Automator: merge upstream changes to openshift-service-mesh/istio@master

* upstream/master:
  validation: block invalid maglev table sizes (istio#50750)
  xds server: move files (istio#50708)
  ambient: fix auto-allow waypoint (istio#50710)
  Add ProxyConfig to list of non-stable resources (istio#50741)
  release notes for 50195 (istio#50722)
  Add keepalives to waypoint HBONE endpoint to mimic ztunnel (istio#50737)
  basic istio ascii art (istio#50699)
  add new retryon condition in validation code (istio#50726)
  Bump unshare-go dependency (istio#50725)
  Fix setting the merged service to servicesByHostname  (istio#50691)

go.mod

@@ -48,7 +48,7 @@ require (
 	github.com/hashicorp/go-multierror v1.1.1
 	github.com/hashicorp/go-version v1.6.0
 	github.com/hashicorp/golang-lru/v2 v2.0.7
-	github.com/howardjohn/unshare-go v0.3.0
+	github.com/howardjohn/unshare-go v0.4.0
 	github.com/kr/pretty v0.3.1
 	github.com/kylelemons/godebug v1.1.0
 	github.com/lestrrat-go/jwx v1.2.29

go.sum

@@ -419,8 +419,8 @@ github.com/hashicorp/hcl v1.0.0 h1:0Anlzjpi4vEasTeNFn2mLJgTSwt0+6sfsiTG8qcWGx4=
 github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ=
 github.com/hexops/gotextdiff v1.0.3 h1:gitA9+qJrrTCsiCl7+kh75nPqQt1cx4ZkudSTLoUqJM=
 github.com/hexops/gotextdiff v1.0.3/go.mod h1:pSWU5MAI3yDq+fZBTazCSJysOMbxWL1BSow5/V2vxeg=
-github.com/howardjohn/unshare-go v0.3.0 h1:ZxNO46MubN+TVgA8PGFzhIv05aKjgaHi9tKXYnmWrtM=
-github.com/howardjohn/unshare-go v0.3.0/go.mod h1:cJjyFAN6qTA70ovC2VR23iAZuJ8X3J/ibAbT693pJ8g=
+github.com/howardjohn/unshare-go v0.4.0 h1:gqPNhMC5Ng4sJPv3XfIxKDjE7cyXRsRh+sPFPbesTgo=
+github.com/howardjohn/unshare-go v0.4.0/go.mod h1:cJjyFAN6qTA70ovC2VR23iAZuJ8X3J/ibAbT693pJ8g=
 github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
 github.com/huandu/xstrings v1.3.3/go.mod h1:y5/lhBue+AyNmUVz9RLU9xbLR0o4KIIExikq4ovT0aE=
 github.com/huandu/xstrings v1.4.0 h1:D17IlohoQq4UcpqD7fDk80P7l+lwAmlFaBHgOipl2FU=

manifests/charts/base/templates/validatingadmissionpolicy.yaml

@@ -24,11 +24,14 @@ spec:
       expression: "object.kind == 'EnvoyFilter'"
     - name: isWasmPlugin
       expression: "object.kind == 'WasmPlugin'"
+    - name: isProxyConfig
+      expression: "object.kind == 'ProxyConfig'"
     - name: isTelemetry
       expression: "object.kind == 'Telemetry'"
   validations:
     - expression: "!variables.isEnvoyFilter"
     - expression: "!variables.isWasmPlugin"
+    - expression: "!variables.isProxyConfig"
     - expression: |
         !(
           variables.isTelemetry && (

manifests/charts/istio-control/istio-discovery/templates/validatingadmissionpolicy.yaml

@@ -30,11 +30,14 @@ spec:
       expression: "object.kind == 'EnvoyFilter'"
     - name: isWasmPlugin
       expression: "object.kind == 'WasmPlugin'"
+    - name: isProxyConfig
+      expression: "object.kind == 'ProxyConfig'"
     - name: isTelemetry
       expression: "object.kind == 'Telemetry'"
   validations:
     - expression: "!variables.isEnvoyFilter"
     - expression: "!variables.isWasmPlugin"
+    - expression: "!variables.isProxyConfig"
     - expression: |
         !(
           variables.isTelemetry && (

operator/cmd/mesh/install.go

@@ -44,6 +44,7 @@ import (
 	"istio.io/istio/operator/pkg/verifier"
 	pkgversion "istio.io/istio/operator/pkg/version"
 	operatorVer "istio.io/istio/operator/version"
+	"istio.io/istio/pkg/art"
 	"istio.io/istio/pkg/config/constants"
 	"istio.io/istio/pkg/config/labels"
 	"istio.io/istio/pkg/kube"
@@ -131,6 +132,7 @@ func InstallCmdWithArgs(ctx cli.Context, rootArgs *RootArgs, iArgs *InstallArgs)
 			}
 			l := clog.NewConsoleLogger(cmd.OutOrStdout(), cmd.ErrOrStderr(), installerScope)
 			p := NewPrinterForWriter(cmd.OutOrStderr())
+			p.Printf("%v\n", art.IstioColoredArt())
 			return Install(kubeClient, rootArgs, iArgs, cmd.OutOrStdout(), l, p)
 		},
 	}

pilot/pkg/model/sidecar.go

@@ -980,7 +980,8 @@ func (sc *SidecarScope) appendSidecarServices(servicesAdded map[host.Name]sideca
 		// Update index as well, so that future reads will merge into the new service
 		foundSvc.svc = copied
 		servicesAdded[foundSvc.svc.Hostname] = foundSvc
-		sc.servicesByHostname[s.Hostname] = s
+		// update the existing service in the map to the merged one
+		sc.servicesByHostname[s.Hostname] = copied
 	}
 }
 

pilot/pkg/model/sidecar_test.go

@@ -2534,6 +2534,13 @@ func TestCreateSidecarScope(t *testing.T) {
 				} else if len(ports) > 0 && !portsMatched {
 					t.Errorf("Expected service %v found in SidecarScope but ports not merged correctly. want: %v, got: %v", s1.Hostname, ports, s1.Ports)
 				}
+
+				// validate service is also in sidecarScope.serviceByHostname
+				if s2, ok := sidecarScope.servicesByHostname[s1.Hostname]; !ok {
+					t.Errorf("Expected service %v should also in servicesByHostname", s1.Hostname)
+				} else if s1 != s2 {
+					t.Errorf("Expected service %v in SidecarScope.Services should equal to that in SidecarScope.servicesByHostname", s1.Hostname)
+				}
 			}
 
 			for _, s1 := range tt.expectedServices {

pilot/pkg/networking/core/listener_waypoint.go

@@ -18,6 +18,7 @@ import (
 	"fmt"
 	"net/netip"
 	"strconv"
+	"time"
 
 	xds "github.com/cncf/xds/go/xds/core/v3"
 	matcher "github.com/cncf/xds/go/xds/type/matcher/v3"
@@ -28,6 +29,7 @@ import (
 	tcp "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/tcp_proxy/v3"
 	tls "github.com/envoyproxy/go-control-plane/envoy/extensions/transport_sockets/tls/v3"
 	any "google.golang.org/protobuf/types/known/anypb"
+	"google.golang.org/protobuf/types/known/durationpb"
 	wrappers "google.golang.org/protobuf/types/known/wrapperspb"
 
 	extensions "istio.io/api/extensions/v1alpha1"
@@ -53,6 +55,12 @@ import (
 	"istio.io/istio/pkg/wellknown"
 )
 
+// These are both the current defaults used by the ztunnel hyper http2 server
+const (
+	h2KeepaliveInterval = 10 * time.Second
+	h2KeepaliveTimeout  = 20 * time.Second
+)
+
 func (lb *ListenerBuilder) serviceForHostname(name host.Name) *model.Service {
 	return lb.push.ServiceForHostname(lb.node, name)
 }
@@ -110,6 +118,16 @@ func (lb *ListenerBuilder) buildHCMConnectTerminateChain(routes []*route.Route)
 		// TODO(https://github.com/istio/istio/issues/43443)
 		// All streams are bound to the same worker. Therefore, we need to limit for better fairness.
 		MaxConcurrentStreams: &wrappers.UInt32Value{Value: 100},
+		// well behaved clients should close connections.
+		// not all clients are well-behaved. This will prune
+		// connections when the client is not responding, to keep
+		// us from holding many stale conns from deceased clients
+		//
+		// Also TODO(https://github.com/hyperium/hyper/pull/3647)
+		ConnectionKeepalive: &core.KeepaliveSettings{
+			Interval: durationpb.New(h2KeepaliveInterval),
+			Timeout:  durationpb.New(h2KeepaliveTimeout),
+		},
 	}
 
 	// Filters needed to propagate the tunnel metadata to the inner streams.

pilot/pkg/serviceregistry/kube/controller/ambient/ambientindex_test.go

@@ -1073,15 +1073,15 @@ func TestAmbientIndex_Policy(t *testing.T) {
 
 func TestDefaultAllowWaypointPolicy(t *testing.T) {
 	// while the Waypoint is in testNS, the policies live in the Pods' namespaces
-	policyName := "istio_allow_waypoint_" + testNS + "_" + "waypoint-ns"
+	policyName := "ns1/istio_allow_waypoint_" + testNS + "_" + "waypoint-ns"
 	test.SetForTest(t, &features.DefaultAllowFromWaypoint, true)
 
 	s := newAmbientTestServer(t, testC, testNW)
 	setupPolicyTest(t, s)
 
 	t.Run("policy with service accounts", func(t *testing.T) {
 		assert.EventuallyEqual(t, func() []string {
-			waypointPolicy := s.authorizationPolicies.GetKey(krt.Key[model.WorkloadAuthorization]("ns1/" + policyName))
+			waypointPolicy := s.authorizationPolicies.GetKey(krt.Key[model.WorkloadAuthorization](policyName))
 			if waypointPolicy == nil {
 				return nil
 			}
@@ -1090,8 +1090,8 @@ func TestDefaultAllowWaypointPolicy(t *testing.T) {
 				return sm.GetExact()
 			})
 		}, []string{
-			"spiffe://cluster.local/ns/ns1/sa/namespace-wide",
-			"spiffe://cluster.local/ns/ns1/sa/waypoint-sa",
+			"cluster.local/ns/ns1/sa/namespace-wide",
+			"cluster.local/ns/ns1/sa/waypoint-sa",
 		})
 	})
 

pilot/pkg/serviceregistry/kube/controller/ambient/policies.go

@@ -16,6 +16,8 @@
 package ambient
 
 import (
+	"strings"
+
 	v1 "k8s.io/api/core/v1"
 
 	securityclient "istio.io/client-go/pkg/apis/security/v1beta1"
@@ -124,7 +126,7 @@ func implicitWaypointPolicy(ctx krt.HandlerContext, waypoint Waypoint) *model.Wo
 							{
 								Principals: slices.Map(waypoint.ServiceAccounts, func(sa string) *security.StringMatch {
 									return &security.StringMatch{MatchType: &security.StringMatch_Exact{
-										Exact: spiffe.MustGenSpiffeURI(waypoint.Namespace, sa),
+										Exact: strings.TrimPrefix(spiffe.MustGenSpiffeURI(waypoint.Namespace, sa), spiffe.URIPrefix),
 									}}
 								}),
 							},

pilot/pkg/serviceregistry/kube/controller/ambient/workloads.go

@@ -507,6 +507,6 @@ func implicitWaypointPolicies(ctx krt.HandlerContext, Waypoints krt.Collection[W
 		if policy == "" {
 			return nil
 		}
-		return &policy
+		return ptr.Of(w.Namespace + "/" + policy)
 	})
 }