-
Notifications
You must be signed in to change notification settings - Fork 451
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Update istio to v1.14.1 #6271
Update istio to v1.14.1 #6271
Conversation
/hold |
8010428
to
00c9f61
Compare
56fec0c
to
de247bf
Compare
4958e92
to
17f01a5
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Just a few nits (also in comments that were not part of the PR, but are close to the modified code and could also be improved)
I still haven't gone through all the changes in the chart files though.
// See the License for the specific language governing permissions and | ||
// limitations under the License. | ||
|
||
package istio |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
package istio | |
package istio_test |
Since these methods appear to only be used in the istio_test
package and so that they do not get imported every time the istio
package is inported
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Actually, they are not used in istio_test
at all, but in kubeapiserverexposure_test
, vpnauthzserver_test
and vpnseedserver_test
. This is why I added them simply to istio
package to have them in a common place where they fit.
Feel free to suggest a different place, but istio_test
does not work as the functions need to be imported in three different locations.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ah sorry. You could move the BeComparableToMatcher
matcher to pkg/utils/test/matchers
.
Not sure what would be the best place for the CmpOptsFor...
helper functions though.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Any reason why CmpOptsFor...
should not be in pkg/utils/test/matchers
as well? Those functions only make sense for the BeComparableToMatcher
(or if go-cmp
would be used separately).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
My reasoning would be that BeComparableToMatcher
is pretty generic and can be used for other tests as well, whereas the current CmpOptsFor...
functions are particularly related to istio.
I dug a bit in our folders and I think you could place the helper functions in e.g. pkg/botanist/component/test/istiocomponent.go
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Split the content into pkg/utils/test/matchers
and pkg/botanist/component/test/istiocomponent.go
as suggested.
Let me know in case further changes are required.
pkg/operation/botanist/component/vpnseedserver/vpn_seed_server.go
Outdated
Show resolved
Hide resolved
@@ -35,12 +41,16 @@ spec: | |||
image: {{ .Values.image }} | |||
imagePullPolicy: IfNotPresent | |||
securityContext: | |||
allowPrivilegeEscalation: false | |||
# Safe since 1.22: https://github.com/kubernetes/kubernetes/pull/103326 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hmm here's the same comment, but no check if k8s version is higher than 1.22. Is that ok?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Indeed in the original (https://github.com/istio/istio/blob/1.14.1/manifests/charts/gateway/templates/deployment.yaml#L52), there is a corresponding check for the kubernetes version surrounding the block. However, we already used this configuration before, which means it already worked. I added the comment to reduce the diff while retaining the same behaviour as before.
Apparently, with kubernetes versions below 1.22 we could not use privileged ports in istio, which was never a loss for us.
17f01a5
to
d1e35d9
Compare
/retest |
1 similar comment
/retest |
d1e35d9
to
2898c1a
Compare
2898c1a
to
0937c58
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would also add the app.kubernetes.io/version: "1.14.1"
label to the istio-ingress gateway as discussed, apart from that the PR looks good. :)
The managedseed test seems to fail with:
"proxyconfigs.networking.istio.io", which was added with the update of the istio crds, should be added to the gardenlet clusterrole: gardener/charts/gardener/gardenlet/charts/runtime/templates/clusterrole-gardenlet.yaml Lines 124 to 142 in d829ed0
|
0937c58
to
973439b
Compare
Thanks for pointing this out. I added it in the latest commit (together with the version labels suggested by @DockToFuture). |
Addressed with latest commit. |
973439b
to
b378c04
Compare
@ScheererJ: The following test failed, say
Full PR test history. Your PR dashboard. Command help for this repository. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks!
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: plkokanov The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
I am curious how you tested this change in local setup guys? |
PTAL #6330 |
I tested this in the "old" local setup, meaning I used a shooted seed. |
I ran it in the entirely local setup, newly created seed, newly created shoot. Then I also tried creating a seed before the istio update, then checking out the change with the istio update and restarting gardenlet, to see if updates to already existing seeds would cause errors, but didn't encounter any problems. |
* 'master' of github.com:gardener/gardener: (51 commits) Switch extension controller to `logr` and streamline/cleanup logs (gardener#6332) Switch `./test/...` packages to `logr` and drop `github.com/sirupsen/logrus` dependency (gardener#6316) Only check shoot conditions during hibernation integration test (gardener#6325) Add dashboard for monitoring conntrack race failures. (gardener#6329) Reconcile quota before rbac (gardener#6326) Update istio to v1.14.1 (gardener#6271) Update gardenlet's base image to alpine:3.16.0 (gardener#6321) Update envoy proxy to v1.21.4 (gardener#6320) Deploy the metrics server to the kind cluster (gardener#6301) Fix tools download for aarch64 (arm64) (gardener#6314) update with latest CA releases (gardener#6295) Add missing unit tests for the predicates provided by the extensions library (gardener#6249) [GEP-19] Monitoring Stack - Migrating to the `prometheus-operator` (gardener#6151) Revert "Recreate DWD deployment if needed" (gardener#6307) Update to golang 1.18.4 (gardener#6300) Cleaned up imports in vpn-seed-server (gardener#6315) Prepare next Dev Cycle v1.52.0-dev Release v1.51.0 Add pre/post reconciliation/deletion hooks for the Worker resource (gardener#6290) Update the supported values in the usage text of the `--leader-election-resource-lock` flag (gardener#6304) ...
How to categorize this PR?
/area networking
/kind enhancement
What this PR does / why we need it:
Update istio to v1.14.1.
Which issue(s) this PR fixes:
None
Special notes for your reviewer:
The istio go library is updated only to v1.14.0 as there is no corresponding release, yet. However, this should be sufficient for now.
Release note:
/cc @DockToFuture