ "github.com/spf13/cobra" "istio.io/istio/istioctl/pkg/cli" + "istio.io/istio/operator/pkg/component" + "istio.io/istio/operator/pkg/manifest" "istio.io/istio/operator/pkg/render" "istio.io/istio/operator/pkg/util/clog" "istio.io/istio/pkg/kube" @@ -110,11 +112,14 @@ if err != nil { return err } + generatedManifestMap := make(map[component.Name]manifest.ManifestSet) + for _, m := range istioctlGeneratedManifests { + generatedManifestMap[m.Component] = m + } res, err := render.Migrate(mgArgs.InFilenames, setFlags, kubeClient) if err != nil { return err } - _ = res out := mgArgs.Output write := func(name string, contents string) error { perm := 0o644 @@ -124,7 +129,7 @@ return os.WriteFile(filepath.Join(out, name), []byte(contents), fs.FileMode(perm)) } results := []string{} - for idx, info := range res.Components { + for _, info := range res.Components { name := ptr.NonEmptyOrDefault(info.ComponentSpec.Name, info.Component.SpecName) if info.Component.ReleaseName == "" { results = append(results, fmt.Sprintf(`* ❌ **Component %s**: migration is **NOT** directly supported!`, 
@@ -158,7 +163,11 @@ } diffWarn := "" helmManifests := strings.Join(sortManifests(info.Manifest), "\n---\n") - istioctlManifests := strings.Join(sortManifests(istioctlGeneratedManifests[idx].Manifests), "\n---\n") + generatedManifest, ok := generatedManifestMap[info.Component.UserFacingName] + if !ok { + continue + } + istioctlManifests := strings.Join(sortManifests(generatedManifest.Manifests), "\n---\n") if helmManifests != istioctlManifests { helmName := fmt.Sprintf("diff-%s-helm-output.yaml", name) istioctlName := fmt.Sprintf("diff-%s-istioctl-output.yaml", name) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/istioctl-1.26.0/pilot/pkg/bootstrap/istio_ca.go new/istioctl-1.26.1/pilot/pkg/bootstrap/istio_ca.go --- old/istioctl-1.26.0/pilot/pkg/bootstrap/istio_ca.go 2025-05-06 20:19:44.000000000 +0200 +++ new/istioctl-1.26.1/pilot/pkg/bootstrap/istio_ca.go 2025-05-27 19:44:34.000000000 +0200 @@ -263,13 +263,24 @@ return nil } - signingKeyFile := path.Join(dir, ca.CAPrivateKeyFile) - if _, err := os.Stat(signingKeyFile); err == nil { + // Skip remote fetch if a complete CA bundle is already mounted + signingCABundleComplete, bundleExists, err := checkCABundleCompleteness( + path.Join(dir, ca.CAPrivateKeyFile), + path.Join(dir, ca.CACertFile), + path.Join(dir, ca.RootCertFile), + []string{path.Join(dir, ca.CertChainFile)}, + ) + if err != nil && !os.IsNotExist(err) { + return fmt.Errorf("error loading remote CA certs: %w", err) + } + if signingCABundleComplete { return nil - } else if !os.IsNotExist(err) { - return fmt.Errorf("signing key file %s already exists", signingKeyFile) + } + if bundleExists { + log.Warnf("incomplete signing CA bundle detected at %s", dir) } + // if locally mounted signing bundle not found or is incomplete, try loading from remote cluster secrets secret, err := s.kubeClient.Kube().CoreV1().Secrets(caOpts.Namespace).Get( context.TODO(), ca.CACertsSecret, metav1.GetOptions{}) if err != nil { 
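Review bot: The `if !ok { continue }` added after the `generatedManifestMap` lookup drops the component from the helm-versus-istioctl comparison without leaving any trace in `results`, so the migration report cannot distinguish "manifests matched" from "comparison never ran". The map is keyed by `m.Component` in the earlier hunk but read with `info.Component.UserFacingName`; if those two names ever stop lining up, every component would be skipped silently. I would record the gap before continuing, for example `results = append(results, fmt.Sprintf("* **Component %s**: no istioctl-generated manifest found, diff skipped", name))`. The loop body starts and ends outside this hunk, so what else the `continue` bypasses cannot be confirmed from here.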
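Review bot: An incomplete mounted bundle is only logged with `log.Warnf` in the `@@ -263` hunk of `istio_ca.go`, after which the function goes on to fetch the `cacerts` Secret and save it into the same `dir`, while `createIstioCA` later in this file treats the same condition as a hard error. That could leave key material from two sources side by side in one directory; the write itself is outside this hunk, so this is inferred from the `saving contents to %s` context in the next hunk. The `!os.IsNotExist(err)` half of the error check also has no effect, because `fileExists` already turns not-exist into `(false, nil)` and wraps everything else with `%v`, so the condition is just `err != nil`. I would either return an error when `bundleExists && !signingCABundleComplete`, as `createIstioCA` does, or add a comment stating why falling through to the remote Secret is safe.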
@@ -279,6 +290,9 @@ return err } + // TODO(deveshdama): writing cacerts files from remote cluster will always fail, + // since etc/cacerts is mounted as readonly volume + // tracking issue: https://github.com/istio/istio/issues/55698 log.Infof("cacerts Secret found in config cluster, saving contents to %s", dir) if err := os.MkdirAll(dir, 0o700); err != nil { return err @@ -427,7 +441,7 @@ // which may contain multiple roots. A 'cert-chain.pem' file has the full cert chain. func (s *Server) createIstioCA(opts *caOptions) (*ca.IstioCA, error) { var caOpts *ca.IstioCAOptions - var detectedSigningCABundle bool + var signingCABundleComplete bool var istioGenerated bool var err error @@ -435,14 +449,28 @@ if err != nil { return nil, fmt.Errorf("unable to determine signing file format %v", err) } - if _, err := os.Stat(fileBundle.SigningKeyFile); err == nil { - detectedSigningCABundle = true + + signingCABundleComplete, bundleExists, err := checkCABundleCompleteness( + fileBundle.SigningKeyFile, + fileBundle.SigningCertFile, + fileBundle.RootCertFile, + fileBundle.CertChainFiles, + ) + if err != nil { + return nil, fmt.Errorf("failed to create an istiod CA: %w", err) + } + if !signingCABundleComplete && bundleExists { + return nil, fmt.Errorf("failed to create an istiod CA: incomplete signing CA bundle detected") + } + + if signingCABundleComplete { if _, err := os.Stat(path.Join(LocalCertDir.Get(), ca.IstioGenerated)); err == nil { istioGenerated = true } } - if !detectedSigningCABundle || (features.UseCacertsForSelfSignedCA && istioGenerated) { + useSelfSignedCA := !signingCABundleComplete || (features.UseCacertsForSelfSignedCA && istioGenerated) + if useSelfSignedCA { if features.UseCacertsForSelfSignedCA && istioGenerated { log.Infof("IstioGenerated %s secret found, use it as the CA certificate", ca.CACertsSecret) 
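Review bot: The new failure `incomplete signing CA bundle detected` in the `@@ -435` hunk does not say which of the four inputs is missing, and `checkCABundleCompleteness` returns only two booleans, so an operator whose istiod refuses to start has to inspect the mount by hand. Naming the paths costs one line: `return nil, fmt.Errorf("failed to create an istiod CA: incomplete signing CA bundle (key %q, cert %q, root %q, chain %v)", fileBundle.SigningKeyFile, fileBundle.SigningCertFile, fileBundle.RootCertFile, fileBundle.CertChainFiles)`. `signingCABundleComplete` and `err` appear to be declared with `var` at the top of the function already, so the `:=` here would only introduce `bundleExists`; a separate `var bundleExists bool` with plain `=` would make that explicit. The function body continues outside the hunk.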
@@ -568,3 +596,72 @@ }) return raServer, err } + +// checkCABundleCompleteness checks if all required CA certificate files exist +// this function may return bundleExists as false even when some files exist in case of an error +func checkCABundleCompleteness( + signingKeyFile, signingCertFile, rootCertFile string, + chainFiles []string, +) ( + signingCABundleComplete bool, + bundleExists bool, + err error, +) { + signingKeyExists, err := fileExists(signingKeyFile) + if err != nil { + return false, false, err + } + + signingCertExists, err := fileExists(signingCertFile) + if err != nil { + return false, signingKeyExists, err + } + + rootCertExists, err := fileExists(rootCertFile) + if err != nil { + return false, signingKeyExists || signingCertExists, err + } + + chainFilesExist, err := hasValidChainFiles(chainFiles) + if err != nil { + return false, signingKeyExists || signingCertExists || rootCertExists, err + } + + bundleExists = signingKeyExists || signingCertExists || rootCertExists || chainFilesExist + signingCABundleComplete = signingKeyExists && signingCertExists && rootCertExists && chainFilesExist + + return signingCABundleComplete, bundleExists, nil +} + +// fileExists checks if a file exists and is accessible +func fileExists(filename string) (bool, error) { + if filename == "" { + return false, nil + } + _, err := os.Stat(filename) + if err != nil { + if os.IsNotExist(err) { + return false, nil + } + return false, fmt.Errorf("error checking file %s: %v", filename, err) + } + return true, nil +} + +// hasValidChainFiles checks if there is at least one valid cert chain file +func hasValidChainFiles(files []string) (bool, error) { + if len(files) == 0 { + return false, nil + } + + for _, file := range files { + exists, err := fileExists(file) + if err != nil { + return false, err + } + if exists { + return true, nil + } + } + return false, nil +} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' 
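Review bot: "Complete" and "valid" in these helpers mean only that `os.Stat` succeeded: `fileExists` returns true for a directory or a zero-length file, and `hasValidChainFiles` never parses anything, so a bundle can pass this gate and still fail to load. I would rename `hasValidChainFiles` to something like `anyChainFileExists` and have the doc comment on `checkCABundleCompleteness` state plainly that presence, not content or key/cert agreement, is what is checked. `fileExists` should wrap with `%w` rather than `%v`, `fmt.Errorf("error checking file %s: %w", filename, err)`, so callers can still use `errors.Is` on permission or I/O failures. The early returns report `bundleExists` from only the files examined so far, as the comment says, so the doc should also tell callers not to act on `bundleExists` when `err != nil`.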
old/istioctl-1.26.0/pilot/pkg/bootstrap/istio_ca_test.go new/istioctl-1.26.1/pilot/pkg/bootstrap/istio_ca_test.go --- old/istioctl-1.26.0/pilot/pkg/bootstrap/istio_ca_test.go 2025-05-06 20:19:44.000000000 +0200 +++ new/istioctl-1.26.1/pilot/pkg/bootstrap/istio_ca_test.go 2025-05-27 19:44:34.000000000 +0200 
@@ -32,6 +32,61 @@ const testNamespace = "istio-system" +func TestCheckCABundleCompleteness(t *testing.T) { + g := NewWithT(t) + + dir := t.TempDir() + + // Create partial certificate files (missing signing key) + rootCertFile := path.Join(dir, "root-cert.pem") + certChainFile := path.Join(dir, "cert-chain.pem") + caCertFile := path.Join(dir, "ca-cert.pem") + + // Create some files but not all + rootCert, err := readSampleCertFromFile("root-cert.pem") + g.Expect(err).Should(BeNil()) + err = os.WriteFile(rootCertFile, rootCert, 0o600) + g.Expect(err).Should(BeNil()) + + certChain, err := readSampleCertFromFile("cert-chain.pem") + g.Expect(err).Should(BeNil()) + err = os.WriteFile(certChainFile, certChain, 0o600) + g.Expect(err).Should(BeNil()) + + caCert, err := readSampleCertFromFile("ca-cert.pem") + g.Expect(err).Should(BeNil()) + err = os.WriteFile(caCertFile, caCert, 0o600) + g.Expect(err).Should(BeNil()) + + // Test with incomplete bundle + signingCABundleComplete, bundleExists, err := checkCABundleCompleteness( + path.Join(dir, "ca-key.pem"), + path.Join(dir, "ca-cert.pem"), + path.Join(dir, "root-cert.pem"), + []string{path.Join(dir, "cert-chain.pem")}, + ) + g.Expect(err).Should(BeNil()) + g.Expect(signingCABundleComplete).Should(Equal(false)) + g.Expect(bundleExists).Should(Equal(true)) + + // Add missing key file to complete the bundle + caKey, err := readSampleCertFromFile("ca-key.pem") + g.Expect(err).Should(BeNil()) + err = os.WriteFile(path.Join(dir, "ca-key.pem"), caKey, 0o600) + g.Expect(err).Should(BeNil()) + + // Test with complete bundle + signingCABundleComplete, bundleExists, err = checkCABundleCompleteness( + path.Join(dir, "ca-key.pem"), + path.Join(dir, "ca-cert.pem"), + path.Join(dir, "root-cert.pem"), + []string{path.Join(dir, "cert-chain.pem")}, + ) + g.Expect(err).Should(BeNil()) + g.Expect(signingCABundleComplete).Should(Equal(true)) + g.Expect(bundleExists).Should(Equal(true)) +} + func TestRemoteCerts(t *testing.T) { g := NewWithT(t) 
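Review bot: `TestCheckCABundleCompleteness` covers the missing-key and all-present cases but not the empty directory, which is the input that leads `createIstioCA` to the self-signed CA path, nor an empty or nil `chainFiles` slice. Each is a single call, for example asserting `(false, false, nil)` from `checkCABundleCompleteness` on paths under a fresh `t.TempDir()` before any file is written. A case where only `ca-key.pem` exists would also pin the new incomplete-bundle result that replaces the old key-only detection.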
@@ -60,7 +115,6 @@ expectedRoot, err := readSampleCertFromFile("root-cert.pem") g.Expect(err).Should(BeNil()) - g.Expect(os.ReadFile(path.Join(dir, "root-cert.pem"))).Should(Equal(expectedRoot)) // Should do nothing because certs already exist locally. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/istioctl-1.26.0/pilot/pkg/config/kube/gateway/conversion.go new/istioctl-1.26.1/pilot/pkg/config/kube/gateway/conversion.go --- old/istioctl-1.26.0/pilot/pkg/config/kube/gateway/conversion.go 2025-05-06 20:19:44.000000000 +0200 +++ new/istioctl-1.26.1/pilot/pkg/config/kube/gateway/conversion.go 2025-05-27 19:44:34.000000000 +0200 @@ -613,8 +613,17 @@ out: for _, routeHostname := range hostnames { for _, parentHostNamespace := range parent.Hostnames { - spl := strings.Split(parentHostNamespace, "/") - parentNamespace, parentHostname := spl[0], spl[1] + var parentNamespace, parentHostname string + // When parentHostNamespace lacks a '/', it was likely sanitized from '*/host' to 'host' + // by sanitizeServerHostNamespace. Set parentNamespace to '*' to reflect the wildcard namespace + // and parentHostname to the sanitized host to prevent an index out of range panic. + if strings.Contains(parentHostNamespace, "/") { + spl := strings.Split(parentHostNamespace, "/") + parentNamespace, parentHostname = spl[0], spl[1] + } else { + parentNamespace, parentHostname = "*", parentHostNamespace + } + hostnameMatch := host.Name(parentHostname).Matches(host.Name(routeHostname)) namespaceMatch := parentNamespace == "*" || parentNamespace == localNamespace hostMatched = hostMatched || hostnameMatch 
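Review bot: The new `else` branch in the `conversion.go` hunk fails open: any `parent.Hostnames` entry without a `/` is given namespace `*`, so `namespaceMatch` becomes true for every `localNamespace`. The comment says such values were "likely" produced by `sanitizeServerHostNamespace`; if any other code path can store a bare hostname here, routes from any namespace would be accepted against it, so that invariant should be confirmed and stated as a fact in the comment. Separately, `strings.Cut` expresses the parse without indexing a slice, replacing the `var` line and the `if`/`else` with `parentNamespace, parentHostname, ok := strings.Cut(parentHostNamespace, "/")` followed by `if !ok { parentNamespace, parentHostname = "*", parentHostNamespace }`. The loop this sits in starts and ends outside the hunk.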
@@ -1442,7 +1451,7 @@ // AllowedKinds indicates which kinds can be admitted by this parent AllowedKinds []k8s.RouteGroupKind // Hostnames is the hostnames that must be match to reference to the parent. For gateway this is listener hostname - // Format is ns/hostname + // Format is ns/hostname or just hostname, which is equivalent to */hostname Hostnames []string // OriginalHostname is the unprocessed form of Hostnames; how it appeared in users' config OriginalHostname string diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/istioctl-1.26.0/pilot/pkg/config/kube/gateway/conversion_test.go new/istioctl-1.26.1/pilot/pkg/config/kube/gateway/conversion_test.go --- old/istioctl-1.26.0/pilot/pkg/config/kube/gateway/conversion_test.go 2025-05-06 20:19:44.000000000 +0200 +++ new/istioctl-1.26.1/pilot/pkg/config/kube/gateway/conversion_test.go 2025-05-27 19:44:34.000000000 +0200 @@ -29,6 +29,7 @@ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/runtime/schema" + k8s "sigs.k8s.io/gateway-api/apis/v1" "sigs.k8s.io/gateway-api/pkg/consts" "sigs.k8s.io/yaml" 
@@ -1153,6 +1154,65 @@ } }) } +} + +// Test is a little janky, but it checks if we can pass a `parent.Hostnames` in the form +// of `*.example.com` and `*/*.example.com` without a panic and successfully match. +func TestGatewayReferenceAllowedParentHostnameParsing(t *testing.T) { + cases := []struct { + Name string + ParentHostnames []string + RouteHostnames []k8s.Hostname + }{ + { + Name: "implied wildcard", + ParentHostnames: []string{"*.example.com"}, + RouteHostnames: []k8s.Hostname{"bookinfo.example.com"}, + }, + { + Name: "explicit wildcard", + ParentHostnames: []string{"*/*.example.com"}, + RouteHostnames: []k8s.Hostname{"bookinfo.example.com"}, + }, + } + + for _, tt := range cases { + t.Run(tt.Name, func(t *testing.T) { + // ctx doesn't end up getting used, but we need to pass something + ctx := RouteContext{} + routeKind := gvk.HTTPRoute + parent := parentInfo{ + InternalName: "default/bookinfo-gateway-istio-autogenerated-k8s-gateway-http", + Hostnames: []string{"*.example.com"}, + AllowedKinds: []k8s.RouteGroupKind{ + toRouteKind(gvk.HTTPRoute), + toRouteKind(gvk.GRPCRoute), + }, + OriginalHostname: "", + SectionName: "http", + Port: 80, + Protocol: "HTTP", + } + parentRef := parentReference{ + parentKey: parentKey{ + Kind: gvk.Gateway, + Name: "bookinfo-gateway", + Namespace: "default", + }, + SectionName: "", + Port: 0, + } + hostnames := []k8s.Hostname{"bookinfo.example.com"} + + parentError, waypointError := referenceAllowed(ctx, &parent, routeKind, parentRef, hostnames, "default") + if parentError != nil { + t.Fatalf("expected no error, got %v", parentError) + } + if waypointError != nil { + t.Fatalf("expected no error, got %v", waypointError) + } + }) + } } func TestReferencePolicy(t *testing.T) { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/istioctl-1.26.0/pkg/config/analysis/analyzers/serviceentry/protocoladdresses.go 
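Review bot: The table fields `ParentHostnames` and `RouteHostnames` are never read inside the subtest: `parentInfo.Hostnames` is hard-coded to `[]string{"*.example.com"}` and `hostnames` to `[]k8s.Hostname{"bookinfo.example.com"}`, so the "explicit wildcard" case never passes `*/*.example.com` to `referenceAllowed` and both subtests run the same input. Use the table values instead, `Hostnames: tt.ParentHostnames,` and `hostnames := tt.RouteHostnames`. A negative case, where the parent hostname must not match the route, would make the test sensitive to the matching logic rather than only to the absence of a panic.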
new/istioctl-1.26.1/pkg/config/analysis/analyzers/serviceentry/protocoladdresses.go --- old/istioctl-1.26.0/pkg/config/analysis/analyzers/serviceentry/protocoladdresses.go 2025-05-06 20:19:44.000000000 +0200 +++ new/istioctl-1.26.1/pkg/config/analysis/analyzers/serviceentry/protocoladdresses.go 2025-05-27 19:44:34.000000000 +0200 @@ -53,6 +53,9 @@ if v, ok := mc.DefaultConfig.ProxyMetadata["ISTIO_META_DNS_AUTO_ALLOCATE"]; ok && v == "true" { autoAllocated = true } + if v, ok := mc.DefaultConfig.ProxyMetadata["PILOT_ENABLE_IP_AUTOALLOCATE"]; ok && v == "true" { + autoAllocated = true + } return true }) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/istioctl-1.26.0/pkg/config/analysis/msg/messages.gen.go new/istioctl-1.26.1/pkg/config/analysis/msg/messages.gen.go --- old/istioctl-1.26.0/pkg/config/analysis/msg/messages.gen.go 2025-05-06 20:19:44.000000000 +0200 +++ new/istioctl-1.26.1/pkg/config/analysis/msg/messages.gen.go 2025-05-27 19:44:34.000000000 +0200 @@ -105,7 +105,7 @@ SchemaWarning = diag.NewMessageType(diag.Warning, "IST0133", "Schema validation warning: %v") // ServiceEntryAddressesRequired defines a diag.MessageType for message "ServiceEntryAddressesRequired". - // Description: Virtual IP addresses are required for ports serving TCP (or unset) protocol when ISTIO_META_DNS_AUTO_ALLOCATE is not set on a proxy + // Description: Virtual IP addresses are required for ports serving TCP (or unset) protocol when PILOT_ENABLE_IP_AUTOALLOCATE is not set on a proxy ServiceEntryAddressesRequired = diag.NewMessageType(diag.Warning, "IST0134", "ServiceEntry addresses are required for this protocol.") // DeprecatedAnnotation defines a diag.MessageType for message "DeprecatedAnnotation". 
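Review bot: After the `protocoladdresses.go` hunk the analyzer suppresses IST0134 when either `ISTIO_META_DNS_AUTO_ALLOCATE` or `PILOT_ENABLE_IP_AUTOALLOCATE` is `"true"` in `ProxyMetadata`, but the message description in `messages.gen.go` and `messages.yaml` now names only `PILOT_ENABLE_IP_AUTOALLOCATE`; the description should mention both keys, or the older check should be removed. The `PILOT_` prefix suggests an istiod-side setting, so it is worth confirming that mesh-config `ProxyMetadata` is where users actually set it, otherwise the false positive remains for them. The two `if` blocks could be folded into one loop over the accepted keys with a comment saying why each key counts. The enclosing closure starts outside the hunk.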
@@ -259,6 +259,14 @@ // NegativeConditionStatus defines a diag.MessageType for message "NegativeConditionStatus". // Description: A condition with a negative status is present NegativeConditionStatus = diag.NewMessageType(diag.Warning, "IST0171", "A condition with a negative status is present: type=%s, reason=%s, message=%s.") + + // DestinationRuleSubsetNotSelectPods defines a diag.MessageType for message "DestinationRuleSubsetNotSelectPods". + // Description: Subsets defined in destination does not select any pods. + DestinationRuleSubsetNotSelectPods = diag.NewMessageType(diag.Error, "IST0173", "The Subset %s defined in the DestinationRule does not select any pods. Which may lead to 503 UH (NoHealthyUpstream).") + + // UnknownDestinationRuleHost defines a diag.MessageType for message "UnknownDestinationRuleHost". + // Description: Host defined in destination rule does not match any services in the mesh. + UnknownDestinationRuleHost = diag.NewMessageType(diag.Warning, "IST0174", "The host %s defined in the DestinationRule does not match any services in the mesh.") ) // All returns a list of all known message types. @@ -327,6 +335,8 @@ UpdateIncompatibility, MultiClusterInconsistentService, NegativeConditionStatus, + DestinationRuleSubsetNotSelectPods, + UnknownDestinationRuleHost, } } 
@@ -950,3 +960,21 @@ message, ) } + +// NewDestinationRuleSubsetNotSelectPods returns a new diag.Message based on DestinationRuleSubsetNotSelectPods. +func NewDestinationRuleSubsetNotSelectPods(r *resource.Instance, subset string) diag.Message { + return diag.NewMessage( + DestinationRuleSubsetNotSelectPods, + r, + subset, + ) +} + +// NewUnknownDestinationRuleHost returns a new diag.Message based on UnknownDestinationRuleHost. +func NewUnknownDestinationRuleHost(r *resource.Instance, host string) diag.Message { + return diag.NewMessage( + UnknownDestinationRuleHost, + r, + host, + ) +} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/istioctl-1.26.0/pkg/config/analysis/msg/messages.yaml new/istioctl-1.26.1/pkg/config/analysis/msg/messages.yaml --- old/istioctl-1.26.0/pkg/config/analysis/msg/messages.yaml 2025-05-06 20:19:44.000000000 +0200 +++ new/istioctl-1.26.1/pkg/config/analysis/msg/messages.yaml 2025-05-27 19:44:34.000000000 +0200 @@ -286,7 +286,8 @@ - name: "ServiceEntryAddressesRequired" code: IST0134 level: Warning - description: "Virtual IP addresses are required for ports serving TCP (or unset) protocol when ISTIO_META_DNS_AUTO_ALLOCATE is not set on a proxy" + description: "Virtual IP addresses are required for ports serving TCP (or unset) protocol when PILOT_ENABLE_IP_AUTOALLOCATE is not set on a proxy" + template: "ServiceEntry addresses are required for this protocol." - name: "DeprecatedAnnotation" 
@@ -681,3 +682,21 @@ type: string - name: message type: string + + - name: "DestinationRuleSubsetNotSelectPods" + code: IST0173 + level: Error + description: "Subsets defined in destination does not select any pods." + template: "The Subset %s defined in the DestinationRule does not select any pods. Which may lead to 503 UH (NoHealthyUpstream)." + args: + - name: subset + type: string + + - name: "UnknownDestinationRuleHost" + code: IST0174 + level: Warning + description: "Host defined in destination rule does not match any services in the mesh." + template: "The host %s defined in the DestinationRule does not match any services in the mesh." + args: + - name: host + type: string diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/istioctl-1.26.0/releasenotes/notes/56083.yaml new/istioctl-1.26.1/releasenotes/notes/56083.yaml --- old/istioctl-1.26.0/releasenotes/notes/56083.yaml 1970-01-01 01:00:00.000000000 +0100 +++ new/istioctl-1.26.1/releasenotes/notes/56083.yaml 2025-05-27 19:44:34.000000000 +0200 
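Review bot: The user-facing text for IST0173 is ungrammatical: the template ends in a sentence fragment ("... any pods. Which may lead to 503 UH") and the description has a subject/verb mismatch ("Subsets ... does not select"). Because this string is what operators see in `istioctl analyze` output, I would join the clauses: `template: "The subset %s defined in the DestinationRule does not select any pods, which may lead to 503 UH (NoHealthyUpstream)."` and `description: "Subset defined in destination rule does not select any pods."`. The Go message table earlier in this diff carries the same strings, presumably generated from this file, so it would need regenerating.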
@@ -0,0 +1,34 @@ +apiVersion: release-notes/v2 + +# This YAML file describes the format for specifying a release notes entry for Istio. +# This should be filled in for all user facing changes. + +# kind describes the type of change that this represents. +# Valid Values are: +# - bug-fix -- Used to specify that this change represents a bug fix. +# - security-fix -- Used to specify that this change represents a vulnerability fix. +# - feature -- Used to specify a new feature that has been added. +# - test -- Used to describe additional testing added. This file is optional for +# tests, but included for completeness. +kind: bug-fix + +# area describes the area that this change affects. +# Valid values are: +# - traffic-management +# - security +# - telemetry +# - installation +# - istioctl +# - documentation +area: istioctl + +# issue is a list of GitHub issues resolved in this note. +# If issue is not in the current repo, specify its full URL instead. +issue: [56083] + +# releaseNotes is a markdown listing of any user facing changes. This will appear in the +# release notes. +releaseNotes: + - | + **Fixed** false positive with `istioctl analyze` raising IST0134 even when `PILOT_ENABLE_IP_AUTOALLOCATE` is set to `true`. + diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/istioctl-1.26.0/releasenotes/notes/56240.yaml new/istioctl-1.26.1/releasenotes/notes/56240.yaml --- old/istioctl-1.26.0/releasenotes/notes/56240.yaml 1970-01-01 01:00:00.000000000 +0100 +++ new/istioctl-1.26.1/releasenotes/notes/56240.yaml 2025-05-27 19:44:34.000000000 +0200 
@@ -0,0 +1,7 @@ +apiVersion: release-notes/v2 +kind: bug-fix +area: installation +issue: [56223] +releaseNotes: + - | + **Fixed** a panic in `istioctl manifest translate` when the IstioOperator config contains multiple gateways. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/istioctl-1.26.0/releasenotes/notes/56300.yaml new/istioctl-1.26.1/releasenotes/notes/56300.yaml --- old/istioctl-1.26.0/releasenotes/notes/56300.yaml 1970-01-01 01:00:00.000000000 +0100 +++ new/istioctl-1.26.1/releasenotes/notes/56300.yaml 2025-05-27 19:44:34.000000000 +0200 @@ -0,0 +1,9 @@ +apiVersion: release-notes/v2 +kind: bug-fix +area: traffic-management +issue: +- 56300 + +releaseNotes: +- | + **Fixed** Regression in Istio 1.26.0 that caused a panic in istiod when processing Gateway API hostnames. \ No newline at end of file diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/istioctl-1.26.0/releasenotes/notes/check-cacerts-completeness.yaml new/istioctl-1.26.1/releasenotes/notes/check-cacerts-completeness.yaml --- old/istioctl-1.26.0/releasenotes/notes/check-cacerts-completeness.yaml 1970-01-01 01:00:00.000000000 +0100 +++ new/istioctl-1.26.1/releasenotes/notes/check-cacerts-completeness.yaml 2025-05-27 19:44:34.000000000 +0200 
@@ -0,0 +1,13 @@ +apiVersion: release-notes/v2 +kind: bug-fix +area: security +releaseNotes: + - | + **Fixed** an issue in the `pluginca` feature where `istiod` would silently fallback to the self-signed CA if the provided `cacerts` bundle was incomplete. + The system now properly validates the presence of all required CA files and fails with an error if the bundle is incomplete. +upgradeNote: + - title: Pluginca CA Bundle Validation + content: | + Previously, `istiod` would silently fallback to the self-signed CA if the `cacerts` bundle was incomplete—only the signing key file was being checked for presence. + This behavior could lead to unexpected use of a self-signed CA without operator awareness. + With this fix, `istiod` will now validate the entire CA bundle and return an explicit error if any required file is missing, rather than falling back silently. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/istioctl-1.26.0/tests/integration/pilot/analysis/analysis_test.go new/istioctl-1.26.1/tests/integration/pilot/analysis/analysis_test.go --- old/istioctl-1.26.0/tests/integration/pilot/analysis/analysis_test.go 2025-05-06 20:19:44.000000000 +0200 +++ new/istioctl-1.26.1/tests/integration/pilot/analysis/analysis_test.go 2025-05-27 19:44:34.000000000 +0200 
@@ -80,7 +80,7 @@ // Status should report error retry.UntilSuccessOrFail(t, func() error { return expectVirtualServiceStatus(t, ns, true) - }, retry.Timeout(time.Second*5)) + }, retry.Timeout(time.Second*10)) // Apply config to make this not invalid t.ConfigIstio().YAML(ns.Name(), ` apiVersion: networking.istio.io/v1 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/istioctl-1.26.0/tests/integration/pilot/testdata/gateway-api-crd.yaml new/istioctl-1.26.1/tests/integration/pilot/testdata/gateway-api-crd.yaml --- old/istioctl-1.26.0/tests/integration/pilot/testdata/gateway-api-crd.yaml 2025-05-06 20:19:44.000000000 +0200 +++ new/istioctl-1.26.1/tests/integration/pilot/testdata/gateway-api-crd.yaml 2025-05-27 19:44:34.000000000 +0200 @@ -1,10 +1,10 @@ -# Generated with `kubectl kustomize "https://github.com/kubernetes-sigs/gateway-api/config/crd/experimental?ref=92efbedcc2b40dc097b7ea0eacb894a6033057e1"` +# Generated with `kubectl kustomize "https://github.com/kubernetes-sigs/gateway-api/config/crd/experimental?ref=v1.3.0"` apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.3.0-rc.1 + gateway.networking.k8s.io/bundle-version: v1.3.0 gateway.networking.k8s.io/channel: experimental creationTimestamp: null labels: @@ -652,7 +652,7 @@ metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.3.0-rc.1 + gateway.networking.k8s.io/bundle-version: v1.3.0 gateway.networking.k8s.io/channel: experimental creationTimestamp: null name: gatewayclasses.gateway.networking.k8s.io 
@@ -1169,7 +1169,7 @@ metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.3.0-rc.1 + gateway.networking.k8s.io/bundle-version: v1.3.0 gateway.networking.k8s.io/channel: experimental creationTimestamp: null name: gateways.gateway.networking.k8s.io @@ -1824,7 +1824,6 @@ - All - Selector - Same - - None type: string selector: description: |- @@ -3163,7 +3162,6 @@ - All - Selector - Same - - None type: string selector: description: |- @@ -3876,7 +3874,7 @@ metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.3.0-rc.1 + gateway.networking.k8s.io/bundle-version: v1.3.0 gateway.networking.k8s.io/channel: experimental creationTimestamp: null name: grpcroutes.gateway.networking.k8s.io @@ -6094,7 +6092,7 @@ metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.3.0-rc.1 + gateway.networking.k8s.io/bundle-version: v1.3.0 gateway.networking.k8s.io/channel: experimental creationTimestamp: null name: httproutes.gateway.networking.k8s.io @@ -13373,7 +13371,7 @@ metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.3.0-rc.1 + gateway.networking.k8s.io/bundle-version: v1.3.0 gateway.networking.k8s.io/channel: experimental creationTimestamp: null name: referencegrants.gateway.networking.k8s.io @@ -13563,7 +13561,7 @@ metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.3.0-rc.1 + gateway.networking.k8s.io/bundle-version: v1.3.0 gateway.networking.k8s.io/channel: experimental creationTimestamp: null name: tcproutes.gateway.networking.k8s.io 
@@ -14296,7 +14294,7 @@ metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.3.0-rc.1 + gateway.networking.k8s.io/bundle-version: v1.3.0 gateway.networking.k8s.io/channel: experimental creationTimestamp: null name: tlsroutes.gateway.networking.k8s.io @@ -15092,7 +15090,7 @@ metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.3.0-rc.1 + gateway.networking.k8s.io/bundle-version: v1.3.0 gateway.networking.k8s.io/channel: experimental creationTimestamp: null name: udproutes.gateway.networking.k8s.io @@ -15825,7 +15823,7 @@ metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.3.0-rc.1 + gateway.networking.k8s.io/bundle-version: v1.3.0 gateway.networking.k8s.io/channel: experimental creationTimestamp: null labels: @@ -15916,21 +15914,21 @@ interval: default: 10s description: |- - BudgetInterval defines the duration in which requests will be considered + Interval defines the duration in which requests will be considered for calculating the budget for retries. Support: Extended pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string x-kubernetes-validations: - - message: budgetInterval can not be greater than one hour - or less than one second + - message: interval can not be greater than one hour or less + than one second rule: '!(duration(self) < duration(''1s'') || duration(self) > duration(''1h''))' percent: default: 20 description: |- - BudgetPercent defines the maximum percentage of active requests that may + Percent defines the maximum percentage of active requests that may be made up of retries. Support: Extended 
@@ -16431,7 +16429,7 @@ metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.3.0-rc.1 + gateway.networking.k8s.io/bundle-version: v1.3.0 gateway.networking.k8s.io/channel: experimental creationTimestamp: null name: xlistenersets.gateway.networking.x-k8s.io @@ -16602,7 +16600,6 @@ - All - Selector - Same - - None type: string selector: description: |- @@ -16943,6 +16940,7 @@ > 0 || size(self.options) > 0 : true' required: - name + - port - protocol type: object maxItems: 64 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/istioctl-1.26.0/tests/integration/security/ingress_test.go new/istioctl-1.26.1/tests/integration/security/ingress_test.go --- old/istioctl-1.26.0/tests/integration/security/ingress_test.go 2025-05-06 20:19:44.000000000 +0200 +++ new/istioctl-1.26.1/tests/integration/security/ingress_test.go 2025-05-27 19:44:34.000000000 +0200 @@ -411,7 +411,10 @@ }, hostName: "testmultitlsgateway-invalidsecret1.example.com", expectedResponse: ingressutil.ExpectedResponse{ - ErrorMessage: "connection reset by peer", + AllowedErrorMessages: []string{ + "connection reset by peer", + "EOF", + }, }, callType: ingressutil.TLS, tlsContext: ingressutil.TLSContext{ @@ -427,7 +430,10 @@ }, hostName: "testmultitlsgateway-invalidsecret2.example.com", expectedResponse: ingressutil.ExpectedResponse{ - ErrorMessage: "connection reset by peer", + AllowedErrorMessages: []string{ + "connection reset by peer", + "EOF", + }, }, callType: ingressutil.TLS, tlsContext: ingressutil.TLSContext{ @@ -443,7 +449,10 @@ }, hostName: "testmultitlsgateway-invalidsecret3.example.com", expectedResponse: ingressutil.ExpectedResponse{ - ErrorMessage: "connection reset by peer", + AllowedErrorMessages: []string{ + "connection reset by peer", + "EOF", + }, }, callType: ingressutil.TLS, tlsContext: ingressutil.TLSContext{ 
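Review bot: Allowing "EOF" in the ingress_test.go `-411` hunk makes the invalid-secret assertion very loose. The matcher in util.go compares with `strings.Contains`, so any error whose text contains "EOF" now passes, not only a connection that the gateway refused. The same two-element list is repeated in the hunks at `-427`, `-443`, `-458`, `-473`, `-540` and `-558`. I would declare it once, e.g. `invalidSecretErrors := []string{"connection reset by peer", "EOF"}`, with a comment recording why a clean close is an acceptable outcome for a rejected handshake, and use `AllowedErrorMessages: invalidSecretErrors` in each case. The test table these entries belong to starts and ends outside the hunks.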
@@ -458,7 +467,10 @@ }, hostName: "testmultitlsgateway-invalidsecret4.example.com", expectedResponse: ingressutil.ExpectedResponse{ - ErrorMessage: "connection reset by peer", + AllowedErrorMessages: []string{ + "connection reset by peer", + "EOF", + }, }, callType: ingressutil.TLS, tlsContext: ingressutil.TLSContext{ @@ -473,7 +485,10 @@ }, hostName: "testmultitlsgateway-invalidsecret5.example.com", expectedResponse: ingressutil.ExpectedResponse{ - ErrorMessage: "connection reset by peer", + AllowedErrorMessages: []string{ + "connection reset by peer", + "EOF", + }, }, callType: ingressutil.TLS, tlsContext: ingressutil.TLSContext{ @@ -540,7 +555,10 @@ }, hostName: "testmultimtlsgateway-invalidsecret1.example.com", expectedResponse: ingressutil.ExpectedResponse{ - ErrorMessage: "connection reset by peer", + AllowedErrorMessages: []string{ + "connection reset by peer", + "EOF", + }, }, callType: ingressutil.Mtls, tlsContext: ingressutil.TLSContext{ @@ -558,7 +576,10 @@ }, hostName: "testmultimtlsgateway-invalidsecret2.example.com", expectedResponse: ingressutil.ExpectedResponse{ - ErrorMessage: "connection reset by peer", + AllowedErrorMessages: []string{ + "connection reset by peer", + "EOF", + }, }, callType: ingressutil.Mtls, tlsContext: ingressutil.TLSContext{ 
@@ -577,7 +598,10 @@ }, hostName: "testmultimtlsgateway-invalidsecret3.example.com", expectedResponse: ingressutil.ExpectedResponse{ - ErrorMessage: "error decrypting message", + AllowedErrorMessages: []string{ + "connection reset by peer", + "tls: error decrypting message", + }, }, callType: ingressutil.Mtls, tlsContext: ingressutil.TLSContext{ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/istioctl-1.26.0/tests/integration/security/sds_ingress/util/util.go new/istioctl-1.26.1/tests/integration/security/sds_ingress/util/util.go --- old/istioctl-1.26.0/tests/integration/security/sds_ingress/util/util.go 2025-05-06 20:19:44.000000000 +0200 +++ new/istioctl-1.26.1/tests/integration/security/sds_ingress/util/util.go 2025-05-27 19:44:34.000000000 +0200 @@ -269,6 +269,7 @@ StatusCode int SkipErrorMessageVerification bool ErrorMessage string + AllowedErrorMessages []string } type TLSContext struct { 
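Review bot: The `AllowedErrorMessages` field added to `ExpectedResponse` in the util.go `-269` hunk has no comment saying how it relates to `ErrorMessage`, and the two now overlap. Going by the matcher changed later in this file, an error is accepted when it contains `ErrorMessage` or any entry of `AllowedErrorMessages`. I would state that on the field, e.g. `// AllowedErrorMessages lists alternative substrings; an error containing any one of them (or ErrorMessage) is accepted.` The struct declaration starts outside the hunk.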
@@ -321,12 +322,24 @@ // message then it should be treated as error when error message // verification is not skipped. Error message verification is skipped // when the error message is non-deterministic. - if !exRsp.SkipErrorMessageVerification && len(exRsp.ErrorMessage) == 0 { - return fmt.Errorf("unexpected error: %w", err) - } - if !exRsp.SkipErrorMessageVerification && !strings.Contains(err.Error(), exRsp.ErrorMessage) { - return fmt.Errorf("expected response error message %s but got %w", - exRsp.ErrorMessage, err) + if !exRsp.SkipErrorMessageVerification { + if len(exRsp.ErrorMessage) == 0 && len(exRsp.AllowedErrorMessages) == 0 { + return fmt.Errorf("unexpected error: %w", err) + } + matched := false + if exRsp.ErrorMessage != "" && strings.Contains(err.Error(), exRsp.ErrorMessage) { + matched = true + } + for _, allowed := range exRsp.AllowedErrorMessages { + if strings.Contains(err.Error(), allowed) { + matched = true + break + } + } + if !matched { + return fmt.Errorf("expected one of %v but got error: %w", + append([]string{exRsp.ErrorMessage}, exRsp.AllowedErrorMessages...), err) + } } return nil } ++++++ istioctl.obsinfo ++++++ --- /var/tmp/diff_new_pack.7e3C7D/_old 2025-05-31 19:18:42.751360363 +0200 +++ /var/tmp/diff_new_pack.7e3C7D/_new 2025-05-31 19:18:42.775361373 +0200 @@ -1,5 +1,5 @@ name: istioctl -version: 1.26.0 -mtime: 1746555584 -commit: c2e9871f340c0e0b114bcd1b73208284f1d17c9e +version: 1.26.1 +mtime: 1748367874 +commit: 2ce3ad897b984a045d9d5f80a8c1bb8eefdf88f5 ++++++ vendor.tar.gz ++++++ /work/SRC/openSUSE:Factory/istioctl/vendor.tar.gz /work/SRC/openSUSE:Factory/.istioctl.new.16005/vendor.tar.gz differ: char 13, line 1
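Review bot: In the rewritten check of the util.go `-321` hunk, an empty string inside `AllowedErrorMessages` matches every error, because `strings.Contains(s, "")` is always true. A table entry like `[]string{""}` would therefore pass the length guard and silently disable verification. Guarding the loop body with `if allowed != "" && strings.Contains(err.Error(), allowed) {` closes that gap. The failure message also prepends `exRsp.ErrorMessage` even when it is empty, so the printed list starts with a blank element. Formatting the list with `%q` instead of `%v` (`"expected one of %q but got error: %w"`) would at least make that visible. The enclosing function starts outside the hunk.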