From 6f511e8c1f1b8b922803eb833c1f35c9ec1bf0f3 Mon Sep 17 00:00:00 2001 From: Greg <miernicki_gregory@bah.com> Date: Fri, 21 Mar 2025 21:26:07 -0500 Subject: [PATCH 01/26] =?UTF-8?q?=20=E2=9B=B5?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- CHANGELOG.md | 4 + CODEOWNERS | 3 +- README.md | 137 +++++++++--------- chart/Chart.yaml | 6 +- chart/Kptfile | 4 +- chart/files/profile-ambient.yaml | 3 - .../profile-compatibility-version-1.22.yaml | 16 +- .../profile-compatibility-version-1.23.yaml | 23 +++ .../profile-compatibility-version-1.24.yaml | 11 ++ chart/files/profile-demo.yaml | 21 +++ chart/files/profile-platform-gke.yaml | 6 + chart/files/profile-platform-k3d.yaml | 7 + chart/files/profile-platform-k3s.yaml | 7 + chart/files/profile-platform-microk8s.yaml | 7 + chart/files/profile-platform-minikube.yaml | 6 + chart/files/profile-platform-openshift.yaml | 19 +++ chart/files/profile-remote.yaml | 13 ++ chart/templates/_helpers.tpl | 11 -- chart/templates/deployment.yaml | 19 ++- chart/templates/hpa.yaml | 2 + chart/templates/poddisruptionbudget.yaml | 2 + chart/templates/role.yaml | 4 + chart/templates/service.yaml | 2 + chart/templates/serviceaccount.yaml | 2 + chart/templates/zzz_profile.yaml | 45 +++++- chart/values.schema.json | 20 ++- chart/values.yaml | 26 +++- docs/DEVELOPMENT_MAINTENANCE.md | 93 ++++++++++-- 28 files changed, 394 insertions(+), 125 deletions(-) create mode 100644 chart/files/profile-compatibility-version-1.23.yaml create mode 100644 chart/files/profile-compatibility-version-1.24.yaml create mode 100644 chart/files/profile-platform-gke.yaml create mode 100644 chart/files/profile-platform-k3d.yaml create mode 100644 chart/files/profile-platform-k3s.yaml create mode 100644 chart/files/profile-platform-microk8s.yaml create mode 100644 chart/files/profile-platform-minikube.yaml create mode 100644 chart/files/profile-platform-openshift.yaml create mode 100644 chart/files/profile-remote.yaml 
diff --git a/CHANGELOG.md b/CHANGELOG.md index 30e07a6..c8f44ee 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,10 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), --- +## [1.25.0-bb.0] - 2024-03-18 +Changed +- Updated to v1.25.0 + ## [1.23.3-bb.3] - 2024-02-13 ### Added diff --git a/CODEOWNERS b/CODEOWNERS index 946c372..d6ded0f 100644 --- a/CODEOWNERS +++ b/CODEOWNERS @@ -1,2 +1 @@ -* @stephen.galamb @lgomez2 @jimmy.bourque @kipten @dbaker1298 @zcallahan - +* @stephen.galamb @lgomez2 @jimmy.bourque @kipten @jeremy.hulick @dbaker1298 diff --git a/README.md b/README.md index 0e8d731..09e4c4b 100644 --- a/README.md +++ b/README.md @@ -1,7 +1,7 @@ <!-- Warning: Do not manually edit this file. See notes on gluon + helm-docs at the end of this file for more information. --> # gateway -    +    Helm chart for deploying Istio gateways @@ -11,7 +11,7 @@ Helm chart for deploying Istio gateways ## Upstream Release Notes -- [Find our upstream chart's CHANGELOG here](https://istio.io/latest/news/releases/1.23.2/announcing-1.23.2) +- [Find our upstream chart's CHANGELOG here](https://istio.io/latest/news/releases/1.25.x/announcing-1.25) ## Learn More 
@@ -41,71 +41,74 @@ helm install gateway chart/ | Key | Type | Default | Description | |-----|------|---------|-------------| -| defaults.name | string | `""` | | -| defaults.revision | string | `""` | | -| defaults.replicaCount | string | `nil` | | -| defaults.kind | string | `"Deployment"` | | -| defaults.rbac.enabled | bool | `true` | | -| defaults.serviceAccount.create | bool | `true` | | -| defaults.serviceAccount.annotations | object | `{}` | | -| defaults.serviceAccount.name | string | `""` | | -| defaults.podAnnotations."prometheus.io/port" | string | `"15020"` | | -| defaults.podAnnotations."prometheus.io/scrape" | string | `"true"` | | -| defaults.podAnnotations."prometheus.io/path" | string | `"/stats/prometheus"` | | -| defaults.podAnnotations."inject.istio.io/templates" | string | `"gateway"` | | -| defaults.podAnnotations."sidecar.istio.io/inject" | string | `"true"` | | -| defaults.securityContext | object | `{}` | | -| defaults.containerSecurityContext | object | `{}` | | -| defaults.service.type | string | `"LoadBalancer"` | | -| defaults.service.ports[0].name | string | `"tcp-status-port"` | | -| defaults.service.ports[0].port | int | `15021` | | -| defaults.service.ports[0].protocol | string | `"TCP"` | | -| defaults.service.ports[0].targetPort | int | `15021` | | -| defaults.service.ports[1].name | string | `"http2"` | | -| defaults.service.ports[1].port | int | `80` | | -| defaults.service.ports[1].protocol | string | `"TCP"` | | -| defaults.service.ports[1].targetPort | int | `8080` | | -| defaults.service.ports[2].name | string | `"https"` | | -| defaults.service.ports[2].port | int | `443` | | -| defaults.service.ports[2].protocol | string | `"TCP"` | | -| defaults.service.ports[2].targetPort | int | `8443` | | -| defaults.service.annotations | object | `{}` | | -| defaults.service.loadBalancerIP | string | `""` | | -| defaults.service.loadBalancerSourceRanges | list | `[]` | | -| defaults.service.externalTrafficPolicy | string | `""` | | -| 
defaults.service.externalIPs | list | `[]` | | -| defaults.service.ipFamilyPolicy | string | `""` | | -| defaults.service.ipFamilies | list | `[]` | | -| defaults.resources.requests.cpu | string | `"100m"` | | -| defaults.resources.requests.memory | string | `"128Mi"` | | -| defaults.resources.limits.cpu | string | `"2000m"` | | -| defaults.resources.limits.memory | string | `"1024Mi"` | | -| defaults.autoscaling.enabled | bool | `true` | | -| defaults.autoscaling.minReplicas | int | `1` | | -| defaults.autoscaling.maxReplicas | int | `5` | | -| defaults.autoscaling.targetCPUUtilizationPercentage | int | `80` | | -| defaults.autoscaling.targetMemoryUtilizationPercentage | object | `{}` | | -| defaults.autoscaling.autoscaleBehavior | object | `{}` | | -| defaults.env | object | `{}` | | -| defaults.labels | object | `{}` | | -| defaults.annotations | object | `{}` | | -| defaults.nodeSelector | object | `{}` | | -| defaults.tolerations | list | `[]` | | -| defaults.topologySpreadConstraints | list | `[]` | | -| defaults.affinity | object | `{}` | | -| defaults.networkGateway | string | `""` | | -| defaults.image.repo | string | `"registry1.dso.mil/ironbank/opensource/istio/proxyv2"` | | -| defaults.image.tag | string | `"1.23.3"` | | -| defaults.imagePullPolicy | string | `""` | | -| defaults.imagePullSecrets[0].name | string | `"private-registry"` | | -| defaults.podDisruptionBudget | object | `{}` | | -| defaults.terminationGracePeriodSeconds | int | `30` | | -| defaults.volumes | list | `[]` | | -| defaults.volumeMounts | list | `[]` | | -| defaults.priorityClassName | string | `""` | | -| defaults.enterprise | bool | `false` | | -| defaults.tidHub | string | `"registry1.dso.mil/ironbank/tetrate/istio"` | | -| defaults.tidTag | string | `"1.23.3-tetratefips-v0"` | | +| _internal_defaults_do_not_set.name | string | `""` | | +| _internal_defaults_do_not_set.revision | string | `""` | | +| _internal_defaults_do_not_set.replicaCount | string | `nil` | | +| 
_internal_defaults_do_not_set.kind | string | `"Deployment"` | | +| _internal_defaults_do_not_set.rbac.enabled | bool | `true` | | +| _internal_defaults_do_not_set.serviceAccount.create | bool | `true` | | +| _internal_defaults_do_not_set.serviceAccount.annotations | object | `{}` | | +| _internal_defaults_do_not_set.serviceAccount.name | string | `""` | | +| _internal_defaults_do_not_set.podAnnotations."prometheus.io/port" | string | `"15020"` | | +| _internal_defaults_do_not_set.podAnnotations."prometheus.io/scrape" | string | `"true"` | | +| _internal_defaults_do_not_set.podAnnotations."prometheus.io/path" | string | `"/stats/prometheus"` | | +| _internal_defaults_do_not_set.podAnnotations."inject.istio.io/templates" | string | `"gateway"` | | +| _internal_defaults_do_not_set.podAnnotations."sidecar.istio.io/inject" | string | `"true"` | | +| _internal_defaults_do_not_set.securityContext | object | `{}` | | +| _internal_defaults_do_not_set.containerSecurityContext | object | `{}` | | +| _internal_defaults_do_not_set.service.type | string | `"LoadBalancer"` | | +| _internal_defaults_do_not_set.service.ports[0].name | string | `"tcp-status-port"` | | +| _internal_defaults_do_not_set.service.ports[0].port | int | `15021` | | +| _internal_defaults_do_not_set.service.ports[0].protocol | string | `"TCP"` | | +| _internal_defaults_do_not_set.service.ports[0].targetPort | int | `15021` | | +| _internal_defaults_do_not_set.service.ports[1].name | string | `"http2"` | | +| _internal_defaults_do_not_set.service.ports[1].port | int | `80` | | +| _internal_defaults_do_not_set.service.ports[1].protocol | string | `"TCP"` | | +| _internal_defaults_do_not_set.service.ports[1].targetPort | int | `8080` | | +| _internal_defaults_do_not_set.service.ports[2].name | string | `"https"` | | +| _internal_defaults_do_not_set.service.ports[2].port | int | `443` | | +| _internal_defaults_do_not_set.service.ports[2].protocol | string | `"TCP"` | | +| 
_internal_defaults_do_not_set.service.ports[2].targetPort | int | `8443` | | +| _internal_defaults_do_not_set.service.annotations | object | `{}` | | +| _internal_defaults_do_not_set.service.loadBalancerIP | string | `""` | | +| _internal_defaults_do_not_set.service.loadBalancerSourceRanges | list | `[]` | | +| _internal_defaults_do_not_set.service.externalTrafficPolicy | string | `""` | | +| _internal_defaults_do_not_set.service.externalIPs | list | `[]` | | +| _internal_defaults_do_not_set.service.ipFamilyPolicy | string | `""` | | +| _internal_defaults_do_not_set.service.ipFamilies | list | `[]` | | +| _internal_defaults_do_not_set.resources.requests.cpu | string | `"100m"` | | +| _internal_defaults_do_not_set.resources.requests.memory | string | `"128Mi"` | | +| _internal_defaults_do_not_set.resources.limits.cpu | string | `"2000m"` | | +| _internal_defaults_do_not_set.resources.limits.memory | string | `"1024Mi"` | | +| _internal_defaults_do_not_set.autoscaling.enabled | bool | `true` | | +| _internal_defaults_do_not_set.autoscaling.minReplicas | int | `1` | | +| _internal_defaults_do_not_set.autoscaling.maxReplicas | int | `5` | | +| _internal_defaults_do_not_set.autoscaling.targetCPUUtilizationPercentage | int | `80` | | +| _internal_defaults_do_not_set.autoscaling.targetMemoryUtilizationPercentage | object | `{}` | | +| _internal_defaults_do_not_set.autoscaling.autoscaleBehavior | object | `{}` | | +| _internal_defaults_do_not_set.env | object | `{}` | | +| _internal_defaults_do_not_set.strategy | object | `{}` | | +| _internal_defaults_do_not_set.minReadySeconds | string | `nil` | | +| _internal_defaults_do_not_set.readinessProbe | object | `{}` | | +| _internal_defaults_do_not_set.labels."istio.io/dataplane-mode" | string | `"none"` | | +| _internal_defaults_do_not_set.annotations | object | `{}` | | +| _internal_defaults_do_not_set.nodeSelector | object | `{}` | | +| _internal_defaults_do_not_set.tolerations | list | `[]` | | +| 
_internal_defaults_do_not_set.topologySpreadConstraints | list | `[]` | | +| _internal_defaults_do_not_set.affinity | object | `{}` | | +| _internal_defaults_do_not_set.networkGateway | string | `""` | | +| _internal_defaults_do_not_set.image.repo | string | `"registry1.dso.mil/ironbank/opensource/istio/proxyv2"` | | +| _internal_defaults_do_not_set.image.tag | string | `"1.25.0"` | | +| _internal_defaults_do_not_set.imagePullPolicy | string | `""` | | +| _internal_defaults_do_not_set.imagePullSecrets[0].name | string | `"private-registry"` | | +| _internal_defaults_do_not_set.podDisruptionBudget | object | `{}` | | +| _internal_defaults_do_not_set.terminationGracePeriodSeconds | int | `30` | | +| _internal_defaults_do_not_set.volumes | list | `[]` | | +| _internal_defaults_do_not_set.volumeMounts | list | `[]` | | +| _internal_defaults_do_not_set.priorityClassName | string | `""` | | +| _internal_defaults_do_not_set.enterprise | bool | `false` | | +| _internal_defaults_do_not_set.tidHub | string | `"registry1.dso.mil/ironbank/tetrate/istio"` | | +| _internal_defaults_do_not_set.tidTag | string | `"1.25.0-tetratefips0"` | | | mtls.mode | string | `"STRICT"` | STRICT = Allow only mutual TLS traffic, PERMISSIVE = Allow both plain text and mutual TLS traffic | | networkPolicies.enabled | bool | `true` | | | networkPolicies.additionalPolicies | list | `[]` | | diff --git a/chart/Chart.yaml b/chart/Chart.yaml index 0b62eb7..a232c6a 100644 --- a/chart/Chart.yaml +++ b/chart/Chart.yaml @@ -2,8 +2,8 @@ apiVersion: v2 name: gateway description: Helm chart for deploying Istio gateways type: application -version: 1.23.3-bb.3 -appVersion: 1.23.3 +version: 1.25.0-bb.0 +appVersion: 1.25.0 sources: - https://github.com/istio/istio icon: https://istio.io/latest/favicons/android-192x192.png 
@@ -13,4 +13,4 @@ keywords: annotations: bigbang.dev/maintenanceTrack: bb_integrated bigbang.dev/upstreamReleaseNotesMarkdown: | - - [Find our upstream chart's CHANGELOG here](https://istio.io/latest/news/releases/1.23.2/announcing-1.23.2) + - [Find our upstream chart's CHANGELOG here](https://istio.io/latest/news/releases/1.25.x/announcing-1.25) diff --git a/chart/Kptfile b/chart/Kptfile index 150e5f7..d11d943 100644 --- a/chart/Kptfile +++ b/chart/Kptfile @@ -5,7 +5,7 @@ metadata: upstream: type: git git: - commit: 33af1b65afe2780bc2bc7c94ccd8a6f6281215e4 + commit: 57e59c2e5d6b757a68d867491d9c9c09694e1522 repo: https://github.com/istio/istio directory: /manifests/charts/gateway - ref: 1.23.3 + ref: 1.25.0 diff --git a/chart/files/profile-ambient.yaml b/chart/files/profile-ambient.yaml index 22db033..2805fe4 100644 --- a/chart/files/profile-ambient.yaml +++ b/chart/files/profile-ambient.yaml @@ -15,6 +15,3 @@ pilot: cni: ambient: enabled: true - -# Ztunnel doesn't use a namespace, so everything here is mostly for ztunnel -variant: distroless diff --git a/chart/files/profile-compatibility-version-1.22.yaml b/chart/files/profile-compatibility-version-1.22.yaml index b091e2b..62420fe 100644 --- a/chart/files/profile-compatibility-version-1.22.yaml +++ b/chart/files/profile-compatibility-version-1.22.yaml @@ -6,7 +6,14 @@ pilot: env: # 1.23 behavioral changes ENABLE_DELIMITED_STATS_TAG_REGEX: "false" - + + # 1.24 behavioral changes + ENABLE_INBOUND_RETRY_POLICY: "false" + EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false" + PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false" + ENABLE_ENHANCED_DESTINATIONRULE_MERGE: "false" + PILOT_UNIFIED_SIDECAR_SCOPE: "false" + meshConfig: defaultConfig: proxyMetadata: 
@@ -14,3 +21,10 @@ meshConfig: ENABLE_DEFERRED_CLUSTER_CREATION: "false" # 1.23 behavioral changes ENABLE_DELIMITED_STATS_TAG_REGEX: "false" + # 1.24 behaviour changes + ENABLE_DEFERRED_STATS_CREATION: "false" + BYPASS_OVERLOAD_MANAGER_FOR_STATIC_LISTENERS: "false" + +# Not present in <1.24, defaults to `true` in 1.25+ +ambient: + reconcileIptablesOnStartup: false diff --git a/chart/files/profile-compatibility-version-1.23.yaml b/chart/files/profile-compatibility-version-1.23.yaml new file mode 100644 index 0000000..6b636e6 --- /dev/null +++ b/chart/files/profile-compatibility-version-1.23.yaml @@ -0,0 +1,23 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + ENABLE_INBOUND_RETRY_POLICY: "false" + EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false" + PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false" + ENABLE_ENHANCED_DESTINATIONRULE_MERGE: "false" + PILOT_UNIFIED_SIDECAR_SCOPE: "false" + +meshConfig: + defaultConfig: + proxyMetadata: + # 1.24 behaviour changes + ENABLE_DEFERRED_STATS_CREATION: "false" + BYPASS_OVERLOAD_MANAGER_FOR_STATIC_LISTENERS: "false" + +# Not present in <1.24, defaults to `true` in 1.25+ +ambient: + reconcileIptablesOnStartup: false diff --git a/chart/files/profile-compatibility-version-1.24.yaml b/chart/files/profile-compatibility-version-1.24.yaml new file mode 100644 index 0000000..a2dc354 --- /dev/null +++ b/chart/files/profile-compatibility-version-1.24.yaml 
@@ -0,0 +1,11 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + PILOT_ENABLE_IP_AUTOALLOCATE: "false" +ambient: + dnsCapture: false + reconcileIptablesOnStartup: false diff --git a/chart/files/profile-demo.yaml b/chart/files/profile-demo.yaml index 83b9d6b..d6dc36d 100644 --- a/chart/files/profile-demo.yaml +++ b/chart/files/profile-demo.yaml @@ -21,6 +21,22 @@ meshConfig: opentelemetry: port: 4317 service: opentelemetry-collector.observability.svc.cluster.local + - name: jaeger + opentelemetry: + port: 4317 + service: jaeger-collector.istio-system.svc.cluster.local + +cni: + resources: + requests: + cpu: 10m + memory: 40Mi + +ztunnel: + resources: + requests: + cpu: 10m + memory: 40Mi global: proxy: @@ -28,6 +44,11 @@ global: requests: cpu: 10m memory: 40Mi + waypoint: + resources: + requests: + cpu: 10m + memory: 40Mi pilot: autoscaleEnabled: false diff --git a/chart/files/profile-platform-gke.yaml b/chart/files/profile-platform-gke.yaml new file mode 100644 index 0000000..521bf1b --- /dev/null +++ b/chart/files/profile-platform-gke.yaml @@ -0,0 +1,6 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work diff --git a/chart/files/profile-platform-k3d.yaml b/chart/files/profile-platform-k3d.yaml new file mode 100644 index 0000000..cd86d9e --- /dev/null +++ b/chart/files/profile-platform-k3d.yaml 
@@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d + cniBinDir: /bin diff --git a/chart/files/profile-platform-k3s.yaml b/chart/files/profile-platform-k3s.yaml new file mode 100644 index 0000000..0782010 --- /dev/null +++ b/chart/files/profile-platform-k3s.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d + cniBinDir: /var/lib/rancher/k3s/data/cni diff --git a/chart/files/profile-platform-microk8s.yaml b/chart/files/profile-platform-microk8s.yaml new file mode 100644 index 0000000..57d7f5e --- /dev/null +++ b/chart/files/profile-platform-microk8s.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/snap/microk8s/current/args/cni-network + cniBinDir: /var/snap/microk8s/current/opt/cni/bin diff --git a/chart/files/profile-platform-minikube.yaml b/chart/files/profile-platform-minikube.yaml new file mode 100644 index 0000000..fa9992e --- /dev/null +++ b/chart/files/profile-platform-minikube.yaml @@ -0,0 +1,6 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniNetnsDir: /var/run/docker/netns 
diff --git a/chart/files/profile-platform-openshift.yaml b/chart/files/profile-platform-openshift.yaml new file mode 100644 index 0000000..8ddc5e1 --- /dev/null +++ b/chart/files/profile-platform-openshift.yaml @@ -0,0 +1,19 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The OpenShift profile provides a basic set of settings to run Istio on OpenShift +cni: + cniBinDir: /var/lib/cni/bin + cniConfDir: /etc/cni/multus/net.d + chained: false + cniConfFileName: "istio-cni.conf" + provider: "multus" +pilot: + cni: + enabled: true + provider: "multus" +seLinuxOptions: + type: spc_t +# Openshift requires privileged pods to run in kube-system +trustedZtunnelNamespace: "kube-system" diff --git a/chart/files/profile-remote.yaml b/chart/files/profile-remote.yaml new file mode 100644 index 0000000..d17b9a8 --- /dev/null +++ b/chart/files/profile-remote.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile. +istiodRemote: + enabled: true +configMap: false +telemetry: + enabled: false +global: + # TODO BML maybe a different profile for a configcluster/revisit this + omitSidecarInjectorConfigMap: true diff --git a/chart/templates/_helpers.tpl b/chart/templates/_helpers.tpl index 6ef392d..56a6f17 100644 --- a/chart/templates/_helpers.tpl +++ b/chart/templates/_helpers.tpl 
@@ -6,19 +6,8 @@
 {{- end -}}
 {{- end }}
 
-{{/*
-Create chart name and version as used by the helm.sh/chart label.
-*/}}
-{{- define "gateway.chart" -}}
-{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
-{{- end }}
-
 {{- define "gateway.labels" -}}
-helm.sh/chart: {{ include "gateway.chart" . }}
 {{ include "gateway.selectorLabels" . }}
-app.kubernetes.io/name: {{ include "gateway.name" . }}
-app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
-app.kubernetes.io/managed-by: {{ .Release.Service }}
 {{- range $key, $val := .Values.labels }}
 {{- if and (ne $key "app") (ne $key "istio") }}
 {{ $key | quote }}: {{ $val | quote }}
diff --git a/chart/templates/deployment.yaml b/chart/templates/deployment.yaml
index 330dca0..bee05f3 100644
--- a/chart/templates/deployment.yaml
+++ b/chart/templates/deployment.yaml
@@ -4,6 +4,8 @@ metadata:
 name: {{ include "gateway.name" . }}
 namespace: {{ .Release.Namespace }}
 labels:
+ app.kubernetes.io/name: {{ include "gateway.name" . }}
+ {{- include "istio.labels" . | nindent 4}}
 {{- include "gateway.labels" . | nindent 4}}
 annotations:
 {{- .Values.annotations | toYaml | nindent 4 }}
@@ -13,6 +15,13 @@ spec:
 replicas: {{ . }}
 {{- end }}
 {{- end }}
+ {{- with .Values.strategy }}
+ strategy:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- with .Values.minReadySeconds }}
+ minReadySeconds: {{ . }}
+ {{- end }}
 selector:
 matchLabels:
 {{- include "gateway.selectorLabels" . | nindent 6 }}
@@ -26,7 +35,7 @@ spec:
 {{- include "gateway.sidecarInjectionLabels" . | nindent 8 }}
 {{- include "gateway.selectorLabels" . | nindent 8 }}
 app.kubernetes.io/name: {{ include "gateway.name" . }}
- app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+ {{- include "istio.labels" . | nindent 8}}
 {{- range $key, $val := .Values.labels }}
 {{- if and (ne $key "app") (ne $key "istio") }}
 {{ $key | quote }}: {{ $val | quote }}
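Review bot: `gateway.labels` now yields only the selector labels plus user labels, so every resource depends on the separate `istio.labels` include (defined in zzz_profile.yaml later in this patch) for `app.kubernetes.io/version`, `app.kubernetes.io/managed-by` and `helm.sh/chart`; any template that still includes only `gateway.labels` would silently lose those labels, and only the templates shown in this patch are visibly updated. A one-line comment above the define would make the new contract explicit, e.g. `{{/* Selector labels plus .Values.labels only; pair with "istio.labels" for the common app.kubernetes.io/* set. */}}`. The define body continues past the end of the hunk.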
@@ -72,7 +81,7 @@ spec:
 allowPrivilegeEscalation: false
 privileged: false
 readOnlyRootFilesystem: true
- {{- if not (eq .Values.platform "openshift") }}
+ {{- if not (eq (.Values.platform | default "") "openshift") }}
 runAsUser: 1337
 runAsGroup: 1337
 {{- end }}
@@ -100,7 +109,11 @@ spec:
 {{- toYaml .Values.resources | nindent 12 }}
 {{- with .Values.volumeMounts }}
 volumeMounts:
- {{ toYaml . | nindent 12 }}
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
+ {{- with .Values.readinessProbe }}
+ readinessProbe:
+ {{- toYaml . | nindent 12 }}
 {{- end }}
 {{- with .Values.nodeSelector }}
 nodeSelector:
diff --git a/chart/templates/hpa.yaml b/chart/templates/hpa.yaml
index 1b0f936..64ecb6a 100644
--- a/chart/templates/hpa.yaml
+++ b/chart/templates/hpa.yaml
@@ -5,6 +5,8 @@ metadata:
 name: {{ include "gateway.name" . }}
 namespace: {{ .Release.Namespace }}
 labels:
+ app.kubernetes.io/name: {{ include "gateway.name" . }}
+ {{- include "istio.labels" . | nindent 4}}
 {{- include "gateway.labels" . | nindent 4 }}
 annotations:
 {{- .Values.annotations | toYaml | nindent 4 }}
diff --git a/chart/templates/poddisruptionbudget.yaml b/chart/templates/poddisruptionbudget.yaml
index 77f71e7..b0155cd 100644
--- a/chart/templates/poddisruptionbudget.yaml
+++ b/chart/templates/poddisruptionbudget.yaml
@@ -5,6 +5,8 @@ metadata:
 name: {{ include "gateway.name" . }}
 namespace: {{ .Release.Namespace }}
 labels:
+ app.kubernetes.io/name: {{ include "gateway.name" . }}
+ {{- include "istio.labels" . | nindent 4}}
 {{- include "gateway.labels" . | nindent 4}}
 spec:
 selector:
diff --git a/chart/templates/role.yaml b/chart/templates/role.yaml
index c8a25cb..3d16079 100644
--- a/chart/templates/role.yaml
+++ b/chart/templates/role.yaml
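Review bot: The `not (eq ...)` form with the `default ""` guard is hard to read at a glance; `{{- if ne (.Values.platform | default "") "openshift" }}` says the same thing, and a short comment on why the guard exists would help, e.g. `{{/* platform may be unset; default keeps the comparison valid on a nil value */}}` (presumably the guard was added because the comparison fails on an unset value — confirm). Skipping `runAsUser`/`runAsGroup` on OpenShift means the pod UID is assigned by the platform there rather than pinned to 1337; that looks intentional but is worth stating in the same comment so nobody "fixes" it later. The container securityContext block starts and ends outside the hunk.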
@@ -6,6 +6,8 @@ metadata:
 name: {{ include "gateway.serviceAccountName" . }}
 namespace: {{ .Release.Namespace }}
 labels:
+ app.kubernetes.io/name: {{ include "gateway.name" . }}
+ {{- include "istio.labels" . | nindent 4}}
 {{- include "gateway.labels" . | nindent 4}}
 annotations:
 {{- .Values.annotations | toYaml | nindent 4 }}
@@ -20,6 +22,8 @@ metadata:
 name: {{ include "gateway.serviceAccountName" . }}
 namespace: {{ .Release.Namespace }}
 labels:
+ app.kubernetes.io/name: {{ include "gateway.name" . }}
+ {{- include "istio.labels" . | nindent 4}}
 {{- include "gateway.labels" . | nindent 4}}
 annotations:
 {{- .Values.annotations | toYaml | nindent 4 }}
diff --git a/chart/templates/service.yaml b/chart/templates/service.yaml
index 9177d2a..25ce3bc 100644
--- a/chart/templates/service.yaml
+++ b/chart/templates/service.yaml
@@ -5,6 +5,8 @@ metadata:
 name: {{ include "gateway.name" . }}
 namespace: {{ .Release.Namespace }}
 labels:
+ app.kubernetes.io/name: {{ include "gateway.name" . }}
+ {{- include "istio.labels" . | nindent 4}}
 {{- include "gateway.labels" . | nindent 4 }}
 {{- with .Values.networkGateway }}
 topology.istio.io/network: "{{.}}"
diff --git a/chart/templates/serviceaccount.yaml b/chart/templates/serviceaccount.yaml
index e5b2304..c88afea 100644
--- a/chart/templates/serviceaccount.yaml
+++ b/chart/templates/serviceaccount.yaml
@@ -5,6 +5,8 @@ metadata:
 name: {{ include "gateway.serviceAccountName" . }}
 namespace: {{ .Release.Namespace }}
 labels:
+ app.kubernetes.io/name: {{ include "gateway.name" . }}
+ {{- include "istio.labels" . | nindent 4}}
 {{- include "gateway.labels" . | nindent 4 }}
 {{- with .Values.serviceAccount.annotations }}
 annotations:
diff --git a/chart/templates/zzz_profile.yaml b/chart/templates/zzz_profile.yaml
index 2d0bd4a..ded66c5 100644
--- a/chart/templates/zzz_profile.yaml
+++ b/chart/templates/zzz_profile.yaml
@@ -15,15 +15,20 @@ However, we can workaround this by placing all of (1) under a specific key (.Val
 We can then merge the profile onto the defaults, then the user settings onto that.
 Finally, we can set all of that under .Values so the chart behaves without awareness.
 */}}
-{{- $globals := $.Values.global | default dict | deepCopy }}
-{{- $defaults := $.Values.defaults }}
-{{- $_ := unset $.Values "defaults" }}
+{{- if $.Values.defaults}}
+{{ fail (cat
+ "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n"
+ ($.Values.defaults | toYaml |nindent 4)
+) }}
+{{- end }}
+{{- $defaults := $.Values._internal_defaults_do_not_set }}
+{{- $_ := unset $.Values "_internal_defaults_do_not_set" }}
 {{- $profile := dict }}
-{{- with .Values.profile }}
+{{- with (coalesce ($.Values).profile ($.Values.global).profile) }}
 {{- with $.Files.Get (printf "files/profile-%s.yaml" .)}}
 {{- $profile = (. | fromYaml) }}
 {{- else }}
-{{ fail (cat "unknown profile" $.Values.profile) }}
+{{ fail (cat "unknown profile" .) }}
 {{- end }}
 {{- end }}
 {{- with .Values.compatibilityVersion }}
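Review bot: The failure text in the new guard says `.default prefix` but the key being rejected is `defaults` (`{{- if $.Values.defaults}}`), so the message points users at a key that does not exist; change it to `"Setting with .defaults prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n"`. The new profile lookup also dereferences `($.Values.global).profile` with no nil guard, whereas the globals merge later in this file wraps the same value in `$.Values.global | default dict`; if Helm does not supply an empty `global` map for this chart (it usually does — confirm against values.yaml, which is not fully visible here), a field access on a nil value aborts rendering. `{{- with (coalesce ($.Values).profile (($.Values.global | default dict).profile)) }}` keeps the two accesses consistent.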
@@ -33,11 +38,37 @@ Finally, we can set all of that under .Values so the chart behaves without aware
 {{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }}
 {{- end }}
 {{- end }}
+{{- with (coalesce ($.Values).platform ($.Values.global).platform) }}
+{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown platform" .) }}
+{{- end }}
+{{- end }}
 {{- if $profile }}
 {{- $a := mustMergeOverwrite $defaults $profile }}
 {{- end }}
 # Flatten globals, if defined on a per-chart basis
-{{- if false }}
-{{- $a := mustMergeOverwrite $defaults $globals }}
+{{- if true }}
+{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict) }}
 {{- end }}
 {{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }}
+
+{{/*
+Labels that should be applied to ALL resources.
+*/}}
+{{- define "istio.labels" -}}
+{{- if .Release.Service -}}
+app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+{{- end }}
+{{- if .Release.Name }}
+app.kubernetes.io/instance: {{ .Release.Name | quote }}
+{{- end }}
+app.kubernetes.io/part-of: "istio"
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+{{- if and .Chart.Name .Chart.Version }}
+helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end -}}
diff --git a/chart/values.schema.json b/chart/values.schema.json
index 4c4f083..c43b8ef 100644
--- a/chart/values.schema.json
+++ b/chart/values.schema.json
@@ -60,6 +60,15 @@
 "env": {
 "type": "object"
 },
+ "strategy": {
+ "type": "object"
+ },
+ "minReadySeconds": {
+ "type": [ "null", "integer" ]
+ },
+ "readinessProbe": {
+ "type": [ "null", "object" ]
+ },
 "labels": {
 "type": "object"
 },
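Review bot: `{{- if true }}` around the globals merge is a dead conditional left over from the old `{{- if false }}` block; drop the wrapper and keep the single `{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict) }}` line under the existing `# Flatten globals` comment. The `istio.labels` define is placed in zzz_profile.yaml rather than in `_helpers.tpl`, where the other label helpers (and the `gateway.chart` helper this patch removes) live; a define is reachable from any template file, but a reader looking in _helpers.tpl will not find it, so either move it or add `{{/* "istio.labels" is defined in zzz_profile.yaml */}}` next to `gateway.labels`. The platform lookup added at the top of this hunk reads `($.Values.global).platform` with the same unguarded nil access as the profile lookup in the previous hunk, so whichever guard is chosen there should be applied here too.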
@@ -237,17 +246,6 @@
 "Never"
 ]
 },
- "imagePullSecrets": {
- "type": "array",
- "items": {
- "type": "object",
- "properties": {
- "name": {
- "type": "string"
- }
- }
- }
- },
 "podDisruptionBudget": {
 "type": "object",
 "properties": {
diff --git a/chart/values.yaml b/chart/values.yaml
index df29075..b39a675 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -1,6 +1,6 @@
-# "defaults" is a workaround for Helm limitations. Users should NOT set ".defaults" explicitly, but rather directly set the fields internally.
-# For instance, instead of `--set defaults.foo=bar`, just set `--set foo=bar`.
-defaults:
+# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally.
+# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`.
+_internal_defaults_do_not_set:
 # Name allows overriding the release name. Generally this should not be set
 name: ""
 # revision declares which revision this gateway is a part of
@@ -84,8 +84,21 @@ defaults:
 # Pod environment variables
 env: {}
 
+ # Deployment Update strategy
+ strategy: {}
+
+ # Sets the Deployment minReadySeconds value
+ minReadySeconds:
+
+ # Optionally configure a custom readinessProbe. By default the control plane
+ # automatically injects the readinessProbe. If you wish to override that
+ # behavior, you may define your own readinessProbe here.
+ readinessProbe: {}
+
 # Labels to apply to all resources
- labels: {}
+ labels:
+ # By default, don't enroll gateways into the ambient dataplane
+ "istio.io/dataplane-mode": none
 
 # Annotations to apply to all resources
 annotations: {}
@@ -104,7 +117,7 @@ defaults:
 # Setting ironbank image
 image:
 repo: registry1.dso.mil/ironbank/opensource/istio/proxyv2
- tag: 1.23.3
+ tag: 1.25.0
 
 # Specify image pull policy if default behavior isn't desired.
 # Default behavior: latest images will be Always else IfNotPresent
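Review bot: Removing `imagePullSecrets` from the schema loosens the chart's input validation for a key the chart still ships a default for (the README table in this patch still lists `_internal_defaults_do_not_set.imagePullSecrets[0].name` as `"private-registry"`). If the enclosing object declares `additionalProperties: false` (not visible in this hunk) the install would now fail schema validation; if it does not, the pull-secret list is simply no longer validated. Either way the entry looks worth reinstating alongside `podDisruptionBudget`, or the reason for dropping it should be recorded in the changelog entry.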
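Review bot: The rewritten comment on the `_internal_defaults_do_not_set` key has a doubled closing backtick after `foo=bar`, so the `--set` example renders with a stray backtick; drop the extra one so the sentence reads the same way as the `--set foo=bar` half of the line. This is the top-of-file comment, so it is the first thing a user reads when they hit the new `fail` guard.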
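Review bot: `minReadySeconds:` is left as a bare empty value, which YAML parses as null; writing `minReadySeconds: null` states the intent explicitly, satisfies yamllint's empty-values check, and matches the `[ "null", "integer" ]` type the schema hunk in this patch declares. Since the deployment template wraps this value in `with`, a value of `0` renders the same as unset; the comment could say so: `# Sets the Deployment minReadySeconds value (unset or 0 leaves the Kubernetes default)`. The `"istio.io/dataplane-mode": none` default is a plain string and is fine as written.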
@@ -143,6 +156,7 @@ defaults: # podDisruptionBudget: {} + # Sets the per-pod terminationGracePeriodSeconds setting. terminationGracePeriodSeconds: 30 # A list of `Volumes` added into the Gateway Pods. See @@ -162,7 +176,7 @@ defaults: # If enterprise is set to true FIPs Tetrate Image Distro images are used enterprise: false tidHub: registry1.dso.mil/ironbank/tetrate/istio - tidTag: 1.23.3-tetratefips-v0 + tidTag: 1.25.0-tetratefips0 mtls: # -- STRICT = Allow only mutual TLS traffic, diff --git a/docs/DEVELOPMENT_MAINTENANCE.md b/docs/DEVELOPMENT_MAINTENANCE.md index c346b7b..ec7710b 100644 --- a/docs/DEVELOPMENT_MAINTENANCE.md +++ b/docs/DEVELOPMENT_MAINTENANCE.md 
@@ -4,14 +4,14 @@ 1. Update via `kpt`: ```bash # update to VERSION of the upstream chart auto-merging in changes - kpt pkg update chart@1.23.2 --strategy alpha-git-patch + kpt pkg update chart@1.25.0 --strategy alpha-git-patch ``` Or if you'd like to pull down upstream to a fresh `DIR` and manually merge in the changes yourself: ```bash # get a fresh VERSION of the upstream chart to DIR - kpt pkg get "https://github.com/istio/istio.git/manifests/charts/gateway@1.23.2" ./fresh + kpt pkg get "https://github.com/istio/istio.git/manifests/charts/gateway@1.25.0" ./fresh ``` -1. Update version references for the Chart. `version` should be `<version>-bb.0` (ex: `1.22.2-bb.0`) and `appVersion` should be `<version>` (ex: `1.22.2`). Also validate that the BB annotation for the main Istio version is updated (leave the Tetrate version as-is unless you are updating those images). +1. Update version references for the Chart. `version` should be `<version>-bb.0` (ex: `1.25.0-bb.0`) and `appVersion` should be `<version>` (ex: `1.25.0`). Also validate that the BB annotation for the main Istio version is updated (leave the Tetrate version as-is unless you are updating those images). 1. Add a changelog entry for the update. At minimum mention updating the image versions. 1. Update the readme following the [steps in Gluon](https://repo1.dso.mil/platform-one/big-bang/apps/library-charts/gluon/-/blob/master/docs/bb-package-readme.md). 1. Open MR (or check the one that Renovate created for you) and validate that the pipeline is successful. Also follow the testing steps below for some manual confirmations. 
@@ -40,7 +40,12 @@ This is a high-level list of modifications that Big Bang has made to the upstrea ``` ## chart/templates/deployment.yaml -- Added templating for Tetrate FIPs image integration lines 56-60. +- Added templating for Tetrate FIPs image integration lines 65-67. +``` + {{- if .Values.enterprise }} + image: "{{ .Values.tidHub }}/{{ "proxyv2" }}:{{ .Values.tidTag }}" + {{- else }} +``` - Modified the following section under `spec.template.spec.containers.ports` to suppress warnings from Kiali as the gateway deployment was not listening on the same ports as its associated service: ``` 
@@ -50,17 +55,87 @@ This is a high-level list of modifications that Big Bang has made to the upstrea name: {{ $ports.name }} {{- end }} ``` +- Modified `spec.containers.image` away from using `auto` to speed up deployment +``` + image: "{{ .Values.image.repo }}:{{ .Values.image.tag }}" +``` ## chart/values.yaml -- Added enterprise boolean, tidHub and tidTag for Tetrate FIPs image integraton lines 157-160. -- Prepended default `status-port` to `tcp-status-port` under `service.ports` section to appease Kiali warning. -- Added gateway which is used to pass down required values into `chart/templates/bigbang/gateway.yaml`. +- Specified the `image` to use instead of using `auto` +``` + # Setting ironbank image + image: + repo: registry1.dso.mil/ironbank/opensource/istio/proxyv2 + tag: 1.25.0 +``` +- Changed `imagePullSecrets` to `private-registry` +``` + imagePullSecrets: + - name: private-registry +``` + +- Added `defaults.enterprise` boolean, tidHub and tidTag for Tetrate FIPs image integraton around line 176. +``` + # If enterprise is set to true FIPs Tetrate Image Distro images are used + enterprise: false + tidHub: registry1.dso.mil/ironbank/tetrate/istio + tidTag: 1.25.0-tetratefips0 +``` + +- Changed `status-port` to `tcp-status-port` under `service.ports` section to appease Kiali warning. +- Changed the `targetPort`s under `service.ports` from 80 and 443 to 8080 and 8443. + + +- Added default gateway which is used to pass down required values into `chart/templates/bigbang/gateway.yaml`. +``` +# Settings for istio gateway +gateway: + servers: + - hosts: + - '*.dev.bigbang.mil' + port: + name: http + number: 8080 + protocol: HTTP + tls: + httpsRedirect: true + - hosts: + - '*.dev.bigbang.mil' + port: + name: https + number: 8443 + protocol: HTTPS + tls: + credentialName: public-cert + mode: SIMPLE +``` + - Added `networkPolicies` section to enable default network policies and allow custom additional network policies to be added. 
-- Added the following `mtls` section to enable mutual TLS used in `chart/templates/bigbang/peerAuthentication.yaml`: +``` +networkPolicies: + enabled: true + additionalPolicies: [] +``` +- Added the following `mtls` section to enable mutual TLS used in `chart/templates/bigbang/peerAuthentication.yaml`: ``` mtls: # -- STRICT = Allow only mutual TLS traffic, # PERMISSIVE = Allow both plain text and mutual TLS traffic mode: STRICT -``` \ No newline at end of file +``` + +## chart/templates/_helpers.tpl +Replaced: +``` +{{- if .Values.serviceAccount.create }} +{{- .Values.serviceAccount.name | default (include "gateway.name" .) }} +{{- else }} +``` +...with... +``` +{{- if .Values.serviceAccount.create }} +{{- $defaultSericeAccount := printf "%s-%s" (include "gateway.name" .) "ingressgateway-service-account" -}} +{{- .Values.serviceAccount.name | default $defaultSericeAccount }} +{{- else }} +``` -- GitLab From bf81bfaec51f2a52b07fbb2e1d7b1a79f4dc2c5c Mon Sep 17 00:00:00 2001 From: Greg <miernicki_gregory@bah.com> Date: Fri, 21 Mar 2025 21:28:49 -0500 Subject: [PATCH 02/26] =?UTF-8?q?=20=E2=9B=B5?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- CODEOWNERS | Bin 77 -> 77 bytes 1 file changed, 0 insertions(+), 0 deletions(-) diff --git a/CODEOWNERS b/CODEOWNERS index d6ded0fc2a1c7c3b29352a98f280aaf74921c478..6a7daf20495e5059b997134d9cc19689a3c4011f 100644 GIT binary patch delta 31 mcmebEonS1Ll9ZU8T4ZQsX`$dym7JK9lbDg1$Hm3KzyJW9?g-Za delta 31 mcmebEonS1Lm0FaVTd9{(nv<EFt>BQ7l$f1bWN2h*!36-XhzeN% -- GitLab From 75e0923e9d6c0295f249a6396fbe5352ef5eda8d Mon Sep 17 00:00:00 2001 From: Greg <miernicki_gregory@bah.com> Date: Fri, 21 Mar 2025 21:30:49 -0500 Subject: [PATCH 03/26] =?UTF-8?q?=20=E2=9B=B5?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- CODEOWNERS | Bin 77 -> 74 bytes 1 file changed, 0 insertions(+), 0 deletions(-) 
diff --git a/CODEOWNERS b/CODEOWNERS index 6a7daf20495e5059b997134d9cc19689a3c4011f..946c372b0454ef70d3183cfb8347dcbb2926c3d0 100644 GIT binary patch delta 4 LcmebEn&1Th1AqZ? delta 8 PcmebBo#4gHz`y_i2~h!c -- GitLab From 20beb0243106da8724c63fd62b8b9ded0180bfdd Mon Sep 17 00:00:00 2001 From: Greg <miernicki_gregory@bah.com> Date: Wed, 26 Mar 2025 11:18:10 -0500 Subject: [PATCH 04/26] =?UTF-8?q?=20=E2=9B=B5?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- CHANGELOG.md | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index c8f44ee..271cfb6 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,9 +4,11 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), --- -## [1.25.0-bb.0] - 2024-03-18 -Changed -- Updated to v1.25.0 +## [1.25.0-bb.0] - 2025-03-26 + +### Added + +- Updated to match upstream v1.25.0 of istio-gateway ## [1.23.3-bb.3] - 2024-02-13 -- GitLab From f7a9cda4d8ba1acb90589b3fd7043d65434d2100 Mon Sep 17 00:00:00 2001 From: Greg <miernicki_gregory@bah.com> Date: Wed, 26 Mar 2025 17:25:42 -0500 Subject: [PATCH 05/26] =?UTF-8?q?=20=E2=9B=B5?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- CODEOWNERS | 3 +-- chart/values.schema.json | 11 +++++++++++ 2 files changed, 12 insertions(+), 2 deletions(-) diff --git a/CODEOWNERS b/CODEOWNERS index 946c372..af41340 100644 --- a/CODEOWNERS +++ b/CODEOWNERS @@ -1,2 +1 @@ -* @stephen.galamb @lgomez2 @jimmy.bourque @kipten @dbaker1298 @zcallahan - +* @zcallahan @kipten @lgomez2 @stephen.galamb @jimmy.bourque \ No newline at end of file diff --git a/chart/values.schema.json b/chart/values.schema.json index c43b8ef..3108259 100644 --- a/chart/values.schema.json +++ b/chart/values.schema.json 
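Review bot: The rewritten owners line drops `@dbaker1298` from the code-owner set and removes the file's trailing newline (`\ No newline at end of file`), while the patch subject is a bare emoji, so neither change is recorded anywhere a later reader can find it. Code-owner membership decides who can approve changes to this chart, so a subject such as `CODEOWNERS: remove @dbaker1298, reorder owners` would make the change auditable. Patches 02 and 03 appear to be a binary-encoded round trip of the same file that returns to blob 946c372, so this hunk is the one that actually takes effect; restoring the trailing newline here also keeps future diffs to this one-line file minimal.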
@@ -246,6 +246,17 @@ "Never" ] }, + "imagePullSecrets": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string" + } + } + } + }, "podDisruptionBudget": { "type": "object", "properties": { -- GitLab From c38b1b787c65b94ea5da9397e7d932b195cdfe8a Mon Sep 17 00:00:00 2001 From: Greg <miernicki_gregory@bah.com> Date: Thu, 27 Mar 2025 09:55:13 -0500 Subject: [PATCH 06/26] =?UTF-8?q?=20=E2=9B=B5?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../bigbang/networkPolicies/allow-ingressgateway-ingress.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/chart/templates/bigbang/networkPolicies/allow-ingressgateway-ingress.yaml b/chart/templates/bigbang/networkPolicies/allow-ingressgateway-ingress.yaml index 1bcc11d..b453893 100644 --- a/chart/templates/bigbang/networkPolicies/allow-ingressgateway-ingress.yaml +++ b/chart/templates/bigbang/networkPolicies/allow-ingressgateway-ingress.yaml @@ -13,7 +13,7 @@ spec: - ipBlock: cidr: 0.0.0.0/0 ports: - {{- range $servicePorts := .Values.defaults.service.ports }} + {{- range $servicePorts := .Values.service.ports }} - port: {{ $servicePorts.targetPort }} protocol: {{ $servicePorts.protocol }} {{- end }} -- GitLab From 452f00c003a6e921098f04c439bf9e02907241dd Mon Sep 17 00:00:00 2001 From: Greg <miernicki_gregory@bah.com> Date: Thu, 27 Mar 2025 18:33:31 -0500 Subject: [PATCH 07/26] =?UTF-8?q?=20=E2=9B=B5?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- chart/values.yaml | 28 +++++++++++++++++++++++++++- 1 file changed, 27 insertions(+), 1 deletion(-) diff --git a/chart/values.yaml b/chart/values.yaml index b39a675..50040b5 100644 --- a/chart/values.yaml +++ b/chart/values.yaml 
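Review bot: The range on the new side iterates `.Values.service.ports`, and if that list renders empty the emitted `ports:` key is left bare, which the NetworkPolicy API treats as matching all ports for the `0.0.0.0/0` ingress rule above it — so the path fix matters beyond tidiness, since `.Values.defaults.service.ports` would no longer have resolved after patch 01 renamed `defaults` to `_internal_defaults_do_not_set`. A guard makes that failure loud instead of silently widening the policy: `{{- if not .Values.service.ports }}{{ fail "service.ports must not be empty" }}{{- end }}` placed just before the `ports:` line. The enclosing `from`/`ipBlock` rule starts outside the hunk.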
@@ -206,4 +206,30 @@ gateway: protocol: HTTPS tls: credentialName: public-cert - mode: SIMPLE \ No newline at end of file + mode: SIMPLE + +service: + # Type of service. Set to "None" to disable the service entirely + type: LoadBalancer + ports: + - name: tcp-status-port + port: 15021 + protocol: TCP + targetPort: 15021 + - name: http2 + port: 80 + protocol: TCP + targetPort: 8080 + - name: https + port: 443 + protocol: TCP + targetPort: 8443 + annotations: {} + loadBalancerIP: "" + loadBalancerSourceRanges: [] + externalTrafficPolicy: "" + externalIPs: [] + ipFamilyPolicy: "" + ipFamilies: [] + ## Whether to automatically allocate NodePorts (only for LoadBalancers). + # allocateLoadBalancerNodePorts: false \ No newline at end of file -- GitLab From dc32670937532fb8ad2630750de71bc277fa26ba Mon Sep 17 00:00:00 2001 From: Greg <miernicki_gregory@bah.com> Date: Thu, 27 Mar 2025 19:44:08 -0500 Subject: [PATCH 08/26] =?UTF-8?q?=20=E2=9B=B5?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- chart/values.yaml | 26 -------------------------- 1 file changed, 26 deletions(-) diff --git a/chart/values.yaml b/chart/values.yaml index 50040b5..b207e99 100644 --- a/chart/values.yaml +++ b/chart/values.yaml @@ -207,29 +207,3 @@ gateway: tls: credentialName: public-cert mode: SIMPLE - -service: - # Type of service. Set to "None" to disable the service entirely - type: LoadBalancer - ports: - - name: tcp-status-port - port: 15021 - protocol: TCP - targetPort: 15021 - - name: http2 - port: 80 - protocol: TCP - targetPort: 8080 - - name: https - port: 443 - protocol: TCP - targetPort: 8443 - annotations: {} - loadBalancerIP: "" - loadBalancerSourceRanges: [] - externalTrafficPolicy: "" - externalIPs: [] - ipFamilyPolicy: "" - ipFamilies: [] - ## Whether to automatically allocate NodePorts (only for LoadBalancers). - # allocateLoadBalancerNodePorts: false \ No newline at end of file -- GitLab 
From 4968480034b3212091e3977a9dbfeff431be4d97 Mon Sep 17 00:00:00 2001 From: Greg <miernicki_gregory@bah.com> Date: Thu, 27 Mar 2025 20:00:17 -0500 Subject: [PATCH 09/26] =?UTF-8?q?=20=E2=9B=B5?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- chart/values.yaml | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/chart/values.yaml b/chart/values.yaml index b207e99..4b3b700 100644 --- a/chart/values.yaml +++ b/chart/values.yaml @@ -207,3 +207,27 @@ gateway: tls: credentialName: public-cert mode: SIMPLE + +service: + # Type of service. Set to "None" to disable the service entirely + type: LoadBalancer + ports: + - name: tcp-status-port + port: 15021 + protocol: TCP + targetPort: 15021 + - name: http2 + port: 80 + protocol: TCP + targetPort: 8080 + - name: https + port: 443 + protocol: TCP + targetPort: 8443 + annotations: {} + loadBalancerIP: "" + loadBalancerSourceRanges: [] + externalTrafficPolicy: "" + externalIPs: [] + ipFamilyPolicy: "" + ipFamilies: [] \ No newline at end of file -- GitLab From b03c71a03adcf152f0576233596c96f9757e1d8e Mon Sep 17 00:00:00 2001 From: Greg <miernicki_gregory@bah.com> Date: Thu, 27 Mar 2025 20:02:59 -0500 Subject: [PATCH 10/26] =?UTF-8?q?=20=E2=9B=B5?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- chart/values.yaml | 26 -------------------------- 1 file changed, 26 deletions(-) diff --git a/chart/values.yaml b/chart/values.yaml index 4b3b700..b7d3ab9 100644 --- a/chart/values.yaml +++ b/chart/values.yaml 
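Review bot: The `service` block re-added at top level here is not mirrored in `values.schema.json` anywhere in this series (patches 07–11 change only `chart/values.yaml`, and the schema's last edit in patch 05 places keys at the `_internal_defaults_do_not_set` level), so if the schema still declares `service` under the defaults mapping the top-level key goes unvalidated and a typo such as `loadBalancerSourceRange` would be accepted silently — worth confirming; the same question applies to patch 22's move of `enterprise`/`tidHub`/`tidTag` to top level. Since these are Big Bang's own defaults rather than upstream values, a comment on the restriction knob would help operators: `# Empty loadBalancerSourceRanges admits every source CIDR; set it to limit who can reach the LoadBalancer`. The new side also ends without a trailing newline (`\ No newline at end of file`).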
@@ -39,32 +39,6 @@ _internal_defaults_do_not_set: securityContext: {} containerSecurityContext: {} - service: - # Type of service. Set to "None" to disable the service entirely - type: LoadBalancer - ports: - - name: tcp-status-port - port: 15021 - protocol: TCP - targetPort: 15021 - - name: http2 - port: 80 - protocol: TCP - targetPort: 8080 - - name: https - port: 443 - protocol: TCP - targetPort: 8443 - annotations: {} - loadBalancerIP: "" - loadBalancerSourceRanges: [] - externalTrafficPolicy: "" - externalIPs: [] - ipFamilyPolicy: "" - ipFamilies: [] - ## Whether to automatically allocate NodePorts (only for LoadBalancers). - # allocateLoadBalancerNodePorts: false - resources: requests: cpu: 100m -- GitLab From 1b2515d1d3ffe75089afe534668666e197f62e12 Mon Sep 17 00:00:00 2001 From: Greg <miernicki_gregory@bah.com> Date: Thu, 27 Mar 2025 20:04:46 -0500 Subject: [PATCH 11/26] =?UTF-8?q?=20=E2=9B=B5?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- chart/values.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/chart/values.yaml b/chart/values.yaml index b7d3ab9..c5cbae5 100644 --- a/chart/values.yaml +++ b/chart/values.yaml @@ -182,6 +182,7 @@ gateway: credentialName: public-cert mode: SIMPLE +# bb defaults service: # Type of service. Set to "None" to disable the service entirely type: LoadBalancer @@ -204,4 +205,4 @@ service: externalTrafficPolicy: "" externalIPs: [] ipFamilyPolicy: "" - ipFamilies: [] \ No newline at end of file + ipFamilies: [] -- GitLab From 9fc49eab6899390ec3cc6de5ea49ac6ee69afc63 Mon Sep 17 00:00:00 2001 From: Greg <miernicki_gregory@bah.com> Date: Thu, 27 Mar 2025 20:18:27 -0500 Subject: [PATCH 12/26] update "gateway" (https://github.com/istio/istio) from "1.25.0" (57e59c2e5d6b757a68d867491d9c9c09694e1522) to "1.25.1" (be4b14ad8be844c5f876a41ad4437217a2e03cf8) --- chart/Kptfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/chart/Kptfile b/chart/Kptfile index d11d943..eb14fd4 100644 --- a/chart/Kptfile +++ b/chart/Kptfile @@ -5,7 +5,7 @@ metadata: upstream: type: git git: - commit: 57e59c2e5d6b757a68d867491d9c9c09694e1522 + commit: be4b14ad8be844c5f876a41ad4437217a2e03cf8 repo: https://github.com/istio/istio directory: /manifests/charts/gateway - ref: 1.25.0 + ref: 1.25.1 -- GitLab From 92864c413864c92e086d5e89e6e46f49f609e0b8 Mon Sep 17 00:00:00 2001 From: Greg <miernicki_gregory@bah.com> Date: Thu, 27 Mar 2025 20:19:54 -0500 Subject: [PATCH 13/26] =?UTF-8?q?=20=E2=9B=B5?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- chart/Chart.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/chart/Chart.yaml b/chart/Chart.yaml index a232c6a..08cf87d 100644 --- a/chart/Chart.yaml +++ b/chart/Chart.yaml @@ -2,8 +2,8 @@ apiVersion: v2 name: gateway description: Helm chart for deploying Istio gateways type: application -version: 1.25.0-bb.0 -appVersion: 1.25.0 +version: 1.25.1-bb.0 +appVersion: 1.25.1 sources: - https://github.com/istio/istio icon: https://istio.io/latest/favicons/android-192x192.png -- GitLab From f0303f66c28eee372d2753bbc94dfb8ff95a57fd Mon Sep 17 00:00:00 2001 From: Greg <miernicki_gregory@bah.com> Date: Thu, 27 Mar 2025 20:22:46 -0500 Subject: [PATCH 14/26] =?UTF-8?q?=20=E2=9B=B5?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- CHANGELOG.md | 6 ++++++ README.md | 42 +++++++++++++++++++++--------------------- 2 files changed, 27 insertions(+), 21 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 271cfb6..598521b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,12 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), --- +## [1.25.1-bb.0] - 2025-03-27 + +### Added + +- Updated to match upstream v1.25.1 of istio-gateway + ## [1.25.0-bb.0] - 2025-03-26 ### Added 
diff --git a/README.md b/README.md index 09e4c4b..995f6ef 100644 --- a/README.md +++ b/README.md @@ -1,7 +1,7 @@ <!-- Warning: Do not manually edit this file. See notes on gluon + helm-docs at the end of this file for more information. --> # gateway -    +    Helm chart for deploying Istio gateways 
@@ -56,26 +56,6 @@ helm install gateway chart/ | _internal_defaults_do_not_set.podAnnotations."sidecar.istio.io/inject" | string | `"true"` | | | _internal_defaults_do_not_set.securityContext | object | `{}` | | | _internal_defaults_do_not_set.containerSecurityContext | object | `{}` | | -| _internal_defaults_do_not_set.service.type | string | `"LoadBalancer"` | | -| _internal_defaults_do_not_set.service.ports[0].name | string | `"tcp-status-port"` | | -| _internal_defaults_do_not_set.service.ports[0].port | int | `15021` | | -| _internal_defaults_do_not_set.service.ports[0].protocol | string | `"TCP"` | | -| _internal_defaults_do_not_set.service.ports[0].targetPort | int | `15021` | | -| _internal_defaults_do_not_set.service.ports[1].name | string | `"http2"` | | -| _internal_defaults_do_not_set.service.ports[1].port | int | `80` | | -| _internal_defaults_do_not_set.service.ports[1].protocol | string | `"TCP"` | | -| _internal_defaults_do_not_set.service.ports[1].targetPort | int | `8080` | | -| _internal_defaults_do_not_set.service.ports[2].name | string | `"https"` | | -| _internal_defaults_do_not_set.service.ports[2].port | int | `443` | | -| _internal_defaults_do_not_set.service.ports[2].protocol | string | `"TCP"` | | -| _internal_defaults_do_not_set.service.ports[2].targetPort | int | `8443` | | -| _internal_defaults_do_not_set.service.annotations | object | `{}` | | -| _internal_defaults_do_not_set.service.loadBalancerIP | string | `""` | | -| _internal_defaults_do_not_set.service.loadBalancerSourceRanges | list | `[]` | | -| _internal_defaults_do_not_set.service.externalTrafficPolicy | string | `""` | | -| _internal_defaults_do_not_set.service.externalIPs | list | `[]` | | -| _internal_defaults_do_not_set.service.ipFamilyPolicy | string | `""` | | -| _internal_defaults_do_not_set.service.ipFamilies | list | `[]` | | | _internal_defaults_do_not_set.resources.requests.cpu | string | `"100m"` | | | _internal_defaults_do_not_set.resources.requests.memory | 
string | `"128Mi"` | | | _internal_defaults_do_not_set.resources.limits.cpu | string | `"2000m"` | | @@ -123,6 +103,26 @@ helm install gateway chart/ | gateway.servers[1].port.protocol | string | `"HTTPS"` | | | gateway.servers[1].tls.credentialName | string | `"public-cert"` | | | gateway.servers[1].tls.mode | string | `"SIMPLE"` | | +| service.type | string | `"LoadBalancer"` | | +| service.ports[0].name | string | `"tcp-status-port"` | | +| service.ports[0].port | int | `15021` | | +| service.ports[0].protocol | string | `"TCP"` | | +| service.ports[0].targetPort | int | `15021` | | +| service.ports[1].name | string | `"http2"` | | +| service.ports[1].port | int | `80` | | +| service.ports[1].protocol | string | `"TCP"` | | +| service.ports[1].targetPort | int | `8080` | | +| service.ports[2].name | string | `"https"` | | +| service.ports[2].port | int | `443` | | +| service.ports[2].protocol | string | `"TCP"` | | +| service.ports[2].targetPort | int | `8443` | | +| service.annotations | object | `{}` | | +| service.loadBalancerIP | string | `""` | | +| service.loadBalancerSourceRanges | list | `[]` | | +| service.externalTrafficPolicy | string | `""` | | +| service.externalIPs | list | `[]` | | +| service.ipFamilyPolicy | string | `""` | | +| service.ipFamilies | list | `[]` | | ## Contributing -- GitLab From 355f97ec086fb732baa85ed67f005672dbc6b26a Mon Sep 17 00:00:00 2001 From: Greg <miernicki_gregory@bah.com> Date: Thu, 27 Mar 2025 20:26:01 -0500 Subject: [PATCH 15/26] =?UTF-8?q?=20=E2=9B=B5?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- docs/DEVELOPMENT_MAINTENANCE.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/DEVELOPMENT_MAINTENANCE.md b/docs/DEVELOPMENT_MAINTENANCE.md index ec7710b..a47abf7 100644 --- a/docs/DEVELOPMENT_MAINTENANCE.md +++ b/docs/DEVELOPMENT_MAINTENANCE.md 
@@ -125,6 +125,8 @@ mtls: mode: STRICT ``` +- Move the `service:` section out from the top level `_internal_defaults_do_not_set:` to be it's own top-level section. + ## chart/templates/_helpers.tpl Replaced: ``` -- GitLab From 917f1f2b5dc93c3f6f00095a451f85511af7f241 Mon Sep 17 00:00:00 2001 From: Greg <miernicki_gregory@bah.com> Date: Thu, 27 Mar 2025 20:29:57 -0500 Subject: [PATCH 16/26] =?UTF-8?q?=20=E2=9B=B5?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- docs/DEVELOPMENT_MAINTENANCE.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/docs/DEVELOPMENT_MAINTENANCE.md b/docs/DEVELOPMENT_MAINTENANCE.md index a47abf7..0da9e17 100644 --- a/docs/DEVELOPMENT_MAINTENANCE.md +++ b/docs/DEVELOPMENT_MAINTENANCE.md @@ -125,7 +125,9 @@ mtls: mode: STRICT ``` -- Move the `service:` section out from the top level `_internal_defaults_do_not_set:` to be it's own top-level section. +- Move the `service:` section out from the top level `_internal_defaults_do_not_set:` to be it's own top-level section. See below for an explanation: + - https://github.com/istio/istio/commit/be032022974479aa27a9a669b9f535ddf4743937 + - https://github.com/istio/istio/issues/51458 ## chart/templates/_helpers.tpl Replaced: -- GitLab From c14c59aa01aa8640ec5e8cbc305543b530676464 Mon Sep 17 00:00:00 2001 From: Greg <miernicki_gregory@bah.com> Date: Thu, 27 Mar 2025 20:33:29 -0500 Subject: [PATCH 17/26] =?UTF-8?q?=20=E2=9B=B5?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- file | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 file diff --git a/file b/file new file mode 100644 index 0000000..e69de29 -- GitLab From 916937e38673f7cd8deca4d4c8a2227a727102c8 Mon Sep 17 00:00:00 2001 
From: Greg <miernicki_gregory@bah.com> Date: Thu, 27 Mar 2025 20:33:36 -0500 Subject: [PATCH 18/26] =?UTF-8?q?=20=E2=9B=B5?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- file | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 file diff --git a/file b/file deleted file mode 100644 index e69de29..0000000 -- GitLab From e19264d05681e7e2f277a20b3c660721a93cca14 Mon Sep 17 00:00:00 2001 From: Greg <miernicki_gregory@bah.com> Date: Wed, 2 Apr 2025 09:15:33 -0500 Subject: [PATCH 19/26] =?UTF-8?q?=20=E2=9B=B5?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- CHANGELOG.md | 2 +- README.md | 4 ++-- chart/values.yaml | 4 ++-- docs/DEVELOPMENT_MAINTENANCE.md | 10 +++++----- 4 files changed, 10 insertions(+), 10 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 598521b..d08d2f3 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,7 +4,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), --- -## [1.25.1-bb.0] - 2025-03-27 +## [1.25.1-bb.0] - 2025-04-02 ### Added diff --git a/README.md b/README.md index 995f6ef..d127c60 100644 --- a/README.md +++ b/README.md @@ -78,7 +78,7 @@ helm install gateway chart/ | _internal_defaults_do_not_set.affinity | object | `{}` | | | _internal_defaults_do_not_set.networkGateway | string | `""` | | | _internal_defaults_do_not_set.image.repo | string | `"registry1.dso.mil/ironbank/opensource/istio/proxyv2"` | | -| _internal_defaults_do_not_set.image.tag | string | `"1.25.0"` | | +| _internal_defaults_do_not_set.image.tag | string | `"1.25.1"` | | | _internal_defaults_do_not_set.imagePullPolicy | string | `""` | | | _internal_defaults_do_not_set.imagePullSecrets[0].name | string | `"private-registry"` | | | _internal_defaults_do_not_set.podDisruptionBudget | object | `{}` | | 
@@ -88,7 +88,7 @@ helm install gateway chart/ | _internal_defaults_do_not_set.priorityClassName | string | `""` | | | _internal_defaults_do_not_set.enterprise | bool | `false` | | | _internal_defaults_do_not_set.tidHub | string | `"registry1.dso.mil/ironbank/tetrate/istio"` | | -| _internal_defaults_do_not_set.tidTag | string | `"1.25.0-tetratefips0"` | | +| _internal_defaults_do_not_set.tidTag | string | `"1.25.1-tetratefips0"` | | | mtls.mode | string | `"STRICT"` | STRICT = Allow only mutual TLS traffic, PERMISSIVE = Allow both plain text and mutual TLS traffic | | networkPolicies.enabled | bool | `true` | | | networkPolicies.additionalPolicies | list | `[]` | | diff --git a/chart/values.yaml b/chart/values.yaml index c5cbae5..ba7d2ea 100644 --- a/chart/values.yaml +++ b/chart/values.yaml @@ -91,7 +91,7 @@ _internal_defaults_do_not_set: # Setting ironbank image image: repo: registry1.dso.mil/ironbank/opensource/istio/proxyv2 - tag: 1.25.0 + tag: 1.25.1 # Specify image pull policy if default behavior isn't desired. # Default behavior: latest images will be Always else IfNotPresent @@ -150,7 +150,7 @@ _internal_defaults_do_not_set: # If enterprise is set to true FIPs Tetrate Image Distro images are used enterprise: false tidHub: registry1.dso.mil/ironbank/tetrate/istio - tidTag: 1.25.0-tetratefips0 + tidTag: 1.25.1-tetratefips0 mtls: # -- STRICT = Allow only mutual TLS traffic, diff --git a/docs/DEVELOPMENT_MAINTENANCE.md b/docs/DEVELOPMENT_MAINTENANCE.md index 0da9e17..fe04a23 100644 --- a/docs/DEVELOPMENT_MAINTENANCE.md +++ b/docs/DEVELOPMENT_MAINTENANCE.md 
@@ -4,14 +4,14 @@ 1. Update via `kpt`: ```bash # update to VERSION of the upstream chart auto-merging in changes - kpt pkg update chart@1.25.0 --strategy alpha-git-patch + kpt pkg update chart@1.25.10 --strategy alpha-git-patch ``` Or if you'd like to pull down upstream to a fresh `DIR` and manually merge in the changes yourself: ```bash # get a fresh VERSION of the upstream chart to DIR - kpt pkg get "https://github.com/istio/istio.git/manifests/charts/gateway@1.25.0" ./fresh + kpt pkg get "https://github.com/istio/istio.git/manifests/charts/gateway@1.25.1" ./fresh ``` -1. Update version references for the Chart. `version` should be `<version>-bb.0` (ex: `1.25.0-bb.0`) and `appVersion` should be `<version>` (ex: `1.25.0`). Also validate that the BB annotation for the main Istio version is updated (leave the Tetrate version as-is unless you are updating those images). +1. Update version references for the Chart. `version` should be `<version>-bb.0` (ex: `1.25.1-bb.0`) and `appVersion` should be `<version>` (ex: `1.25.1`). Also validate that the BB annotation for the main Istio version is updated (leave the Tetrate version as-is unless you are updating those images). 1. Add a changelog entry for the update. At minimum mention updating the image versions. 1. Update the readme following the [steps in Gluon](https://repo1.dso.mil/platform-one/big-bang/apps/library-charts/gluon/-/blob/master/docs/bb-package-readme.md). 1. Open MR (or check the one that Renovate created for you) and validate that the pipeline is successful. Also follow the testing steps below for some manual confirmations. @@ -66,7 +66,7 @@ This is a high-level list of modifications that Big Bang has made to the upstrea # Setting ironbank image image: repo: registry1.dso.mil/ironbank/opensource/istio/proxyv2 - tag: 1.25.0 + tag: 1.25.1 ``` - Changed `imagePullSecrets` to `private-registry` ``` 
@@ -79,7 +79,7 @@ This is a high-level list of modifications that Big Bang has made to the upstrea # If enterprise is set to true FIPs Tetrate Image Distro images are used enterprise: false tidHub: registry1.dso.mil/ironbank/tetrate/istio - tidTag: 1.25.0-tetratefips0 + tidTag: 1.25.1-tetratefips0 ``` - Changed `status-port` to `tcp-status-port` under `service.ports` section to appease Kiali warning. -- GitLab From a5321691969f79396af75567ff2cfbff7cf527f8 Mon Sep 17 00:00:00 2001 From: Greg <miernicki_gregory@bah.com> Date: Wed, 2 Apr 2025 09:20:00 -0500 Subject: [PATCH 20/26] =?UTF-8?q?=20=E2=9B=B5?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- CHANGELOG.md | 6 ------ 1 file changed, 6 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index d08d2f3..66c2e56 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -10,12 +10,6 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), - Updated to match upstream v1.25.1 of istio-gateway -## [1.25.0-bb.0] - 2025-03-26 - -### Added - -- Updated to match upstream v1.25.0 of istio-gateway - ## [1.23.3-bb.3] - 2024-02-13 ### Added -- GitLab From d64843398d481bb5567116603e30841b66aebd92 Mon Sep 17 00:00:00 2001 From: Greg <miernicki_gregory@bah.com> Date: Wed, 2 Apr 2025 17:05:57 -0500 Subject: [PATCH 21/26] =?UTF-8?q?=20=E2=9B=B5?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- docs/DEVELOPMENT_MAINTENANCE.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/DEVELOPMENT_MAINTENANCE.md b/docs/DEVELOPMENT_MAINTENANCE.md index fe04a23..a062d64 100644 --- a/docs/DEVELOPMENT_MAINTENANCE.md +++ b/docs/DEVELOPMENT_MAINTENANCE.md 
@@ -4,7 +4,7 @@ 1. Update via `kpt`: ```bash # update to VERSION of the upstream chart auto-merging in changes - kpt pkg update chart@1.25.10 --strategy alpha-git-patch + kpt pkg update chart@1.25.1 --strategy alpha-git-patch ``` Or if you'd like to pull down upstream to a fresh `DIR` and manually merge in the changes yourself: ```bash -- GitLab From aa4289908a633505dd85ee4c69662f73ef4ffd06 Mon Sep 17 00:00:00 2001 From: Greg <miernicki_gregory@bah.com> Date: Thu, 3 Apr 2025 19:31:03 -0500 Subject: [PATCH 22/26] =?UTF-8?q?=20=E2=9B=B5?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- chart/values.yaml | 8 ++++---- docs/DEVELOPMENT_MAINTENANCE.md | 10 +++++----- 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/chart/values.yaml b/chart/values.yaml index ba7d2ea..939a13b 100644 --- a/chart/values.yaml +++ b/chart/values.yaml @@ -147,10 +147,10 @@ _internal_defaults_do_not_set: # for more detail. priorityClassName: "" - # If enterprise is set to true FIPs Tetrate Image Distro images are used - enterprise: false - tidHub: registry1.dso.mil/ironbank/tetrate/istio - tidTag: 1.25.1-tetratefips0 +# If enterprise is set to true FIPs Tetrate Image Distro images are used +enterprise: false +tidHub: registry1.dso.mil/ironbank/tetrate/istio +tidTag: 1.25.1-tetratefips0 mtls: # -- STRICT = Allow only mutual TLS traffic, diff --git a/docs/DEVELOPMENT_MAINTENANCE.md b/docs/DEVELOPMENT_MAINTENANCE.md index a062d64..7d69808 100644 --- a/docs/DEVELOPMENT_MAINTENANCE.md +++ b/docs/DEVELOPMENT_MAINTENANCE.md 
@@ -74,12 +74,12 @@ This is a high-level list of modifications that Big Bang has made to the upstrea - name: private-registry ``` -- Added `defaults.enterprise` boolean, tidHub and tidTag for Tetrate FIPs image integraton around line 176. +- Added `enterprise` boolean, tidHub and tidTag for Tetrate FIPs image integration ``` - # If enterprise is set to true FIPs Tetrate Image Distro images are used - enterprise: false - tidHub: registry1.dso.mil/ironbank/tetrate/istio - tidTag: 1.25.1-tetratefips0 +# If enterprise is set to true FIPs Tetrate Image Distro images are used +enterprise: false +tidHub: registry1.dso.mil/ironbank/tetrate/istio +tidTag: 1.25.1-tetratefips0 ``` - Changed `status-port` to `tcp-status-port` under `service.ports` section to appease Kiali warning.
-- GitLab
From f6f54c6e356ce600b416c5e9ac321b645fd87b34 Mon Sep 17 00:00:00 2001
From: Greg <miernicki_gregory@bah.com>
Date: Thu, 3 Apr 2025 19:43:03 -0500
Subject: [PATCH 23/26] =?UTF-8?q?=20=E2=9B=B5?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
README.md | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/README.md b/README.md
index d127c60..7c1222a 100644
--- a/README.md
+++ b/README.md
@@ -86,9 +86,9 @@ helm install gateway chart/ | _internal_defaults_do_not_set.volumes | list | `[]` | | | _internal_defaults_do_not_set.volumeMounts | list | `[]` | | | _internal_defaults_do_not_set.priorityClassName | string | `""` | | -| _internal_defaults_do_not_set.enterprise | bool | `false` | | -| _internal_defaults_do_not_set.tidHub | string | `"registry1.dso.mil/ironbank/tetrate/istio"` | | -| _internal_defaults_do_not_set.tidTag | string | `"1.25.1-tetratefips0"` | | +| enterprise | bool | `false` | | +| tidHub | string | `"registry1.dso.mil/ironbank/tetrate/istio"` | | +| tidTag | string | `"1.25.1-tetratefips0"` | | | mtls.mode | string | `"STRICT"` | STRICT = Allow only mutual TLS traffic, PERMISSIVE = Allow both plain text and mutual TLS traffic | | networkPolicies.enabled | bool | `true` | | | networkPolicies.additionalPolicies | list | `[]` | |
-- GitLab
From 16e6d275b96427f3ce06407e18f2a012845563b7 Mon Sep 17 00:00:00 2001
From: Greg <miernicki_gregory@bah.com>
Date: Thu, 3 Apr 2025 20:04:21 -0500
Subject: [PATCH 24/26] =?UTF-8?q?=20=E2=9B=B5?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
chart/values.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/chart/values.yaml b/chart/values.yaml
index 939a13b..e3933c6 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -150,7 +150,7 @@ _internal_defaults_do_not_set: # If enterprise is set to true FIPs Tetrate Image Distro images are used enterprise: false tidHub: registry1.dso.mil/ironbank/tetrate/istio -tidTag: 1.25.1-tetratefips0 +tidTag: 1.25.1-tetratefipslatest1 mtls: # -- STRICT = Allow only mutual TLS traffic,
-- GitLab
From 84823482862fd931f73ec379f30b2029d2717d4e Mon Sep 17 00:00:00 2001
From: Greg <miernicki_gregory@bah.com>
Date: Fri, 4 Apr 2025 09:16:01 -0500
Subject: [PATCH 25/26] =?UTF-8?q?=20=E2=9B=B5?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
.../profile-compatibility-version-1.20.yaml | 26 ---------------
.../profile-compatibility-version-1.21.yaml | 23 -------------
chart/files/profile-openshift-ambient.yaml | 33 -------------------
chart/files/profile-openshift.yaml | 20 -----------
chart/templates/_helpers.tpl | 2 +-
5 files changed, 1 insertion(+), 103 deletions(-)
delete mode 100644 chart/files/profile-compatibility-version-1.20.yaml
delete mode 100644 chart/files/profile-compatibility-version-1.21.yaml
delete mode 100644 chart/files/profile-openshift-ambient.yaml
delete mode 100644 chart/files/profile-openshift.yaml
diff --git a/chart/files/profile-compatibility-version-1.20.yaml b/chart/files/profile-compatibility-version-1.20.yaml
deleted file mode 100644
index 72fdd5b..0000000
--- a/chart/files/profile-compatibility-version-1.20.yaml
+++ /dev/null
@@ -1,26 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.21 behavioral changes - ENABLE_EXTERNAL_NAME_ALIAS: "false" - PERSIST_OLDEST_FIRST_HEURISTIC_FOR_VIRTUAL_SERVICE_HOST_MATCHING: "true" - VERIFY_CERTIFICATE_AT_CLIENT: "false" - ENABLE_AUTO_SNI: "false" - - # 1.22 behavioral changes - ENABLE_ENHANCED_RESOURCE_SCOPING: "false" - ENABLE_RESOLUTION_NONE_TARGET_PORT: "false" - -meshConfig: - defaultConfig: - proxyMetadata: - # 1.22 behavioral changes - ISTIO_DELTA_XDS: "false" - # 1.23 behavioral changes - ENABLE_DELIMITED_STATS_TAG_REGEX: "false" - tracing: - zipkin: - address: zipkin.istio-system:9411
diff --git a/chart/files/profile-compatibility-version-1.21.yaml b/chart/files/profile-compatibility-version-1.21.yaml
deleted file mode 100644
index d11c242..0000000
--- a/chart/files/profile-compatibility-version-1.21.yaml
+++ /dev/null
@@ -1,23 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.22 behavioral changes - ENABLE_ENHANCED_RESOURCE_SCOPING: "false" - ENABLE_RESOLUTION_NONE_TARGET_PORT: "false" - - # 1.23 behavioral changes - ENABLE_DELIMITED_STATS_TAG_REGEX: "false" - -meshConfig: - # 1.22 behavioral changes - defaultConfig: - proxyMetadata: - ISTIO_DELTA_XDS: "false" - # 1.23 behavioral changes - ENABLE_DELIMITED_STATS_TAG_REGEX: "false" - tracing: - zipkin: - address: zipkin.istio-system:9411
diff --git a/chart/files/profile-openshift-ambient.yaml b/chart/files/profile-openshift-ambient.yaml
deleted file mode 100644
index df4532d..0000000
--- a/chart/files/profile-openshift-ambient.yaml
+++ /dev/null
@@ -1,33 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -meshConfig: - defaultConfig: - proxyMetadata: - ISTIO_META_ENABLE_HBONE: "true" -global: - platform: openshift -cni: - ambient: - enabled: true - cniBinDir: /var/lib/cni/bin - cniConfDir: /etc/cni/multus/net.d - chained: false - cniConfFileName: "istio-cni.conf" - logLevel: info - provider: "multus" -pilot: - cni: - enabled: true - provider: "multus" - variant: distroless - env: - PILOT_ENABLE_AMBIENT: "true" - # Allow sidecars/ingress to send/receive HBONE. This is required for interop. - PILOT_ENABLE_SENDING_HBONE: "true" - PILOT_ENABLE_SIDECAR_LISTENING_HBONE: "true" -platform: openshift -variant: distroless -seLinuxOptions: - type: spc_t
diff --git a/chart/files/profile-openshift.yaml b/chart/files/profile-openshift.yaml
deleted file mode 100644
index 18f61b8..0000000
--- a/chart/files/profile-openshift.yaml
+++ /dev/null
@@ -1,20 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The OpenShift profile provides a basic set of settings to run Istio on OpenShift -# CNI must be installed. -cni: - cniBinDir: /var/lib/cni/bin - cniConfDir: /etc/cni/multus/net.d - chained: false - cniConfFileName: "istio-cni.conf" - logLevel: info - provider: "multus" -global: - platform: openshift -pilot: - cni: - enabled: true - provider: "multus" -platform: openshift
diff --git a/chart/templates/_helpers.tpl b/chart/templates/_helpers.tpl
index 56a6f17..17aeec3 100644
--- a/chart/templates/_helpers.tpl
+++ b/chart/templates/_helpers.tpl
@@ -41,4 +41,4 @@ Bigbang defined to remain consistent with previously existing authorization poli {{- else }} {{- .Values.serviceAccount.name | default "default" }} {{- end }} -{{- end }} \ No newline at end of file +{{- end }}
-- GitLab
From 66189358fc57c71e2ec0174a38a674cb3bf1684e Mon Sep 17 00:00:00 2001
From: Greg <miernicki_gregory@bah.com>
Date: Fri, 4 Apr 2025 12:54:01 -0500
Subject: [PATCH 26/26] =?UTF-8?q?=20=E2=9B=B5?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
chart/templates/deployment.yaml | 4 ----
chart/values.yaml | 5 -----
2 files changed, 9 deletions(-)
diff --git a/chart/templates/deployment.yaml b/chart/templates/deployment.yaml
index bee05f3..db51701 100644
--- a/chart/templates/deployment.yaml
+++ b/chart/templates/deployment.yaml
@@ -62,12 +62,8 @@ spec: {{- end }} containers: - name: istio-proxy - {{- if .Values.enterprise }} - image: "{{ .Values.tidHub }}/{{ "proxyv2" }}:{{ .Values.tidTag }}" - {{- else }} # "auto" will be populated at runtime by the mutating webhook. See https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#customizing-injection image: "{{ .Values.image.repo }}:{{ .Values.image.tag }}" - {{- end }} {{- with .Values.imagePullPolicy }} imagePullPolicy: {{ . }} {{- end }}
diff --git a/chart/values.yaml b/chart/values.yaml
index e3933c6..90d5bc6 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -147,11 +147,6 @@ _internal_defaults_do_not_set: # for more detail. priorityClassName: "" -# If enterprise is set to true FIPs Tetrate Image Distro images are used -enterprise: false -tidHub: registry1.dso.mil/ironbank/tetrate/istio -tidTag: 1.25.1-tetratefipslatest1 - mtls: # -- STRICT = Allow only mutual TLS traffic, # PERMISSIVE = Allow both plain text and mutual TLS traffic
-- GitLab
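Review bot: Deleting `enterprise`, `tidHub` and `tidTag` from values.yaml leaves the README.md table rows and the DEVELOPMENT_MAINTENANCE.md bullet that describe them (added in PATCH 23 and PATCH 22 of this series) in place, since this patch's diffstat covers only deployment.yaml and values.yaml. Re-run helm-docs so the three rows drop out of README.md, remove the bullet and its fenced snippet from the maintenance doc, and check whether chart/values.schema.json still declares these properties. The deployment.yaml hunk removes the only template reference to these values that is visible here; other templates are outside this view.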