diff --git a/.github/bundles/aks/uds-bundle.yaml b/.github/bundles/aks/uds-bundle.yaml index f620c75ded..147f9d4734 100644 --- a/.github/bundles/aks/uds-bundle.yaml +++ b/.github/bundles/aks/uds-bundle.yaml @@ -19,8 +19,6 @@ packages: # x-release-please-start-version ref: 0.39.0 # x-release-please-end - optionalComponents: - - istio-ambient overrides: istio-admin-gateway: gateway: diff --git a/.github/bundles/eks/uds-bundle.yaml b/.github/bundles/eks/uds-bundle.yaml index 12a120dcc2..e0b16d69bb 100644 --- a/.github/bundles/eks/uds-bundle.yaml +++ b/.github/bundles/eks/uds-bundle.yaml @@ -20,7 +20,6 @@ packages: ref: 0.39.0 # x-release-please-end optionalComponents: - - istio-ambient - metrics-server # note: metrics-server is not available as an EKS addon in govcloud overrides: velero: diff --git a/.github/bundles/rke2/uds-bundle.yaml b/.github/bundles/rke2/uds-bundle.yaml index 7f3508b7b4..734d555a30 100644 --- a/.github/bundles/rke2/uds-bundle.yaml +++ b/.github/bundles/rke2/uds-bundle.yaml @@ -41,7 +41,6 @@ packages: ref: 0.39.0 # x-release-please-end optionalComponents: - - istio-ambient - metrics-server overrides: velero: diff --git a/bundles/k3d-standard/uds-bundle.yaml b/bundles/k3d-standard/uds-bundle.yaml index f8d5b52e28..888489b9d2 100644 --- a/bundles/k3d-standard/uds-bundle.yaml +++ b/bundles/k3d-standard/uds-bundle.yaml @@ -40,7 +40,6 @@ packages: ref: 0.39.0 # x-release-please-end optionalComponents: - - istio-ambient - istio-passthrough-gateway - metrics-server overrides: diff --git a/docs/reference/UDS Core/prerequisites.md b/docs/reference/UDS Core/prerequisites.md index 9faf310e56..a0dd207f3b 100644 --- a/docs/reference/UDS Core/prerequisites.md +++ b/docs/reference/UDS Core/prerequisites.md 
@@ -68,7 +68,7 @@ In addition, to run Istio ingress gateways (part of Core) you will need to ensur ##### Ambient Mode -Istio can be deployed in [Ambient Mode](https://istio.io/latest/docs/ambient/overview/) by deploying the optional `istio-ambient` component. This mode is still in alpha release and is not recommended for production use. Also note that only the `unicorn` and `registry1` flavors of core contain `FIPS` compliant images. The `istio-ambient` component is **required** if you want to use UDS Packages with `spec.network.serviceMesh.mode: ambient`. If Ambient mode is not deployed in the cluster, packages configured for ambient mode will automatically fall back to sidecar mode. +[Ambient Mode](https://istio.io/latest/docs/ambient/overview/) in Istio is now integrated directly into the `istio-controlplane` component and enabled by default. Also note that only the `unicorn` and `registry1` flavors of core contain `FIPS` compliant images. When using ambient mode with UDS Packages, you can benefit from: - Reduced resource overhead compared to sidecar mode, as workloads don't require an injected sidecar container 
@@ -77,7 +77,7 @@ When using ambient mode with UDS Packages, you can benefit from: Note that Packages with Authservice clients are not currently supported in ambient mode and will be rejected by the UDS Operator. -The `istio-ambient` component installs the Istio CNI plugin which requires specifying the `CNI_CONF_DIR` and `CNI_BIN_DIR` variables. These values can change based on the environment Istio is being deployed into. By default the package will attempt to auto-detect these values and will use the following values if not specified: +The `istio-controlplane` component installs the Istio CNI plugin which requires specifying the `CNI_CONF_DIR` and `CNI_BIN_DIR` variables. These values can change based on the environment Istio is being deployed into. By default the package will attempt to auto-detect these values and will use the following values if not specified: ```yaml # K3d cluster @@ -93,7 +93,7 @@ cniConfDir: /etc/cni/net.d cniBinDir: /opt/cni/bin/ ``` -These values can be overwritten when installing core by setting the `cniConfDir` and `cniBinDir` values in the `istio-ambient` component. +These values can be overwritten when installing core by setting the `cniConfDir` and `cniBinDir` values in the `istio-controlplane` component. To set these values add the following to the `uds-config.yaml` file: diff --git a/packages/base/zarf.yaml b/packages/base/zarf.yaml index 1932db8fbc..9186e93e24 100644 --- a/packages/base/zarf.yaml +++ b/packages/base/zarf.yaml @@ -35,10 +35,10 @@ components: import: path: ../../src/istio - - name: istio-ambient - required: false + - name: gateway-api-crds + required: true import: - path: ../../src/istio + path: ../../src/istio/common - name: istio-admin-gateway required: true diff --git a/packages/standard/zarf.yaml b/packages/standard/zarf.yaml index 2bd465cb92..1075a4f4c9 100644 --- a/packages/standard/zarf.yaml +++ b/packages/standard/zarf.yaml 
@@ -34,10 +34,10 @@ components: import: path: ../base - - name: istio-ambient - required: false + - name: gateway-api-crds + required: true import: - path: ../base + path: ../../src/istio/common - name: istio-admin-gateway required: true diff --git a/src/istio/ambient/.helmignore b/src/istio/ambient/.helmignore deleted file mode 100644 index 0e8a0eb36f..0000000000 --- a/src/istio/ambient/.helmignore +++ /dev/null @@ -1,23 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*.orig -*~ -# Various IDEs -.project -.idea/ -*.tmproj -.vscode/ diff --git a/src/istio/ambient/chart/Chart.yaml b/src/istio/ambient/chart/Chart.yaml deleted file mode 100644 index b6b21cd286..0000000000 --- a/src/istio/ambient/chart/Chart.yaml +++ /dev/null @@ -1,19 +0,0 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial -apiVersion: v2 -name: uds-istio-ambient-config -description: Istio ambient configuration for UDS - -# A chart can be either an 'application' or a 'library' chart. -# -# Application charts are a collection of templates that can be packaged into versioned archives -# to be deployed. -# -# Library charts provide useful utilities or functions for the chart developer. They're included as -# a dependency of application charts to inject those utilities and functions into the rendering -# pipeline. Library charts do not define any templates and therefore cannot be deployed. -type: application - -# This is the chart version. This version number should be incremented each time you make changes -# to the chart and its templates, including the app version. -# Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.1.0 
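Review bot: The new `gateway-api-crds` entry in packages/standard/zarf.yaml imports from `../../src/istio/common`, while the neighbouring component in this hunk goes through `import: path: ../base` (the context line just above the change). Since packages/base/zarf.yaml now exports a `gateway-api-crds` component of its own (the preceding hunk on the base package), `path: ../base` would keep the standard layer importing only from base, as its other components do; if the direct path is deliberate, a one-line comment on the entry saying why would stop the next reader from "fixing" it. The components list continues outside the hunk.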
diff --git a/src/istio/ambient/zarf.yaml b/src/istio/ambient/zarf.yaml
deleted file mode 100644
index cd5d3b6f33..0000000000
--- a/src/istio/ambient/zarf.yaml
+++ /dev/null
@@ -1,79 +0,0 @@ -# Copyright 2024 Defense Unicorns -# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial - -kind: ZarfPackageConfig -metadata: - name: uds-core-istio-ambient - description: "UDS Core Istio Ambient" - url: https://istio.io/latest/ -variables: - - name: CNI_CONF_DIR - description: "CNI configuration directory" - default: "" - - name: CNI_BIN_DIR - description: "CNI binary directory" - default: "" - -components: - - name: istio-ambient - required: false - charts: - - name: uds-istio-ambient-config - namespace: istio-system - version: 0.1.0 - localPath: chart - - name: cni - url: https://istio-release.storage.googleapis.com/charts - version: 1.25.1 - namespace: istio-system - valuesFiles: - - "../values/base-cni.yaml" - - name: ztunnel - url: https://istio-release.storage.googleapis.com/charts - version: 1.25.1 - namespace: istio-system - valuesFiles: - - "../values/base-ztunnel.yaml" - actions: - onDeploy: - before: - - description: "Ensure CNI_CONF_DIR is set" - cmd: | - if [ \"${ZARF_VAR_CNI_CONF_DIR}\" = \"\" ]; then - if ./zarf tools kubectl version -o json 2>/dev/null | ./zarf tools yq '.serverVersion.gitVersion' 2>/dev/null | grep -q "k3s"; then - echo "/var/lib/rancher/k3s/agent/etc/cni/net.d" - else - echo "/etc/cni/net.d" - fi - else - echo "${ZARF_VAR_CNI_CONF_DIR}" - fi - setVariables: - - name: CNI_CONF_DIR - - description: "Ensure CNI_BIN_DIR is set" - cmd: | - if [ \"${ZARF_VAR_CNI_BIN_DIR}\" = \"\" ]; then - if ./zarf tools kubectl version -o json 2>/dev/null | ./zarf tools yq '.serverVersion.gitVersion' 2>/dev/null | grep -q "k3s"; then - # Note: this was previously the k3d bin dir, but with k3s 1.31.7 it has changed to the default k3s dir - # if ./zarf tools kubectl get nodes -o jsonpath='{range .items[*]}{.metadata.name}{"\n"}{end}' 2>/dev/null | grep -q "k3d"; then - # echo "/bin/" - echo "/var/lib/rancher/k3s/data/cni" - else - echo "/opt/cni/bin" - fi - else - echo "${ZARF_VAR_CNI_BIN_DIR}" - fi - 
setVariables: - - name: CNI_BIN_DIR - - # Enable this when ready to switch Core components to use ambient - # after: - # - description: "Ensure istio ambient is enabled for Pepr" - # cmd: "./zarf tools kubectl label namespace pepr-system istio.io/dataplane-mode=ambient --overwrite" - # - description: "Ensure istio-injection is disabled for Pepr" - # cmd: "./zarf tools kubectl label namespace pepr-system istio-injection=disabled --overwrite" - # - description: "Cycle Pepr to refresh connections post-ambient" - # cmd: | - # ./zarf tools kubectl rollout restart -n pepr-system deploy/pepr-uds-core-watcher - # ./zarf tools kubectl rollout restart -n pepr-system deploy/pepr-uds-core diff --git a/src/istio/ambient/chart/templates/exemptions.yaml b/src/istio/common/chart/templates/exemptions.yaml similarity index 100% rename from src/istio/ambient/chart/templates/exemptions.yaml rename to src/istio/common/chart/templates/exemptions.yaml diff --git a/src/istio/common/zarf.yaml b/src/istio/common/zarf.yaml index e031d67e63..6e656447d4 100644 --- a/src/istio/common/zarf.yaml +++ b/src/istio/common/zarf.yaml @@ -6,6 +6,13 @@ metadata: name: uds-core-istio-common description: "UDS Core Istio Common" url: https://istio.io/latest/ +variables: + - name: CNI_CONF_DIR + description: "CNI configuration directory" + default: "" + - name: CNI_BIN_DIR + description: "CNI binary directory" + default: "" components: - name: istio-controlplane 
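Review bot: The two `variables` added to src/istio/common/zarf.yaml are described only as "CNI configuration directory" and "CNI binary directory", but the actions added later in the same file treat an empty value as a request to auto-detect the path, and the values they emit look like directories on each node's host filesystem rather than anything inside the cluster. Suggest `description: "Host CNI configuration directory; auto-detected from the cluster type when left empty"` and the matching wording for `CNI_BIN_DIR`, so someone setting them in `uds-config.yaml` knows that an explicit value turns detection off. The `metadata` block begins outside the hunk.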
@@ -27,16 +34,54 @@ components: localPath: chart valuesFiles: - "chart/values.yaml" + - name: cni + url: https://istio-release.storage.googleapis.com/charts + version: 1.25.1 + namespace: istio-system + valuesFiles: + - "../values/base-cni.yaml" + - name: ztunnel + url: https://istio-release.storage.googleapis.com/charts + version: 1.25.1 + namespace: istio-system + valuesFiles: + - "../values/base-ztunnel.yaml" actions: onDeploy: before: - description: "Add helm ownership if necessary for clean helm upgrade" mute: true cmd: | - # Commands pulled from https://istio.io/latest/news/releases/1.24.x/announcing-1.24/upgrade-notes/#istio-crds-are-templated-by-default-and-can-be-installed-and-upgraded-via-helm-install-istio-base - ./zarf tools kubectl label $(./zarf tools kubectl get crds -l chart=istio -o name && ./zarf tools kubectl get crds -l app.kubernetes.io/part-of=istio -o name) "app.kubernetes.io/managed-by=Helm" --overwrite || true - ./zarf tools kubectl annotate $(./zarf tools kubectl get crds -l chart=istio -o name && ./zarf tools kubectl get crds -l app.kubernetes.io/part-of=istio -o name) "meta.helm.sh/release-name=base" --overwrite || true - ./zarf tools kubectl annotate $(./zarf tools kubectl get crds -l chart=istio -o name && ./zarf tools kubectl get crds -l app.kubernetes.io/part-of=istio -o name) "meta.helm.sh/release-namespace=istio-system" --overwrite || true + ./zarf tools kubectl annotate exemption istio -n uds-policy-exemptions "meta.helm.sh/release-name=uds-global-istio-config" --overwrite || true + - description: "Ensure CNI_CONF_DIR is set" + cmd: | + if [ \"${ZARF_VAR_CNI_CONF_DIR}\" = \"\" ]; then + if ./zarf tools kubectl version -o json 2>/dev/null | ./zarf tools yq '.serverVersion.gitVersion' 2>/dev/null | grep -q "k3s"; then + echo "/var/lib/rancher/k3s/agent/etc/cni/net.d" + else + echo "/etc/cni/net.d" + fi + else + echo "${ZARF_VAR_CNI_CONF_DIR}" + fi + setVariables: + - name: CNI_CONF_DIR + - description: "Ensure CNI_BIN_DIR is set" + 
cmd: | + if [ \"${ZARF_VAR_CNI_BIN_DIR}\" = \"\" ]; then + if ./zarf tools kubectl version -o json 2>/dev/null | ./zarf tools yq '.serverVersion.gitVersion' 2>/dev/null | grep -q "k3s"; then + # Note: this was previously the k3d bin dir, but with k3s 1.31.7 it has changed to the default k3s dir + # if ./zarf tools kubectl get nodes -o jsonpath='{range .items[*]}{.metadata.name}{"\n"}{end}' 2>/dev/null | grep -q "k3d"; then + # echo "/bin/" + echo "/var/lib/rancher/k3s/data/cni" + else + echo "/opt/cni/bin" + fi + else + echo "${ZARF_VAR_CNI_BIN_DIR}" + fi + setVariables: + - name: CNI_BIN_DIR after: - description: "Ensure istio-injection is enabled for Pepr" mute: true 
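Review bot: The added `Ensure CNI_CONF_DIR is set` and `Ensure CNI_BIN_DIR is set` actions test for an empty variable with `if [ \"${ZARF_VAR_CNI_CONF_DIR}\" = \"\" ]; then`, which inside a `|` block scalar hands the shell literal backslash-quote characters and leaves the expansion unquoted, so the test only works because both sides end up carrying the same literal quote marks and would break on a value containing whitespace. `if [ -z "${ZARF_VAR_CNI_CONF_DIR}" ]; then` (and the same for `CNI_BIN_DIR`) says what is meant and quotes the expansion properly. Separately, the `CNI_BIN_DIR` branch returns `/var/lib/rancher/k3s/data/cni` for every k3s server while its own comment says that location only applies from k3s 1.31.7; if older k3s releases are still supported, the comment should state the minimum version, because a wrong directory here presumably ends up in the istio-cni node agent's host mounts and would surface only as pods not being captured by ambient. The `istio-controlplane` component and its actions continue outside the hunk.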
@@ -59,3 +104,23 @@ components: echo "Deployment 'pepr-uds-core' does not exist. Skipping restart." fi fi + # Enable this when ready to switch Core components to use ambient + # after: + # - description: "Ensure istio ambient is enabled for Pepr" + # cmd: "./zarf tools kubectl label namespace pepr-system istio.io/dataplane-mode=ambient --overwrite" + # - description: "Ensure istio-injection is disabled for Pepr" + # cmd: "./zarf tools kubectl label namespace pepr-system istio-injection=disabled --overwrite" + # - description: "Cycle Pepr to refresh connections post-ambient" + # cmd: | + # ./zarf tools kubectl rollout restart -n pepr-system deploy/pepr-uds-core-watcher + # ./zarf tools kubectl rollout restart -n pepr-system deploy/pepr-uds-core + + - name: gateway-api-crds + required: true + manifests: + - name: gateway-api-crds + files: + - https://raw.githubusercontent.com/kubernetes-sigs/gateway-api/v1.2.1/config/crd/standard/gateway.networking.k8s.io_gatewayclasses.yaml + - https://raw.githubusercontent.com/kubernetes-sigs/gateway-api/v1.2.1/config/crd/standard/gateway.networking.k8s.io_httproutes.yaml + - https://raw.githubusercontent.com/kubernetes-sigs/gateway-api/v1.2.1/config/crd/standard/gateway.networking.k8s.io_grpcroutes.yaml + - https://raw.githubusercontent.com/kubernetes-sigs/gateway-api/v1.2.1/config/crd/standard/gateway.networking.k8s.io_referencegrants.yaml diff --git a/src/istio/zarf.yaml b/src/istio/zarf.yaml index 9682fcd5a9..d6180bf410 100644 --- a/src/istio/zarf.yaml +++ b/src/istio/zarf.yaml @@ -26,17 +26,6 @@ components: - name: istiod valuesFiles: - "values/upstream/istiod.yaml" - images: - - "docker.io/istio/pilot:1.25.1-distroless" - - "docker.io/istio/proxyv2:1.25.1-distroless" - - - name: istio-ambient - required: false - only: - flavor: upstream - import: - path: ambient - charts: - name: cni valuesFiles: - "values/upstream/cni.yaml" 
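Review bot: The new `gateway-api-crds` component fetches four CRD manifests from raw.githubusercontent.com pinned only to the git tag `v1.2.1`; a tag can be moved, so the CRDs baked into the package at create time are not fixed by this zarf.yaml alone. Pinning each URL to the commit the tag points at (the full commit SHA in place of `v1.2.1`) makes the package content reproducible, and a content checksum per file would let the download be rejected if it changes, where the Zarf version in use supports one for remote manifests. The component is ordered after `istio-controlplane`; if istiod needs the Gateway API CRDs present when it starts, that ordering is worth confirming. The commented-out Pepr ambient block deleted from src/istio/ambient/zarf.yaml is re-added here verbatim as dead config; naming the condition or tracking item under which it is meant to be enabled would make the comment actionable.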
@@ -44,6 +33,8 @@ components: valuesFiles: - "values/upstream/ztunnel.yaml" images: + - "docker.io/istio/pilot:1.25.1-distroless" + - "docker.io/istio/proxyv2:1.25.1-distroless" - "docker.io/istio/install-cni:1.25.1-distroless" - "docker.io/istio/ztunnel:1.25.1-distroless" @@ -57,17 +48,6 @@ components: - name: istiod valuesFiles: - "values/registry1/istiod.yaml" - images: - - registry1.dso.mil/ironbank/tetrate/istio/proxyv2:1.25.1-tetratefipslatest1 - - registry1.dso.mil/ironbank/tetrate/istio/pilot:1.25.1-tetratefipslatest1 - - - name: istio-ambient - required: false - only: - flavor: registry1 - import: - path: ambient - charts: - name: cni valuesFiles: - "values/registry1/cni.yaml" @@ -75,6 +55,8 @@ components: valuesFiles: - "values/registry1/ztunnel.yaml" images: + - registry1.dso.mil/ironbank/tetrate/istio/proxyv2:1.25.1-tetratefipslatest1 + - registry1.dso.mil/ironbank/tetrate/istio/pilot:1.25.1-tetratefipslatest1 - registry1.dso.mil/ironbank/tetrate/istio/install-cni:1.25.1-tetratefipslatest1 - registry1.dso.mil/ironbank/tetrate/istio/ztunnel:1.25.1-tetratefipslatest1 @@ -88,17 +70,6 @@ components: - name: istiod valuesFiles: - "values/unicorn/istiod.yaml" - images: - - cgr.dev/du-uds-defenseunicorns/istio-pilot-fips:1.25.1 - - cgr.dev/du-uds-defenseunicorns/istio-proxy-fips:1.25.1 - - - name: istio-ambient - required: false - only: - flavor: unicorn - import: - path: ambient - charts: - name: cni valuesFiles: - "values/unicorn/cni.yaml" @@ -106,6 +77,8 @@ components: valuesFiles: - "values/unicorn/ztunnel.yaml" images: + - cgr.dev/du-uds-defenseunicorns/istio-pilot-fips:1.25.1 + - cgr.dev/du-uds-defenseunicorns/istio-proxy-fips:1.25.1 - cgr.dev/du-uds-defenseunicorns/istio-install-cni:1.25.1 - cgr.dev/du-uds-defenseunicorns/ztunnel-fips:1.25.1 diff --git a/tasks/deploy.yaml b/tasks/deploy.yaml index 8906939652..baca994b4e 100644 --- a/tasks/deploy.yaml +++ b/tasks/deploy.yaml 
@@ -47,7 +47,7 @@ tasks: actions: - description: "Deploy UDS Core Base Layer without Ambient (must set UDS_LAYER environment variable)" if: ${{ eq .inputs.layer "base"}} - cmd: uds zarf package deploy build/zarf-package-core-${{ index .inputs "layer" }}-${UDS_ARCH}-${VERSION}.tar.zst --confirm --no-progress --components '-istio-ambient,*' + cmd: uds zarf package deploy build/zarf-package-core-${{ index .inputs "layer" }}-${UDS_ARCH}-${VERSION}.tar.zst --confirm --no-progress --components '*' - description: "Deploy a single UDS Core Layer (must set UDS_LAYER environment variable)" if: ${{ ne .inputs.layer "base"}} cmd: uds zarf package deploy build/zarf-package-core-${{ index .inputs "layer" }}-${UDS_ARCH}-${VERSION}.tar.zst --confirm --no-progress --components '*'
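Review bot: The `description` of the first action still reads "Deploy UDS Core Base Layer without Ambient" although its `cmd` now deploys with `--components '*'`, which is the same command as the action below it, and ambient is no longer a separable component after this change. Update it to `- description: "Deploy UDS Core Base Layer (must set UDS_LAYER environment variable)"`, or, since both branches of the `if` now run an identical command, collapse the two actions into one without the `if`. The `tasks` list continues outside the hunk.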