Backport changes (istio#433)

* istio#16223

* istio#16272

* istio#16187

* istio#16466

* istio#16634

* istio#16594

* istio#16666

* istio#16483

* istio#16820

* istio#16842

* istio#16852

* istio#16835

* istio#16863

* istio#16892

* istio#16991

* istio#16957

* istio#17013

* istio#17134

* istio#17155

* istio#17235

* istio#17342

* istio#17477

* istio#17615

* istio#17334

* istio#17708

* istio#17737

* Fix injection template

* Fix quoting

* Fix test values

* Add accidentally deleted affinity

crds/kustomization.yaml

@@ -4,7 +4,6 @@ kind: Kustomization
 resources:
   - files/crd-10.yaml
   - files/crd-11.yaml
-  - files/crd-12.yaml
   - files/crd-14.yaml
   - files/crd-certmanager-10.yaml
   - files/crd-certmanager-11.yaml

crds/templates/crds.yaml

@@ -1,6 +1,5 @@
 {{ .Files.Get "files/crd-10.yaml" }}
 {{ .Files.Get "files/crd-11.yaml" }}
-{{ .Files.Get "files/crd-12.yaml" }}
 {{ .Files.Get "files/crd-14.yaml" }}
 {{- if .Values.certmanager }}
 {{- if .Values.certmanager.enabled }}

gateways/istio-egress/templates/deployment.yaml

@@ -1,12 +1,12 @@
 {{ $gateway := index .Values "gateways" "istio-egressgateway" }}
+{{- $labels := (dict "app" "istio-egressgateway" "istio" "egressgateway") }}
 apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: istio-egressgateway
   namespace: {{ .Release.Namespace }}
   labels:
-    app: istio-egressgateway
-    istio: egressgateway
+{{ $labels | toYaml | indent 4 }}
     release: {{ .Release.Name }}
 spec:
 {{- if not $gateway.autoscaleEnabled }}
@@ -25,8 +25,7 @@ spec:
   template:
     metadata:
       labels:
-        app: istio-egressgateway
-        istio: egressgateway
+{{ $labels | toYaml | indent 8 }}
 {{- if eq .Release.Namespace "istio-system"}}
         heritage: Tiller
         release: istio
@@ -182,6 +181,13 @@ spec:
             value: istio-egressgateway
           - name: ISTIO_META_OWNER
             value: kubernetes://api/apps/v1/namespaces/{{ .Release.Namespace }}/deployments/istio-egressgateway
+          {{- if $.Values.global.meshID }}
+          - name: ISTIO_META_MESH_ID
+            value: "{{ $.Values.global.meshID }}"
+          {{- else if $.Values.global.trustDomain }}
+          - name: ISTIO_META_MESH_ID
+            value: "{{ $.Values.global.trustDomain }}"
+          {{- end }}
           - name: ISTIO_META_POD_NAME
             valueFrom:
               fieldRef:
@@ -208,6 +214,13 @@ spec:
             value: |
 {{ toJson $gateway.podAnnotations | indent 16}}
 {{ end }}
+          - name: ISTIO_METAJSON_LABELS
+            value: |
+              {{ $labels | toJson }}
+          - name: ISTIO_META_CLUSTER_ID
+            value: "{{ $.Values.global.multiCluster.clusterName | default `Kubernetes` }}"
+          - name: SDS_ENABLED
+            value: "{{ .Values.global.sds.enabled }}"
           volumeMounts:
           {{ if .Values.global.sds.enabled }}
           - name: sdsudspath

gateways/istio-egress/values.yaml

@@ -37,7 +37,7 @@ gateways:
         memory: 128Mi
       limits:
         cpu: 2000m
-        memory: 256Mi
+        memory: 1024Mi
     cpu:
       targetAverageUtilization: 80
 

gateways/istio-ingress/templates/deployment.yaml

@@ -1,12 +1,12 @@
-{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
+{{- $gateway := index .Values "gateways" "istio-ingressgateway" }}
+{{- $labels := (dict "app" "istio-ingressgateway" "istio" "ingressgateway") }}
 apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: istio-ingressgateway
   namespace: {{ .Release.Namespace }}
   labels:
-    app: istio-ingressgateway
-    istio: ingressgateway
+{{ $labels | toYaml | indent 4 }}
     release: {{ .Release.Name }}
 spec:
 {{- if not $gateway.autoscaleEnabled }}
@@ -25,8 +25,7 @@ spec:
   template:
     metadata:
       labels:
-        app: istio-ingressgateway
-        istio: ingressgateway
+{{ $labels | toYaml | indent 8 }}
 {{- if eq .Release.Namespace "istio-system"}}
         heritage: Tiller
         release: istio
@@ -226,6 +225,13 @@ spec:
             value: istio-ingressgateway
           - name: ISTIO_META_OWNER
             value: kubernetes://api/apps/v1/namespaces/{{ .Release.Namespace }}/deployments/istio-ingressgateway
+          {{- if $.Values.global.meshID }}
+          - name: ISTIO_META_MESH_ID
+            value: "{{ $.Values.global.meshID }}"
+          {{- else if $.Values.global.trustDomain }}
+          - name: ISTIO_META_MESH_ID
+            value: "{{ $.Values.global.trustDomain }}"
+          {{- end }}
           - name: ISTIO_META_POD_NAME
             valueFrom:
               fieldRef:
@@ -253,6 +259,13 @@ spec:
             value: |
 {{ toJson $gateway.podAnnotations | indent 16}}
 {{ end }}
+          - name: ISTIO_METAJSON_LABELS
+            value: |
+              {{ $labels | toJson }}
+          - name: ISTIO_META_CLUSTER_ID
+            value: "{{ $.Values.global.multiCluster.clusterName | default `Kubernetes` }}"
+          - name: SDS_ENABLED
+            value: "{{ .Values.global.sds.enabled }}"
           volumeMounts:
           {{ if .Values.global.sds.enabled }}
           - name: sdsudspath

gateways/istio-ingress/templates/preconfigured.yaml

@@ -25,8 +25,8 @@ spec:
       name: https-default
     tls:
       mode: SIMPLE
-      serverCertificate: /etc/istio/ingress-certs/tls.crt
-      privateKey: /etc/istio/ingress-certs/tls.key
+      serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
+      privateKey: /etc/istio/ingressgateway-certs/tls.key
     hosts:
     - "*"
 {{ end }}

global.yaml

@@ -120,7 +120,7 @@ global:
     # the specified period, defaulting to non mTLS plain TCP
     # traffic. Set this field to tweak the period that Envoy will wait
     # for the client to send the first bits of data. (MUST BE >=1ms)
-    protocolDetectionTimeout: 1s
+    protocolDetectionTimeout: 100ms
 
     #If set to true, istio-proxy container will have privileged securityContext
     privileged: false
@@ -205,7 +205,7 @@ global:
 
   proxy_init:
     # Base name for the proxy_init container, used to configure iptables.
-    image: proxy_init
+    image: proxyv2
     resources:
       limits:
         cpu: 100m
@@ -327,6 +327,9 @@ global:
     # talk to one another. All clusters should be using Istio mTLS and must
     # have a shared root CA for this model to work.
     enabled: false
+    # Should be set to the name of the cluster this installation will run in. This is required for sidecar injection
+    # to properly label proxies
+    clusterName: ""
 
   # A minimal set of requested resources to applied to all deployments so that
   # Horizontal Pod Autoscaler will be able to function (if set).
@@ -418,6 +421,12 @@ global:
     # distributed through the SecretDiscoveryService instead of using K8S secrets to mount the certificates.
     enabled: false
     udsPath: ""
+    # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3.
+    # When a CSR is sent from Citadel Agent to the CA (e.g. Citadel), this aud is to make sure the
+    # JWT is intended for the CA.
+    token:
+      aud: istio-ca
+
 
   # Configure the mesh networks to be used by the Split Horizon EDS.
   #

istio-control/istio-autoinject/files/injection-template.yaml

@@ -10,7 +10,8 @@ template: |
   {{- else }}
     image: "{{ .Values.global.hub }}/{{ .Values.global.proxy_init.image }}:{{ .Values.global.tag }}"
   {{- end }}
-    args:
+    command:
+    - istio-iptables
     - "-p"
     - 15001
     - "-z"
@@ -189,6 +190,25 @@ template: |
       valueFrom:
         fieldRef:
           fieldPath: status.hostIP
+  {{- if eq .Values.global.proxy.tracer "datadog" }}
+  {{- if isset .ObjectMeta.Annotations `apm.datadoghq.com/env` }}
+  {{- range $key, $value := fromJSON (index .ObjectMeta.Annotations `apm.datadoghq.com/env`) }}
+    - name: {{ $key }}
+      value: "{{ $value }}"
+  {{- end }}
+  {{- end }}
+  {{- end }}
+    - name: ISTIO_META_POD_PORTS
+      value: |-
+        [
+        {{- range $index1, $c := .Spec.Containers }}
+          {{- range $index2, $p := $c.Ports }}
+            {{if or (ne $index1 0) (ne $index2 0)}},{{end}}{{ structToJSON $p }}
+          {{- end}}
+        {{- end}}
+        ]
+    - name: ISTIO_META_CLUSTER_ID
+      value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}"
     - name: ISTIO_META_POD_NAME
       valueFrom:
         fieldRef:
@@ -197,6 +217,8 @@ template: |
       valueFrom:
         fieldRef:
           fieldPath: metadata.namespace
+    - name: SDS_ENABLED
+      value: "{{ .Values.global.sds.enabled }}"
     - name: ISTIO_META_INTERCEPTION_MODE
       value: "{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}"
     - name: ISTIO_META_INCLUDE_INBOUND_PORTS
@@ -336,7 +358,7 @@ template: |
       - serviceAccountToken:
           path: istio-token
           expirationSeconds: 43200
-          audience: {{ .Values.global.trustDomain }}
+          audience: {{ .Values.global.sds.token.aud }}
   {{- if .Values.global.sds.customTokenDirectory }}
   - name: custom-sds-token
     secret:

istio-control/istio-autoinject/templates/deployment.yaml

@@ -30,7 +30,6 @@ spec:
 {{- end }}
       annotations:
         sidecar.istio.io/inject: "false"
-        checksum/config-volume: {{ .Files.Get "files/injection-template.yaml" | sha256sum }}
         {{- if .Values.sidecarInjectorWebhook.podAnnotations }}
 {{ toYaml .Values.sidecarInjectorWebhook.podAnnotations | indent 8 }}
         {{- end }}

istio-control/istio-autoinject/templates/sidecar-injector-configmap.yaml

@@ -15,8 +15,13 @@ data:
   config: |-
     policy: {{ .Values.global.proxy.autoInject }}
     alwaysInjectSelector:
-{{ toYaml .Values.sidecarInjectorWebhook.alwaysInjectSelector | indent 6 }}
+{{ toYaml .Values.sidecarInjectorWebhook.alwaysInjectSelector | trim | indent 6 }}
     neverInjectSelector:
-{{ toYaml .Values.sidecarInjectorWebhook.neverInjectSelector | indent 6 }}
-{{ .Files.Get "files/injection-template.yaml" | indent 4 }}
+{{ toYaml .Values.sidecarInjectorWebhook.neverInjectSelector | trim | indent 6 }}
+{{ .Files.Get "files/injection-template.yaml" | trim | indent 4 }}
+    injectedAnnotations:
+    {{- range $key, $val := .Values.sidecarInjectorWebhook.injectedAnnotations }}
+      "{{ $key }}": "{{ $val }}"
+    {{- end }}
+
 {{- end }}

istio-control/istio-autoinject/values.yaml

@@ -27,6 +27,20 @@ sidecarInjectorWebhook:
   tolerations: []
   podAnnotations: {}
 
+  # injectedAnnotations are additional annotations that will be added to the pod spec after injection
+  # This is primarily to support PSP annotations. For example, if you defined a PSP with the annotations:
+  #
+  # annotations:
+  #   apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default
+  #   apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default
+  #
+  # The PSP controller would add corresponding annotations to the pod spec for each container. However, this happens before
+  # the inject adds additional containers, so we must specify them explicitly here. With the above example, we could specify:
+  # injectedAnnotations:
+  #   container.apparmor.security.beta.kubernetes.io/istio-init: runtime/default
+  #   container.apparmor.security.beta.kubernetes.io/istio-proxy: runtime/default
+  injectedAnnotations: {}
+
   # If set, will use the value as injection label. The value must match the 'release' label of the injector,
   # except when 1.2 istio-injection label is used, which must be set to "enabled".
   injectLabel: istio-injection

istio-control/istio-config/templates/deployment.yaml

@@ -167,6 +167,8 @@ spec:
               fieldRef:
                 apiVersion: v1
                 fieldPath: status.podIP
+          - name: SDS_ENABLED
+            value: "{{ .Values.global.sds.enabled }}"
           resources:
 {{- if .Values.global.proxy.resources }}
 {{ toYaml .Values.global.proxy.resources | indent 12 }}

istio-control/istio-discovery/templates/configmap.yaml

@@ -10,10 +10,10 @@ data:
 
   meshNetworks: |-
     # Network config
-{{ toYaml .Values.pilot.meshNetworks | indent 4 }}
+{{ toYaml .Values.pilot.meshNetworks | trim | indent 4 }}
 
   values.yaml: |-
-{{ toYaml .Values.pilot | indent 4 }}
+{{ toYaml .Values.pilot | trim | indent 4 }}
 
   mesh: |-
     {{- if .Values.global.enableTracing }}
@@ -36,6 +36,11 @@ data:
     reportBatchMaxTime: {{ .Values.mixer.telemetry.reportBatchMaxTime }}
     {{- end }}
 
+    {{- if .Values.mixer.telemetry.sessionAffinityEnabled }}
+    # sidecarToTelemetrySessionAffinity will create a STRICT_DNS type cluster for istio-telemetry.
+    sidecarToTelemetrySessionAffinity: {{ .Values.mixer.telemetry.sessionAffinityEnabled }}
+    {{- end }}
+
     {{- if .Values.pilot.telemetry.enabled }}
     {{- if .Values.global.controlPlaneSecurityEnabled }}
     mixerReportServer: istio-telemetry.{{ .Values.global.telemetryNamespace }}.svc.cluster.local:15004
@@ -79,7 +84,7 @@ data:
     {{- if .Values.global.sds.enabled }}
     # Unix Domain Socket through which envoy communicates with NodeAgent SDS to get
     # key/cert for mTLS. Use secret-mount files instead of SDS if set to empty.
-    sdsUdsPath: {{ .Values.global.sds.udsPath }}
+    sdsUdsPath: {{ .Values.global.sds.udsPath | quote }}
 
     {{- else }}
     # Set expected values when SDS is disabled
@@ -119,14 +124,14 @@ data:
 
     {{- if  .Values.global.localityLbSetting.enabled }}
     localityLbSetting:
-{{ toYaml .Values.global.localityLbSetting | indent 6 }}
+{{ toYaml .Values.global.localityLbSetting | trim | indent 6 }}
     {{- end }}
 
     # Configures DNS certificates provisioned through Chiron linked into Pilot.
     # The DNS certificate provisioning is enabled by default now so it get tested.
     # TODO (lei-tang): we'll decide whether enable it by default or not before Istio 1.4 Release.
     certificates:
-{{ toYaml .Values.global.certificates | indent 6 }}
+{{ toYaml .Values.global.certificates | trim | indent 6 }}
 
     defaultConfig:
       #