Update Ironbank to v1.21.2

253423b0 · bigbang bot · Greg M · fef84d38 · 253423b0 · 253423b0
Commit 253423b0 authored 10 months ago by bigbang bot Committed by Greg M 10 months ago
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,13 @@

 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 ---
+## [1.21.2-bb.0] - 2024-05-16
+### Changed
+- Updated repo1 image to `1.21.2`
+- Updated TID image to `1.21.2`
+- Added default value for `operatorNamespace` so helm lint passes
+- Documented existing modifications to upstream chart in `docs/DEVELOPMENT_MAINTENANCE.md`
+
 ## [1.21.1-bb.0] - 2024-05-03
 ### Changed
 - Updated repo1 image to `1.21.1`

--- a/README.md
+++ b/README.md
 # istio-operator

-![Version: 1.21.1-bb.0](https://img.shields.io/badge/Version-1.21.1--bb.0-informational?style=flat-square) ![AppVersion: 1.21.1](https://img.shields.io/badge/AppVersion-1.21.1-informational?style=flat-square)
+![Version: 1.21.2-bb.0](https://img.shields.io/badge/Version-1.21.2--bb.0-informational?style=flat-square) ![AppVersion: 1.21.2](https://img.shields.io/badge/AppVersion-1.21.2-informational?style=flat-square)

 Helm chart for deploying Istio operator

@@ -34,32 +34,33 @@ helm install istio-operator chart/

 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
-| hub | string | `"registry1.dso.mil/ironbank/opensource/istio"` |  |
-| image | string | `"operator"` |  |
-| tag | string | `"1.21.2"` |  |
+| defaults.hub | string | `"registry1.dso.mil/ironbank/opensource/istio"` |  |
+| defaults.image | string | `"operator"` |  |
+| defaults.tag | string | `"1.21.2"` |  |
+| defaults.imagePullSecrets | list | `[]` |  |
+| defaults.imagePullPolicy | string | `""` |  |
+| defaults.watchedNamespaces | string | `"istio-system"` |  |
+| defaults.waitForResourcesTimeout | string | `"300s"` |  |
+| defaults.enableCRDTemplates | bool | `false` |  |
+| defaults.revision | string | `""` |  |
+| defaults.deploymentHistory | int | `10` |  |
+| defaults.operator.monitoring.host | string | `"0.0.0.0"` |  |
+| defaults.operator.monitoring.port | int | `8383` |  |
+| defaults.operator.resources.limits.cpu | string | `"200m"` |  |
+| defaults.operator.resources.limits.memory | string | `"256Mi"` |  |
+| defaults.operator.resources.requests.cpu | string | `"200m"` |  |
+| defaults.operator.resources.requests.memory | string | `"256Mi"` |  |
+| defaults.operator.seccompProfile | object | `{}` |  |
+| defaults.nodeSelector | object | `{}` |  |
+| defaults.tolerations | list | `[]` |  |
+| defaults.affinity | object | `{}` |  |
+| defaults.podLabels | object | `{}` |  |
+| defaults.podAnnotations | object | `{}` |  |
+| createNamespace | bool | `true` |  |
+| operatorNamespace | string | `"istio-operator"` |  |
 | enterprise | bool | `false` | Tetrate Istio Distribution - Tetrate provides FIPs verified Istio and Envoy software and support, validated through the FIPs Boring Crypto module. Find out more from Tetrate - https://www.tetrate.io/tetrate-istio-subscription |
 | tidHub | string | `"registry1.dso.mil/ironbank/tetrate/istio"` |  |
-| tidTag | string | `"1.21.1-tetratefips-v0"` |  |
-| imagePullSecrets | list | `[]` |  |
-| imagePullPolicy | string | `""` |  |
-| watchedNamespaces | string | `"istio-system"` |  |
-| waitForResourcesTimeout | string | `"300s"` |  |
-| enableCRDTemplates | bool | `false` |  |
-| revision | string | `""` |  |
-| deploymentHistory | int | `10` |  |
-| operator.monitoring.host | string | `"0.0.0.0"` |  |
-| operator.monitoring.port | int | `8383` |  |
-| operator.resources.limits.cpu | string | `"200m"` |  |
-| operator.resources.limits.memory | string | `"256Mi"` |  |
-| operator.resources.requests.cpu | string | `"200m"` |  |
-| operator.resources.requests.memory | string | `"256Mi"` |  |
-| operator.seccompProfile | object | `{}` |  |
-| nodeSelector | object | `{}` |  |
-| tolerations | list | `[]` |  |
-| affinity | object | `{}` |  |
-| podLabels | object | `{}` |  |
-| podAnnotations | object | `{}` |  |
-| createNamespace | bool | `true` |  |
+| tidTag | string | `"1.21.2-tetratefips-v0"` |  |
 | monitoring.enabled | bool | `false` |  |
 | networkPolicies.enabled | bool | `false` |  |
 | networkPolicies.controlPlaneCidr | string | `"0.0.0.0/0"` |  |

--- a/chart/Chart.yaml
+++ b/chart/Chart.yaml
@@ -2,8 +2,8 @@ apiVersion: v1
 name: istio-operator
 # This version is never actually shipped. istio/release-builder will replace it at build-time
 # with the appropriate version
-version: 1.21.1-bb.0
-appVersion: 1.21.1
+version: 1.21.2-bb.0
+appVersion: 1.21.2
 tillerVersion: ">=2.7.2"
 description: Helm chart for deploying Istio operator
 keywords:
@@ -16,10 +16,10 @@ icon: https://istio.io/latest/favicons/android-192x192.png
 annotations:
  bigbang.dev/applicationVersions: |
    - Istio Operator: 1.21.2
-    - Tetrate Istio Distro Operator: 1.21.1
+    - Tetrate Istio Distro Operator: 1.21.2
  helm.sh/images: |
    - name: operator
      image: registry1.dso.mil/ironbank/opensource/istio/operator:1.21.2
    - name: tetrate-operator
      condition: enterprise
-      image: registry1.dso.mil/ironbank/tetrate/istio/operator:1.21.1-tetratefips-v0
+      image: registry1.dso.mil/ironbank/tetrate/istio/operator:1.21.2-tetratefips-v0
--- a/chart/Kptfile
+++ b/chart/Kptfile
@@ -5,7 +5,7 @@ metadata:
 upstream:
  type: git
  git:
-    commit: ff333a3512ba8321f40d90b6fc041db04fcb280b
+    commit: ed90e14d3473bc3fe54f98298eb16664002d14d1
    repo: https://github.com/istio/istio
    directory: /manifests/charts/istio-operator
-    ref: 1.20.4
+    ref: 1.21.2
--- a/chart/crds/customresourcedefinitions.gen.yaml
+++ b/chart/crds/customresourcedefinitions.gen.yaml
--- a/chart/files/profile-ambient.yaml
+++ b/chart/files/profile-ambient.yaml
+# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      ISTIO_META_ENABLE_HBONE: "true"
+variant: distroless
+pilot:
+  variant: distroless
+  env:
+    # Setup more secure default that is off in 'default' only for backwards compatibility
+    VERIFY_CERTIFICATE_AT_CLIENT: "true"
+    ENABLE_AUTO_SNI: "true"
+
+    PILOT_ENABLE_HBONE: "true"
+    CA_TRUSTED_NODE_ACCOUNTS: "istio-system/ztunnel,kube-system/ztunnel"
+    PILOT_ENABLE_AMBIENT_CONTROLLERS: "true"
+cni:
+  logLevel: info
+  privileged: true
+  ambient:
+    enabled: true
+
+  # Default excludes istio-system; its actually fine to redirect there since we opt-out istiod, ztunnel, and istio-cni
+  excludeNamespaces:
+    - kube-system
--- a/chart/files/profile-compatibility-version-1.20.yaml
+++ b/chart/files/profile-compatibility-version-1.20.yaml
+pilot:
+  env:
+    ENABLE_EXTERNAL_NAME_ALIAS: "false"
+    PERSIST_OLDEST_FIRST_HEURISTIC_FOR_VIRTUAL_SERVICE_HOST_MATCHING: "true"
+    VERIFY_CERTIFICATE_AT_CLIENT: "false"
+    ENABLE_AUTO_SNI: "false"
--- a/chart/files/profile-demo.yaml
+++ b/chart/files/profile-demo.yaml
+# The demo profile enables a variety of things to try out Istio in non-production environments.
+# * Lower resource utilization.
+# * Some additional features are enabled by default; especially ones used in some tasks in istio.io.
+# * More ports enabled on the ingress, which is used in some tasks.
+meshConfig:
+  accessLogFile: /dev/stdout
+  extensionProviders:
+    - name: otel
+      envoyOtelAls:
+        service: opentelemetry-collector.istio-system.svc.cluster.local
+        port: 4317
+    - name: skywalking
+      skywalking:
+        service: tracing.istio-system.svc.cluster.local
+        port: 11800
+    - name: otel-tracing
+      opentelemetry:
+        port: 4317
+        service: opentelemetry-collector.otel-collector.svc.cluster.local
+
+global:
+  proxy:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+
+pilot:
+  autoscaleEnabled: false
+  traceSampling: 100
+  resources:
+    requests:
+      cpu: 10m
+      memory: 100Mi
+
+gateways:
+  istio-egressgateway:
+    autoscaleEnabled: false
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+  istio-ingressgateway:
+    autoscaleEnabled: false
+    ports:
+    ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces.
+    # Note that AWS ELB will by default perform health checks on the first port
+    # on this list. Setting this to the health check port will ensure that health
+    # checks always work. https://github.com/istio/istio/issues/12503
+    - port: 15021
+      targetPort: 15021
+      name: status-port
+    - port: 80
+      targetPort: 8080
+      name: http2
+    - port: 443
+      targetPort: 8443
+      name: https
+    - port: 31400
+      targetPort: 31400
+      name: tcp
+      # This is the port where sni routing happens
+    - port: 15443
+      targetPort: 15443
+      name: tls
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
\ No newline at end of file
--- a/chart/files/profile-openshift.yaml
+++ b/chart/files/profile-openshift.yaml
+# The OpenShift profile provides a basic set of settings to run Istio on OpenShift
+# CNI must be installed.
+cni:
+  cniBinDir: /var/lib/cni/bin
+  cniConfDir: /etc/cni/multus/net.d
+  chained: false
+  cniConfFileName: "istio-cni.conf"
+  excludeNamespaces:
+    - istio-system
+    - kube-system
+  logLevel: info
+  privileged: true
+  provider: "multus"
+global:
+  platform: openshift
+istio_cni:
+  enabled: true
+  chained: false
\ No newline at end of file
--- a/chart/files/profile-preview.yaml
+++ b/chart/files/profile-preview.yaml
+# The preview profile contains features that are experimental.
+# This is intended to explore new features coming to Istio.
+# Stability, security, and performance are not guaranteed - use at your own risk.
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      # Enable Istio agent to handle DNS requests for known hosts
+      # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf
+      ISTIO_META_DNS_CAPTURE: "true"
--- a/chart/templates/bigbang/networkpolicies/default-deny.yaml
+++ b/chart/templates/bigbang/networkpolicies/default-deny.yaml
@@ -2,7 +2,7 @@
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
-  name: default-deny-istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  name: default-deny-istio-operator{{- if not (eq .Values.defaults.revision "") }}-{{ .Values.defaults.revision }}{{- end }}
  namespace: {{.Values.operatorNamespace}}
 spec:
  podSelector: {}

--- a/chart/templates/bigbang/networkpolicies/egress-kube-api.yaml
+++ b/chart/templates/bigbang/networkpolicies/egress-kube-api.yaml
@@ -2,7 +2,7 @@
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
-  name: allow-egress-api-istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  name: allow-egress-api-istio-operator{{- if not (eq .Values.defaults.revision "") }}-{{ .Values.defaults.revision }}{{- end }}
  namespace: {{.Values.operatorNamespace}}
 spec:
  podSelector: {}

--- a/chart/templates/zzz_profile.yaml
+++ b/chart/templates/zzz_profile.yaml
+{{/*
+Complex logic ahead...
+We have three sets of values, in order of precedence (last wins):
+1. The builtin values.yaml defaults
+2. The profile the user selects
+3. Users input (-f or --set)
+
+Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2).
+
+However, we can workaround this by placing all of (1) under a specific key (.Values.defaults).
+We can then merge the profile onto the defaults, then the user settings onto that.
+Finally, we can set all of that under .Values so the chart behaves without awareness.
+*/}}
+{{- $defaults := $.Values.defaults }}
+{{- $_ := unset $.Values "defaults" }}
+{{- $profile := dict }}
+{{- with .Values.profile }}
+{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}}
+{{- $profile = (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown profile" $.Values.profile) }}
+{{- end }}
+{{- end }}
+{{- with .Values.compatibilityVersion }}
+{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }}
+{{- end }}
+{{- end }}
+{{- if $profile }}
+{{- $a := mustMergeOverwrite $defaults $profile }}
+{{- end }}
+{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }}
--- a/chart/values.yaml
+++ b/chart/values.yaml
-hub: registry1.dso.mil/ironbank/opensource/istio
-## Added by Big Bang
-image: operator
-tag: 1.21.2
+defaults:
+  hub: registry1.dso.mil/ironbank/opensource/istio
+  ## Added by Big Bang
+  image: operator
+  tag: 1.21.2

-# -- Tetrate Istio Distribution - Tetrate provides FIPs verified Istio and Envoy software and support,
-# validated through the FIPs Boring Crypto module.
-# Find out more from Tetrate - https://www.tetrate.io/tetrate-istio-subscription
-enterprise: false
-tidHub: registry1.dso.mil/ironbank/tetrate/istio
-tidTag: 1.21.1-tetratefips-v0
-
-# ImagePullSecrets for operator ServiceAccount, list of secrets in the same namespace
-# used to pull operator image. Must be set for any cluster configured with private docker registry.
-imagePullSecrets: []
+  # ImagePullSecrets for operator ServiceAccount, list of secrets in the same namespace
+  # used to pull operator image. Must be set for any cluster configured with private docker registry.
+  imagePullSecrets: []

-# Specify image pull policy if default behavior isn't desired.
-# Default behavior: latest images will be Always else IfNotPresent.
-imagePullPolicy: ""
+  # Specify image pull policy if default behavior isn't desired.
+  # Default behavior: latest images will be Always else IfNotPresent.
+  imagePullPolicy: ""

-# Used to replace istioNamespace to support operator watch multiple namespaces.
-watchedNamespaces: istio-system
-waitForResourcesTimeout: 300s
+  # Used to replace istioNamespace to support operator watch multiple namespaces.
+  watchedNamespaces: istio-system
+  waitForResourcesTimeout: 300s

-# Used for helm2 to add the CRDs to templates.
-enableCRDTemplates: false
+  # Used for helm2 to add the CRDs to templates.
+  enableCRDTemplates: false

-# revision for the operator resources
-revision: ""
+  # revision for the operator resources
+  revision: ""

-# The number of old ReplicaSets to retain in operator deployment
-deploymentHistory: 10
+  # The number of old ReplicaSets to retain in operator deployment
+  deploymentHistory: 10

-# Operator resource defaults
-operator:
-  monitoring:
-    host: 0.0.0.0
-    port: 8383
-  resources:
-    limits:
-      cpu: 200m
-      memory: 256Mi
-    requests:
-      cpu: 200m
-      memory: 256Mi
-  # Set to `type: RuntimeDefault` to use the default profile if available.
-  seccompProfile: {}
+  # Operator resource defaults
+  operator:
+    monitoring:
+      host: 0.0.0.0
+      port: 8383
+    resources:
+      limits:
+        cpu: 200m
+        memory: 256Mi
+      requests:
+        cpu: 200m
+        memory: 256Mi
+    # Set to `type: RuntimeDefault` to use the default profile if available.
+    seccompProfile: {}

-# Node labels for pod assignment
-nodeSelector: {}
+  # Node labels for pod assignment
+  nodeSelector: {}

-# Tolerations for pod assignment
-tolerations: []
+  # Tolerations for pod assignment
+  tolerations: []

-# Affinity for pod assignment
-affinity: {}
+  # Affinity for pod assignment
+  affinity: {}

-# Additional labels and annotations to apply on the pod level for monitoring and logging configuration.
-podLabels: {}
-podAnnotations: {}
+  # Additional labels and annotations to apply on the pod level for monitoring and logging configuration.
+  podLabels: {}
+  podAnnotations: {}

 ## Big Bang Additions below this line ##
 createNamespace: true
+operatorNamespace: istio-operator  # needed for helm lint to pass with createNamespace=true
+
+# -- Tetrate Istio Distribution - Tetrate provides FIPs verified Istio and Envoy software and support,
+# validated through the FIPs Boring Crypto module.
+# Find out more from Tetrate - https://www.tetrate.io/tetrate-istio-subscription
+enterprise: false
+tidHub: registry1.dso.mil/ironbank/tetrate/istio
+tidTag: 1.21.2-tetratefips-v0

 # Future: Toggles deployment of serviceMonitor + networkPolicy
 # Only toggles networkPolicy right now

--- a/docs/DEVELOPMENT_MAINTENANCE.md
+++ b/docs/DEVELOPMENT_MAINTENANCE.md
@@ -15,3 +15,14 @@ Generally the operator should be tested alongside the new controlplane version.
 Renovate may remove the two keys listed here. Make sure that they are present and that their values are set to 1337:
 - spec.template.spec.containers.securityContext.runAsGroup
 - spec.template.spec.containers.securityContext.runAsUser
+
+Added `.Values.enterprise` boolean gate to determine use of tetrate images. Make sure this is not removed and is updated if needed to reflect values changes.
+- spec.template.spec.containers[0].image
+
+## /chart/values.yaml
+Changes to default values:
+- defaults.operator.monitoring.host should be `0.0.0.0`
+- defaults.operator.monitoring.port should be `8383`
+- defaults.hub should be ironbank image path
+
+Added `## Big Bang Additions below this line ##` section at bottom of file
\ No newline at end of file
--- a/tests/images.txt
+++ b/tests/images.txt
-registry1.dso.mil/ironbank/tetrate/istio/operator:1.21.1-tetratefips-v0
+registry1.dso.mil/ironbank/tetrate/istio/operator:1.21.2-tetratefips-v0