File istioctl.changes of Package istioctl
-------------------------------------------------------------------
Sat Sep 14 14:01:00 UTC 2024 - Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 1.23.1:
https://istio.io/latest/news/releases/1.23.x/announcing-1.23.1/
no istioctl-related changes mentioned in the changelog
-------------------------------------------------------------------
Fri Aug 16 18:31:00 UTC 2024 - Johannes Kastl <opensuse_buildservice@ojkastl.de>
- major update to 1.23.0:
https://istio.io/latest/news/releases/1.23.x/announcing-1.23/
istioctl-related changes:
* The istioctl proxy-status command was improved to include the
time since last change, and more relevant status values.
-------------------------------------------------------------------
Wed Jul 17 06:17:45 UTC 2024 - Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 1.22.3:
* Updated Go version to include security fixes for the net/http
package related to CVE-2024-24791
* Updated Envoy version to include security fixes related to
CVE-2024-39305
* Fixed a bug where router’s merged gateway was not immediately
recomputed when a service was created or updated. (Issue #51726
* Fixed inconsistent behavior with the
istio_agent_cert_expiry_seconds metric.
* Removed sorting of JSON access logs pending Envoy fix.
-------------------------------------------------------------------
Wed Jul 3 19:03:11 UTC 2024 - Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 1.22.2:
https://istio.io/latest/news/releases/1.22.x/announcing-1.22.2/
This release implements the security updates described in our
27th of June post, ISTIO-SECURITY-2024-005 along with bug fixes
to improve robustness.
https://istio.io/latest/news/security/istio-security-2024-005/
* Improved waypoint proxies to no longer run as root.
* Added gateways.securityContext to manifests to provide an
option to customize the gateway securityContext. (Issue #49549)
* Added a new option in ztunnel to completely disable IPv6, to
enable running on kernels with IPv6 disabled.
* Fixed an issue where istioctl analyze returned IST0162 false
positives. (Issue #51257)
* Fixed ENABLE_ENHANCED_RESOURCE_SCOPING not being part of helm
compatibility profiles for Istio 1.20/1.21. (Issue #51399)
* Fixed Kubernetes job pod IPs may not be fully unenrolled from
ambient despite being in a terminated state.
* Fixed false positives in IST0128 and IST0129 when
credentialName and workloadSelector were set. (Issue #51567)
* Fixed an issue where JWKS fetched from URIs were not updated
promptly when there are errors fetching other URIs. (Issue
#51636)
* Fixed an issue causing workloadSelector policies to apply to
the wrong namespace in ztunnel. (Issue #51556)
* Fixed a bug causing discoverySelectors to accidentally filter
out all GatewayClasses.
* Fixed certificate chains parsing avoid unnecessary parsing
errors by trimming unnecessary intermediate certificates.
* Fixed a bug in ambient mode causing requests at the start of a
Pod lifetime to be rejected with unknown source.
* Fixed an issue in ztunnel where some expected connection
terminations were reported as errors.
* Fixed an issue in ztunnel when connecting to a service with a
targetPort that exists only on a subset of pods.
* Fixed an issue when deleting a ServiceEntry when there are
duplicate hostnames across multiple ServiceEntries.
* Fixed an issue where ztunnel would send directly to pods when
connecting to a LoadBalancer IP, instead of going through the
LoadBalancer.
* Fixed an issue where ztunnel would send traffic to terminating
pods.
-------------------------------------------------------------------
Wed Jun 5 05:53:19 UTC 2024 - Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 1.22.1:
https://istio.io/latest/news/releases/1.22.x/announcing-1.22.1/
* Added a new, optional experimental admission policy that only
allows stable features/fields to be used in Istio APIs when
using a remote Istiod cluster. (Issue #173)
* Fixed adding of pod IPs to the host’s ipset to explicitly fail
instead of silently overwriting.
* Fixed an issue causing outboundstatname in MeshConfig to not be
honored for subset clusters.
* Fixed custom injection of the istio-proxy container not working
properly when SecurityContext.RunAs fields were set.
* Fixed returning 503 errors by auto-passthrough gateways created
after enabling mTLS.
* Fixed serviceRegistry orders influence the proxy labels, so we
put the Kubernetes registry in front. (Issue #50968)
-------------------------------------------------------------------
Tue May 14 05:39:32 UTC 2024 - Johannes Kastl <opensuse_buildservice@ojkastl.de>
- major upgrade to 1.22.0:
https://istio.io/latest/news/releases/1.22.x/announcing-1.22/
https://istio.io/latest/news/releases/1.22.x/announcing-1.22/change-notes/
* Added the istioctl proxy-stauts command, which is the promoted
istioctl experimental proxy-status command. The old istioctl
proxy-status command has been removed. This promotion should
not result in any loss of functionality. However, the request
is now sent based on xDS instead of HTTP, and we have
introduced a set of new xDS-based flags to target the control
plane.
* Added support for multi-cluster analysis in istioctl analyze
command when there are remote cluster secrets set up through
Install Multicluster.
* Added a new istioctl dashboard proxy command, which can be used
to show the admin UI of different proxy pods, for example:
Envoy, ztunnel, and waypoint.
* Added the --proxy option to istioctl experimental wait command.
(Issue #48696)
* Added namespace filtering to istioctl proxy-config workload
command using the --workloads-namespace flag to display
workloads in the specified namespace.
* Added the istioctl dashboard istio-debug command to display the
Istio debug endpoints dashboard.
* Added the istioctl experimental describe command to support
displaying the details of policies for PortLevelSettings.
(Issue #49802)
* Added ability to define the traffic address type (service,
workload, all or none) for waypoints via the --for flag when
using the istioctl experimental waypoint apply command. (Issue
#49896)
* Added the ability to name waypoints through istioctl via the
--name flag on the waypoint command. (Issue #49915), (Issue
#50173)
* Removed the ability to specify a service account for the
waypoint by deleting the --service-account flag on the waypoint
command. (Issue #49915), (Issue #50173)
* Added the ability to enroll a waypoint proxy in the waypoint’s
namespace through istioctl via the --enroll-namespace flag on
the waypoint command. (Issue #50248)
* Added the istioctl ztunnel-config command. This allow users to
view ztunnel configuration information via the istioctl
ztunnel-config workload command. (Issue #49841)
* Removed the workload flag from proxy-config command. Use
istioctl ztunnel-config workload command to view ztunnel
configuration information instead. (Issue #49841)
* Added a warning when using istioctl experimental waypoint apply
--enroll-namespace and the namespace is not labeled for ambient
redirection. (Issue #50396)
* Added the --for flag to istioctl experimental waypoint generate
command so that the user can preview the YAML before they apply
it. (Issue #50790)
* Added an experimental OpenShift Kubernetes platform profile to
istioctl. To install with the OpenShift profile, use istioctl
install --set profile=openshift. See OpenShift Platform Setup
and Install OpenShift using istioctl documents for more
information.
* Added the flag --proxy-admin-port to the command istioctl
experimental envoy-stats to set a custom proxy admin port.
* Fixed an issue where the istioctl experimental proxy-status
<pod> compare command was not working due to unknown configs.
* Fixed the istioctl describe command not displaying Ingress
information under non istio-system namespaces. (Issue #50074)
-------------------------------------------------------------------
Tue Apr 23 07:59:03 UTC 2024 - Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 1.21.2:
This release implements the security updates described in our
22nd of April post, ISTIO-SECURITY-2024-003 along with bug fixes
to improve robustness.
https://istio.io/latest/news/security/istio-security-2024-003
* Added pprof endpoints to profile the CNI pod (on port 9867).
(Issue #49053)
* Improved CNI memory usage by avoiding keeping large files in
memory. (Issue #49053)
-------------------------------------------------------------------
Tue Apr 9 06:29:43 UTC 2024 - Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 1.21.1:
This release implements the security updates described in our 8th
of April post, ISTIO-SECURITY-2024-002 along with bug fixes to
improve robustness.
https://istio.io/latest/news/security/istio-security-2024-002/
* Fixed a bug where VirtualServices containing duplicate hosts
with different cases would cause routes to be rejected by
Envoy. (Issue #49368)
* Fixed an issue where commands relying on Envoy config dump
would not work due to the presence of ECDS config.
* Fixed an issue where telemetry EnvoyFilter resources were not
correctly pruned during the installation process. (Issue
#48126)
* Fixed an issue where pilot CPU consumption was abnormally high
when the in-cluster analysis was enabled. (Issue #49340)
* Fixed an issue where updating a ServiceEntry’s TargetPort would
not trigger an xDS push. (Issue #49878)
-------------------------------------------------------------------
Sat Mar 16 17:26:03 UTC 2024 - Johannes Kastl <opensuse_buildservice@ojkastl.de>
- major update to 1.21.0:
https://istio.io/latest/news/releases/1.21.x/announcing-1.21/
https://istio.io/latest/news/releases/1.21.x/announcing-1.21/change-notes/
istioctl-related changes:
* Improved injector list to exclude ambient namespaces.
* Improved bug-report performance by reducing the amount of calls
to the k8s API. The pod/node details included in the report
will look different, but contain the same information.
* Improved istioctl bug-report to sort gathered events by
creation date.
* Updated verify-install to not require a IstioOperator file,
since it is now removed from the installation process.
* Added support for deleting multiple waypoints at once via
istioctl experimental waypoint delete <waypoint1> <waypoint2>
....
* Added the --all flag to istioctl experimental waypoint delete
to delete all waypoint resources in a given namespace.
* Added an analyzer to warn users if they set the selector field
instead of the targetRef field for specific Istio resources,
which will cause the resource to be ineffective. (Issue #48273)
* Added message IST0167 to warn users that policies, such as
Sidecar, will have no impact when applied to ambient
namespaces. (Issue #48105)
* Added bootstrap summary to all config dumps’ summary.
* Added completion for Kubernetes pods for some commands that can
select pods, such as istioctl proxy-status <pod>.
* Added --wait option to the istioctl experimental waypoint apply
command. (Issue #46297)
* Added path_separated_prefix to the MATCH column in the output
of proxy-config routes command.
* Fixed an issue where sometimes control plane revisions and
proxy versions were not obtained in the bug report.
* Fixed an issue where istioctl tag list command didn’t accept
--output flag. (Issue #47696)
* Fixed an issue where the default namespace of Envoy and proxy
dashboard command was not set to the actual default namespace.
* Fixed an issue where the IST0158 message was incorrectly
reported when the imageType field was set to distroless in mesh
config. (Issue #47964)
* Fixed an issue where istioctl experimental version has no proxy
info shown.
* Fixed an issue where the IST0158 message was incorrectly
reported when the imageType field was set by the ProxyConfig
resource, or the resource annotation proxy.istio.io/config.
* Fixed an issue where proxy-config ecds didn’t show all of
EcdsConfigDump.
* Fixed injector list having duplicated namespaces shown for the
same injector hook.
* Fixed analyze not working correctly when analyzing files
containing resources that already exist in the cluster. (Issue
#44844)
* Fixed analyze where it was reporting errors for empty files.
(Issue #45653)
* Fixed an issue where the External Control Plane Analyzer was
not working in some remote control plane setups.
* Fixed an issue where istioctl precheck inaccurately reports the
IST0141 message related to resource permissions. (Issue #49379)
* Removed the --rps-limit flag for istioctl bug-report and added
the --rq-concurrency flag. The bug reporter will now limit
request concurrency instead of limiting request rate to the
Kube API.
-------------------------------------------------------------------
Sat Mar 16 17:07:28 UTC 2024 - Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 1.20.4:
https://istio.io/latest/news/releases/1.20.x/announcing-1.20.4/
* Added an environment variable COMPLIANCE_POLICY to Istio
components for enforcing TLS restriction for compliance with
FIPS. When set to fips-140-2 on the Istiod container, the Istio
Proxy container, and all other Istio components, the TLS
version is restricted to v1.2. The cipher suites are limited to
a subset of ECDHE-ECDSA-AES128-GCM-SHA256,
ECDHE-RSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES256-GCM-SHA384,
ECDHE-RSA-AES256-GCM-SHA384, and ECDH curves to P-256.
These restrictions apply on the following data paths:
- mTLS communication between Envoy proxies;
- regular TLS on the downstream and the upstream of Envoy
proxies (e.g. gateway);
- Google gRPC side requests from Envoy proxies (e.g.
Stackdriver extensions);
- Istiod xDS server;
- Istiod injection and validation webhook servers.
The restrictions are not applied on the following data paths:
- Istiod to Kubernetes API server;
- JWK fetch from Istiod;
- Wasm image and URL fetch from Istio Proxy containers;
- ztunnel.
Note that Istio injector will propagate the value of
COMPLIANCE_POLICY to the injected proxy container, when set.
(Issue #49081)
* Fixed an issue where the local client contained incorrect
entries in the local DNS name table. (Issue #47340)
* Fixed a bug that made PeerAuthentication too restrictive in
ambient mode.
* Fixed a bug where VirtualService containing wildcard hosts that
aren’t present in the service registry are ignored. (Issue
#49364)
* Fixed an issue where istioctl precheck inaccurately reports the
IST0141 message related to resource permissions. (Issue #49379)
* Fixed a bug for IPv6 only clusters that prevented
ServiceEntry-based listeners from having correct SNI matches.
(Issue #49476)
* Fixed a bug when there is more than one service with the same
host name within the same namespace, a STRICT_DNS cluster
without endpoints error could occur. (Issue #49489)
* Fixed an issue that when using a delegate in a VirtualService,
the effective VirtualService may not be consistent with
expectations due to a sorting error. (Issue #49539)
* Fixed a bug where specifying a URI regex .* match within a
VirtualService HTTP route did not short-circuit the subsequent
HTTP routes.
* Fixed an issue where Endpoint and Service in the istiod-remote
chart did not respect the revision value. (Issue #47552)
-------------------------------------------------------------------
Fri Feb 9 19:19:21 UTC 2024 - Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 1.20.3:
https://istio.io/latest/news/releases/1.20.x/announcing-1.20.3/
* Improved graceful termination abort logic when the Envoy
process terminates early. (Issue #36686)
* Fixed an issue where updating a service’s TargetPort does not
trigger an xDS push. (Issue #48580)
* Fixed an issue where in-cluster analysis was unnecessarily
performed when there’s no configuration change. (Issue #48665)
* Fixed an issue where the webhook generated with istioctl tag
set is unexpectedly removed by the installer. (Issue #47423)
* Fixed a bug that results in the incorrect generation of
configurations for pods without associated services, which
includes all services within the same namespace. This can
occasionally lead to conflicting inbound listeners error.
* Fixed a bug that made PeerAuthentication too restrictive in
ambient mode.
* Fixed an issue causing Istio CNI to stop functioning on
minimal/locked down nodes (such as no sh binary). The new logic
runs with no external dependencies, and will attempt to
continue if errors are encountered (which could be caused by
things like SELinux rules). In particular, this fixes running
Istio on Bottlerocket nodes. (Issue #48746)
-------------------------------------------------------------------
Wed Jan 10 19:23:07 UTC 2024 - Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 1.20.2:
https://istio.io/latest/news/releases/1.20.x/announcing-1.20.2/
* Changes
- Added configurable scaling behavior for Gateway
HorizontalPodAutoscaler in the helm chart. (usage)
- Fixed a bug where overlapping wildcard hosts in a
VirtualService produces incorrect routing configurations when
wildcard services were selected (e.g. in ServiceEntry).
(Issue #45415)
- Fixed an issue where Istio was performing additional XDS
pushes for StatefulSets and headless Service endpoints while
scaling. (Issue #48207)
- Fixed an issue where the Istio injection webhook may be
modified in dry-run mode. (Issue #48241)
- Fixed an issue if DestinationRule’s exportTo includes
workload’s current namespace (not ‘.’), other namespaces are
ignored from exportTo. (Issue #48349)
- Fixed an issue where the QUIC listeners were not correctly
created when dual-stack is enabled. (Issue #48336)
- Fixed an issue where istioctl proxy-config ecds didn’t
display all EcdsConfigDump.
- Fixed an issue where new endpoints may not be sent to
proxies. (Issue #48373)
- Fixed an issue where installing with Stackdriver and using
custom configurations would prevent Stackdriver from being
enabled.
- Fixed an issue where long-lived connections, TCP bytes and
gRPC, could result in a proxy memory leak.
-------------------------------------------------------------------
Tue Dec 12 21:41:43 UTC 2023 - kastl@b1-systems.de
- Update to version 1.20.1:
https://istio.io/latest/news/releases/1.20.x/announcing-1.20.1/
* Security update
- Changes to Istio CNI Permissions as described in
ISTIO-SECURITY-2023-005
* Changes
- Fixed an issue where the webhook generated by istioctl tag
set was unexpectedly being removed by the installer. (Issue
#47423)
- Fixed an issue where the istioctl tag list command did not
accept the --output flag. (Issue #47696)
- Fixed an issue where custom injection of the istio-proxy
container was not working on OpenShift, due to how OpenShift
sets the pod’s SecurityContext.RunAs field.
- Fixed an issue where VirtualService HTTP header present match
was not working when header-name: {} was set. (Issue #47341)
- Fixed multi-cluster leader election not being able to
prioritize local over remote leaders. (Issue #47901)
- Fixed a memory leak when hostNetwork pods scaled up and down.
(Issue #47893)
- Fixed a memory leak when WorkloadEntries changed their IP
address. (Issue #47893)
- Fixed a memory leak when a ServiceEntry was removed. (Issue
#47893)
- Improved istioctl bug-report performance by reducing the
number of calls to the Kubernetes API. The included pod/node
details in the report remain comprehensive but will be
presented differently.
- Removed the --rps-limit flag for istioctl bug-report and
added the --rq-concurrency flag. This change enables the bug
reporter to limit request concurrency rather than the request
rate to the Kubernetes API.
-------------------------------------------------------------------
Thu Nov 16 12:10:47 UTC 2023 - kastl@b1-systems.de
- Update to version 1.20.0:
https://istio.io/latest/news/releases/1.20.x/announcing-1.20/
* Deprecation Notices
- There are no new deprecations in Istio 1.20.0.
* Istioctl
- Added a new istioctl dashboard proxy command, which can be
used to show the admin UI of different proxy pods, like
Envoy, Ztunnel, Waypoint.
- Added an output format option for the istioctl experimental
pre-check command. Valid options are log, json or yaml.
- Added the --output-threshold flag in istioctl experimental
precheck to control the message output threshold. The default
threshold is now warning, which replaces the previous default
of info.
- Added support for auto-detecting the pilot’s monitoring port
if it is not set to the default value of 15014. (Issue
#46652)
- Added lazy loading for default namespace detection in
istioctl to avoid checking the kubeconfig for commands that
do not require a Kubernetes environment. (Issue #47159)
- Added support for setting loggers’ levels of istio-proxy in
the istioctl proxy-config log command with --level <level> or
--level level=<level>.
- Added an analyzer for showing warning messages about
incorrect/missing information related to Istio installations
using an External Control Plane. (Issue #47269)
- Added IST0162 GatewayPortNotDefinedOnService message to
detect an issue where a Gateway port was not exposed by
Service.
- Fixed istioctl operator remove command to not remove all
revisions of the operator controller when the revision is
“default” or not specified. (Issue #45242)
- Fixed an issue where verify-install had incorrect results
when installed deployments were not healthy.
- Fixed the istioctl experimental describe command to provide
correct Gateway information when using the injected gateway.
- Fixed an issue where istioctl analyze would analyze
irrelevant configmaps. (Issue #46563)
- Fixed istioctl analyze incorrectly showing an error when
ServiceEntry hosts are used in a VirtualService destination
across a namespace boundary. (Issue #46597)
- Fixed an issue where istioctl proxy-config failed to process
a config dump from a file if EDS endpoints were not provided.
(Issue #47505)
- Removed the istioctl experimental revision tag command, which
was graduated to istioctl tag.
-------------------------------------------------------------------
Tue Nov 14 11:14:52 UTC 2023 - kastl@b1-systems.de
- Update to version 1.19.4:
* Automator: update ztunnel@release-1.19 in
istio/istio@release-1.19 (#47794)
* Update deps for 1.19.4 (#47796)
* Automator: update proxy@release-1.19 in
istio/istio@release-1.19 (#47795)
* Automator: update proxy@release-1.19 in
istio/istio@release-1.19 (#47790)
* Automator: update istio/client-go@release-1.19 dependency in
istio/istio@release-1.19 (#47788)
* Automator: update common-files@release-1.19 in
istio/istio@release-1.19 (#47787)
* Update BASE_VERSION to 1.19-2023-11-06T19-02-47 (#47765)
* Fix header present match (#47704) (#47736)
* [release-1.19] Fix tag list output command not working (#47710)
* [release-1.19] Sidecar resources using defaultEndpoint can use
::1 in all cases (#47676)
* Automator: update proxy@release-1.19 in
istio/istio@release-1.19 (#47663)
* Automator: update proxy@release-1.19 in
istio/istio@release-1.19 (#47635)
* Automator: update proxy@release-1.19 in
istio/istio@release-1.19 (#47594)
* [release-1.19] fix multiple header matches in root vs (#47274)
* prevent running crdclient twice, this will cause
crdClient.queue stop… (#47399) (#47597)
* Fix traffic to terminating headless services (#47379) (#47589)
* Update BASE_VERSION to 1.19-2023-10-25T19-03-30 (#47586)
* [release-1.19] istioctl: allow file configdump missing eds for
`proxy-config` (#47554)
* Automator: update proxy@release-1.19 in
istio/istio@release-1.19 (#47570)
* Skip+Warn instead of NACK on invalid TLS gateway (#47560)
* Automator: update proxy@release-1.19 in
istio/istio@release-1.19 (#47557)
* Automator: update proxy@release-1.19 in
istio/istio@release-1.19 (#47542)
* reduce logging level to DEBUG when td don't match but
SkipValidateTrustDomain is enabled (#47528)
* Allow setting priorityClassName in Istio gateway helm chart
(#47460)
* 1.19: Bump iptables image to fix glibc (#47339) (#47497)
* Automator: update proxy@release-1.19 in
istio/istio@release-1.19 (#47485)
* Automator: update proxy@release-1.19 in
istio/istio@release-1.19 (#47452)
* [release-1.19] Fix multicluster secret filtering (#47438)
* Automator: update proxy@release-1.19 in
istio/istio@release-1.19 (#47421)
* [release-1.19] Gated feature flag to add a secondary outbound
bind for IPv6-only clusters (#47408)
* cni: 1.19 cherrypicks (#47392)
* Automator: update proxy@release-1.19 in
istio/istio@release-1.19 (#47387)
* Automator: update proxy@release-1.19 in
istio/istio@release-1.19 (#47365)
* Automator: update proxy@release-1.19 in
istio/istio@release-1.19 (#47363)
* [release-1.19] Clarify telemetry deployment namespace (#47360)
* Automator: update proxy@release-1.19 in
istio/istio@release-1.19 (#47345)
* Update BASE_VERSION to 1.19-2023-10-13T03-27-30 (#47343)
* # Adjust DNS Proxy CNAME wildcard response to be compatible
with glibc and musl (#47323)
* Automator: update proxy@release-1.19 in
istio/istio@release-1.19 (#47317)
* Automator: update ztunnel@release-1.19 in
istio/istio@release-1.19 (#47314)
* Automator: update proxy@release-1.19 in
istio/istio@release-1.19 (#47296)
-------------------------------------------------------------------
Thu Oct 12 05:30:26 UTC 2023 - kastl@b1-systems.de
- Update to version 1.19.3:
* Automator: update istio/client-go@release-1.19 dependency in
istio/istio@release-1.19 (#47293)
* Update golang.org/x/net and grpc-go (#47287)
* Automator: update common-files@release-1.19 in
istio/istio@release-1.19 (#47291)
* Automator: update proxy@release-1.19 in
istio/istio@release-1.19 (#47289)
* Automator: update proxy@release-1.19 in
istio/istio@release-1.19 (#47271)
* Automator: update proxy@release-1.19 in
istio/istio@release-1.19 (#47243)
* Automator: update ztunnel@release-1.19 in
istio/istio@release-1.19 (#47240)
* Automator: update istio/client-go@release-1.19 dependency in
istio/istio@release-1.19 (#47232)
* Automator: update proxy@release-1.19 in
istio/istio@release-1.19 (#47233)
* Automator: update common-files@release-1.19 in
istio/istio@release-1.19 (#47231)
* Automator: update proxy@release-1.19 in
istio/istio@release-1.19 (#47186)
- skipping non-existent release 1.19.2
-------------------------------------------------------------------
Wed Oct 04 09:40:21 UTC 2023 - kastl@b1-systems.de
- Update to version 1.19.1:
* Update deps for 1.19.1 (#47129)
* Automator: update istio/client-go@release-1.19 dependency in
istio/istio@release-1.19 (#47123)
* [release-1.19] Push back invalid secret to prevent sds fetching
timeout (#47110)
* Autheticate crane with DefaultKeychain (#47100)
* [release-1.19] Fix issue with dual-stack iptables6 rules when
using istio-cni plugin… (#47108)
* Automator: update ztunnel@release-1.19 in
istio/istio@release-1.19 (#47075)
* Automator: update proxy@release-1.19 in
istio/istio@release-1.19 (#47062)
* Fix issue with emiting uninitialized Guage metrics (#46980)
* [release-1.19] fix DNSNoEndpointClusters metric (#46966)
* [release-1.19] dedup addressInfo (#46949)
* [release-1.19] Add endpoints to proxy-config all output
(#46940)
* [release-1.19] Gateway API cherrypicks (#46938)
* [release-1.19] Fix verify install kinds for kind
NetworkAttachmentDefinition (#46944)
* Bump github.com/cyphar/filepath-securejoin from 0.2.3 to 0.2.4
(#46889)
* Automator: update ztunnel@release-1.19 in
istio/istio@release-1.19 (#46900)
* Cherrypick 46579 (#46896)
* Automator: update istio/client-go@release-1.19 dependency in
istio/istio@release-1.19 (#46888)
* [release-1.19] Update sigs.k8s.io/gateway-api to 0.8.0 (#46677)
* Automator: update proxy@release-1.19 in
istio/istio@release-1.19 (#46878)
* Automator: update istio/client-go@release-1.19 dependency in
istio/istio@release-1.19 (#46873)
* Automator: update proxy@release-1.19 in
istio/istio@release-1.19 (#46872)
* Automator: update common-files@release-1.19 in
istio/istio@release-1.19 (#46871)
* [release-1.19] Cherrypick 46429 (#46784)
* Automator: update istio/client-go@release-1.19 dependency in
istio/istio@release-1.19 (#46853)
* [release-1.19] install: fix warning with wrong control plane
(#46739)
* [release-1.19] Ambient: fix incorrect updates when ambient
namespace label is changed (#46715)
* [release-1.19] Add ability to install gateway helm chart with
dual-stack service def… (#46683)
* Remove conditional cleanup from traffic test. (#46819)
* respect meshConfig.defaultConfig.sampling (#46735)
* Report networkpolicies in bug-report (#46843)
-------------------------------------------------------------------
Wed Sep 06 05:22:41 UTC 2023 - kastl@b1-systems.de
- Update to version 1.19.0:
very large changelog, please find it at
https://github.com/istio/istio/releases/tag/1.19.0 and
https://istio.io/news/releases/1.19.x/announcing-1.19/
-------------------------------------------------------------------
Tue Jul 25 17:22:24 UTC 2023 - kastl@b1-systems.de
- Update to version 1.18.2:
* Add validation of workload entry identity (#117)
* Bump proxy version (#122)
* Automator: update proxy@release-1.18 in
istio/istio@release-1.18 (#46039)
* Automator: update proxy@release-1.18 in
istio/istio@release-1.18 (#46025)
* Fix nil map for cluster builder (#46024)
* fix concurrent map access in endpoint metadata (#44473)
(#46021)
* fix conflict (#46017)
* Exit if sds socket not found (#45941) (#46014)
-------------------------------------------------------------------
Mon Jul 17 04:59:39 UTC 2023 - kastl@b1-systems.de
- Update to version 1.18.1:
* Automator: update proxy@release-1.18 in
istio/istio@release-1.18 (#46007)
* Automator: update ztunnel@release-1.18 in
istio/istio@release-1.18 (#46000)
* Automator: update istio/client-go@release-1.18 dependency in
istio/istio@release-1.18 (#45996)
* Automator: update common-files@release-1.18 in
istio/istio@release-1.18 (#45995)
* Update image from (#45958)
* [release-1.18] prevent port conflict with sidecar static
listener like 15021 15090 (#45966)
* [release-1.18] Set inject true for compatibility tests (#45928)
* Automator: update ztunnel@release-1.18 in
istio/istio@release-1.18 (#45948)
* Add release note for #45632 (#45927)
* [release-1.18] Fix health probe port overwrite (#45873)
* Automator: update istio/client-go@release-1.18 dependency in
istio/istio@release-1.18 (#45938)
* Automator: update common-files@release-1.18 in
istio/istio@release-1.18 (#45936)
* Automator: update ztunnel@release-1.18 in
istio/istio@release-1.18 (#45892)
* Automator: update common-files@release-1.18 in
istio/istio@release-1.18 (#45875)
* Automator: update istio/client-go@release-1.18 dependency in
istio/istio@release-1.18 (#45876)
* [release-1.18] Fix bug report include option not working as
expected (#45860)
* Automator: update istio/client-go@release-1.18 dependency in
istio/istio@release-1.18 (#45857)
* [release-1.18] Fix a potential nil panic of endpointindex
(#45808)
* Automator: update proxy@release-1.18 in
istio/istio@release-1.18 (#45834)
* Automator: update proxy@release-1.18 in
istio/istio@release-1.18 (#45771)
* Automator: update proxy@release-1.18 in
istio/istio@release-1.18 (#45769)
* Automator: update proxy@release-1.18 in
istio/istio@release-1.18 (#45747)
* gcp metadata: compute GCPClusterURL from metadata (#45741)
* Fix auth header syntax (#45711)
* Automator: update ztunnel@release-1.18 in
istio/istio@release-1.18 (#45702)
* Bump github.com/lestrrat-go/jwx from 1.2.25 to 1.2.26 (#45684)
* Automator: update common-files@release-1.18 in
istio/istio@release-1.18 (#45690)
* Automator: update istio/client-go@release-1.18 dependency in
istio/istio@release-1.18 (#45660)
* Automator: update proxy@release-1.18 in
istio/istio@release-1.18 (#45667)
* prow: move to use WI for auth_header in private (#45609)
* Automator: update proxy@release-1.18 in
istio/istio@release-1.18 (#45587)
* Automator: update ztunnel@release-1.18 in
istio/istio@release-1.18 (#45579)
* Automator: update istio/client-go@release-1.18 dependency in
istio/istio@release-1.18 (#45570)
* Automator: update common-files@release-1.18 in
istio/istio@release-1.18 (#45569)
* [release-1.18] improve accesslog mode e2e tests (#45519)
* Update BASE_VERSION to 1.18-2023-06-15T19-02-54 (#45495)
* [release-1.18] cherry-pick: add debug info when generating
certs for workloads (#45194)
* [release-1.18] Update min supported k8s version to 1.24
(#45444)
* Automator: update proxy@release-1.18 in
istio/istio@release-1.18 (#45450)
* Automator: update istio/client-go@release-1.18 dependency in
istio/istio@release-1.18 (#45381)
* [release-1.18] Check the disabled status when adding a log
provider (#45373)
* Change to use Node instead of RawMeta (#45359)
* [release-1.18] Fix istioctl pc secret cert validity not
accurate (#45343)
* Add rolling update max unavailable to CNI chart to speed up
deploys (cherry pick to release-1.18) (#44934)
* Fix Telemetry disablement matching (#45303)
* Fix invalid XDS configuration for wildcard Ingress HTTP path
(#44898) (#45168)
* Adding LRS support (#45165)
* [release-1.18] Certificate Revocation List support (#45130)
* [release-1.18]Manual cherry-pick of 44481 and 44775 (#45081)
* precise-errorcode-debuggen (#45164)
* Automator: update ztunnel@release-1.18 in
istio/istio@release-1.18 (#45333)
* Automator: update istio/client-go@release-1.18 dependency in
istio/istio@release-1.18 (#45326)
* Automator: update common-files@release-1.18 in
istio/istio@release-1.18 (#45325)
-------------------------------------------------------------------
Tue Jun 13 06:13:18 UTC 2023 - kastl@b1-systems.de
- Update to version 1.18.0:
very large changelog, please see
https://istio.io/latest/news/releases/1.18.x/announcing-1.18/
-------------------------------------------------------------------
Tue Jun 13 06:08:03 UTC 2023 - kastl@b1-systems.de
- Update to version 1.17.3:
* Update BASE_VERSION to 1.17-2023-05-31T19-02-43 (#45227)
* Revert "[release-1.17] Operator: Fix webhooks reconciled by
operator are inconsistent with istioctl install's (#45121)"
(#45205)
* 1.17: bump docker dep (#45198)
* cherry-pick: add debug info when generating certs for workloads
#45183 (#45189)
* [release-1.17] Run update_deps.sh (#45177)
* [release-1.17] Operator: Fix webhooks reconciled by operator
are inconsistent with istioctl install's (#45121)
* RetryWithContext should use the new NextBackOff() (#45122)
* Update BASE_VERSION to 1.17-2023-05-24T19-03-36 (#45110)
* [release-1.17] fix backoff and read ca file interval (#45039)
* [release-1.17]Manual cherry-pick of 44481 and 44775 (#45082)
* Automator: update proxy@release-1.17 in
istio/istio@release-1.17 (#45017)
* Automator: update istio/client-go@release-1.17 dependency in
istio/istio@release-1.17 (#45070)
* Automator: update common-files@release-1.17 in
istio/istio@release-1.17 (#45069)
* Automator: update proxy@release-1.17 in
istio/istio@release-1.17 (#44989)
* remove file from file certs before triggering call backs
(#44908)
* [release-1.17] Fix MaybeApplyTLSModeLabel function (#44939)
* spiffe: fix handling of trust bundles with multiple keys
(#44909)
* [release-1.17] inject: remove unknown fields from template
(#44858)
* add support for security.istio.io/v1beta1 api in authz tests
when testing multiple istio versions (#44447) (#44808)
* Automator: update proxy@release-1.17 in
istio/istio@release-1.17 (#44782)
* [release-1.17] Fix persistent sessions scale down with envoy
(#44652)
* [release-1.17] Fix verify-install to work with multi iops
(#44753)
* Skip runtime resources when analyzing files (#44506) (#44733)
* [release-1.17] Fix pilot using wrong readinessprobe check,
should check if /validate and /inject endpoints are ready.
(#44750)
* Automator: update proxy@release-1.17 in
istio/istio@release-1.17 (#44745)
* Fix multi-cluster issue by increasing the timeout of listing
CRDs (#44715) (#44739)
* Automator: update istio/client-go@release-1.17 dependency in
istio/istio@release-1.17 (#44734)
* Automator: update common-files@release-1.17 in
istio/istio@release-1.17 (#44732)
* Automator: update proxy@release-1.17 in
istio/istio@release-1.17 (#44718)
* Use safer dedupe for config (#44502) (#44535)
* Automator: update proxy@release-1.17 in
istio/istio@release-1.17 (#44618)
* Automator: update proxy@release-1.17 in
istio/istio@release-1.17 (#44598)
* Update BASE_VERSION to 1.17-2023-04-26T19-03-52 (#44574)
* disable automount SA token only on tests with min istio
revisions >= 1.16 (#44492)
* fix missing gateway services (#44463)
* [release-1.17] add validation for empty prefix header match
(#44455)
* Automator: update proxy@release-1.17 in
istio/istio@release-1.17 (#44440)
* Integration Test for Istio custom GRPC count metrics (#44288)
* [release-1.17] gateway: prevent duplicate `istio_authn` network
filter in the filter chain (#44399)
* fix gateway service name (#44382)
* Automator: update proxy@release-1.17 in
istio/istio@release-1.17 (#44389)
* Update BASE_VERSION to 1.17-2023-04-12T19-03-40 (#44359)
* Automator: update proxy@release-1.17 in
istio/istio@release-1.17 (#44344)
* Automator: update istio/client-go@release-1.17 dependency in
istio/istio@release-1.17 (#44283)
* Automator: update common-files@release-1.17 in
istio/istio@release-1.17 (#44282)
* Automator: update proxy@release-1.17 in
istio/istio@release-1.17 (#44271)
* gateway: remove internal annotation from propogating (#44220)
(#44229)
* Automator: update proxy@release-1.17 in
istio/istio@release-1.17 (#44241)
* [release-1.17] add release-notes for grpc stats (#44222)
* Automator: update proxy@release-1.17 in
istio/istio@release-1.17 (#44217)
* [1.17] gateway deployment controller: handle backwards
compatibility (#44171)
* fix: increment failures in serverFailure function (#44176)
* [release-1.17] always enable grpc stats filter (#44180)
-------------------------------------------------------------------
Wed Apr 19 12:10:36 UTC 2023 - Johannes Kastl <kastl@b1-systems.de>
- package sample files
-------------------------------------------------------------------
Wed Apr 05 04:41:53 UTC 2023 - kastl@b1-systems.de
- Update to version 1.17.2:
* [release-1.17] Update deps 1.17 (#106)
* Automator: update proxy@release-1.17 in
istio/istio@release-1.17 (#44133)
* Automator: update proxy@release-1.17 in
istio/istio@release-1.17 (#44102)
* Automator: update proxy@release-1.17 in
istio/istio@release-1.17 (#44079)
* Add endpointslices to bug-report dump (#44054)
* Automator: update common-files@release-1.17 in
istio/istio@release-1.17 (#44055)
* Automator: update proxy@release-1.17 in
istio/istio@release-1.17 (#44061)
* Automator: update istio/client-go@release-1.17 dependency in
istio/istio@release-1.17 (#44058)
* vm: fix assigning label from metadata (#44021)
* [release-1.17] tracing: Update proxyConfig.Tracing merge logic
(#42518) (#44019)
* Automator: update proxy@release-1.17 in
istio/istio@release-1.17 (#44049)
* Update BASE_VERSION to 1.17-2023-03-21T19-02-32 (#44039)
* add retry to default service account patch command (#43915)
* Fix gateway injection when istio.io/rev=<tag> (#43668)
* Automator: update istio/client-go@release-1.17 dependency in
istio/istio@release-1.17 (#43973)
* [release-1.17] Fix x wait when
PILOT_ENABLE_CONFIG_DISTRIBUTION_TRACKING is not true (#43980)
* Automator: update common-files@release-1.17 in
istio/istio@release-1.17 (#43971)
* Use ReadHeaderTimeout instead of ReadTimeout when gRPC is
multiplexed (#43885)
* Break system namespace and ingressgateway assumptions (#43809)
(#43866)
* [release-1.17] Run update_deps.sh (#43869)
* [release-1.17] ServiceEntry IP allocation: Stable IP when used
in multiple namespaces (#43879)
* Bump Helm to 3.11.1 (#43860)
* Bump x/net to 0.7.0 (#43851)
* Automator: update istio/client-go@release-1.17 dependency in
istio/istio@release-1.17 (#43855)
* Automator: update proxy@release-1.17 in
istio/istio@release-1.17 (#43856)
* Automator: update common-files@release-1.17 in
istio/istio@release-1.17 (#43854)
* Automator: update istio/client-go@release-1.17 dependency in
istio/istio@release-1.17 (#43834)
* [release-1.17] Fix name resolution in istioctl command (#43819)
* Update BASE_VERSION to 1.17-2023-03-07T19-01-20 (#43812)
* [release-1.17] rbac: honor useAuthenticated (#43808)
* [release-1.17] Include trustDomains from CaCertificates in SAN
Validation (#43795)
* AccessLogging: fix the issue where disable accesslogging does
not take effect. (#43798)
* Update BASE_VERSION to 1.17-2023-03-03T19-02-38 (#43757)
* Automator: update proxy@release-1.17 in
istio/istio@release-1.17 (#43734)
* Automator: update istio/client-go@release-1.17 dependency in
istio/istio@release-1.17 (#43718)
* Automator: update proxy@release-1.17 in
istio/istio@release-1.17 (#43707)
* Automator: update istio/client-go@release-1.17 dependency in
istio/istio@release-1.17 (#43695)
* [release-1.17] Fix analyzing not caught some messages in
default namespace (#43678)
* Update BASE_VERSION to 1.17-2023-02-28T19-03-02 (#43666)
* [release-1.17] fix unexpected behavior of multi accesslogging
filters (#43591)
* [release-1.17] validate: improve ValidateHTTPHeaderValue
(#43391)
* Automator: update proxy@release-1.17 in
istio/istio@release-1.17 (#43573)
* [release-1.17] cluster: clone Push.Mesh.ConnectTimeout to avoid
unintended mutation by EnvoyFilter (#43557)
* [release-1.17] Fix large direct response (#43550)
* Automator: update proxy@release-1.17 in
istio/istio@release-1.17 (#43530)
-------------------------------------------------------------------
Tue Mar 28 10:50:26 UTC 2023 - Johannes Kastl <kastl@b1-systems.de>
- bash-completion subpackage now Requires bash-completion
-------------------------------------------------------------------
Fri Mar 3 06:01:56 UTC 2023 - Johannes Kastl <kastl@b1-systems.de>
- new package istioctl: CLI for the istio service mesh for Kubernetes
