istio: Remove Multus settings from the default Istio config

[ormergi]

What this PR does / why we need it:
Following recent Istio bump a regression has been introduced in CDI+Istio lane
https://prow.ci.kubevirt.io/view/gs/kubevirt-prow/pr-logs/pull/kubevirt_containerized-data-importer/3694/pull-containerized-data-importer-e2e-istio/1909911853820022784

The default Istio config 'istio-operator.cr.yaml' is intended to be used when Multus is not installed in the cluster.
Multus depends on the NetworkAttachmentDefinition CRD to be installed.

Currently the default Istio config is invalid, because it specify setting that installs the istio-cni NetworkAttachmentDefinition CR, where it should be used when no Multus is installed. For setups that have Multus installed, the 'istio-operator-with-cnao.cr.yaml' config should be used.

Remove Multus related settings from the default Istio config.

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes #

Special notes for your reviewer:

Checklist

This checklist is not enforcing, but it's a reminder of items that could be relevant to every PR.
Approvers are expected to review this list.

• Design: A design document was considered and is present (link) or not required
• PR: The PR description is expressive enough and will help future contributors
• Code: Write code that humans can understand and Keep it simple
• Refactor: You have left the code cleaner than you found it (Boy Scout Rule)
• Upgrade: Impact of this change on upgrade flows was considered and addressed if required
• Testing: New code requires new unit tests. New features and bug fixes require at least on e2e test
• Documentation: A user-guide update was considered and is present (link) or not required. You want a user-guide update if it's a user facing feature / API change.
• Community: Announcement to kubevirt-dev was considered

Release note:

[sourcery-ai]

Reviewer's Guide by Sourcery

This pull request removes Multus-related configurations from the default Istio operator configuration file (istio-operator.cr.yaml). This change addresses a regression introduced after an Istio update, where the default Istio config was incorrectly including settings for Multus, making it invalid when Multus is not installed. By removing these settings, the default config is now suitable for environments without Multus.

No diagrams generated as the changes look simple and do not need a visual representation.

File-Level Changes

Change	Details	Files
Removed Multus-specific settings from the default Istio configuration.	Removed the provider: multus setting under spec.cni.	cluster-provision/gocli/opts/istio/manifests/istio-operator.cr.yaml

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!
• Generate a plan of action for an issue: Comment @sourcery-ai plan on
  an issue to generate a plan of action for it.

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[sourcery-ai]

Hey @ormergi - I've reviewed your changes - here's some feedback:

Overall Comments:

• Consider adding a comment in the file itself explaining why the provider: multus setting was removed.

Here's what I looked at during the review

• 🟢 General issues: all looks good
• 🟢 Security: all looks good
• 🟢 Testing: all looks good
• 🟢 Complexity: all looks good
• 🟢 Documentation: all looks good

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[ormergi]

/cc @akalenyu @nirdothan

[ormergi]

@akalenyu could you please verify this PR changes fixes the issue on CDI+Istio lane?

[ormergi]

@brianmcarey could you please have a look? 🙏

[ormergi]

@nirdothan PTAL

[nirdothan]

@ormergi I'm OK to temporarily remove the NAD once @akalenyu confirms that his NFS tests are passing with this config.
I expect k8snetworkplumbingwg/multus-cni#1424 to solve the root cause of the issue. If/Once it goes through I will want to revert.

/LGTM
/hold

@akalenyu please remove the hold once tested.

[ormergi]

@nirdothan this change is necessary regardless of the issues on CDI repo CI.
The config is just wrong, its not intended to be used when Multus is installed.
It expect not Muluts to be installed but configure Istio to work as if Multus is installed.

[nirdothan]

@nirdothan this change is necessary regardless of the issues on CDI repo CI. The config is just wrong, its not intended to be used when Multus is installed. It expect not Muluts to be installed but configure Istio to work as if Multus is installed.

This value is used in 2 places:

1. https://github.com/istio/istio/blob/1.24.4/manifests/charts/istio-cni/templates/network-attachment-definition.yaml#L1
2. https://github.com/istio/istio/blob/1.24.4/manifests/charts/istio-control/istio-discovery/files/injection-template.yaml#L49 (I'm not entirely sure if it propagates into pilot values.)

#1 is the NAD, and #2 is injecting network annotation by the webhook.
It definately does not install multus, and it is not wrong to use in a cluster that has multus installed. I believe that on the contrary it was intended to be used by multus users.

I guess that the test that we are trying to fix runs in a setup that does not install multus, and is therefore working with CNI chaining. Since the KubeVirt project does assume multus installed (does it?) I think that we should have a common installation configuration that is optimized for the needs of the project.
I will try to get Istio SMEs' POV, but until then, assuming this PR's config is tested, it is LGTM by me.

[akalenyu]

/hold cancel
tested a provider built from this commit

SUCCESS! -- 1 Passed | 0 Failed | 3 Pending | 647 Skipped

and I don't have to deploy multus too. thanks!
/lgtm
/cc @dhiller

[ormergi]

I guess that the test that we are trying to fix runs in a setup that does not install multus, and is therefore working with CNI chaining.

The existing configuration (this PR changes) is not valid in the first place.
This Istio config should be used when Multus is not installed, this is why it sets Istio to work in chained mode and remove any Multus related configuration.

Since the KubeVirt project does assume multus installed (does it?) I think that we should have a common installation configuration that is optimized for the needs of the project.

We have, once for setups where Multus is installed and nother once when Multus is not installed.

I will try to get Istio SMEs' POV, but until then, assuming this PR's config is tested, it is LGTM by me.

Last time I checked with Istio community, there is no reference config for vanilla k8s with Multus installed.
There is a config for Openshift but it doesnt work for kubevirtci clusters out-of-the-box.

Its nice that you placed your LGTM, effectively you blocked this PR by placing a hold earlier, which I dont understand why..

[nirdothan]

Its nice that you placed your LGTM, effectively you blocked this PR by placing a hold earlier, which I dont understand why..

I wrote why: It's for @akalenyu to remove once tested.

[nirdothan]

@ormergi I looked at it again and recalled that we have two setups one for multus and the other without. This one should of course be without the multus provider, and of course, you were right. My bad.

[brianmcarey]

/approve

[kubevirt-bot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: brianmcarey

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [brianmcarey]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[kubevirt-bot]

@ormergi: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
check-provision-k8s-1.31-s390x	55c1860	link	false	/test check-provision-k8s-1.31-s390x
check-provision-k8s-1.30	55c1860	link	unknown	/test check-provision-k8s-1.30

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.