feat!: make istio ambient components default in uds core

.github/bundles/aks/uds-bundle.yaml

@@ -19,8 +19,6 @@ packages:
     # x-release-please-start-version
     ref: 0.39.0
     # x-release-please-end
-    optionalComponents:
-      - istio-ambient
     overrides:
       istio-admin-gateway:
         gateway:

.github/bundles/eks/uds-bundle.yaml

@@ -20,7 +20,6 @@ packages:
     ref: 0.39.0
     # x-release-please-end
     optionalComponents:
-      - istio-ambient
       - metrics-server # note: metrics-server is not available as an EKS addon in govcloud
     overrides:
       velero:

.github/bundles/rke2/uds-bundle.yaml

@@ -41,7 +41,6 @@ packages:
     ref: 0.39.0
     # x-release-please-end
     optionalComponents:
-      - istio-ambient
       - metrics-server
     overrides:
       velero:

bundles/k3d-standard/uds-bundle.yaml

@@ -40,7 +40,6 @@ packages:
     ref: 0.39.0
     # x-release-please-end
     optionalComponents:
-      - istio-ambient
       - istio-passthrough-gateway
       - metrics-server
     overrides:

docs/reference/UDS Core/prerequisites.md

@@ -68,7 +68,7 @@ In addition, to run Istio ingress gateways (part of Core) you will need to ensur
 
 ##### Ambient Mode
 
-Istio can be deployed in [Ambient Mode](https://istio.io/latest/docs/ambient/overview/) by deploying the optional `istio-ambient` component. This mode is still in alpha release and is not recommended for production use. Also note that only the `unicorn` and `registry1` flavors of core contain `FIPS` compliant images. The `istio-ambient` component is **required** if you want to use UDS Packages with `spec.network.serviceMesh.mode: ambient`. If Ambient mode is not deployed in the cluster, packages configured for ambient mode will automatically fall back to sidecar mode.
+[Ambient Mode](https://istio.io/latest/docs/ambient/overview/) in Istio is now integrated directly into the `istio-controlplane` component and enabled by default. Also note that only the `unicorn` and `registry1` flavors of core contain `FIPS` compliant images.
 
 When using ambient mode with UDS Packages, you can benefit from:
 - Reduced resource overhead compared to sidecar mode, as workloads don't require an injected sidecar container
@@ -77,7 +77,7 @@ When using ambient mode with UDS Packages, you can benefit from:
 
 Note that Packages with Authservice clients are not currently supported in ambient mode and will be rejected by the UDS Operator.
 
-The `istio-ambient` component installs the Istio CNI plugin which requires specifying the `CNI_CONF_DIR` and `CNI_BIN_DIR` variables. These values can change based on the environment Istio is being deployed into. By default the package will attempt to auto-detect these values and will use the following values if not specified:
+The `istio-controlplane` component installs the Istio CNI plugin which requires specifying the `CNI_CONF_DIR` and `CNI_BIN_DIR` variables. These values can change based on the environment Istio is being deployed into. By default the package will attempt to auto-detect these values and will use the following values if not specified:
 
 ```yaml
 # K3d cluster
@@ -93,7 +93,7 @@ cniConfDir: /etc/cni/net.d
 cniBinDir: /opt/cni/bin/
 ```
 
-These values can be overwritten when installing core by setting the `cniConfDir` and `cniBinDir` values in the `istio-ambient` component.
+These values can be overwritten when installing core by setting the `cniConfDir` and `cniBinDir` values in the `istio-controlplane` component.
 
 To set these values add the following to the `uds-config.yaml` file:
 

packages/base/zarf.yaml

@@ -35,10 +35,10 @@ components:
     import:
       path: ../../src/istio
 
-  - name: istio-ambient
-    required: false
+  - name: gateway-api-crds
+    required: true
     import:
-      path: ../../src/istio
+      path: ../../src/istio/common
 
   - name: istio-admin-gateway
     required: true

packages/standard/zarf.yaml

@@ -34,10 +34,10 @@ components:
     import:
       path: ../base
 
-  - name: istio-ambient
-    required: false
+  - name: gateway-api-crds
+    required: true
     import:
-      path: ../base
+      path: ../../src/istio/common
 
   - name: istio-admin-gateway
     required: true

src/istio/common/zarf.yaml

@@ -6,6 +6,13 @@ metadata:
   name: uds-core-istio-common
   description: "UDS Core Istio Common"
   url: https://istio.io/latest/
+variables:
+  - name: CNI_CONF_DIR
+    description: "CNI configuration directory"
+    default: ""
+  - name: CNI_BIN_DIR
+    description: "CNI binary directory"
+    default: ""
 
 components:
   - name: istio-controlplane
@@ -27,16 +34,54 @@ components:
         localPath: chart
         valuesFiles:
           - "chart/values.yaml"
+      - name: cni
+        url: https://istio-release.storage.googleapis.com/charts
+        version: 1.25.1
+        namespace: istio-system
+        valuesFiles:
+          - "../values/base-cni.yaml"
+      - name: ztunnel
+        url: https://istio-release.storage.googleapis.com/charts
+        version: 1.25.1
+        namespace: istio-system
+        valuesFiles:
+          - "../values/base-ztunnel.yaml"
     actions:
       onDeploy:
         before:
           - description: "Add helm ownership if necessary for clean helm upgrade"
             mute: true
             cmd: |
-              # Commands pulled from https://istio.io/latest/news/releases/1.24.x/announcing-1.24/upgrade-notes/#istio-crds-are-templated-by-default-and-can-be-installed-and-upgraded-via-helm-install-istio-base
-              ./zarf tools kubectl label $(./zarf tools kubectl get crds -l chart=istio -o name && ./zarf tools kubectl get crds -l app.kubernetes.io/part-of=istio -o name) "app.kubernetes.io/managed-by=Helm" --overwrite || true
-              ./zarf tools kubectl annotate $(./zarf tools kubectl get crds -l chart=istio -o name && ./zarf tools kubectl get crds -l app.kubernetes.io/part-of=istio -o name) "meta.helm.sh/release-name=base" --overwrite || true
-              ./zarf tools kubectl annotate $(./zarf tools kubectl get crds -l chart=istio -o name && ./zarf tools kubectl get crds -l app.kubernetes.io/part-of=istio -o name) "meta.helm.sh/release-namespace=istio-system" --overwrite || true
+              ./zarf tools kubectl annotate exemption istio -n uds-policy-exemptions "meta.helm.sh/release-name=uds-global-istio-config" --overwrite || true
+          - description: "Ensure CNI_CONF_DIR is set"
+            cmd: |
+              if [ \"${ZARF_VAR_CNI_CONF_DIR}\" = \"\" ]; then
+                if ./zarf tools kubectl version -o json 2>/dev/null | ./zarf tools yq '.serverVersion.gitVersion' 2>/dev/null | grep -q "k3s"; then
+                  echo "/var/lib/rancher/k3s/agent/etc/cni/net.d"
+                else
+                  echo "/etc/cni/net.d"
+                fi
+              else
+                echo "${ZARF_VAR_CNI_CONF_DIR}"
+              fi
+            setVariables:
+              - name: CNI_CONF_DIR
+          - description: "Ensure CNI_BIN_DIR is set"
+            cmd: |
+              if [ \"${ZARF_VAR_CNI_BIN_DIR}\" = \"\" ]; then
+                if ./zarf tools kubectl version -o json 2>/dev/null | ./zarf tools yq '.serverVersion.gitVersion' 2>/dev/null | grep -q "k3s"; then
+                  # Note: this was previously the k3d bin dir, but with k3s 1.31.7 it has changed to the default k3s dir
+                  # if ./zarf tools kubectl get nodes -o jsonpath='{range .items[*]}{.metadata.name}{"\n"}{end}' 2>/dev/null | grep -q "k3d"; then
+                  #   echo "/bin/"
+                  echo "/var/lib/rancher/k3s/data/cni"
+                else
+                  echo "/opt/cni/bin"
+                fi
+              else
+                echo "${ZARF_VAR_CNI_BIN_DIR}"
+              fi
+            setVariables:
+              - name: CNI_BIN_DIR
         after:
           - description: "Ensure istio-injection is enabled for Pepr"
             mute: true
@@ -59,3 +104,23 @@ components:
                       echo "Deployment 'pepr-uds-core' does not exist. Skipping restart."
                   fi
               fi
+    # Enable this when ready to switch Core components to use ambient
+    #     after:
+    #       - description: "Ensure istio ambient is enabled for Pepr"
+    #         cmd: "./zarf tools kubectl label namespace pepr-system istio.io/dataplane-mode=ambient --overwrite"
+    #       - description: "Ensure istio-injection is disabled for Pepr"
+    #         cmd: "./zarf tools kubectl label namespace pepr-system istio-injection=disabled --overwrite"
+    #       - description: "Cycle Pepr to refresh connections post-ambient"
+    #         cmd: |
+    #           ./zarf tools kubectl rollout restart -n pepr-system deploy/pepr-uds-core-watcher
+    #           ./zarf tools kubectl rollout restart -n pepr-system deploy/pepr-uds-core
+
+  - name: gateway-api-crds
+    required: true
+    manifests:
+      - name: gateway-api-crds
+        files:
+          - https://raw.githubusercontent.com/kubernetes-sigs/gateway-api/v1.2.1/config/crd/standard/gateway.networking.k8s.io_gatewayclasses.yaml
+          - https://raw.githubusercontent.com/kubernetes-sigs/gateway-api/v1.2.1/config/crd/standard/gateway.networking.k8s.io_httproutes.yaml
+          - https://raw.githubusercontent.com/kubernetes-sigs/gateway-api/v1.2.1/config/crd/standard/gateway.networking.k8s.io_grpcroutes.yaml
+          - https://raw.githubusercontent.com/kubernetes-sigs/gateway-api/v1.2.1/config/crd/standard/gateway.networking.k8s.io_referencegrants.yaml

src/istio/zarf.yaml

@@ -26,24 +26,15 @@ components:
       - name: istiod
         valuesFiles:
           - "values/upstream/istiod.yaml"
-    images:
-      - "docker.io/istio/pilot:1.25.1-distroless"
-      - "docker.io/istio/proxyv2:1.25.1-distroless"
-
-  - name: istio-ambient
-    required: false
-    only:
-      flavor: upstream
-    import:
-      path: ambient
-    charts:
       - name: cni
         valuesFiles:
           - "values/upstream/cni.yaml"
       - name: ztunnel
         valuesFiles:
           - "values/upstream/ztunnel.yaml"
     images:
+      - "docker.io/istio/pilot:1.25.1-distroless"
+      - "docker.io/istio/proxyv2:1.25.1-distroless"
       - "docker.io/istio/install-cni:1.25.1-distroless"
       - "docker.io/istio/ztunnel:1.25.1-distroless"
 
@@ -57,24 +48,15 @@ components:
       - name: istiod
         valuesFiles:
           - "values/registry1/istiod.yaml"
-    images:
-      - registry1.dso.mil/ironbank/tetrate/istio/proxyv2:1.25.1-tetratefipslatest1
-      - registry1.dso.mil/ironbank/tetrate/istio/pilot:1.25.1-tetratefipslatest1
-
-  - name: istio-ambient
-    required: false
-    only:
-      flavor: registry1
-    import:
-      path: ambient
-    charts:
       - name: cni
         valuesFiles:
           - "values/registry1/cni.yaml"
       - name: ztunnel
         valuesFiles:
           - "values/registry1/ztunnel.yaml"
     images:
+      - registry1.dso.mil/ironbank/tetrate/istio/proxyv2:1.25.1-tetratefipslatest1
+      - registry1.dso.mil/ironbank/tetrate/istio/pilot:1.25.1-tetratefipslatest1
       - registry1.dso.mil/ironbank/tetrate/istio/install-cni:1.25.1-tetratefipslatest1
       - registry1.dso.mil/ironbank/tetrate/istio/ztunnel:1.25.1-tetratefipslatest1
 
@@ -88,24 +70,15 @@ components:
       - name: istiod
         valuesFiles:
           - "values/unicorn/istiod.yaml"
-    images:
-      - cgr.dev/du-uds-defenseunicorns/istio-pilot-fips:1.25.1
-      - cgr.dev/du-uds-defenseunicorns/istio-proxy-fips:1.25.1
-
-  - name: istio-ambient
-    required: false
-    only:
-      flavor: unicorn
-    import:
-      path: ambient
-    charts:
       - name: cni
         valuesFiles:
           - "values/unicorn/cni.yaml"
       - name: ztunnel
         valuesFiles:
           - "values/unicorn/ztunnel.yaml"
     images:
+      - cgr.dev/du-uds-defenseunicorns/istio-pilot-fips:1.25.1
+      - cgr.dev/du-uds-defenseunicorns/istio-proxy-fips:1.25.1
       - cgr.dev/du-uds-defenseunicorns/istio-install-cni:1.25.1
       - cgr.dev/du-uds-defenseunicorns/ztunnel-fips:1.25.1
 

tasks/deploy.yaml

@@ -47,7 +47,7 @@ tasks:
     actions:
       - description: "Deploy UDS Core Base Layer without Ambient (must set UDS_LAYER environment variable)"
         if: ${{ eq .inputs.layer "base"}}
-        cmd: uds zarf package deploy build/zarf-package-core-${{ index .inputs "layer" }}-${UDS_ARCH}-${VERSION}.tar.zst --confirm --no-progress --components '-istio-ambient,*'
+        cmd: uds zarf package deploy build/zarf-package-core-${{ index .inputs "layer" }}-${UDS_ARCH}-${VERSION}.tar.zst --confirm --no-progress --components '*'
       - description: "Deploy a single UDS Core Layer (must set UDS_LAYER environment variable)"
         if: ${{ ne .inputs.layer "base"}}
         cmd: uds zarf package deploy build/zarf-package-core-${{ index .inputs "layer" }}-${UDS_ARCH}-${VERSION}.tar.zst --confirm --no-progress --components '*'