robot: project gateway chart upgrades from 1.17.1 to 1.24.2

Signed-off-by: robot <[email protected]>

charts/gateway/config

@@ -4,7 +4,7 @@ export USE_OPENSOURCE_CHART=false
 export REPO_URL=https://istio-release.storage.googleapis.com/charts
 export REPO_NAME=istio
 export CHART_NAME=gateway
-export VERSION=1.17.1
+export VERSION=1.24.2
 
 # pr, issue, none
 export UPGRADE_METHOD=pr

charts/gateway/gateway/Chart.yaml

@@ -1,16 +1,16 @@
 apiVersion: v2
-appVersion: 1.17.1
+appVersion: 1.24.2
 description: Helm chart for deploying Istio gateways
 icon: https://istio.io/latest/favicons/android-192x192.png
 keywords:
   - istio
   - gateways
 name: gateway
 sources:
-  - http://github.com/istio/istio
+  - https://github.com/istio/istio
 type: application
-version: 1.17.1
+version: 1.24.2
 dependencies:
   - name: gateway
-    version: "1.17.1"
+    version: "1.24.2"
     repository: "https://istio-release.storage.googleapis.com/charts"

charts/gateway/gateway/README.md

@@ -35,6 +35,28 @@ To view support configuration options and documentation, run:
 helm show values istio/gateway
 ```
 
+### Profiles
+
+Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets.
+These can be set with `--set profile=<profile>`.
+For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements.
+
+For consistency, the same profiles are used across each chart, even if they do not impact a given chart.
+
+Explicitly set values have highest priority, then profile settings, then chart defaults.
+
+As an implementation detail of profiles, the default values for the chart are all nested under `defaults`.
+When configuring the chart, you should not include this.
+That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`.
+
+### OpenShift
+
+When deploying the gateway in an OpenShift cluster, use the `openshift` profile to override the default values, for example:
+
+```console
+helm install istio-ingressgateway istio/gateway --set profile=openshift
+```
+
 ### `image: auto` Information
 
 The image used by the chart, `auto`, may be unintuitive.

charts/gateway/gateway/charts/gateway/Chart.yaml

@@ -1,12 +1,12 @@
 apiVersion: v2
-appVersion: 1.17.1
+appVersion: 1.24.2
 description: Helm chart for deploying Istio gateways
 icon: https://istio.io/latest/favicons/android-192x192.png
 keywords:
 - istio
 - gateways
 name: gateway
 sources:
-- http://github.com/istio/istio
+- https://github.com/istio/istio
 type: application
-version: 1.17.1
+version: 1.24.2

charts/gateway/gateway/charts/gateway/README.md

@@ -35,6 +35,28 @@ To view support configuration options and documentation, run:
 helm show values istio/gateway
 ```
 
+### Profiles
+
+Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets.
+These can be set with `--set profile=<profile>`.
+For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements.
+
+For consistency, the same profiles are used across each chart, even if they do not impact a given chart.
+
+Explicitly set values have highest priority, then profile settings, then chart defaults.
+
+As an implementation detail of profiles, the default values for the chart are all nested under `defaults`.
+When configuring the chart, you should not include this.
+That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`.
+
+### OpenShift
+
+When deploying the gateway in an OpenShift cluster, use the `openshift` profile to override the default values, for example:
+
+```console
+helm install istio-ingressgateway istio/gateway --set profile=openshift
+```
+
 ### `image: auto` Information
 
 The image used by the chart, `auto`, may be unintuitive.

charts/gateway/gateway/charts/gateway/files/profile-ambient.yaml

@@ -0,0 +1,17 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      ISTIO_META_ENABLE_HBONE: "true"
+global:
+  variant: distroless
+pilot:
+  env:
+    PILOT_ENABLE_AMBIENT: "true"
+cni:
+  ambient:
+    enabled: true

charts/gateway/gateway/charts/gateway/files/profile-compatibility-version-1.21.yaml

@@ -0,0 +1,33 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.22 behavioral changes
+    ENABLE_ENHANCED_RESOURCE_SCOPING: "false"
+    ENABLE_RESOLUTION_NONE_TARGET_PORT: "false"
+
+    # 1.23 behavioral changes
+    ENABLE_DELIMITED_STATS_TAG_REGEX: "false"
+
+    # 1.24 behavioral changes
+    ENABLE_INBOUND_RETRY_POLICY: "false"
+    EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false"
+    PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false"
+    ENABLE_ENHANCED_DESTINATIONRULE_MERGE: "false"
+    PILOT_UNIFIED_SIDECAR_SCOPE: "false"
+
+meshConfig:
+  # 1.22 behavioral changes
+  defaultConfig:
+    proxyMetadata:
+      ISTIO_DELTA_XDS: "false"
+      # 1.23 behavioral changes
+      ENABLE_DELIMITED_STATS_TAG_REGEX: "false"
+      # 1.24 behaviour changes
+      ENABLE_DEFERRED_STATS_CREATION: "false"
+      BYPASS_OVERLOAD_MANAGER_FOR_STATIC_LISTENERS: "false"
+    tracing:
+      zipkin:
+        address: zipkin.istio-system:9411

charts/gateway/gateway/charts/gateway/files/profile-compatibility-version-1.22.yaml

@@ -0,0 +1,26 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.23 behavioral changes
+    ENABLE_DELIMITED_STATS_TAG_REGEX: "false"
+
+    # 1.24 behavioral changes
+    ENABLE_INBOUND_RETRY_POLICY: "false"
+    EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false"
+    PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false"
+    ENABLE_ENHANCED_DESTINATIONRULE_MERGE: "false"
+    PILOT_UNIFIED_SIDECAR_SCOPE: "false"
+
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      # 1.22 behavioral changes
+      ENABLE_DEFERRED_CLUSTER_CREATION: "false"
+      # 1.23 behavioral changes
+      ENABLE_DELIMITED_STATS_TAG_REGEX: "false"
+      # 1.24 behaviour changes
+      ENABLE_DEFERRED_STATS_CREATION: "false"
+      BYPASS_OVERLOAD_MANAGER_FOR_STATIC_LISTENERS: "false"

charts/gateway/gateway/charts/gateway/files/profile-compatibility-version-1.23.yaml

@@ -0,0 +1,19 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.24 behavioral changes
+    ENABLE_INBOUND_RETRY_POLICY: "false"
+    EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false"
+    PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false"
+    ENABLE_ENHANCED_DESTINATIONRULE_MERGE: "false"
+    PILOT_UNIFIED_SIDECAR_SCOPE: "false"
+
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      # 1.24 behaviour changes
+      ENABLE_DEFERRED_STATS_CREATION: "false"
+      BYPASS_OVERLOAD_MANAGER_FOR_STATIC_LISTENERS: "false"

charts/gateway/gateway/charts/gateway/files/profile-demo.yaml

@@ -0,0 +1,90 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The demo profile enables a variety of things to try out Istio in non-production environments.
+# * Lower resource utilization.
+# * Some additional features are enabled by default; especially ones used in some tasks in istio.io.
+# * More ports enabled on the ingress, which is used in some tasks.
+meshConfig:
+  accessLogFile: /dev/stdout
+  extensionProviders:
+    - name: otel
+      envoyOtelAls:
+        service: opentelemetry-collector.observability.svc.cluster.local
+        port: 4317
+    - name: skywalking
+      skywalking:
+        service: tracing.istio-system.svc.cluster.local
+        port: 11800
+    - name: otel-tracing
+      opentelemetry:
+        port: 4317
+        service: opentelemetry-collector.observability.svc.cluster.local
+
+cni:
+  resources:
+    requests:
+      cpu: 10m
+      memory: 40Mi
+
+ztunnel:
+  resources:
+    requests:
+      cpu: 10m
+      memory: 40Mi
+
+global:
+  proxy:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+  waypoint:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+
+pilot:
+  autoscaleEnabled: false
+  traceSampling: 100
+  resources:
+    requests:
+      cpu: 10m
+      memory: 100Mi
+
+gateways:
+  istio-egressgateway:
+    autoscaleEnabled: false
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+  istio-ingressgateway:
+    autoscaleEnabled: false
+    ports:
+    ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces.
+    # Note that AWS ELB will by default perform health checks on the first port
+    # on this list. Setting this to the health check port will ensure that health
+    # checks always work. https://github.com/istio/istio/issues/12503
+    - port: 15021
+      targetPort: 15021
+      name: status-port
+    - port: 80
+      targetPort: 8080
+      name: http2
+    - port: 443
+      targetPort: 8443
+      name: https
+    - port: 31400
+      targetPort: 31400
+      name: tcp
+      # This is the port where sni routing happens
+    - port: 15443
+      targetPort: 15443
+      name: tls
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi

charts/gateway/gateway/charts/gateway/files/profile-platform-k3d.yaml

@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+  cniBinDir: /bin

charts/gateway/gateway/charts/gateway/files/profile-platform-k3s.yaml

@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+  cniBinDir: /var/lib/rancher/k3s/data/current/bin/

charts/gateway/gateway/charts/gateway/files/profile-platform-microk8s.yaml

@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/snap/microk8s/current/args/cni-network
+  cniBinDir: /var/snap/microk8s/current/opt/cni/bin

charts/gateway/gateway/charts/gateway/files/profile-platform-minikube.yaml

@@ -0,0 +1,6 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniNetnsDir: /var/run/docker/netns

charts/gateway/gateway/charts/gateway/files/profile-platform-openshift.yaml

@@ -0,0 +1,19 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The OpenShift profile provides a basic set of settings to run Istio on OpenShift
+cni:
+  cniBinDir: /var/lib/cni/bin
+  cniConfDir: /etc/cni/multus/net.d
+  chained: false
+  cniConfFileName: "istio-cni.conf"
+  provider: "multus"
+pilot:
+  cni:
+    enabled: true
+    provider: "multus"
+seLinuxOptions:
+  type: spc_t
+# Openshift requires privileged pods to run in kube-system
+trustedZtunnelNamespace: "kube-system"

charts/gateway/gateway/charts/gateway/files/profile-preview.yaml

@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The preview profile contains features that are experimental.
+# This is intended to explore new features coming to Istio.
+# Stability, security, and performance are not guaranteed - use at your own risk.
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      # Enable Istio agent to handle DNS requests for known hosts
+      # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf
+      ISTIO_META_DNS_CAPTURE: "true"

charts/gateway/gateway/charts/gateway/files/profile-remote.yaml

@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile.
+istiodRemote:
+  enabled: true
+configMap: false
+telemetry:
+  enabled: false
+global:
+  # TODO BML maybe a different profile for a configcluster/revisit this
+  omitSidecarInjectorConfigMap: true

charts/gateway/gateway/charts/gateway/files/profile-stable.yaml

@@ -0,0 +1,8 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The stable profile deploys admission control to ensure that only stable resources and fields are used
+# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE
+experimental:
+  stableValidationPolicy: true

charts/gateway/gateway/charts/gateway/templates/NOTES.txt

@@ -1,8 +1,8 @@
 "{{ include "gateway.name" . }}" successfully installed!
 
 To learn more about the release, try:
-  $ helm status {{ .Release.Name }}
-  $ helm get all {{ .Release.Name }}
+  $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }}
+  $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }}
 
 Next steps:
   * Deploy an HTTP Gateway: https://istio.io/latest/docs/tasks/traffic-management/ingress/ingress-control/