Migrate Istio images from DockerHub to GCR

.yamllint.yaml

@@ -11,4 +11,6 @@ rules:
   line-length:
     max: 400
   truthy:
-    allowed-values: ['on', 'off', 'true', 'false']
+    allowed-values: ['on', 'off', 'true', 'false']
+  empty-lines: 
+    level: warning

README.md

@@ -78,7 +78,7 @@ used from the different projects of Kubeflow:
 
 | Component | Local Manifests Path | Upstream Revision |
 | - | - | - |
-| Istio | common/istio-1-24 | [1.24.2](https://github.com/istio/istio/releases/tag/1.24.2) |
+| Istio | common/istio-1-24 | [1.24.3](https://github.com/istio/istio/releases/tag/1.24.3) |
 | Knative | common/knative/knative-serving <br /> common/knative/knative-eventing | [v1.16.2](https://github.com/knative/serving/releases/tag/knative-v1.16.2) <br /> [v1.16.4](https://github.com/knative/eventing/releases/tag/knative-v1.16.4) |
 | Cert Manager | common/cert-manager | [1.16.1](https://github.com/cert-manager/cert-manager/releases/tag/v1.16.1) |
 

common/istio-1-24/README.md

@@ -8,61 +8,45 @@ In this section, we explain how to upgrade our istio kustomize packages
 by leveraging `istioctl`. Assuming the new version is `X.Y.Z` and the
 old version is `X1.Y1.Z1`:
 
-1.  Make a copy of the old istio manifests tree, which will become the
+1. Make a copy of the old istio manifests tree, which will become the
     kustomization for the new Istio version:
 
-        $ export MANIFESTS_SRC=<path/to/manifests/repo>
-        $ export ISTIO_OLD=$MANIFESTS_SRC/common/istio-X1-Y1
-        $ export ISTIO_NEW=$MANIFESTS_SRC/common/istio-X-Y
-        $ cp -a $ISTIO_OLD $ISTIO_NEW
+        export MANIFESTS_SRC=<path/to/manifests/repo>
+        export ISTIO_OLD=$MANIFESTS_SRC/common/istio-X1-Y1
+        export ISTIO_NEW=$MANIFESTS_SRC/common/istio-X-Y
+        cp -a $ISTIO_OLD $ISTIO_NEW
 
-2.  Download `istioctl` for version `X.Y.Z`:
+2. Download `istioctl` for version `X.Y.Z`:
 
         $ ISTIO_VERSION="X.Y.Z"
         $ wget "https://github.com/istio/istio/releases/download/${ISTIO_VERSION}/istio-${ISTIO_VERSION}-linux-amd64.tar.gz"
         $ tar xvfz istio-${ISTIO_VERSION}-linux-amd64.tar.gz
         # sudo mv istio-${ISTIO_VERSION}/bin/istioctl /usr/local/bin/istioctl
 
-3.  Use `istioctl` to generate an `IstioOperator` resource, the
-    CustomResource used to describe the Istio Control Plane:
-
-        $ cd $ISTIO_NEW
-        $ istioctl profile dump default > profile.yaml
-
-    ---
-    **NOTE**
-
-    `istioctl` comes with a bunch of [predefined profiles](https://istio.io/latest/docs/setup/additional-setup/config-profiles/)
-    (`default`, `demo`, `minimal`, etc.). The `default` profile is installed by default.
-
-    ---
-
-4.  Generate manifests and add them to their respective packages. We
+3. Generate manifests and add them to their respective packages. We
     will generate manifests using `istioctl`, the
     `profile.yaml` file from upstream and the
     `profile-overlay.yaml` file that contains our desired
     changes:
 
-        $ export PATH="$MANIFESTS_SRC/scripts:$PATH"
-        $ cd $ISTIO_NEW
-        $ istioctl manifest generate --cluster-specific -f profile.yaml -f profile-overlay.yaml > dump.yaml
-        $ ./split-istio-packages -f dump.yaml
-        $ mv $ISTIO_NEW/crd.yaml $ISTIO_NEW/istio-crds/base
-        $ mv $ISTIO_NEW/install.yaml $ISTIO_NEW/istio-install/base
-        $ mv $ISTIO_NEW/cluster-local-gateway.yaml $ISTIO_NEW/cluster-local-gateway/base
-        $ rm dump.yaml
+        export PATH="$MANIFESTS_SRC/scripts:$PATH"
+        cd $ISTIO_NEW
+        istioctl manifest generate --cluster-specific -f profile.yaml -f profile-overlay.yaml > dump.yaml
+        ./split-istio-packages -f dump.yaml
+        mv $ISTIO_NEW/crd.yaml $ISTIO_NEW/istio-crds/base
+        mv $ISTIO_NEW/install.yaml $ISTIO_NEW/istio-install/base
+        mv $ISTIO_NEW/cluster-local-gateway.yaml $ISTIO_NEW/cluster-local-gateway/base
+        rm dump.yaml
 
     ---
     **NOTE**
 
     `split-istio-packages` is a python script in the same folder as this file.
     The `ruamel.yaml` version used is 0.16.12.
 
-    `--cluster-specific` is a flag that determines if a current K8s cluster context will be used to dynamically 
-    detect default settings. Ensure you have a target cluster ready before running the above commands. 
-    We set this flag because `istioctl manifest generate` generates manifest files with resources that are no 
-    longer supported in Kubernetes 1.25 (`policy/v1beta1`). See: https://github.com/istio/istio/issues/41220
-
+    `--cluster-specific` is a flag that determines if a current K8s cluster context will be used to dynamically detect default settings. Ensure you have a target cluster ready before running the above commands.
+    We target Kubernetes 1.32+ for compatibility. The `--cluster-specific` flag helps ensure generated resources are compatible with your cluster version and configuration.
+
     ---
 
 ## Changes to Istio's upstream manifests
@@ -71,24 +55,23 @@ old version is `X1.Y1.Z1`:
 
 Changes to Istio's upstream profile `default` are the following:
 
--   Add a `cluster-local-gateway` component for Kserve. Knative-local-gateway is now obsolete https://github.com/kubeflow/manifests/pull/2355/commits/adc00b804404ea08685a044ae595be0bed9adb59.
--   Disable the EgressGateway component. We do not use it and it adds unnecessary complexity.
+- Add a `cluster-local-gateway` component for Kserve. Knative-local-gateway is now obsolete <https://github.com/kubeflow/manifests/pull/2355/commits/adc00b804404ea08685a044ae595be0bed9adb59>.
+- Disable the EgressGateway component. We do not use it and it adds unnecessary complexity.
 
-Those changes are captured in the [profile-overlay.yaml](profile-overlay.yaml)
-file.
+These changes are captured in the [profile-overlay.yaml](profile-overlay.yaml) file.
 
 ### Changes to the upstream manifests using kustomize
 
 The Istio kustomizations make the following changes:
 
 - Remove PodDisruptionBudget from `istio-install` and `cluster-local-gateway` kustomizations. See:
-    - https://github.com/istio/istio/issues/12602
-    - https://github.com/istio/istio/issues/24000
+  - <https://github.com/istio/istio/issues/12602>
+  - <https://github.com/istio/istio/issues/24000>
 - Add Istio AuthorizationPolicy to allow all requests to the Istio Ingressgateway and the Istio cluster-local gateway.
 - Add Istio AuthorizationPolicy in Istio's root namespace, so that sidecars deny traffic by default (explicit deny-by-default authorization model).
 - Add Gateway CRs for the Istio Ingressgateway and the Istio cluster-local gateway, as `istioctl` stopped generating them in later versions.
 - Add the istio-system namespace object to `istio-namespace`, as `istioctl` stopped generating it in later versions.
 - Configure TCP KeepAlives.
 - Disable tracing as it causes DNS breakdown. See:
-  https://github.com/istio/istio/issues/29898
-- Set ENABLE_DEBUG_ON_HTTP=false according to https://istio.io/latest/docs/ops/best-practices/security/#control-plane
+  <https://github.com/istio/istio/issues/29898>
+- Set ENABLE_DEBUG_ON_HTTP=false according to <https://istio.io/latest/docs/ops/best-practices/security/#control-plane>

common/istio-1-24/cluster-local-gateway/base/cluster-local-gateway.yaml

@@ -7,8 +7,8 @@
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: istio-ingressgateway
     app.kubernetes.io/part-of: istio
-    app.kubernetes.io/version: 1.24.2
-    helm.sh/chart: istio-ingress-1.24.2
+    app.kubernetes.io/version: 1.24.3
+    helm.sh/chart: istio-ingress-1.24.3
     install.operator.istio.io/owning-resource: unknown
     istio: cluster-local-gateway
     istio.io/rev: default
@@ -16,7 +16,7 @@
     release: istio
   name: cluster-local-gateway-service-account
   namespace: istio-system
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -26,8 +26,8 @@
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: istio-ingressgateway
     app.kubernetes.io/part-of: istio
-    app.kubernetes.io/version: 1.24.2
-    helm.sh/chart: istio-ingress-1.24.2
+    app.kubernetes.io/version: 1.24.3
+    helm.sh/chart: istio-ingress-1.24.3
     install.operator.istio.io/owning-resource: unknown
     istio: cluster-local-gateway
     istio.io/rev: default
@@ -58,9 +58,9 @@
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: istio-ingressgateway
         app.kubernetes.io/part-of: istio
-        app.kubernetes.io/version: 1.24.2
+        app.kubernetes.io/version: 1.24.3
         chart: gateways
-        helm.sh/chart: istio-ingress-1.24.2
+        helm.sh/chart: istio-ingress-1.24.3
         heritage: Tiller
         install.operator.istio.io/owning-resource: unknown
         istio: cluster-local-gateway
@@ -127,8 +127,7 @@
         - name: ISTIO_META_WORKLOAD_NAME
           value: cluster-local-gateway
         - name: ISTIO_META_OWNER
-          value: 
-            kubernetes://apis/apps/v1/namespaces/istio-system/deployments/cluster-local-gateway
+          value: kubernetes://apis/apps/v1/namespaces/istio-system/deployments/cluster-local-gateway
         - name: ISTIO_META_MESH_ID
           value: cluster.local
         - name: TRUST_DOMAIN
@@ -141,7 +140,7 @@
           valueFrom:
             fieldRef:
               fieldPath: spec.nodeName
-        image: docker.io/istio/proxyv2:1.24.2
+        image: gcr.io/istio-release/proxyv2:1.24.2
         name: istio-proxy
         ports:
         - containerPort: 15020
@@ -248,7 +247,7 @@
         secret:
           optional: true
           secretName: istio-ingressgateway-ca-certs
 ---
 apiVersion: policy/v1
 kind: PodDisruptionBudget
 metadata:
@@ -258,8 +257,8 @@
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: istio-ingressgateway
     app.kubernetes.io/part-of: istio
-    app.kubernetes.io/version: 1.24.2
-    helm.sh/chart: istio-ingress-1.24.2
+    app.kubernetes.io/version: 1.24.3
+    helm.sh/chart: istio-ingress-1.24.3
     install.operator.istio.io/owning-resource: unknown
     istio: cluster-local-gateway
     istio.io/rev: default
@@ -273,7 +272,7 @@
     matchLabels:
       app: cluster-local-gateway
       istio: cluster-local-gateway
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
@@ -282,8 +281,8 @@
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: istio-ingressgateway
     app.kubernetes.io/part-of: istio
-    app.kubernetes.io/version: 1.24.2
-    helm.sh/chart: istio-ingress-1.24.2
+    app.kubernetes.io/version: 1.24.3
+    helm.sh/chart: istio-ingress-1.24.3
     install.operator.istio.io/owning-resource: unknown
     istio.io/rev: default
     operator.istio.io/component: IngressGateways
@@ -299,7 +298,7 @@
   - get
   - watch
   - list
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
@@ -308,8 +307,8 @@
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: istio-ingressgateway
     app.kubernetes.io/part-of: istio
-    app.kubernetes.io/version: 1.24.2
-    helm.sh/chart: istio-ingress-1.24.2
+    app.kubernetes.io/version: 1.24.3
+    helm.sh/chart: istio-ingress-1.24.3
     install.operator.istio.io/owning-resource: unknown
     istio.io/rev: default
     operator.istio.io/component: IngressGateways
@@ -323,7 +322,7 @@
 subjects:
 - kind: ServiceAccount
   name: cluster-local-gateway-service-account
 ---
 apiVersion: autoscaling/v2
 kind: HorizontalPodAutoscaler
 metadata:
@@ -333,8 +332,8 @@
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: istio-ingressgateway
     app.kubernetes.io/part-of: istio
-    app.kubernetes.io/version: 1.24.2
-    helm.sh/chart: istio-ingress-1.24.2
+    app.kubernetes.io/version: 1.24.3
+    helm.sh/chart: istio-ingress-1.24.3
     install.operator.istio.io/owning-resource: unknown
     istio: cluster-local-gateway
     istio.io/rev: default
@@ -356,7 +355,7 @@
     apiVersion: apps/v1
     kind: Deployment
     name: cluster-local-gateway
 ---
 apiVersion: v1
 kind: Service
 metadata:
@@ -367,8 +366,8 @@
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: istio-ingressgateway
     app.kubernetes.io/part-of: istio
-    app.kubernetes.io/version: 1.24.2
-    helm.sh/chart: istio-ingress-1.24.2
+    app.kubernetes.io/version: 1.24.3
+    helm.sh/chart: istio-ingress-1.24.3
     install.operator.istio.io/owning-resource: unknown
     istio: cluster-local-gateway
     istio.io/rev: default