
Commit 079c361

chore: update istio CRDs to use v1 API (#2606)
## Description

#### Original scope (3 operator-typed kinds)

- **Typed classes** — AuthorizationPolicy, VirtualService, ServiceEntry regenerated at `v1` via `src/istio/tasks.yaml` `KEEP` list update
- **advancedHTTP subset** — regenerated at `v1` via `CRD_VERSION` bump in `gen-istio-crd-sources.ts`
- **Imports** — aggregator (`crd/index.ts`), `sources/package/v1alpha1.ts`, and 7 direct-path consumers (3 source + 4 spec) repointed to `-v1`
- **Hardcoded `apiVersion` literals** — 9 string swaps in operator source + specs
- **AuthorizationPolicy chart YAMLs** — 2 Keycloak templates bumped
- **Docs** — VirtualService + AuthorizationPolicy examples at `v1`

#### Expanded scope (other shipped Istio kinds with upstream `v1`)

- **PeerAuthentication** — 5 chart YAMLs (keycloak, istio-common ×2, metrics-server, prometheus-stack) bumped `v1beta1` → `v1`
- **Gateway** — 1 chart YAML (`uds-istio-config`) bumped `v1beta1` → `v1`
- **DestinationRule** — 1 chart YAML (Keycloak session stickiness) bumped `v1alpha3` → `v1`

## Related Issue

Fixes CORE-44

## Type of change

- [ ] Bug fix (non-breaking change which fixes an issue)
- [ ] New feature (non-breaking change which adds functionality)
- [x] Other (security config, docs update, etc)

## Steps to Validate

- `kubectl get vs,authorizationpolicy,serviceentry,peerauthentication,destinationrule,gateway -A -o yaml | grep -E '^- apiVersion:' | sort -u` post-deploy.
- Applied `v1beta1` VirtualService and PeerAuthentication → still accepted (no regression)

## Checklist before merging

- [x] Test, docs, adr added or updated as needed
- [x] [Contributor Guide](https://github.com/defenseunicorns/uds-core/blob/main/CONTRIBUTING.md) followed
1 parent 40a1a97 commit 079c361

27 files changed

Lines changed: 66 additions & 66 deletions


docs/dev/authorization-policy-generation.md

Lines changed: 6 additions & 6 deletions
@@ -66,7 +66,7 @@ spec:
6666
```
6767
6868
```yaml
69-
apiVersion: security.istio.io/v1beta1
69+
apiVersion: security.istio.io/v1
7070
kind: AuthorizationPolicy
7171
metadata:
7272
name: protect-my-app-ingress-external-app
@@ -99,7 +99,7 @@ spec:
9999
```
100100
101101
```yaml
102-
apiVersion: security.istio.io/v1beta1
102+
apiVersion: security.istio.io/v1
103103
kind: AuthorizationPolicy
104104
metadata:
105105
name: protect-my-app-ingress-frontend
@@ -132,7 +132,7 @@ spec:
132132
```
133133
134134
```yaml
135-
apiVersion: security.istio.io/v1beta1
135+
apiVersion: security.istio.io/v1
136136
kind: AuthorizationPolicy
137137
metadata:
138138
name: protect-loki-ingress-all
@@ -160,7 +160,7 @@ spec:
160160
```
161161
162162
```yaml
163-
apiVersion: security.istio.io/v1beta1
163+
apiVersion: security.istio.io/v1
164164
kind: AuthorizationPolicy
165165
metadata:
166166
name: protect-myapp-ingress-all
@@ -191,7 +191,7 @@ spec:
191191
```
192192
193193
```yaml
194-
apiVersion: security.istio.io/v1beta1
194+
apiVersion: security.istio.io/v1
195195
kind: AuthorizationPolicy
196196
metadata:
197197
name: protect-my-app-ingress-9090-backend-istio-admin-gateway
@@ -228,7 +228,7 @@ spec:
228228
```
229229
230230
```yaml
231-
apiVersion: security.istio.io/v1beta1
231+
apiVersion: security.istio.io/v1
232232
kind: AuthorizationPolicy
233233
metadata:
234234
name: protect-grafana-ingress-grafana-istio-tenant-gateway

docs/how-to-guides/networking/configure-non-http-ingress.mdx

Lines changed: 2 additions & 2 deletions
@@ -79,7 +79,7 @@ This example configures SSH ingress, but the same process applies to any TCP pro
7979
In your application's Zarf package, create a Gateway CR that tells Istio to listen on the new port for your host:
8080

8181
```yaml title="gateway.yaml"
82-
apiVersion: networking.istio.io/v1beta1
82+
apiVersion: networking.istio.io/v1
8383
kind: Gateway
8484
metadata:
8585
name: example-ssh-gateway
@@ -101,7 +101,7 @@ This example configures SSH ingress, but the same process applies to any TCP pro
101101
Route incoming TCP traffic from the gateway to your application service:
102102
103103
```yaml title="virtualservice.yaml"
104-
apiVersion: networking.istio.io/v1beta1
104+
apiVersion: networking.istio.io/v1
105105
kind: VirtualService
106106
metadata:
107107
name: example-ssh
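
Review bot: Both manifests in this how-to (the `apiVersion` lines at 82 and 104) are meant to be copied into a user's own Zarf package, and after the bump nothing in the visible text says which API versions are still accepted. The description states that `v1beta1` VirtualService and PeerAuthentication objects are still accepted, so a one-line note to that effect near the first example would tell readers with existing `v1beta1` manifests that they are not forced to rewrite them at the same time as they upgrade.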

src/istio/charts/uds-istio-config/templates/gateway.yaml

Lines changed: 2 additions & 2 deletions
@@ -1,4 +1,4 @@
1-
# Copyright 2024 Defense Unicorns
1+
# Copyright 2024-2026 Defense Unicorns
22
# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial
33

44
{{- $domain := tpl .Values.domain . }}
@@ -7,7 +7,7 @@
77
{{- $rootMode := $rootTLS.mode | default ($.Values.tls.mode | default "SIMPLE") -}}
88
{{- $rootSupportTLS := $rootTLS.supportTLSV1_2 | default ($.Values.tls.supportTLSV1_2 | default false) -}}
99
{{- if .Values.tls }}
10-
apiVersion: networking.istio.io/v1beta1
10+
apiVersion: networking.istio.io/v1
1111
kind: Gateway
1212
metadata:
1313
name: {{ .Values.name }}-gateway

src/istio/common/chart/templates/peer-authentication.yaml

Lines changed: 2 additions & 2 deletions
@@ -1,10 +1,10 @@
1-
# Copyright 2024 Defense Unicorns
1+
# Copyright 2024-2026 Defense Unicorns
22
# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial
33

44
---
55
# @lulaStart 4bc74dfa-60b7-4716-af4b-b492a12eec42
66
# Source: istio/templates/bigbang/peerAuthentication.yaml
7-
apiVersion: security.istio.io/v1beta1
7+
apiVersion: security.istio.io/v1
88
kind: PeerAuthentication
99
metadata:
1010
name: default-istio-system

src/istio/common/chart/templates/pepr-istio-config.yaml

Lines changed: 3 additions & 3 deletions
@@ -1,4 +1,4 @@
1-
# Copyright 2024 Defense Unicorns
1+
# Copyright 2024-2026 Defense Unicorns
22
# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial
33

44
# Have to pre-create the namespace and also patch it with the istio-injection label later because
@@ -10,7 +10,7 @@ metadata:
1010
labels:
1111
istio.io/dataplane-mode: ambient
1212
---
13-
apiVersion: "security.istio.io/v1beta1"
13+
apiVersion: "security.istio.io/v1"
1414
kind: PeerAuthentication
1515
metadata:
1616
name: permissive-pepr-webhook
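
Review bot: The value on line 13 stays quoted (`apiVersion: "security.istio.io/v1"`), as does the one on line 28 of this file, while every other template touched in this commit writes it unquoted. Both forms parse to the same string, but dropping the quotes here would let a single literal search for `apiVersion: security.istio.io/` cover all chart templates the next time a version audit is needed.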
@@ -25,7 +25,7 @@ spec:
2525
"3000":
2626
mode: PERMISSIVE
2727
---
28-
apiVersion: "security.istio.io/v1beta1"
28+
apiVersion: "security.istio.io/v1"
2929
kind: PeerAuthentication
3030
metadata:
3131
name: permissive-pepr-webhook-watcher

src/istio/tasks.yaml

Lines changed: 1 addition & 1 deletion
@@ -48,7 +48,7 @@ tasks:
4848
npx kubernetes-fluent-client@3.11.6 crd https://raw.githubusercontent.com/istio/istio/1.29.1/manifests/charts/base/files/crd-all.gen.yaml "$OUT_DIR"
4949
5050
# Istio includes all CRDs in a single YAML file so we need to prune down to just the subset we want to keep
51-
KEEP="authorizationpolicy-v1beta1 gateway-v1 requestauthentication-v1 serviceentry-v1beta1 sidecar-v1 virtualservice-v1beta1"
51+
KEEP="authorizationpolicy-v1 gateway-v1 requestauthentication-v1 serviceentry-v1 sidecar-v1 virtualservice-v1"
5252
for f in "$OUT_DIR"/*.ts; do
5353
base="$(basename "$f" .ts)"
5454
if [[ " $KEEP " != *" $base "* ]]; then
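
Review bot: The new `KEEP` names on line 51 are matched by exact basename in the loop on lines 52-54, so if the generator emits a file named anything other than `authorizationpolicy-v1`, `serviceentry-v1` or `virtualservice-v1`, that file is pruned with no error and the typed class simply goes missing. Add a check after the loop that every entry in `KEEP` has a corresponding `.ts` file in `$OUT_DIR` and exit non-zero if one does not, so a naming mismatch fails the task instead of surfacing later as a broken import.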

src/keycloak/chart/templates/destination-rule.yaml

Lines changed: 2 additions & 2 deletions
@@ -1,8 +1,8 @@
1-
# Copyright 2024 Defense Unicorns
1+
# Copyright 2024-2026 Defense Unicorns
22
# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial
33

44
{{- if and .Values.autoscaling.enabled .Values.autoscaling.sessionStickiness.enabled }}
5-
apiVersion: networking.istio.io/v1alpha3
5+
apiVersion: networking.istio.io/v1
66
kind: DestinationRule
77
metadata:
88
name: {{ include "keycloak.fullname" . }}-sticky-session

src/keycloak/chart/templates/istio-authpol-admin.yaml

Lines changed: 3 additions & 3 deletions
@@ -1,8 +1,8 @@
1-
# Copyright 2024 Defense Unicorns
1+
# Copyright 2024-2026 Defense Unicorns
22
# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial
33

4-
{{- if .Capabilities.APIVersions.Has "security.istio.io/v1beta1" }}
5-
apiVersion: security.istio.io/v1beta1
4+
{{- if .Capabilities.APIVersions.Has "security.istio.io/v1" }}
5+
apiVersion: security.istio.io/v1
66
kind: AuthorizationPolicy
77
metadata:
88
name: keycloak-block-admin-access-from-public-gateway
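
Review bot: The guard on line 4 now tests `.Capabilities.APIVersions.Has "security.istio.io/v1"`, so on a cluster whose Istio CRDs serve only `v1beta1` the `keycloak-block-admin-access-from-public-gateway` AuthorizationPolicy renders to nothing and the install still succeeds, unless an `else` branch exists outside the visible context. For a policy whose name says it blocks admin access from the public gateway, silent omission is the wrong failure mode. Consider an `else` that calls Helm's `fail` with a message naming the missing API version, or drop the guard so the apply is rejected outright when `v1` is not served.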

src/keycloak/chart/templates/istio-authpol-waypoint.yaml

Lines changed: 3 additions & 3 deletions
@@ -1,8 +1,8 @@
1-
# Copyright 2025 Defense Unicorns
1+
# Copyright 2025-2026 Defense Unicorns
22
# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial
33

4-
{{- if .Capabilities.APIVersions.Has "security.istio.io/v1beta1" }}
5-
apiVersion: security.istio.io/v1beta1
4+
{{- if .Capabilities.APIVersions.Has "security.istio.io/v1" }}
5+
apiVersion: security.istio.io/v1
66
kind: AuthorizationPolicy
77
metadata:
88
name: keycloak-enforce-waypoint
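
Review bot: Line 4 makes `keycloak-enforce-waypoint` conditional on `security.istio.io/v1` being reported in `.Capabilities`, which affects offline rendering as well as live installs. `helm template` run without a cluster does not know about CRD-provided API groups, so any test or pipeline that renders this chart and previously passed `--api-versions security.istio.io/v1beta1` must now pass `--api-versions security.istio.io/v1`, otherwise this policy drops out of the rendered output with no error. Please confirm the chart's render tests were updated to match, or assert in them that this object is present.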

src/keycloak/chart/templates/istio-peer-auth.yaml

Lines changed: 3 additions & 3 deletions
@@ -1,8 +1,8 @@
1-
# Copyright 2024 Defense Unicorns
1+
# Copyright 2024-2026 Defense Unicorns
22
# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial
33

4-
{{- if .Capabilities.APIVersions.Has "security.istio.io/v1beta1" }}
5-
apiVersion: security.istio.io/v1beta1
4+
{{- if .Capabilities.APIVersions.Has "security.istio.io/v1" }}
5+
apiVersion: security.istio.io/v1
66
kind: PeerAuthentication
77
metadata:
88
name: keycloak
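
Review bot: With the gate on line 4 moved to `security.istio.io/v1`, the `keycloak` PeerAuthentication is skipped without error wherever that version is not served, and the workload is then governed only by whatever mesh-wide or namespace-wide PeerAuthentication exists. The validation step in the description lists the `apiVersion` of objects that are present, so it cannot detect one that was never created. Add a post-deploy check that a PeerAuthentication named `keycloak` exists in the chart's namespace.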
