Merge tag '1.19.8' into tetratefips-release-1.19

Istio release 1.19.8

.devcontainer/devcontainer.json

@@ -1,6 +1,6 @@
 {
   "name": "istio build-tools",
-  "image": "gcr.io/istio-testing/build-tools:release-1.19-91f550e0d56c59767d966985f7cc14ddb1f75859",
+  "image": "gcr.io/istio-testing/build-tools:release-1.19-013f27a57a64f1d22f60c3dcb9b242cf4814065a",
   "privileged": true,
   "remoteEnv": {
     "USE_GKE_GCLOUD_AUTH_PLUGIN": "True",

Makefile.core.mk

@@ -49,7 +49,7 @@ endif
 export VERSION
 
 # Base version of Istio image to use
-BASE_VERSION ?= 1.19-2024-01-31T19-05-18
+BASE_VERSION ?= 1.19-2024-02-16T19-01-38
 ISTIO_BASE_REGISTRY ?= gcr.io/istio-release
 
 export GO111MODULE ?= on

common/.commonfiles.sha

@@ -1 +1 @@
-42df49ca0c1c06a33ab4a93d24906bb4cb255eb3
+bdb38aa251ecadf811809709d381eb2d8f62d9cf

common/config/.golangci.yml

@@ -242,7 +242,6 @@ linters-settings:
       AllGoFiles:
         files:
           - $all
-          - "!**/tests/integration/**"
         deny:
           - pkg: golang.org/x/net/http2/h2c
             desc: "h2c.NewHandler is unsafe; use wrapper istio.io/istio/pkg/h2c"

common/scripts/setup_env.sh

@@ -75,7 +75,7 @@ fi
 TOOLS_REGISTRY_PROVIDER=${TOOLS_REGISTRY_PROVIDER:-gcr.io}
 PROJECT_ID=${PROJECT_ID:-istio-testing}
 if [[ "${IMAGE_VERSION:-}" == "" ]]; then
-  IMAGE_VERSION=release-1.19-91f550e0d56c59767d966985f7cc14ddb1f75859
+  IMAGE_VERSION=release-1.19-013f27a57a64f1d22f60c3dcb9b242cf4814065a
 fi
 if [[ "${IMAGE_NAME:-}" == "" ]]; then
   IMAGE_NAME=build-tools

go.mod

@@ -109,8 +109,8 @@ require (
 	gopkg.in/yaml.v2 v2.4.0
 	gopkg.in/yaml.v3 v3.0.1
 	helm.sh/helm/v3 v3.12.2
-	istio.io/api v1.19.7-0.20240110022508-68cf4097ffc5
-	istio.io/client-go v1.19.7-0.20240110023605-ad5ce1f48b56
+	istio.io/api v1.19.7-0.20240306022805-999d751c637a
+	istio.io/client-go v1.19.7-0.20240306023701-8b2b3da74273
 	k8s.io/api v0.28.1
 	k8s.io/apiextensions-apiserver v0.28.1
 	k8s.io/apimachinery v0.28.1

go.sum

@@ -1386,10 +1386,10 @@ honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWh
 honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg=
 honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
 honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
-istio.io/api v1.19.7-0.20240110022508-68cf4097ffc5 h1:wR3m6KvLnflLUDQ+alDY8gAG1H3veH5LUtqjSEZk3mo=
-istio.io/api v1.19.7-0.20240110022508-68cf4097ffc5/go.mod h1:KstZe4bKbXouALUJ5PqpjNEhu5nj90HrDFitZfpNhlU=
-istio.io/client-go v1.19.7-0.20240110023605-ad5ce1f48b56 h1:KgQr08nNcZxhIwkXimdEVLSPAtM9+Lc0Mux2qddCjqg=
-istio.io/client-go v1.19.7-0.20240110023605-ad5ce1f48b56/go.mod h1:MrVvkqWjM6iK2xO8jrAcuwfvjOy6HcNJRD/r0LWE6mM=
+istio.io/api v1.19.7-0.20240306022805-999d751c637a h1:BrjgC43C+jLsT9BlRVaM3W0tNS66LK4MIJHA9s+6kZg=
+istio.io/api v1.19.7-0.20240306022805-999d751c637a/go.mod h1:KstZe4bKbXouALUJ5PqpjNEhu5nj90HrDFitZfpNhlU=
+istio.io/client-go v1.19.7-0.20240306023701-8b2b3da74273 h1:BNcgTo0Rt0XJnbPsCJQx/smGj64iqf6krvF5oW2DM5k=
+istio.io/client-go v1.19.7-0.20240306023701-8b2b3da74273/go.mod h1:wpLEk59sC4l97oqEXbj6pMcTJc/MiyTViusixPPITG4=
 k8s.io/api v0.18.2/go.mod h1:SJCWI7OLzhZSvbY7U8zwNl9UA4o1fizoug34OV/2r78=
 k8s.io/api v0.18.4/go.mod h1:lOIQAKYgai1+vz9J7YcDZwC26Z0zQewYOGWdyIPUUQ4=
 k8s.io/api v0.28.1 h1:i+0O8k2NPBCPYaMB+uCkseEbawEt/eFaiRqUx8aB108=

istio.deps

@@ -4,13 +4,13 @@
     "name": "PROXY_REPO_SHA",
     "repoName": "proxy",
     "file": "",
-    "lastStableSHA": "af5e0ef2c1473f0f4e61f78adf81c85ff6389f87"
+    "lastStableSHA": "7160620e52a1d6ef058caf22d37d22d8f9b09636"
   },
   {
     "_comment": "",
     "name": "ZTUNNEL_REPO_SHA",
     "repoName": "ztunnel",
     "file": "",
-    "lastStableSHA": "e80e96bd5d1484a90838ebe97ea9be402f7803f7"
+    "lastStableSHA": "f6f806ee5f9cf42a1892d06450e41eefd1e80f56"
   }
 ]

istioctl/pkg/precheck/precheck.go

@@ -213,87 +213,84 @@ func checkInstallPermissions(cli kube.CLIClient, istioNamespace string) diag.Mes
 		namespace string
 		group     string
 		version   string
-		name      string
+		resource  string
 	}{
 		{
-			version: "v1",
-			name:    "Namespace",
+			version:  "v1",
+			resource: "namespaces",
 		},
 		{
-			namespace: istioNamespace,
-			group:     "rbac.authorization.k8s.io",
-			version:   "v1",
-			name:      "ClusterRole",
+			group:    "rbac.authorization.k8s.io",
+			version:  "v1",
+			resource: "clusterroles",
 		},
 		{
-			namespace: istioNamespace,
-			group:     "rbac.authorization.k8s.io",
-			version:   "v1",
-			name:      "ClusterRoleBinding",
+			group:    "rbac.authorization.k8s.io",
+			version:  "v1",
+			resource: "clusterrolebindings",
 		},
 		{
-			namespace: istioNamespace,
-			group:     "apiextensions.k8s.io",
-			version:   "v1",
-			name:      "CustomResourceDefinition",
+			group:    "apiextensions.k8s.io",
+			version:  "v1",
+			resource: "customresourcedefinitions",
 		},
 		{
 			namespace: istioNamespace,
 			group:     "rbac.authorization.k8s.io",
 			version:   "v1",
-			name:      "Role",
+			resource:  "roles",
 		},
 		{
 			namespace: istioNamespace,
 			version:   "v1",
-			name:      "ServiceAccount",
+			resource:  "serviceaccounts",
 		},
 		{
 			namespace: istioNamespace,
 			version:   "v1",
-			name:      "Service",
+			resource:  "services",
 		},
 		{
 			namespace: istioNamespace,
 			group:     "apps",
 			version:   "v1",
-			name:      "Deployments",
+			resource:  "deployments",
 		},
 		{
 			namespace: istioNamespace,
 			version:   "v1",
-			name:      "ConfigMap",
+			resource:  "configmaps",
 		},
 		{
-			group:   "admissionregistration.k8s.io",
-			version: "v1",
-			name:    "MutatingWebhookConfiguration",
+			group:    "admissionregistration.k8s.io",
+			version:  "v1",
+			resource: "mutatingwebhookconfigurations",
 		},
 		{
-			group:   "admissionregistration.k8s.io",
-			version: "v1",
-			name:    "ValidatingWebhookConfiguration",
+			group:    "admissionregistration.k8s.io",
+			version:  "v1",
+			resource: "validatingwebhookconfigurations",
 		},
 	}
 	msgs := diag.Messages{}
 	for _, r := range Resources {
-		err := checkCanCreateResources(cli, r.namespace, r.group, r.version, r.name)
+		err := checkCanCreateResources(cli, r.namespace, r.group, r.version, r.resource)
 		if err != nil {
-			msgs.Add(msg.NewInsufficientPermissions(&resource.Instance{Origin: clusterOrigin{}}, r.name, err.Error()))
+			msgs.Add(msg.NewInsufficientPermissions(&resource.Instance{Origin: clusterOrigin{}}, r.resource, err.Error()))
 		}
 	}
 	return msgs
 }
 
-func checkCanCreateResources(c kube.CLIClient, namespace, group, version, name string) error {
+func checkCanCreateResources(c kube.CLIClient, namespace, group, version, resource string) error {
 	s := &authorizationapi.SelfSubjectAccessReview{
 		Spec: authorizationapi.SelfSubjectAccessReviewSpec{
 			ResourceAttributes: &authorizationapi.ResourceAttributes{
 				Namespace: namespace,
 				Verb:      "create",
 				Group:     group,
 				Version:   version,
-				Resource:  name,
+				Resource:  resource,
 			},
 		},
 	}

manifests/charts/istio-control/istio-discovery/files/gateway-injection-template.yaml

@@ -100,6 +100,10 @@ spec:
       valueFrom:
         resourceFieldRef:
           resource: limits.cpu
+    {{- if .CompliancePolicy }}
+    - name: COMPLIANCE_POLICY
+      value: "{{ .CompliancePolicy }}"
+    {{- end }}
     - name: ISTIO_META_APP_CONTAINERS
       value: "{{ $containers | join "," }}"
     - name: ISTIO_META_CLUSTER_ID

manifests/charts/istio-control/istio-discovery/files/injection-template.yaml

@@ -289,6 +289,10 @@ spec:
       valueFrom:
         resourceFieldRef:
           resource: limits.cpu
+    {{- if .CompliancePolicy }}
+    - name: COMPLIANCE_POLICY
+      value: "{{ .CompliancePolicy }}"
+    {{- end }}
     - name: ISTIO_META_CLUSTER_ID
       value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}"
     - name: ISTIO_META_NODE_NAME

manifests/charts/istiod-remote/files/gateway-injection-template.yaml

@@ -100,6 +100,10 @@ spec:
       valueFrom:
         resourceFieldRef:
           resource: limits.cpu
+    {{- if .CompliancePolicy }}
+    - name: COMPLIANCE_POLICY
+      value: "{{ .CompliancePolicy }}"
+    {{- end }}
     - name: ISTIO_META_APP_CONTAINERS
       value: "{{ $containers | join "," }}"
     - name: ISTIO_META_CLUSTER_ID

manifests/charts/istiod-remote/files/injection-template.yaml

@@ -289,6 +289,10 @@ spec:
       valueFrom:
         resourceFieldRef:
           resource: limits.cpu
+    {{- if .CompliancePolicy }}
+    - name: COMPLIANCE_POLICY
+      value: "{{ .CompliancePolicy }}"
+    {{- end }}
     - name: ISTIO_META_CLUSTER_ID
       value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}"
     - name: ISTIO_META_NODE_NAME

pilot/pkg/bootstrap/server.go

@@ -42,6 +42,7 @@ import (
 	istiogrpc "istio.io/istio/pilot/pkg/grpc"
 	"istio.io/istio/pilot/pkg/keycertbundle"
 	"istio.io/istio/pilot/pkg/model"
+	sec_model "istio.io/istio/pilot/pkg/security/model"
 	"istio.io/istio/pilot/pkg/server"
 	"istio.io/istio/pilot/pkg/serviceregistry/aggregate"
 	"istio.io/istio/pilot/pkg/serviceregistry/provider"
@@ -752,6 +753,8 @@ func (s *Server) initSecureDiscoveryService(args *PilotArgs) error {
 		MinVersion:   tls.VersionTLS12,
 		CipherSuites: args.ServerOptions.TLSOptions.CipherSuits,
 	}
+	// Compliance for xDS server TLS.
+	sec_model.EnforceGoCompliance(cfg)
 
 	tlsCreds := credentials.NewTLS(cfg)
 

pilot/pkg/bootstrap/webhook.go

@@ -20,6 +20,7 @@ import (
 	"net/http"
 	"strings"
 
+	sec_model "istio.io/istio/pilot/pkg/security/model"
 	istiolog "istio.io/istio/pkg/log"
 )
 
@@ -50,17 +51,21 @@ func (s *Server) initSecureWebhookServer(args *PilotArgs) {
 		return
 	}
 
+	tlsConfig := &tls.Config{
+		GetCertificate: s.getIstiodCertificate,
+		MinVersion:     tls.VersionTLS12,
+		CipherSuites:   args.ServerOptions.TLSOptions.CipherSuits,
+	}
+	// Compliance for control plane validation and injection webhook server.
+	sec_model.EnforceGoCompliance(tlsConfig)
+
 	istiolog.Info("initializing secure webhook server for istiod webhooks")
 	// create the https server for hosting the k8s injectionWebhook handlers.
 	s.httpsMux = http.NewServeMux()
 	s.httpsServer = &http.Server{
-		Addr:     args.ServerOptions.HTTPSAddr,
-		ErrorLog: log.New(&httpServerErrorLogWriter{}, "", 0),
-		Handler:  s.httpsMux,
-		TLSConfig: &tls.Config{
-			GetCertificate: s.getIstiodCertificate,
-			MinVersion:     tls.VersionTLS12,
-			CipherSuites:   args.ServerOptions.TLSOptions.CipherSuits,
-		},
+		Addr:      args.ServerOptions.HTTPSAddr,
+		ErrorLog:  log.New(&httpServerErrorLogWriter{}, "", 0),
+		Handler:   s.httpsMux,
+		TLSConfig: tlsConfig,
 	}
 }

pilot/pkg/model/push_context.go

@@ -1559,12 +1559,6 @@ func (ps *PushContext) initVirtualServices(env *Environment) {
 
 	totalVirtualServices.Record(float64(len(virtualServices)))
 
-	// TODO(rshriram): parse each virtual service and maintain a map of the
-	// virtualservice name, the list of registry hosts in the VS and non
-	// registry DNS names in the VS.  This should cut down processing in
-	// the RDS code. See separateVSHostsAndServices in route/route.go
-	sortConfigByCreationTime(vservices)
-
 	// convert all shortnames in virtual services into FQDNs
 	for _, r := range vservices {
 		resolveVirtualServiceShortnames(r.Spec.(*networking.VirtualService), r.Meta)

pilot/pkg/model/virtualservice.go

@@ -260,6 +260,8 @@ func mergeVirtualServicesIfNeeded(
 		out = append(out, root)
 	}
 
+	sortConfigByCreationTime(out)
+
 	return out, delegatesByRoot
 }
 

pilot/pkg/model/virtualservice_test.go

@@ -705,6 +705,33 @@ func TestMergeVirtualServices(t *testing.T) {
 			assert.Equal(t, got, tc.expectedVirtualServices)
 		})
 	}
+
+	t.Run("test merge order", func(t *testing.T) {
+		root := rootVs.DeepCopy()
+		delegate := delegateVs.DeepCopy()
+		normal := independentVs.DeepCopy()
+
+		// make sorting results predictable.
+		t0 := time.Now()
+		root.CreationTimestamp = t0.Add(1)
+		delegate.CreationTimestamp = t0.Add(2)
+		normal.CreationTimestamp = t0.Add(3)
+
+		checkOrder := func(got []config.Config, _ map[ConfigKey][]ConfigKey) {
+			gotOrder := make([]string, 0, len(got))
+			for _, c := range got {
+				gotOrder = append(gotOrder, fmt.Sprintf("%s/%s", c.Namespace, c.Name))
+			}
+			wantOrder := []string{"istio-system/root-vs", "default/virtual-service"}
+			assert.Equal(t, gotOrder, wantOrder)
+		}
+
+		vses := []config.Config{root, delegate, normal}
+		checkOrder(mergeVirtualServicesIfNeeded(vses, map[visibility.Instance]bool{visibility.Public: true}))
+
+		vses = []config.Config{normal, delegate, root}
+		checkOrder(mergeVirtualServicesIfNeeded(vses, map[visibility.Instance]bool{visibility.Public: true}))
+	})
 }
 
 func TestMergeHttpRoutes(t *testing.T) {

pilot/pkg/networking/core/v1alpha3/cluster_waypoint.go

@@ -30,6 +30,7 @@ import (
 	networking "istio.io/api/networking/v1alpha3"
 	"istio.io/istio/pilot/pkg/model"
 	"istio.io/istio/pilot/pkg/networking/util"
+	sec_model "istio.io/istio/pilot/pkg/security/model"
 	"istio.io/istio/pilot/pkg/util/protoconv"
 	v3 "istio.io/istio/pilot/pkg/xds/v3"
 	"istio.io/istio/pkg/config/host"
@@ -171,6 +172,8 @@ func (cb *ClusterBuilder) buildConnectOriginate(proxy *model.Proxy, push *model.
 			Matcher: uriSanMatcher,
 		})
 	}
+	// Compliance for Envoy tunnel upstreams.
+	sec_model.EnforceCompliance(ctx)
 	return &cluster.Cluster{
 		Name:                          ConnectOriginate,
 		ClusterDiscoveryType:          &cluster.Cluster_Type{Type: cluster.Cluster_ORIGINAL_DST},

pilot/pkg/networking/core/v1alpha3/listener.go

@@ -172,6 +172,9 @@ func BuildListenerTLSContext(serverTLSSettings *networking.ServerTLSSettings,
 		applyDownstreamTLSDefaults(mesh.GetTlsDefaults(), ctx.CommonTlsContext)
 		applyServerTLSSettings(serverTLSSettings, ctx.CommonTlsContext)
 	}
+
+	// Compliance for Envoy TLS downstreams.
+	authnmodel.EnforceCompliance(ctx.CommonTlsContext)
 	return ctx
 }
 

pilot/pkg/networking/core/v1alpha3/listener_waypoint.go

@@ -698,5 +698,7 @@ func buildCommonConnectTLSContext(proxy *model.Proxy, push *model.PushContext) *
 		TlsMaximumProtocolVersion: tls.TlsParameters_TLSv1_3,
 		TlsMinimumProtocolVersion: tls.TlsParameters_TLSv1_3,
 	}
+	// Compliance for Envoy tunnel TLS contexts.
+	security.EnforceCompliance(ctx)
 	return ctx
 }