feat: Istio version bump, optional support for proxyprotocol for ingress, bugfixes

charts/kubezero-istio-ingress/Chart.yaml

@@ -2,8 +2,8 @@ apiVersion: v2
 name: kubezero-istio-ingress
 description: KubeZero Umbrella Chart for Istio based Ingress
 type: application
-version: 0.5.6
+version: 0.6.0
-appVersion: 1.9.3
+appVersion: 1.10.2
 home: https://kubezero.com
 icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
 keywords:
@@ -16,9 +16,9 @@ dependencies:
     version: ">= 0.1.3"
     repository: https://zero-down-time.github.io/kubezero/
   - name: istio-ingress
-    version: 1.9.3
+    version: 1.10.2
     condition: istio-ingress.enabled
   - name: istio-private-ingress
-    version: 1.9.3
+    version: 1.10.2
     condition: istio-private-ingress.enabled
 kubeVersion: ">= 1.18.0"

charts/kubezero-istio-ingress/README.md

@@ -1,6 +1,6 @@
 # kubezero-istio-ingress
 
-![Version: 0.5.6](https://img.shields.io/badge/Version-0.5.6-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.9.3](https://img.shields.io/badge/AppVersion-1.9.3-informational?style=flat-square)
+![Version: 0.6.0](https://img.shields.io/badge/Version-0.6.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.10.2](https://img.shields.io/badge/AppVersion-1.10.2-informational?style=flat-square)
 
 KubeZero Umbrella Chart for Istio based Ingress
 
@@ -20,8 +20,8 @@ Kubernetes: `>= 1.18.0`
 
 | Repository | Name | Version |
 |------------|------|---------|
-|  | istio-ingress | 1.9.3 |
+|  | istio-ingress | 1.10.2 |
-|  | istio-private-ingress | 1.9.3 |
+|  | istio-private-ingress | 1.10.2 |
 | https://zero-down-time.github.io/kubezero/ | kubezero-lib | >= 0.1.3 |
 
 ## Values
@@ -30,10 +30,10 @@ Kubernetes: `>= 1.18.0`
 |-----|------|---------|-------------|
 | global.arch.amd64 | int | `2` |  |
 | global.defaultPodDisruptionBudget.enabled | bool | `false` |  |
-| global.jwtPolicy | string | `"first-party-jwt"` |  |
 | global.logAsJson | bool | `true` |  |
 | global.priorityClassName | string | `"system-cluster-critical"` |  |
-| istio-ingress.dnsNames | list | `[]` |  |
+| istio-ingress.certificates[0].dnsNames | list | `[]` |  |
+| istio-ingress.certificates[0].name | string | `"ingress-cert"` |  |
 | istio-ingress.enabled | bool | `false` |  |
 | istio-ingress.gateways.istio-ingressgateway.autoscaleEnabled | bool | `false` |  |
 | istio-ingress.gateways.istio-ingressgateway.configVolumes[0].configMapName | string | `"istio-gateway-bootstrap-config"` |  |
@@ -69,10 +69,16 @@ Kubernetes: `>= 1.18.0`
 | istio-ingress.gateways.istio-ingressgateway.rollingMaxUnavailable | int | `0` |  |
 | istio-ingress.gateways.istio-ingressgateway.type | string | `"NodePort"` |  |
 | istio-ingress.meshConfig.defaultConfig.proxyMetadata | string | `nil` |  |
+| istio-ingress.proxyProtocol | bool | `false` |  |
 | istio-ingress.telemetry.enabled | bool | `false` |  |
-| istio-private-ingress.dnsNames | list | `[]` |  |
+| istio-private-ingress.certificates[0].dnsNames | list | `[]` |  |
+| istio-private-ingress.certificates[0].name | string | `"private-ingress-cert"` |  |
 | istio-private-ingress.enabled | bool | `false` |  |
 | istio-private-ingress.gateways.istio-ingressgateway.autoscaleEnabled | bool | `false` |  |
+| istio-private-ingress.gateways.istio-ingressgateway.configVolumes[0].configMapName | string | `"istio-gateway-bootstrap-config"` |  |
+| istio-private-ingress.gateways.istio-ingressgateway.configVolumes[0].mountPath | string | `"/etc/istio/custom-bootstrap"` |  |
+| istio-private-ingress.gateways.istio-ingressgateway.configVolumes[0].name | string | `"custom-bootstrap-volume"` |  |
+| istio-private-ingress.gateways.istio-ingressgateway.env.ISTIO_BOOTSTRAP_OVERRIDE | string | `"/etc/istio/custom-bootstrap/custom_bootstrap.json"` |  |
 | istio-private-ingress.gateways.istio-ingressgateway.externalTrafficPolicy | string | `"Local"` |  |
 | istio-private-ingress.gateways.istio-ingressgateway.labels.app | string | `"istio-private-ingressgateway"` |  |
 | istio-private-ingress.gateways.istio-ingressgateway.labels.istio | string | `"private-ingressgateway"` |  |
@@ -97,16 +103,6 @@ Kubernetes: `>= 1.18.0`
 | istio-private-ingress.gateways.istio-ingressgateway.ports[2].port | int | `443` |  |
 | istio-private-ingress.gateways.istio-ingressgateway.ports[2].protocol | string | `"TCP"` |  |
 | istio-private-ingress.gateways.istio-ingressgateway.ports[2].targetPort | int | `8443` |  |
-| istio-private-ingress.gateways.istio-ingressgateway.ports[3].name | string | `"tcp-istiod"` |  |
-| istio-private-ingress.gateways.istio-ingressgateway.ports[3].nodePort | int | `31012` |  |
-| istio-private-ingress.gateways.istio-ingressgateway.ports[3].port | int | `15012` |  |
-| istio-private-ingress.gateways.istio-ingressgateway.ports[3].protocol | string | `"TCP"` |  |
-| istio-private-ingress.gateways.istio-ingressgateway.ports[3].targetPort | int | `15012` |  |
-| istio-private-ingress.gateways.istio-ingressgateway.ports[4].name | string | `"tls"` |  |
-| istio-private-ingress.gateways.istio-ingressgateway.ports[4].nodePort | int | `31044` |  |
-| istio-private-ingress.gateways.istio-ingressgateway.ports[4].port | int | `15443` |  |
-| istio-private-ingress.gateways.istio-ingressgateway.ports[4].protocol | string | `"TCP"` |  |
-| istio-private-ingress.gateways.istio-ingressgateway.ports[4].targetPort | int | `15443` |  |
 | istio-private-ingress.gateways.istio-ingressgateway.replicaCount | int | `1` |  |
 | istio-private-ingress.gateways.istio-ingressgateway.resources.limits.memory | string | `"512Mi"` |  |
 | istio-private-ingress.gateways.istio-ingressgateway.resources.requests.cpu | string | `"50m"` |  |
@@ -115,6 +111,7 @@ Kubernetes: `>= 1.18.0`
 | istio-private-ingress.gateways.istio-ingressgateway.rollingMaxUnavailable | int | `0` |  |
 | istio-private-ingress.gateways.istio-ingressgateway.type | string | `"NodePort"` |  |
 | istio-private-ingress.meshConfig.defaultConfig.proxyMetadata | string | `nil` |  |
+| istio-private-ingress.proxyProtocol | bool | `false` |  |
 | istio-private-ingress.telemetry.enabled | bool | `false` |  |
 
 ## Resources

charts/kubezero-istio-ingress/charts/istio-ingress/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v1
 name: istio-ingress
-version: 1.9.3
+version: 1.10.2
 tillerVersion: ">=2.7.2"
 description: Helm chart for deploying Istio gateways
 keywords:

charts/kubezero-istio-ingress/charts/istio-ingress/templates/deployment.yaml

@@ -1,4 +1,3 @@
-
 {{- $gateway := index .Values "gateways" "istio-ingressgateway" }}
 {{- if eq $gateway.injectionTemplate "" }}
 apiVersion: apps/v1
@@ -45,17 +44,14 @@ spec:
         istio.io/rev: {{ .Values.revision | default "default" }}
         install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
         operator.istio.io/component: "IngressGateways"
-        sidecar.istio.io/inject: "{{- ne $gateway.injectionTemplate "" }}"
+        sidecar.istio.io/inject: "false"
       annotations:
         {{- if .Values.meshConfig.enablePrometheusMerge }}
         prometheus.io/port: "15020"
         prometheus.io/scrape: "true"
         prometheus.io/path: "/stats/prometheus"
         {{- end }}
-        sidecar.istio.io/inject: "{{- ne $gateway.injectionTemplate "" }}"
+        sidecar.istio.io/inject: "false"
-        {{- if ne $gateway.injectionTemplate "" }}
-        inject.istio.io/templates: "{{ $gateway.injectionTemplate }}"
-        {{- end}}
 {{- if $gateway.podAnnotations }}
 {{ toYaml $gateway.podAnnotations | indent 8 }}
 {{ end }}
@@ -219,13 +215,13 @@ spec:
           {{- if $.Values.global.meshID }}
           - name: ISTIO_META_MESH_ID
             value: "{{ $.Values.global.meshID }}"
-          {{- else if $.Values.global.trustDomain | default (index .Values.meshConfig "trustDomain") }}
+          {{- else if .Values.meshConfig.trustDomain }}
           - name: ISTIO_META_MESH_ID
-            value: "{{ $.Values.global.trustDomain  | default (index .Values.meshConfig "trustDomain") }}"
+            value: "{{ .Values.meshConfig.trustDomain }}"
           {{- end }}
-          {{- if .Values.global.trustDomain | default (index .Values.meshConfig "trustDomain") }}
+          {{- if .Values.meshConfig.trustDomain }}
           - name: TRUST_DOMAIN
-            value: "{{ .Values.global.trustDomain | default (index .Values.meshConfig "trustDomain") }}"
+            value: "{{ .Values.meshConfig.trustDomain }}"
           {{- end }}
           {{- if not $gateway.runAsRoot }}
           - name: ISTIO_META_UNPRIVILEGED_POD
@@ -233,7 +229,7 @@ spec:
           {{- end }}
           {{- range $key, $val := $gateway.env }}
           - name: {{ $key }}
-            value: {{ $val }}
+            value: "{{ $val }}"
           {{- end }}
           {{- range $key, $value := .Values.meshConfig.defaultConfig.proxyMetadata }}
           - name: {{ $key }}

charts/kubezero-istio-ingress/charts/istio-ingress/values.yaml

@@ -24,17 +24,8 @@ gateways:
       targetPort: 8443
       name: https
       protocol: TCP
-    - port: 15012
-      targetPort: 15012
-      name: tcp-istiod
-      protocol: TCP
-    # This is the port where sni routing happens
-    - port: 15443
-      targetPort: 15443
-      name: tls
-      protocol: TCP
 
-    # Scalability tunning
+    # Scalability tuning
     # replicaCount: 1
     rollingMaxSurge: 100%
     rollingMaxUnavailable: 25%
@@ -174,7 +165,7 @@ global:
   hub: docker.io/istio
 
   # Default tag for Istio images.
-  tag: 1.9.3
+  tag: 1.10.2
 
   # Specify image pull policy if default behavior isn't desired.
   # Default behavior: latest images will be Always else IfNotPresent.
@@ -310,11 +301,14 @@ global:
     # Setting this port to a non-zero value enables STS server.
     servicePort: 0
 
-  # Deprecated, use meshConfig.trustDomain
-  trustDomain: ""
 
 meshConfig:
   enablePrometheusMerge: true
+
+  # The trust domain corresponds to the trust root of a system
+  # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain
+  trustDomain: "cluster.local"
+
   defaultConfig:
     proxyMetadata: {}
     tracing:

charts/kubezero-istio-ingress/charts/istio-private-ingress/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v1
 name: istio-private-ingress
-version: 1.9.3
+version: 1.10.2
 tillerVersion: ">=2.7.2"
 description: Helm chart for deploying Istio gateways
 keywords:

charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/deployment.yaml

@@ -1,4 +1,3 @@
-
 {{- $gateway := index .Values "gateways" "istio-ingressgateway" }}
 {{- if eq $gateway.injectionTemplate "" }}
 apiVersion: apps/v1
@@ -45,17 +44,14 @@ spec:
         istio.io/rev: {{ .Values.revision | default "default" }}
         install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
         operator.istio.io/component: "IngressGateways"
-        sidecar.istio.io/inject: "{{- ne $gateway.injectionTemplate "" }}"
+        sidecar.istio.io/inject: "false"
       annotations:
         {{- if .Values.meshConfig.enablePrometheusMerge }}
         prometheus.io/port: "15020"
         prometheus.io/scrape: "true"
         prometheus.io/path: "/stats/prometheus"
         {{- end }}
-        sidecar.istio.io/inject: "{{- ne $gateway.injectionTemplate "" }}"
+        sidecar.istio.io/inject: "false"
-        {{- if ne $gateway.injectionTemplate "" }}
-        inject.istio.io/templates: "{{ $gateway.injectionTemplate }}"
-        {{- end}}
 {{- if $gateway.podAnnotations }}
 {{ toYaml $gateway.podAnnotations | indent 8 }}
 {{ end }}
@@ -219,13 +215,13 @@ spec:
           {{- if $.Values.global.meshID }}
           - name: ISTIO_META_MESH_ID
             value: "{{ $.Values.global.meshID }}"
-          {{- else if $.Values.global.trustDomain | default (index .Values.meshConfig "trustDomain") }}
+          {{- else if .Values.meshConfig.trustDomain }}
           - name: ISTIO_META_MESH_ID
-            value: "{{ $.Values.global.trustDomain  | default (index .Values.meshConfig "trustDomain") }}"
+            value: "{{ .Values.meshConfig.trustDomain }}"
           {{- end }}
-          {{- if .Values.global.trustDomain | default (index .Values.meshConfig "trustDomain") }}
+          {{- if .Values.meshConfig.trustDomain }}
           - name: TRUST_DOMAIN
-            value: "{{ .Values.global.trustDomain | default (index .Values.meshConfig "trustDomain") }}"
+            value: "{{ .Values.meshConfig.trustDomain }}"
           {{- end }}
           {{- if not $gateway.runAsRoot }}
           - name: ISTIO_META_UNPRIVILEGED_POD
@@ -233,7 +229,7 @@ spec:
           {{- end }}
           {{- range $key, $val := $gateway.env }}
           - name: {{ $key }}
-            value: {{ $val }}
+            value: "{{ $val }}"
           {{- end }}
           {{- range $key, $value := .Values.meshConfig.defaultConfig.proxyMetadata }}
           - name: {{ $key }}

charts/kubezero-istio-ingress/charts/istio-private-ingress/values.yaml

@@ -24,17 +24,8 @@ gateways:
       targetPort: 8443
       name: https
       protocol: TCP
-    - port: 15012
-      targetPort: 15012
-      name: tcp-istiod
-      protocol: TCP
-    # This is the port where sni routing happens
-    - port: 15443
-      targetPort: 15443
-      name: tls
-      protocol: TCP
 
-    # Scalability tunning
+    # Scalability tuning
     # replicaCount: 1
     rollingMaxSurge: 100%
     rollingMaxUnavailable: 25%
@@ -174,7 +165,7 @@ global:
   hub: docker.io/istio
 
   # Default tag for Istio images.
-  tag: 1.9.3
+  tag: 1.10.2
 
   # Specify image pull policy if default behavior isn't desired.
   # Default behavior: latest images will be Always else IfNotPresent.
@@ -310,11 +301,14 @@ global:
     # Setting this port to a non-zero value enables STS server.
     servicePort: 0
 
-  # Deprecated, use meshConfig.trustDomain
-  trustDomain: ""
 
 meshConfig:
   enablePrometheusMerge: true
+
+  # The trust domain corresponds to the trust root of a system
+  # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain
+  trustDomain: "cluster.local"
+
   defaultConfig:
     proxyMetadata: {}
     tracing:

charts/kubezero-istio-ingress/templates/bootstrap-config.yaml

@@ -1,6 +1,6 @@
+{{- if or (index .Values "istio-ingress" "enabled") (index .Values "istio-private-ingress" "enabled") }}
 # https://www.envoyproxy.io/docs/envoy/v1.17.1/configuration/best_practices/edge#configuring-envoy-as-an-edge-proxy
 # https://github.com/istio/istio/issues/24715
-{{- if or (index .Values "istio-ingress" "enabled") (index .Values "istio-private-ingress" "enabled") }}
 apiVersion: v1
 kind: ConfigMap
 metadata:

charts/kubezero-istio-ingress/templates/envoyfilter-keepalive-nlb.yaml

@@ -1,4 +1,4 @@
-{{- if or (index .Values "istio-ingress" "enabled") (index .Values "istio-private-ingress" "enabled") }}
+{{- if index .Values "istio-ingress" "enabled" }}
 apiVersion: networking.istio.io/v1alpha3
 kind: EnvoyFilter
 metadata:
@@ -7,6 +7,47 @@ metadata:
   labels:
 {{ include "kubezero-lib.labels" . | indent 4 }}
 spec:
+  workloadSelector:
+    labels:
+      istio: ingressgateway
+  configPatches:
+  - applyTo: LISTENER
+    patch:
+      operation: MERGE
+      value:
+        socket_options:
+          # SOL_SOCKET = 1
+          # SO_KEEPALIVE = 9
+          - level: 1
+            name: 9
+            int_value: 1
+            state: STATE_LISTENING
+          # IPPROTO_TCP = 6
+          # TCP_KEEPIDLE = 4
+          - level: 6
+            name: 4
+            int_value: 120
+            state: STATE_LISTENING
+          # TCP_KEEPINTVL = 5
+          - level: 6
+            name: 5
+            int_value: 60
+            state: STATE_LISTENING
+{{- end }}
+
+{{- if index .Values "istio-private-ingress" "enabled" }}
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: EnvoyFilter
+metadata:
+  name: private-ingressgateway-listener-tcp-keepalive
+  namespace: {{ .Release.Namespace }}
+  labels:
+{{ include "kubezero-lib.labels" . | indent 4 }}
+spec:
+  workloadSelector:
+    labels:
+      istio: private-ingressgateway
   configPatches:
   - applyTo: LISTENER
     patch:

charts/kubezero-istio-ingress/templates/envoyfilter-proxy-protocol.yaml

@@ -0,0 +1,44 @@
+{{- if and (index .Values "istio-ingress" "enabled") (index .Values "istio-ingress" "proxyProtocol") }}
+apiVersion: networking.istio.io/v1alpha3
+kind: EnvoyFilter
+metadata:
+  name: ingressgateway-proxy-protocol
+  namespace: {{ .Release.Namespace }}
+  labels:
+{{ include "kubezero-lib.labels" . | indent 4 }}
+spec:
+  workloadSelector:
+    labels:
+      istio: ingressgateway
+  configPatches:
+  - applyTo: LISTENER
+    patch:
+      operation: MERGE
+      value:
+        listener_filters:
+        - name: envoy.listener.proxy_protocol
+        - name: envoy.listener.tls_inspector
+{{- end }}
+
+{{- if and (index .Values "istio-private-ingress" "enabled") (index .Values "istio-private-ingress" "proxyProtocol") }}
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: EnvoyFilter
+metadata:
+  name: private-ingressgateway-proxy-protocol
+  namespace: {{ .Release.Namespace }}
+  labels:
+{{ include "kubezero-lib.labels" . | indent 4 }}
+spec:
+  workloadSelector:
+    labels:
+      istio: private-ingressgateway
+  configPatches:
+  - applyTo: LISTENER
+    patch:
+      operation: MERGE
+      value:
+        listener_filters:
+        - name: envoy.listener.proxy_protocol
+        - name: envoy.listener.tls_inspector
+{{- end }}

charts/kubezero-istio-ingress/templates/ingress-certificate.yaml

@@ -1,35 +1,39 @@
-{{- if index .Values "istio-ingress" "dnsNames" }}
+{{- range $cert := (index .Values "istio-ingress" "certificates") }}
+{{- if $cert.dnsNames }}
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
-  name: ingress-cert
+  name: {{ $cert.name }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ $.Release.Namespace }}
   labels:
-{{ include "kubezero-lib.labels" . | indent 4 }}
+{{ include "kubezero-lib.labels" $ | indent 4 }}
 spec:
-  secretName: ingress-cert
+  secretName: {{ $cert.name }}
   issuerRef:
-    name: letsencrypt-dns-prod
+    name: {{ default "letsencrypt-dns-prod" $cert.issuer }}
     kind: ClusterIssuer
   dnsNames:
-{{ toYaml (index .Values "istio-ingress" "dnsNames") | indent 4 }}
+{{ toYaml $cert.dnsNames | indent 4 }}
+---
+{{- end }}
 {{- end }}
 
-{{- if index .Values "istio-private-ingress" "dnsNames" }}
+{{- range $cert := (index .Values "istio-private-ingress" "certificates") }}
----
+{{- if $cert.dnsNames }}
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
-  name: private-ingress-cert
+  name: {{ $cert.name }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ $.Release.Namespace }}
   labels:
-{{ include "kubezero-lib.labels" . | indent 4 }}
+{{ include "kubezero-lib.labels" $ | indent 4 }}
 spec:
   secretName: private-ingress-cert
   issuerRef:
-    name: letsencrypt-dns-prod
+    name: {{ default "letsencrypt-dns-prod" $cert.issuer }}
     kind: ClusterIssuer
   dnsNames:
-{{ toYaml (index .Values "istio-private-ingress" "dnsNames") | indent 4 }}
+{{ toYaml $cert.dnsNames | indent 4 }}
+---
+{{- end }}
 {{- end }}
-

charts/kubezero-istio-ingress/templates/ingress-gateway.yaml

@@ -1,6 +1,6 @@
+{{- if and (index .Values "istio-ingress" "enabled") (index .Values "istio-ingress" "certificates") }}
 # https://istio.io/latest/docs/tasks/traffic-management/ingress/secure-ingress/#configure-a-tls-ingress-gateway-for-multiple-hosts
 
-{{- if and (index .Values "istio-ingress" "enabled") (index .Values "istio-ingress" "dnsNames") }}
 apiVersion: networking.istio.io/v1beta1
 kind: Gateway
 metadata:
@@ -17,23 +17,25 @@ spec:
       name: http
       protocol: HTTP2
     hosts:
-    {{- toYaml (index .Values "istio-ingress" "dnsNames") | nindent 4 }}
+    {{- range $cert := (index .Values "istio-ingress" "certificates") }}
+    {{- toYaml $cert.dnsNames | nindent 4 }}
+    {{- end }}
     tls:
       httpsRedirect: true
+  {{- range $cert := (index .Values "istio-ingress" "certificates") }}
   - port:
       number: 443
       name: https
       protocol: HTTPS
     hosts:
-    {{- toYaml (index .Values "istio-ingress" "dnsNames") | nindent 4 }}
+    {{- toYaml $cert.dnsNames | nindent 4 }}
     tls:
       mode: SIMPLE
-      privateKey: /etc/istio/ingressgateway-certs/tls.key
+      credentialName: {{ $cert.name }}
-      serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
+  {{- end }}
-      credentialName: ingress-cert
 {{- end }}
 
-{{- if and (index .Values "istio-private-ingress" "enabled") (index .Values "istio-private-ingress" "dnsNames") }}
+{{- if and (index .Values "istio-private-ingress" "enabled") (index .Values "istio-private-ingress" "certificates") }}
 ---
 apiVersion: networking.istio.io/v1beta1
 kind: Gateway
@@ -51,53 +53,62 @@ spec:
       name: http
       protocol: HTTP2
     hosts:
-    {{- toYaml (index .Values "istio-private-ingress" "dnsNames") | nindent 4 }}
+    {{- range $certs := (index .Values "istio-private-ingress" "certificates") }}
+    {{- toYaml $certs.dnsNames | nindent 4 }}
+    {{- end }}
     tls:
       httpsRedirect: true
+  # All SSL hosts one entry per ingress-certificate
+  {{- range $cert := (index .Values "istio-private-ingress" "certificates") }}
   - port:
       number: 443
       name: https
       protocol: HTTPS
     hosts:
-    {{- toYaml (index .Values "istio-private-ingress" "dnsNames") | nindent 4 }}
+    {{- toYaml $cert.dnsNames | nindent 4 }}
     tls:
       mode: SIMPLE
-      privateKey: /etc/istio/ingressgateway-certs/tls.key
+      credentialName: {{ $cert.name }}
-      serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
-      credentialName: private-ingress-cert
-  - port:
-      number: 5672
-      name: amqp
-      protocol: TCP
-    hosts:
-    {{- toYaml (index .Values "istio-private-ingress" "dnsNames") | nindent 4 }}
-  - port:
-      number: 5671
-      name: amqps
-      protocol: TCP
-    hosts:
-    {{- toYaml (index .Values "istio-private-ingress" "dnsNames") | nindent 4 }}
   - port:
       number: 24224
       name: fluentd-forward
       protocol: TLS
     hosts:
-    {{- toYaml (index .Values "istio-private-ingress" "dnsNames") | nindent 4 }}
+    {{- toYaml $cert.dnsNames | nindent 4 }}
     tls:
       mode: SIMPLE
-      privateKey: /etc/istio/ingressgateway-certs/tls.key
+      credentialName: {{ $cert.name }}
-      serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
+  {{- end }}
-      credentialName: private-ingress-cert
+  - port:
+      number: 5672
+      name: amqp
+      protocol: TCP
+    hosts:
+    {{- range $certs := (index .Values "istio-private-ingress" "certificates") }}
+    {{- toYaml $certs.dnsNames | nindent 4 }}
+    {{- end }}
+  - port:
+      number: 5671
+      name: amqps
+      protocol: TCP
+    hosts:
+    {{- range $certs := (index .Values "istio-private-ingress" "certificates") }}
+    {{- toYaml $certs.dnsNames | nindent 4 }}
+    {{- end }}
   - port:
       number: 6379
       name: redis
       protocol: TCP
     hosts:
-    {{- toYaml (index .Values "istio-private-ingress" "dnsNames") | nindent 4 }}
+    {{- range $certs := (index .Values "istio-private-ingress" "certificates") }}
+    {{- toYaml $certs.dnsNames | nindent 4 }}
+    {{- end }}
   - port:
       number: 6380
       name: redis-1
       protocol: TCP
     hosts:
-    {{- toYaml (index .Values "istio-private-ingress" "dnsNames") | nindent 4 }}
+    {{- range $certs := (index .Values "istio-private-ingress" "certificates") }}
+    {{- toYaml $certs.dnsNames | nindent 4 }}
+    {{- end }}
 {{- end }}

charts/kubezero-istio-ingress/values.yaml

@@ -1,10 +1,9 @@
 # Make sure these values match kuberzero-istio !!!
 global:
   #hub: docker.io/istio
-  #tag: 1.9.3
+  #tag: 1.10.2
 
   logAsJson: true
-  jwtPolicy: first-party-jwt
 
   priorityClassName: "system-cluster-critical"
 
@@ -69,22 +68,14 @@ istio-ingress:
         targetPort: 8443
         nodePort: 30443
         protocol: TCP
-     ## multi-cluster - disabled on public LBs
-     #- name: tcp-istiod
-     #  port: 15012
-     #  targetPort: 15012
-     #  nodePort: 30012
-     #  protocol: TCP
-     ## multi-cluster sni east-west
-     #- name: tls
-     #  port: 15443
-     #  targetPort: 15443
-     #  nodePort: 30044
-     #  protocol: TCP
 
+  certificates:
+  - name: ingress-cert
     dnsNames: []
   #  - '*.example.com'
 
+  proxyProtocol: false
+
   meshConfig:
    defaultConfig:
      proxyMetadata:
@@ -123,8 +114,16 @@ istio-private-ingress:
         values: istio-private-ingressgateway
       type: NodePort
       podAnnotations:
-      #  sidecar.istio.io/bootstrapOverride: istio-gateway-bootstrap-config
         proxy.istio.io/config: '{ "terminationDrainDuration": "20s" }'
+
+      # custom hardened bootstrap config
+      env:
+        ISTIO_BOOTSTRAP_OVERRIDE: /etc/istio/custom-bootstrap/custom_bootstrap.json
+      configVolumes:
+      - name: custom-bootstrap-volume
+        mountPath: /etc/istio/custom-bootstrap
+        configMapName: istio-gateway-bootstrap-config
+
       nodeSelector:
         node.kubernetes.io/ingress.private: "31080_31443"
         #nodeSelector: "31080_31443_31671_31672_31224"
@@ -143,18 +142,6 @@ istio-private-ingress:
         targetPort: 8443
         nodePort: 31443
         protocol: TCP
-      # multi-cluster
-      - name: tcp-istiod
-        port: 15012
-        targetPort: 15012
-        nodePort: 31012
-        protocol: TCP
-      # multi-cluster sni east-west
-      - name: tls
-        port: 15443
-        targetPort: 15443
-        nodePort: 31044
-        protocol: TCP
       #- name: fluentd-forward
       #  port: 24224
       #  nodePort: 31224
@@ -168,9 +155,13 @@ istio-private-ingress:
       #  port: 6379
       #  nodePort: 31379
 
+  certificates:
+  - name: private-ingress-cert
     dnsNames: []
     #- '*.example.com'
 
+  proxyProtocol: false
+
   meshConfig:
    defaultConfig:
      proxyMetadata:

charts/kubezero-istio/Chart.yaml

@@ -2,8 +2,8 @@ apiVersion: v2
 name: kubezero-istio
 description: KubeZero Umbrella Chart for Istio
 type: application
-version: 0.5.6
+version: 0.6.0
-appVersion: 1.9.3
+appVersion: 1.10.2
 home: https://kubezero.com
 icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
 keywords:
@@ -16,7 +16,7 @@ dependencies:
     version: ">= 0.1.3"
     repository: https://zero-down-time.github.io/kubezero/
   - name: base
-    version: 1.9.3
+    version: 1.10.2
   - name: istio-discovery
-    version: 1.9.3
+    version: 1.10.2
 kubeVersion: ">= 1.18.0"

charts/kubezero-istio/README.md

@@ -1,6 +1,6 @@
 # kubezero-istio
 
-![Version: 0.5.6](https://img.shields.io/badge/Version-0.5.6-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.9.3](https://img.shields.io/badge/AppVersion-1.9.3-informational?style=flat-square)
+![Version: 0.6.0](https://img.shields.io/badge/Version-0.6.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.10.2](https://img.shields.io/badge/AppVersion-1.10.2-informational?style=flat-square)
 
 KubeZero Umbrella Chart for Istio
 
@@ -20,8 +20,8 @@ Kubernetes: `>= 1.18.0`
 
 | Repository | Name | Version |
 |------------|------|---------|
-|  | base | 1.9.3 |
+|  | base | 1.10.2 |
-|  | istio-discovery | 1.9.3 |
+|  | istio-discovery | 1.10.2 |
 | https://zero-down-time.github.io/kubezero/ | kubezero-lib | >= 0.1.3 |
 
 ## Values
@@ -29,7 +29,6 @@ Kubernetes: `>= 1.18.0`
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 | global.defaultPodDisruptionBudget.enabled | bool | `false` |  |
-| global.jwtPolicy | string | `"first-party-jwt"` |  |
 | global.logAsJson | bool | `true` |  |
 | global.priorityClassName | string | `"system-cluster-critical"` |  |
 | istio-discovery.meshConfig.accessLogEncoding | string | `"JSON"` |  |

charts/kubezero-istio/charts/base/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v1
 name: base
-version: 1.9.3
+version: 1.10.2
 tillerVersion: ">=2.7.2"
 description: Helm chart for deploying Istio cluster resources and CRDs
 keywords:

charts/kubezero-istio/charts/base/crds/crd-operator.yaml

@@ -1,66 +1,48 @@
 # SYNC WITH manifests/charts/istio-operator/templates
-apiVersion: apiextensions.k8s.io/v1beta1
+apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   name: istiooperators.install.istio.io
   labels:
     release: istio
 spec:
-  additionalPrinterColumns:
+  conversion:
-  - JSONPath: .spec.revision
+    strategy: None
-    description: Istio control plane revision
-    name: Revision
-    type: string
-  - JSONPath: .status.status
-    description: IOP current state
-    type: string
-    name: Status
-  - JSONPath: .metadata.creationTimestamp
-    description: 'CreationTimestamp is a timestamp representing the server time when
-      this object was created. It is not guaranteed to be set in happens-before order
-      across separate operations. Clients may not set this value. It is represented
-      in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
-      lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
-    name: Age
-    type: date
   group: install.istio.io
   names:
     kind: IstioOperator
+    listKind: IstioOperatorList
     plural: istiooperators
     singular: istiooperator
     shortNames:
     - iop
     - io
   scope: Namespaced
+  versions:
+  - additionalPrinterColumns:
+    - description: Istio control plane revision
+      jsonPath: .spec.revision
+      name: Revision
+      type: string
+    - description: IOP current state
+      jsonPath: .status.status
+      name: Status
+      type: string
+    - description: 'CreationTimestamp is a timestamp representing the server time
+        when this object was created. It is not guaranteed to be set in happens-before
+        order across separate operations. Clients may not set this value. It is represented
+        in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
+        lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
+      jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
     subresources:
       status: {}
-  validation:
+    name: v1alpha1
+    schema:
       openAPIV3Schema:
-      properties:
-        apiVersion:
-          description: 'APIVersion defines the versioned schema of this representation
-            of an object. Servers should convert recognized schemas to the latest
-            internal value, and may reject unrecognized values.
-            More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#resources'
-          type: string
-        kind:
-          description: 'Kind is a string value representing the REST resource this
-            object represents. Servers may infer this from the endpoint the client
-            submits requests to. Cannot be updated. In CamelCase.
-            More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-          type: string
-        spec:
-          description: 'Specification of the desired state of the istio control plane resource.
-            More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status'
         type: object
-        status:
+        x-kubernetes-preserve-unknown-fields: true
-          description: 'Status describes each of istio control plane component status at the current time.
-            0 means NONE, 1 means UPDATING, 2 means HEALTHY, 3 means ERROR, 4 means RECONCILING.
-            More info: https://github.com/istio/api/blob/master/operator/v1alpha1/istio.operator.v1alpha1.pb.html &
-            https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status'
-          type: object
-  versions:
-  - name: v1alpha1
     served: true
     storage: true
 ---

charts/kubezero-istio/charts/base/templates/clusterrole.yaml

@@ -19,11 +19,11 @@ rules:
   # istio configuration
   # removing CRD permissions can break older versions of Istio running alongside this control plane (https://github.com/istio/istio/issues/29382)
   # please proceed with caution
-  - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io"]
+  - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io"]
     verbs: ["get", "watch", "list"]
     resources: ["*"]
 {{- if .Values.global.istiod.enableAnalysis }}
-  - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io"]
+  - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io"]
     verbs: ["update"]
     # TODO: should be on just */status but wildcard is not supported
     resources: ["*"]
@@ -97,12 +97,20 @@ rules:
   - apiGroups: ["networking.x-k8s.io"]
     resources: ["*"]
     verbs: ["get", "watch", "list"]
+  - apiGroups: ["networking.x-k8s.io"]
+    resources: ["*"] # TODO: should be on just */status but wildcard is not supported
+    verbs: ["update"]
 
   # Needed for multicluster secret reading, possibly ingress certs in the future
   - apiGroups: [""]
     resources: ["secrets"]
     verbs: ["get", "watch", "list"]
 
+  # Used for MCS serviceexport management
+  - apiGroups: ["multicluster.x-k8s.io"]
+    resources: ["serviceexports"]
+    verbs: ["get", "watch", "list", "create", "delete"]
+
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole

charts/kubezero-istio/charts/base/templates/validatingwebhookconfiguration.yaml

@@ -1,5 +1,5 @@
 {{- if .Values.global.configValidation }}
-apiVersion: admissionregistration.k8s.io/v1beta1
+apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
   name: istiod-{{ .Values.global.istioNamespace }}

charts/kubezero-istio/charts/istio-discovery/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v1
 name: istio-discovery
-version: 1.9.3
+version: 1.10.2
 tillerVersion: ">=2.7.2"
 description: Helm chart for istio control plane
 keywords:

charts/kubezero-istio/charts/istio-discovery/NOTES.txt

@@ -3,3 +3,7 @@ Minimal control plane for Istio. Pilot and mesh config are included.
 MCP and injector should optionally be installed in the same namespace. Alternatively remote
 address of an MCP server can be set.
 
+
+Thank you for installing Istio 1.10.  Please take a few minutes to tell us about your install/upgrade experience!
+    https://forms.gle/KjkrDnMPByq7akrYA"
+

charts/kubezero-istio/charts/istio-discovery/files/gateway-injection-template.yaml

@@ -8,6 +8,7 @@ metadata:
   annotations: {
     {{- if eq (len $containers) 1 }}
     kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}",
+    kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}",
     {{ end }}
   }
 spec:

charts/kubezero-istio/charts/istio-discovery/files/gen-istio.yaml

@@ -167,7 +167,6 @@ data:
             "address": ""
           }
         },
-        "trustDomain": "",
         "useMCP": false
       },
       "revision": "",
@@ -183,7 +182,7 @@ data:
         },
         "rewriteAppHTTPProbe": true,
         "templates": {},
-        "useLegacySelectors": true
+        "useLegacySelectors": false
       }
     }
 
@@ -215,6 +214,7 @@ data:
           annotations: {
             {{- if eq (len $containers) 1 }}
             kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}",
+            kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}",
             {{ end }}
         {{- if .Values.istio_cni.enabled }}
             {{- if not .Values.istio_cni.chained }}
@@ -286,7 +286,7 @@ data:
             - "--run-validation"
             - "--skip-rule-apply"
             {{ end -}}
-            imagePullPolicy: "{{ valueOrDefault .Values.global.imagePullPolicy `Always` }}"
+            {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
           {{- if .ProxyConfig.ProxyMetadata }}
             env:
             {{- range $key, $value := .ProxyConfig.ProxyMetadata }}
@@ -355,7 +355,7 @@ data:
           {{- else }}
             image: "{{ .Values.global.hub }}/{{ .Values.global.proxy_init.image }}:{{ .Values.global.tag }}"
           {{- end }}
-            imagePullPolicy: "{{ valueOrDefault .Values.global.imagePullPolicy `Always` }}"
+            {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
             resources: {}
             securityContext:
               allowPrivilegeEscalation: true
@@ -417,6 +417,10 @@ data:
                   - wait
           {{- end }}
             env:
+            {{- if eq (env "PILOT_ENABLE_INBOUND_PASSTHROUGH" "true") "false" }}
+            - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION
+              value: "true"
+            {{- end }}
             - name: JWT_POLICY
               value: {{ .Values.global.jwtPolicy }}
             - name: PILOT_CERT_PROVIDER
@@ -519,7 +523,7 @@ data:
             - name: {{ $key }}
               value: "{{ $value }}"
             {{- end }}
-            imagePullPolicy: "{{ valueOrDefault .Values.global.imagePullPolicy `Always` }}"
+            {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
             {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }}
             readinessProbe:
               httpGet:
@@ -706,6 +710,7 @@ data:
           annotations: {
             {{- if eq (len $containers) 1 }}
             kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}",
+            kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}",
             {{ end }}
           }
         spec:
@@ -1063,8 +1068,6 @@ spec:
             value: "false"
           - name: CLUSTER_ID
             value: "Kubernetes"
-          - name: EXTERNAL_ISTIOD
-            value: "false"
           resources:
             requests:
               cpu: 500m
@@ -1077,8 +1080,6 @@ spec:
               drop:
               - ALL
           volumeMounts:
-          - name: config-volume
-            mountPath: /etc/istio/config
           - name: istio-token
             mountPath: /var/run/secrets/tokens
             readOnly: true
@@ -1090,9 +1091,6 @@ spec:
           - name: istio-kubeconfig
             mountPath: /var/run/secrets/remote
             readOnly: true
-          - name: inject
-            mountPath: /var/lib/istio/inject
-            readOnly: true
       volumes:
       # Technically not needed on this pod - but it helps debugging/testing SDS
       # Should be removed after everything works.
@@ -1115,13 +1113,6 @@ spec:
         secret:
           secretName: istio-kubeconfig
           optional: true
-      # Optional - image should have
-      - name: inject
-        configMap:
-          name: istio-sidecar-injector
-      - name: config-volume
-        configMap:
-          name: istio
 ---
 # Source: istio-discovery/templates/autoscale.yaml
 apiVersion: autoscaling/v2beta1
@@ -1148,12 +1139,17 @@ spec:
       name: cpu
       targetAverageUtilization: 80
 ---
-# Source: istio-discovery/templates/telemetryv2_1.8.yaml
+# Source: istio-discovery/templates/revision-tags.yaml
+# Adapted from istio-discovery/templates/mutatingwebhook.yaml
+# Removed paths for legacy and default selectors since a revision tag
+# is inherently created from a specific revision
+---
+# Source: istio-discovery/templates/telemetryv2_1.10.yaml
 # Note: metadata exchange filter is wasm enabled only in sidecars.
 apiVersion: networking.istio.io/v1alpha3
 kind: EnvoyFilter
 metadata:
-  name: metadata-exchange-1.8
+  name: metadata-exchange-1.10
   namespace: istio-system
   labels:
     istio.io/rev: default
@@ -1165,7 +1161,7 @@ spec:
       match:
         context: SIDECAR_INBOUND
         proxy:
-          proxyVersion: '^1\.8.*'
+          proxyVersion: '^1\.10.*'
         listener:
           filterChain:
             filter:
@@ -1192,7 +1188,7 @@ spec:
       match:
         context: SIDECAR_OUTBOUND
         proxy:
-          proxyVersion: '^1\.8.*'
+          proxyVersion: '^1\.10.*'
         listener:
           filterChain:
             filter:
@@ -1219,7 +1215,7 @@ spec:
       match:
         context: GATEWAY
         proxy:
-          proxyVersion: '^1\.8.*'
+          proxyVersion: '^1\.10.*'
         listener:
           filterChain:
             filter:
@@ -1243,11 +1239,11 @@ spec:
                     local:
                       inline_string: envoy.wasm.metadata_exchange
 ---
-# Source: istio-discovery/templates/telemetryv2_1.8.yaml
+# Source: istio-discovery/templates/telemetryv2_1.10.yaml
 apiVersion: networking.istio.io/v1alpha3
 kind: EnvoyFilter
 metadata:
-  name: tcp-metadata-exchange-1.8
+  name: tcp-metadata-exchange-1.10
   namespace: istio-system
   labels:
     istio.io/rev: default
@@ -1257,7 +1253,7 @@ spec:
       match:
         context: SIDECAR_INBOUND
         proxy:
-          proxyVersion: '^1\.8.*'
+          proxyVersion: '^1\.10.*'
         listener: {}
       patch:
         operation: INSERT_BEFORE
@@ -1272,7 +1268,7 @@ spec:
       match:
         context: SIDECAR_OUTBOUND
         proxy:
-          proxyVersion: '^1\.8.*'
+          proxyVersion: '^1\.10.*'
         cluster: {}
       patch:
         operation: MERGE
@@ -1288,7 +1284,7 @@ spec:
       match:
         context: GATEWAY
         proxy:
-          proxyVersion: '^1\.8.*'
+          proxyVersion: '^1\.10.*'
         cluster: {}
       patch:
         operation: MERGE
@@ -1301,12 +1297,12 @@ spec:
               value:
                 protocol: istio-peer-exchange
 ---
-# Source: istio-discovery/templates/telemetryv2_1.8.yaml
+# Source: istio-discovery/templates/telemetryv2_1.10.yaml
 # Note: http stats filter is wasm enabled only in sidecars.
 apiVersion: networking.istio.io/v1alpha3
 kind: EnvoyFilter
 metadata:
-  name: stats-filter-1.8
+  name: stats-filter-1.10
   namespace: istio-system
   labels:
     istio.io/rev: default
@@ -1316,7 +1312,7 @@ spec:
       match:
         context: SIDECAR_OUTBOUND
         proxy:
-          proxyVersion: '^1\.8.*'
+          proxyVersion: '^1\.10.*'
         listener:
           filterChain:
             filter:
@@ -1337,6 +1333,8 @@ spec:
                   "@type": "type.googleapis.com/google.protobuf.StringValue"
                   value: |
                     {
+                      "debug": "false",
+                      "stat_prefix": "istio"
                     }
                 vm_config:
                   vm_id: stats_outbound
@@ -1348,7 +1346,7 @@ spec:
       match:
         context: SIDECAR_INBOUND
         proxy:
-          proxyVersion: '^1\.8.*'
+          proxyVersion: '^1\.10.*'
         listener:
           filterChain:
             filter:
@@ -1369,6 +1367,16 @@ spec:
                   "@type": "type.googleapis.com/google.protobuf.StringValue"
                   value: |
                     {
+                      "debug": "false",
+                      "stat_prefix": "istio",
+                      "metrics": [
+                        {
+                          "dimensions": {
+                            "destination_cluster": "node.metadata['CLUSTER_ID']",
+                            "source_cluster": "downstream_peer.cluster_id"
+                          }
+                        }
+                      ]
                     }
                 vm_config:
                   vm_id: stats_inbound
@@ -1380,7 +1388,7 @@ spec:
       match:
         context: GATEWAY
         proxy:
-          proxyVersion: '^1\.8.*'
+          proxyVersion: '^1\.10.*'
         listener:
           filterChain:
             filter:
@@ -1401,6 +1409,8 @@ spec:
                   "@type": "type.googleapis.com/google.protobuf.StringValue"
                   value: |
                     {
+                      "debug": "false",
+                      "stat_prefix": "istio",
                       "disable_host_header_fallback": true
                     }
                 vm_config:
@@ -1410,12 +1420,12 @@ spec:
                     local:
                       inline_string: envoy.wasm.stats
 ---
-# Source: istio-discovery/templates/telemetryv2_1.8.yaml
+# Source: istio-discovery/templates/telemetryv2_1.10.yaml
 # Note: tcp stats filter is wasm enabled only in sidecars.
 apiVersion: networking.istio.io/v1alpha3
 kind: EnvoyFilter
 metadata:
-  name: tcp-stats-filter-1.8
+  name: tcp-stats-filter-1.10
   namespace: istio-system
   labels:
     istio.io/rev: default
@@ -1425,7 +1435,7 @@ spec:
       match:
         context: SIDECAR_INBOUND
         proxy:
-          proxyVersion: '^1\.8.*'
+          proxyVersion: '^1\.10.*'
         listener:
           filterChain:
             filter:
@@ -1444,6 +1454,16 @@ spec:
                   "@type": "type.googleapis.com/google.protobuf.StringValue"
                   value: |
                     {
+                      "debug": "false",
+                      "stat_prefix": "istio",
+                      "metrics": [
+                        {
+                          "dimensions": {
+                            "destination_cluster": "node.metadata['CLUSTER_ID']",
+                            "source_cluster": "downstream_peer.cluster_id"
+                          }
+                        }
+                      ]
                     }
                 vm_config:
                   vm_id: tcp_stats_inbound
@@ -1455,7 +1475,7 @@ spec:
       match:
         context: SIDECAR_OUTBOUND
         proxy:
-          proxyVersion: '^1\.8.*'
+          proxyVersion: '^1\.10.*'
         listener:
           filterChain:
             filter:
@@ -1474,6 +1494,8 @@ spec:
                   "@type": "type.googleapis.com/google.protobuf.StringValue"
                   value: |
                     {
+                      "debug": "false",
+                      "stat_prefix": "istio"
                     }
                 vm_config:
                   vm_id: tcp_stats_outbound
@@ -1485,7 +1507,7 @@ spec:
       match:
         context: GATEWAY
         proxy:
-          proxyVersion: '^1\.8.*'
+          proxyVersion: '^1\.10.*'
         listener:
           filterChain:
             filter:
@@ -1504,6 +1526,8 @@ spec:
                   "@type": "type.googleapis.com/google.protobuf.StringValue"
                   value: |
                     {
+                      "debug": "false",
+                      "stat_prefix": "istio"
                     }
                 vm_config:
                   vm_id: tcp_stats_outbound
@@ -1937,7 +1961,7 @@ spec:
                       inline_string: "envoy.wasm.stats"
 ---
 # Source: istio-discovery/templates/mutatingwebhook.yaml
-apiVersion: admissionregistration.k8s.io/v1beta1
+apiVersion: admissionregistration.k8s.io/v1
 kind: MutatingWebhookConfiguration
 metadata:
   name: istio-sidecar-injector
@@ -1948,12 +1972,13 @@ metadata:
     app: sidecar-injector
     release: istio
 webhooks:
-- name: sidecar-injector.istio.io
+- name: rev.namespace.sidecar-injector.istio.io
   clientConfig:
     service:
       name: istiod
       namespace: istio-system
       path: "/inject"
+      port: 443
     caBundle: ""
   sideEffects: None
   rules:
@@ -1964,11 +1989,106 @@ webhooks:
   failurePolicy: Fail
   admissionReviewVersions: ["v1beta1", "v1"]
   namespaceSelector:
-    matchLabels:
+    matchExpressions:
-      istio-injection: enabled
+    - key: istio.io/rev
+      operator: In
+      values:
+      - "default"
+    - key: istio-injection
+      operator: DoesNotExist
   objectSelector:
     matchExpressions:
-    - key: "sidecar.istio.io/inject"
+    - key: sidecar.istio.io/inject
       operator: NotIn
       values:
       - "false"
+- name: rev.object.sidecar-injector.istio.io
+  clientConfig:
+    service:
+      name: istiod
+      namespace: istio-system
+      path: "/inject"
+      port: 443
+    caBundle: ""
+  sideEffects: None
+  rules:
+  - operations: [ "CREATE" ]
+    apiGroups: [""]
+    apiVersions: ["v1"]
+    resources: ["pods"]
+  failurePolicy: Fail
+  admissionReviewVersions: ["v1beta1", "v1"]
+  namespaceSelector:
+    matchExpressions:
+    - key: istio.io/rev
+      operator: DoesNotExist
+    - key: istio-injection
+      operator: DoesNotExist
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: NotIn
+      values:
+      - "false"
+    - key: istio.io/rev
+      operator: In
+      values:
+      - "default"
+- name: namespace.sidecar-injector.istio.io
+  clientConfig:
+    service:
+      name: istiod
+      namespace: istio-system
+      path: "/inject"
+      port: 443
+    caBundle: ""
+  sideEffects: None
+  rules:
+  - operations: [ "CREATE" ]
+    apiGroups: [""]
+    apiVersions: ["v1"]
+    resources: ["pods"]
+  failurePolicy: Fail
+  admissionReviewVersions: ["v1beta1", "v1"]
+  namespaceSelector:
+    matchExpressions:
+    - key: istio-injection
+      operator: In
+      values:
+      - enabled
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: NotIn
+      values:
+      - "false"
+- name: object.sidecar-injector.istio.io
+  clientConfig:
+    service:
+      name: istiod
+      namespace: istio-system
+      path: "/inject"
+      port: 443
+    caBundle: ""
+  sideEffects: None
+  rules:
+  - operations: [ "CREATE" ]
+    apiGroups: [""]
+    apiVersions: ["v1"]
+    resources: ["pods"]
+  failurePolicy: Fail
+  admissionReviewVersions: ["v1beta1", "v1"]
+  namespaceSelector:
+    matchExpressions:
+    - key: istio-injection
+      operator: DoesNotExist
+    - key: istio.io/rev
+      operator: DoesNotExist
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: In
+      values:
+      - "true"
+    - key: istio.io/rev
+      operator: DoesNotExist

charts/kubezero-istio/charts/istio-discovery/files/injection-template.yaml

@@ -9,6 +9,7 @@ metadata:
   annotations: {
     {{- if eq (len $containers) 1 }}
     kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}",
+    kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}",
     {{ end }}
 {{- if .Values.istio_cni.enabled }}
     {{- if not .Values.istio_cni.chained }}
@@ -80,7 +81,7 @@ spec:
     - "--run-validation"
     - "--skip-rule-apply"
     {{ end -}}
-    imagePullPolicy: "{{ valueOrDefault .Values.global.imagePullPolicy `Always` }}"
+    {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
   {{- if .ProxyConfig.ProxyMetadata }}
     env:
     {{- range $key, $value := .ProxyConfig.ProxyMetadata }}
@@ -149,7 +150,7 @@ spec:
   {{- else }}
     image: "{{ .Values.global.hub }}/{{ .Values.global.proxy_init.image }}:{{ .Values.global.tag }}"
   {{- end }}
-    imagePullPolicy: "{{ valueOrDefault .Values.global.imagePullPolicy `Always` }}"
+    {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
     resources: {}
     securityContext:
       allowPrivilegeEscalation: true
@@ -211,6 +212,10 @@ spec:
           - wait
   {{- end }}
     env:
+    {{- if eq (env "PILOT_ENABLE_INBOUND_PASSTHROUGH" "true") "false" }}
+    - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION
+      value: "true"
+    {{- end }}
     - name: JWT_POLICY
       value: {{ .Values.global.jwtPolicy }}
     - name: PILOT_CERT_PROVIDER
@@ -313,7 +318,7 @@ spec:
     - name: {{ $key }}
       value: "{{ $value }}"
     {{- end }}
-    imagePullPolicy: "{{ valueOrDefault .Values.global.imagePullPolicy `Always` }}"
+    {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
     {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }}
     readinessProbe:
       httpGet:

charts/kubezero-istio/charts/istio-discovery/templates/configmap.yaml

@@ -1,8 +1,7 @@
-
 {{- define "mesh" }}
     # The trust domain corresponds to the trust root of a system.
     # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain
-    trustDomain: {{ .Values.global.trustDomain | default "cluster.local" | quote }}
+    trustDomain: "cluster.local"
 
     # The namespace to treat as the administrative root namespace for Istio configuration.
     # When processing a leaf namespace Istio will search for declarations in that namespace first
@@ -13,8 +12,6 @@
     defaultConfig:
       {{- if .Values.global.meshID }}
       meshId: {{ .Values.global.meshID }}
-      {{- else if .Values.global.trustDomain }}
-      meshId: {{ .Values.global.trustDomain }}
       {{- end }}
       tracing:
       {{- if eq .Values.global.proxy.tracer "lightstep" }}
@@ -50,8 +47,8 @@
           maxNumberOfMessageEvents: {{ $.Values.global.tracer.stackdriver.maxNumberOfMessageEvents | default "200" }}
         {{- end }}
       {{- else if eq .Values.global.proxy.tracer "openCensusAgent" }}
-      {{- /* Fill in openCensusAgent configuration from meshConfig so it isn't overwritten below */ -}}
+      {{/* Fill in openCensusAgent configuration from meshConfig so it isn't overwritten below */}}
-        {{ toYaml $.Values.meshConfig.defaultConfig.tracing }}
+{{ toYaml $.Values.meshConfig.defaultConfig.tracing | indent 8 }}
       {{- end }}
       {{- if .Values.global.remotePilotAddress }}
       {{- if .Values.pilot.enabled }}

charts/kubezero-istio/charts/istio-discovery/templates/deployment.yaml

@@ -39,10 +39,10 @@ spec:
         install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
         sidecar.istio.io/inject: "false"
         operator.istio.io/component: "Pilot"
-        {{- if eq .Values.revision ""}}
+        {{- if ne .Values.revision "" }}
-        istio: pilot
-        {{- else }}
         istio: istiod
+        {{- else }}
+        istio: pilot
         {{- end }}
       annotations:
         {{- if .Values.meshConfig.enablePrometheusMerge }}
@@ -153,8 +153,6 @@ spec:
             value: "{{ .Values.global.istiod.enableAnalysis }}"
           - name: CLUSTER_ID
             value: "{{ $.Values.global.multiCluster.clusterName | default `Kubernetes` }}"
-          - name: EXTERNAL_ISTIOD
-            value: "{{ $.Values.global.externalIstiod | default "false" }}"
 {{- if not .Values.telemetry.v2.enabled }}
           - name: PILOT_ENDPOINT_TELEMETRY_LABEL
             value: "false"
@@ -173,8 +171,6 @@ spec:
               drop:
               - ALL
           volumeMounts:
-          - name: config-volume
-            mountPath: /etc/istio/config
           {{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
           - name: istio-token
             mountPath: /var/run/secrets/tokens
@@ -188,9 +184,6 @@ spec:
           - name: istio-kubeconfig
             mountPath: /var/run/secrets/remote
             readOnly: true
-          - name: inject
-            mountPath: /var/lib/istio/inject
-            readOnly: true
           {{- if .Values.pilot.jwksResolverExtraRootCA }}
           - name: extracacerts
             mountPath: /cacerts
@@ -219,13 +212,6 @@ spec:
         secret:
           secretName: istio-kubeconfig
           optional: true
-      # Optional - image should have
-      - name: inject
-        configMap:
-          name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
-      - name: config-volume
-        configMap:
-          name: istio{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
   {{- if .Values.pilot.jwksResolverExtraRootCA }}
       - name: extracacerts
         configMap:

charts/kubezero-istio/charts/istio-discovery/templates/mutatingwebhook.yaml

@@ -11,6 +11,7 @@ a unique prefix to each. */}}
       name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
       namespace: {{ .Release.Namespace }}
       path: "/inject"
+      port: 443
     {{- end }}
     caBundle: ""
   sideEffects: None
@@ -24,7 +25,7 @@ a unique prefix to each. */}}
 {{- end }}
 {{- /* Installed for each revision - not installed for cluster resources ( cluster roles, bindings, crds) */}}
 {{- if not .Values.global.operatorManageWebhooks }}
-apiVersion: admissionregistration.k8s.io/v1beta1
+apiVersion: admissionregistration.k8s.io/v1
 kind: MutatingWebhookConfiguration
 metadata:
 {{- if eq .Release.Namespace "istio-system"}}
@@ -41,7 +42,7 @@ metadata:
 webhooks:
 {{- if .Values.sidecarInjectorWebhook.useLegacySelectors}}
 {{- /* Setup the "legacy" selectors. These are for backwards compatibility, will be removed in the future. */}}
-{{- include "core" (mergeOverwrite (deepCopy .) (dict "Prefix" "")) }}
+{{- include "core" . }}
   namespaceSelector:
   {{- if .Values.sidecarInjectorWebhook.enableNamespacesByDefault }}
     matchExpressions:
@@ -93,17 +94,20 @@ webhooks:
 {{- else }}
 
   {{- /* Set up the selectors. First section is for revision, rest is for "default" revision */}}
-{{- if .Values.revision }}
 
 {{- /* Case 1: namespace selector matches, and object doesn't disable */}}
 {{- /* Note: if both revision and legacy selector, we give precedence to the legacy one */}}
-{{- include "core" (mergeOverwrite (deepCopy .) (dict "Prefix" "namespace.") ) }}
+{{- include "core" (mergeOverwrite (deepCopy .) (dict "Prefix" "rev.namespace.") ) }}
   namespaceSelector:
     matchExpressions:
     - key: istio.io/rev
       operator: In
       values:
+      {{- if (eq .Values.revision "") }}
+      - "default"
+      {{- else }}
       - "{{ .Values.revision }}"
+      {{- end }}
     - key: istio-injection
       operator: DoesNotExist
   objectSelector:
@@ -114,7 +118,7 @@ webhooks:
       - "false"
 
 {{- /* Case 2: No namespace selector, but object selects our revision (and doesn't disable) */}}
-{{- include "core" (mergeOverwrite (deepCopy .) (dict "Prefix" "object.") ) }}
+{{- include "core" (mergeOverwrite (deepCopy .) (dict "Prefix" "rev.object.") ) }}
   namespaceSelector:
     matchExpressions:
     - key: istio.io/rev
@@ -130,10 +134,15 @@ webhooks:
     - key: istio.io/rev
       operator: In
       values:
-      - "{{ .Values.revision }}"
+      {{- if (eq .Values.revision "") }}
-
+      - "default"
       {{- else }}
-{{- /* "default" revision */}}
+      - "{{ .Values.revision }}"
+      {{- end }}
+
+
+{{- /* Webhooks for default revision */}}
+{{- if (eq .Values.revision "") }}
 
 {{- /* Case 1: Namespace selector enabled, and object selector is not injected */}}
 {{- include "core" (mergeOverwrite (deepCopy .) (dict "Prefix" "namespace.") ) }}

charts/kubezero-istio/charts/istio-discovery/templates/revision-tags.yaml

@@ -0,0 +1,113 @@
+# Adapted from istio-discovery/templates/mutatingwebhook.yaml
+# Removed paths for legacy and default selectors since a revision tag
+# is inherently created from a specific revision
+{{- define "core" }}
+- name: {{.Prefix}}sidecar-injector.istio.io
+  clientConfig:
+    {{- if .Values.istiodRemote.injectionURL }}
+    url: {{ .Values.istiodRemote.injectionURL }}
+    {{- else }}
+    service:
+      name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+      namespace: {{ .Release.Namespace }}
+      path: "/inject"
+    {{- end }}
+    caBundle: ""
+  sideEffects: None
+  rules:
+    - operations: [ "CREATE" ]
+      apiGroups: [""]
+      apiVersions: ["v1"]
+      resources: ["pods"]
+  failurePolicy: Fail
+  admissionReviewVersions: ["v1beta1", "v1"]
+{{- end }}
+
+{{- range $tagName := $.Values.revisionTags }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+{{- if eq $.Release.Namespace "istio-system"}}
+  name: istio-revision-tag-{{ $tagName }}
+{{- else }}
+  name: istio-revision-tag-{{ $tagName }}-{{ $.Release.Namespace }}
+{{- end }}
+  labels:
+    istio.io/tag: {{ $tagName }}
+    istio.io/rev: {{ $.Values.revision | default "default" }}
+    install.operator.istio.io/owning-resource: {{ $.Values.ownerName | default "unknown" }}
+    operator.istio.io/component: "Pilot"
+    app: sidecar-injector
+    release: {{ $.Release.Name }}
+webhooks:
+{{- include "core" (mergeOverwrite (deepCopy $) (dict "Prefix" "rev.namespace.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio.io/rev
+      operator: In
+      values:
+      - "{{ $tagName }}"
+    - key: istio-injection
+      operator: DoesNotExist
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: NotIn
+      values:
+      - "false"
+{{- include "core" (mergeOverwrite (deepCopy $) (dict "Prefix" "rev.object.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio.io/rev
+      operator: DoesNotExist
+    - key: istio-injection
+      operator: DoesNotExist
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: NotIn
+      values:
+      - "false"
+    - key: istio.io/rev
+      operator: In
+      values:
+      - "{{ $tagName }}"
+
+{{- /* When the tag is "default" we want to create webhooks for the default revision */}}
+{{- /* These webhooks should be kept in sync with istio-discovery/templates/mutatingwebhook.yaml */}}
+{{- if (eq $tagName "default") }}
+
+{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}}
+{{- include "core" (mergeOverwrite (deepCopy $) (dict "Prefix" "namespace.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio-injection
+      operator: In
+      values:
+      - enabled
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: NotIn
+      values:
+      - "false"
+
+{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}}
+{{- include "core" (mergeOverwrite (deepCopy $) (dict "Prefix" "object.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio-injection
+      operator: DoesNotExist
+    - key: istio.io/rev
+      operator: DoesNotExist
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: In
+      values:
+      - "true"
+    - key: istio.io/rev
+      operator: DoesNotExist
+
+{{- end }}
+{{- end }}

charts/kubezero-istio/charts/istio-discovery/templates/telemetryv2_1.10.yaml

@@ -3,7 +3,7 @@
 apiVersion: networking.istio.io/v1alpha3
 kind: EnvoyFilter
 metadata:
-  name: metadata-exchange-1.9{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  name: metadata-exchange-1.10{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
   {{- if .Values.meshConfig.rootNamespace }}
   namespace: {{ .Values.meshConfig.rootNamespace }}
   {{- else }}
@@ -19,7 +19,7 @@ spec:
       match:
         context: SIDECAR_INBOUND
         proxy:
-          proxyVersion: '^1\.9.*'
+          proxyVersion: '^1\.10.*'
         listener:
           filterChain:
             filter:
@@ -54,7 +54,7 @@ spec:
       match:
         context: SIDECAR_OUTBOUND
         proxy:
-          proxyVersion: '^1\.9.*'
+          proxyVersion: '^1\.10.*'
         listener:
           filterChain:
             filter:
@@ -89,7 +89,7 @@ spec:
       match:
         context: GATEWAY
         proxy:
-          proxyVersion: '^1\.9.*'
+          proxyVersion: '^1\.10.*'
         listener:
           filterChain:
             filter:
@@ -124,7 +124,7 @@ spec:
 apiVersion: networking.istio.io/v1alpha3
 kind: EnvoyFilter
 metadata:
-  name: tcp-metadata-exchange-1.9{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  name: tcp-metadata-exchange-1.10{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
   {{- if .Values.meshConfig.rootNamespace }}
   namespace: {{ .Values.meshConfig.rootNamespace }}
   {{- else }}
@@ -138,7 +138,7 @@ spec:
       match:
         context: SIDECAR_INBOUND
         proxy:
-          proxyVersion: '^1\.9.*'
+          proxyVersion: '^1\.10.*'
         listener: {}
       patch:
         operation: INSERT_BEFORE
@@ -153,7 +153,7 @@ spec:
       match:
         context: SIDECAR_OUTBOUND
         proxy:
-          proxyVersion: '^1\.9.*'
+          proxyVersion: '^1\.10.*'
         cluster: {}
       patch:
         operation: MERGE
@@ -169,7 +169,7 @@ spec:
       match:
         context: GATEWAY
         proxy:
-          proxyVersion: '^1\.9.*'
+          proxyVersion: '^1\.10.*'
         cluster: {}
       patch:
         operation: MERGE
@@ -187,7 +187,7 @@ spec:
 apiVersion: networking.istio.io/v1alpha3
 kind: EnvoyFilter
 metadata:
-  name: stats-filter-1.9{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  name: stats-filter-1.10{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
   {{- if .Values.meshConfig.rootNamespace }}
   namespace: {{ .Values.meshConfig.rootNamespace }}
   {{- else }}
@@ -201,7 +201,7 @@ spec:
       match:
         context: SIDECAR_OUTBOUND
         proxy:
-          proxyVersion: '^1\.9.*'
+          proxyVersion: '^1\.10.*'
         listener:
           filterChain:
             filter:
@@ -224,15 +224,7 @@ spec:
                     {{- if not .Values.telemetry.v2.prometheus.configOverride.outboundSidecar }}
                     {
                       "debug": "false",
-                      "stat_prefix": "istio",
+                      "stat_prefix": "istio"
-                      "metrics": [
-                        {
-                          "dimensions": {
-                            "source_cluster": "node.metadata['CLUSTER_ID']",
-                            "destination_cluster": "upstream_peer.cluster_id"
-                          }
-                        }
-                      ]
                     }
                     {{- else }}
                     {{ toJson .Values.telemetry.v2.prometheus.configOverride.outboundSidecar | indent 18 }}
@@ -255,7 +247,7 @@ spec:
       match:
         context: SIDECAR_INBOUND
         proxy:
-          proxyVersion: '^1\.9.*'
+          proxyVersion: '^1\.10.*'
         listener:
           filterChain:
             filter:
@@ -309,7 +301,7 @@ spec:
       match:
         context: GATEWAY
         proxy:
-          proxyVersion: '^1\.9.*'
+          proxyVersion: '^1\.10.*'
         listener:
           filterChain:
             filter:
@@ -333,15 +325,7 @@ spec:
                     {
                       "debug": "false",
                       "stat_prefix": "istio",
-                      "disable_host_header_fallback": true,
+                      "disable_host_header_fallback": true
-                      "metrics": [
-                        {
-                          "dimensions": {
-                            "source_cluster": "node.metadata['CLUSTER_ID']",
-                            "destination_cluster": "upstream_peer.cluster_id"
-                          }
-                        }
-                      ]
                     }
                     {{- else }}
                     {{ toJson .Values.telemetry.v2.prometheus.configOverride.gateway | indent 18 }}
@@ -365,7 +349,7 @@ spec:
 apiVersion: networking.istio.io/v1alpha3
 kind: EnvoyFilter
 metadata:
-  name: tcp-stats-filter-1.9{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  name: tcp-stats-filter-1.10{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
   {{- if .Values.meshConfig.rootNamespace }}
   namespace: {{ .Values.meshConfig.rootNamespace }}
   {{- else }}
@@ -379,7 +363,7 @@ spec:
       match:
         context: SIDECAR_INBOUND
         proxy:
-          proxyVersion: '^1\.9.*'
+          proxyVersion: '^1\.10.*'
         listener:
           filterChain:
             filter:
@@ -431,7 +415,7 @@ spec:
       match:
         context: SIDECAR_OUTBOUND
         proxy:
-          proxyVersion: '^1\.9.*'
+          proxyVersion: '^1\.10.*'
         listener:
           filterChain:
             filter:
@@ -452,15 +436,7 @@ spec:
                     {{- if not .Values.telemetry.v2.prometheus.configOverride.outboundSidecar }}
                     {
                       "debug": "false",
-                      "stat_prefix": "istio",
+                      "stat_prefix": "istio"
-                      "metrics": [
-                        {
-                          "dimensions": {
-                            "source_cluster": "node.metadata['CLUSTER_ID']",
-                            "destination_cluster": "upstream_peer.cluster_id"
-                          }
-                        }
-                      ]
                     }
                     {{- else }}
                     {{ toJson .Values.telemetry.v2.prometheus.configOverride.outboundSidecar | indent 18 }}
@@ -483,7 +459,7 @@ spec:
       match:
         context: GATEWAY
         proxy:
-          proxyVersion: '^1\.9.*'
+          proxyVersion: '^1\.10.*'
         listener:
           filterChain:
             filter:
@@ -504,15 +480,7 @@ spec:
                     {{- if not .Values.telemetry.v2.prometheus.configOverride.gateway }}
                     {
                       "debug": "false",
-                      "stat_prefix": "istio",
+                      "stat_prefix": "istio"
-                      "metrics": [
-                        {
-                          "dimensions": {
-                            "source_cluster": "node.metadata['CLUSTER_ID']",
-                            "destination_cluster": "upstream_peer.cluster_id"
-                          }
-                        }
-                      ]
                     }
                     {{- else }}
                     {{ toJson .Values.telemetry.v2.prometheus.configOverride.gateway | indent 18 }}
@@ -537,7 +505,7 @@ spec:
 apiVersion: networking.istio.io/v1alpha3
 kind: EnvoyFilter
 metadata:
-  name: stackdriver-filter-1.9{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  name: stackdriver-filter-1.10{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
   {{- if .Values.meshConfig.rootNamespace }}
   namespace: {{ .Values.meshConfig.rootNamespace }}
   {{- else }}
@@ -552,7 +520,7 @@ spec:
       match:
         context: SIDECAR_OUTBOUND
         proxy:
-          proxyVersion: '^1\.9.*'
+          proxyVersion: '^1\.10.*'
         listener:
           filterChain:
             filter:
@@ -573,7 +541,7 @@ spec:
                   "@type": "type.googleapis.com/google.protobuf.StringValue"
                   value: |
                     {{- if not .Values.telemetry.v2.stackdriver.configOverride }}
-                    {"enable_mesh_edges_reporting": {{ .Values.telemetry.v2.stackdriver.topology }}, "access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}", "meshEdgesReportingDuration": "600s"}
+                    {"access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}"}
                     {{- else }}
                     {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }}
                     {{- end }}
@@ -587,7 +555,7 @@ spec:
       match:
         context: SIDECAR_INBOUND
         proxy:
-          proxyVersion: '^1\.9.*'
+          proxyVersion: '^1\.10.*'
         listener:
           filterChain:
             filter:
@@ -608,7 +576,7 @@ spec:
                   "@type": "type.googleapis.com/google.protobuf.StringValue"
                   value: |
                     {{- if not .Values.telemetry.v2.stackdriver.configOverride }}
-                    {"enable_mesh_edges_reporting": {{ .Values.telemetry.v2.stackdriver.topology }}, "disable_server_access_logging": {{ not .Values.telemetry.v2.stackdriver.logging }}, "access_logging": "{{ .Values.telemetry.v2.stackdriver.inboundAccessLogging }}", "meshEdgesReportingDuration": "600s", "disable_host_header_fallback": true}
+                    {"disable_server_access_logging": {{ not .Values.telemetry.v2.stackdriver.logging }}, "access_logging": "{{ .Values.telemetry.v2.stackdriver.inboundAccessLogging }}", "disable_host_header_fallback": true}
                     {{- else }}
                     {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }}
                     {{- end }}
@@ -621,7 +589,7 @@ spec:
       match:
         context: GATEWAY
         proxy:
-          proxyVersion: '^1\.9.*'
+          proxyVersion: '^1\.10.*'
         listener:
           filterChain:
             filter:
@@ -642,7 +610,7 @@ spec:
                   "@type": "type.googleapis.com/google.protobuf.StringValue"
                   value: |
                     {{- if not .Values.telemetry.v2.stackdriver.configOverride }}
-                    {"enable_mesh_edges_reporting": {{ .Values.telemetry.v2.stackdriver.topology }}, "access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}", "meshEdgesReportingDuration": "600s", "disable_host_header_fallback": true}
+                    {"access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}", "disable_host_header_fallback": true}
                     {{- else }}
                     {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }}
                     {{- end }}
@@ -655,7 +623,7 @@ spec:
 apiVersion: networking.istio.io/v1alpha3
 kind: EnvoyFilter
 metadata:
-  name: tcp-stackdriver-filter-1.9{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  name: tcp-stackdriver-filter-1.10{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
   {{- if .Values.meshConfig.rootNamespace }}
   namespace: {{ .Values.meshConfig.rootNamespace }}
   {{- else }}
@@ -670,7 +638,7 @@ spec:
     match:
       context: SIDECAR_OUTBOUND
       proxy:
-        proxyVersion: '^1\.9.*'
+        proxyVersion: '^1\.10.*'
       listener:
         filterChain:
           filter:
@@ -703,7 +671,7 @@ spec:
     match:
       context: SIDECAR_INBOUND
       proxy:
-        proxyVersion: '^1\.9.*'
+        proxyVersion: '^1\.10.*'
       listener:
         filterChain:
           filter:
@@ -735,7 +703,7 @@ spec:
     match:
       context: GATEWAY
       proxy:
-        proxyVersion: '^1\.9.*'
+        proxyVersion: '^1\.10.*'
       listener:
         filterChain:
           filter:
@@ -768,7 +736,7 @@ spec:
 apiVersion: networking.istio.io/v1alpha3
 kind: EnvoyFilter
 metadata:
-  name: stackdriver-sampling-accesslog-filter-1.9{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  name: stackdriver-sampling-accesslog-filter-1.10{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
   {{- if .Values.meshConfig.rootNamespace }}
   namespace: {{ .Values.meshConfig.rootNamespace }}
   {{- else }}
@@ -782,7 +750,7 @@ spec:
       match:
         context: SIDECAR_INBOUND
         proxy:
-          proxyVersion: '1\.9.*'
+          proxyVersion: '1\.10.*'
         listener:
           filterChain:
             filter:

charts/kubezero-istio/charts/istio-discovery/values.yaml

@@ -68,7 +68,7 @@ sidecarInjectorWebhook:
   # If enabled, the legacy webhook selection logic will be used. This relies on filtering of webhook
   # requests in Istiod, rather than at the webhook selection level.
   # This is option is intended for migration purposes only and will be removed in Istio 1.10.
-  useLegacySelectors: true
+  useLegacySelectors: false
   # You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or
   # always skip the injection on pods that match that label selector, regardless of the global policy.
   # See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions
@@ -157,15 +157,13 @@ telemetry:
       enabled: false
       logging: false
       monitoring: false
-      topology: false
+      topology: false # deprecated. setting this to true will have no effect, as this option is no longer supported.
       disableOutbound: false
       #  configOverride parts give you the ability to override the low level configuration params passed to envoy filter.
 
       configOverride: {}
       #  e.g.
-      #  enable_mesh_edges_reporting: true
       #  disable_server_access_logging: false
-      #  meshEdgesReportingDuration: 500s
       #  disable_host_header_fallback: true
     # Access Log Policy Filter Settings. This enables filtering of access logs from stackdriver.
     accessLogPolicy:
@@ -176,6 +174,9 @@ telemetry:
 # Revision is set as 'version' label and part of the resource names when installing multiple control planes.
 revision: ""
 
+# Revision tags are aliases to Istio control plane revisions
+revisionTags: []
+
 # For Helm compatibility.
 ownerName: ""
 
@@ -197,6 +198,10 @@ meshConfig:
 
   rootNamespace:
 
+  # The trust domain corresponds to the trust root of a system
+  # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain
+  trustDomain: "cluster.local"
+
   # TODO: the intent is to eventually have this enabled by default when security is used.
   # It is not clear if user should normally need to configure - the metadata is typically
   # used as an escape and to control testing and rollout, but it is not intended as a long-term
@@ -232,7 +237,7 @@ global:
   # Dev builds from prow are on gcr.io
   hub: docker.io/istio
   # Default tag for Istio images.
-  tag: 1.9.3
+  tag: 1.10.2
 
   # Specify image pull policy if default behavior isn't desired.
   # Default behavior: latest images will be Always else IfNotPresent.
@@ -505,8 +510,6 @@ global:
   # Use the Mesh Control Protocol (MCP) for configuring Istiod. Requires an MCP source.
   useMCP: false
 
-  # Deprecated, use meshConfig.trustDomain
-  trustDomain: ""
 base:
   # For istioctl usage to disable istio config crds in base
   enableIstioConfigCRDs: true

charts/kubezero-istio/update.sh

@@ -4,14 +4,14 @@ set -ex
 ### TODO
 # - https://istio.io/latest/docs/ops/configuration/security/harden-docker-images/
 
-export ISTIO_VERSION=1.9.3
+export ISTIO_VERSION=1.10.2
 
 rm -rf istio
 curl -sL "https://github.com/istio/istio/releases/download/${ISTIO_VERSION}/istio-${ISTIO_VERSION}-linux-amd64.tar.gz" | tar xz
 mv istio-${ISTIO_VERSION} istio
 
 # remove unused old telemetry filters
-rm -f istio/manifests/charts/istio-control/istio-discovery/templates/telemetryv2_1.[678].yaml
+rm -f istio/manifests/charts/istio-control/istio-discovery/templates/telemetryv2_1.[6789].yaml
 
 # Patch
 patch -p0 -i zdt.patch --no-backup-if-mismatch

charts/kubezero-istio/values.yaml

@@ -1,9 +1,8 @@
 global:
   # hub: docker.io/istio
-  # tag: 1.9.3
+  # tag: 1.10.2
 
   logAsJson: true
-  jwtPolicy: first-party-jwt
 
   defaultPodDisruptionBudget:
     enabled: false