chore(chart-deps): update istio to version 1.29.0#2954
Open
CasLubbers
approved these changes
Feb 20, 2026
Contributor
Author
|
Comparison of Helm chart templating output:
@@ spec.versions.v1.schema.openAPIV3Schema.properties.spec.properties.subsets.items.properties.trafficPolicy.properties.loadBalancer.properties.warmup.properties.aggression.minimum @@
# apiextensions.k8s.io/v1/CustomResourceDefinition/destinationrules.networking.istio.io
! ± value change
- 1
+ 0
@@ spec.versions.v1.schema.openAPIV3Schema.properties.spec.properties.subsets.items.properties.trafficPolicy.properties.portLevelSettings.items.properties.loadBalancer.properties.warmup.properties.aggression.minimum @@
# apiextensions.k8s.io/v1/CustomResourceDefinition/destinationrules.networking.istio.io
! ± value change
- 1
+ 0
@@ spec.versions.v1.schema.openAPIV3Schema.properties.spec.properties.trafficPolicy.properties.loadBalancer.properties.warmup.properties.aggression.minimum @@
# apiextensions.k8s.io/v1/CustomResourceDefinition/destinationrules.networking.istio.io
! ± value change
- 1
+ 0
@@ spec.versions.v1.schema.openAPIV3Schema.properties.spec.properties.trafficPolicy.properties.portLevelSettings.items.properties.loadBalancer.properties.warmup.properties.aggression.minimum @@
# apiextensions.k8s.io/v1/CustomResourceDefinition/destinationrules.networking.istio.io
! ± value change
- 1
+ 0
@@ spec.versions.v1alpha3.schema.openAPIV3Schema.properties.spec.properties.subsets.items.properties.trafficPolicy.properties.loadBalancer.properties.warmup.properties.aggression.minimum @@
# apiextensions.k8s.io/v1/CustomResourceDefinition/destinationrules.networking.istio.io
! ± value change
- 1
+ 0
@@ spec.versions.v1alpha3.schema.openAPIV3Schema.properties.spec.properties.subsets.items.properties.trafficPolicy.properties.portLevelSettings.items.properties.loadBalancer.properties.warmup.properties.aggression.minimum @@
# apiextensions.k8s.io/v1/CustomResourceDefinition/destinationrules.networking.istio.io
! ± value change
- 1
+ 0
@@ spec.versions.v1alpha3.schema.openAPIV3Schema.properties.spec.properties.trafficPolicy.properties.loadBalancer.properties.warmup.properties.aggression.minimum @@
# apiextensions.k8s.io/v1/CustomResourceDefinition/destinationrules.networking.istio.io
! ± value change
- 1
+ 0
@@ spec.versions.v1alpha3.schema.openAPIV3Schema.properties.spec.properties.trafficPolicy.properties.portLevelSettings.items.properties.loadBalancer.properties.warmup.properties.aggression.minimum @@
# apiextensions.k8s.io/v1/CustomResourceDefinition/destinationrules.networking.istio.io
! ± value change
- 1
+ 0
@@ spec.versions.v1beta1.schema.openAPIV3Schema.properties.spec.properties.subsets.items.properties.trafficPolicy.properties.loadBalancer.properties.warmup.properties.aggression.minimum @@
# apiextensions.k8s.io/v1/CustomResourceDefinition/destinationrules.networking.istio.io
! ± value change
- 1
+ 0
@@ spec.versions.v1beta1.schema.openAPIV3Schema.properties.spec.properties.subsets.items.properties.trafficPolicy.properties.portLevelSettings.items.properties.loadBalancer.properties.warmup.properties.aggression.minimum @@
# apiextensions.k8s.io/v1/CustomResourceDefinition/destinationrules.networking.istio.io
! ± value change
- 1
+ 0
@@ spec.versions.v1beta1.schema.openAPIV3Schema.properties.spec.properties.trafficPolicy.properties.loadBalancer.properties.warmup.properties.aggression.minimum @@
# apiextensions.k8s.io/v1/CustomResourceDefinition/destinationrules.networking.istio.io
! ± value change
- 1
+ 0
@@ spec.versions.v1beta1.schema.openAPIV3Schema.properties.spec.properties.trafficPolicy.properties.portLevelSettings.items.properties.loadBalancer.properties.warmup.properties.aggression.minimum @@
# apiextensions.k8s.io/v1/CustomResourceDefinition/destinationrules.networking.istio.io
! ± value change
- 1
+ 0
@@ spec.versions.v1alpha3.schema.openAPIV3Schema.properties.spec.properties.configPatches.items.properties.match @@
# apiextensions.k8s.io/v1/CustomResourceDefinition/envoyfilters.networking.istio.io
! + one map entry added:
+ x-kubernetes-validations:
+ - message: "only support waypointMatch when context is WAYPOINT"
+ rule: "has(self.context) ? ((self.context == \"WAYPOINT\") ? has(self.waypoint) : !has(self.waypoint)) : !has(self.waypoint)"
@@ spec.versions.v1alpha3.schema.openAPIV3Schema.properties.spec.properties.configPatches.items.properties.match.oneOf @@
# apiextensions.k8s.io/v1/CustomResourceDefinition/envoyfilters.networking.istio.io
! - one list entry removed:
- - not:
- anyOf:
- - required:
- - listener
- - required:
- - routeConfiguration
- - required:
- - cluster
! + two list entries added:
+ - not:
+ anyOf:
+ - required:
+ - listener
+ - required:
+ - routeConfiguration
+ - required:
+ - cluster
+ - required:
+ - waypoint
+ - required:
+ - waypoint
@@ spec.versions.v1alpha3.schema.openAPIV3Schema.properties.spec.properties.configPatches.items.properties.match.properties @@
# apiextensions.k8s.io/v1/CustomResourceDefinition/envoyfilters.networking.istio.io
! + one map entry added:
+ waypoint:
+ type: object
+ properties:
+ filter:
+ type: object
+ description: "The name of a specific filter to apply the patch to."
+ properties:
+ name:
+ type: string
+ description: "The filter name to match on."
+ subFilter:
+ type: object
+ description: "The next level filter within this filter to match on."
+ properties:
+ name:
+ type: string
+ description: "The filter name to match on."
+ portNumber:
+ type: integer
+ description: "The service port to match on."
+ maximum: 4294967295
+ minimum: 0
+ x-kubernetes-validations:
+ - message: "port must be between 1-65535"
+ rule: "0 < self && self <= 6553"
+ route:
+ type: object
+ description: "Match a specific route."
+ properties:
+ name:
+ type: string
+ description: "The Route objects generated by default are named as default."
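Review bot: In `waypoint.portNumber` the CEL rule `0 < self && self <= 6553` does not match its own message, `port must be between 1-65535`, so as rendered here any port from 6554 to 65535 would be rejected. Check the rendered CRD in the chart for a dropped digit before merging. The schema bound `maximum: 4294967295` is far wider than the port range, which leaves the CEL rule as the only effective limit on this field.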
@@ spec.versions.v1alpha3.schema.openAPIV3Schema.properties.spec.properties.configPatches.items.properties.match.properties.context.description @@
# apiextensions.k8s.io/v1/CustomResourceDefinition/envoyfilters.networking.istio.io
! ± value change in multiline text (one insert, one deletion)
The specific config generation context to match on.
- Valid Options: ANY, SIDECAR_INBOUND, SIDECAR_OUTBOUND, GATEWAY
+ Valid Options: ANY, SIDECAR_INBOUND, SIDECAR_OUTBOUND, GATEWAY, WAYPOINT
@@ spec.versions.v1alpha3.schema.openAPIV3Schema.properties.spec.properties.configPatches.items.properties.match.properties.context.enum @@
# apiextensions.k8s.io/v1/CustomResourceDefinition/envoyfilters.networking.istio.io
! + one list entry added:
+ - WAYPOINT
@@ spec.versions.v1.schema.openAPIV3Schema.properties.spec.properties.http.items.properties.directResponse.properties.body.properties.bytes.format @@
# apiextensions.k8s.io/v1/CustomResourceDefinition/virtualservices.networking.istio.io
! ± value change
- binary
+ byte
@@ spec.versions.v1alpha3.schema.openAPIV3Schema.properties.spec.properties.http.items.properties.directResponse.properties.body.properties.bytes.format @@
# apiextensions.k8s.io/v1/CustomResourceDefinition/virtualservices.networking.istio.io
! ± value change
- binary
+ byte
@@ spec.versions.v1beta1.schema.openAPIV3Schema.properties.spec.properties.http.items.properties.directResponse.properties.body.properties.bytes.format @@
# apiextensions.k8s.io/v1/CustomResourceDefinition/virtualservices.networking.istio.io
! ± value change
- binary
+ byte
@@ spec.versions.v1.schema.openAPIV3Schema.properties.spec.properties.tracing.items.properties.customTags.additionalProperties.oneOf @@
# apiextensions.k8s.io/v1/CustomResourceDefinition/telemetries.telemetry.istio.io
! - one list entry removed:
- - not:
- anyOf:
- - required:
- - literal
- - required:
- - environment
- - required:
- - header
! + two list entries added:
+ - not:
+ anyOf:
+ - required:
+ - literal
+ - required:
+ - environment
+ - required:
+ - header
+ - required:
+ - formatter
+ - required:
+ - formatter
@@ spec.versions.v1.schema.openAPIV3Schema.properties.spec.properties.tracing.items.properties.customTags.additionalProperties.properties @@
# apiextensions.k8s.io/v1/CustomResourceDefinition/telemetries.telemetry.istio.io
! + one map entry added:
+ formatter:
+ type: object
+ description: "Formatter adds the value of access logging substitution formatter."
+ required:
+ - value
+ properties:
+ value:
+ type: string
+ description: "The formatter tag value to use, same formatter as HTTP access logging (e.g."
+ minLength: 1
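Review bot: The `formatter.value` description stops mid-sentence at `(e.g.`, here and in the `v1alpha1` copy of the same entry, so the field documentation served from the CRD will be cut off. There is no functional impact, but if the rendered CRD in the chart carries the same truncated string it is worth fixing at the source rather than carrying it forward with each chart bump.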
@@ spec.versions.v1alpha1.schema.openAPIV3Schema.properties.spec.properties.tracing.items.properties.customTags.additionalProperties.oneOf @@
# apiextensions.k8s.io/v1/CustomResourceDefinition/telemetries.telemetry.istio.io
! - one list entry removed:
- - not:
- anyOf:
- - required:
- - literal
- - required:
- - environment
- - required:
- - header
! + two list entries added:
+ - not:
+ anyOf:
+ - required:
+ - literal
+ - required:
+ - environment
+ - required:
+ - header
+ - required:
+ - formatter
+ - required:
+ - formatter
@@ spec.versions.v1alpha1.schema.openAPIV3Schema.properties.spec.properties.tracing.items.properties.customTags.additionalProperties.properties @@
# apiextensions.k8s.io/v1/CustomResourceDefinition/telemetries.telemetry.istio.io
! + one map entry added:
+ formatter:
+ type: object
+ description: "Formatter adds the value of access logging substitution formatter."
+ required:
+ - value
+ properties:
+ value:
+ type: string
+ description: "The formatter tag value to use, same formatter as HTTP access logging (e.g."
+ minLength: 1
@@ data.merged-values @@
! ± value change in multiline text (one insert, one deletion)
{
"affinity": {},
"autoscaleBehavior": {},
"autoscaleEnabled": true,
[124 lines unchanged)]
},
"sts": {
"servicePort": 0
},
- "tag": "1.28.3",
+ "tag": "1.29.0",
"variant": "",
"waypoint": {
"affinity": {},
"nodeSelector": {},
[119 lines unchanged)]
"variant": "",
"volumeMounts": [],
"volumes": []
}
@@ spec.template.spec.containers.discovery.image @@
! ± value change
- docker.io/istio/pilot:1.28.3
+ docker.io/istio/pilot:1.29.0
@@ spec.template.spec.containers.discovery.env @@
! - one list entry removed:
- - name: GOMEMLIMIT
- valueFrom:
- resourceFieldRef:
- resource: limits.memory
- divisor: 1
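Review bot: Removing `GOMEMLIMIT` from the `discovery` container env means this manifest no longer derives a Go soft memory limit for istiod from `limits.memory`. The injected proxy templates in `data.config` keep `GOMEMLIMIT` and only gain `divisor: "1"`, so the control plane is the one place the setting disappears. Confirm that 1.29.0 sets it another way, or add it back through chart values, and watch istiod memory against its limit after rollout.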
@@ data.values @@
! ± value change in multiline text (one insert, one deletion)
{
"gateways": {
"seccompProfile": {},
"securityContext": {}
[99 lines unchanged)]
},
"sts": {
"servicePort": 0
},
- "tag": "1.28.3",
+ "tag": "1.29.0",
"variant": "",
"waypoint": {
"affinity": {},
"nodeSelector": {},
[29 lines unchanged)]
"rewriteAppHTTPProbe": true,
"templates": {}
}
}
@@ data.config @@
! ± value change in multiline text (31 inserts, 19 deletions)
# defaultTemplates defines the default template to use for pods that do not explicitly specify a template
defaultTemplates: [sidecar]
policy: enabled
alwaysInjectSelector:
[eight lines unchanged)]
{{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
{{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }}
requests:
{{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}}
- cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}"
+ cpu: {{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` | quote }}
{{ end }}
{{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}}
- memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}"
+ memory: {{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` | quote }}
{{ end }}
{{- end }}
{{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
limits:
{{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}}
- cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}"
+ cpu: {{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` | quote }}
{{ end }}
{{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}}
- memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}"
+ memory: {{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` | quote }}
{{ end }}
{{- end }}
{{- else }}
{{- if .Values.global.proxy.resources }}
[247 lines unchanged)]
- name: ISTIO_CPU_LIMIT
valueFrom:
resourceFieldRef:
resource: limits.cpu
+ divisor: "1"
- name: PROXY_CONFIG
value: |
{{ protoToJSON .ProxyConfig }}
- name: ISTIO_META_POD_PORTS
[14 lines unchanged)]
- name: GOMEMLIMIT
valueFrom:
resourceFieldRef:
resource: limits.memory
+ divisor: "1"
- name: GOMAXPROCS
valueFrom:
resourceFieldRef:
resource: limits.cpu
+ divisor: "1"
{{- if .CompliancePolicy }}
- name: COMPLIANCE_POLICY
value: "{{ .CompliancePolicy }}"
{{- end }}
[211 lines unchanged)]
{{- end }}
{{- end }}
- name: istio-ca-crl
configMap:
- name: istio-ca-crl
+ name: {{ .Values.pilot.crlConfigMapName | default "istio-ca-crl" }}
optional: true
{{- if .Values.global.mountMtlsCerts }}
# Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
- name: istio-certs
[113 lines unchanged)]
- name: ISTIO_CPU_LIMIT
valueFrom:
resourceFieldRef:
resource: limits.cpu
+ divisor: "1"
- name: PROXY_CONFIG
value: |
{{ protoToJSON .ProxyConfig }}
- name: ISTIO_META_POD_PORTS
[twelve lines unchanged)]
- name: GOMEMLIMIT
valueFrom:
resourceFieldRef:
resource: limits.memory
+ divisor: "1"
- name: GOMAXPROCS
valueFrom:
resourceFieldRef:
resource: limits.cpu
+ divisor: "1"
{{- if .CompliancePolicy }}
- name: COMPLIANCE_POLICY
value: "{{ .CompliancePolicy }}"
{{- end }}
[224 lines unchanged)]
{{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
{{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }}
requests:
{{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}}
- cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}"
+ cpu: {{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` | quote }}
{{ end }}
{{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}}
- memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}"
+ memory: {{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` | quote }}
{{ end }}
{{- end }}
{{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
limits:
{{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}}
- cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}"
+ cpu: {{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` | quote }}
{{ end }}
{{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}}
- memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}"
+ memory: {{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` | quote }}
{{ end }}
{{- end }}
{{- else }}
{{- if .Values.global.proxy.resources }}
[310 lines unchanged)]
) | nindent 4 }}
{{- if ge .KubeVersion 128 }}
# Safe since 1.28: https://github.com/kubernetes/kubernetes/pull/117412
ownerReferences:
- - apiVersion: gateway.networking.k8s.io/v1beta1
+ - apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
name: "{{.Name}}"
uid: "{{.UID}}"
{{- end }}
[13 lines unchanged)]
"gateway.networking.k8s.io/gateway-class-name" .GatewayClass
"gateway.istio.io/managed" .ControllerLabel
) | nindent 4 }}
ownerReferences:
- - apiVersion: gateway.networking.k8s.io/v1beta1
+ - apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
name: "{{.Name}}"
uid: "{{.UID}}"
spec:
[120 lines unchanged)]
- name: ISTIO_CPU_LIMIT
valueFrom:
resourceFieldRef:
resource: limits.cpu
+ divisor: "1"
- name: PROXY_CONFIG
value: |
{{ protoToJSON .ProxyConfig }}
{{- if .ProxyConfig.ProxyMetadata }}
[five lines unchanged)]
- name: GOMEMLIMIT
valueFrom:
resourceFieldRef:
resource: limits.memory
+ divisor: "1"
- name: GOMAXPROCS
valueFrom:
resourceFieldRef:
resource: limits.cpu
+ divisor: "1"
- name: ISTIO_META_CLUSTER_ID
value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}"
{{- $network := valueOrDefault (index .InfrastructureLabels `topology.istio.io/network`) .Values.global.network }}
{{- if $network }}
[142 lines unchanged)]
) | nindent 4 }}
name: {{.DeploymentName | quote}}
namespace: {{.Namespace | quote}}
ownerReferences:
- - apiVersion: gateway.networking.k8s.io/v1beta1
+ - apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
name: "{{.Name}}"
uid: "{{.UID}}"
spec:
[26 lines unchanged)]
"gateway.networking.k8s.io/gateway-name" .Name
"gateway.networking.k8s.io/gateway-class-name" .GatewayClass
) | nindent 4 }}
ownerReferences:
- - apiVersion: gateway.networking.k8s.io/v1beta1
+ - apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
name: {{.Name}}
uid: "{{.UID}}"
spec:
[17 lines unchanged)]
"gateway.networking.k8s.io/gateway-name" .Name
"gateway.networking.k8s.io/gateway-class-name" .GatewayClass
) | nindent 4 }}
ownerReferences:
- - apiVersion: gateway.networking.k8s.io/v1beta1
+ - apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
name: {{.Name}}
uid: "{{.UID}}"
spec:
[17 lines unchanged)]
) | nindent 4 }}
{{- if ge .KubeVersion 128 }}
# Safe since 1.28: https://github.com/kubernetes/kubernetes/pull/117412
ownerReferences:
- - apiVersion: gateway.networking.k8s.io/v1beta1
+ - apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
name: "{{.Name}}"
uid: "{{.UID}}"
{{- end }}
[13 lines unchanged)]
"gateway.networking.k8s.io/gateway-class-name" .GatewayClass
"gateway.istio.io/managed" "istio.io-gateway-controller"
) | nindent 4 }}
ownerReferences:
- - apiVersion: gateway.networking.k8s.io/v1beta1
+ - apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
name: {{.Name}}
uid: "{{.UID}}"
spec:
[123 lines unchanged)]
- name: ISTIO_CPU_LIMIT
valueFrom:
resourceFieldRef:
resource: limits.cpu
+ divisor: "1"
- name: PROXY_CONFIG
value: |
{{ protoToJSON .ProxyConfig }}
- name: ISTIO_META_POD_PORTS
[three lines unchanged)]
- name: GOMEMLIMIT
valueFrom:
resourceFieldRef:
resource: limits.memory
+ divisor: "1"
- name: GOMAXPROCS
valueFrom:
resourceFieldRef:
resource: limits.cpu
+ divisor: "1"
- name: ISTIO_META_CLUSTER_ID
value: "{{ valueOrDefault .Values.global.multiCluster.clusterName .ClusterID }}"
- name: ISTIO_META_NODE_NAME
valueFrom:
[143 lines unchanged)]
) | nindent 4 }}
name: {{.DeploymentName | quote}}
namespace: {{.Namespace | quote}}
ownerReferences:
- - apiVersion: gateway.networking.k8s.io/v1beta1
+ - apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
name: {{.Name}}
uid: {{.UID}}
spec:
[26 lines unchanged)]
"gateway.networking.k8s.io/gateway-name" .Name
"gateway.networking.k8s.io/gateway-class-name" .GatewayClass
) | nindent 4 }}
ownerReferences:
- - apiVersion: gateway.networking.k8s.io/v1beta1
+ - apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
name: {{.Name}}
uid: "{{.UID}}"
spec:
[17 lines unchanged)]
"gateway.networking.k8s.io/gateway-name" .Name
"gateway.networking.k8s.io/gateway-class-name" .GatewayClass
) | nindent 4 }}
ownerReferences:
- - apiVersion: gateway.networking.k8s.io/v1beta1
+ - apiVersion: gateway.networking.k8s.io/v1
+ kind: Gateway
+ name: {{.Name}}
+ uid: "{{.UID}}"
+ spec:
+ selector:
+ matchLabels:
+ gateway.networking.k8s.io/gateway-name: {{.Name|quote}}
+ agentgateway: |
+ apiVersion: v1
+ kind: ServiceAccount
+ metadata:
+ name: {{.ServiceAccount | quote}}
+ namespace: {{.Namespace | quote}}
+ annotations:
+ {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }}
+ labels:
+ {{- toJsonMap
+ .InfrastructureLabels
+ (strdict
+ "gateway.networking.k8s.io/gateway-name" .Name
+ "gateway.networking.k8s.io/gateway-class-name" .GatewayClass
+ ) | nindent 4 }}
+ ownerReferences:
+ - apiVersion: gateway.networking.k8s.io/v1
+ kind: Gateway
+ name: "{{.Name}}"
+ uid: "{{.UID}}"
+ ---
+ apiVersion: apps/v1
+ kind: Deployment
+ metadata:
+ name: {{.DeploymentName | quote}}
+ namespace: {{.Namespace | quote}}
+ annotations:
+ {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }}
+ labels:
+ {{- toJsonMap
+ .InfrastructureLabels
+ (strdict
+ "gateway.networking.k8s.io/gateway-name" .Name
+ "gateway.networking.k8s.io/gateway-class-name" .GatewayClass
+ "gateway.istio.io/managed" "istio.io-agentgateway-controller"
+ ) | nindent 4 }}
+ ownerReferences:
+ - apiVersion: gateway.networking.k8s.io/v1
+ kind: Gateway
+ name: {{.Name}}
+ uid: "{{.UID}}"
+ spec:
+ selector:
+ matchLabels:
+ "{{.GatewayNameLabel}}": {{.Name}}
+ template:
+ metadata:
+ annotations:
+ {{- toJsonMap
+ (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version")
+ (strdict "istio.io/rev" (.Revision | default "default"))
+ (strdict
+ "prometheus.io/path" "/stats/prometheus"
+ "prometheus.io/port" "15020"
+ "prometheus.io/scrape" "true"
+ ) | nindent 8 }}
+ labels:
+ {{- toJsonMap
+ (strdict
+ "sidecar.istio.io/inject" "false"
+ "service.istio.io/canonical-name" .DeploymentName
+ "service.istio.io/canonical-revision" "latest"
+ )
+ .InfrastructureLabels
+ (strdict
+ "gateway.networking.k8s.io/gateway-name" .Name
+ "gateway.networking.k8s.io/gateway-class-name" .GatewayClass
+ "gateway.istio.io/managed" "istio.io-agentgateway-controller"
+ ) | nindent 8 }}
+ spec:
+ securityContext:
+ {{- if .Values.gateways.securityContext }}
+ {{- toYaml .Values.gateways.securityContext | nindent 8 }}
+ {{- else }}
+ sysctls:
+ - name: net.ipv4.ip_unprivileged_port_start # allows binding to 80 and 443 without root
+ value: "0"
+ {{- if .Values.gateways.seccompProfile }}
+ seccompProfile:
+ {{- toYaml .Values.gateways.seccompProfile | nindent 10 }}
+ {{- end }}
+ {{- end }}
+ serviceAccountName: {{.ServiceAccount | quote}}
+ containers:
+ - name: agentgateway
+ {{- if contains "/" (annotation .ObjectMeta `gateway.istio.io/agentgatewayImage` .Values.global.agentgateway.image) }}
+ image: "{{ annotation .ObjectMeta `gateway.istio.io/agentgatewayImage` .Values.global.agentgateway.image }}"
+ {{- else }}
+ image: "{{ .AgentgatewayImage }}"
+ {{- end }}
+ {{- if .Values.global.proxy.resources }}
+ resources:
+ {{- toYaml .Values.global.proxy.resources | nindent 10 }}
+ {{- end }}
+ {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
+ securityContext:
+ capabilities:
+ drop:
+ - ALL
+ allowPrivilegeEscalation: false
+ privileged: false
+ readOnlyRootFilesystem: true
+ runAsUser: {{ .ProxyUID | default "10101" }}
+ runAsGroup: {{ .ProxyGID | default "10101" }}
+ runAsNonRoot: true
+ ports:
+ - containerPort: 15020
+ name: metrics
+ protocol: TCP
+ - containerPort: 15021
+ name: status-port
+ protocol: TCP
+ args:
+ - --config
+ - '{}'
+ {{- if .Values.global.proxy.lifecycle }}
+ lifecycle:
+ {{- toYaml .Values.global.proxy.lifecycle | nindent 10 }}
+ {{- end }}
+ env:
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: INSTANCE_IP
+ valueFrom:
+ fieldRef:
+ fieldPath: status.podIP
+ - name: SERVICE_ACCOUNT
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.serviceAccountName
+ - name: CPU_LIMIT
+ valueFrom:
+ resourceFieldRef:
+ resource: limits.cpu
+ divisor: "1"
+ - name: GATEWAY
+ value: {{.Name|quote}}
+ - name: RUST_BACKTRACE
+ value: "1"
+ - name: CLUSTER_ID
+ value: "{{ valueOrDefault .Values.global.multiCluster.clusterName .ClusterID }}"
+ {{- with (valueOrDefault (index .InfrastructureLabels "topology.istio.io/network") .Values.global.network) }}
+ - name: NETWORK
+ value: {{.|quote}}
+ {{- end }}
+ {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
+ - name: TRUST_DOMAIN
+ value: "{{ . }}"
+ {{- end }}
+ {{- range $key, $value := .ProxyConfig.ProxyMetadata }}
+ - name: {{ $key }}
+ value: "{{ $value }}"
+ {{- end }}
+ - name: XDS_ADDRESS
+ value: {{ .ProxyConfig.DiscoveryAddress | quote }}
+ startupProbe:
+ failureThreshold: 30
+ httpGet:
+ path: /healthz/ready
+ port: 15021
+ scheme: HTTP
+ initialDelaySeconds: 1
+ periodSeconds: 1
+ successThreshold: 1
+ timeoutSeconds: 1
+ readinessProbe:
+ failureThreshold: 4
+ httpGet:
+ path: /healthz/ready
+ port: 15021
+ scheme: HTTP
+ initialDelaySeconds: 0
+ periodSeconds: 15
+ successThreshold: 1
+ timeoutSeconds: 1
+ volumeMounts:
+ - mountPath: /var/run/secrets/xds
+ name: istiod-ca-cert
+ - mountPath: /var/run/secrets/xds-tokens
+ name: istio-token
+ - mountPath: /tmp
+ name: tmp
+ volumes:
+ - emptyDir: {}
+ name: tmp
+ - name: istio-token
+ projected:
+ sources:
+ - serviceAccountToken:
+ path: xds-token
+ expirationSeconds: 43200
+ audience: {{ .Values.global.sds.token.aud }}
+ {{- if eq .Values.global.pilotCertProvider "istiod" }}
+ - name: istiod-ca-cert
+ {{- if eq ((.Values.pilot).env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }}
+ projected:
+ sources:
+ - clusterTrustBundle:
+ name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }}
+ path: root-cert.pem
+ {{- else }}
+ configMap:
+ name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }}
+ {{- end }}
+ {{- end }}
+ {{- if .Values.global.imagePullSecrets }}
+ imagePullSecrets:
+ {{- range .Values.global.imagePullSecrets }}
+ - name: {{ . }}
+ {{- end }}
+ {{- end }}
+ ---
+ apiVersion: v1
+ kind: Service
+ metadata:
+ annotations:
+ {{ toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }}
+ labels:
+ {{- toJsonMap
+ .InfrastructureLabels
+ (strdict
+ "gateway.networking.k8s.io/gateway-name" .Name
+ "gateway.networking.k8s.io/gateway-class-name" .GatewayClass
+ ) | nindent 4 }}
+ name: {{.DeploymentName | quote}}
+ namespace: {{.Namespace | quote}}
+ ownerReferences:
+ - apiVersion: gateway.networking.k8s.io/v1
+ kind: Gateway
+ name: {{.Name}}
+ uid: {{.UID}}
+ spec:
+ ipFamilyPolicy: PreferDualStack
+ ports:
+ {{- range $key, $val := .Ports }}
+ - name: {{ $val.Name | quote }}
+ port: {{ $val.Port }}
+ protocol: TCP
+ appProtocol: {{ $val.AppProtocol }}
+ {{- end }}
+ selector:
+ "{{.GatewayNameLabel}}": {{.Name}}
+ {{- if and (.Spec.Addresses) (eq .ServiceType "LoadBalancer") }}
+ loadBalancerIP: {{ (index .Spec.Addresses 0).Value | quote}}
+ {{- end }}
+ type: {{ .ServiceType | quote }}
+ ---
+ apiVersion: autoscaling/v2
+ kind: HorizontalPodAutoscaler
+ metadata:
+ name: {{.DeploymentName | quote}}
+ namespace: {{.Namespace | quote}}
+ annotations:
+ {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }}
+ labels:
+ {{- toJsonMap
+ .InfrastructureLabels
+ (strdict
+ "gateway.networking.k8s.io/gateway-name" .Name
+ "gateway.networking.k8s.io/gateway-class-name" .GatewayClass
+ ) | nindent 4 }}
+ ownerReferences:
+ - apiVersion: gateway.networking.k8s.io/v1
+ kind: Gateway
+ name: {{.Name}}
+ uid: "{{.UID}}"
+ spec:
+ scaleTargetRef:
+ apiVersion: apps/v1
+ kind: Deployment
+ name: {{.DeploymentName | quote}}
+ maxReplicas: 1
+ ---
+ apiVersion: policy/v1
+ kind: PodDisruptionBudget
+ metadata:
+ name: {{.DeploymentName | quote}}
+ namespace: {{.Namespace | quote}}
+ annotations:
+ {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }}
+ labels:
+ {{- toJsonMap
+ .InfrastructureLabels
+ (strdict
+ "gateway.networking.k8s.io/gateway-name" .Name
+ "gateway.networking.k8s.io/gateway-class-name" .GatewayClass
+ ) | nindent 4 }}
+ ownerReferences:
+ - apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
name: {{.Name}}
uid: "{{.UID}}"
spec:
selector:
matchLabels:
gateway.networking.k8s.io/gateway-name: {{.Name|quote}}
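Review bot: In the new `agentgateway` template the container image is taken from the `gateway.istio.io/agentgatewayImage` annotation whenever that value contains a `/`, so whoever can set annotations on the object decides which image runs in a pod that mounts `istio-token` and `istiod-ca-cert`. The container `securityContext` is tight (`drop: ALL`, `readOnlyRootFilesystem: true`, `runAsNonRoot: true`), but it does not constrain the image source. Pair this upgrade with an admission policy that restricts or pins that annotation to the approved registry, and set `.Values.global.agentgateway.image` explicitly in the platform values. A smaller point in the same template: the Service `ownerReferences` render `uid: {{.UID}}` unquoted while the ServiceAccount and Deployment use `uid: "{{.UID}}"`; quoting it consistently would be safer.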
@@ rules @@
! - one list entry removed:
- - resources:
- - endpoints
- - namespaces
- - nodes
- - pods
- - replicationcontrollers
- - secrets
- - services
- apiGroups:
- -
- verbs:
- - get
- - list
- - watch
! + one list entry added:
+ - resources:
+ - configmaps
+ - endpoints
+ - namespaces
+ - nodes
+ - pods
+ - replicationcontrollers
+ - secrets
+ - services
+ apiGroups:
+ -
+ verbs:
+ - get
+ - list
+ - watch
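Review bot: This `rules` entry now grants `get`, `list` and `watch` on `configmaps` in the same core-group rule that already covers `secrets`, and the diff header does not say which Role or ClusterRole it belongs to. Name the role and its bound service account in the PR description, and state which 1.29.0 feature needs the ConfigMap read, so the permission increase is reviewed on purpose and not only as a side effect of the chart bump.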
@@ data.core.yaml @@
! ± value change in multiline text (one insert, one deletion)
adminApps:
- deps:
- prometheus
ingress:
[384 lines unchanged)]
about: Istio is an open platform for providing a uniform way to integrate microservices,
manage traffic flow across microservices, enforce policies and aggregate telemetry
data. Istio's control plane provides an abstraction layer over the underlying
cluster management platform.
- appVersion: 1.28.3
+ appVersion: 1.29.0
integration: App Platform has security best practices built in, and is designed
for intrusion. Istio is used by App Platform as a service mesh to deliver mTLS
enforcement for all traffic that is deemed compromisable, egress control to
force teams to choose explicit egress endpoints, and advanced routing capabilities
[329 lines unchanged)]
svc: tekton-dashboard
type: public
name: tekton
ownHost: true
|
This PR updates the dependency base to version 1.29.0.