chore(deps): update istio to v1.3.0

[renovate]

This PR contains the following updates:

Package	Update	Change
kubernetes-sigs/gateway-api	minor	v1.2.1 -> v1.3.0

---

Release Notes

kubernetes-sigs/gateway-api (kubernetes-sigs/gateway-api)

v1.3.0

Compare Source

Changes since v1.3.0-rc.2

• Fixed typo in Retry Budget configuration (#​3762,@​zirain)

Changes since v1.2.1

Noteworthy Changes for Implementors

This section is intended to be a guide for API changes that might inspire or require implementation changes.
None of these API changes represent breaking changes.

OverlappingTLSConfig for Connection Coalescing

A new OverlappingTLSConfig condition has been added to Gateway Listeners to indicate situations where
Connection Coalescing could be problematic. The Gateway specification for handling Hostname and SNI matching for HTTPS
requests has been clarified and now recommends that implementations return 421 HTTP code responses in certain cases.

• Implementation of GEP-3567 - TLS Updates for Connection Coalescing. (#​3630,@​robscott)
• Add GEP-3567: Gateway TLS Updates for HTTP/2 Connection Coalescing. (#​3572,@​robscott)

Move BackendTLSPolicy SubjectAltNames from Core to Extended

• The SubjectAltNames field of BackendTLSPolicy changed from Core to Extended feature. (#​3591,@​mlavacca)

The backendRef filter must send traffic to the correct backends when weighted routing is configured

• A new conformance test was added to ensure backendRef filters don't affect weighted routing. (#​3604,@​dprotaso)

Clarify reasons for certain object status conditions

• Set proper reason for Gateway parametersRef Accepted condition when parametersRef is invalid. (#​3579,@​mlavacca)
• Improve GatewayClass GatewayClassReasonInvalidParameters reason description. (#​3553,@​mlavacca)

BackendTLSPolicy

• CEL validation for target references in BackendTLSPolicy. (#​3496,@​snorwin)

GRPCRoute

• Increase the GRPCRoute match limit from 8 -> 64 (#​3601,@​EyalPazz)

Gateway.Spec.Addresses changes

A new type GatewaySpecAddress replaces GatewayAddress. In GatewayAddress the Value field was required. In
GatewaySpecAddress the Value field is optional. When the Value is unspecified, if an implementation supports that,
it SHOULD automatically assign an address. If an implementation does not support an empty Value, it MUST set the
Programmed condition in status to false with a reason of "AddressNotAssigned". The Addresses field in
Gateway.Spec has changed from type []GatewayAddress to []GatewaySpecAddress.

• Make the value field in Gateway.Spec.Addresses array optional (#​3616,@​EyalPazz)

Standard Channel Additions and Changes

The Standard channel is Gateway API's set of maximally-stable install files.
Only features with the best testing and support are added to the standard
channel. This channel should be considered GA or stable, and future changes will
be fully backwards compatible.

Percentage-Based Request Mirroring 🎉

This feature enhances the existing request mirroring feature
by allowing users to specify a percentage of requests to be mirrored in both HTTPRoute
and GRPCRoute objects.

This feature has graduated to Standard and is now considered GA or Stable.

This feature's name for conformance tests (and GatewayClass status reporting) is
HTTPRouteRequestPercentageMirror.

This feature's status is Extended, meaning that it is optional for
implementations to support. If you're using Experimental Channel, you can refer
to the supportedFeatures field in the status of any GatewayClass.

Relevant PRs:

• Promote percentage-based-request-mirroring GEP-3171 to standard (#​3638,@​LiorLieberman)
• Add conformance tests for percentage-based request mirroring (#​3508,@​LiorLieberman)

Experimental Channel Additions and Changes

The Experimental Channel is Gateway API's channel for testing out changes and
gaining confidence with them before allowing them to go to Standard.

This channel may include features that are changed or removed later!

New experimental resources now start with "X"

This release introduces 2 new experimental resources:

• XBackendTrafficPolicy
• XListenerSet

Both of these resources are described in more detail below. As you may notice,
these resource names start with X and are part of an effort to distinguish
experimental channel resources from standard channel resources.

In addition to the separate names, these resources are also part of the
x-k8s.io API group instead of k8s.io, as a further effort to signal the
experimental nature of these resources.

In practice this means two things:

1. These resources can coexist with standard channel resources
2. Migrating to standard channel will require recreating these resources with
   the standard channel names and API Group (both lacking the "x" prefix)

For more context on this change, refer to the related discussion.

CORS (Cross Origin Resource Sharing) Filter

GEP-1767 describes how to add
configuration of CORS filters on HTTPRoute objects, and in this release, this change
has moved to Experimental.

Please see the GEP reference document or the API reference for the details.

This feature has graduated to Experimental and should now be used for testing
and verification purposes only. Experimental features may be changed or removed
in a future version.

This feature does not currently have a feature name defined.

This feature's status is Extended, meaning that it is optional for
implementations to support.

As there is no feature name or conformance testing available for this feature
yet, please check your implementation's documentation to see if it is supported.

Relevant PRs:

• Implementing CORS Filter for HTTPRoute (#​3637,@​robscott)
• Change HTTPRouteFilter.CORS.AllowCredentials to expect a boolean and not a string (#​3656,@​EyalPazz)
• Add CORS to HTTPRouteFilterType (#​3668,@​EyalPazz)

XListenerSets (Standard Mechanism to Merge Gateways)

GEP-1713 defines a new mechanism to merge listeners into a single
Gateway, and in this release, this change has moved to Experimental. Following a new naming convention, an
experimental object name is prefaced with an X, thus ListenerSet has changed to XListenerSet.
The object group name has changed from gateway.networking.k8s.io to gateway.networking.x-k8s.io.

Please see the GEP reference document or the API reference for the details.

This feature has graduated to Experimental and should now be used for testing
and verification purposes only. Experimental features may be changed or removed
in a future version.

This feature does not currently have a feature name defined.

This feature's status is Extended, meaning that it is optional for
implementations to support.

As there is no feature name or conformance testing available for this feature
yet, please check your implementation's documentation to see if it is supported.

Relevant PRs:

• Clarified what it means for Gateway Listeners to be distinct (#​3477,@​youngnick)
• GEP-1713: Standard Mechanism to Merge Multiple Gateways (#​3213),@​dprotaso)
• Update GEP-1713 - Support attaching ListenerSets across namespaces (#​3632,@​dprotaso)
• GEP-1713: Standard Mechanism to Merge Multiple Gateways - move GEP Link to Experimental (#​3664),@​gcs278)
• Refactor codegen scripts to make it easier to generate two clients (#​3589,@​dprotaso)
• Add ListenerSet GEP-1713 to the website (#​3587,@​dprotaso)
• Introduces ListenerSet API & Generate Clients (in the group gateway.networking.k8s-x.io) (#​3588,@​dprotaso)
• The resource ListenerSet has been renamed to XListenerSet. The Resource BackendTrafficPolicy has been renamed to
  XBackendTrafficPolicy. (#​3682,@​mlavacca)

XBackendTrafficPolicy (Retry Budgets)

GEP-3388
specifies the configuration of a "retry budget" across all endpoints of a destination service in order to prevent
additional client-side retries after reaching a configured threshold. The budget can be configured using a maximum
percentage of active requests, or an interval during which requests will be considered. In this release, this change has
moved to Experimental. Following a new naming convention, an experimental object name is prefaced with an X, thus
BackendTrafficPolicy has changed to XBackendTrafficPolicy. The object group name has changed from
gateway.networking.k8s.io to gateway.networking.x-k8s.io.

Please see the GEP reference document or the API reference for the details.

This feature has graduated to Experimental and should now be used for testing
and verification purposes only. Experimental features may be changed or removed
in a future version.

This feature does not currently have a feature name defined.

This feature's status is Extended, meaning that it is optional for
implementations to support.

As there is no feature name or conformance testing available for this feature
yet, please check your implementation's documentation to see if it is supported.

Relevant PRs:

• Adds a new BackendTrafficPolicy with ability to configure budgeted retries (#​3607,@​ericdbishop)
• Add GEP-3388 HTTP Retry Budget (#​3488,@​ericdbishop)
• The resource ListenerSet has been renamed to XListenerSet. The Resource BackendTrafficPolicy has been renamed to
  XBackendTrafficPolicy. (#​3682,@​mlavacca)
• Retry budget fields are now in their own struct, moving from budgetPercent and budgetInterval to budget.percent
  and budget.interval respectively. (#​3695,@​youngnick)

BackendLBPolicy has been replaced by XBackendTrafficPolicy

In the interest of combining similar concepts in a single policy, we've decided
to merge the contents of BackendLBPolicy (session persistence) into
XBackendTrafficPolicy (retry budgets).

• BackendLBPolicy has been renamed to XBackendTrafficPolicy (#​3692,@​robscott)

GEPs

• Initial draft of Auth GEP-1494 (#​3500,@​youngnick)

Documentation

• For the Gateway infrastructure stanza, the InvalidParameters reason SHOULD be used with the Accepted condition in case the object referenced does not exist, is of an unsupported kind, or is malformed. (#​3579,@​mlavacca)
• Specify default type for sessionPersistence.cookieConfig.lifetimeType (#​3540,@​arkodg)
• Updates docs for the Kuadrant implementation (#​3598,@​jasonmadigan)
• Updates comparison of Gateway API and API Gateway to use the CNCF's definition of the latter (#​3653,@​craigbox)
• Fix 'mkdocs serve' endless build loop (#​3662,@​blake)
• Fix several MkDocs info and warning messages (#​3663,@​blake)
• Fix broken links and spelling (#​3655,@​blake), (#​3615,@​jsoref),
  (#​3657,@​blake),
  (#​3400,@​jsoref),
  (#​3626,@​zirain),
  (#​3565,@​Vaniog),
  (#​3485,@​fatsheep9146)
• GRPCRoute name is not set (#​3639,@​Xunhuo)
• Update GEPs in navbar (#​3634,@​blake)
• Remove experimental callout on GRPCRoute guide (#​3595,@​blake)
• Fix GRPCRoute structure definition error in the document (#​3344,@​0xff-dev)
• Add Gateway For Mesh section to the GEP template (#​3577,@​LiorLieberman)
• Fix group description in LocalObjectReference (empty string infers core API group) (#​3597,@​EyalPazz)
• Remove "experimental" language from gamma implementations (#​3580,@​LiorLieberman)
• Clarify frontend/backend relationship in GEP-91 (#​3571,@​htuch)

Cleanup

• Remove mkdocs-material-extensions from requirements.txt (#​3666, @​gcs278)
• Remove extra newlines and format descriptions of items for code generation (#​3574,@​snorwin)
• Fix mkdocs so at least 3 conformance reports are uploaded before update (#​3549,@​xtineskim)
• Dependencies have been upgraded to Kubernetes v1.32 and Go v1.24 (#​3697,@​robscott)

Bug or Regression

• Sort api versions when updating clientset during code generation (#​3652,@​bentheelder)
• Retry failed calls when waiting for namespace ready in tests (#​3627,@​aojea)
• Some tests are not formatted properly (#​3610,@​EyalPazz)
• Doesn't allow a user to provide both an asterisk and another method/s along with it in HTTPCORSFilter.AllowMethods
  (#​3667,@​EyalPazz)

Dependencies

Added

• github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp: v1.25.0
• github.com/Masterminds/goutils: v1.1.1
• github.com/Masterminds/semver: v1.5.0
• github.com/Masterminds/sprig: v2.22.0+incompatible
• github.com/elastic/crd-ref-docs: v0.1.0
• github.com/envoyproxy/go-control-plane/envoy: v1.32.4
• github.com/envoyproxy/go-control-plane/ratelimit: v0.1.0
• github.com/go-playground/locales: v0.13.0
• github.com/go-playground/universal-translator: v0.17.0
• github.com/go-playground/validator/v10: v10.4.1
• github.com/goccy/go-yaml: v1.11.3
• github.com/huandu/xstrings: v1.3.3
• github.com/leodido/go-urn: v1.2.0
• github.com/mitchellh/copystructure: v1.2.0
• github.com/mitchellh/reflectwalk: v1.0.2
• go.opentelemetry.io/auto/sdk: v1.1.0
• go.opentelemetry.io/contrib/detectors/gcp: v1.34.0
• go.opentelemetry.io/otel/sdk/metric: v1.34.0

Changed

• cel.dev/expr: v0.16.0 → v0.19.1
• cloud.google.com/go/compute/metadata: v0.5.0 → v0.6.0
• github.com/cncf/xds/go: 024c85f → cff3c89
• github.com/envoyproxy/go-control-plane: v0.13.0 → v0.13.4
• github.com/envoyproxy/protoc-gen-validate: v1.1.0 → v1.2.1
• github.com/evanphx/json-patch/v5: v5.9.0 → v5.9.11
• github.com/golang/glog: v1.2.2 → v1.2.4
• github.com/google/btree: v1.0.1 → v1.1.3
• github.com/google/cel-go: v0.20.1 → v0.22.0
• github.com/google/pprof: 4bfdf5a → d1b30fe
• github.com/gregjones/httpcache: 9cad4c3 → 901d907
• github.com/imdario/mergo: v0.3.16 → v0.3.11
• github.com/jessevdk/go-flags: v1.4.0 → v1.6.1
• github.com/jonboulle/clockwork: v0.2.2 → v0.4.0
• github.com/miekg/dns: v1.1.62 → v1.1.64
• github.com/moby/spdystream: v0.4.0 → v0.5.0
• github.com/onsi/ginkgo/v2: v2.19.0 → v2.22.0
• github.com/onsi/gomega: v1.34.2 → v1.36.2
• github.com/spf13/pflag: v1.0.5 → v1.0.6
• github.com/stoewer/go-strcase: v1.2.0 → v1.3.0
• github.com/xiang90/probing: 43a291a → a49e3df
• go.etcd.io/bbolt: v1.3.9 → v1.3.11
• go.etcd.io/etcd/api/v3: v3.5.14 → v3.5.16
• go.etcd.io/etcd/client/pkg/v3: v3.5.14 → v3.5.16
• go.etcd.io/etcd/client/v2: v2.305.13 → v2.305.16
• go.etcd.io/etcd/client/v3: v3.5.14 → v3.5.16
• go.etcd.io/etcd/pkg/v3: v3.5.13 → v3.5.16
• go.etcd.io/etcd/raft/v3: v3.5.13 → v3.5.16
• go.etcd.io/etcd/server/v3: v3.5.13 → v3.5.16
• go.opentelemetry.io/otel/metric: v1.28.0 → v1.34.0
• go.opentelemetry.io/otel/sdk: v1.28.0 → v1.34.0
• go.opentelemetry.io/otel/trace: v1.28.0 → v1.34.0
• go.opentelemetry.io/otel: v1.28.0 → v1.34.0
• go.uber.org/zap: v1.26.0 → v1.27.0
• golang.org/x/crypto: v0.29.0 → v0.33.0
• golang.org/x/exp: fe59bbe → 8a7402a
• golang.org/x/mod: v0.21.0 → v0.23.0
• golang.org/x/net: v0.31.0 → v0.35.0
• golang.org/x/oauth2: v0.22.0 → v0.25.0
• golang.org/x/sync: v0.9.0 → v0.11.0
• golang.org/x/sys: v0.27.0 → v0.30.0
• golang.org/x/term: v0.26.0 → v0.29.0
• golang.org/x/text: v0.20.0 → v0.22.0
• golang.org/x/time: v0.5.0 → v0.7.0
• golang.org/x/tools: v0.26.0 → v0.30.0
• golang.org/x/xerrors: 04be3eb → 104605a
• google.golang.org/genproto: b8732ec → ef43131
• google.golang.org/genproto/googleapis/api: ddb44da → 5f5ef82
• google.golang.org/genproto/googleapis/rpc: ddb44da → 1a7da9e
• google.golang.org/grpc: v1.67.1 → v1.71.0
• google.golang.org/protobuf: v1.35.2 → v1.36.5
• k8s.io/api: v0.31.3 → v0.32.2
• k8s.io/apiextensions-apiserver: v0.31.3 → v0.32.2
• k8s.io/apimachinery: v0.31.3 → v0.32.2
• k8s.io/apiserver: v0.31.3 → v0.32.2
• k8s.io/client-go: v0.31.3 → v0.32.2
• k8s.io/code-generator: v0.31.3 → v0.32.2
• k8s.io/component-base: v0.31.3 → v0.32.2
• k8s.io/gengo/v2: 51d4e06 → 2b36238
• k8s.io/kms: v0.31.3 → v0.32.2
  k8s.io/kube-openapi: 8948a66 → 32ad38e
• k8s.io/utils: 18e509b → 3ea5e8c
• sigs.k8s.io/apiserver-network-proxy/konnectivity-client: v0.30.3 → v0.31.0
• sigs.k8s.io/controller-runtime: v0.19.1 → v0.20.3
• sigs.k8s.io/controller-tools: v0.16.5 → v0.17.2
• sigs.k8s.io/json: bc3834c → 9aa6b5e
• sigs.k8s.io/structured-merge-diff/v4: v4.4.3 → v4.5.0

Removed

• github.com/ahmetb/gen-crd-api-reference-docs: v0.3.0
• github.com/census-instrumentation/opencensus-proto: v0.4.1
• github.com/golang/groupcache: 41bb18b
• github.com/kr/pty: v1.1.1
• github.com/shurcooL/sanitized_anchor_name: v1.0.0
• k8s.io/gengo: 9cce18d
• k8s.io/klog: v0.2.0

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.