diff --git a/_service b/_service
index 31f2211..bc2b1eb 100644
--- a/_service
+++ b/_service
@@ -3,7 +3,7 @@
https://github.com/istio/istio
git
.git
- 1.20.3
+ 1.21.0
@PARENT_TAG@
disable
@@ -16,6 +16,6 @@
gz
- istio-1.20.3.obscpio
+ istio-1.21.0.obscpio
diff --git a/istio-1.20.3.obscpio b/istio-1.20.3.obscpio
deleted file mode 100644
index 3180381..0000000
--- a/istio-1.20.3.obscpio
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:3bb7e27cfc330f137368d98b06d3e517c011edcf79c4fd7f377f5690571f7a76
-size 30283277
diff --git a/istio-1.21.0.obscpio b/istio-1.21.0.obscpio
new file mode 100644
index 0000000..06380aa
--- /dev/null
+++ b/istio-1.21.0.obscpio
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:1ab513317492f94228b4360abfbfd190a5ecb7a5a1090c2b9c218fe9ed9523df
+size 31202829
diff --git a/istio.obsinfo b/istio.obsinfo
index 27e250e..a93819d 100644
--- a/istio.obsinfo
+++ b/istio.obsinfo
@@ -1,4 +1,4 @@
name: istio
-version: 1.20.3
-mtime: 1706836300
-commit: 692e556046b48ebc471205211c68a2c69e74a321
+version: 1.21.0
+mtime: 1710285667
+commit: 2ca3e986a683fbdb82dffcd7b2e8d02076a42468
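Review bot: The new `commit:` value is the only content-level pin to upstream in this patch, because `_service` refers to the release by the name `1.21.0` and the source archive is committed as a Git LFS pointer. Before accepting, confirm that 2ca3e986a683fbdb82dffcd7b2e8d02076a42468 is the commit that upstream's 1.21.0 tag resolves to, and that istio-1.21.0.obscpio was generated from that commit, so that the sha256 oid in the pointer can be tied back to a known source state.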
diff --git a/istioctl.changes b/istioctl.changes
index 77dcb7d..4d3d59f 100644
--- a/istioctl.changes
+++ b/istioctl.changes
@@ -1,3 +1,121 @@
+-------------------------------------------------------------------
+Sat Mar 16 17:26:03 UTC 2024 - Johannes Kastl
+
+- major update to 1.21.0:
+ https://istio.io/latest/news/releases/1.21.x/announcing-1.21/
+ https://istio.io/latest/news/releases/1.21.x/announcing-1.21/change-notes/
+ istioctl-related changes:
+ * Improved injector list to exclude ambient namespaces.
+ * Improved bug-report performance by reducing the amount of calls
+ to the k8s API. The pod/node details included in the report
+ will look different, but contain the same information.
+ * Improved istioctl bug-report to sort gathered events by
+ creation date.
+ * Updated verify-install to not require a IstioOperator file,
+ since it is now removed from the installation process.
+ * Added support for deleting multiple waypoints at once via
+ istioctl experimental waypoint delete
+ ....
+ * Added the --all flag to istioctl experimental waypoint delete
+ to delete all waypoint resources in a given namespace.
+ * Added an analyzer to warn users if they set the selector field
+ instead of the targetRef field for specific Istio resources,
+ which will cause the resource to be ineffective. (Issue #48273)
+ * Added message IST0167 to warn users that policies, such as
+ Sidecar, will have no impact when applied to ambient
+ namespaces. (Issue #48105)
+ * Added bootstrap summary to all config dumps’ summary.
+ * Added completion for Kubernetes pods for some commands that can
+ select pods, such as istioctl proxy-status .
+ * Added --wait option to the istioctl experimental waypoint apply
+ command. (Issue #46297)
+ * Added path_separated_prefix to the MATCH column in the output
+ of proxy-config routes command.
+ * Fixed an issue where sometimes control plane revisions and
+ proxy versions were not obtained in the bug report.
+ * Fixed an issue where istioctl tag list command didn’t accept
+ --output flag. (Issue #47696)
+ * Fixed an issue where the default namespace of Envoy and proxy
+ dashboard command was not set to the actual default namespace.
+ * Fixed an issue where the IST0158 message was incorrectly
+ reported when the imageType field was set to distroless in mesh
+ config. (Issue #47964)
+ * Fixed an issue where istioctl experimental version has no proxy
+ info shown.
+ * Fixed an issue where the IST0158 message was incorrectly
+ reported when the imageType field was set by the ProxyConfig
+ resource, or the resource annotation proxy.istio.io/config.
+ * Fixed an issue where proxy-config ecds didn’t show all of
+ EcdsConfigDump.
+ * Fixed injector list having duplicated namespaces shown for the
+ same injector hook.
+ * Fixed analyze not working correctly when analyzing files
+ containing resources that already exist in the cluster. (Issue
+ #44844)
+ * Fixed analyze where it was reporting errors for empty files.
+ (Issue #45653)
+ * Fixed an issue where the External Control Plane Analyzer was
+ not working in some remote control plane setups.
+ * Fixed an issue where istioctl precheck inaccurately reports the
+ IST0141 message related to resource permissions. (Issue #49379)
+ * Removed the --rps-limit flag for istioctl bug-report and added
+ the --rq-concurrency flag. The bug reporter will now limit
+ request concurrency instead of limiting request rate to the
+ Kube API.
+
+-------------------------------------------------------------------
+Sat Mar 16 17:07:28 UTC 2024 - Johannes Kastl
+
+- update to 1.20.4:
+ https://istio.io/latest/news/releases/1.20.x/announcing-1.20.4/
+ * Added an environment variable COMPLIANCE_POLICY to Istio
+ components for enforcing TLS restriction for compliance with
+ FIPS. When set to fips-140-2 on the Istiod container, the Istio
+ Proxy container, and all other Istio components, the TLS
+ version is restricted to v1.2. The cipher suites are limited to
+ a subset of ECDHE-ECDSA-AES128-GCM-SHA256,
+ ECDHE-RSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES256-GCM-SHA384,
+ ECDHE-RSA-AES256-GCM-SHA384, and ECDH curves to P-256.
+ These restrictions apply on the following data paths:
+ - mTLS communication between Envoy proxies;
+ - regular TLS on the downstream and the upstream of Envoy
+ proxies (e.g. gateway);
+ - Google gRPC side requests from Envoy proxies (e.g.
+ Stackdriver extensions);
+ - Istiod xDS server;
+ - Istiod injection and validation webhook servers.
+ The restrictions are not applied on the following data paths:
+ - Istiod to Kubernetes API server;
+ - JWK fetch from Istiod;
+ - Wasm image and URL fetch from Istio Proxy containers;
+ - ztunnel.
+ Note that Istio injector will propagate the value of
+ COMPLIANCE_POLICY to the injected proxy container, when set.
+ (Issue #49081)
+ * Fixed an issue where the local client contained incorrect
+ entries in the local DNS name table. (Issue #47340)
+ * Fixed a bug that made PeerAuthentication too restrictive in
+ ambient mode.
+ * Fixed a bug where VirtualService containing wildcard hosts that
+ aren’t present in the service registry are ignored. (Issue
+ #49364)
+ * Fixed an issue where istioctl precheck inaccurately reports the
+ IST0141 message related to resource permissions. (Issue #49379)
+ * Fixed a bug for IPv6 only clusters that prevented
+ ServiceEntry-based listeners from having correct SNI matches.
+ (Issue #49476)
+ * Fixed a bug when there is more than one service with the same
+ host name within the same namespace, a STRICT_DNS cluster
+ without endpoints error could occur. (Issue #49489)
+ * Fixed an issue that when using a delegate in a VirtualService,
+ the effective VirtualService may not be consistent with
+ expectations due to a sorting error. (Issue #49539)
+ * Fixed a bug where specifying a URI regex .* match within a
+ VirtualService HTTP route did not short-circuit the subsequent
+ HTTP routes.
+ * Fixed an issue where Endpoint and Service in the istiod-remote
+ chart did not respect the revision value. (Issue #47552)
+
-------------------------------------------------------------------
Fri Feb 9 19:19:21 UTC 2024 - Johannes Kastl
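Review bot: In the 1.21.0 entry, the bullet "Added support for deleting multiple waypoints at once via istioctl experimental waypoint delete" is followed by a line containing only "....", which looks like the command's arguments were lost when the release notes were copied; restore the text from the upstream change notes or drop the stray line. The IST0141 precheck fix (Issue #49379) is also listed in both the 1.21.0 and the 1.20.4 entries. In addition, the 1.20.4 entry is not filtered to istioctl-related changes the way the 1.21.0 entry is, so it carries items such as COMPLIANCE_POLICY that describe the Istiod and proxy containers rather than this CLI package; consider trimming it or adding a line saying that the full upstream notes are reproduced.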
diff --git a/istioctl.spec b/istioctl.spec
index d9676c9..30abb9f 100644
--- a/istioctl.spec
+++ b/istioctl.spec
@@ -19,7 +19,7 @@
%define __arch_install_post export NO_BRP_STRIP_DEBUG=true
Name: istioctl
-Version: 1.20.3
+Version: 1.21.0
Release: 0
Summary: CLI for the istio servic mesh in Kubernetes
License: Apache-2.0
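Review bot: The Summary line in this hunk's context reads "CLI for the istio servic mesh in Kubernetes"; since the spec is already being touched for the Version bump, fix the typo to "service mesh" in the same change.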
diff --git a/vendor.tar.gz b/vendor.tar.gz
index d5b7b12..b7c9749 100644
--- a/vendor.tar.gz
+++ b/vendor.tar.gz
@@ -1,3 +1,3 @@
version https://git-lfs.github.com/spec/v1
-oid sha256:3f511977fbd4f0cd314ab95eb4501fe173a12f830361508caff1ae9ae5204c21
-size 24359808
+oid sha256:2623c34ab982bad2364bce4e7bc0dbe55edbfcd2511748386e0550ec0a6d481e
+size 20089978
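Review bot: vendor.tar.gz shrinks from 24359808 to 20089978 bytes while the source archive grows from 30283277 to 31202829 bytes, and because both are stored as Git LFS pointers the content cannot be reviewed from this diff. Please confirm the tarball was regenerated from the 1.21.0 source tree and note in the changelog or commit message why the vendored set is roughly 4 MB smaller, so a reviewer can rule out missing or substituted dependencies.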