robot: project cni chart upgrades from 1.17.1 to 1.23.3

Signed-off-by: robot <[email protected]>

charts/cni/cni/Chart.yaml

@@ -1,15 +1,15 @@
-apiVersion: v1
-appVersion: 1.17.1
+apiVersion: v2
+appVersion: 1.23.3
 description: Helm chart for istio-cni components
 icon: https://istio.io/latest/favicons/android-192x192.png
 keywords:
   - istio-cni
   - istio
 name: cni
 sources:
-  - https://github.com/istio/istio/tree/master/cni
-version: 1.17.1
+  - https://github.com/istio/istio
+version: 1.23.3
 dependencies:
   - name: cni
-    version: "1.17.1"
+    version: "1.23.3"
     repository: "https://istio-release.storage.googleapis.com/charts"

charts/cni/cni/README.md

@@ -21,4 +21,45 @@ helm install istio-cni istio/cni -n kube-system
 ```
 
 Installation in `kube-system` is recommended to ensure the [`system-node-critical`](https://kubernetes.io/docs/tasks/administer-cluster/guaranteed-scheduling-critical-addon-pods/)
-`priorityClassName` can be used.
+`priorityClassName` can be used. You can install in other namespace only on K8S clusters that allow
+'system-node-critical' outside of kube-system.
+
+## Configuration
+
+To view support configuration options and documentation, run:
+
+```console
+helm show values istio/istio-cni
+```
+
+### Profiles
+
+Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets.
+These can be set with `--set profile=<profile>`.
+For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements.
+
+For consistency, the same profiles are used across each chart, even if they do not impact a given chart.
+
+Explicitly set values have highest priority, then profile settings, then chart defaults.
+
+As an implementation detail of profiles, the default values for the chart are all nested under `defaults`.
+When configuring the chart, you should not include this.
+That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`.
+
+### Ambient
+
+To enable ambient, you can use the ambient profile: `--set profile=ambient`.
+
+#### Calico
+
+For Calico, you must also modify the settings to allow source spoofing:
+
+- if deployed by operator,  `kubectl patch felixconfigurations default --type='json' -p='[{"op": "add", "path": "/spec/workloadSourceSpoofing", "value": "Any"}]'`
+- if deployed by manifest, add env `FELIX_WORKLOADSOURCESPOOFING` with value `Any` in `spec.template.spec.containers.env` for daemonset `calico-node`. (This will allow PODs with specified annotation to skip the rpf check. )
+
+### GKE notes
+
+On GKE, 'kube-system' is required.
+
+If using `helm template`, `--set cni.cniBinDir=/home/kubernetes/bin` is required - with `helm install`
+it is auto-detected.

charts/cni/cni/charts/cni/Chart.yaml

@@ -1,11 +1,11 @@
-apiVersion: v1
-appVersion: 1.17.1
+apiVersion: v2
+appVersion: 1.23.3
 description: Helm chart for istio-cni components
 icon: https://istio.io/latest/favicons/android-192x192.png
 keywords:
 - istio-cni
 - istio
 name: cni
 sources:
-- https://github.com/istio/istio/tree/master/cni
-version: 1.17.1
+- https://github.com/istio/istio
+version: 1.23.3

charts/cni/cni/charts/cni/README.md

@@ -21,4 +21,45 @@ helm install istio-cni istio/cni -n kube-system
 ```
 
 Installation in `kube-system` is recommended to ensure the [`system-node-critical`](https://kubernetes.io/docs/tasks/administer-cluster/guaranteed-scheduling-critical-addon-pods/)
-`priorityClassName` can be used.
+`priorityClassName` can be used. You can install in other namespace only on K8S clusters that allow
+'system-node-critical' outside of kube-system.
+
+## Configuration
+
+To view support configuration options and documentation, run:
+
+```console
+helm show values istio/istio-cni
+```
+
+### Profiles
+
+Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets.
+These can be set with `--set profile=<profile>`.
+For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements.
+
+For consistency, the same profiles are used across each chart, even if they do not impact a given chart.
+
+Explicitly set values have highest priority, then profile settings, then chart defaults.
+
+As an implementation detail of profiles, the default values for the chart are all nested under `defaults`.
+When configuring the chart, you should not include this.
+That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`.
+
+### Ambient
+
+To enable ambient, you can use the ambient profile: `--set profile=ambient`.
+
+#### Calico
+
+For Calico, you must also modify the settings to allow source spoofing:
+
+- if deployed by operator,  `kubectl patch felixconfigurations default --type='json' -p='[{"op": "add", "path": "/spec/workloadSourceSpoofing", "value": "Any"}]'`
+- if deployed by manifest, add env `FELIX_WORKLOADSOURCESPOOFING` with value `Any` in `spec.template.spec.containers.env` for daemonset `calico-node`. (This will allow PODs with specified annotation to skip the rpf check. )
+
+### GKE notes
+
+On GKE, 'kube-system' is required.
+
+If using `helm template`, `--set cni.cniBinDir=/home/kubernetes/bin` is required - with `helm install`
+it is auto-detected.

charts/cni/cni/charts/cni/files/profile-ambient.yaml

@@ -0,0 +1,20 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      ISTIO_META_ENABLE_HBONE: "true"
+global:
+  variant: distroless
+pilot:
+  env:
+    PILOT_ENABLE_AMBIENT: "true"
+cni:
+  ambient:
+    enabled: true
+
+# Ztunnel doesn't use a namespace, so everything here is mostly for ztunnel
+variant: distroless

charts/cni/cni/charts/cni/files/profile-compatibility-version-1.20.yaml

@@ -0,0 +1,26 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.21 behavioral changes
+    ENABLE_EXTERNAL_NAME_ALIAS: "false"
+    PERSIST_OLDEST_FIRST_HEURISTIC_FOR_VIRTUAL_SERVICE_HOST_MATCHING: "true"
+    VERIFY_CERTIFICATE_AT_CLIENT: "false"
+    ENABLE_AUTO_SNI: "false"
+
+    # 1.22 behavioral changes
+    ENABLE_ENHANCED_RESOURCE_SCOPING: "false"
+    ENABLE_RESOLUTION_NONE_TARGET_PORT: "false"
+
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      # 1.22 behavioral changes
+      ISTIO_DELTA_XDS: "false"
+      # 1.23 behavioral changes
+      ENABLE_DELIMITED_STATS_TAG_REGEX: "false"
+    tracing:
+      zipkin:
+        address: zipkin.istio-system:9411

charts/cni/cni/charts/cni/files/profile-compatibility-version-1.21.yaml

@@ -0,0 +1,23 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.22 behavioral changes
+    ENABLE_ENHANCED_RESOURCE_SCOPING: "false"
+    ENABLE_RESOLUTION_NONE_TARGET_PORT: "false"
+
+    # 1.23 behavioral changes
+    ENABLE_DELIMITED_STATS_TAG_REGEX: "false"
+
+meshConfig:
+  # 1.22 behavioral changes
+  defaultConfig:
+    proxyMetadata:
+      ISTIO_DELTA_XDS: "false"
+      # 1.23 behavioral changes
+      ENABLE_DELIMITED_STATS_TAG_REGEX: "false"
+    tracing:
+      zipkin:
+        address: zipkin.istio-system:9411

charts/cni/cni/charts/cni/files/profile-compatibility-version-1.22.yaml

@@ -0,0 +1,16 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.23 behavioral changes
+    ENABLE_DELIMITED_STATS_TAG_REGEX: "false"
+
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      # 1.22 behavioral changes
+      ENABLE_DEFERRED_CLUSTER_CREATION: "false"
+      # 1.23 behavioral changes
+      ENABLE_DELIMITED_STATS_TAG_REGEX: "false"

charts/cni/cni/charts/cni/files/profile-demo.yaml

@@ -0,0 +1,73 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The demo profile enables a variety of things to try out Istio in non-production environments.
+# * Lower resource utilization.
+# * Some additional features are enabled by default; especially ones used in some tasks in istio.io.
+# * More ports enabled on the ingress, which is used in some tasks.
+meshConfig:
+  accessLogFile: /dev/stdout
+  extensionProviders:
+    - name: otel
+      envoyOtelAls:
+        service: opentelemetry-collector.observability.svc.cluster.local
+        port: 4317
+    - name: skywalking
+      skywalking:
+        service: tracing.istio-system.svc.cluster.local
+        port: 11800
+    - name: otel-tracing
+      opentelemetry:
+        port: 4317
+        service: opentelemetry-collector.observability.svc.cluster.local
+
+global:
+  proxy:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+
+pilot:
+  autoscaleEnabled: false
+  traceSampling: 100
+  resources:
+    requests:
+      cpu: 10m
+      memory: 100Mi
+
+gateways:
+  istio-egressgateway:
+    autoscaleEnabled: false
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+  istio-ingressgateway:
+    autoscaleEnabled: false
+    ports:
+    ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces.
+    # Note that AWS ELB will by default perform health checks on the first port
+    # on this list. Setting this to the health check port will ensure that health
+    # checks always work. https://github.com/istio/istio/issues/12503
+    - port: 15021
+      targetPort: 15021
+      name: status-port
+    - port: 80
+      targetPort: 8080
+      name: http2
+    - port: 443
+      targetPort: 8443
+      name: https
+    - port: 31400
+      targetPort: 31400
+      name: tcp
+      # This is the port where sni routing happens
+    - port: 15443
+      targetPort: 15443
+      name: tls
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi

charts/cni/cni/charts/cni/files/profile-openshift-ambient.yaml

@@ -0,0 +1,33 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      ISTIO_META_ENABLE_HBONE: "true"
+global:
+  platform: openshift
+cni:
+  ambient:
+    enabled: true
+  cniBinDir: /var/lib/cni/bin
+  cniConfDir: /etc/cni/multus/net.d
+  chained: false
+  cniConfFileName: "istio-cni.conf"
+  logLevel: info
+  provider: "multus"
+pilot:
+  cni:
+    enabled: true
+    provider: "multus"
+  variant: distroless
+  env:
+    PILOT_ENABLE_AMBIENT: "true"
+    # Allow sidecars/ingress to send/receive HBONE. This is required for interop.
+    PILOT_ENABLE_SENDING_HBONE: "true"
+    PILOT_ENABLE_SIDECAR_LISTENING_HBONE: "true"
+platform: openshift
+variant: distroless
+seLinuxOptions:
+  type: spc_t

charts/cni/cni/charts/cni/files/profile-openshift.yaml

@@ -0,0 +1,20 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The OpenShift profile provides a basic set of settings to run Istio on OpenShift
+# CNI must be installed.
+cni:
+  cniBinDir: /var/lib/cni/bin
+  cniConfDir: /etc/cni/multus/net.d
+  chained: false
+  cniConfFileName: "istio-cni.conf"
+  logLevel: info
+  provider: "multus"
+global:
+  platform: openshift
+pilot:
+  cni:
+    enabled: true
+    provider: "multus"
+platform: openshift

charts/cni/cni/charts/cni/files/profile-preview.yaml

@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The preview profile contains features that are experimental.
+# This is intended to explore new features coming to Istio.
+# Stability, security, and performance are not guaranteed - use at your own risk.
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      # Enable Istio agent to handle DNS requests for known hosts
+      # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf
+      ISTIO_META_DNS_CAPTURE: "true"

charts/cni/cni/charts/cni/files/profile-stable.yaml

@@ -0,0 +1,8 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The stable profile deploys admission control to ensure that only stable resources and fields are used
+# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE
+experimental:
+  stableValidationPolicy: true

charts/cni/cni/charts/cni/templates/NOTES.txt

@@ -1,5 +1,5 @@
 "{{ .Release.Name }}" successfully installed!
 
 To learn more about the release, try:
-  $ helm status {{ .Release.Name }}
-  $ helm get all {{ .Release.Name }}
+  $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }}
+  $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }}

charts/cni/cni/charts/cni/templates/_helpers.tpl

@@ -0,0 +1,8 @@
+{{- define "name" -}}
+    istio-cni
+{{- end }}
+
+
+{{- define "istio-tag" -}}
+    {{ .Values.cni.tag | default .Values.global.tag }}{{with (.Values.cni.variant | default .Values.global.variant)}}-{{.}}{{end}}
+{{- end }}