feat: represent revision tags using services#56141

Merged: istio-testing merged 37 commits into istio:master from german1608:feat/use-services-for-mwh-replacement on Jun 26, 2025.

@german1608
Contributor

@german1608 german1608 commented Apr 30, 2025

Please provide a description of this PR:

This PR implements clusterip services as a replacement for mutatingwebhooks when using revision tags.

Design doc: https://docs.google.com/document/d/1gCvcTUo0f5HhOZ5UFHYK_moDGXVAZTssZBPhPvewqGU/edit?tab=t.0

@istio-testing istio-testing added the do-not-merge/work-in-progress Block merging of a PR because it isn't ready yet. label Apr 30, 2025
@linux-foundation-easycla

linux-foundation-easycla bot commented Apr 30, 2025

CLA Signed

The committers listed above are authorized under a signed CLA.

@istio-policy-bot

😊 Welcome @german1608! This is either your first contribution to the Istio istio repo, or it's been
a while since you've been here.

You can learn more about the Istio working groups, Code of Conduct, and contribution guidelines
by referring to Contributing to Istio.

Thanks for contributing!

Courtesy of your friendly welcome wagon.

@istio-testing istio-testing added size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. needs-ok-to-test labels Apr 30, 2025
@istio-testing
Collaborator

Hi @german1608. Thanks for your PR.

I'm waiting for an Istio member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@german1608 german1608 force-pushed the feat/use-services-for-mwh-replacement branch from 3a29e28 to a5bc155 Compare April 30, 2025 21:39
@Stevenjin8
Contributor

/ok-to-test

@istio-testing istio-testing added ok-to-test Set this label allow normal testing to take place for a PR not submitted by an Istio org member. and removed needs-ok-to-test labels May 6, 2025
@german1608
Contributor Author

/ok-to-test

1 similar comment
@german1608
Contributor Author

/ok-to-test

@german1608
Contributor Author

/retest

@german1608 german1608 force-pushed the feat/use-services-for-mwh-replacement branch from 1eb3fea to 759a032 Compare May 13, 2025 18:00
@german1608
Contributor Author

/ok-to-test

5 similar comments
@german1608
Contributor Author

/ok-to-test

@german1608
Contributor Author

/ok-to-test

@german1608
Contributor Author

/ok-to-test

@german1608
Contributor Author

/ok-to-test

@german1608
Contributor Author

/ok-to-test

@german1608
Contributor Author

/retest

@german1608 german1608 changed the title Feat/use services for mwh replacement feat: represent revision tags using services May 15, 2025
@german1608 german1608 marked this pull request as ready for review May 15, 2025 17:54
@german1608 german1608 requested review from a team as code owners May 15, 2025 17:54
@german1608 german1608 force-pushed the feat/use-services-for-mwh-replacement branch from 3608262 to c40ad5a Compare June 24, 2025 17:10
@istio-testing istio-testing removed the needs-rebase Indicates a PR needs to be rebased before being merged label Jun 24, 2025
@german1608 german1608 requested a review from howardjohn June 24, 2025 21:02
@german1608
Contributor Author

@howardjohn could you take a look at this PR please? Let me know any outstanding questions

@istio-testing istio-testing merged commit 0550a31 into istio:master Jun 26, 2025
30 checks passed
keithmattix added a commit that referenced this pull request Jun 30, 2025
istio-testing pushed a commit that referenced this pull request Jun 30, 2025
Stevenjin8 pushed a commit to Stevenjin8/istio that referenced this pull request Jul 3, 2025
* first iteration of using services and mutatingwebhooks as tags

* include namespaces

* log warnings on conflict

* rename revision-tags to revision-tags-mwc.yaml

* Create service tags on helm istiod chart

* initial iteration for istioctl tag set

* include IstioNamespace in GenerateOptions

* Update signature of Generate to return a list of objects to generate

* consider service if running ambient

* go back to strings when returning

* go back to string completely, delete TagResources

* rename service object

* move break to correct line

* implement istioctl tag remove

* add uniqTagsFromServices and uniqTagsFromWebhooks

* istioctl tag list consider services

* add operatorManageWebhooks guard to revision-tags-mwc.yaml

* rename revision-tags.yaml to revision-tags-svc.yaml

* refactor delete test case

* test istioctl tag list

* remove ambient check, create and manage both resources at the same time

* wip test cases

* remove controlplane mode

* fix test

* my own code review

* fix compilation error

* fix lint

* wip integ-helm_istio

* add app=istiod label filter

* merge override labels in generate.go

* add release note

* set owner labels to revision service tag

* rollback changes on e2e for helm

* fix helm e2e

* use servicesAfters instead of webhooksAfter in tag_test.go assertion log

* Remove unnecessary deprecation message

* refactor tag_test.go to reduce diff size
Stevenjin8 pushed a commit to Stevenjin8/istio that referenced this pull request Jul 3, 2025
istio-testing added a commit that referenced this pull request Jul 10, 2025
* Initial changes to reach label selector from mesh config to update endpoints

Signed-off-by: Jackie Elliott <jaellio@microsoft.com>

Pass MeshConfig to GlobalMergedWorkloadServicesCollection

Signed-off-by: Jackie Elliott <jaellio@microsoft.com>

Add cluster and listener service filtering for waypoints and
e/w gateways

Signed-off-by: Jackie Elliott <jaellio@microsoft.com>

Respond to PR feedback

Signed-off-by: Jackie Elliott <jaellio@microsoft.com>

Add more tests

Signed-off-by: Jackie Elliott <jaellio@microsoft.com>

Fix incorrect waypoint logic. In ambient mode, e/w gateways and waypoints
are both node.Type Waypoints

Signed-off-by: Jackie Elliott <jaellio@microsoft.com>

Remove unused ServicesForGateway

Signed-off-by: Jackie Elliott <jaellio@microsoft.com>

Updated failing lint and add a release note

Signed-off-by: Jackie Elliott <jaellio@microsoft.com>

* Filter services in ServiceServiceBuilder and check feature
flag for ambient multi network.

Signed-off-by: Jackie Elliott <jaellio@microsoft.com>

* Move feature flag set to avoid race

Signed-off-by: Jackie Elliott <jaellio@microsoft.com>

* Fix race

Signed-off-by: Jackie Elliott <jaellio@microsoft.com>

* Remove ScopeByService on workload

Signed-off-by: Jackie Elliott <jaellio@microsoft.com>

* Fix fmt

Signed-off-by: Jackie Elliott <jaellio@microsoft.com>

* Add scope to serviceInfo equality check

Signed-off-by: Jackie Elliott <jaellio@microsoft.com>

* Also add Service SANS

* [REMOVE ME] enable multinetwork ambient by default

* Move number theory functions to math module

* Even capacity distribution with multiple gateways

* Automatically include waypoint svc of global svcs

* Some refactoring too

* Messy checkpoint

* Random

* Jackie rebase

* Jackie rebase

* Tests passing (?)

* Lint

* Enable domain suffixes

* fix tests again

* Make gen

* Add e/w gateway support for ambient multi network tests

Signed-off-by: Jackie Elliott <jaellio@microsoft.com>

* Fix integration tests

Signed-off-by: Jackie Elliott <jaellio@microsoft.com>

* Fix lint/gen and test failures

Signed-off-by: Jackie Elliott <jaellio@microsoft.com>

* Tests passing (?)

* Lint

* Automator: update proxy@master in istio/istio@master (#56771)

* Fix Gateway API tests to consider istio test cli flags (#56704)

* set revision when running istioctl

* Add revision to gateway in ManagedGatewayTest

* Do not hardcode istio-system in UnamagedGatewayTest

* include istioNamespace in istioctl commands for TaggedGatewayTest

* Use Revisions instead of Revision (later is deprecated)

* only set --istioNamespace is c.istioNamespace

* If ingress gateway ns not set, use istio-system

* set also ingress gateway svc name

* remove revision from ManagedGatewayTest (not needed), add TODO comment for remaining test

* feat: represent revision tags using services (#56141)

* first iteration of using services and mutatingwebhooks as tags

* include namespaces

* log warnings on conflict

* rename revision-tags to revision-tags-mwc.yaml

* Create service tags on helm istiod chart

* initial iteration for istioctl tag set

* include IstioNamespace in GenerateOptions

* Update signature of Generate to return a list of objects to generate

* consider service if running ambient

* go back to strings when returning

* go back to string completely, delete TagResources

* rename service object

* move break to correct line

* implement istioctl tag remove

* add uniqTagsFromServices and uniqTagsFromWebhooks

* istioctl tag list consider services

* add operatorManageWebhooks guard to revision-tags-mwc.yaml

* rename revision-tags.yaml to revision-tags-svc.yaml

* refactor delete test case

* test istioctl tag list

* remove ambient check, create and manage both resources at the same time

* wip test cases

* remove controlplane mode

* fix test

* my own code review

* fix compilation error

* fix lint

* wip integ-helm_istio

* add app=istiod label filter

* merge override labels in generate.go

* add release note

* set owner labels to revision service tag

* rollback changes on e2e for helm

* fix helm e2e

* use servicesAfters instead of webhooksAfter in tag_test.go assertion log

* Remove unnecessary deprecation message

* refactor tag_test.go to reduce diff size

* Update client go (#56780)

* Automator: update istio/client-go@master dependency in istio/istio@master

* fix test

* fix more

* fix TestTelemetryMetricsExhaustiveness

---------

Co-authored-by: istio-testing <istio-testing-bot@google.com>

* Automator: update istio/client-go@master dependency in istio/istio@master (#56781)

* Impl RetryBudget in DestinationRule (#56782)

* impl RetryBudget

* release notes

* add test case

* add release notes for ClusterTrustBundle (#56748)

* Add domain resolve to Ambient TestServiceEntryInlinedWorkloadEntry test (#56784)

When executing TestServiceEntryInlinedWorkloadEntry Ambient test in a
public cloud based cluster, the created ingress is a domain based name
and the test fails with the following error:

configuration is invalid: endpoint address
"a6eec2a91721a42b0aa8e140fc6611fc-1873540778.us-east-1.elb.amazonaws.com"
is not a valid IP address

Add a domain name resolution to ip based address.

Signed-off-by: Maxim Babushkin <mbabushk@redhat.com>

* Automator: update common-files@master in istio/istio@master (#56788)

* Automator: update proxy@master in istio/istio@master (#56789)

* Do not transitively import net/trace (#56637)

* Do not transitively import net/trace

This drops 300kb off the binary. Not a big deal but
#56636 is a 5mb potential and
this is a step to it

* drop license

* Automator: update istio/client-go@master dependency in istio/istio@master (#56790)

* do not use discovery filter for system namespace network (#56687)

* do not use discovery filter for system namespace network

* relnote

* revert label selector

* Automator: update proxy@master in istio/istio@master (#56794)

* status: fix busyloop (#56798)

This has been observed to cause extremely high CPU usage as we busyloop.

Basically if we have at least 1 pending item, and we re-enqueue and
actively worked on item, it will busy loop until the actively worked on
item is handled.

We should instead kill this worker. The other worker will handle the
task when it completes

* Gateway: provide stable HTTPRoute status ordering (#56504)

* Add test cases

* gateway: emit HTTPRoute status in a stable ordering

* Update tests

* fix test

* Automator: update ztunnel@master in istio/istio@master (#56803)

* manifests: refactor conditions for tproxy and capNetBindService (#56809)

* manifests: refactor conditions for TPROXY

Signed-off-by: Jacek Ewertowski <jacek.ewertowski1@gmail.com>

* Encapsulate checking capNetBindService

Signed-off-by: Jacek Ewertowski <jacek.ewertowski1@gmail.com>

---------

Signed-off-by: Jacek Ewertowski <jacek.ewertowski1@gmail.com>

* tests: assign privileged SCC to tproxy SA on OpenShift (#56799)

* tests: assign privileged SCC to tproxy SA on OpenShift

Signed-off-by: Jacek Ewertowski <jacek.ewertowski1@gmail.com>

* Rename bool variable `openshift` to `isOpenShift`

Signed-off-by: Jacek Ewertowski <jacek.ewertowski1@gmail.com>

* Fix a typo in CRB name

Signed-off-by: Jacek Ewertowski <jacek.ewertowski1@gmail.com>

---------

Signed-off-by: Jacek Ewertowski <jacek.ewertowski1@gmail.com>

* fix dns althost name generation (#56806)

* fix dns althost name generation

Signed-off-by: Rama Chavali <rama.rao@salesforce.com>

* remove unnecessary test change

Signed-off-by: Rama Chavali <rama.rao@salesforce.com>

---------

Signed-off-by: Rama Chavali <rama.rao@salesforce.com>

* add gateway implementation for retry budget (#56808)

* add gateway implementation for retry budget

Signed-off-by: Rama Chavali <rama.rao@salesforce.com>

* comments

Signed-off-by: Rama Chavali <rama.rao@salesforce.com>

---------

Signed-off-by: Rama Chavali <rama.rao@salesforce.com>

* tcp/tls route: fix multiple parent binds (#56818)

Fixes #56769

The problem was we had non-unique names for each generated object. Add
unit tests and fix to use the same counting approach HTTP/GRPC uses

* Automator: update proxy@master in istio/istio@master (#56813)

* Add annotation support to deployment object in istio discovery chart (#56787)

* Add deployment object annotation support to istio discovery chart

* Add release note for deployment object annotation support to istiod chart

* Automator: update go-control-plane in istio/istio@master (#56821)

* Automator: update proxy@master in istio/istio@master (#56822)

* Automator: update proxy@master in istio/istio@master (#56823)

* Automator: update proxy@master in istio/istio@master (#56829)

* Create Istio owned CNI config (#56156)

* Create Istio owned CNI config

Signed-off-by: Jackie Elliott <jaellio@microsoft.com>

* Set CNIConfName to primary CNI config file name

Signed-off-by: Jackie Elliott <jaellio@microsoft.com>

* Make Istio owned cni config opt in and the config name
configurable

Signed-off-by: Jackie Elliott <jaellio@microsoft.com>

* Add warning for invalid istio own cni config filename priority

Signed-off-by: Jackie Elliott <jaellio@microsoft.com>

* Add release note

Signed-off-by: Jackie Elliott <jaellio@microsoft.com>

---------

Signed-off-by: Jackie Elliott <jaellio@microsoft.com>

* Revert "feat: represent revision tags using services (#56141)" (#56833)

This reverts commit 0550a31.

* Automator: update istio/client-go@master dependency in istio/istio@master (#56835)

* Automator: update ztunnel@master in istio/istio@master (#56840)

* improve istioctl dashboard example (#56842)

Signed-off-by: xin.li <xin.li@daocloud.io>

* Automator: update common-files@master in istio/istio@master (#56834)

* Automator: update proxy@master in istio/istio@master (#56846)

* Enable domain suffixes

* fix tests again

* Make gen

* Respond to Keith's PR feedback

Signed-off-by: Jackie Elliott <jaellio@microsoft.com>

* Fix get and comparison

* review part 1

* Fix gen

Signed-off-by: Jackie Elliott <jaellio@microsoft.com>

* Add support waypoint visibility at network gateways when the
waypoint has globally scoped services

Signed-off-by: Jackie Elliott <jaellio@microsoft.com>

* Get rid of splithorizon specific stuff

* lint

* lint

* - deploy e/w gateway with blackhole listener/cluster if ambient
multinetwork is enable to allow for existence even if no globally
scoped services exist
- utilize existing apps for integration tests

Signed-off-by: Jackie Elliott <jaellio@microsoft.com>

* wait on eastwest gateway by checking programmed
status

Signed-off-by: Jackie Elliott <jaellio@microsoft.com>

* Minimize diff

* Update default servicescopeconfig and duplicate DeployGatewayAPI
for simplicity

Signed-off-by: Jackie Elliott <jaellio@microsoft.com>

* Fix indentation and remove unrelated file

Signed-off-by: Jackie Elliott <jaellio@microsoft.com>

* Compare networks rather than cluster id to determine locality

Signed-off-by: Jackie Elliott <jaellio@microsoft.com>

* review part 2

* correct east west gw svc name

* Use correct address for e/w gateway and compare networks rather
than clusterids

Signed-off-by: Jackie Elliott <jaellio@microsoft.com>

* Add todo and remove duplicate config

Signed-off-by: Jackie Elliott <jaellio@microsoft.com>

* Fix flakes

* Add comment to fix e/w gateway service lookup perf in beta

Signed-off-by: Jackie Elliott <jaellio@microsoft.com>

* Include network gateways

* use other network gateway

* Use name when generating ewgateway workloads

* Keith review

* Don't use gateway suffixes

* releasenotes

* Fix service merging and nwgateway naming

* Issue about multiple network gateways

* Lint, fix test, and remove release note

* Jackie review

* More docs

---------

Signed-off-by: Jackie Elliott <jaellio@microsoft.com>
Signed-off-by: Maxim Babushkin <mbabushk@redhat.com>
Signed-off-by: Jacek Ewertowski <jacek.ewertowski1@gmail.com>
Signed-off-by: Rama Chavali <rama.rao@salesforce.com>
Signed-off-by: xin.li <xin.li@daocloud.io>
Co-authored-by: Jackie Elliott <jaellio@microsoft.com>
Co-authored-by: Istio Automation <istio-testing-bot@google.com>
Co-authored-by: German Robayo <germanrobayo33@gmail.com>
Co-authored-by: zirain <zirain2009@gmail.com>
Co-authored-by: Maxim Babushkin <mbabushk@redhat.com>
Co-authored-by: John Howard <howardjohn@google.com>
Co-authored-by: Steven Landow <steven@landow.dev>
Co-authored-by: Jacek Ewertowski <jacek.ewertowski1@gmail.com>
Co-authored-by: Rama Chavali <rama.rao@salesforce.com>
Co-authored-by: Ramal Abeysekera <ramal.abeysekera@hotmail.com>
Co-authored-by: Jackie Maertens (Elliott) <64559656+jaellio@users.noreply.github.com>
Co-authored-by: Keith Mattix II <keithmattix2@gmail.com>
Co-authored-by: my-git9 <xin.li@daocloud.io>
Stevenjin8 added a commit to Stevenjin8/istio that referenced this pull request Jul 11, 2025
istio-testing added a commit that referenced this pull request Jul 12, 2025
* Initial changes to reach label selector from mesh config to update endpoints



Pass MeshConfig to GlobalMergedWorkloadServicesCollection



Add cluster and listener service filtering for waypoints and
e/w gateways



Respond to PR feedback



Add more tests



Fix incorrect waypoint logic. In ambient mode, e/w gateways and waypoints
are both node.Type Waypoints



Remove unused ServicesForGateway



Updated failing lint and add a release note



* Filter services in ServiceServiceBuilder and check feature
flag for ambient multi network.



* Move feature flag set to avoid race



* Fix race



* Remove ScopeByService on workload



* Fix fmt



* Add scope to serviceInfo equality check



* Also add Service SANS

* [REMOVE ME] enable multinetwork ambient by default

* Move number theory functions to math module

* Even capacity distribution with multiple gateways

* Automatically include waypoint svc of global svcs

* Some refactoring too

* Messy checkpoint

* Random

* Jackie rebase

* Jackie rebase

* Tests passing (?)

* Lint

* Enable domain suffixes

* fix tests again

* Make gen

* Add e/w gateway support for ambient multi network tests



* Fix integration tests



* Fix lint/gen and test failures



* Tests passing (?)

* Lint

* Automator: update proxy@master in istio/istio@master (#56771)

* Fix Gateway API tests to consider istio test cli flags (#56704)

* set revision when running istioctl

* Add revision to gateway in ManagedGatewayTest

* Do not hardcode istio-system in UnamagedGatewayTest

* include istioNamespace in istioctl commands for TaggedGatewayTest

* Use Revisions instead of Revision (later is deprecated)

* only set --istioNamespace is c.istioNamespace

* If ingress gateway ns not set, use istio-system

* set also ingress gateway svc name

* remove revision from ManagedGatewayTest (not needed), add TODO comment for remaining test

* feat: represent revision tags using services (#56141)

* first iteration of using services and mutatingwebhooks as tags

* include namespaces

* log warnings on conflict

* rename revision-tags to revision-tags-mwc.yaml

* Create service tags on helm istiod chart

* initial iteration for istioctl tag set

* include IstioNamespace in GenerateOptions

* Update signature of Generate to return a list of objects to generate

* consider service if running ambient

* go back to strings when returning

* go back to string completely, delete TagResources

* rename service object

* move break to correct line

* implement istioctl tag remove

* add uniqTagsFromServices and uniqTagsFromWebhooks

* istioctl tag list consider services

* add operatorManageWebhooks guard to revision-tags-mwc.yaml

* rename revision-tags.yaml to revision-tags-svc.yaml

* refactor delete test case

* test istioctl tag list

* remove ambient check, create and manage both resources at the same time

* wip test cases

* remove controlplane mode

* fix test

* my own code review

* fix compilation error

* fix lint

* wip integ-helm_istio

* add app=istiod label filter

* merge override labels in generate.go

* add release note

* set owner labels to revision service tag

* rollback changes on e2e for helm

* fix helm e2e

* use servicesAfters instead of webhooksAfter in tag_test.go assertion log

* Remove unnecessary deprecation message

* refactor tag_test.go to reduce diff size

* Update client go (#56780)

* Automator: update istio/client-go@master dependency in istio/istio@master

* fix test

* fix more

* fix TestTelemetryMetricsExhaustiveness

---------



* Automator: update istio/client-go@master dependency in istio/istio@master (#56781)

* Impl RetryBudget in DestinationRule (#56782)

* impl RetryBudget

* release notes

* add test case

* add release notes for ClusterTrustBundle (#56748)

* Add domain resolve to Ambient TestServiceEntryInlinedWorkloadEntry test (#56784)

When executing TestServiceEntryInlinedWorkloadEntry Ambient test in a
public cloud based cluster, the created ingress is a domain based name
and the test fails with the following error:

configuration is invalid: endpoint address
"a6eec2a91721a42b0aa8e140fc6611fc-1873540778.us-east-1.elb.amazonaws.com"
is not a valid IP address

Add a domain name resolution to ip based address.



* Automator: update common-files@master in istio/istio@master (#56788)

* Automator: update proxy@master in istio/istio@master (#56789)

* Do not transitively import net/trace (#56637)

* Do not transitively import net/trace

This drops 300kb off the binary. Not a big deal but
#56636 is a 5mb potential and
this is a step to it

* drop license

* Automator: update istio/client-go@master dependency in istio/istio@master (#56790)

* do not use discovery filter for system namespace network (#56687)

* do not use discovery filter for system namespace network

* relnote

* revert label selector

* Automator: update proxy@master in istio/istio@master (#56794)

* status: fix busyloop (#56798)

This has been observed to cause extremely high CPU usage as we busyloop.

Basically if we have at least 1 pending item, and we re-enqueue an
actively worked on item, it will busy loop until the actively worked on
item is handled.

We should instead kill this worker. The other worker will handle the
task when it completes

* Gateway: provide stable HTTPRoute status ordering (#56504)

* Add test cases

* gateway: emit HTTPRoute status in a stable ordering

* Update tests

* fix test

* Automator: update ztunnel@master in istio/istio@master (#56803)

* manifests: refactor conditions for tproxy and capNetBindService (#56809)

* manifests: refactor conditions for TPROXY



* Encapsulate checking capNetBindService



---------



* tests: assign privileged SCC to tproxy SA on OpenShift (#56799)

* tests: assign privileged SCC to tproxy SA on OpenShift



* Rename bool variable `openshift` to `isOpenShift`



* Fix a typo in CRB name



---------



* fix dns althost name generation (#56806)

* fix dns althost name generation



* remove unnecessary test change



---------



* add gateway implementation for retry budget (#56808)

* add gateway implementation for retry budget



* comments



---------



* tcp/tls route: fix multiple parent binds (#56818)

Fixes #56769

The problem was we had non-unique names for each generated object. Add
unit tests and fix to use the same counting approach HTTP/GRPC uses

* Automator: update proxy@master in istio/istio@master (#56813)

* Add annotation support to deployment object in istio discovery chart (#56787)

* Add deployment object annotation support to istio discovery chart

* Add release note for deployment object annotation support to istiod chart

* Automator: update go-control-plane in istio/istio@master (#56821)

* Automator: update proxy@master in istio/istio@master (#56822)

* Automator: update proxy@master in istio/istio@master (#56823)

* Automator: update proxy@master in istio/istio@master (#56829)

* Create Istio owned CNI config (#56156)

* Create Istio owned CNI config



* Set CNIConfName to primary CNI config file name



* Make Istio owned cni config opt in and the config name
configurable



* Add warning for invalid istio own cni config filename priority



* Add release note



---------



* Revert "feat: represent revision tags using services (#56141)" (#56833)

This reverts commit 0550a31.

* Automator: update istio/client-go@master dependency in istio/istio@master (#56835)

* Automator: update ztunnel@master in istio/istio@master (#56840)

* improve istioctl dashboard example (#56842)



* Automator: update common-files@master in istio/istio@master (#56834)

* Automator: update proxy@master in istio/istio@master (#56846)

* Enable domain suffixes

* fix tests again

* Make gen

* Respond to Keith's PR feedback



* Fix get and comparison

* review part 1

* Fix gen



* Add support waypoint visibility at network gateways when the
waypoint has globally scoped services



* Get rid of splithorizon specific stuff

* lint

* lint

* - deploy e/w gateway with blackhole listener/cluster if ambient
multinetwork is enabled to allow for existence even if no globally
scoped services exist
- utilize existing apps for integration tests



* wait on eastwest gateway by checking programmed
status



* Minimize diff

* Update default servicescopeconfig and duplicate DeployGatewayAPI
for simplicity



* Fix indentation and remove unrelated file



* Compare networks rather than cluster id to determine locality



* review part 2

* correct east west gw svc name

* Use correct address for e/w gateway and compare networks rather
than clusterids



* Add todo and remove duplicate config



* Fix flakes

* Add comment to fix e/w gateway service lookup perf in beta



* Include network gateways

* use other network gateway

* Use name when generating ewgateway workloads

* Keith review

* Don't use gateway suffixes

* releasenotes

* Fix service merging and nwgateway naming

* Issue about multiple network gateways

* Lint, fix test, and remove release note

* Jackie review

* More docs

---------

Signed-off-by: Jackie Elliott <jaellio@microsoft.com>
Signed-off-by: Maxim Babushkin <mbabushk@redhat.com>
Signed-off-by: Jacek Ewertowski <jacek.ewertowski1@gmail.com>
Signed-off-by: Rama Chavali <rama.rao@salesforce.com>
Signed-off-by: xin.li <xin.li@daocloud.io>
Co-authored-by: Jackie Elliott <jaellio@microsoft.com>
Co-authored-by: Istio Automation <istio-testing-bot@google.com>
Co-authored-by: German Robayo <germanrobayo33@gmail.com>
Co-authored-by: zirain <zirain2009@gmail.com>
Co-authored-by: Maxim Babushkin <mbabushk@redhat.com>
Co-authored-by: John Howard <howardjohn@google.com>
Co-authored-by: Steven Landow <steven@landow.dev>
Co-authored-by: Jacek Ewertowski <jacek.ewertowski1@gmail.com>
Co-authored-by: Rama Chavali <rama.rao@salesforce.com>
Co-authored-by: Ramal Abeysekera <ramal.abeysekera@hotmail.com>
Co-authored-by: Jackie Maertens (Elliott) <64559656+jaellio@users.noreply.github.com>
Co-authored-by: Keith Mattix II <keithmattix2@gmail.com>
Co-authored-by: my-git9 <xin.li@daocloud.io>
fjglira pushed a commit to fjglira/istio that referenced this pull request Sep 26, 2025
* upstream/master:
  Update client go (istio#56780)
  feat: represent revision tags using services (istio#56141)
  Fix Gateway API tests to consider istio test cli flags (istio#56704)
  Automator: update proxy@master in istio/istio@master (istio#56771)
fjglira pushed a commit to fjglira/istio that referenced this pull request Sep 26, 2025
* upstream/master:
  Automator: update ztunnel@master in istio/istio@master (istio#56840)
  Automator: update istio/client-go@master dependency in istio/istio@master (istio#56835)
  Revert "feat: represent revision tags using services (istio#56141)" (istio#56833)
  Create Istio owned CNI config (istio#56156)
  Automator: update proxy@master in istio/istio@master (istio#56829)
Labels

area/ambient Issues related to ambient mesh area/environments area/user experience ok-to-test Set this label allow normal testing to take place for a PR not submitted by an Istio org member. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files.

8 participants