
do not use discovery filter for system namespace network #56687

Merged: istio-testing merged 3 commits into istio:master from stevenctl:no-ns-discovery-filter on Jun 26, 2025

Conversation

@stevenctl (Contributor)

@stevenctl stevenctl commented Jun 18, 2025


When discoveryFilters are set, this will make us potentially NOT watch the system namespace. This has multiple bad effects:

  1. We will never see events for the system namespace, so we never set the network for local pods. This does not affect the sidecar base case, because we rely on the injector setting the label directly on the pods.

```go
// the namespace informer is created with the discovery ObjectFilter applied
c.namespaces = kclient.NewFiltered[*v1.Namespace](kubeClient, kclient.Filter{ObjectFilter: kubeClient.ObjectFilter()})
```

  2. If we're using waypoints, the waypoints will send plaintext to their backends. We do a lookup using `<network>/<ip>` to check the ambient indexes. The ambient index watches the system namespace separately, without this discovery selector. There will be a mismatch of `"" != "your-network"`, so we assume `!supportTunnel`:

```go
// lookup key is "<network>/<ip>"; an empty local network produces a key that never matches
infos, _ := ps.ambientIndex.AddressInformation(sets.New(n.String() + "/" + ip))
for _, wl := range ExtractWorkloadsFromAddresses(infos) {
	if wl.Workload.TunnelProtocol == workloadapi.TunnelProtocol_HBONE {
	}
}
```
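The two-index mismatch described above, as an added example that is not part of the PR or of Istio's code: a constructed Go model of a selector-filtered namespace watcher beside an unfiltered ambient index keyed by `<network>/<ip>`, with the fix modelled as exempting the system namespace from the discovery selector. `topology.istio.io/network` is Istio's namespace network label; the selector label `istio-discovery=enabled`, the namespace `shop` and the IP are made up.

```go
package main

import "fmt"

// Constructed model of the failure mode in this PR, not Istio's own code.
// Two indexes must agree on the "<network>/<ip>" key: a namespace watcher
// that (incorrectly) applies the discovery selector to the system namespace,
// and an ambient index that watches the system namespace unfiltered.

const (
	systemNamespace = "istio-system"
	networkLabel    = "topology.istio.io/network" // Istio's namespace network label
)

// namespace is a constructed stand-in for a Kubernetes Namespace object.
type namespace struct {
	name   string
	labels map[string]string
}

// discoverySelector models a discoverySelectors label match: only namespaces
// carrying the selected label/value are watched.
type discoverySelector struct {
	key, value string
}

func (s discoverySelector) matches(ns namespace) bool {
	return ns.labels[s.key] == s.value
}

// namespaceWatcher models the namespace informer. With exemptSystem set
// (the fix), the system namespace is admitted regardless of the selector.
type namespaceWatcher struct {
	selector     discoverySelector
	exemptSystem bool
	seen         map[string]namespace
}

func (w *namespaceWatcher) onEvent(ns namespace) {
	if ns.name == systemNamespace && w.exemptSystem {
		w.seen[ns.name] = ns
		return
	}
	if w.selector.matches(ns) {
		w.seen[ns.name] = ns
	}
}

// localNetwork returns the system namespace's network label, or "" when the
// watcher never saw that namespace (the bug: the filter dropped the event).
func (w *namespaceWatcher) localNetwork() string {
	ns, ok := w.seen[systemNamespace]
	if !ok {
		return ""
	}
	return ns.labels[networkLabel]
}

// ambientIndex models the index keyed by "<network>/<ip>", populated from an
// unfiltered view, so its network value is always the real one.
type ambientIndex struct {
	tunnelByKey map[string]string // "<network>/<ip>" -> "HBONE" or "NONE"
}

func addressKey(network, ip string) string { return network + "/" + ip }

// supportsTunnel reproduces the lookup: a key miss is treated as "no tunnel
// support", which a waypoint turns into a plaintext connection (fail-open).
func (a ambientIndex) supportsTunnel(network, ip string) bool {
	return a.tunnelByKey[addressKey(network, ip)] == "HBONE"
}

// waypointDecision wires the two indexes together and reports whether traffic
// to ip would use HBONE (true) or fall back to plaintext (false).
func waypointDecision(exemptSystem bool, ip string) bool {
	sel := discoverySelector{key: "istio-discovery", value: "enabled"}
	w := &namespaceWatcher{selector: sel, exemptSystem: exemptSystem, seen: map[string]namespace{}}
	// Constructed namespaces: the system namespace carries the network label but
	// not the discovery label, so the selector alone excludes it.
	w.onEvent(namespace{name: systemNamespace, labels: map[string]string{networkLabel: "your-network"}})
	w.onEvent(namespace{name: "shop", labels: map[string]string{"istio-discovery": "enabled"}})

	idx := ambientIndex{tunnelByKey: map[string]string{
		addressKey("your-network", ip): "HBONE",
	}}
	return idx.supportsTunnel(w.localNetwork(), ip)
}

func main() {
	ip := "10.0.0.7"
	fmt.Printf("filter applied to system namespace: HBONE=%v\n", waypointDecision(false, ip))
	fmt.Printf("system namespace exempt from filter: HBONE=%v\n", waypointDecision(true, ip))
}
```

The first call misses the index on the key `/10.0.0.7` and would send plaintext; the second resolves `your-network/10.0.0.7` and keeps HBONE.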

@stevenctl stevenctl requested a review from a team as a code owner June 18, 2025 21:44
@istio-policy-bot istio-policy-bot added area/ambient Issues related to ambient mesh area/networking labels Jun 18, 2025
@istio-testing istio-testing added the size/S Denotes a PR that changes 10-29 lines, ignoring generated files. label Jun 18, 2025
@stevenctl stevenctl added cherrypick/release-1.25 Set this label on a PR to auto-merge it to the release-1.25 branch cherrypick/release-1.26 Set this label on a PR to auto-merge it to the release-1.26 branch labels Jun 18, 2025
@howardjohn howardjohn (Member) left a comment

lgtm besides 1 comment

@zirain (Member)

zirain commented Jun 19, 2025

is there a last release for 1.24?

@istio-testing istio-testing merged commit 4a95290 into istio:master Jun 26, 2025
30 checks passed
@istio-testing (Collaborator)

In response to a cherrypick label: new pull request created: #56796

@istio-testing (Collaborator)

In response to a cherrypick label: new pull request created: #56797

Stevenjin8 pushed a commit to Stevenjin8/istio that referenced this pull request Jul 3, 2025
* do not use discovery filter for system namespace network

* relnote

* revert label selector
istio-testing added a commit that referenced this pull request Jul 10, 2025
* Initial changes to reach label selector from mesh config to update endpoints

Signed-off-by: Jackie Elliott <jaellio@microsoft.com>

Pass MeshConfig to GlobalMergedWorkloadServicesCollection

Signed-off-by: Jackie Elliott <jaellio@microsoft.com>

Add cluster and listener service filtering for waypoints and
e/w gateways

Signed-off-by: Jackie Elliott <jaellio@microsoft.com>

Respond to PR feedback

Signed-off-by: Jackie Elliott <jaellio@microsoft.com>

Add more tests

Signed-off-by: Jackie Elliott <jaellio@microsoft.com>

Fix incorrect waypoint logic. In ambient mode, e/w gateways and waypoints
are both node.Type Waypoints

Signed-off-by: Jackie Elliott <jaellio@microsoft.com>

Remove unused ServicesForGateway

Signed-off-by: Jackie Elliott <jaellio@microsoft.com>

Updated failing lint and add a release note

Signed-off-by: Jackie Elliott <jaellio@microsoft.com>

* Filter services in ServiceServiceBuilder and check feature
flag for ambient multi network.

Signed-off-by: Jackie Elliott <jaellio@microsoft.com>

* Move feature flag set to avoid race

Signed-off-by: Jackie Elliott <jaellio@microsoft.com>

* Fix race

Signed-off-by: Jackie Elliott <jaellio@microsoft.com>

* Remove ScopeByService on workload

Signed-off-by: Jackie Elliott <jaellio@microsoft.com>

* Fix fmt

Signed-off-by: Jackie Elliott <jaellio@microsoft.com>

* Add scope to serviceInfo equality check

Signed-off-by: Jackie Elliott <jaellio@microsoft.com>

* Also add Service SANS

* [REMOVE ME] enable multinetwork ambient by default

* Move number theory functions to math module

* Even capacity distribution with multiple gateways

* Automatically include waypoint svc of global svcs

* Some refactoring too

* Messy checkpoint

* Random

* Jackie rebase

* Jackie rebase

* Tests passing (?)

* Lint

* Enable domain suffixes

* fix tests again

* Make gen

* Add e/w gateway support for ambient multi network tests

Signed-off-by: Jackie Elliott <jaellio@microsoft.com>

* Fix integration tests

Signed-off-by: Jackie Elliott <jaellio@microsoft.com>

* Fix lint/gen and test failures

Signed-off-by: Jackie Elliott <jaellio@microsoft.com>

* Tests passing (?)

* Lint

* Automator: update proxy@master in istio/istio@master (#56771)

* Fix Gateway API tests to consider istio test cli flags (#56704)

* set revision when running istioctl

* Add revision to gateway in ManagedGatewayTest

* Do not hardcode istio-system in UnamagedGatewayTest

* include istioNamespace in istioctl commands for TaggedGatewayTest

* Use Revisions instead of Revision (later is deprecated)

* only set --istioNamespace is c.istioNamespace

* If ingress gateway ns not set, use istio-system

* set also ingress gateway svc name

* remove revision from ManagedGatewayTest (not needed), add TODO comment for remaining test

* feat: represent revision tags using services (#56141)

* first iteration of using services and mutatingwebhooks as tags

* include namespaces

* log warnings on conflict

* rename revision-tags to revision-tags-mwc.yaml

* Create service tags on helm istiod chart

* initial iteration for istioctl tag set

* include IstioNamespace in GenerateOptions

* Update signature of Generate to return a list of objects to generate

* consider service if running ambient

* go back to strings when returning

* go back to string completely, delete TagResources

* rename service object

* move break to correct line

* implement istioctl tag remove

* add uniqTagsFromServices and uniqTagsFromWebhooks

* istioctl tag list consider services

* add operatorManageWebhooks guard to revision-tags-mwc.yaml

* rename revision-tags.yaml to revision-tags-svc.yaml

* refactor delete test case

* test istioctl tag list

* remove ambient check, create and manage both resources at the same time

* wip test cases

* remove controlplane mode

* fix test

* my own code review

* fix compilation error

* fix lint

* wip integ-helm_istio

* add app=istiod label filter

* merge override labels in generate.go

* add release note

* set owner labels to revision service tag

* rollback changes on e2e for helm

* fix helm e2e

* use servicesAfters instead of webhooksAfter in tag_test.go assertion log

* Remove unnecessary deprecation message

* refactor tag_test.go to reduce diff size

* Update client go (#56780)

* Automator: update istio/client-go@master dependency in istio/istio@master

* fix test

* fix more

* fix TestTelemetryMetricsExhaustiveness

---------

Co-authored-by: istio-testing <istio-testing-bot@google.com>

* Automator: update istio/client-go@master dependency in istio/istio@master (#56781)

* Impl RetryBudget in DestinationRule (#56782)

* impl RetryBudget

* release notes

* add test case

* add release notes for ClusterTrustBundle (#56748)

* Add domain resolve to Ambient TestServiceEntryInlinedWorkloadEntry test (#56784)

When executing TestServiceEntryInlinedWorkloadEntry Ambient test in a
public cloud based cluster, the created ingress is a domain based name
and the test fails with the following error:

configuration is invalid: endpoint address
"a6eec2a91721a42b0aa8e140fc6611fc-1873540778.us-east-1.elb.amazonaws.com"
is not a valid IP address

Add a domain name resolution to ip based address.

Signed-off-by: Maxim Babushkin <mbabushk@redhat.com>

* Automator: update common-files@master in istio/istio@master (#56788)

* Automator: update proxy@master in istio/istio@master (#56789)

* Do not transitively import net/trace (#56637)

* Do not transitively import net/trace

This drops 300kb off the binary. Not a big deal but
#56636 is a 5mb potential and
this is a step to it

* drop license

* Automator: update istio/client-go@master dependency in istio/istio@master (#56790)

* do not use discovery filter for system namespace network (#56687)

* do not use discovery filter for system namespace network

* relnote

* revert label selector

* Automator: update proxy@master in istio/istio@master (#56794)

* status: fix busyloop (#56798)

This has been observed to cause extremely high CPU usage as we busyloop.

Basically if we have at least 1 pending item, and we re-enqueue and
actively worked on item, it will busy loop until the actively worked on
item is handled.

We should instead kill this worker. The other worker will handle the
task when it completes

* Gateway: provide stable HTTPRoute status ordering (#56504)

* Add test cases

* gateway: emit HTTPRoute status in a stable ordering

* Update tests

* fix test

* Automator: update ztunnel@master in istio/istio@master (#56803)

* manifests: refactor conditions for tproxy and capNetBindService (#56809)

* manifests: refactor conditions for TPROXY

Signed-off-by: Jacek Ewertowski <jacek.ewertowski1@gmail.com>

* Encapsulate checking capNetBindService

Signed-off-by: Jacek Ewertowski <jacek.ewertowski1@gmail.com>

---------

Signed-off-by: Jacek Ewertowski <jacek.ewertowski1@gmail.com>

* tests: assign privileged SCC to tproxy SA on OpenShift (#56799)

* tests: assign privileged SCC to tproxy SA on OpenShift

Signed-off-by: Jacek Ewertowski <jacek.ewertowski1@gmail.com>

* Rename bool variable `openshift` to `isOpenShift`

Signed-off-by: Jacek Ewertowski <jacek.ewertowski1@gmail.com>

* Fix a typo in CRB name

Signed-off-by: Jacek Ewertowski <jacek.ewertowski1@gmail.com>

---------

Signed-off-by: Jacek Ewertowski <jacek.ewertowski1@gmail.com>

* fix dns althost name generation (#56806)

* fix dns althost name generation

Signed-off-by: Rama Chavali <rama.rao@salesforce.com>

* remove unnecessary test change

Signed-off-by: Rama Chavali <rama.rao@salesforce.com>

---------

Signed-off-by: Rama Chavali <rama.rao@salesforce.com>

* add gateway implementation for retry budget (#56808)

* add gateway implementation for retry budget

Signed-off-by: Rama Chavali <rama.rao@salesforce.com>

* comments

Signed-off-by: Rama Chavali <rama.rao@salesforce.com>

---------

Signed-off-by: Rama Chavali <rama.rao@salesforce.com>

* tcp/tls route: fix multiple parent binds (#56818)

Fixes #56769

The problem was we had non-unique names for each generated object. Add
unit tests and fix to use the same counting approach HTTP/GRPC uses

* Automator: update proxy@master in istio/istio@master (#56813)

* Add annotation support to deployment object in istio discovery chart (#56787)

* Add deployment object annotation support to istio discovery chart

* Add release note for deployment object annotation support to istiod chart

* Automator: update go-control-plane in istio/istio@master (#56821)

* Automator: update proxy@master in istio/istio@master (#56822)

* Automator: update proxy@master in istio/istio@master (#56823)

* Automator: update proxy@master in istio/istio@master (#56829)

* Create Istio owned CNI config (#56156)

* Create Istio owned CNI config

Signed-off-by: Jackie Elliott <jaellio@microsoft.com>

* Set CNIConfName to primary CNI config file name

Signed-off-by: Jackie Elliott <jaellio@microsoft.com>

* Make Istio owned cni config opt in and the config name
configurable

Signed-off-by: Jackie Elliott <jaellio@microsoft.com>

* Add warning for invalid istio own cni config filename priority

Signed-off-by: Jackie Elliott <jaellio@microsoft.com>

* Add release note

Signed-off-by: Jackie Elliott <jaellio@microsoft.com>

---------

Signed-off-by: Jackie Elliott <jaellio@microsoft.com>

* Revert "feat: represent revision tags using services (#56141)" (#56833)

This reverts commit 0550a31.

* Automator: update istio/client-go@master dependency in istio/istio@master (#56835)

* Automator: update ztunnel@master in istio/istio@master (#56840)

* improve istioctl dashboard example (#56842)

Signed-off-by: xin.li <xin.li@daocloud.io>

* Automator: update common-files@master in istio/istio@master (#56834)

* Automator: update proxy@master in istio/istio@master (#56846)

* Enable domain suffixes

* fix tests again

* Make gen

* Respond to Keith's PR feedback

Signed-off-by: Jackie Elliott <jaellio@microsoft.com>

* Fix get and comparison

* review part 1

* Fix gen

Signed-off-by: Jackie Elliott <jaellio@microsoft.com>

* Add support waypoint visibility at network gateways when the
waypoint has globally scoped services

Signed-off-by: Jackie Elliott <jaellio@microsoft.com>

* Get rid of splithorizon specific stuff

* lint

* lint

* - deploy e/w gateway with blackhole listener/cluster if ambient
multinetwork is enabled to allow for existence even if no globally
scoped services exist
- utilize existing apps for integration tests

Signed-off-by: Jackie Elliott <jaellio@microsoft.com>

* wait on eastwest gateway by checking programmed
status

Signed-off-by: Jackie Elliott <jaellio@microsoft.com>

* Minimize diff

* Update default servicescopeconfig and duplicate DeployGatewayAPI
for simplicity

Signed-off-by: Jackie Elliott <jaellio@microsoft.com>

* Fix indentation and remove unrelated file

Signed-off-by: Jackie Elliott <jaellio@microsoft.com>

* Compare networks rather than cluster id to determine locality

Signed-off-by: Jackie Elliott <jaellio@microsoft.com>

* review part 2

* correct east west gw svc name

* Use correct address for e/w gateway and compare networks rather
than clusterids

Signed-off-by: Jackie Elliott <jaellio@microsoft.com>

* Add todo and remove duplicate config

Signed-off-by: Jackie Elliott <jaellio@microsoft.com>

* Fix flakes

* Add comment to fix e/w gateway service lookup perf in beta

Signed-off-by: Jackie Elliott <jaellio@microsoft.com>

* Include network gateways

* use other network gateway

* Use name when generating ewgateway workloads

* Keith review

* Don't use gateway suffixes

* releasenotes

* Fix service merging and nwgateway naming

* Issue about multiple network gateways

* Lint, fix test, and remove release note

* Jackie review

* More docs

---------

Signed-off-by: Jackie Elliott <jaellio@microsoft.com>
Signed-off-by: Maxim Babushkin <mbabushk@redhat.com>
Signed-off-by: Jacek Ewertowski <jacek.ewertowski1@gmail.com>
Signed-off-by: Rama Chavali <rama.rao@salesforce.com>
Signed-off-by: xin.li <xin.li@daocloud.io>
Co-authored-by: Jackie Elliott <jaellio@microsoft.com>
Co-authored-by: Istio Automation <istio-testing-bot@google.com>
Co-authored-by: German Robayo <germanrobayo33@gmail.com>
Co-authored-by: zirain <zirain2009@gmail.com>
Co-authored-by: Maxim Babushkin <mbabushk@redhat.com>
Co-authored-by: John Howard <howardjohn@google.com>
Co-authored-by: Steven Landow <steven@landow.dev>
Co-authored-by: Jacek Ewertowski <jacek.ewertowski1@gmail.com>
Co-authored-by: Rama Chavali <rama.rao@salesforce.com>
Co-authored-by: Ramal Abeysekera <ramal.abeysekera@hotmail.com>
Co-authored-by: Jackie Maertens (Elliott) <64559656+jaellio@users.noreply.github.com>
Co-authored-by: Keith Mattix II <keithmattix2@gmail.com>
Co-authored-by: my-git9 <xin.li@daocloud.io>
Stevenjin8 added a commit to Stevenjin8/istio that referenced this pull request Jul 11, 2025
istio-testing added a commit that referenced this pull request Jul 12, 2025
* Initial changes to reach label selector from mesh config to update endpoints



Pass MeshConfig to GlobalMergedWorkloadServicesCollection



Add cluster and listener service filtering for waypoints and
e/w gateways



Respond to PR feedback



Add more tests



Fix incorrect waypoint logic. In ambient mode, e/w gateways and waypoints
are both node.Type Waypoints



Remove unused ServicesForGateway



Updated failing lint and add a release note



* Filter services in ServiceServiceBuilder and check feature
flag for ambient multi network.



* Move feature flag set to avoid race



* Fix race



* Remove ScopeByService on workload



* Fix fmt



* Add scope to serviceInfo equality check



* Also add Service SANS

* [REMOVE ME] enable multinetwork ambient by default

* Move number theory functions to math module

* Even capacity distribution with multiple gateways

* Automatically include waypoint svc of global svcs

* Some refactoring too

* Messy checkpoint

* Random

* Jackie rebase

* Jackie rebase

* Tests passing (?)

* Lint

* Enable domain suffixes

* fix tests again

* Make gen

* Add e/w gateway support for ambient multi network tests



* Fix integration tests



* Fix lint/gen and test failures



* Tests passing (?)

* Lint

* Automator: update proxy@master in istio/istio@master (#56771)

* Fix Gateway API tests to consider istio test cli flags (#56704)

* set revision when running istioctl

* Add revision to gateway in ManagedGatewayTest

* Do not hardcode istio-system in UnamagedGatewayTest

* include istioNamespace in istioctl commands for TaggedGatewayTest

* Use Revisions instead of Revision (later is deprecated)

* only set --istioNamespace is c.istioNamespace

* If ingress gateway ns not set, use istio-system

* set also ingress gateway svc name

* remove revision from ManagedGatewayTest (not needed), add TODO comment for remaining test

* feat: represent revision tags using services (#56141)

* first iteration of using services and mutatingwebhooks as tags

* include namespaces

* log warnings on conflict

* rename revision-tags to revision-tags-mwc.yaml

* Create service tags on helm istiod chart

* initial iteration for istioctl tag set

* include IstioNamespace in GenerateOptions

* Update signature of Generate to return a list of objects to generate

* consider service if running ambient

* go back to strings when returning

* go back to string completely, delete TagResources

* rename service object

* move break to correct line

* implement istioctl tag remove

* add uniqTagsFromServices and uniqTagsFromWebhooks

* istioctl tag list consider services

* add operatorManageWebhooks guard to revision-tags-mwc.yaml

* rename revision-tags.yaml to revision-tags-svc.yaml

* refactor delete test case

* test istioctl tag list

* remove ambient check, create and manage both resources at the same time

* wip test cases

* remove controlplane mode

* fix test

* my own code review

* fix compilation error

* fix lint

* wip integ-helm_istio

* add app=istiod label filter

* merge override labels in generate.go

* add release note

* set owner labels to revision service tag

* rollback changes on e2e for helm

* fix helm e2e

* use servicesAfters instead of webhooksAfter in tag_test.go assertion log

* Remove unnecessary deprecation message

* refactor tag_test.go to reduce diff size

* Update client go (#56780)

* Automator: update istio/client-go@master dependency in istio/istio@master

* fix test

* fix more

* fix TestTelemetryMetricsExhaustiveness

---------

* Automator: update istio/client-go@master dependency in istio/istio@master (#56781)

* Impl RetryBudget in DestinationRule (#56782)

* impl RetryBudget

* release notes

* add test case

* add release notes for ClusterTrustBundle (#56748)

* Add domain resolve to Ambient TestServiceEntryInlinedWorkloadEntry test (#56784)

When executing TestServiceEntryInlinedWorkloadEntry Ambient test in a
public cloud based cluster, the created ingress is a domain based name
and the test fails with the following error:

configuration is invalid: endpoint address
"a6eec2a91721a42b0aa8e140fc6611fc-1873540778.us-east-1.elb.amazonaws.com"
is not a valid IP address

Add a domain name resolution to ip based address.

* Automator: update common-files@master in istio/istio@master (#56788)

* Automator: update proxy@master in istio/istio@master (#56789)

* Do not transitively import net/trace (#56637)

* Do not transitively import net/trace

This drops 300kb off the binary. Not a big deal, but
#56636 is a 5mb potential and
this is a step to it

* drop license

* Automator: update istio/client-go@master dependency in istio/istio@master (#56790)

* do not use discovery filter for system namespace network (#56687)

* do not use discovery filter for system namespace network

* relnote

* revert label selector

* Automator: update proxy@master in istio/istio@master (#56794)

* status: fix busyloop (#56798)

This has been observed to cause extremely high CPU usage as we busyloop.

Basically if we have at least 1 pending item, and we re-enqueue an
actively worked-on item, it will busy loop until the actively worked-on
item is handled.

We should instead kill this worker. The other worker will handle the
task when it completes.

* Gateway: provide stable HTTPRoute status ordering (#56504)

* Add test cases

* gateway: emit HTTPRoute status in a stable ordering

* Update tests

* fix test

* Automator: update ztunnel@master in istio/istio@master (#56803)

* manifests: refactor conditions for tproxy and capNetBindService (#56809)

* manifests: refactor conditions for TPROXY

* Encapsulate checking capNetBindService

---------

* tests: assign privileged SCC to tproxy SA on OpenShift (#56799)

* tests: assign privileged SCC to tproxy SA on OpenShift

* Rename bool variable `openshift` to `isOpenShift`

* Fix a typo in CRB name

---------

* fix dns althost name generation (#56806)

* fix dns althost name generation

* remove unnecessary test change

---------

* add gateway implementation for retry budget (#56808)

* add gateway implementation for retry budget

* comments

---------

* tcp/tls route: fix multiple parent binds (#56818)

Fixes #56769

The problem was we had non-unique names for each generated object. Add
unit tests and fix to use the same counting approach HTTP/GRPC uses

* Automator: update proxy@master in istio/istio@master (#56813)

* Add annotation support to deployment object in istio discovery chart (#56787)

* Add deployment object annotation support to istio discovery chart

* Add release note for deployment object annotation support to istiod chart

* Automator: update go-control-plane in istio/istio@master (#56821)

* Automator: update proxy@master in istio/istio@master (#56822)

* Automator: update proxy@master in istio/istio@master (#56823)

* Automator: update proxy@master in istio/istio@master (#56829)

* Create Istio owned CNI config (#56156)

* Create Istio owned CNI config

* Set CNIConfName to primary CNI config file name

* Make Istio owned cni config opt in and the config name
configurable

* Add warning for invalid istio-owned cni config filename priority

* Add release note

---------

* Revert "feat: represent revision tags using services (#56141)" (#56833)

This reverts commit 0550a31.

* Automator: update istio/client-go@master dependency in istio/istio@master (#56835)

* Automator: update ztunnel@master in istio/istio@master (#56840)

* improve istioctl dashboard example (#56842)

* Automator: update common-files@master in istio/istio@master (#56834)

* Automator: update proxy@master in istio/istio@master (#56846)

* Enable domain suffixes

* fix tests again

* Make gen

* Respond to Keith's PR feedback

* Fix get and comparison

* review part 1

* Fix gen

* Add support waypoint visibility at network gateways when the
waypoint has globally scoped services

* Get rid of splithorizon specific stuff

* lint

* lint

* - deploy e/w gateway with blackhole listener/cluster if ambient
multinetwork is enabled to allow for existence even if no globally
scoped services exist
- utilize existing apps for integration tests

* wait on eastwest gateway by checking programmed
status

* Minimize diff

* Update default servicescopeconfig and duplicate DeployGatewayAPI
for simplicity

* Fix indentation and remove unrelated file

* Compare networks rather than cluster id to determine locality

* review part 2

* correct east west gw svc name

* Use correct address for e/w gateway and compare networks rather
than clusterids

* Add todo and remove duplicate config

* Fix flakes

* Add comment to fix e/w gateway service lookup perf in beta

* Include network gateways

* use other network gateway

* Use name when generating ewgateway workloads

* Keith review

* Don't use gateway suffixes

* releasenotes

* Fix service merging and nwgateway naming

* Issue about multiple network gateways

* Lint, fix test, and remove release note

* Jackie review

* More docs

---------

Signed-off-by: Jackie Elliott <jaellio@microsoft.com>
Signed-off-by: Maxim Babushkin <mbabushk@redhat.com>
Signed-off-by: Jacek Ewertowski <jacek.ewertowski1@gmail.com>
Signed-off-by: Rama Chavali <rama.rao@salesforce.com>
Signed-off-by: xin.li <xin.li@daocloud.io>
Co-authored-by: Jackie Elliott <jaellio@microsoft.com>
Co-authored-by: Istio Automation <istio-testing-bot@google.com>
Co-authored-by: German Robayo <germanrobayo33@gmail.com>
Co-authored-by: zirain <zirain2009@gmail.com>
Co-authored-by: Maxim Babushkin <mbabushk@redhat.com>
Co-authored-by: John Howard <howardjohn@google.com>
Co-authored-by: Steven Landow <steven@landow.dev>
Co-authored-by: Jacek Ewertowski <jacek.ewertowski1@gmail.com>
Co-authored-by: Rama Chavali <rama.rao@salesforce.com>
Co-authored-by: Ramal Abeysekera <ramal.abeysekera@hotmail.com>
Co-authored-by: Jackie Maertens (Elliott) <64559656+jaellio@users.noreply.github.com>
Co-authored-by: Keith Mattix II <keithmattix2@gmail.com>
Co-authored-by: my-git9 <xin.li@daocloud.io>
fjglira pushed a commit to fjglira/istio that referenced this pull request Sep 26, 2025
* upstream/master:
  Automator: update ztunnel@master in istio/istio@master (istio#56803)
  Gateway: provide stable HTTPRoute status ordering (istio#56504)
  status: fix busyloop (istio#56798)
  Automator: update proxy@master in istio/istio@master (istio#56794)
  do not use discovery filter for system namespace network (istio#56687)
  Automator: update istio/client-go@master dependency in istio/istio@master (istio#56790)
  Do not transitively import net/trace (istio#56637)
  Automator: update proxy@master in istio/istio@master (istio#56789)
  Automator: update common-files@master in istio/istio@master (istio#56788)
  Add domain resolve to Ambient TestServiceEntryInlinedWorkloadEntry test (istio#56784)
  add release notes for ClusterTrustBundle (istio#56748)
  Impl RetryBudget in DestinationRule (istio#56782)
  Automator: update istio/client-go@master dependency in istio/istio@master (istio#56781)