Istio 1.22.1 (#887)

* Update Istio and Envoy version in README

* Update Istio to 1.22.1 and adapt code to changes

* Remove oneNamespace, since it was removed from Istio as it does nothing

* Fix Istio logging to not override all global log configs

* Revert changes due to logging update

* Add release notes

* Update versions of Istio resources to v1

* Update compatibility mode to support 1.22.1

* Update istio apis to v1

* Restart sidecar pods when compatibility mode configuration changed

* Add test to verify that multiple matching predicates will not add the same pod multiple times

* Fix int test import

* Update documentation

* Add missing klog logging config

* Apply suggestions from code review

README.md

@@ -13,9 +13,9 @@ Kyma Istio Operator is a component of the Kyma runtime that handles the manageme
 
 The latest release includes the following versions of Istio and Envoy:
 
-**Istio version:** 1.21.3
+**Istio version:** 1.22.1
 
-**Envoy version:** 1.29.5
+**Envoy version:** 1.30.2
 
 > [!NOTE]
 > If you want to enable compatibility with the previous minor version of Istio, see [Compatibility Mode](https://kyma-project.io/#/istio/user/00-10-overview-istio-controller?id=compatibility-mode).

api/v1alpha2/compatibility_mode.go

@@ -5,18 +5,14 @@ import (
 	iopv1alpha1 "istio.io/istio/operator/pkg/apis/istio/v1alpha1"
 )
 
-// the following map contains Istio compatibility environment variables, that are not included in the compatibilityVersion of istioctl install
-// should be updated with every Istio bump according to the release notes
-// current env comes from: Istio 1.21, compatibilityVersion 1.20
 var pilotCompatibilityEnvVars = map[string]string{
-	"PERSIST_OLDEST_FIRST_HEURISTIC_FOR_VIRTUAL_SERVICE_HOST_MATCHING": "true",
-	"VERIFY_CERTIFICATE_AT_CLIENT":                                     "false",
-	"ENABLE_AUTO_SNI":                                                  "false",
+	"ENABLE_ENHANCED_RESOURCE_SCOPING":   "false",
+	"ENABLE_RESOLUTION_NONE_TARGET_PORT": "false",
 }
 
-func setCompatibilityMode(op iopv1alpha1.IstioOperator) iopv1alpha1.IstioOperator {
+func setCompatibilityMode(op iopv1alpha1.IstioOperator) (iopv1alpha1.IstioOperator, error) {
 	pilotIop := setCompatibilityPilot(op)
-	return pilotIop
+	return setCompatibilityProxyMetadata(pilotIop)
 }
 
 func setCompatibilityPilot(op iopv1alpha1.IstioOperator) iopv1alpha1.IstioOperator {
@@ -42,3 +38,32 @@ func setCompatibilityPilot(op iopv1alpha1.IstioOperator) iopv1alpha1.IstioOperat
 
 	return op
 }
+
+var ProxyMetaDataCompatibility = map[string]string{
+	"ISTIO_DELTA_XDS": "false",
+}
+
+func setCompatibilityProxyMetadata(op iopv1alpha1.IstioOperator) (iopv1alpha1.IstioOperator, error) {
+	if op.Spec == nil {
+		op.Spec = &v1alpha1.IstioOperatorSpec{}
+	}
+
+	mcb, err := newMeshConfigBuilder(op)
+	if err != nil {
+		return op, err
+	}
+
+	for k, v := range ProxyMetaDataCompatibility {
+		mcb.AddProxyMetadata(k, v)
+	}
+	newMeshConfig := mcb.Build()
+
+	updatedConfig, err := marshalMeshConfig(newMeshConfig)
+	if err != nil {
+		return op, err
+	}
+
+	op.Spec.MeshConfig = updatedConfig
+
+	return op, nil
+}

api/v1alpha2/compatibility_mode_test.go

@@ -3,8 +3,10 @@ package v1alpha2
 import (
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
+	"google.golang.org/protobuf/types/known/structpb"
 	operatorv1alpha1 "istio.io/api/operator/v1alpha1"
 	iopv1alpha1 "istio.io/istio/operator/pkg/apis/istio/v1alpha1"
+	"istio.io/istio/pkg/config/mesh"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
@@ -131,4 +133,107 @@ var _ = Describe("Compatibility Mode", func() {
 			Expect(variableCounter).To(Equal(0))
 		})
 	})
+	Context("MeshConfig ProxyMetadata", func() {
+		It("should set compatibility variables in proxyMetadata when no meshConfig is defined", func() {
+			//given
+			iop := iopv1alpha1.IstioOperator{
+				Spec: &operatorv1alpha1.IstioOperatorSpec{},
+			}
+			istioCR := Istio{
+				ObjectMeta: metav1.ObjectMeta{
+					Annotations: map[string]string{},
+				},
+				Spec: IstioSpec{
+					CompatibilityMode: true,
+				},
+			}
+
+			// when
+			out, err := istioCR.MergeInto(iop)
+
+			//then
+			Expect(err).ShouldNot(HaveOccurred())
+			field := getProxyMetadataField(out, "ISTIO_DELTA_XDS")
+			Expect(field).ToNot(BeNil())
+			Expect(field.GetStringValue()).To(Equal("false"))
+		})
+
+		It("should set compatibility variables in proxyMetadata without overwriting existing variables", func() {
+			//given
+			m := mesh.DefaultMeshConfig()
+			m.DefaultConfig.ProxyMetadata = map[string]string{
+				"BOOTSTRAP_XDS_AGENT": "true",
+			}
+
+			meshConfig := convert(m)
+
+			iop := iopv1alpha1.IstioOperator{
+				Spec: &operatorv1alpha1.IstioOperatorSpec{
+					MeshConfig: meshConfig,
+				},
+			}
+
+			istioCR := Istio{
+				ObjectMeta: metav1.ObjectMeta{
+					Annotations: map[string]string{},
+				},
+				Spec: IstioSpec{
+					CompatibilityMode: true,
+				},
+			}
+
+			// when
+			out, err := istioCR.MergeInto(iop)
+
+			//then
+			Expect(err).ShouldNot(HaveOccurred())
+
+			xdsAgent := getProxyMetadataField(out, "BOOTSTRAP_XDS_AGENT")
+			Expect(xdsAgent).ToNot(BeNil())
+			Expect(xdsAgent.GetStringValue()).To(Equal("true"))
+
+			deltaXds := getProxyMetadataField(out, "ISTIO_DELTA_XDS")
+			Expect(deltaXds).ToNot(BeNil())
+			Expect(deltaXds.GetStringValue()).To(Equal("false"))
+		})
+
+		It("should not set compatibility variables when compatibility mode is off", func() {
+			//given
+			m := mesh.DefaultMeshConfig()
+			m.DefaultConfig.ProxyMetadata = map[string]string{
+				"BOOTSTRAP_XDS_AGENT": "true",
+			}
+
+			meshConfig := convert(m)
+
+			iop := iopv1alpha1.IstioOperator{
+				Spec: &operatorv1alpha1.IstioOperatorSpec{
+					MeshConfig: meshConfig,
+				},
+			}
+
+			istioCR := Istio{
+				ObjectMeta: metav1.ObjectMeta{
+					Annotations: map[string]string{},
+				},
+				Spec: IstioSpec{
+					CompatibilityMode: false,
+				},
+			}
+
+			// when
+			out, err := istioCR.MergeInto(iop)
+
+			//then
+			Expect(err).ShouldNot(HaveOccurred())
+
+			field := getProxyMetadataField(out, "ISTIO_DELTA_XDS")
+			Expect(field).To(BeNil())
+		})
+	})
 })
+
+func getProxyMetadataField(iop iopv1alpha1.IstioOperator, fieldName string) *structpb.Value {
+	return iop.Spec.MeshConfig.Fields["defaultConfig"].GetStructValue().
+		Fields["proxyMetadata"].GetStructValue().Fields[fieldName]
+}

api/v1alpha2/istio_merge.go

@@ -41,7 +41,10 @@ func (i *Istio) MergeInto(op iopv1alpha1.IstioOperator) (iopv1alpha1.IstioOperat
 	externalNameAliasAnnotationFixOp := manageExternalNameAlias(i, mergedResourcesOp)
 
 	if i.Spec.CompatibilityMode {
-		compatibleIop := setCompatibilityMode(externalNameAliasAnnotationFixOp)
+		compatibleIop, err := setCompatibilityMode(externalNameAliasAnnotationFixOp)
+		if err != nil {
+			return op, err
+		}
 		return compatibleIop, nil
 	}
 
@@ -132,6 +135,16 @@ func (m *meshConfigBuilder) BuildNumTrustedProxies(numTrustedProxiesPtr *int) *m
 	return m
 }
 
+func (m *meshConfigBuilder) AddProxyMetadata(key, value string) *meshConfigBuilder {
+
+	if m.c.DefaultConfig.ProxyMetadata == nil {
+		m.c.DefaultConfig.ProxyMetadata = make(map[string]string)
+	}
+	m.c.DefaultConfig.ProxyMetadata[key] = value
+
+	return m
+}
+
 func (m *meshConfigBuilder) Build() *meshv1alpha1.MeshConfig {
 	return m.c
 }

cmd/istio-install/main.go

@@ -4,38 +4,26 @@
 package main
 
 import (
+	istioclient "github.com/kyma-project/istio/operator/internal/reconciliations/istio"
 	"os"
 	"time"
 
 	"istio.io/istio/istioctl/pkg/install/k8sversion"
 	istio "istio.io/istio/operator/cmd/mesh"
-	"istio.io/istio/operator/pkg/util/clog"
 	"istio.io/istio/pkg/kube"
-	istiolog "istio.io/istio/pkg/log"
 	"k8s.io/client-go/rest"
 )
 
-func initializeLog() *istiolog.Options {
-	logoptions := istiolog.DefaultOptions()
-	logoptions.SetOutputLevel("validation", istiolog.ErrorLevel)
-	logoptions.SetOutputLevel("processing", istiolog.ErrorLevel)
-	logoptions.SetOutputLevel("analysis", istiolog.WarnLevel)
-	logoptions.SetOutputLevel("installation", istiolog.WarnLevel)
-	logoptions.SetOutputLevel("translator", istiolog.WarnLevel)
-	logoptions.SetOutputLevel("adsc", istiolog.WarnLevel)
-	logoptions.SetOutputLevel("default", istiolog.WarnLevel)
-	logoptions.SetOutputLevel("klog", istiolog.WarnLevel)
-	logoptions.SetOutputLevel("kube", istiolog.ErrorLevel)
-
-	return logoptions
-}
-
 func main() {
 	iopFileNames := []string{os.Args[1]}
 
-	istioLogOptions := initializeLog()
-	registeredScope := istiolog.RegisterScope("installation", "installation")
-	consoleLogger := clog.NewConsoleLogger(os.Stdout, os.Stderr, registeredScope)
+	consoleLogger := istioclient.CreateIstioLibraryLogger()
+
+	if err := istioclient.ConfigureIstioLogScopes(); err != nil {
+		consoleLogger.LogAndError("Failed to configure Istio log: ", err)
+		os.Exit(1)
+	}
+
 	printer := istio.NewPrinterForWriter(os.Stdout)
 
 	rc, err := kube.DefaultRestConfig("", "", func(config *rest.Config) {
@@ -47,7 +35,7 @@ func main() {
 		os.Exit(1)
 	}
 
-	cliClient, err := kube.NewCLIClient(kube.NewClientConfigForRestConfig(rc), "")
+	cliClient, err := kube.NewCLIClient(kube.NewClientConfigForRestConfig(rc))
 	if err != nil {
 		consoleLogger.LogAndError("Failed to create Istio CLI client: ", err)
 		os.Exit(1)
@@ -61,7 +49,7 @@ func main() {
 	// We don't want to verify after installation, because it is unreliable
 	installArgs := &istio.InstallArgs{ReadinessTimeout: 150 * time.Second, SkipConfirmation: true, Verify: false, InFilenames: iopFileNames}
 
-	if err := istio.Install(cliClient, &istio.RootArgs{}, installArgs, istioLogOptions, os.Stdout, consoleLogger, printer); err != nil {
+	if err := istio.Install(cliClient, &istio.RootArgs{}, installArgs, os.Stdout, consoleLogger, printer); err != nil {
 		consoleLogger.LogAndError("Istio install error: ", err)
 		os.Exit(1)
 	}