Bump Istio to 1.24 (#1149)

* Dummy update * Bump Istio to 1.24.1 * Update docs * Update 1.12.0.md * Update 1.12.0.md * Adapt test * Fix experimental * Fix experimental * Configure sample percentage * Add step to actually make a call before checking traces * Update docs/user/README.md Co-authored-by: Tim Riffer <[email protected]> * Apply suggestions from code review Co-authored-by: Natalia Sitko <[email protected]> * Update docs/release-notes/1.12.0.md Co-authored-by: Natalia Sitko <[email protected]> --------- Co-authored-by: Tim Riffer <[email protected]> Co-authored-by: Natalia Sitko <[email protected]>
kyma-project · Dec 2, 2024 · 3557761 · 3557761
1 parent 0b8feae
commit 3557761
Show file tree

Hide file tree

Showing 11 changed files with 78 additions and 40 deletions.
diff --git a/README.md b/README.md
@@ -9,9 +9,10 @@ Istio is an open-source service mesh that provides a uniform way to manage, conn
 
 The Istio module installs and manages Istio in your Kyma cluster. The latest release includes the following versions of Istio and Envoy:
 
-**Istio version:** 1.23.2
-
-**Envoy version:** 1.31.2
+| **Component** | **Version** |
+|---------------|-------------|
+| Istio         | 1.24.1      |
+| Envoy         | 1.32.2      |
 
 > [!NOTE]
 > If you want to enable compatibility with the previous minor version of Istio, see [Compatibility Mode](./docs/user/00-10-istio-version.md#compatibility-mode).

diff --git a/api/v1alpha2/compatibility_mode.go b/api/v1alpha2/compatibility_mode.go
@@ -6,7 +6,11 @@ import (
 )
 
 var pilotCompatibilityEnvVars = map[string]string{
-	"ENABLE_DELIMITED_STATS_TAG_REGEX": "false",
+	"ENABLE_INBOUND_RETRY_POLICY":                      "false",
+	"EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY":            "false",
+	"PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES": "false",
+	"ENABLE_ENHANCED_DESTINATIONRULE_MERGE":            "false",
+	"PILOT_UNIFIED_SIDECAR_SCOPE":                      "false",
 }
 
 func setCompatibilityMode(op iopv1alpha1.IstioOperator) (iopv1alpha1.IstioOperator, error) {
@@ -39,8 +43,8 @@ func setCompatibilityPilot(op iopv1alpha1.IstioOperator) iopv1alpha1.IstioOperat
 }
 
 var ProxyMetaDataCompatibility = map[string]string{
-	"ENABLE_DEFERRED_CLUSTER_CREATION": "false",
-	"ENABLE_DELIMITED_STATS_TAG_REGEX": "false",
+	"ENABLE_DEFERRED_STATS_CREATION":               "false",
+	"BYPASS_OVERLOAD_MANAGER_FOR_STATIC_LISTENERS": "false",
 }
 
 func setCompatibilityProxyMetadata(op iopv1alpha1.IstioOperator) (iopv1alpha1.IstioOperator, error) {

diff --git a/api/v1alpha2/compatibility_mode_test.go b/api/v1alpha2/compatibility_mode_test.go
@@ -124,12 +124,12 @@ var _ = Describe("Compatibility Mode", func() {
 
 			//then
 			Expect(err).ShouldNot(HaveOccurred())
-			field := getProxyMetadataField(out, "ENABLE_DEFERRED_CLUSTER_CREATION")
-			Expect(field).ToNot(BeNil())
-			Expect(field.GetStringValue()).To(Equal("false"))
-			fieldTwo := getProxyMetadataField(out, "ENABLE_DELIMITED_STATS_TAG_REGEX")
-			Expect(fieldTwo).ToNot(BeNil())
-			Expect(fieldTwo.GetStringValue()).To(Equal("false"))
+
+			for fieldName, value := range ProxyMetaDataCompatibility {
+				field := getProxyMetadataField(out, fieldName)
+				Expect(field).ToNot(BeNil())
+				Expect(field.GetStringValue()).To(Equal(value))
+			}
 		})
 
 		It("should set compatibility variables in proxyMetadata without overwriting existing variables", func() {
@@ -162,13 +162,11 @@ var _ = Describe("Compatibility Mode", func() {
 			//then
 			Expect(err).ShouldNot(HaveOccurred())
 
-			clusterCreation := getProxyMetadataField(out, "ENABLE_DEFERRED_CLUSTER_CREATION")
-			Expect(clusterCreation).ToNot(BeNil())
-			Expect(clusterCreation.GetStringValue()).To(Equal("false"))
-
-			stats := getProxyMetadataField(out, "ENABLE_DELIMITED_STATS_TAG_REGEX")
-			Expect(stats).ToNot(BeNil())
-			Expect(stats.GetStringValue()).To(Equal("false"))
+			for fieldName, value := range ProxyMetaDataCompatibility {
+				field := getProxyMetadataField(out, fieldName)
+				Expect(field).ToNot(BeNil())
+				Expect(field.GetStringValue()).To(Equal(value))
+			}
 		})
 
 		It("should not set compatibility variables when compatibility mode is off", func() {
@@ -201,10 +199,10 @@ var _ = Describe("Compatibility Mode", func() {
 			//then
 			Expect(err).ShouldNot(HaveOccurred())
 
-			field := getProxyMetadataField(out, "ENABLE_DEFERRED_CLUSTER_CREATION")
-			Expect(field).To(BeNil())
-			fieldTwo := getProxyMetadataField(out, "ENABLE_DELIMITED_STATS_TAG_REGEX")
-			Expect(fieldTwo).To(BeNil())
+			for fieldName, _ := range ProxyMetaDataCompatibility {
+				field := getProxyMetadataField(out, fieldName)
+				Expect(field).To(BeNil())
+			}
 		})
 	})
 })

diff --git a/docs/release-notes/1.12.0.md b/docs/release-notes/1.12.0.md
@@ -0,0 +1,33 @@
+## New Features
+
+### Istio Updated to Version 1.24.1 
+
+| **Component** | **Version** |
+|---------------|-------------|
+| Istio         | 1.24.1      |
+| Envoy         | 1.32.2      |
+
+We've updated the Istio version to 1.24.1 ([#1024](https://github.com/kyma-project/istio/pull/1024)).
+Read the Istio 1.24.1 [release announcement](https://istio.io/latest/news/releases/1.24.x/announcing-1.24.1/)
+and [Istio 1.24.0 Change Notes](https://istio.io/latest/news/releases/1.24.x/announcing-1.24/change-notes/).
+
+This version includes the following changes to compatibility version parameters.
+
+The parameters for the previous compatibility version switched from 'false' to 'true':
+
+| Parameter                            | Description                                                                                                                                                                         |
+|--------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| ENABLE\_DELIMITED\_STATS\_TAG\_REGEX | If true, pilot uses the new delimited stat tag regex to generate Envoy stats tags.                                                                                              |
+| ENABLE\_DEFERRED\_CLUSTER\_CREATION  | If enabled, Istio creates clusters only when there are requests. This saves memory and CPU cycles in cases where there are lots of inactive clusters and more than one worker thread. |
+
+This compatibility version applies the new parameters set to `false`:
+
+| Parameter                                             | Description                                                                                                                                        |
+|-------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------|
+| ENABLE\_INBOUND\_RETRY\_POLICY       | If true, enables retry policy for inbound routes, which automatically retries any requests that were reset before reaching the intended service.                                                |
+| EXCLUDE\_UNSAFE\_503\_FROM\_DEFAULT\_RETRY            | If true, excludes unsafe retry on `503` from the default retry policy.                                                                                   |
+| PREFER\_DESTINATIONRULE\_TLS\_FOR\_EXTERNAL\_SERVICES | If true, external services prefer the TLS settings from DestinationRules over the metadata TLS settings.                                      |
+| ENABLE\_ENHANCED\_DESTINATIONRULE\_MERGE              | If enabled, Istio merges DestinationRules considering their **exportTo** fields. The DestinationRules are then kept as independent rules if the **exportTo** fields are not equal. |
+| PILOT\_UNIFIED\_SIDECAR\_SCOPE                        | If true, unified SidecarScope creation is used. This is only intended as a temporary feature flag for backward compatibility.                |
+| ENABLE\_DEFERRED\_STATS\_CREATION                     | If enabled, Istio lazily initializes a subset of the stats.                                                                                    |
+| BYPASS\_OVERLOAD\_MANAGER\_FOR\_STATIC\_LISTENERS     | If enabled, the overload manager is not applied to static listeners.                                                                              |
diff --git a/docs/user/README.md b/docs/user/README.md
@@ -9,9 +9,9 @@ The Istio module installs and manages Istio in your Kyma cluster. By default, th
 
 The latest release includes the following versions of Istio and Envoy:  
 
-**Istio version:** 1.23.2
+**Istio version:** 1.24.1
 
-**Envoy version:** 1.31.2
+**Envoy version:** 1.32.2
 
 ## Features
 

diff --git a/internal/istiooperator/istio-operator-light.yaml b/internal/istiooperator/istio-operator-light.yaml
@@ -7,7 +7,7 @@ metadata:
     kyma-project.io/module: istio
 spec:
   hub: europe-docker.pkg.dev/kyma-project/prod/external/istio
-  tag: "1.23.2-distroless"
+  tag: "1.24.1-distroless"
   components:
     base:
       enabled: true

diff --git a/internal/istiooperator/istio-operator.yaml b/internal/istiooperator/istio-operator.yaml
@@ -7,7 +7,7 @@ metadata:
     kyma-project.io/module: istio
 spec:
   hub: europe-docker.pkg.dev/kyma-project/prod/external/istio
-  tag: "1.23.2-distroless"
+  tag: "1.24.1-distroless"
   components:
     base:
       enabled: true

diff --git a/sec-scanners-config.yaml b/sec-scanners-config.yaml
@@ -1,9 +1,9 @@
 module-name: istio
 protecode:
   - europe-docker.pkg.dev/kyma-project/prod/istio/main/istio-manager:2a78400126b8cea98c422d390c8e03249c5299df
-  - europe-docker.pkg.dev/kyma-project/prod/external/istio/install-cni:1.23.2-distroless
-  - europe-docker.pkg.dev/kyma-project/prod/external/istio/proxyv2:1.23.2-distroless
-  - europe-docker.pkg.dev/kyma-project/prod/external/istio/pilot:1.23.2-distroless
+  - europe-docker.pkg.dev/kyma-project/prod/external/istio/install-cni:1.24.1-distroless
+  - europe-docker.pkg.dev/kyma-project/prod/external/istio/proxyv2:1.24.1-distroless
+  - europe-docker.pkg.dev/kyma-project/prod/external/istio/pilot:1.24.1-distroless
 whitesource:
   language: golang-mod
   subprojects: false

diff --git a/tests/integration/features/observability-suite/observability.feature b/tests/integration/features/observability-suite/observability.feature
@@ -46,6 +46,10 @@ Feature: Observability
   Scenario: Istio calls OpenTelemetry API on default service configured in kyma-traces extension provider
     Given Tracing is enabled for the mesh using provider "kyma-traces"
     # For a simpler setup we use a tcp-echo as OpenTelemetry collector mock, because we only want to verify that the OpenTelemetry API is called by checking the echoed request logs.
+    And Istio gateway "test-gateway" is configured in namespace "default"
+    And Httpbin application "httpbin" deployment is created in namespace "default"
+    And Virtual service "httpbin" exposing service "httpbin.default.svc.cluster.local" with port "8000" by gateway "default/test-gateway" is configured in namespace "default"
     And OTEL Collector mock "otel-collector-mock" deployment is created in namespace "kyma-system"
     And Service is created for the otel collector "otel-collector-mock" in namespace "kyma-system"
+    When Request to path "/ip" should have response code "200"
     Then Log of container "otel-collector-mock" in deployment "otel-collector-mock" in namespace "kyma-system" contains "POST /opentelemetry.proto.collector.trace.v1.TraceService/Export"
diff --git a/tests/integration/steps/logs.go b/tests/integration/steps/logs.go
@@ -3,9 +3,9 @@ package steps
 import (
 	"bytes"
 	"context"
+	"fmt"
 	"github.com/avast/retry-go"
 	"github.com/kyma-project/istio/operator/tests/testcontext"
-	"github.com/pkg/errors"
 	"io"
 	v1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
@@ -42,22 +42,18 @@ func ContainerLogContainsString(ctx context.Context, containerName, depName, dep
 			return err
 		}
 
-		found := false
-		var str = ""
+		var logStr = ""
 		for _, pod := range pods.Items {
-			str, err = getLogsFromPodsContainer(ctx, pod, containerName)
+			logStr, err = getLogsFromPodsContainer(ctx, pod, containerName)
 			if err != nil {
 				return err
 			}
-			if sub := strings.Contains(str, expectedString); sub {
-				found = true
+			if sub := strings.Contains(logStr, expectedString); sub {
+				return nil
 			}
 		}
-		if !found {
-			return errors.New("log entry not found" + str)
-		}
 
-		return nil
+		return fmt.Errorf("log entry not found. got log: %s", logStr)
 	}, testcontext.GetRetryOpts()...)
 	return ctx, err
 }

diff --git a/tests/integration/steps/observability.go b/tests/integration/steps/observability.go
@@ -2,6 +2,7 @@ package steps
 
 import (
 	"context"
+	"google.golang.org/protobuf/types/known/wrapperspb"
 	"strconv"
 
 	"github.com/avast/retry-go"
@@ -59,6 +60,7 @@ func EnableTracing(ctx context.Context, tracingProvider string) (context.Context
 			Spec: apitelemetryv1.Telemetry{
 				Tracing: []*apitelemetryv1.Tracing{
 					{
+						RandomSamplingPercentage: &wrapperspb.DoubleValue{Value: 100},
 						Providers: []*apitelemetryv1.ProviderRef{
 							{Name: tracingProvider},
 						},