bump istio version to 1.17.1

Makefile

@@ -18,9 +18,9 @@ HELM_CHART_REL_TAG ?= chart/istio-operator/${CHART_VERSION}
 
 GOLANGCI_VERSION = 1.45.2
 LICENSEI_VERSION = 0.7.0
-ENVTEST_K8S_VERSION = 1.24.2
+ENVTEST_K8S_VERSION = 1.26.0
 KUSTOMIZE_VERSION = 4.1.2
-ISTIO_VERSION = 1.16.1
+ISTIO_VERSION = 1.17.1
 BUF_VERSION = 1.7.0
 
 PATH := $(PATH):$(PWD)/bin

README.md

@@ -82,12 +82,12 @@ istio-operator-controller-manager-6f764787c-rbnht   2/2     Running   0
 Deploy the [Istio control plane sample](config/samples/servicemesh_v1alpha1_istiocontrolplane.yaml) to the `istio-system` namespace
 ```
 $ kubectl -n istio-system apply -f config/samples/servicemesh_v1alpha1_istiocontrolplane.yaml
-istiocontrolplane.servicemesh.cisco.com/icp-v116x-sample created
+istiocontrolplane.servicemesh.cisco.com/icp-v117x-sample created
 ```
 
 Label the namespace, where you would like to enable sidecar injection for your pods. The label should consist of the name of the deployed IstioControlPlane and the namespace where it is deployed.
 ```
-$ kubectl label namespace demoapp istio.io/rev=icp-v116x-sample.istio-system
+$ kubectl label namespace demoapp istio.io/rev=icp-v117x-sample.istio-system
 namespace/demoapp labeled
 ```
 

api/go.mod

@@ -5,28 +5,28 @@ go 1.18
 require (
 	github.com/golang/protobuf v1.5.2
 	google.golang.org/genproto v0.0.0-20220628213854-d9e0b6570c03
-	google.golang.org/protobuf v1.28.0
+	google.golang.org/protobuf v1.28.1
 	istio.io/api v0.0.0-20221208070204-0528cb6ce63b
-	k8s.io/api v0.24.2
-	k8s.io/apimachinery v0.24.2
-	sigs.k8s.io/controller-runtime v0.12.3
+	k8s.io/api v0.26.1
+	k8s.io/apimachinery v0.26.1
+	sigs.k8s.io/controller-runtime v0.14.4
 )
 
 require (
-	github.com/go-logr/logr v1.2.0 // indirect
+	github.com/go-logr/logr v1.2.3 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/google/gofuzz v1.1.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
-	golang.org/x/net v0.0.0-20220624214902-1bab6f366d9e // indirect
-	golang.org/x/text v0.3.7 // indirect
+	golang.org/x/net v0.3.1-0.20221206200815-1e63c2f08a10 // indirect
+	golang.org/x/text v0.5.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
-	k8s.io/klog/v2 v2.60.1 // indirect
-	k8s.io/utils v0.0.0-20220210201930-3a6ce19ff2f9 // indirect
-	sigs.k8s.io/json v0.0.0-20211208200746-9f7c6b3444d2 // indirect
-	sigs.k8s.io/structured-merge-diff/v4 v4.2.1 // indirect
+	k8s.io/klog/v2 v2.80.1 // indirect
+	k8s.io/utils v0.0.0-20221128185143-99ec85e7a448 // indirect
+	sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2 // indirect
+	sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect
 )
 
 // needs a fork to support istio operator v2 api int64/uint64 marshalling to integers

api/v1alpha1/istiocontrolplane.gen.json

@@ -199,9 +199,6 @@
               "$ref": "#/components/schemas/istio.mesh.v1alpha1.Certificate"
             }
           },
-          "thriftConfig": {
-            "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ThriftConfig"
-          },
           "serviceSettings": {
             "type": "array",
             "items": {
@@ -422,7 +419,8 @@
                   ],
                   "properties": {
                     "lightstep": {
-                      "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.LightstepTracingProvider"
+                      "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.LightstepTracingProvider",
+                      "deprecated": true
                     }
                   }
                 },
@@ -566,7 +564,8 @@
             ],
             "properties": {
               "lightstep": {
-                "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.LightstepTracingProvider"
+                "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.LightstepTracingProvider",
+                "deprecated": true
               }
             }
           },
@@ -710,7 +709,8 @@
                   ],
                   "properties": {
                     "lightstep": {
-                      "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.LightstepTracingProvider"
+                      "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.LightstepTracingProvider",
+                      "deprecated": true
                     }
                   }
                 },
@@ -841,7 +841,8 @@
         "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.EnvoyTcpGrpcV3LogProvider"
       },
       "istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.LightstepTracingProvider": {
-        "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.LightstepTracingProvider"
+        "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.LightstepTracingProvider",
+        "deprecated": true
       },
       "istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.OpenCensusAgentTracingProvider": {
         "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.OpenCensusAgentTracingProvider"
@@ -953,19 +954,6 @@
           "TLSV1_3"
         ]
       },
-      "istio.mesh.v1alpha1.MeshConfig.ThriftConfig": {
-        "type": "object",
-        "properties": {
-          "rateLimitUrl": {
-            "description": "Specify thrift rate limit service URL. If pilot has thrift protocol support enabled, this will enable the rate limit service for destinations that have matching rate limit configurations.",
-            "type": "string"
-          },
-          "rateLimitTimeout": {
-            "description": "Specify thrift rate limit service timeout, in milliseconds. Default is `50ms`",
-            "type": "string"
-          }
-        }
-      },
       "istio.mesh.v1alpha1.PrivateKeyProvider": {
         "description": "PrivateKeyProvider defines private key configuration for gateways and sidecars. This can be configured mesh wide or individual per-workload basis.",
         "type": "object",
@@ -982,6 +970,16 @@
                       "$ref": "#/components/schemas/istio.mesh.v1alpha1.PrivateKeyProvider.CryptoMb"
                     }
                   }
+                },
+                {
+                  "required": [
+                    "qat"
+                  ],
+                  "properties": {
+                    "qat": {
+                      "$ref": "#/components/schemas/istio.mesh.v1alpha1.PrivateKeyProvider.QAT"
+                    }
+                  }
                 }
               ]
             }
@@ -995,12 +993,25 @@
                 "$ref": "#/components/schemas/istio.mesh.v1alpha1.PrivateKeyProvider.CryptoMb"
               }
             }
+          },
+          {
+            "required": [
+              "qat"
+            ],
+            "properties": {
+              "qat": {
+                "$ref": "#/components/schemas/istio.mesh.v1alpha1.PrivateKeyProvider.QAT"
+              }
+            }
           }
         ]
       },
       "istio.mesh.v1alpha1.PrivateKeyProvider.CryptoMb": {
         "$ref": "#/components/schemas/istio.mesh.v1alpha1.PrivateKeyProvider.CryptoMb"
       },
+      "istio.mesh.v1alpha1.PrivateKeyProvider.QAT": {
+        "$ref": "#/components/schemas/istio.mesh.v1alpha1.PrivateKeyProvider.QAT"
+      },
       "istio.mesh.v1alpha1.ProxyConfig": {
         "description": "ProxyConfig defines variables for individual Envoy instances. This can be configured on a per-workload basis as well as by the mesh-wide defaults. To set the mesh wide defaults, configure the `defaultConfig` section of `meshConfig`. For example: ``` meshConfig: defaultConfig: discoveryAddress: istiod:15012 ``` This can also be configured on a per-workload basis by configuring the `proxy.istio.io/config` annotation on the pod. For example: ``` annotations: proxy.istio.io/config: | discoveryAddress: istiod:15012 ``` If both are configured, the two are merged with per field semantics; the field set in annotation will fully replace the field from mesh config defaults. This is different than a deep merge provided by protobuf. For example, `\"tracing\": { \"sampling\": 5 }` would completely override a setting configuring a tracing provider such as `\"tracing\": { \"zipkin\": { \"address\": \"...\" } }`. Note: fields in ProxyConfig are not dynamically configured; changes will require restart of workloads to take effect.",
         "type": "object",
@@ -1031,10 +1042,6 @@
             "description": "The time in seconds that Envoy will drain connections during a hot restart. MUST be \u003e=1s (e.g., _1s/1m/1h_) Default drain duration is `45s`.",
             "type": "string"
           },
-          "parentShutdownDuration": {
-            "description": "The time in seconds that Envoy will wait before shutting down the parent process during a hot restart. MUST be \u003e=1s (e.g., `1s/1m/1h`). MUST BE greater than `drain_duration` parameter. Default shutdown duration is `60s`.",
-            "type": "string"
-          },
           "discoveryAddress": {
             "description": "Address of the discovery service exposing xDS with mTLS connection. The inject configuration may override this value.",
             "type": "string"
@@ -1580,7 +1587,7 @@
             "type": "string"
           },
           "subjectAltNames": {
-            "description": "A list of alternate names to verify the subject identity in the certificate. If specified, the proxy will verify that the server certificate's subject alt name matches one of the specified values. If specified, this list overrides the value of subject_alt_names from the ServiceEntry. If unspecified, automatic validation of upstream presented certificate for new upstream connections will be done based on the downstream HTTP host/authority header, provided `VERIFY_CERT_AT_CLIENT` and `ENABLE_AUTO_SNI` environmental variables are set to `true`.",
+            "description": "A list of alternate names to verify the subject identity in the certificate. If specified, the proxy will verify that the server certificate's subject alt name matches one of the specified values. If specified, this list overrides the value of subject_alt_names from the ServiceEntry. If unspecified, automatic validation of upstream presented certificate for new upstream connections will be done based on the downstream HTTP host/authority header, provided `VERIFY_CERTIFICATE_AT_CLIENT` and `ENABLE_AUTO_SNI` environmental variables are set to `true`.",
             "type": "array",
             "items": {
               "type": "string"

api/v1alpha1/istiomesh.gen.json

@@ -199,9 +199,6 @@
               "$ref": "#/components/schemas/istio.mesh.v1alpha1.Certificate"
             }
           },
-          "thriftConfig": {
-            "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ThriftConfig"
-          },
           "serviceSettings": {
             "type": "array",
             "items": {
@@ -422,7 +419,8 @@
                   ],
                   "properties": {
                     "lightstep": {
-                      "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.LightstepTracingProvider"
+                      "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.LightstepTracingProvider",
+                      "deprecated": true
                     }
                   }
                 },
@@ -566,7 +564,8 @@
             ],
             "properties": {
               "lightstep": {
-                "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.LightstepTracingProvider"
+                "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.LightstepTracingProvider",
+                "deprecated": true
               }
             }
           },
@@ -710,7 +709,8 @@
                   ],
                   "properties": {
                     "lightstep": {
-                      "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.LightstepTracingProvider"
+                      "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.LightstepTracingProvider",
+                      "deprecated": true
                     }
                   }
                 },
@@ -841,7 +841,8 @@
         "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.EnvoyTcpGrpcV3LogProvider"
       },
       "istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.LightstepTracingProvider": {
-        "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.LightstepTracingProvider"
+        "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.LightstepTracingProvider",
+        "deprecated": true
       },
       "istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.OpenCensusAgentTracingProvider": {
         "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.OpenCensusAgentTracingProvider"
@@ -953,19 +954,6 @@
           "TLSV1_3"
         ]
       },
-      "istio.mesh.v1alpha1.MeshConfig.ThriftConfig": {
-        "type": "object",
-        "properties": {
-          "rateLimitUrl": {
-            "description": "Specify thrift rate limit service URL. If pilot has thrift protocol support enabled, this will enable the rate limit service for destinations that have matching rate limit configurations.",
-            "type": "string"
-          },
-          "rateLimitTimeout": {
-            "description": "Specify thrift rate limit service timeout, in milliseconds. Default is `50ms`",
-            "type": "string"
-          }
-        }
-      },
       "istio.mesh.v1alpha1.PrivateKeyProvider": {
         "description": "PrivateKeyProvider defines private key configuration for gateways and sidecars. This can be configured mesh wide or individual per-workload basis.",
         "type": "object",
@@ -982,6 +970,16 @@
                       "$ref": "#/components/schemas/istio.mesh.v1alpha1.PrivateKeyProvider.CryptoMb"
                     }
                   }
+                },
+                {
+                  "required": [
+                    "qat"
+                  ],
+                  "properties": {
+                    "qat": {
+                      "$ref": "#/components/schemas/istio.mesh.v1alpha1.PrivateKeyProvider.QAT"
+                    }
+                  }
                 }
               ]
             }
@@ -995,12 +993,25 @@
                 "$ref": "#/components/schemas/istio.mesh.v1alpha1.PrivateKeyProvider.CryptoMb"
               }
             }
+          },
+          {
+            "required": [
+              "qat"
+            ],
+            "properties": {
+              "qat": {
+                "$ref": "#/components/schemas/istio.mesh.v1alpha1.PrivateKeyProvider.QAT"
+              }
+            }
           }
         ]
       },
       "istio.mesh.v1alpha1.PrivateKeyProvider.CryptoMb": {
         "$ref": "#/components/schemas/istio.mesh.v1alpha1.PrivateKeyProvider.CryptoMb"
       },
+      "istio.mesh.v1alpha1.PrivateKeyProvider.QAT": {
+        "$ref": "#/components/schemas/istio.mesh.v1alpha1.PrivateKeyProvider.QAT"
+      },
       "istio.mesh.v1alpha1.ProxyConfig": {
         "description": "ProxyConfig defines variables for individual Envoy instances. This can be configured on a per-workload basis as well as by the mesh-wide defaults. To set the mesh wide defaults, configure the `defaultConfig` section of `meshConfig`. For example: ``` meshConfig: defaultConfig: discoveryAddress: istiod:15012 ``` This can also be configured on a per-workload basis by configuring the `proxy.istio.io/config` annotation on the pod. For example: ``` annotations: proxy.istio.io/config: | discoveryAddress: istiod:15012 ``` If both are configured, the two are merged with per field semantics; the field set in annotation will fully replace the field from mesh config defaults. This is different than a deep merge provided by protobuf. For example, `\"tracing\": { \"sampling\": 5 }` would completely override a setting configuring a tracing provider such as `\"tracing\": { \"zipkin\": { \"address\": \"...\" } }`. Note: fields in ProxyConfig are not dynamically configured; changes will require restart of workloads to take effect.",
         "type": "object",
@@ -1031,10 +1042,6 @@
             "description": "The time in seconds that Envoy will drain connections during a hot restart. MUST be \u003e=1s (e.g., _1s/1m/1h_) Default drain duration is `45s`.",
             "type": "string"
           },
-          "parentShutdownDuration": {
-            "description": "The time in seconds that Envoy will wait before shutting down the parent process during a hot restart. MUST be \u003e=1s (e.g., `1s/1m/1h`). MUST BE greater than `drain_duration` parameter. Default shutdown duration is `60s`.",
-            "type": "string"
-          },
           "discoveryAddress": {
             "description": "Address of the discovery service exposing xDS with mTLS connection. The inject configuration may override this value.",
             "type": "string"
@@ -1580,7 +1587,7 @@
             "type": "string"
           },
           "subjectAltNames": {
-            "description": "A list of alternate names to verify the subject identity in the certificate. If specified, the proxy will verify that the server certificate's subject alt name matches one of the specified values. If specified, this list overrides the value of subject_alt_names from the ServiceEntry. If unspecified, automatic validation of upstream presented certificate for new upstream connections will be done based on the downstream HTTP host/authority header, provided `VERIFY_CERT_AT_CLIENT` and `ENABLE_AUTO_SNI` environmental variables are set to `true`.",
+            "description": "A list of alternate names to verify the subject identity in the certificate. If specified, the proxy will verify that the server certificate's subject alt name matches one of the specified values. If specified, this list overrides the value of subject_alt_names from the ServiceEntry. If unspecified, automatic validation of upstream presented certificate for new upstream connections will be done based on the downstream HTTP host/authority header, provided `VERIFY_CERTIFICATE_AT_CLIENT` and `ENABLE_AUTO_SNI` environmental variables are set to `true`.",
             "type": "array",
             "items": {
               "type": "string"

build/fixup_structs/main.go

@@ -76,7 +76,7 @@ var (
 	regexJSONTagIllegal = regexp.MustCompile(`json\:"_`)
 )
 
-//nolint: gocognit
+// nolint: gocognit
 func main() {
 	var filePath string