Merge tag '1.23.3' into tetratefips-release-1.23

Istio release 1.23.3

.devcontainer/devcontainer.json

@@ -1,6 +1,6 @@
 {
   "name": "istio build-tools",
-  "image": "gcr.io/istio-testing/build-tools:release-1.23-d82829888b6f4a2b2b2644fe481d72ced2e402aa",
+  "image": "gcr.io/istio-testing/build-tools:release-1.23-d2ac9017a4c8dfb928bbfddd064833427afc0524",
   "privileged": true,
   "remoteEnv": {
     "USE_GKE_GCLOUD_AUTH_PLUGIN": "True",

Makefile.core.mk

@@ -49,7 +49,7 @@ endif
 export VERSION
 
 # Base version of Istio image to use
-BASE_VERSION ?= 1.23-2024-09-04T19-02-13
+BASE_VERSION ?= 1.23-2024-09-17T19-01-11
 ISTIO_BASE_REGISTRY ?= gcr.io/istio-release
 
 export GO111MODULE ?= on

common/.commonfiles.sha

@@ -1 +1 @@
-e6bbccc51a140216fb669986e89602881002553d
+037289f69e8291490f4c780762ecb07986d9998a

common/scripts/setup_env.sh

@@ -75,7 +75,7 @@ fi
 TOOLS_REGISTRY_PROVIDER=${TOOLS_REGISTRY_PROVIDER:-gcr.io}
 PROJECT_ID=${PROJECT_ID:-istio-testing}
 if [[ "${IMAGE_VERSION:-}" == "" ]]; then
-  IMAGE_VERSION=release-1.23-d82829888b6f4a2b2b2644fe481d72ced2e402aa
+  IMAGE_VERSION=release-1.23-d2ac9017a4c8dfb928bbfddd064833427afc0524
 fi
 if [[ "${IMAGE_NAME:-}" == "" ]]; then
   IMAGE_NAME=build-tools

go.mod

@@ -19,7 +19,7 @@ require (
 	github.com/containernetworking/plugins v1.5.0
 	github.com/coreos/go-oidc/v3 v3.10.0
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc
-	github.com/docker/cli v26.1.4+incompatible
+	github.com/docker/cli v26.1.5+incompatible
 	github.com/envoyproxy/go-control-plane v0.12.1-0.20240719165848-f888b4f71207
 	github.com/evanphx/json-patch/v5 v5.9.0
 	github.com/fatih/color v1.17.0
@@ -98,8 +98,8 @@ require (
 	gopkg.in/yaml.v2 v2.4.0
 	gopkg.in/yaml.v3 v3.0.1
 	helm.sh/helm/v3 v3.15.1
-	istio.io/api v1.23.1-0.20240906150629-ba126bb830f0
-	istio.io/client-go v1.23.1-0.20240906150928-c84358ed0e43
+	istio.io/api v1.23.3-0.20241007150425-eb56b2cffca7
+	istio.io/client-go v1.23.3-0.20241007150824-1455e2e0ee0a
 	k8s.io/api v0.30.1
 	k8s.io/apiextensions-apiserver v0.30.1
 	k8s.io/apimachinery v0.30.1
@@ -135,7 +135,7 @@ require (
 	github.com/cyphar/filepath-securejoin v0.2.4 // indirect
 	github.com/decred/dcrd/dcrec/secp256k1/v4 v4.2.0 // indirect
 	github.com/docker/distribution v2.8.3+incompatible // indirect
-	github.com/docker/docker v26.1.4+incompatible // indirect
+	github.com/docker/docker v26.1.5+incompatible // indirect
 	github.com/docker/docker-credential-helpers v0.8.1 // indirect
 	github.com/emicklei/go-restful/v3 v3.12.0 // indirect
 	github.com/envoyproxy/protoc-gen-validate v1.0.4 // indirect

go.sum

@@ -137,13 +137,13 @@ github.com/decred/dcrd/dcrec/secp256k1/v4 v4.2.0 h1:8UrgZ3GkP4i/CLijOJx79Yu+etly
 github.com/decred/dcrd/dcrec/secp256k1/v4 v4.2.0/go.mod h1:v57UDF4pDQJcEfFUCRop3lJL149eHGSe9Jvczhzjo/0=
 github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ=
 github.com/dgryski/go-sip13 v0.0.0-20181026042036-e10d5fee7954/go.mod h1:vAd38F8PWV+bWy6jNmig1y/TA+kYO4g3RSRF0IAv0no=
-github.com/docker/cli v26.1.4+incompatible h1:I8PHdc0MtxEADqYJZvhBrW9bo8gawKwwenxRM7/rLu8=
-github.com/docker/cli v26.1.4+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
+github.com/docker/cli v26.1.5+incompatible h1:NxXGSdz2N+Ibdaw330TDO3d/6/f7MvHuiMbuFaIQDTk=
+github.com/docker/cli v26.1.5+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
 github.com/docker/distribution v2.8.3+incompatible h1:AtKxIZ36LoNK51+Z6RpzLpddBirtxJnzDrHLEKxTAYk=
 github.com/docker/distribution v2.8.3+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
 github.com/docker/docker v0.7.3-0.20190327010347-be7ac8be2ae0/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
-github.com/docker/docker v26.1.4+incompatible h1:vuTpXDuoga+Z38m1OZHzl7NKisKWaWlhjQk7IDPSLsU=
-github.com/docker/docker v26.1.4+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
+github.com/docker/docker v26.1.5+incompatible h1:NEAxTwEjxV6VbBMBoGG3zPqbiJosIApZjxlbrG9q3/g=
+github.com/docker/docker v26.1.5+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
 github.com/docker/docker-credential-helpers v0.8.1 h1:j/eKUktUltBtMzKqmfLB0PAgqYyMHOp5vfsD1807oKo=
 github.com/docker/docker-credential-helpers v0.8.1/go.mod h1:P3ci7E3lwkZg6XiHdRKft1KckHiO9a2rNtyFbZ/ry9M=
 github.com/docker/go-units v0.3.3/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
@@ -1009,10 +1009,10 @@ helm.sh/helm/v3 v3.15.1/go.mod h1:fvfoRcB8UKRUV5jrIfOTaN/pG1TPhuqSb56fjYdTKXg=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
-istio.io/api v1.23.1-0.20240906150629-ba126bb830f0 h1:utRdmZryJWw71X1flREUJFLk56QCl2JdVuP3xsvDcMI=
-istio.io/api v1.23.1-0.20240906150629-ba126bb830f0/go.mod h1:QPSTGXuIQdnZFEm3myf9NZ5uBMwCdJWUvfj9ZZ+2oBM=
-istio.io/client-go v1.23.1-0.20240906150928-c84358ed0e43 h1:/HbrtBiDEiTsQRrzkdcfNgKr+GUp/JFWc5U3ZL/QUmk=
-istio.io/client-go v1.23.1-0.20240906150928-c84358ed0e43/go.mod h1:E08wpMtUulJk2tlWOCUVakjy1bKFxUNm22tM1R1QY0Y=
+istio.io/api v1.23.3-0.20241007150425-eb56b2cffca7 h1:c8RwLi4qSqCn36t5B2WFkwRDY+qPZ1XhlLMEIoJDCcs=
+istio.io/api v1.23.3-0.20241007150425-eb56b2cffca7/go.mod h1:QPSTGXuIQdnZFEm3myf9NZ5uBMwCdJWUvfj9ZZ+2oBM=
+istio.io/client-go v1.23.3-0.20241007150824-1455e2e0ee0a h1:MZyree5xnOHalv93KgXLX9hb3EINj8EgLp7ztjWObos=
+istio.io/client-go v1.23.3-0.20241007150824-1455e2e0ee0a/go.mod h1:Lfa3anzx7/kCOpcAciR+JiRMj/SYuzDcbXQDjkThnLg=
 k8s.io/api v0.18.2/go.mod h1:SJCWI7OLzhZSvbY7U8zwNl9UA4o1fizoug34OV/2r78=
 k8s.io/api v0.18.4/go.mod h1:lOIQAKYgai1+vz9J7YcDZwC26Z0zQewYOGWdyIPUUQ4=
 k8s.io/api v0.30.1 h1:kCm/6mADMdbAxmIh0LBjS54nQBE+U4KmbCfIkF5CpJY=

istio.deps

@@ -4,13 +4,13 @@
     "name": "PROXY_REPO_SHA",
     "repoName": "proxy",
     "file": "",
-    "lastStableSHA": "6c72b2179f5a58988b920a55b0be8346de3f7b35"
+    "lastStableSHA": "cbd889517ed13455bf2d88facc5685d958eb54a6"
   },
   {
     "_comment": "",
     "name": "ZTUNNEL_REPO_SHA",
     "repoName": "ztunnel",
     "file": "",
-    "lastStableSHA": "3ead5b81415936e1d3d7f4e81b0d87178817b289"
+    "lastStableSHA": "906d9c34eb40703fe07a9d14e1bd09da2e370f61"
   }
 ]

manifests/charts/istio-cni/templates/daemonset.yaml

@@ -76,6 +76,10 @@ spec:
 {{- if or .Values.cni.pullPolicy .Values.global.imagePullPolicy }}
           imagePullPolicy: {{ .Values.cni.pullPolicy | default .Values.global.imagePullPolicy }}
 {{- end }}
+          ports:
+          - containerPort: 15014
+            name: metrics
+            protocol: TCP
           readinessProbe:
             httpGet:
               path: /readyz

manifests/charts/istio-control/istio-discovery/files/kube-gateway.yaml

@@ -104,6 +104,9 @@ spec:
           runAsGroup: {{ .ProxyGID | default "1337" }}
           runAsNonRoot: true
         ports:
+        - containerPort: 15020
+          name: metrics
+          protocol: TCP
         - containerPort: 15021
           name: status-port
           protocol: TCP

pilot/pkg/config/kube/gateway/testdata/deployment/cluster-ip.yaml

@@ -134,6 +134,9 @@ spec:
         image: test/proxyv2:test
         name: istio-proxy
         ports:
+        - containerPort: 15020
+          name: metrics
+          protocol: TCP
         - containerPort: 15021
           name: status-port
           protocol: TCP

pilot/pkg/config/kube/gateway/testdata/deployment/custom-class.yaml

@@ -131,6 +131,9 @@ spec:
         image: test/proxyv2:test
         name: istio-proxy
         ports:
+        - containerPort: 15020
+          name: metrics
+          protocol: TCP
         - containerPort: 15021
           name: status-port
           protocol: TCP

pilot/pkg/config/kube/gateway/testdata/deployment/infrastructure-labels-annotations.yaml

@@ -137,6 +137,9 @@ spec:
         image: test/proxyv2:test
         name: istio-proxy
         ports:
+        - containerPort: 15020
+          name: metrics
+          protocol: TCP
         - containerPort: 15021
           name: status-port
           protocol: TCP

pilot/pkg/config/kube/gateway/testdata/deployment/kube-gateway-ambient-redirect-infra.yaml

@@ -131,6 +131,9 @@ spec:
         image: test/proxyv2:test
         name: istio-proxy
         ports:
+        - containerPort: 15020
+          name: metrics
+          protocol: TCP
         - containerPort: 15021
           name: status-port
           protocol: TCP

pilot/pkg/config/kube/gateway/testdata/deployment/kube-gateway-ambient-redirect.yaml

@@ -131,6 +131,9 @@ spec:
         image: test/proxyv2:test
         name: istio-proxy
         ports:
+        - containerPort: 15020
+          name: metrics
+          protocol: TCP
         - containerPort: 15021
           name: status-port
           protocol: TCP

pilot/pkg/config/kube/gateway/testdata/deployment/manual-ip.yaml

@@ -131,6 +131,9 @@ spec:
         image: test/proxyv2:test
         name: istio-proxy
         ports:
+        - containerPort: 15020
+          name: metrics
+          protocol: TCP
         - containerPort: 15021
           name: status-port
           protocol: TCP

pilot/pkg/config/kube/gateway/testdata/deployment/manual-sa.yaml

@@ -131,6 +131,9 @@ spec:
         image: test/proxyv2:test
         name: istio-proxy
         ports:
+        - containerPort: 15020
+          name: metrics
+          protocol: TCP
         - containerPort: 15021
           name: status-port
           protocol: TCP

pilot/pkg/config/kube/gateway/testdata/deployment/multinetwork.yaml

@@ -138,6 +138,9 @@ spec:
         image: test/proxyv2:test
         name: istio-proxy
         ports:
+        - containerPort: 15020
+          name: metrics
+          protocol: TCP
         - containerPort: 15021
           name: status-port
           protocol: TCP

pilot/pkg/config/kube/gateway/testdata/deployment/proxy-config-crd.yaml

@@ -131,6 +131,9 @@ spec:
         image: test/proxyv2:test-distroless
         name: istio-proxy
         ports:
+        - containerPort: 15020
+          name: metrics
+          protocol: TCP
         - containerPort: 15021
           name: status-port
           protocol: TCP

pilot/pkg/config/kube/gateway/testdata/deployment/simple.yaml

@@ -137,6 +137,9 @@ spec:
         image: test/proxyv2:test
         name: istio-proxy
         ports:
+        - containerPort: 15020
+          name: metrics
+          protocol: TCP
         - containerPort: 15021
           name: status-port
           protocol: TCP

pilot/pkg/model/cluster_local.go

@@ -19,26 +19,29 @@ import (
 	"sync"
 
 	"istio.io/istio/pkg/config/host"
-	"istio.io/istio/pkg/util/sets"
 )
 
 var (
 	defaultClusterLocalNamespaces = []string{"kube-system"}
 	defaultClusterLocalServices   = []string{"kubernetes.default.svc"}
 )
 
-// ClusterLocalHosts is a map of host names or wildcard patterns which should only
-// be made accessible from within the same cluster.
+// ClusterLocalHosts is a map of host names or wildcard patterns which indicate
+// whether a host be made accessible from within the same cluster or not.
 type ClusterLocalHosts struct {
-	specific sets.Set[host.Name]
-	wildcard sets.Set[host.Name]
+	specific map[host.Name]bool
+	wildcard map[host.Name]bool
 }
 
 // IsClusterLocal indicates whether the given host should be treated as a
 // cluster-local destination.
 func (c ClusterLocalHosts) IsClusterLocal(h host.Name) bool {
-	_, _, ok := MostSpecificHostMatch(h, c.specific, c.wildcard)
-	return ok
+	_, local, ok := MostSpecificHostMatch(h, c.specific, c.wildcard)
+	// Explicitly set clusterLocal to false if host is not found in clusterLocal settings
+	if !ok {
+		local = false
+	}
+	return local
 }
 
 // ClusterLocalProvider provides the cluster-local hosts.
@@ -98,22 +101,15 @@ func (c *clusterLocalProvider) onMeshUpdated(e *Environment) {
 
 	// Collect the cluster-local hosts.
 	hosts := ClusterLocalHosts{
-		specific: make(map[host.Name]struct{}, 0),
-		wildcard: make(map[host.Name]struct{}, 0),
+		specific: make(map[host.Name]bool),
+		wildcard: make(map[host.Name]bool),
 	}
+
 	for _, serviceSettings := range e.Mesh().ServiceSettings {
-		if serviceSettings.GetSettings().GetClusterLocal() {
-			for _, h := range serviceSettings.GetHosts() {
-				hostname := host.Name(h)
-				if hostname.IsWildCarded() {
-					hosts.wildcard.Insert(hostname)
-				} else {
-					hosts.specific.Insert(hostname)
-				}
-			}
-		} else {
-			// Remove defaults if specified to be non-cluster-local.
-			for _, h := range serviceSettings.GetHosts() {
+		isClusterLocal := serviceSettings.GetSettings().GetClusterLocal()
+		for _, h := range serviceSettings.GetHosts() {
+			// If clusterLocal false, check to see if we should remove a default clusterLocal host.
+			if !isClusterLocal {
 				for i, defaultClusterLocalHost := range defaultClusterLocalHosts {
 					if len(defaultClusterLocalHost) > 0 {
 						if h == string(defaultClusterLocalHost) ||
@@ -126,15 +122,25 @@ func (c *clusterLocalProvider) onMeshUpdated(e *Environment) {
 				}
 			}
 		}
+
+		// Add hosts with their clusterLocal setting to sets.
+		for _, h := range serviceSettings.GetHosts() {
+			hostname := host.Name(h)
+			if hostname.IsWildCarded() {
+				hosts.wildcard[hostname] = isClusterLocal
+			} else {
+				hosts.specific[hostname] = isClusterLocal
+			}
+		}
 	}
 
 	// Add any remaining defaults to the end of the list.
 	for _, defaultClusterLocalHost := range defaultClusterLocalHosts {
 		if len(defaultClusterLocalHost) > 0 {
 			if defaultClusterLocalHost.IsWildCarded() {
-				hosts.wildcard.Insert(defaultClusterLocalHost)
+				hosts.wildcard[defaultClusterLocalHost] = true
 			} else {
-				hosts.specific.Insert(defaultClusterLocalHost)
+				hosts.specific[defaultClusterLocalHost] = true
 			}
 		}
 	}