Bump Istio to 1.24 #1149

Merged
merged 16 commits into from
Dec 2, 2024
7 changes: 4 additions & 3 deletions README.md
Expand Up @@ -9,9 +9,10 @@ Istio is an open-source service mesh that provides a uniform way to manage, conn

The Istio module installs and manages Istio in your Kyma cluster. The latest release includes the following versions of Istio and Envoy:

**Istio version:** 1.23.2

**Envoy version:** 1.31.2
| **Component** | **Version** |
|---------------|-------------|
| Istio | 1.24.1 |
| Envoy | 1.32.2 |

> [!NOTE]
> If you want to enable compatibility with the previous minor version of Istio, see [Compatibility Mode](./docs/user/00-10-istio-version.md#compatibility-mode).
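Review bot: the Component/Version table that replaces the two bold lines here is not carried over to docs/user/README.md, which this PR updates in the old `**Istio version:**` / `**Envoy version:**` form. The release notes added in this PR already use the table, so use the same table in docs/user/README.md to keep the three places that state the versions in one format.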
10 changes: 7 additions & 3 deletions api/v1alpha2/compatibility_mode.go
Expand Up @@ -6,7 +6,11 @@ import (
)

var pilotCompatibilityEnvVars = map[string]string{
"ENABLE_DELIMITED_STATS_TAG_REGEX": "false",
"ENABLE_INBOUND_RETRY_POLICY": "false",
"EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY": "false",
"PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES": "false",
"ENABLE_ENHANCED_DESTINATIONRULE_MERGE": "false",
"PILOT_UNIFIED_SIDECAR_SCOPE": "false",
}

func setCompatibilityMode(op iopv1alpha1.IstioOperator) (iopv1alpha1.IstioOperator, error) {
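Review bot: the entries in `pilotCompatibilityEnvVars` have no comment saying which Istio behaviour they hold back, and two of them are not cosmetic: `PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES` decides which TLS settings apply to external services and `EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY` keeps unsafe `503` retries in the default policy when set to "false". Add a comment above the map stating that these values reproduce the previous minor version's defaults and pointing at docs/release-notes/1.12.0.md, so whoever does the next bump knows which keys to drop and operators can see what enabling compatibility mode changes for TLS and retries.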
Expand Down Expand Up @@ -39,8 +43,8 @@ func setCompatibilityPilot(op iopv1alpha1.IstioOperator) iopv1alpha1.IstioOperat
}

var ProxyMetaDataCompatibility = map[string]string{
"ENABLE_DEFERRED_CLUSTER_CREATION": "false",
"ENABLE_DELIMITED_STATS_TAG_REGEX": "false",
"ENABLE_DEFERRED_STATS_CREATION": "false",
"BYPASS_OVERLOAD_MANAGER_FOR_STATIC_LISTENERS": "false",
}

func setCompatibilityProxyMetadata(op iopv1alpha1.IstioOperator) (iopv1alpha1.IstioOperator, error) {
32 changes: 15 additions & 17 deletions api/v1alpha2/compatibility_mode_test.go
Expand Up @@ -124,12 +124,12 @@ var _ = Describe("Compatibility Mode", func() {

//then
Expect(err).ShouldNot(HaveOccurred())
field := getProxyMetadataField(out, "ENABLE_DEFERRED_CLUSTER_CREATION")
Expect(field).ToNot(BeNil())
Expect(field.GetStringValue()).To(Equal("false"))
fieldTwo := getProxyMetadataField(out, "ENABLE_DELIMITED_STATS_TAG_REGEX")
Expect(fieldTwo).ToNot(BeNil())
Expect(fieldTwo.GetStringValue()).To(Equal("false"))

for fieldName, value := range ProxyMetaDataCompatibility {
field := getProxyMetadataField(out, fieldName)
Expect(field).ToNot(BeNil())
Expect(field.GetStringValue()).To(Equal(value))
}
})

It("should set compatibility variables in proxyMetadata without overwriting existing variables", func() {
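Review bot: the loop `for fieldName, value := range ProxyMetaDataCompatibility` takes its expectations from the same map the code under test applies, so a key that is dropped or misspelled in compatibility_mode.go no longer fails this test. Keep an explicit expected set in the test (for this release `ENABLE_DEFERRED_STATS_CREATION` and `BYPASS_OVERLOAD_MANAGER_FOR_STATIC_LISTENERS`, both "false"), or at least assert the map's length before iterating, so the test still pins the intended contents.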
Expand Down Expand Up @@ -162,13 +162,11 @@ var _ = Describe("Compatibility Mode", func() {
//then
Expect(err).ShouldNot(HaveOccurred())

clusterCreation := getProxyMetadataField(out, "ENABLE_DEFERRED_CLUSTER_CREATION")
Expect(clusterCreation).ToNot(BeNil())
Expect(clusterCreation.GetStringValue()).To(Equal("false"))

stats := getProxyMetadataField(out, "ENABLE_DELIMITED_STATS_TAG_REGEX")
Expect(stats).ToNot(BeNil())
Expect(stats.GetStringValue()).To(Equal("false"))
for fieldName, value := range ProxyMetaDataCompatibility {
field := getProxyMetadataField(out, fieldName)
Expect(field).ToNot(BeNil())
Expect(field.GetStringValue()).To(Equal(value))
}
})

It("should not set compatibility variables when compatibility mode is off", func() {
Expand Down Expand Up @@ -201,10 +199,10 @@ var _ = Describe("Compatibility Mode", func() {
//then
Expect(err).ShouldNot(HaveOccurred())

field := getProxyMetadataField(out, "ENABLE_DEFERRED_CLUSTER_CREATION")
Expect(field).To(BeNil())
fieldTwo := getProxyMetadataField(out, "ENABLE_DELIMITED_STATS_TAG_REGEX")
Expect(fieldTwo).To(BeNil())
for fieldName, _ := range ProxyMetaDataCompatibility {
field := getProxyMetadataField(out, fieldName)
Expect(field).To(BeNil())
}
})
})
})
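Review bot: `for fieldName, _ := range ProxyMetaDataCompatibility` carries a redundant blank identifier; `for fieldName := range ProxyMetaDataCompatibility` is the simplified form. This negative test also passes vacuously if the map is ever empty, so add one assertion on a literal key name to keep it meaningful.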
33 changes: 33 additions & 0 deletions docs/release-notes/1.12.0.md
@@ -0,0 +1,33 @@
## New Features

### Istio Updated to Version 1.24.1

| **Component** | **Version** |
|---------------|-------------|
| Istio | 1.24.1 |
| Envoy | 1.32.2 |

We've updated the Istio version to 1.24.1 ([#1024](https://github.com/kyma-project/istio/pull/1024)).
Read the Istio 1.24.1 [release announcement](https://istio.io/latest/news/releases/1.24.x/announcing-1.24.1/)
and [Istio 1.24.0 Change Notes](https://istio.io/latest/news/releases/1.24.x/announcing-1.24/change-notes/).

This version includes the following changes to compatibility version parameters.

The parameters for the previous compatibility version switched from 'false' to 'true':

| Parameter | Description |
|--------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| ENABLE\_DELIMITED\_STATS\_TAG\_REGEX | If true, pilot uses the new delimited stat tag regex to generate Envoy stats tags. |
| ENABLE\_DEFERRED\_CLUSTER\_CREATION | If enabled, Istio creates clusters only when there are requests. This saves memory and CPU cycles in cases where there are lots of inactive clusters and more than one worker thread. |

This compatibility version applies the new parameters set to `false`:

| Parameter | Description |
|-------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------|
| ENABLE\_INBOUND\_RETRY\_POLICY | If true, enables retry policy for inbound routes, which automatically retries any requests that were reset before reaching the intended service. |
| EXCLUDE\_UNSAFE\_503\_FROM\_DEFAULT\_RETRY | If true, excludes unsafe retry on `503` from the default retry policy. |
| PREFER\_DESTINATIONRULE\_TLS\_FOR\_EXTERNAL\_SERVICES | If true, external services prefer the TLS settings from DestinationRules over the metadata TLS settings. |
| ENABLE\_ENHANCED\_DESTINATIONRULE\_MERGE | If enabled, Istio merges DestinationRules considering their **exportTo** fields. The DestinationRules are then kept as independent rules if the **exportTo** fields are not equal. |
| PILOT\_UNIFIED\_SIDECAR\_SCOPE | If true, unified SidecarScope creation is used. This is only intended as a temporary feature flag for backward compatibility. |
| ENABLE\_DEFERRED\_STATS\_CREATION | If enabled, Istio lazily initializes a subset of the stats. |
| BYPASS\_OVERLOAD\_MANAGER\_FOR\_STATIC\_LISTENERS | If enabled, the overload manager is not applied to static listeners. |
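Review bot: the sentence "We've updated the Istio version to 1.24.1" links to pull/1024, while this change is #1149; please check that the reference points at the PR that actually performs the bump. In the second table, `ENABLE_DEFERRED_STATS_CREATION` and `BYPASS_OVERLOAD_MANAGER_FOR_STATIC_LISTENERS` are listed alongside the pilot variables although compatibility_mode.go sets them through `ProxyMetaDataCompatibility`; a column or a split table saying which parameters are pilot environment variables and which are proxy metadata would tell users where to look for them. The first intro sentence quotes 'false' and 'true' while the second uses backticks; pick one.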
4 changes: 2 additions & 2 deletions docs/user/README.md
Expand Up @@ -9,9 +9,9 @@ The Istio module installs and manages Istio in your Kyma cluster. By default, th

The latest release includes the following versions of Istio and Envoy:

**Istio version:** 1.23.2
**Istio version:** 1.24.1

**Envoy version:** 1.31.2
**Envoy version:** 1.32.2

## Features

2 changes: 1 addition & 1 deletion internal/istiooperator/istio-operator-light.yaml
Expand Up @@ -7,7 +7,7 @@ metadata:
kyma-project.io/module: istio
spec:
hub: europe-docker.pkg.dev/kyma-project/prod/external/istio
tag: "1.23.2-distroless"
tag: "1.24.1-distroless"
components:
base:
enabled: true
2 changes: 1 addition & 1 deletion internal/istiooperator/istio-operator.yaml
Expand Up @@ -7,7 +7,7 @@ metadata:
kyma-project.io/module: istio
spec:
hub: europe-docker.pkg.dev/kyma-project/prod/external/istio
tag: "1.23.2-distroless"
tag: "1.24.1-distroless"
components:
base:
enabled: true
6 changes: 3 additions & 3 deletions sec-scanners-config.yaml
@@ -1,9 +1,9 @@
module-name: istio
protecode:
- europe-docker.pkg.dev/kyma-project/prod/istio/main/istio-manager:2a78400126b8cea98c422d390c8e03249c5299df
- europe-docker.pkg.dev/kyma-project/prod/external/istio/install-cni:1.23.2-distroless
- europe-docker.pkg.dev/kyma-project/prod/external/istio/proxyv2:1.23.2-distroless
- europe-docker.pkg.dev/kyma-project/prod/external/istio/pilot:1.23.2-distroless
- europe-docker.pkg.dev/kyma-project/prod/external/istio/install-cni:1.24.1-distroless
- europe-docker.pkg.dev/kyma-project/prod/external/istio/proxyv2:1.24.1-distroless
- europe-docker.pkg.dev/kyma-project/prod/external/istio/pilot:1.24.1-distroless
whitesource:
language: golang-mod
subprojects: false
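Review bot: the three external images under `protecode` are referenced by the tag `1.24.1-distroless`, and the same tag string is repeated by hand in istio-operator.yaml and istio-operator-light.yaml, so the scanners only cover what is deployed as long as every copy is bumped together. A CI check that compares the tags in this file with `spec.tag` in the two operator manifests would catch a missed file; if the scanner accepts digests, pinning these entries by digest, as `istio-manager` is pinned by commit hash, would also fix the scan to the exact image content.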
Expand Up @@ -46,6 +46,10 @@ Feature: Observability
Scenario: Istio calls OpenTelemetry API on default service configured in kyma-traces extension provider
Given Tracing is enabled for the mesh using provider "kyma-traces"
# For a simpler setup we use a tcp-echo as OpenTelemetry collector mock, because we only want to verify that the OpenTelemetry API is called by checking the echoed request logs.
And Istio gateway "test-gateway" is configured in namespace "default"
And Httpbin application "httpbin" deployment is created in namespace "default"
And Virtual service "httpbin" exposing service "httpbin.default.svc.cluster.local" with port "8000" by gateway "default/test-gateway" is configured in namespace "default"
And OTEL Collector mock "otel-collector-mock" deployment is created in namespace "kyma-system"
And Service is created for the otel collector "otel-collector-mock" in namespace "kyma-system"
When Request to path "/ip" should have response code "200"
Then Log of container "otel-collector-mock" in deployment "otel-collector-mock" in namespace "kyma-system" contains "POST /opentelemetry.proto.collector.trace.v1.TraceService/Export"
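Review bot: the comment "# For a simpler setup we use a tcp-echo as OpenTelemetry collector mock ..." now sits directly above the gateway, httpbin and virtual service steps instead of the `OTEL Collector mock "otel-collector-mock"` step it explains. Move the comment down so it is immediately above the collector mock step.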
16 changes: 6 additions & 10 deletions tests/integration/steps/logs.go
Expand Up @@ -3,9 +3,9 @@ package steps
import (
"bytes"
"context"
"fmt"
"github.com/avast/retry-go"
"github.com/kyma-project/istio/operator/tests/testcontext"
"github.com/pkg/errors"
"io"
v1 "k8s.io/api/apps/v1"
corev1 "k8s.io/api/core/v1"
Expand Down Expand Up @@ -42,22 +42,18 @@ func ContainerLogContainsString(ctx context.Context, containerName, depName, dep
return err
}

found := false
var str = ""
var logStr = ""
for _, pod := range pods.Items {
str, err = getLogsFromPodsContainer(ctx, pod, containerName)
logStr, err = getLogsFromPodsContainer(ctx, pod, containerName)
if err != nil {
return err
}
if sub := strings.Contains(str, expectedString); sub {
found = true
if sub := strings.Contains(logStr, expectedString); sub {
return nil
}
}
if !found {
return errors.New("log entry not found" + str)
}

return nil
return fmt.Errorf("log entry not found. got log: %s", logStr)
}, testcontext.GetRetryOpts()...)
return ctx, err
}
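Review bot: in the final `return fmt.Errorf("log entry not found. got log: %s", logStr)`, `logStr` holds only the log of the last pod iterated, so with more than one pod the error shows a single pod's output and gives no pod name. The whole container log is also embedded in the error on every retry attempt, which can flood CI output and copies whatever the container logged into the test report. Consider including the pod name and a truncated tail of each log instead. The condition `if sub := strings.Contains(logStr, expectedString); sub` can be reduced to `if strings.Contains(logStr, expectedString)`.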
2 changes: 2 additions & 0 deletions tests/integration/steps/observability.go
Expand Up @@ -2,6 +2,7 @@ package steps

import (
"context"
"google.golang.org/protobuf/types/known/wrapperspb"
"strconv"

"github.com/avast/retry-go"
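Review bot: the new import `"google.golang.org/protobuf/types/known/wrapperspb"` is placed between `"context"` and `"strconv"` in the standard-library group. Move it into the third-party group below the blank line, next to `"github.com/avast/retry-go"`, which is where goimports would put it.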
Expand Down Expand Up @@ -59,6 +60,7 @@ func EnableTracing(ctx context.Context, tracingProvider string) (context.Context
Spec: apitelemetryv1.Telemetry{
Tracing: []*apitelemetryv1.Tracing{
{
RandomSamplingPercentage: &wrapperspb.DoubleValue{Value: 100},
Providers: []*apitelemetryv1.ProviderRef{
{Name: tracingProvider},
},
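Review bot: `RandomSamplingPercentage: &wrapperspb.DoubleValue{Value: 100}` is added without a comment explaining why the test forces full sampling. The observability scenario sends a request to "/ip" and then expects the collector mock to log an Export call, so the request has to be sampled; a one-line comment saying so would stop someone from later removing the field as unnecessary and reintroducing a flaky test.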