Automator: merge upstream changes to openshift-service-mesh/istio@master

manifests/charts/istio-control/istio-discovery/files/kube-gateway.yaml

@@ -343,3 +343,51 @@ spec:
   {{- end }}
   type: {{ .ServiceType | quote }}
 ---
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+  name: {{.DeploymentName | quote}}
+  namespace: {{.Namespace | quote}}
+  annotations:
+    {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }}
+  labels:
+    {{- toJsonMap
+          .InfrastructureLabels
+          (strdict
+          "gateway.networking.k8s.io/gateway-name" .Name
+          ) | nindent 4 }}
+  ownerReferences:
+    - apiVersion: gateway.networking.k8s.io/v1beta1
+      kind: Gateway
+      name: {{.Name}}
+      uid: "{{.UID}}"
+spec:
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name:  {{.DeploymentName | quote}}
+  maxReplicas: 1
+---
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: {{.DeploymentName | quote}}
+  namespace: {{.Namespace | quote}}
+  annotations:
+    {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }}
+  labels:
+    {{- toJsonMap
+          .InfrastructureLabels
+          (strdict
+          "gateway.networking.k8s.io/gateway-name" .Name
+          ) | nindent 4 }}
+  ownerReferences:
+    - apiVersion: gateway.networking.k8s.io/v1beta1
+      kind: Gateway
+      name: {{.Name}}
+      uid: "{{.UID}}"
+spec:
+  selector:
+    matchLabels:
+      gateway.networking.k8s.io/gateway-name: {{.Name|quote}}
+

manifests/charts/istio-control/istio-discovery/files/waypoint.yaml

@@ -338,3 +338,51 @@ spec:
   {{- end }}
   type: {{ .ServiceType | quote }}
 ---
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+  name: {{.DeploymentName | quote}}
+  namespace: {{.Namespace | quote}}
+  annotations:
+    {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }}
+  labels:
+    {{- toJsonMap
+          .InfrastructureLabels
+          (strdict
+          "gateway.networking.k8s.io/gateway-name" .Name
+          ) | nindent 4 }}
+  ownerReferences:
+    - apiVersion: gateway.networking.k8s.io/v1beta1
+      kind: Gateway
+      name: {{.Name}}
+      uid: "{{.UID}}"
+spec:
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name:  {{.DeploymentName | quote}}
+  maxReplicas: 1
+---
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: {{.DeploymentName | quote}}
+  namespace: {{.Namespace | quote}}
+  annotations:
+    {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }}
+  labels:
+    {{- toJsonMap
+          .InfrastructureLabels
+          (strdict
+          "gateway.networking.k8s.io/gateway-name" .Name
+          ) | nindent 4 }}
+  ownerReferences:
+    - apiVersion: gateway.networking.k8s.io/v1beta1
+      kind: Gateway
+      name: {{.Name}}
+      uid: "{{.UID}}"
+spec:
+  selector:
+    matchLabels:
+      gateway.networking.k8s.io/gateway-name: {{.Name|quote}}
+

manifests/charts/istio-control/istio-discovery/templates/clusterrole.yaml

@@ -177,6 +177,12 @@ rules:
   - apiGroups: ["apps"]
     verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
     resources: [ "deployments" ]
+  - apiGroups: ["autoscaling"]
+    verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+    resources: [ "horizontalpodautoscalers" ]
+  - apiGroups: ["policy"]
+    verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+    resources: [ "poddisruptionbudgets" ]
   - apiGroups: [""]
     verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
     resources: [ "services" ]

manifests/charts/istio-control/istio-discovery/templates/gateway-class-configmap.yaml

@@ -0,0 +1,21 @@
+{{ range $key, $value := .Values.gatewayClasses }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: istio-{{ $.Values.revision | default "default"  }}-gatewayclass-{{$key}}
+  namespace: {{ $.Release.Namespace }}
+  labels:
+    istio.io/rev: {{ $.Values.revision | default "default" | quote }}
+    install.operator.istio.io/owning-resource: {{ $.Values.ownerName | default "unknown" }}
+    operator.istio.io/component: "Pilot"
+    release: {{ $.Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    gateway.istio.io/defaults-for-class: {{$key|quote}}
+    {{- include "istio.labels" $ | nindent 4 }}
+data:
+{{ range $kind, $overlay := $value }}
+  {{$kind}}: |
+{{$overlay|toYaml|trim|indent 4}}
+{{ end }}
+---
+{{ end }}

manifests/charts/istio-control/istio-discovery/values.yaml

@@ -539,3 +539,13 @@ _internal_defaults_do_not_set:
 
     # Set to `type: RuntimeDefault` to use the default profile for templated gateways, if your container runtime supports it
     seccompProfile: {}
+
+  # gatewayClasses allows customizing the configuration of the default deployment of Gateways per GatewayClass.
+  # For example:
+  # gatewayClasses:
+  #   istio:
+  #     service:
+  #       spec:
+  #         type: ClusterIP
+  # Per-Gateway configuration can also be set in the `Gateway.spec.infrastructure.parametersRef` field.
+  gatewayClasses: {}

operator/pkg/apis/values_types.proto

@@ -1412,6 +1412,9 @@ message Values {
 
   // Specifies experimental helm fields that could be removed or changed in the future
   ExperimentalConfig experimental = 44;
+
+  // Configuration for Gateway Classes
+  google.protobuf.Value gatewayClasses = 45;
 }
 
 // ZeroVPNConfig enables cross-cluster access using SNI matching.

pilot/pkg/bootstrap/configcontroller.go

@@ -193,7 +193,7 @@ func (s *Server) initK8SConfigStore(args *PilotArgs) error {
 						if s.kubeClient.CrdWatcher().WaitForCRD(gvr.KubernetesGateway, leaderStop) {
 							tagWatcher := revisions.NewTagWatcher(s.kubeClient, args.Revision)
 							controller := gateway.NewDeploymentController(s.kubeClient, s.clusterID, s.environment,
-								s.webhookInfo.getWebhookConfig, s.webhookInfo.addHandler, tagWatcher, args.Revision)
+								s.webhookInfo.getWebhookConfig, s.webhookInfo.addHandler, tagWatcher, args.Revision, args.Namespace)
 							// Start informers again. This fixes the case where informers for namespace do not start,
 							// as we create them only after acquiring the leader lock
 							// Note: stop here should be the overall pilot stop, NOT the leader election stop. We are

pilot/pkg/bootstrap/server.go

@@ -153,7 +153,8 @@ type Server struct {
 	RA       ra.RegistrationAuthority
 	caServer *caserver.Server
 
-	// TrustAnchors for workload to workload mTLS
+	// TrustAnchors for workload to workload mTLS and proxy to istiod TLS
+	// Only initiated when `ISTIO_MULTIROOT_MESH` = true
 	workloadTrustBundle *tb.TrustBundle
 	certMu              sync.RWMutex
 	istiodCert          *tls.Certificate
@@ -298,9 +299,11 @@ func NewServer(args *PilotArgs, initFuncs ...func(*Server)) (*Server, error) {
 		return nil, err
 	}
 
-	// Initialize trust bundle after mesh config which it depends on
-	s.workloadTrustBundle = tb.NewTrustBundle(nil, e.Watcher)
-	e.TrustBundle = s.workloadTrustBundle
+	if features.MultiRootMesh {
+		// Initialize trust bundle after mesh config which it depends on
+		s.workloadTrustBundle = tb.NewTrustBundle(nil, e.Watcher)
+		e.TrustBundle = s.workloadTrustBundle
+	}
 
 	// Options based on the current 'defaults' in istio.
 	caOpts := &caOptions{