------------------------------------------------------------------- Tue Dec 12 21:41:43 UTC 2023 - kastl@b1-systems.de - Update to version 1.20.1: https://istio.io/latest/news/releases/1.20.x/announcing-1.20.1/ * Security update - Changes to Istio CNI Permissions as described in ISTIO-SECURITY-2023-005 * Changes - Fixed an issue where the webhook generated by istioctl tag set was unexpectedly being removed by the installer. (Issue #47423) - Fixed an issue where the istioctl tag list command did not accept the --output flag. (Issue #47696) - Fixed an issue where custom injection of the istio-proxy container was not working on OpenShift, due to how OpenShift sets the pod’s SecurityContext.RunAs field. - Fixed an issue where VirtualService HTTP header present match was not working when header-name: {} was set. (Issue #47341) - Fixed multi-cluster leader election not being able to prioritize local over remote leaders. (Issue #47901) - Fixed a memory leak when hostNetwork pods scaled up and down. (Issue #47893) - Fixed a memory leak when WorkloadEntries changed their IP address. (Issue #47893) - Fixed a memory leak when a ServiceEntry was removed. (Issue #47893) - Improved istioctl bug-report performance by reducing the number of calls to the Kubernetes API. The included pod/node details in the report remain comprehensive but will be presented differently. - Removed the --rps-limit flag for istioctl bug-report and added the --rq-concurrency flag. This change enables the bug reporter to limit request concurrency rather than the request rate to the Kubernetes API. ------------------------------------------------------------------- Thu Nov 16 12:10:47 UTC 2023 - kastl@b1-systems.de - Update to version 1.20.0: https://istio.io/latest/news/releases/1.20.x/announcing-1.20/ * Deprecation Notices - There are no new deprecations in Istio 1.20.0. * Istioctl - Added a new istioctl dashboard proxy command, which can be used to show the admin UI of different proxy pods, like Envoy, Ztunnel, Waypoint. - Added an output format option for the istioctl experimental pre-check command. Valid options are log, json or yaml. - Added the --output-threshold flag in istioctl experimental precheck to control the message output threshold. The default threshold is now warning, which replaces the previous default of info. - Added support for auto-detecting the pilot’s monitoring port if it is not set to the default value of 15014. (Issue #46652) - Added lazy loading for default namespace detection in istioctl to avoid checking the kubeconfig for commands that do not require a Kubernetes environment. (Issue #47159) - Added support for setting loggers’ levels of istio-proxy in the istioctl proxy-config log command with --level or --level level=. - Added an analyzer for showing warning messages about incorrect/missing information related to Istio installations using an External Control Plane. (Issue #47269) - Added IST0162 GatewayPortNotDefinedOnService message to detect an issue where a Gateway port was not exposed by Service. - Fixed istioctl operator remove command to not remove all revisions of the operator controller when the revision is “default” or not specified. (Issue #45242) - Fixed an issue where verify-install had incorrect results when installed deployments were not healthy. - Fixed the istioctl experimental describe command to provide correct Gateway information when using the injected gateway. - Fixed an issue where istioctl analyze would analyze irrelevant configmaps. (Issue #46563) - Fixed istioctl analyze incorrectly showing an error when ServiceEntry hosts are used in a VirtualService destination across a namespace boundary. (Issue #46597) - Fixed an issue where istioctl proxy-config failed to process a config dump from a file if EDS endpoints were not provided. (Issue #47505) - Removed the istioctl experimental revision tag command, which was graduated to istioctl tag. ------------------------------------------------------------------- Tue Nov 14 11:14:52 UTC 2023 - kastl@b1-systems.de - Update to version 1.19.4: * Automator: update ztunnel@release-1.19 in istio/istio@release-1.19 (#47794) * Update deps for 1.19.4 (#47796) * Automator: update proxy@release-1.19 in istio/istio@release-1.19 (#47795) * Automator: update proxy@release-1.19 in istio/istio@release-1.19 (#47790) * Automator: update istio/client-go@release-1.19 dependency in istio/istio@release-1.19 (#47788) * Automator: update common-files@release-1.19 in istio/istio@release-1.19 (#47787) * Update BASE_VERSION to 1.19-2023-11-06T19-02-47 (#47765) * Fix header present match (#47704) (#47736) * [release-1.19] Fix tag list output command not working (#47710) * [release-1.19] Sidecar resources using defaultEndpoint can use ::1 in all cases (#47676) * Automator: update proxy@release-1.19 in istio/istio@release-1.19 (#47663) * Automator: update proxy@release-1.19 in istio/istio@release-1.19 (#47635) * Automator: update proxy@release-1.19 in istio/istio@release-1.19 (#47594) * [release-1.19] fix multiple header matches in root vs (#47274) * prevent running crdclient twice, this will cause crdClient.queue stop… (#47399) (#47597) * Fix traffic to terminating headless services (#47379) (#47589) * Update BASE_VERSION to 1.19-2023-10-25T19-03-30 (#47586) * [release-1.19] istioctl: allow file configdump missing eds for `proxy-config` (#47554) * Automator: update proxy@release-1.19 in istio/istio@release-1.19 (#47570) * Skip+Warn instead of NACK on invalid TLS gateway (#47560) * Automator: update proxy@release-1.19 in istio/istio@release-1.19 (#47557) * Automator: update proxy@release-1.19 in istio/istio@release-1.19 (#47542) * reduce logging level to DEBUG when td don't match but SkipValidateTrustDomain is enabled (#47528) * Allow setting priorityClassName in Istio gateway helm chart (#47460) * 1.19: Bump iptables image to fix glibc (#47339) (#47497) * Automator: update proxy@release-1.19 in istio/istio@release-1.19 (#47485) * Automator: update proxy@release-1.19 in istio/istio@release-1.19 (#47452) * [release-1.19] Fix multicluster secret filtering (#47438) * Automator: update proxy@release-1.19 in istio/istio@release-1.19 (#47421) * [release-1.19] Gated feature flag to add a secondary outbound bind for IPv6-only clusters (#47408) * cni: 1.19 cherrypicks (#47392) * Automator: update proxy@release-1.19 in istio/istio@release-1.19 (#47387) * Automator: update proxy@release-1.19 in istio/istio@release-1.19 (#47365) * Automator: update proxy@release-1.19 in istio/istio@release-1.19 (#47363) * [release-1.19] Clarify telemetry deployment namespace (#47360) * Automator: update proxy@release-1.19 in istio/istio@release-1.19 (#47345) * Update BASE_VERSION to 1.19-2023-10-13T03-27-30 (#47343) * # Adjust DNS Proxy CNAME wildcard response to be compatible with glibc and musl (#47323) * Automator: update proxy@release-1.19 in istio/istio@release-1.19 (#47317) * Automator: update ztunnel@release-1.19 in istio/istio@release-1.19 (#47314) * Automator: update proxy@release-1.19 in istio/istio@release-1.19 (#47296) ------------------------------------------------------------------- Thu Oct 12 05:30:26 UTC 2023 - kastl@b1-systems.de - Update to version 1.19.3: * Automator: update istio/client-go@release-1.19 dependency in istio/istio@release-1.19 (#47293) * Update golang.org/x/net and grpc-go (#47287) * Automator: update common-files@release-1.19 in istio/istio@release-1.19 (#47291) * Automator: update proxy@release-1.19 in istio/istio@release-1.19 (#47289) * Automator: update proxy@release-1.19 in istio/istio@release-1.19 (#47271) * Automator: update proxy@release-1.19 in istio/istio@release-1.19 (#47243) * Automator: update ztunnel@release-1.19 in istio/istio@release-1.19 (#47240) * Automator: update istio/client-go@release-1.19 dependency in istio/istio@release-1.19 (#47232) * Automator: update proxy@release-1.19 in istio/istio@release-1.19 (#47233) * Automator: update common-files@release-1.19 in istio/istio@release-1.19 (#47231) * Automator: update proxy@release-1.19 in istio/istio@release-1.19 (#47186) - skipping non-existent release 1.19.2 ------------------------------------------------------------------- Wed Oct 04 09:40:21 UTC 2023 - kastl@b1-systems.de - Update to version 1.19.1: * Update deps for 1.19.1 (#47129) * Automator: update istio/client-go@release-1.19 dependency in istio/istio@release-1.19 (#47123) * [release-1.19] Push back invalid secret to prevent sds fetching timeout (#47110) * Autheticate crane with DefaultKeychain (#47100) * [release-1.19] Fix issue with dual-stack iptables6 rules when using istio-cni plugin… (#47108) * Automator: update ztunnel@release-1.19 in istio/istio@release-1.19 (#47075) * Automator: update proxy@release-1.19 in istio/istio@release-1.19 (#47062) * Fix issue with emiting uninitialized Guage metrics (#46980) * [release-1.19] fix DNSNoEndpointClusters metric (#46966) * [release-1.19] dedup addressInfo (#46949) * [release-1.19] Add endpoints to proxy-config all output (#46940) * [release-1.19] Gateway API cherrypicks (#46938) * [release-1.19] Fix verify install kinds for kind NetworkAttachmentDefinition (#46944) * Bump github.com/cyphar/filepath-securejoin from 0.2.3 to 0.2.4 (#46889) * Automator: update ztunnel@release-1.19 in istio/istio@release-1.19 (#46900) * Cherrypick 46579 (#46896) * Automator: update istio/client-go@release-1.19 dependency in istio/istio@release-1.19 (#46888) * [release-1.19] Update sigs.k8s.io/gateway-api to 0.8.0 (#46677) * Automator: update proxy@release-1.19 in istio/istio@release-1.19 (#46878) * Automator: update istio/client-go@release-1.19 dependency in istio/istio@release-1.19 (#46873) * Automator: update proxy@release-1.19 in istio/istio@release-1.19 (#46872) * Automator: update common-files@release-1.19 in istio/istio@release-1.19 (#46871) * [release-1.19] Cherrypick 46429 (#46784) * Automator: update istio/client-go@release-1.19 dependency in istio/istio@release-1.19 (#46853) * [release-1.19] install: fix warning with wrong control plane (#46739) * [release-1.19] Ambient: fix incorrect updates when ambient namespace label is changed (#46715) * [release-1.19] Add ability to install gateway helm chart with dual-stack service def… (#46683) * Remove conditional cleanup from traffic test. (#46819) * respect meshConfig.defaultConfig.sampling (#46735) * Report networkpolicies in bug-report (#46843) ------------------------------------------------------------------- Wed Sep 06 05:22:41 UTC 2023 - kastl@b1-systems.de - Update to version 1.19.0: very large changelog, please find it at https://github.com/istio/istio/releases/tag/1.19.0 and https://istio.io/news/releases/1.19.x/announcing-1.19/ ------------------------------------------------------------------- Tue Jul 25 17:22:24 UTC 2023 - kastl@b1-systems.de - Update to version 1.18.2: * Add validation of workload entry identity (#117) * Bump proxy version (#122) * Automator: update proxy@release-1.18 in istio/istio@release-1.18 (#46039) * Automator: update proxy@release-1.18 in istio/istio@release-1.18 (#46025) * Fix nil map for cluster builder (#46024) * fix concurrent map access in endpoint metadata (#44473) (#46021) * fix conflict (#46017) * Exit if sds socket not found (#45941) (#46014) ------------------------------------------------------------------- Mon Jul 17 04:59:39 UTC 2023 - kastl@b1-systems.de - Update to version 1.18.1: * Automator: update proxy@release-1.18 in istio/istio@release-1.18 (#46007) * Automator: update ztunnel@release-1.18 in istio/istio@release-1.18 (#46000) * Automator: update istio/client-go@release-1.18 dependency in istio/istio@release-1.18 (#45996) * Automator: update common-files@release-1.18 in istio/istio@release-1.18 (#45995) * Update image from (#45958) * [release-1.18] prevent port conflict with sidecar static listener like 15021 15090 (#45966) * [release-1.18] Set inject true for compatibility tests (#45928) * Automator: update ztunnel@release-1.18 in istio/istio@release-1.18 (#45948) * Add release note for #45632 (#45927) * [release-1.18] Fix health probe port overwrite (#45873) * Automator: update istio/client-go@release-1.18 dependency in istio/istio@release-1.18 (#45938) * Automator: update common-files@release-1.18 in istio/istio@release-1.18 (#45936) * Automator: update ztunnel@release-1.18 in istio/istio@release-1.18 (#45892) * Automator: update common-files@release-1.18 in istio/istio@release-1.18 (#45875) * Automator: update istio/client-go@release-1.18 dependency in istio/istio@release-1.18 (#45876) * [release-1.18] Fix bug report include option not working as expected (#45860) * Automator: update istio/client-go@release-1.18 dependency in istio/istio@release-1.18 (#45857) * [release-1.18] Fix a potential nil panic of endpointindex (#45808) * Automator: update proxy@release-1.18 in istio/istio@release-1.18 (#45834) * Automator: update proxy@release-1.18 in istio/istio@release-1.18 (#45771) * Automator: update proxy@release-1.18 in istio/istio@release-1.18 (#45769) * Automator: update proxy@release-1.18 in istio/istio@release-1.18 (#45747) * gcp metadata: compute GCPClusterURL from metadata (#45741) * Fix auth header syntax (#45711) * Automator: update ztunnel@release-1.18 in istio/istio@release-1.18 (#45702) * Bump github.com/lestrrat-go/jwx from 1.2.25 to 1.2.26 (#45684) * Automator: update common-files@release-1.18 in istio/istio@release-1.18 (#45690) * Automator: update istio/client-go@release-1.18 dependency in istio/istio@release-1.18 (#45660) * Automator: update proxy@release-1.18 in istio/istio@release-1.18 (#45667) * prow: move to use WI for auth_header in private (#45609) * Automator: update proxy@release-1.18 in istio/istio@release-1.18 (#45587) * Automator: update ztunnel@release-1.18 in istio/istio@release-1.18 (#45579) * Automator: update istio/client-go@release-1.18 dependency in istio/istio@release-1.18 (#45570) * Automator: update common-files@release-1.18 in istio/istio@release-1.18 (#45569) * [release-1.18] improve accesslog mode e2e tests (#45519) * Update BASE_VERSION to 1.18-2023-06-15T19-02-54 (#45495) * [release-1.18] cherry-pick: add debug info when generating certs for workloads (#45194) * [release-1.18] Update min supported k8s version to 1.24 (#45444) * Automator: update proxy@release-1.18 in istio/istio@release-1.18 (#45450) * Automator: update istio/client-go@release-1.18 dependency in istio/istio@release-1.18 (#45381) * [release-1.18] Check the disabled status when adding a log provider (#45373) * Change to use Node instead of RawMeta (#45359) * [release-1.18] Fix istioctl pc secret cert validity not accurate (#45343) * Add rolling update max unavailable to CNI chart to speed up deploys (cherry pick to release-1.18) (#44934) * Fix Telemetry disablement matching (#45303) * Fix invalid XDS configuration for wildcard Ingress HTTP path (#44898) (#45168) * Adding LRS support (#45165) * [release-1.18] Certificate Revocation List support (#45130) * [release-1.18]Manual cherry-pick of 44481 and 44775 (#45081) * precise-errorcode-debuggen (#45164) * Automator: update ztunnel@release-1.18 in istio/istio@release-1.18 (#45333) * Automator: update istio/client-go@release-1.18 dependency in istio/istio@release-1.18 (#45326) * Automator: update common-files@release-1.18 in istio/istio@release-1.18 (#45325) ------------------------------------------------------------------- Tue Jun 13 06:13:18 UTC 2023 - kastl@b1-systems.de - Update to version 1.18.0: very large changelog, please see https://istio.io/latest/news/releases/1.18.x/announcing-1.18/ ------------------------------------------------------------------- Tue Jun 13 06:08:03 UTC 2023 - kastl@b1-systems.de - Update to version 1.17.3: * Update BASE_VERSION to 1.17-2023-05-31T19-02-43 (#45227) * Revert "[release-1.17] Operator: Fix webhooks reconciled by operator are inconsistent with istioctl install's (#45121)" (#45205) * 1.17: bump docker dep (#45198) * cherry-pick: add debug info when generating certs for workloads #45183 (#45189) * [release-1.17] Run update_deps.sh (#45177) * [release-1.17] Operator: Fix webhooks reconciled by operator are inconsistent with istioctl install's (#45121) * RetryWithContext should use the new NextBackOff() (#45122) * Update BASE_VERSION to 1.17-2023-05-24T19-03-36 (#45110) * [release-1.17] fix backoff and read ca file interval (#45039) * [release-1.17]Manual cherry-pick of 44481 and 44775 (#45082) * Automator: update proxy@release-1.17 in istio/istio@release-1.17 (#45017) * Automator: update istio/client-go@release-1.17 dependency in istio/istio@release-1.17 (#45070) * Automator: update common-files@release-1.17 in istio/istio@release-1.17 (#45069) * Automator: update proxy@release-1.17 in istio/istio@release-1.17 (#44989) * remove file from file certs before triggering call backs (#44908) * [release-1.17] Fix MaybeApplyTLSModeLabel function (#44939) * spiffe: fix handling of trust bundles with multiple keys (#44909) * [release-1.17] inject: remove unknown fields from template (#44858) * add support for security.istio.io/v1beta1 api in authz tests when testing multiple istio versions (#44447) (#44808) * Automator: update proxy@release-1.17 in istio/istio@release-1.17 (#44782) * [release-1.17] Fix persistent sessions scale down with envoy (#44652) * [release-1.17] Fix verify-install to work with multi iops (#44753) * Skip runtime resources when analyzing files (#44506) (#44733) * [release-1.17] Fix pilot using wrong readinessprobe check, should check if /validate and /inject endpoints are ready. (#44750) * Automator: update proxy@release-1.17 in istio/istio@release-1.17 (#44745) * Fix multi-cluster issue by increasing the timeout of listing CRDs (#44715) (#44739) * Automator: update istio/client-go@release-1.17 dependency in istio/istio@release-1.17 (#44734) * Automator: update common-files@release-1.17 in istio/istio@release-1.17 (#44732) * Automator: update proxy@release-1.17 in istio/istio@release-1.17 (#44718) * Use safer dedupe for config (#44502) (#44535) * Automator: update proxy@release-1.17 in istio/istio@release-1.17 (#44618) * Automator: update proxy@release-1.17 in istio/istio@release-1.17 (#44598) * Update BASE_VERSION to 1.17-2023-04-26T19-03-52 (#44574) * disable automount SA token only on tests with min istio revisions >= 1.16 (#44492) * fix missing gateway services (#44463) * [release-1.17] add validation for empty prefix header match (#44455) * Automator: update proxy@release-1.17 in istio/istio@release-1.17 (#44440) * Integration Test for Istio custom GRPC count metrics (#44288) * [release-1.17] gateway: prevent duplicate `istio_authn` network filter in the filter chain (#44399) * fix gateway service name (#44382) * Automator: update proxy@release-1.17 in istio/istio@release-1.17 (#44389) * Update BASE_VERSION to 1.17-2023-04-12T19-03-40 (#44359) * Automator: update proxy@release-1.17 in istio/istio@release-1.17 (#44344) * Automator: update istio/client-go@release-1.17 dependency in istio/istio@release-1.17 (#44283) * Automator: update common-files@release-1.17 in istio/istio@release-1.17 (#44282) * Automator: update proxy@release-1.17 in istio/istio@release-1.17 (#44271) * gateway: remove internal annotation from propogating (#44220) (#44229) * Automator: update proxy@release-1.17 in istio/istio@release-1.17 (#44241) * [release-1.17] add release-notes for grpc stats (#44222) * Automator: update proxy@release-1.17 in istio/istio@release-1.17 (#44217) * [1.17] gateway deployment controller: handle backwards compatibility (#44171) * fix: increment failures in serverFailure function (#44176) * [release-1.17] always enable grpc stats filter (#44180) ------------------------------------------------------------------- Wed Apr 19 12:10:36 UTC 2023 - Johannes Kastl - package sample files ------------------------------------------------------------------- Wed Apr 05 04:41:53 UTC 2023 - kastl@b1-systems.de - Update to version 1.17.2: * [release-1.17] Update deps 1.17 (#106) * Automator: update proxy@release-1.17 in istio/istio@release-1.17 (#44133) * Automator: update proxy@release-1.17 in istio/istio@release-1.17 (#44102) * Automator: update proxy@release-1.17 in istio/istio@release-1.17 (#44079) * Add endpointslices to bug-report dump (#44054) * Automator: update common-files@release-1.17 in istio/istio@release-1.17 (#44055) * Automator: update proxy@release-1.17 in istio/istio@release-1.17 (#44061) * Automator: update istio/client-go@release-1.17 dependency in istio/istio@release-1.17 (#44058) * vm: fix assigning label from metadata (#44021) * [release-1.17] tracing: Update proxyConfig.Tracing merge logic (#42518) (#44019) * Automator: update proxy@release-1.17 in istio/istio@release-1.17 (#44049) * Update BASE_VERSION to 1.17-2023-03-21T19-02-32 (#44039) * add retry to default service account patch command (#43915) * Fix gateway injection when istio.io/rev= (#43668) * Automator: update istio/client-go@release-1.17 dependency in istio/istio@release-1.17 (#43973) * [release-1.17] Fix x wait when PILOT_ENABLE_CONFIG_DISTRIBUTION_TRACKING is not true (#43980) * Automator: update common-files@release-1.17 in istio/istio@release-1.17 (#43971) * Use ReadHeaderTimeout instead of ReadTimeout when gRPC is multiplexed (#43885) * Break system namespace and ingressgateway assumptions (#43809) (#43866) * [release-1.17] Run update_deps.sh (#43869) * [release-1.17] ServiceEntry IP allocation: Stable IP when used in multiple namespaces (#43879) * Bump Helm to 3.11.1 (#43860) * Bump x/net to 0.7.0 (#43851) * Automator: update istio/client-go@release-1.17 dependency in istio/istio@release-1.17 (#43855) * Automator: update proxy@release-1.17 in istio/istio@release-1.17 (#43856) * Automator: update common-files@release-1.17 in istio/istio@release-1.17 (#43854) * Automator: update istio/client-go@release-1.17 dependency in istio/istio@release-1.17 (#43834) * [release-1.17] Fix name resolution in istioctl command (#43819) * Update BASE_VERSION to 1.17-2023-03-07T19-01-20 (#43812) * [release-1.17] rbac: honor useAuthenticated (#43808) * [release-1.17] Include trustDomains from CaCertificates in SAN Validation (#43795) * AccessLogging: fix the issue where disable accesslogging does not take effect. (#43798) * Update BASE_VERSION to 1.17-2023-03-03T19-02-38 (#43757) * Automator: update proxy@release-1.17 in istio/istio@release-1.17 (#43734) * Automator: update istio/client-go@release-1.17 dependency in istio/istio@release-1.17 (#43718) * Automator: update proxy@release-1.17 in istio/istio@release-1.17 (#43707) * Automator: update istio/client-go@release-1.17 dependency in istio/istio@release-1.17 (#43695) * [release-1.17] Fix analyzing not caught some messages in default namespace (#43678) * Update BASE_VERSION to 1.17-2023-02-28T19-03-02 (#43666) * [release-1.17] fix unexpected behavior of multi accesslogging filters (#43591) * [release-1.17] validate: improve ValidateHTTPHeaderValue (#43391) * Automator: update proxy@release-1.17 in istio/istio@release-1.17 (#43573) * [release-1.17] cluster: clone Push.Mesh.ConnectTimeout to avoid unintended mutation by EnvoyFilter (#43557) * [release-1.17] Fix large direct response (#43550) * Automator: update proxy@release-1.17 in istio/istio@release-1.17 (#43530) ------------------------------------------------------------------- Tue Mar 28 10:50:26 UTC 2023 - Johannes Kastl - bash-completion subpackage now Requires bash-completion ------------------------------------------------------------------- Fri Mar 3 06:01:56 UTC 2023 - Johannes Kastl - new package istioctl: CLI for the istio service mesh for Kubernetes