Version bump Istio to 1.7.1

charts/kubezero-istio/Chart.yaml

@@ -2,8 +2,8 @@ apiVersion: v2
 name: kubezero-istio
 description: KubeZero Umbrella Chart for Istio
 type: application
-version: 0.2.5
+version: 0.3.0
-appVersion: 1.6.9
+appVersion: 1.7.1
 home: https://kubezero.com
 icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
 keywords:
@@ -16,5 +16,5 @@ dependencies:
     version: ">= 0.1.3"
     repository: https://zero-down-time.github.io/kubezero/
   - name: istio-operator
-    version: ">= 1.6"
+    version: ">= 1.7"
 kubeVersion: ">= 1.16.0"

charts/kubezero-istio/README.md

@@ -5,7 +5,7 @@ KubeZero Umbrella Chart for Istio
 Installs Istio Operator and KubeZero Istio profile
 
 
-Current chart version is `0.2.4`
+Current chart version is `0.3.0`
 
 Source code can be found [here](https://kubezero.com)
 
@@ -13,7 +13,7 @@ Source code can be found [here](https://kubezero.com)
 
 | Repository | Name | Version |
 |------------|------|---------|
-|  | istio-operator | >= 1.6 |
+|  | istio-operator | >= 1.7 |
 | https://zero-down-time.github.io/kubezero/ | kubezero-lib | >= 0.1.3 |
 
 ## KubeZero default configuration
@@ -30,10 +30,12 @@ Source code can be found [here](https://kubezero.com)
 | ingress.replicaCount | int | `2` |  |
 | ingress.type | string | `"NodePort"` |  |
 | istio-operator.hub | string | `"docker.io/istio"` |  |
-| istio-operator.tag | string | `"1.6.7"` |  |
+| istio-operator.tag | string | `"1.7.1"` |  |
 | istiod.autoscaleEnabled | bool | `false` |  |
 | istiod.replicaCount | int | `1` |  |
 
 ## Resources
 
+- https://istio.io/latest/docs/reference/config/istio.operator.v1alpha1/#IstioOperatorSpec
+- https://github.com/istio/istio/blob/master/manifests/profiles/default.yaml
 - https://istio.io/latest/docs/setup/install/standalone-operator/

charts/kubezero-istio/charts/istio-operator/Chart.yaml

@@ -1,12 +1,12 @@
 apiVersion: v1
 name: istio-operator
-version: 1.6.0
+version: 1.7.0
 tillerVersion: ">=2.7.2"
 description: Helm chart for deploying Istio operator
 keywords:
   - istio
   - operator
 sources:
-  - http://github.com/istio/istio/operator
+  - https://github.com/istio/istio/tree/master/operator
 engine: gotpl
-icon: https://istio.io/favicons/android-192x192.png
+icon: https://istio.io/latest/favicons/android-192x192.png

charts/kubezero-istio/charts/istio-operator/crds/crd-operator.yaml

@@ -0,0 +1,74 @@
+# SYNC WITH manifests/charts/base/files
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: istiooperators.install.istio.io
+  labels:
+    release: istio
+spec:
+  group: install.istio.io
+  names:
+    kind: IstioOperator
+    plural: istiooperators
+    singular: istiooperator
+    shortNames:
+      - iop
+  scope: Namespaced
+  versions:
+    - additionalPrinterColumns:
+        - description: Istio control plane revision
+          jsonPath: .spec.revision
+          name: Revision
+          type: string
+        - description: IOP current state
+          jsonPath: .status.status
+          type: string
+          name: Status
+        - jsonPath: .metadata.creationTimestamp
+          description:
+            "CreationTimestamp is a timestamp representing the server time when
+            this object was created. It is not guaranteed to be set in happens-before order
+            across separate operations. Clients may not set this value. It is represented
+            in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
+            lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata"
+          name: Age
+          type: date
+      name: v1alpha1
+      schema:
+        openAPIV3Schema:
+          properties:
+            apiVersion:
+              description:
+                "APIVersion defines the versioned schema of this representation
+                of an object. Servers should convert recognized schemas to the latest
+                internal value, and may reject unrecognized values.
+                More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#resources"
+              type: string
+            kind:
+              description:
+                "Kind is a string value representing the REST resource this
+                object represents. Servers may infer this from the endpoint the client
+                submits requests to. Cannot be updated. In CamelCase.
+                More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#types-kinds"
+              type: string
+            spec:
+              description:
+                "Specification of the desired state of the istio control plane resource.
+                More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status"
+              x-kubernetes-preserve-unknown-fields: true
+              type: object
+            status:
+              description:
+                "Status describes each of istio control plane component status at the current time.
+                0 means NONE, 1 means UPDATING, 2 means HEALTHY, 3 means ERROR, 4 means RECONCILING.
+                More info: https://github.com/istio/api/blob/master/operator/v1alpha1/istio.operator.v1alpha1.pb.html &
+                https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status"
+              x-kubernetes-preserve-unknown-fields: true
+              type: object
+          type: object
+      served: true
+      storage: true
+      subresources:
+        status: {}
+---
+

charts/kubezero-istio/charts/istio-operator/templates/clusterrole.yaml

@@ -2,7 +2,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   creationTimestamp: null
-  name: istio-operator
+  name: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
 rules:
 # istio groups
 - apiGroups:
@@ -29,12 +29,6 @@ rules:
   - '*'
   verbs:
   - '*'
-- apiGroups:
-  - rbac.istio.io
-  resources:
-  - '*'
-  verbs:
-  - '*'
 - apiGroups:
   - security.istio.io
   resources:

charts/kubezero-istio/charts/istio-operator/templates/clusterrole_binding.yaml

@@ -1,13 +1,13 @@
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: istio-operator
+  name: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
 subjects:
 - kind: ServiceAccount
-  name: istio-operator
+  name: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
   namespace: {{.Values.operatorNamespace}}
 roleRef:
   kind: ClusterRole
-  name: istio-operator
+  name: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
   apiGroup: rbac.authorization.k8s.io
 ---

charts/kubezero-istio/charts/istio-operator/templates/crd-operator.yaml

@@ -1,46 +0,0 @@
-# SYNC WITH manifests/charts/base/files
-apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
-metadata:
-  name: istiooperators.install.istio.io
-spec:
-  group: install.istio.io
-  names:
-    kind: IstioOperator
-    plural: istiooperators
-    singular: istiooperator
-    shortNames:
-    - iop
-  scope: Namespaced
-  subresources:
-    status: {}
-  validation:
-    openAPIV3Schema:
-      properties:
-        apiVersion:
-          description: 'APIVersion defines the versioned schema of this representation
-            of an object. Servers should convert recognized schemas to the latest
-            internal value, and may reject unrecognized values.
-            More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#resources'
-          type: string
-        kind:
-          description: 'Kind is a string value representing the REST resource this
-            object represents. Servers may infer this from the endpoint the client
-            submits requests to. Cannot be updated. In CamelCase.
-            More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-          type: string
-        spec:
-          description: 'Specification of the desired state of the istio control plane resource.
-            More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status'
-          type: object
-        status:
-          description: 'Status describes each of istio control plane component status at the current time.
-            0 means NONE, 1 means UPDATING, 2 means HEALTHY, 3 means ERROR, 4 means RECONCILING.
-            More info: https://github.com/istio/api/blob/master/operator/v1alpha1/istio.operator.v1alpha1.pb.html &
-            https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status'
-          type: object
-  versions:
-  - name: v1alpha1
-    served: true
-    storage: true
----

charts/kubezero-istio/charts/istio-operator/templates/crds.yaml

@@ -0,0 +1,6 @@
+{{- if .Values.enableCRDTemplates -}}
+{{- range $path, $bytes := .Files.Glob "crds/*.yaml" -}}
+---
+{{ $.Files.Get $path }}
+{{- end -}}
+{{- end -}}

charts/kubezero-istio/charts/istio-operator/templates/deployment.yaml

@@ -2,7 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   namespace: {{.Values.operatorNamespace}}
-  name: istio-operator
+  name: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
 spec:
   replicas: 1
   selector:
@@ -13,7 +13,7 @@ spec:
       labels:
         name: istio-operator
     spec:
-      serviceAccountName: istio-operator
+      serviceAccountName: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
       nodeSelector:
         kubernetes.io/os: linux
         node-role.kubernetes.io/master: ""
@@ -26,14 +26,19 @@ spec:
           command:
           - operator
           - server
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+              - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsGroup: 1337
+            runAsUser: 1337
+            runAsNonRoot: true
           imagePullPolicy: IfNotPresent
           resources:
-            limits:
+{{ toYaml .Values.operator.resources | trim | indent 12 }}
-              cpu: 200m
-              memory: 256Mi
-            requests:
-              cpu: 50m
-              memory: 128Mi
           env:
             - name: WATCH_NAMESPACE
               value: {{.Values.watchedNamespaces | quote}}
@@ -45,4 +50,8 @@ spec:
                   fieldPath: metadata.name
             - name: OPERATOR_NAME
               value: {{.Values.operatorNamespace | quote}}
+            - name: WAIT_FOR_RESOURCES_TIMEOUT
+              value: {{.Values.waitForResourcesTimeout | quote}}
+            - name: REVISION
+              value: {{.Values.revision | quote}}
 ---

charts/kubezero-istio/charts/istio-operator/templates/service.yaml

@@ -4,7 +4,7 @@ metadata:
   namespace: {{.Values.operatorNamespace}}
   labels:
     name: istio-operator
-  name: istio-operator
+  name: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
 spec:
   ports:
   - name: http-metrics

charts/kubezero-istio/charts/istio-operator/templates/service_account.yaml

@@ -2,5 +2,5 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   namespace: {{.Values.operatorNamespace}}
-  name: istio-operator
+  name: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
 ---

charts/kubezero-istio/charts/istio-operator/values.yaml

@@ -1,5 +1,25 @@
 hub: gcr.io/istio-testing
-tag: 1.6-dev
+tag: latest
+
 operatorNamespace: istio-operator
+
 # Used to replace istioNamespace to support operator watch multiple namespaces.
 watchedNamespaces: istio-system
+waitForResourcesTimeout: 300s
+
+# Used for helm2 to add the CRDs to templates.
+enableCRDTemplates: false
+
+# revision for the operator resources
+revision: ""
+
+# Operator resource defaults
+operator:
+  resources:
+    limits:
+      cpu: 200m
+      memory: 256Mi
+    requests:
+      cpu: 50m
+      memory: 128Mi
+

charts/kubezero-istio/istio-operator.patch

@@ -1,11 +1,9 @@
-diff --git a/charts/kubezero-istio/charts/istio-operator/templates/deployment.yaml b/charts/kubezero-istio/charts/istio-operator/templates/deployment.yaml
+--- charts/istio-operator/templates/deployment.yaml	2020-09-11 14:57:25.007439918 +0100
-index 5ef7848..8350dd5 100644
++++ charts/istio-operator/templates/deployment.yaml	2020-09-11 14:59:57.998019251 +0100
---- a/charts/kubezero-istio/charts/istio-operator/templates/deployment.yaml
+@@ -14,6 +14,12 @@
-+++ b/charts/kubezero-istio/charts/istio-operator/templates/deployment.yaml
-@@ -14,6 +14,12 @@ spec:
          name: istio-operator
      spec:
-       serviceAccountName: istio-operator
+       serviceAccountName: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
 +      nodeSelector:
 +        kubernetes.io/os: linux
 +        node-role.kubernetes.io/master: ""

charts/kubezero-istio/templates/istio-base.yaml

@@ -5221,6 +5221,67 @@ spec:
 ---
 
 
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: istiooperators.install.istio.io
+  labels:
+    release: istio
+spec:
+  additionalPrinterColumns:
+  - JSONPath: .spec.revision
+    description: Istio control plane revision
+    name: Revision
+    type: string
+  - JSONPath: .metadata.creationTimestamp
+    description: 'CreationTimestamp is a timestamp representing the server time when
+      this object was created. It is not guaranteed to be set in happens-before order
+      across separate operations. Clients may not set this value. It is represented
+      in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
+      lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
+    name: Age
+    type: date
+  group: install.istio.io
+  names:
+    kind: IstioOperator
+    plural: istiooperators
+    singular: istiooperator
+    shortNames:
+    - iop
+  scope: Namespaced
+  subresources:
+    status: {}
+  validation:
+    openAPIV3Schema:
+      properties:
+        apiVersion:
+          description: 'APIVersion defines the versioned schema of this representation
+            of an object. Servers should convert recognized schemas to the latest
+            internal value, and may reject unrecognized values.
+            More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#resources'
+          type: string
+        kind:
+          description: 'Kind is a string value representing the REST resource this
+            object represents. Servers may infer this from the endpoint the client
+            submits requests to. Cannot be updated. In CamelCase.
+            More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+          type: string
+        spec:
+          description: 'Specification of the desired state of the istio control plane resource.
+            More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status'
+          type: object
+        status:
+          description: 'Status describes each of istio control plane component status at the current time.
+            0 means NONE, 1 means UPDATING, 2 means HEALTHY, 3 means ERROR, 4 means RECONCILING.
+            More info: https://github.com/istio/api/blob/master/operator/v1alpha1/istio.operator.v1alpha1.pb.html &
+            https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status'
+          type: object
+  versions:
+  - name: v1alpha1
+    served: true
+    storage: true
+---
+
 # Cni component is disabled.
 
 # EgressGateways istio-egressgateway component is disabled.

charts/kubezero-istio/update.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 set -ex
 
-ISTIO_VERSION=1.6.9
+ISTIO_VERSION=1.7.1
 
 NAME="istio-$ISTIO_VERSION"
 URL="https://github.com/istio/istio/releases/download/${ISTIO_VERSION}/istio-${ISTIO_VERSION}-linux-amd64.tar.gz"
@@ -15,7 +15,7 @@ cp -r istio-${ISTIO_VERSION}/manifests/charts/istio-operator charts
 rm -rf istio-${ISTIO_VERSION}
 
 # Apply our patch
-patch  -i istio-operator.patch -p3
+patch  -i istio-operator.patch -p0
 
 # Extract base / CRDs from istioctl into plain manifest to workaround chicken egg problem with CRDs
 istioctl manifest generate --set profile=empty --set components.base.enabled=true > templates/istio-base.yaml

charts/kubezero-istio/values.yaml

@@ -14,4 +14,4 @@ ingress:
 
 istio-operator:
   hub: docker.io/istio
-  tag: 1.6.9
+  tag: 1.7.1