Merge pull request #587 from banzaicloud/istio-1.9.0

Support Istio 1.9.0

Author: Laci21

Makefile

@@ -13,7 +13,7 @@ GOLANGCI_VERSION = 1.31.0
 LICENSEI_VERSION = 0.1.0
 KUBEBUILDER_VERSION = 2.3.1
 KUSTOMIZE_VERSION = 2.0.3
-ISTIO_VERSION = 1.8.2
+ISTIO_VERSION = 1.9.0
 
 KUSTOMIZE_BASE = config/overlays/specific-manager-version
 

README.md

@@ -73,7 +73,7 @@ For a complete list of [Backyards](https://banzaicloud.com/products/backyards/)
 
 ## Istio operator installation
 
-The operator (`release-1.8` branch) installs the 1.8.2 version of Istio, and can run on Minikube v1.1.1+ and Kubernetes 1.16.0+.
+The operator (`release-1.9` branch) installs the 1.9.0 version of Istio, and can run on Minikube v1.1.1+ and Kubernetes 1.17.0+.
 
 As a pre-requisite it needs a Kubernetes cluster (you can create one using [Pipeline](https://github.com/banzaicloud/pipeline)).
 
@@ -99,7 +99,7 @@ Alternatively, if you just can’t let go of Helm completely, you can deploy the
 
 ```bash
 helm repo add banzaicloud-stable https://kubernetes-charts.banzaicloud.com/
-helm install istio-operator-v17x --create-namespace --namespace=istio-system banzaicloud-stable/istio-operator
+helm install istio-operator-v19x --create-namespace --namespace=istio-system banzaicloud-stable/istio-operator
 ```
 
 ### Installation with Kustomize
@@ -108,8 +108,8 @@ You can also have your own `kustomization.yaml` file with a reference to Istio o
 
 ```bash
 bases:
-  - github.com/banzaicloud/istio-operator/config?ref=release-1.8
-  - github.com/banzaicloud/istio-operator/config/overlays/auth-proxy-enabled?ref=release-1.8
+  - github.com/banzaicloud/istio-operator/config?ref=release-1.9
+  - github.com/banzaicloud/istio-operator/config/overlays/auth-proxy-enabled?ref=release-1.9
 ```
 
 ## Istio upgrade

config/README.md

@@ -4,38 +4,38 @@ Developers can have their own `kustomization.yaml` file with a reference to Isti
 
 You can install the operator with multiple possible configurations with the use of overlays (choose one option):
 
-> Note that in all cases, first you'll need to install the necessary crds and namespace with the following base: `github.com/banzaicloud/istio-operator/config?ref=release-1.8`
+> Note that in all cases, first you'll need to install the necessary crds and namespace with the following base: `github.com/banzaicloud/istio-operator/config?ref=release-1.9`
 
 - `basic`: installs the clusterrole, clusterrolebinding and statefulset for the operator
 
     ```bash
     bases:
-      - github.com/banzaicloud/istio-operator/config?ref=release-1.8
-      - github.com/banzaicloud/istio-operator/config/overlays/basic?ref=release-1.8
+      - github.com/banzaicloud/istio-operator/config?ref=release-1.9
+      - github.com/banzaicloud/istio-operator/config/overlays/basic?ref=release-1.9
     ```
 
 - `auth-proxy-enabled`: besides the basic configs, installs the auth proxy resources as well
 
     ```bash
     bases:
-      - github.com/banzaicloud/istio-operator/config?ref=release-1.8
-      - github.com/banzaicloud/istio-operator/config/overlays/auth-proxy-enabled?ref=release-1.8
+      - github.com/banzaicloud/istio-operator/config?ref=release-1.9
+      - github.com/banzaicloud/istio-operator/config/overlays/auth-proxy-enabled?ref=release-1.9
     ```
 
 - `prometheus-scpraping-enabled`: besides the basic configs, enables Prometheus scraping for the manager pod
 
     ```bash
     bases:
-      - github.com/banzaicloud/istio-operator/config?ref=release-1.8
-      - github.com/banzaicloud/istio-operator/config/overlays/prometheus-scpraping-enabled?ref=release-1.8
+      - github.com/banzaicloud/istio-operator/config?ref=release-1.9
+      - github.com/banzaicloud/istio-operator/config/overlays/prometheus-scpraping-enabled?ref=release-1.9
     ```
 
 - `psp`: besides the basic configs, add basic pod security policy for the operator and the Istio component pods
 
     ```bash
     bases:
-      - github.com/banzaicloud/istio-operator/config?ref=release-1.8
-      - github.com/banzaicloud/istio-operator/config/overlays/psp?ref=release-1.8
+      - github.com/banzaicloud/istio-operator/config?ref=release-1.9
+      - github.com/banzaicloud/istio-operator/config/overlays/psp?ref=release-1.9
     ```
 
     The default istio init container runs as root, which won't work in this psp enabled case, so make sure that you use Istio CNI, e.g. with the `samples/istio_v1beta1_istio_cni.yaml` Istio CR.

config/base/crds/istio.banzaicloud.io_istios.yaml

@@ -2965,6 +2965,11 @@ spec:
                     type: boolean
                   exposeWebhookPort:
                     type: boolean
+                  externalIstiod:
+                    properties:
+                      enabled:
+                        type: boolean
+                    type: object
                   multiClusterSupport:
                     type: boolean
                   multiControlPlaneSupport:

config/base/manager/manager.yaml

@@ -39,7 +39,7 @@ spec:
       containers:
       - command:
         - /manager
-        image: banzaicloud/istio-operator:latest-1.8
+        image: banzaicloud/istio-operator:latest-1.9
         imagePullPolicy: Always
         name: manager
         env:

config/base/rbac/role.yaml

@@ -32,6 +32,8 @@ rules:
   verbs:
   - get
   - list
+  - patch
+  - update
   - watch
 - apiGroups:
   - ""
@@ -116,18 +118,6 @@ rules:
   - get
   - list
   - watch
-- apiGroups:
-  - authentication.istio.io
-  - cloud.istio.io
-  - config.istio.io
-  - istio.istio.io
-  - networking.istio.io
-  - scalingpolicy.istio.io
-  - security.istio.io
-  resources:
-  - '*'
-  verbs:
-  - '*'
 - apiGroups:
   - authentication.k8s.io
   resources:
@@ -172,6 +162,15 @@ rules:
   - signers
   verbs:
   - approve
+- apiGroups:
+  - coordination.k8s.io
+  resources:
+  - leases
+  verbs:
+  - create
+  - get
+  - list
+  - update
 - apiGroups:
   - discovery.k8s.io
   resources:
@@ -286,6 +285,13 @@ rules:
   - get
   - patch
   - update
+- apiGroups:
+  - networking.istio.io
+  - security.istio.io
+  resources:
+  - '*'
+  verbs:
+  - '*'
 - apiGroups:
   - networking.k8s.io
   resources:

config/samples/istio_v1beta1_istio.yaml

@@ -3,17 +3,15 @@ kind: Istio
 metadata:
   labels:
     controller-tools.k8s.io: "1.0"
-  name: istio-sample-v18x
+  name: istio-sample-v19x
 spec:
-  version: "1.8.2"
+  version: "1.9.0"
   global: false
   meshPolicy:
     mtlsMode: PERMISSIVE
   autoMtls: true
   includeIPRanges: "*"
   excludeIPRanges: ""
-  autoInjectionNamespaces:
-  - "default"
   controlPlaneAuthPolicy: "MUTUAL_TLS"
   mountMtlsCerts: false
   # priorityClassName: system-cluster-critical
@@ -26,9 +24,11 @@ spec:
     enabled: true
     enableAnalysis: true
     enableStatus: true
+    externalIstiod:
+      enabled: false
   pilot:
     enabled: true
-    image: "docker.io/istio/pilot:1.8.2"
+    image: "docker.io/istio/pilot:1.9.0"
     replicaCount: 1
     minReplicas: 1
     maxReplicas: 5
@@ -101,18 +101,18 @@ spec:
       enabled: false
   policy:
     enabled: false
-    image: "docker.io/istio/mixer:1.8.2"
+    image: "docker.io/istio/mixer:1.9.0"
     replicaCount: 1
     minReplicas: 1
     maxReplicas: 5
   telemetry:
     enabled: false
-    image: "docker.io/istio/mixer:1.8.2"
+    image: "docker.io/istio/mixer:1.9.0"
     replicaCount: 1
     minReplicas: 1
     maxReplicas: 5
   proxy:
-    image: "docker.io/istio/proxyv2:1.8.2"
+    image: "docker.io/istio/proxyv2:1.9.0"
     accessLogFile: "/dev/stdout"
     accessLogFormat: ""
     accessLogEncoding: "TEXT"
@@ -126,7 +126,7 @@ spec:
         cpu: 2000m
         memory: 1024Mi
   proxyInit:
-    image: "docker.io/istio/proxyv2:1.8.2"
+    image: "docker.io/istio/proxyv2:1.9.0"
   defaultPodDisruptionBudget:
     enabled: true
   outboundTrafficPolicy:

config/samples/istio_v1beta1_istio_cni.yaml

@@ -3,14 +3,12 @@ kind: Istio
 metadata:
   labels:
     controller-tools.k8s.io: "1.0"
-  name: istio-sample-v18x
+  name: istio-sample-v19x
 spec:
-  version: "1.8.2"
+  version: "1.9.0"
   global: false
   meshPolicy:
     mtlsMode: PERMISSIVE
-  autoInjectionNamespaces:
-  - "default"
   gateways:
     ingress:
       runAsRoot: false
@@ -28,5 +26,5 @@ spec:
         brokenPodLabelKey: "cni.istio.io/uninitialized"
         brokenPodLabelValue: "true"
   proxy:
-    image: "docker.io/istio/proxyv2:1.8.2"
+    image: "docker.io/istio/proxyv2:1.9.0"
   jwtPolicy: "first-party-jwt"

config/samples/istio_v1beta1_istio_cni_gke.yaml

@@ -3,14 +3,12 @@ kind: Istio
 metadata:
   labels:
     controller-tools.k8s.io: "1.0"
-  name: istio-sample-v18x
+  name: istio-sample-v19x
 spec:
-  version: "1.8.2"
+  version: "1.9.0"
   global: false
   meshPolicy:
     mtlsMode: PERMISSIVE
-  autoInjectionNamespaces:
-  - "default"
   gateways:
     ingress:
       runAsRoot: false
@@ -29,5 +27,5 @@ spec:
         brokenPodLabelKey: "cni.istio.io/uninitialized"
         brokenPodLabelValue: "true"
   proxy:
-    image: "docker.io/istio/proxyv2:1.8.2"
+    image: "docker.io/istio/proxyv2:1.9.0"
   jwtPolicy: "first-party-jwt"

config/samples/istio_v1beta1_istio_meshexpansion.yaml

@@ -3,16 +3,13 @@ kind: Istio
 metadata:
   labels:
     controller-tools.k8s.io: "1.0"
-  name: istio-sample-v18x
+  name: istio-sample-v19x
 spec:
-  version: "1.8.2"
+  version: "1.9.0"
   global: false
-  autoInjectionNamespaces:
-  - "default"
-  useMCP: false
   meshPolicy:
     mtlsMode: STRICT
   meshExpansion: true
   proxy:
-    image: "docker.io/istio/proxyv2:1.8.2"
+    image: "docker.io/istio/proxyv2:1.9.0"
   jwtPolicy: "first-party-jwt"