Update Istio test versions and Istio docs (#688)

.github/workflows/istio-tests.yaml

@@ -1,4 +1,4 @@
-# Copyright 2019, 2024, Oracle Corporation and/or its affiliates.  All rights reserved.
+# Copyright 2019, 2025, Oracle Corporation and/or its affiliates.  All rights reserved.
 # Licensed under the Universal Permissive License v 1.0 as shown at
 # http://oss.oracle.com/licenses/upl.
 
@@ -38,8 +38,8 @@ jobs:
       matrix:
         istioVersion:
         - latest
-        - 1.18.2
-        - 1.17.5
+        - 1.23.4
+        - 1.22.8
 
     steps:
     - uses: actions/checkout@v4

Makefile

@@ -40,7 +40,7 @@ KUBERNETES_DOC_VERSION=v1.30
 # ----------------------------------------------------------------------------------------------------------------------
 # The Coherence version to build against - must be a Java 8 compatible version
 COHERENCE_VERSION     ?= 21.12.5
-COHERENCE_VERSION_LTS ?= 14.1.2-0-0
+COHERENCE_VERSION_LTS ?= 14.1.2-0-1
 # The default Coherence image the Operator will run if no image is specified
 COHERENCE_IMAGE_REGISTRY ?= ghcr.io/oracle
 COHERENCE_IMAGE_NAME     ?= coherence-ce
@@ -358,7 +358,24 @@ METALLB_VERSION ?= v0.12.1
 # Istio settings
 # ----------------------------------------------------------------------------------------------------------------------
 # The version of Istio to install, leave empty for the latest
-ISTIO_VERSION ?=
+ISTIO_VERSION    ?=
+ISTIO_PROFILE    ?= demo
+ISTIO_USE_CONFIG ?= false
+ifeq (,$(ISTIO_VERSION))
+	ISTIO_VERSION_USE := $(shell $(SCRIPTS_DIR)/find-istio-version.sh "$(TOOLS_DIRECTORY)/istio-latest.txt")
+	ISTIO_REVISION    := $(subst .,-,$(ISTIO_VERSION_USE))
+	ISTIO_HOME        := $(TOOLS_DIRECTORY)/istio-$(ISTIO_VERSION_USE)
+else
+ifeq (latest,$(ISTIO_VERSION))
+	ISTIO_VERSION_USE := $(shell $(SCRIPTS_DIR)/find-istio-version.sh "$(TOOLS_DIRECTORY)/istio-latest.txt")
+	ISTIO_REVISION    := $(subst .,-,$(ISTIO_VERSION_USE))
+	ISTIO_HOME        := $(TOOLS_DIRECTORY)/istio-$(ISTIO_VERSION_USE)
+else
+	ISTIO_VERSION_USE := $(ISTIO_VERSION)
+	ISTIO_REVISION    := $(subst .,-,$(ISTIO_VERSION))
+	ISTIO_HOME        := $(TOOLS_DIRECTORY)/istio-$(ISTIO_VERSION)
+endif
+endif
 
 # ----------------------------------------------------------------------------------------------------------------------
 # Tanzu settings
@@ -415,6 +432,9 @@ $(BUILD_PROPS):
 	OPERATOR_IMAGE_NAME=$(OPERATOR_IMAGE_NAME)\n\
 	OPERATOR_IMAGE=$(OPERATOR_IMAGE)\n\
 	VERSION=$(VERSION)\n\
+	ISTIO_VERSION_USE=$(ISTIO_VERSION_USE)\n\
+	ISTIO_REVISION=$(ISTIO_REVISION)\n\
+	ISTIO_PROFILE=$(ISTIO_PROFILE)\n\
 	OPERATOR_PACKAGE_IMAGE=$(OPERATOR_PACKAGE_IMAGE)\n" > $(BUILD_PROPS)
 
 # ----------------------------------------------------------------------------------------------------------------------
@@ -1739,6 +1759,7 @@ k3d-create: $(TOOLS_BIN)/k3d ## Create the k3d cluster
 		--registry-use $(K3D_INTERNAL_REGISTRY) --no-lb \
 		--runtime-ulimit "nofile=64000:64000" --runtime-ulimit "nproc=64000:64000" \
 		--api-port 127.0.0.1:6550
+	$(SCRIPTS_DIR)/k3d-label-node.sh
 
 .PHONY: k3d-stop
 k3d-stop: $(TOOLS_BIN)/k3d  ## Stop a default k3d cluster
@@ -2273,39 +2294,53 @@ uninstall-metallb: ## Uninstall MetalLB
 # Install the latest Istio version
 # ----------------------------------------------------------------------------------------------------------------------
 .PHONY: install-istio
-install-istio: get-istio ## Install the latest version of Istio into k8s (or override the version using the ISTIO_VERSION env var)
-	$(eval ISTIO_HOME := $(shell find $(TOOLS_DIRECTORY) -maxdepth 1 -type d | grep istio))
-	$(ISTIO_HOME)/bin/istioctl install --set profile=demo -y
-	kubectl -n istio-system wait --for condition=available deployment.apps/istiod
+install-istio: delete-istio-config get-istio ## Install the latest version of Istio into k8s (or override the version using the ISTIO_VERSION env var)
+	$(ISTIO_HOME)/bin/istioctl install -f $(BUILD_OUTPUT)/istio-config.yaml -y
+	kubectl -n istio-system wait --for condition=available deployment.apps/istiod-$(ISTIO_REVISION)
 	kubectl -n istio-system wait --for condition=available deployment.apps/istio-ingressgateway
 	kubectl -n istio-system wait --for condition=available deployment.apps/istio-egressgateway
-	kubectl apply -f ./hack/istio-strict.yaml
-	kubectl -n $(OPERATOR_NAMESPACE) apply -f ./hack/istio-operator.yaml
+	kubectl apply -f $(SCRIPTS_DIR)/istio-strict.yaml
+	kubectl -n $(OPERATOR_NAMESPACE) apply -f $(SCRIPTS_DIR)/istio-operator.yaml
 	kubectl label namespace $(OPERATOR_NAMESPACE) istio-injection=enabled --overwrite=true
 	kubectl label namespace $(OPERATOR_NAMESPACE_CLIENT) istio-injection=enabled --overwrite=true
 	kubectl label namespace $(CLUSTER_NAMESPACE) istio-injection=enabled --overwrite=true
 	kubectl apply -f $(ISTIO_HOME)/samples/addons
 
+# ----------------------------------------------------------------------------------------------------------------------
+# Upgrade Istio
+# ----------------------------------------------------------------------------------------------------------------------
+.PHONY: upgrade-istio
+upgrade-istio: delete-istio-config $(BUILD_OUTPUT)/istio-config.yaml ## Upgrade an already installed Istio to the Istio version specified by ISTIO_VERSION
+	$(ISTIO_HOME)/bin/istioctl upgrade -f $(SCRIPTS_DIR)/istio-config.yaml -y
+
 # ----------------------------------------------------------------------------------------------------------------------
 # Uninstall Istio
 # ----------------------------------------------------------------------------------------------------------------------
 .PHONY: uninstall-istio
-uninstall-istio: get-istio ## Uninstall Istio from k8s
-	kubectl -n $(OPERATOR_NAMESPACE) delete -f ./hack/istio-operator.yaml || true
-	kubectl delete -f ./hack/istio-strict.yaml
-	$(eval ISTIO_HOME := $(shell find $(TOOLS_DIRECTORY) -maxdepth 1 -type d | grep istio))
+uninstall-istio: delete-istio-config get-istio ## Uninstall Istio from k8s
+	kubectl -n $(OPERATOR_NAMESPACE) delete -f $(SCRIPTS_DIR)/istio-operator.yaml || true
+	kubectl delete -f ./hack/istio-strict.yaml || true
 	$(ISTIO_HOME)/bin/istioctl uninstall --purge -y
 
+$(BUILD_OUTPUT)/istio-config.yaml: $(BUILD_PROPS)
+	@echo "Creating Istio config: rev=$(ISTIO_REVISION)"
+	cp $(SCRIPTS_DIR)/istio-config.yaml $(BUILD_OUTPUT)/istio-config.yaml
+	$(SED) -e 's/ISTIO_PROFILE/$(ISTIO_PROFILE)/g' $(BUILD_OUTPUT)/istio-config.yaml
+	$(SED) -e 's/ISTIO_REVISION/$(ISTIO_REVISION)/g' $(BUILD_OUTPUT)/istio-config.yaml
+
+.PHONY: delete-istio-config
+delete-istio-config:
+	rm $(BUILD_OUTPUT)/istio-config.yaml || true
 
 # ----------------------------------------------------------------------------------------------------------------------
 # Get the latest Istio version
 # ----------------------------------------------------------------------------------------------------------------------
 .PHONY: get-istio
-get-istio: $(BUILD_PROPS)
-	$(SCRIPTS_DIR)/get-istio-latest.sh "$(ISTIO_VERSION)" "$(TOOLS_DIRECTORY)"
-	$(eval ISTIO_HOME := $(shell find $(TOOLS_DIRECTORY) -maxdepth 1 -type d | grep istio))
+get-istio: $(BUILD_PROPS) $(BUILD_OUTPUT)/istio-config.yaml ## Download Istio to the build/tools/istio-* directory
+	$(SCRIPTS_DIR)/get-istio-latest.sh "$(ISTIO_VERSION_USE)" "$(TOOLS_DIRECTORY)"
 	@echo "Istio installed at $(ISTIO_HOME)"
 
+
 # ----------------------------------------------------------------------------------------------------------------------
 # Obtain the golangci-lint binary
 # ----------------------------------------------------------------------------------------------------------------------

examples/400_Istio/README.adoc

@@ -1,6 +1,6 @@
 ///////////////////////////////////////////////////////////////////////////////
 
-    Copyright (c) 2021, 2024, Oracle and/or its affiliates.
+    Copyright (c) 2021, 2025, Oracle and/or its affiliates.
     Licensed under the Universal Permissive License v 1.0 as shown at
     http://oss.oracle.com/licenses/upl.
 
@@ -25,6 +25,23 @@ Coherence clusters can be manually configured to work with Istio, even if not us
 See the Istio example in the <<examples/no-operator/04_istio/README.adoc,No Operator Examples>>
 ====
 
+[IMPORTANT]
+====
+*Upgrading Istio*
+
+The Istio documentations states that the recommended way to upgrade Istio is to use
+https://istio.io/latest/docs/setup/upgrade/canary/[Istio revisions and canary upgrades].
+If Istio is upgraded using a simple in-place upgrade option this will cause Coherence Pods to have communication issues
+and ultimately make the Coherence cluster unusable. This is because an in-place Istio upgrade will cause the Istio Proxy
+in the side-car containers to receive config updates and then to drain all the TCP connections it is managing, hence
+causing Coherence containers to disconnect from each other.
+
+This issue is not just related to Coherence but can impact any long-lived TCP connections, for example connections to a database.
+
+If you are using Istio in a managed environment where you do not control its life-cycle, you must ensure that the people
+that are responsible for managing Istio use the recommended upgrade approach.
+====
+
 === How Does Coherence Work with Istio?
 
 Istio is a "Service Mesh" so the clue to how Istio works in Kubernetes is in the name, it relies on the configuration

hack/find-istio-version.sh

@@ -0,0 +1,25 @@
+#!/bin/sh
+#
+# Copyright (c) 2025, Oracle and/or its affiliates.
+# Licensed under the Universal Permissive License v 1.0 as shown at
+# http://oss.oracle.com/licenses/upl.
+#
+
+ISTIO_VERSION_FILE=$1
+ISTIO_VERSION=""
+
+if [ -e $1 ]
+then
+  ISTIO_VERSION=$(cat $1)
+else
+if [ "${ISTIO_VERSION}" = "" -o "${ISTIO_VERSION}" = "latest" ]
+then
+  ISTIO_VERSION="$(curl -sL https://github.com/istio/istio/releases | \
+                    grep -o 'releases/[0-9]*.[0-9]*.[0-9]*/' | sort --version-sort | \
+                    tail -1 | awk -F'/' '{ print $2}')"
+  ISTIO_VERSION="${ISTIO_VERSION##*/}"
+  echo ${ISTIO_VERSION} > $1
+fi
+fi
+
+echo ${ISTIO_VERSION}

hack/get-istio-latest.sh

@@ -24,7 +24,6 @@ ISTIO_HOME=${TOOLS_DIRECTORY}/istio-${ISTIO_VERSION}
 
 if [ ! -d "${ISTIO_HOME}" ]; then
   echo "Istio will be installed into ${ISTIO_HOME}"
-  rm -rf "${TOOLS_DIRECTORY}"/istio-*
   mkdir -p "${ISTIO_HOME}" || true
   curl -sL https://istio.io/downloadIstio | ISTIO_VERSION=${ISTIO_VERSION} sh -
 fi

hack/istio-config.yaml

@@ -0,0 +1,36 @@
+apiVersion: install.istio.io/v1alpha1
+kind: IstioOperator
+metadata:
+  namespace: istio-system
+spec:
+  profile: ISTIO_PROFILE
+  revision: ISTIO_REVISION
+  # Turn on default components: base, pilot, and ingress gateway
+  components:
+    base:
+      enabled: true
+    pilot:
+      enabled: true
+      k8s:
+        podDisruptionBudget:
+          minAvailable: 1
+        hpaSpec:
+          minReplicas: 2
+    # Istio Gateway feature
+    ingressGateways:
+      - name: istio-ingressgateway
+        enabled: true
+    egressGateways:
+      - name: istio-egressgateway
+        enabled: true
+
+  # Most default values come from the helm chart's values.yaml
+  # Below are the things that differ
+  values:
+    defaultRevision: ""
+    global:
+      istioNamespace: istio-system
+      configValidation: true
+    gateways:
+      istio-ingressgateway: {}
+      istio-egressgateway: {}

hack/k3d-label-node.sh

@@ -0,0 +1,32 @@
+#!/usr/bin/env bash
+
+kubectl label node k3d-operator-agent-0 topology.kubernetes.io/zone=zone-one --overwrite
+kubectl label node k3d-operator-agent-0 topology.kubernetes.io/region=one --overwrite
+kubectl label node k3d-operator-agent-0 oci.oraclecloud.com/fault-domain=fd-one --overwrite
+kubectl label node k3d-operator-agent-0 coherence.oracle.com/test=test-one --overwrite
+
+kubectl label node k3d-operator-agent-1 topology.kubernetes.io/zone=zone-one --overwrite
+kubectl label node k3d-operator-agent-1 topology.kubernetes.io/region=one --overwrite
+kubectl label node k3d-operator-agent-1 oci.oraclecloud.com/fault-domain=fd-one --overwrite
+kubectl label node k3d-operator-agent-1 coherence.oracle.com/test=test-one --overwrite
+
+kubectl label node k3d-operator-agent-2 topology.kubernetes.io/zone=zone-two --overwrite || true
+kubectl label node k3d-operator-agent-2 topology.kubernetes.io/region=two --overwrite || true
+kubectl label node k3d-operator-agent-2 oci.oraclecloud.com/fault-domain=fd-two --overwrite || true
+kubectl label node k3d-operator-agent-2 coherence.oracle.com/test=test-two --overwrite || true
+
+kubectl label node k3d-operator-agent-3 topology.kubernetes.io/zone=zone-two --overwrite || true
+kubectl label node k3d-operator-agent-3 topology.kubernetes.io/region=two --overwrite || true
+kubectl label node k3d-operator-agent-3 oci.oraclecloud.com/fault-domain=fd-two --overwrite || true
+kubectl label node k3d-operator-agent-3 coherence.oracle.com/test=test-two --overwrite || true
+
+kubectl label node k3d-operator-agent-4 topology.kubernetes.io/zone=zone-three --overwrite || true
+kubectl label node k3d-operator-agent-4 topology.kubernetes.io/region=three --overwrite || true
+kubectl label node k3d-operator-agent-4 oci.oraclecloud.com/fault-domain=fd-three --overwrite || true
+kubectl label node k3d-operator-agent-4 coherence.oracle.com/test=test-three --overwrite || true
+
+kubectl label node k3d-operator-server-0 topology.kubernetes.io/zone=zone-three --overwrite || true
+kubectl label node k3d-operator-server-0 topology.kubernetes.io/region=three --overwrite || true
+kubectl label node k3d-operator-server-0 oci.oraclecloud.com/fault-domain=fd-three --overwrite || true
+kubectl label node k3d-operator-server-0 coherence.oracle.com/test=test-three --overwrite || true
+