feat: optional istio cni ztunnel component #1175

Merged Jan 27, 2025 (32 commits)

sgettys (Contributor) commented Jan 14, 2025

Description

  • optional Istio cni and ztunnel component
  • required exemptions for CNI and ztunnel to operate
  • CNI config via zarf variables

Related Issue

Fixes #1033
Fixes #1027

Type of change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Other (security config, docs update, etc)

Steps to Validate

  • If this PR introduces new functionality to UDS Core or addresses a bug, please document the steps to test the changes.

Checklist before merging

@sgettys force-pushed the feat/istio-cni-ztunnel branch from 8ecf164 to 9b98732 (January 14, 2025 23:56)
@sgettys changed the title from "Feat/istio cni ztunnel" to "feat: optional istio cni ztunnel component" (Jan 14, 2025)
@sgettys force-pushed the feat/istio-cni-ztunnel branch from a7dce2c to a376e06 (January 15, 2025 21:48)
@sgettys marked this pull request as ready for review (January 15, 2025 22:12)
@sgettys requested a review from a team as a code owner (January 15, 2025 22:12)
sgettys (Contributor, Author) commented Jan 17, 2025

Tested on AWS EKS, K3d, and K3s. Ambient component installs without issue

@sgettys force-pushed the feat/istio-cni-ztunnel branch 3 times, most recently from a38f9aa to 433b65e (January 23, 2025 22:29)

mjnagel (Contributor) left a comment

In my testing everything seemed to work well on k3d. Given that this is optional I'm not overly concerned about anything here but have a handful of comments.

  • README.md (outdated, resolved)
  • bundles/k3d-standard/uds-bundle.yaml (resolved)
  • docs/reference/UDS Core/prerequisites.md (resolved)
  • src/istio/common/zarf.yaml (outdated, resolved)
  • src/istio/zarf.yaml (outdated, resolved)
  • src/istio/ambient/chart/templates/exemptions.yaml (outdated, resolved)
  • src/istio/ambient/chart/templates/exemptions.yaml (outdated, resolved)

@sgettys force-pushed the feat/istio-cni-ztunnel branch from 1383b09 to 66959d6 (January 24, 2025 22:15)
@sgettys force-pushed the feat/istio-cni-ztunnel branch from 0dfaf6d to c040b72 (January 24, 2025 23:57)
@sgettys enabled auto-merge (squash) (January 27, 2025 17:01)
@sgettys merged commit e003924 into main (Jan 27, 2025)
31 of 34 checks passed
@sgettys deleted the feat/istio-cni-ztunnel branch (January 27, 2025 17:11)

noahpb pushed a commit that referenced this pull request Jan 28, 2025
🤖 I have created a release *beep* *boop*
---


## [0.35.0](v0.34.1...v0.35.0) (2025-01-27)

### Features

* add logic to handle updates to operator config ([#1186](#1186)) ([004e8b4](004e8b4))
* optional istio cni ztunnel component ([#1175](#1175)) ([e003924](e003924))

### Bug Fixes

* add healthz port to neuvector services ([#1223](#1223)) ([ec55729](ec55729))
* checkpoint ci issue ([#1234](#1234)) ([548ff6a](548ff6a))
* denied user permissions policy messaging ([#1227](#1227)) ([1ccf4f7](1ccf4f7))
* istio package no longer assumes pepr deployments exist ([#1232](#1232)) ([ab11592](ab11592))

### Miscellaneous

* **deps:** update authservice to v1.0.4 ([#1211](#1211)) ([da4d043](da4d043))
* **deps:** update pepr ([#1197](#1197)) ([652c925](652c925))

### Documentation

* add documentation on metrics/dashboards for apps ([#1221](#1221)) ([d9062da](d9062da))

---
This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
mjnagel pushed a commit that referenced this pull request Feb 4, 2025
🤖 I have created a release *beep* *boop*
---


## [0.35.0](v0.34.1...v0.35.0) (2025-02-03)

### Features

* add logic to handle updates to operator config ([#1186](#1186)) ([004e8b4](004e8b4))
* optional istio cni ztunnel component ([#1175](#1175)) ([e003924](e003924))

### Bug Fixes

* add healthz port to neuvector services ([#1223](#1223)) ([ec55729](ec55729))
* add patch for adding nv enforcer readiness probe ([#1239](#1239)) ([098ef3d](098ef3d))
* address AKS ci flakiness ([#1238](#1238)) ([262ba3e](262ba3e))
* checkpoint ci issue ([#1234](#1234)) ([548ff6a](548ff6a))
* denied user permissions policy messaging ([#1227](#1227)) ([1ccf4f7](1ccf4f7))
* istio package no longer assumes pepr deployments exist ([#1232](#1232)) ([ab11592](ab11592))

### Miscellaneous

* **ci:** disable rds parameter group creation ([#1230](#1230)) ([b4cb499](b4cb499))
* **deps:** update authservice to v1.0.4 ([#1211](#1211)) ([da4d043](da4d043))
* **deps:** update grafana ([#1213](#1213)) ([54ddd23](54ddd23))
* **deps:** update pepr ([#1197](#1197)) ([652c925](652c925))
* **deps:** update prometheus-stack ([#1189](#1189)) ([e02c14c](e02c14c))
* **deps:** update support-deps ([#1204](#1204)) ([d477f6a](d477f6a))
* **deps:** update support-deps ([#1243](#1243)) ([d4179ae](d4179ae))
* **deps:** update support-deps to v1.50.1 ([#1241](#1241)) ([6c14208](6c14208))
* **docs:** cleanup diagrams ([#1246](#1246)) ([f6bffb9](f6bffb9))
* **main:** release 0.35.0 ([#1219](#1219)) ([c31c608](c31c608))
* switch registry1 ztunnel to proper source ([#1249](#1249)) ([defa586](defa586))
* switch unicorn ztunnel to fips image ([#1240](#1240)) ([dd63ac6](dd63ac6))

### Documentation

* add documentation on metrics/dashboards for apps ([#1221](#1221)) ([d9062da](d9062da))

---
This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Successfully merging this pull request may close these issues.

  • Add ztunnel/cni components to Istio
  • Make least-privilege exemptions for ztunnel and install-cni pods
2 participants