Automator: merge upstream changes to openshift-service-mesh/istio@master

* upstream/master:
  Bug Fix - Add Handling of `GatewayClass` to `WaypointPolicyStatusCollection` (#55667)
  samples: update open-telemetry (#55672)
  add retry backoff support in gateway (#55659)
  Automator: update proxy@master in istio/istio@master (#55666)
  fix unknown annotation sidecar.istio.io/statsCompression (#55657)
  sample: update metallb for kind-lb (#55653)

Author: openshift-service-mesh-bot

go.mod

@@ -94,7 +94,7 @@ require (
 	gopkg.in/yaml.v2 v2.4.0
 	gopkg.in/yaml.v3 v3.0.1
 	helm.sh/helm/v3 v3.17.1
-	istio.io/api v1.25.0-alpha.0.0.20250320073341-81bc1902f4b3
+	istio.io/api v1.25.0-alpha.0.0.20250321002943-e41c1d8a2a3e
 	istio.io/client-go v1.25.0-alpha.0.0.20250320073741-e8b65a187b3a
 	k8s.io/api v0.32.3
 	k8s.io/apiextensions-apiserver v0.32.3

go.sum

@@ -643,8 +643,8 @@ helm.sh/helm/v3 v3.17.1 h1:gzVoAD+qVuoJU6KDMSAeo0xRJ6N1znRxz3wyuXRmJDk=
 helm.sh/helm/v3 v3.17.1/go.mod h1:nvreuhuR+j78NkQcLC3TYoprCKStLyw5P4T7E5itv2w=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
-istio.io/api v1.25.0-alpha.0.0.20250320073341-81bc1902f4b3 h1:xK5cnBL7JwNi2J3Ib+3mjwg58rrxV+UZZxXC6a+EbqY=
-istio.io/api v1.25.0-alpha.0.0.20250320073341-81bc1902f4b3/go.mod h1:QFzEXv/IT582T0FHZVp1QoolvE4ws0zz/vVO55blmlE=
+istio.io/api v1.25.0-alpha.0.0.20250321002943-e41c1d8a2a3e h1:DrzGSeOMnGdhY4bu8NI70NTjaMpPjQ18qC1Qf64ieDQ=
+istio.io/api v1.25.0-alpha.0.0.20250321002943-e41c1d8a2a3e/go.mod h1:QFzEXv/IT582T0FHZVp1QoolvE4ws0zz/vVO55blmlE=
 istio.io/client-go v1.25.0-alpha.0.0.20250320073741-e8b65a187b3a h1:LFB0Tn1NTjdZVG2mgAQRklVZgKmEO0ABE7wO7k8eFCg=
 istio.io/client-go v1.25.0-alpha.0.0.20250320073741-e8b65a187b3a/go.mod h1:pti0wgffDXhlnCKKKXnMbE1HiAHH1I/q3dxk/Mar68w=
 k8s.io/api v0.32.3 h1:Hw7KqxRusq+6QSplE3NYG4MBxZw1BZnq4aP4cJVINls=

istio.deps

@@ -4,7 +4,7 @@
     "name": "PROXY_REPO_SHA",
     "repoName": "proxy",
     "file": "",
-    "lastStableSHA": "dfae03070b07b43465e834c61a4642b13ba180bb"
+    "lastStableSHA": "147cc9af7be04d55b0c9d9177c6de6bfdec9d655"
   },
   {
     "_comment": "",

pilot/pkg/config/kube/gateway/conversion.go

@@ -295,7 +295,10 @@ func convertHTTPRoute(r k8s.HTTPRouteRule, ctx configContext,
 			// Invalid to set this when there are no attempts
 			vs.Retries.RetryOn = ""
 		}
-		// Istio does not currently implement the Backoff field due to lack of support in VirtualService
+		if r.Retry.Backoff != nil {
+			retrybackOff, _ := time.ParseDuration(string(*r.Retry.Backoff))
+			vs.Retries.Backoff = durationpb.New(retrybackOff)
+		}
 	}
 
 	if r.Timeouts != nil {

pilot/pkg/config/kube/gateway/testdata/http.yaml

@@ -295,6 +295,7 @@ spec:
           port: 80
       retry:
         attempts: 3
+        backoff: 3ms
         codes:
         - 503
         - 429

pilot/pkg/config/kube/gateway/testdata/http.yaml.golden

@@ -116,6 +116,7 @@ spec:
     name: default.http-retry-request.0
     retries:
       attempts: 3
+      backoff: 0.003s
       retryOn: connect-failure,refused-stream,unavailable,cancelled,503,429
     route:
     - destination:

pilot/pkg/serviceregistry/kube/controller/ambient/ambientindex.go

@@ -221,6 +221,7 @@ func New(options Options) Index {
 			Waypoints,
 			Services,
 			ServiceEntries,
+			GatewayClasses,
 			Namespaces,
 			opts,
 		)

pilot/pkg/serviceregistry/kube/controller/ambient/authorization_test.go

@@ -16,6 +16,7 @@ package ambient
 
 import (
 	"context"
+	"fmt"
 	"testing"
 	"time"
 
@@ -231,6 +232,9 @@ func TestWaypointPolicyStatusCollection(t *testing.T) {
 	clientSe := kclient.New[*networkingclient.ServiceEntry](c)
 	seCol := krt.WrapClient(clientSe, opts.WithName("seCol")...)
 
+	clientGwClass := kclient.New[*gtwapiv1beta1.GatewayClass](c)
+	gwClassCol := krt.WrapClient(clientGwClass, opts.WithName("gwClassCol")...)
+
 	clientNs := kclient.New[*v1.Namespace](c)
 	nsCol := krt.WrapClient(clientNs, opts.WithName("nsCol")...)
 
@@ -261,7 +265,7 @@ func TestWaypointPolicyStatusCollection(t *testing.T) {
 		}
 	}, opts.WithName("waypoint")...)
 
-	wpsCollection := WaypointPolicyStatusCollection(authzPolCol, waypointCol, svcCol, seCol, nsCol, opts)
+	wpsCollection := WaypointPolicyStatusCollection(authzPolCol, waypointCol, svcCol, seCol, gwClassCol, nsCol, opts)
 	c.RunAndWait(ctx.Done())
 
 	_, err := clientNs.Create(&v1.Namespace{
@@ -981,6 +985,123 @@ func TestWaypointPolicyStatusCollection(t *testing.T) {
 				},
 			},
 		},
+		{
+			testName: "single-bind-gateway-class",
+			gatewayClasses: []gtwapiv1beta1.GatewayClass{
+				{
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "istio-waypoint",
+					},
+					Spec: gtwapiv1beta1.GatewayClassSpec{
+						ControllerName: constants.ManagedGatewayMeshController,
+					},
+				},
+			},
+			policy: securityclient.AuthorizationPolicy{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:       "single-gateway-class-pol",
+					Namespace:  "istio-system",
+					Generation: 1,
+				},
+				Spec: v1beta1.AuthorizationPolicy{
+					TargetRefs: []*apiv1beta1.PolicyTargetReference{
+						{
+							Group: gvk.GatewayClass.Group,
+							Kind:  gvk.GatewayClass.Kind,
+							Name:  "istio-waypoint",
+						},
+					},
+					Rules:  []*v1beta1.Rule{},
+					Action: 0,
+				},
+			},
+			expect: []model.PolicyBindingStatus{
+				{
+					Ancestor: "GatewayClass.gateway.networking.k8s.io:istio-system/istio-waypoint",
+					Status: &model.StatusMessage{
+						Reason:  model.WaypointPolicyReasonAccepted,
+						Message: "bound to istio-waypoint",
+					},
+					Bound:              true,
+					ObservedGeneration: 1,
+				},
+			},
+		},
+		{
+			testName:       "nonexistent-gateway-class",
+			gatewayClasses: []gtwapiv1beta1.GatewayClass{},
+			policy: securityclient.AuthorizationPolicy{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:       "single-no-gateway-class-pol",
+					Namespace:  "istio-system",
+					Generation: 1,
+				},
+				Spec: v1beta1.AuthorizationPolicy{
+					TargetRefs: []*apiv1beta1.PolicyTargetReference{
+						{
+							Group: gvk.GatewayClass.Group,
+							Kind:  gvk.GatewayClass.Kind,
+							Name:  "nonexistent-gateway-class",
+						},
+					},
+					Rules:  []*v1beta1.Rule{},
+					Action: 0,
+				},
+			},
+			expect: []model.PolicyBindingStatus{
+				{
+					Ancestor: "GatewayClass.gateway.networking.k8s.io:istio-system/nonexistent-gateway-class",
+					Status: &model.StatusMessage{
+						Reason:  model.WaypointPolicyReasonTargetNotFound,
+						Message: "not bound",
+					},
+					Bound:              false,
+					ObservedGeneration: 1,
+				},
+			},
+		},
+		{
+			testName: "non-waypoint-gateway-class",
+			gatewayClasses: []gtwapiv1beta1.GatewayClass{
+				{
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "not-for-waypoint",
+					},
+					Spec: gtwapiv1beta1.GatewayClassSpec{
+						ControllerName: "random-controller",
+					},
+				},
+			},
+			policy: securityclient.AuthorizationPolicy{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:       "non-waypoint-gateway-class-pol",
+					Namespace:  "istio-system",
+					Generation: 1,
+				},
+				Spec: v1beta1.AuthorizationPolicy{
+					TargetRefs: []*apiv1beta1.PolicyTargetReference{
+						{
+							Group: gvk.GatewayClass.Group,
+							Kind:  gvk.GatewayClass.Kind,
+							Name:  "not-for-waypoint",
+						},
+					},
+					Rules:  []*v1beta1.Rule{},
+					Action: 0,
+				},
+			},
+			expect: []model.PolicyBindingStatus{
+				{
+					Ancestor: "GatewayClass.gateway.networking.k8s.io:istio-system/not-for-waypoint",
+					Status: &model.StatusMessage{
+						Reason:  model.WaypointPolicyReasonInvalid,
+						Message: fmt.Sprintf("GatewayClass must use controller name `%s` for waypoints", constants.ManagedGatewayMeshController),
+					},
+					Bound:              false,
+					ObservedGeneration: 1,
+				},
+			},
+		},
 	}
 
 	// these nolint are to suppress findings regarding copying the mutex contained within our service entry proto fields
@@ -999,6 +1120,11 @@ func TestWaypointPolicyStatusCollection(t *testing.T) {
 				assert.NoError(t, err)
 			}
 
+			for _, gwClass := range tc.gatewayClasses {
+				_, err := clientGwClass.Create(&gwClass)
+				assert.NoError(t, err)
+			}
+
 			_, err := clientAuthzPol.Create(&tc.policy)
 			assert.NoError(t, err)
 
@@ -1017,6 +1143,7 @@ type TestWaypointPolicyStatusCollectionTestCase struct {
 	testName       string
 	serviceEntries []networkingclient.ServiceEntry
 	services       []v1.Service
+	gatewayClasses []gtwapiv1beta1.GatewayClass
 	policy         securityclient.AuthorizationPolicy
 	expect         []model.PolicyBindingStatus
 }

pilot/pkg/serviceregistry/kube/controller/ambient/policies.go

@@ -20,13 +20,16 @@ import (
 	"strings"
 
 	corev1 "k8s.io/api/core/v1"
+	"sigs.k8s.io/gateway-api/apis/v1beta1"
 
 	networkingclient "istio.io/client-go/pkg/apis/networking/v1"
 	securityclient "istio.io/client-go/pkg/apis/security/v1"
 	"istio.io/istio/pilot/pkg/model"
+	"istio.io/istio/pkg/config/constants"
 	"istio.io/istio/pkg/config/schema/gvk"
 	"istio.io/istio/pkg/kube/krt"
 	"istio.io/istio/pkg/log"
+	"istio.io/istio/pkg/ptr"
 	"istio.io/istio/pkg/slices"
 	"istio.io/istio/pkg/spiffe"
 	"istio.io/istio/pkg/workloadapi/security"
@@ -37,6 +40,7 @@ func WaypointPolicyStatusCollection(
 	waypoints krt.Collection[Waypoint],
 	services krt.Collection[*corev1.Service],
 	serviceEntries krt.Collection[*networkingclient.ServiceEntry],
+	gatewayClasses krt.Collection[*v1beta1.GatewayClass],
 	namespaces krt.Collection[*corev1.Namespace],
 	opts krt.OptionsBuilder,
 ) krt.Collection[model.WaypointPolicyStatus] {
@@ -59,6 +63,21 @@ func WaypointPolicyStatusCollection(
 				reason := "unknown"
 				bound := false
 				switch target.GetKind() {
+				case gvk.GatewayClass_v1.Kind:
+					fetchedGatewayClass := ptr.Flatten(krt.FetchOne(ctx, gatewayClasses, krt.FilterKey(target.GetName())))
+					if fetchedGatewayClass == nil {
+						reason = model.WaypointPolicyReasonTargetNotFound
+					} else {
+						// verify GatewayClass is for waypoint
+						if fetchedGatewayClass.Spec.ControllerName != constants.ManagedGatewayMeshController {
+							reason = model.WaypointPolicyReasonInvalid
+							message = fmt.Sprintf("GatewayClass must use controller name `%s` for waypoints", constants.ManagedGatewayMeshController)
+						} else {
+							bound = true
+							reason = model.WaypointPolicyReasonAccepted
+							message = fmt.Sprintf("bound to %s", fetchedGatewayClass.GetName())
+						}
+					}
 				case gvk.KubernetesGateway.Kind:
 					fetchedWaypoints := krt.Fetch(ctx, waypoints, krt.FilterKey(key))
 					if len(fetchedWaypoints) == 1 {

pkg/bootstrap/config.go

@@ -301,8 +301,8 @@ func getStatsOptions(meta *model.BootstrapNodeMetadata) []option.Instance {
 	}
 
 	var compression string
-	// TODO: move annotation to api repo
-	if statsCompression, ok := meta.Annotations["sidecar.istio.io/statsCompression"]; ok && envoyWellKnownCompressorLibrary.Contains(statsCompression) {
+	if statsCompression, ok := meta.Annotations[annotation.SidecarStatsCompression.Name]; ok &&
+		envoyWellKnownCompressorLibrary.Contains(statsCompression) {
 		compression = statsCompression
 	}
 

releasenotes/notes/52082.yaml

@@ -0,0 +1,8 @@
+apiVersion: release-notes/v2
+kind: feature
+area: istioctl
+issue:
+  - 52082
+releaseNotes:
+  - |
+    **Fixed** an issue that istioctl analyze report unknown annotation `sidecar.istio.io/statsCompression`.

releasenotes/notes/ap-gateway-class-status.yml

@@ -0,0 +1,6 @@
+apiVersion: release-notes/v2
+kind: bug-fix
+area: traffic-management
+releaseNotes:
+- |
+  **Fixed** an issue where `AuthorizationPolicy`'s WaypointAccepted status condition was not being updated to reflect the resolution of a `GatewayClass` target reference.

samples/kind-lb/setupkind.sh

@@ -183,8 +183,8 @@ fi
 # Setup cluster context
 kubectl cluster-info --context "kind-${CLUSTERNAME}"
 
-# Setup metallb using v0.13.11
-kubectl apply -f https://raw.githubusercontent.com/metallb/metallb/v0.13.11/config/manifests/metallb-native.yaml
+# Setup metallb using v0.14.9
+kubectl apply -f https://raw.githubusercontent.com/metallb/metallb/v0.14.9/config/manifests/metallb-native.yaml
 
 addrName="IPAddress"
 ipv4Prefix=""
@@ -223,7 +223,7 @@ function waitForPods() {
   ns=$1
   lb=$2
   waittime=$3
-  # Wait for the pods to be ready in the given namespace with lable
+  # Wait for the pods to be ready in the given namespace with label
   while : ; do
     res=$(kubectl wait --context "kind-${CLUSTERNAME}" -n "${ns}" pod \
       -l "${lb}" --for=condition=Ready --timeout="${waittime}s" 2>/dev/null ||true)

samples/open-telemetry/otel.yaml

@@ -12,42 +12,38 @@ data:
       otlp:
         protocols:
           grpc:
+            endpoint: 0.0.0.0:4317
           http:
+            endpoint: 0.0.0.0:4318
     processors:
       batch:
     exporters:
       zipkin:
         # Export to zipkin for easy querying
         endpoint: http://zipkin.istio-system.svc:9411/api/v2/spans
-      logging:
-        loglevel: debug
-      jaeger:
-        endpoint: jaeger-collector.istio-system.svc.cluster.local:14250
-        tls:
-          insecure: true
-        sending_queue:
-          enabled: true
-        retry_on_failure:
-          enabled: true
+      debug:
+        verbosity: detailed
     extensions:
       health_check:
-        port: 13133
+      pprof:
+      zpages:
     service:
       extensions:
       - health_check
+      - pprof
+      - zpages
       pipelines:
         logs:
           receivers: [otlp]
           processors: [batch]
-          exporters: [logging]
+          exporters: [debug]
         traces:
           receivers:
           - otlp
           - opencensus
           exporters:
           - zipkin
-          - logging
-          - jaeger
+          - debug
 ---
 apiVersion: v1
 kind: Service
@@ -106,7 +102,7 @@ spec:
                 fieldRef:
                   apiVersion: v1
                   fieldPath: metadata.namespace
-          image: otel/opentelemetry-collector:0.54.0
+          image: otel/opentelemetry-collector:0.122.1
           imagePullPolicy: IfNotPresent
           name: opentelemetry-collector
           ports: