Merge pull request istio#7 from openshift-service-mesh-bot/none-maste…

…r-merge_upstream_istio_master-6253864e

Automator: merge upstream changes to openshift-service-mesh/istio@master

Makefile.core.mk

@@ -49,7 +49,7 @@ endif
 export VERSION
 
 # Base version of Istio image to use
-BASE_VERSION ?= master-2024-04-19T19-01-19
+BASE_VERSION ?= 1.22-2024-04-26T19-01-49
 ISTIO_BASE_REGISTRY ?= gcr.io/istio-release
 
 export GO111MODULE ?= on

go.mod

@@ -19,13 +19,13 @@ require (
 	github.com/census-instrumentation/opencensus-proto v0.4.1
 	github.com/cespare/xxhash/v2 v2.3.0
 	github.com/cheggaaa/pb/v3 v3.1.5
-	github.com/cncf/xds/go v0.0.0-20240329184929-0c46c01016dc
+	github.com/cncf/xds/go v0.0.0-20240423153145-555b57ec207b
 	github.com/containernetworking/cni v1.1.2
 	github.com/containernetworking/plugins v1.4.1
 	github.com/coreos/go-oidc/v3 v3.10.0
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc
 	github.com/docker/cli v26.0.0+incompatible
-	github.com/envoyproxy/go-control-plane v0.12.1-0.20240419124334-0cebb2f428b3
+	github.com/envoyproxy/go-control-plane v0.12.1-0.20240425230418-212e93054f1a
 	github.com/evanphx/json-patch/v5 v5.9.0
 	github.com/fatih/color v1.16.0
 	github.com/felixge/fgprof v0.9.4

go.sum

@@ -109,8 +109,8 @@ github.com/chzyer/test v1.0.0/go.mod h1:2JlltgoNkt4TW/z9V/IzDdFaMTM2JPIi26O1pF38
 github.com/cilium/ebpf v0.5.0/go.mod h1:4tRaxcgiL706VnOzHOdBlY8IEAIdxINsQBcU4xJJXRs=
 github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
 github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
-github.com/cncf/xds/go v0.0.0-20240329184929-0c46c01016dc h1:Xo7J+m6Iq9pGYXnooTSpxZ11PzNzI7cKU9V81dpKSRQ=
-github.com/cncf/xds/go v0.0.0-20240329184929-0c46c01016dc/go.mod h1:W+zGtBO5Y1IgJhy4+A9GOqVhqLpfZi+vwmdNXUehLA8=
+github.com/cncf/xds/go v0.0.0-20240423153145-555b57ec207b h1:ga8SEFjZ60pxLcmhnThWgvH2wg8376yUJmPhEH4H3kw=
+github.com/cncf/xds/go v0.0.0-20240423153145-555b57ec207b/go.mod h1:W+zGtBO5Y1IgJhy4+A9GOqVhqLpfZi+vwmdNXUehLA8=
 github.com/cockroachdb/datadriven v0.0.0-20190809214429-80d97fb3cbaa/go.mod h1:zn76sxSg3SzpJ0PPJaLDCu+Bu0Lg3sKTORVIj19EIF8=
 github.com/containerd/stargz-snapshotter/estargz v0.15.1 h1:eXJjw9RbkLFgioVaTG+G/ZW/0kEe2oEKCdS/ZxIyoCU=
 github.com/containerd/stargz-snapshotter/estargz v0.15.1/go.mod h1:gr2RNwukQ/S9Nv33Lt6UC7xEx58C+LHRdoqbEKjz1Kk=
@@ -180,8 +180,8 @@ github.com/emicklei/go-restful/v3 v3.11.2/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRr
 github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
 github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
 github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98=
-github.com/envoyproxy/go-control-plane v0.12.1-0.20240419124334-0cebb2f428b3 h1:/eklMEyfPvB7C8dULCt9GYwpYDy6shwe7vqHMS+82bI=
-github.com/envoyproxy/go-control-plane v0.12.1-0.20240419124334-0cebb2f428b3/go.mod h1:rlr50u7tACJ1Y9jCUMndkfLvGCAX3fWXVVAkj+OfzT4=
+github.com/envoyproxy/go-control-plane v0.12.1-0.20240425230418-212e93054f1a h1:OmSlDWdXUzNgoMWOtrcEAmiO9BxTt6cGotwz7cZwIyw=
+github.com/envoyproxy/go-control-plane v0.12.1-0.20240425230418-212e93054f1a/go.mod h1:5Wkq+JduFtdAXihLmeTJf+tRYIT4KBc2vPXDhwVo1pA=
 github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
 github.com/envoyproxy/protoc-gen-validate v1.0.4 h1:gVPz/FMfvh57HdSJQyvBtF00j8JU4zdyUgIUNhlgg0A=
 github.com/envoyproxy/protoc-gen-validate v1.0.4/go.mod h1:qys6tmnRsYrQqIhm2bvKZH4Blx/1gTIZ2UKVY1M+Yew=

istio.deps

@@ -11,6 +11,6 @@
     "name": "ZTUNNEL_REPO_SHA",
     "repoName": "ztunnel",
     "file": "",
-    "lastStableSHA": "4549e63e2d5120c4a386ea41288dd08b9f823fc9"
+    "lastStableSHA": "56a4f6543927ff8708d5c1f018cb71b046abef38"
   }
 ]

manifests/charts/istio-control/istio-discovery/files/grpc-agent.yaml

@@ -81,7 +81,7 @@ spec:
       value: grpc
     - name: OUTPUT_CERTS
       value: /var/lib/istio/data
-    {{- if eq (env .InboundTrafficPolicyMode "localhost") "passthrough" }}
+    {{- if eq .InboundTrafficPolicyMode "localhost" }}
     - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION
       value: "true"
     {{- end }}

manifests/charts/istio-control/istio-discovery/files/injection-template.yaml

@@ -238,7 +238,7 @@ spec:
           - drain
   {{- end }}
     env:
-    {{- if eq (env .InboundTrafficPolicyMode "localhost") "passthrough" }}
+    {{- if eq .InboundTrafficPolicyMode "localhost" }}
     - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION
       value: "true"
     {{- end }}

manifests/charts/istiod-remote/files/injection-template.yaml

@@ -238,7 +238,7 @@ spec:
           - drain
   {{- end }}
     env:
-    {{- if eq (env .InboundTrafficPolicyMode "localhost") "passthrough" }}
+    {{- if eq .InboundTrafficPolicyMode "localhost" }}
     - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION
       value: "true"
     {{- end }}

pilot/pkg/leaderelection/leaderelection_test.go

@@ -78,9 +78,8 @@ func createElectionMulticluster(t *testing.T,
 		cycle:          atomic.NewInt32(0),
 		enabled:        true,
 	}
-	gotLeader := make(chan struct{})
 	l.AddRunFunction(func(stop <-chan struct{}) {
-		gotLeader <- struct{}{}
+		<-stop
 	})
 	for _, fn := range fns {
 		l.AddRunFunction(fn)

pilot/pkg/leaderelection/leak_test.go

@@ -0,0 +1,26 @@
+// Copyright Istio Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package leaderelection
+
+import (
+	"testing"
+
+	"istio.io/istio/tests/util/leak"
+)
+
+func TestMain(m *testing.M) {
+	// CheckMain asserts that no goroutines are leaked after a test package exits.
+	leak.CheckMain(m)
+}

pilot/pkg/server/instance_test.go

@@ -159,9 +159,12 @@ func newFakeComponent(d time.Duration) *fakeComponent {
 	}
 }
 
-func (c *fakeComponent) Run(_ <-chan struct{}) error {
+func (c *fakeComponent) Run(stop <-chan struct{}) error {
 	c.started.Store(true)
-	time.Sleep(c.d)
+	select {
+	case <-time.After(c.d):
+	case <-stop:
+	}
 	c.completed.Store(true)
 	return nil
 }

pilot/pkg/server/leak_test.go

@@ -0,0 +1,26 @@
+// Copyright Istio Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package server
+
+import (
+	"testing"
+
+	"istio.io/istio/tests/util/leak"
+)
+
+func TestMain(m *testing.M) {
+	// CheckMain asserts that no goroutines are leaked after a test package exits.
+	leak.CheckMain(m)
+}

pilot/pkg/serviceregistry/aggregate/controller_test.go

@@ -443,7 +443,7 @@ func TestDeferredRun(t *testing.T) {
 
 	t.Run("AddRegistry before aggregate Run does not run", func(t *testing.T) {
 		ctrl.AddRegistry(runnableRegistry("earlyAdd"))
-		ctrl.AddRegistryAndRun(runnableRegistry("earlyAddAndRun"), nil)
+		ctrl.AddRegistryAndRun(runnableRegistry("earlyAddAndRun"), stop)
 		expectRunningOrFail(t, ctrl, false)
 	})
 	t.Run("aggregate Run starts all registries", func(t *testing.T) {
@@ -459,7 +459,7 @@ func TestDeferredRun(t *testing.T) {
 		expectRunningOrFail(t, ctrl, true)
 	})
 	t.Run("AddRegistryAndRun after aggregate Run starts registry", func(t *testing.T) {
-		ctrl.AddRegistryAndRun(runnableRegistry("late"), nil)
+		ctrl.AddRegistryAndRun(runnableRegistry("late"), stop)
 		expectRunningOrFail(t, ctrl, true)
 	})
 }

pilot/pkg/serviceregistry/aggregate/leak_test.go

@@ -0,0 +1,26 @@
+// Copyright Istio Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package aggregate
+
+import (
+	"testing"
+
+	"istio.io/istio/tests/util/leak"
+)
+
+func TestMain(m *testing.M) {
+	// CheckMain asserts that no goroutines are leaked after a test package exits.
+	leak.CheckMain(m)
+}

pilot/pkg/xds/endpoints/endpoint_builder.go

@@ -40,6 +40,7 @@ import (
 	"istio.io/istio/pkg/network"
 	"istio.io/istio/pkg/slices"
 	"istio.io/istio/pkg/util/hash"
+	netutil "istio.io/istio/pkg/util/net"
 )
 
 var (
@@ -337,6 +338,13 @@ func (b *EndpointBuilder) BuildClusterLoadAssignment(endpointIndex *model.Endpoi
 		if svcPort.Name != ep.ServicePortName {
 			return false
 		}
+		// filter out endpoint that has invalid ip address, mostly domain name. Because this is generated from ServiceEntry.
+		// There are other two cases that should not be filtered out:
+		// 1. ep.Address can be empty since https://github.com/istio/istio/pull/45150, in this case we will replace it with gateway ip.
+		// 2. ep.Address can be uds when EndpointPort = 0
+		if ep.Address != "" && ep.EndpointPort != 0 && !netutil.IsValidIPAddress(ep.Address) {
+			return false
+		}
 		// filter out endpoints that don't match the subset
 		if !b.subsetLabels.SubsetOf(ep.Labels) {
 			return false

pilot/pkg/xds/endpoints/ep_filters_test.go

@@ -834,6 +834,7 @@ func testShards() *model.EndpointIndex {
 		// network1 has one endpoint in each cluster
 		{Cluster: "cluster1a"}: {
 			{Network: "network1", Address: "10.0.0.1"},
+			{Network: "network1", Address: "foo.bar"}, // endpoint generated from ServiceEntry
 		},
 		{Cluster: "cluster1b"}: {
 			{Network: "network1", Address: "10.0.0.2"},

pkg/config/validation/validation.go

@@ -2498,7 +2498,7 @@ var ValidateWorkloadEntry = RegisterValidateFunc("ValidateWorkloadEntry",
 		return validateWorkloadEntry(we, nil, true).Unwrap()
 	})
 
-func validateWorkloadEntry(we *networking.WorkloadEntry, servicePorts map[string]bool, allowFQDNAddresses bool) Validation {
+func validateWorkloadEntry(we *networking.WorkloadEntry, servicePorts sets.String, allowFQDNAddresses bool) Validation {
 	errs := Validation{}
 	unixEndpoint := false
 
@@ -2530,7 +2530,7 @@ func validateWorkloadEntry(we *networking.WorkloadEntry, servicePorts map[string
 	errs = AppendValidation(errs,
 		labels.Instance(we.Labels).Validate())
 	for name, port := range we.Ports {
-		if servicePorts != nil && !servicePorts[name] {
+		if servicePorts != nil && !servicePorts.Contains(name) {
 			errs = AppendValidation(errs, fmt.Errorf("endpoint port %v is not defined by the service entry", port))
 		}
 		errs = AppendValidation(errs,
@@ -2678,21 +2678,19 @@ var ValidateServiceEntry = RegisterValidateFunc("ValidateServiceEntry",
 			}
 		}
 
-		servicePortNumbers := make(map[uint32]bool)
-		servicePorts := make(map[string]bool, len(serviceEntry.Ports))
+		servicePortNumbers := sets.New[uint32]()
+		servicePorts := sets.NewWithLength[string](len(serviceEntry.Ports))
 		for _, port := range serviceEntry.Ports {
 			if port == nil {
 				errs = AppendValidation(errs, fmt.Errorf("service entry port may not be null"))
 				continue
 			}
-			if servicePorts[port.Name] {
+			if servicePorts.InsertContains(port.Name) {
 				errs = AppendValidation(errs, fmt.Errorf("service entry port name %q already defined", port.Name))
 			}
-			servicePorts[port.Name] = true
-			if servicePortNumbers[port.Number] {
+			if servicePortNumbers.InsertContains(port.Number) {
 				errs = AppendValidation(errs, fmt.Errorf("service entry port %d already defined", port.Number))
 			}
-			servicePortNumbers[port.Number] = true
 			if port.TargetPort != 0 {
 				errs = AppendValidation(errs, agent.ValidatePort(int(port.TargetPort)))
 				if serviceEntry.Resolution == networking.ServiceEntry_NONE && !features.PassthroughTargetPort {
@@ -2754,7 +2752,7 @@ var ValidateServiceEntry = RegisterValidateFunc("ValidateServiceEntry",
 				errs = AppendValidation(errs,
 					labels.Instance(endpoint.Labels).Validate())
 				for name, port := range endpoint.Ports {
-					if !servicePorts[name] {
+					if !servicePorts.Contains(name) {
 						errs = AppendValidation(errs, fmt.Errorf("endpoint port %v is not defined by the service entry", port))
 					}
 					errs = AppendValidation(errs,

pkg/kube/inject/inject_test.go

@@ -358,6 +358,16 @@ func TestInjection(t *testing.T) {
 				test.SetEnvForTest(t, platform.Platform.Name, platform.OpenShift)
 			},
 		},
+		{
+			// Validates localhost probes get injected correctly
+			in:   "hello-probes-localhost.yaml",
+			want: "hello-probes-localhost.yaml.injected",
+			mesh: func(m *meshapi.MeshConfig) {
+				m.InboundTrafficPolicy = &meshapi.MeshConfig_InboundTrafficPolicy{
+					Mode: meshapi.MeshConfig_InboundTrafficPolicy_LOCALHOST,
+				}
+			},
+		},
 	}
 	// Keep track of tests we add options above
 	// We will search for all test files and skip these ones

pkg/kube/inject/leak_test.go

@@ -0,0 +1,26 @@
+// Copyright Istio Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package inject
+
+import (
+	"testing"
+
+	"istio.io/istio/tests/util/leak"
+)
+
+func TestMain(m *testing.M) {
+	// CheckMain asserts that no goroutines are leaked after a test package exits.
+	leak.CheckMain(m)
+}

pkg/kube/inject/testdata/inject/hello-probes-localhost.yaml

@@ -0,0 +1,43 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: hello
+spec:
+  replicas: 7
+  selector:
+    matchLabels:
+      app: hello
+      tier: backend
+      track: stable
+  template:
+    metadata:
+      labels:
+        app: hello
+        tier: backend
+        track: stable
+    spec:
+      containers:
+        - name: hello
+          image: "fake.docker.io/google-samples/hello-go-gke:1.0"
+          ports:
+            - name: http
+              containerPort: 80
+          livenessProbe:
+            httpGet:
+              port: http
+          readinessProbe:
+            httpGet:
+              port: 3333
+        - name: world
+          image: "fake.docker.io/google-samples/hello-go-gke:1.0"
+          ports:
+            - name: http
+              containerPort: 90
+          livenessProbe:
+            httpGet:
+              port: http
+          readinessProbe:
+            exec:
+              command:
+                - cat
+                - /tmp/healthy