Add --force-apply flag to istio-iptables (istio#52899)

* Add --force-apply flag to istio-iptables * add release notes * add option in injection template * update comment * fix variable name and update injection template * update comments * fix comment * add flags to config print
MorrisLaw · Aug 29, 2024 · 3efb85e · 3efb85e
1 parent e8b4357
commit 3efb85e
Show file tree

Hide file tree

Showing 59 changed files with 112 additions and 3 deletions.
diff --git a/manifests/charts/istio-control/istio-discovery/files/injection-template.yaml b/manifests/charts/istio-control/istio-discovery/files/injection-template.yaml
@@ -125,6 +125,8 @@ spec:
     {{ if .Values.pilot.cni.enabled -}}
     - "--run-validation"
     - "--skip-rule-apply"
+    {{ else if .Values.global.proxy_init.forceApplyIptables -}}
+    - "--force-apply"
     {{ end -}}
     {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
   {{- if .ProxyConfig.ProxyMetadata }}

diff --git a/manifests/charts/istio-control/istio-discovery/values.yaml b/manifests/charts/istio-control/istio-discovery/values.yaml
@@ -377,6 +377,9 @@ defaults:
     proxy_init:
       # Base name for the proxy_init container, used to configure iptables.
       image: proxyv2
+      # Bypasses iptables idempotency handling, and attempts to apply iptables rules regardless of table state, which may cause unrecoverable failures.
+      # Do not use unless you need to work around an issue of the idempotency handling. This flag will be removed in future releases.
+      forceApplyIptables: false
 
     # configure remote pilot and istiod service and endpoint
     remotePilotAddress: ""

diff --git a/manifests/charts/istiod-remote/files/injection-template.yaml b/manifests/charts/istiod-remote/files/injection-template.yaml
@@ -125,6 +125,8 @@ spec:
     {{ if .Values.pilot.cni.enabled -}}
     - "--run-validation"
     - "--skip-rule-apply"
+    {{ else if .Values.global.proxy_init.forceApplyIptables -}}
+    - "--force-apply"
     {{ end -}}
     {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
   {{- if .ProxyConfig.ProxyMetadata }}

diff --git a/manifests/charts/istiod-remote/values.yaml b/manifests/charts/istiod-remote/values.yaml
@@ -315,6 +315,9 @@ defaults:
     proxy_init:
       # Base name for the proxy_init container, used to configure iptables.
       image: proxyv2
+      # Bypasses iptables idempotency handling, and attempts to apply iptables rules regardless of table state, which may cause unrecoverable failures.
+      # Do not use unless you need to work around an issue of the idempotency handling. This flag will be removed in future releases.
+      forceApplyIptables: false
     # configure remote pilot and istiod service and endpoint
     remotePilotAddress: ""
     ##############################################################################################

diff --git a/pkg/kube/inject/testdata/inputs/custom-template.yaml.40.template.gen.yaml b/pkg/kube/inject/testdata/inputs/custom-template.yaml.40.template.gen.yaml
diff --git a/pkg/kube/inject/testdata/inputs/custom-template.yaml.40.values.gen.yaml b/pkg/kube/inject/testdata/inputs/custom-template.yaml.40.values.gen.yaml
diff --git a/pkg/kube/inject/testdata/inputs/default.template.gen.yaml b/pkg/kube/inject/testdata/inputs/default.template.gen.yaml
diff --git a/pkg/kube/inject/testdata/inputs/default.values.gen.yaml b/pkg/kube/inject/testdata/inputs/default.values.gen.yaml
diff --git a/pkg/kube/inject/testdata/inputs/enable-core-dump.yaml.5.template.gen.yaml b/pkg/kube/inject/testdata/inputs/enable-core-dump.yaml.5.template.gen.yaml
diff --git a/pkg/kube/inject/testdata/inputs/enable-core-dump.yaml.5.values.gen.yaml b/pkg/kube/inject/testdata/inputs/enable-core-dump.yaml.5.values.gen.yaml
diff --git a/pkg/kube/inject/testdata/inputs/hello-existing-cncf-networks-json.yaml.16.template.gen.yaml b/pkg/kube/inject/testdata/inputs/hello-existing-cncf-networks-json.yaml.16.template.gen.yaml
diff --git a/pkg/kube/inject/testdata/inputs/hello-existing-cncf-networks-json.yaml.16.values.gen.yaml b/pkg/kube/inject/testdata/inputs/hello-existing-cncf-networks-json.yaml.16.values.gen.yaml
diff --git a/pkg/kube/inject/testdata/inputs/hello-existing-cncf-networks.yaml.15.template.gen.yaml b/pkg/kube/inject/testdata/inputs/hello-existing-cncf-networks.yaml.15.template.gen.yaml
diff --git a/pkg/kube/inject/testdata/inputs/hello-existing-cncf-networks.yaml.15.values.gen.yaml b/pkg/kube/inject/testdata/inputs/hello-existing-cncf-networks.yaml.15.values.gen.yaml
diff --git a/pkg/kube/inject/testdata/inputs/hello-image-pull-secret.yaml.11.template.gen.yaml b/pkg/kube/inject/testdata/inputs/hello-image-pull-secret.yaml.11.template.gen.yaml
diff --git a/pkg/kube/inject/testdata/inputs/hello-image-pull-secret.yaml.11.values.gen.yaml b/pkg/kube/inject/testdata/inputs/hello-image-pull-secret.yaml.11.values.gen.yaml
diff --git a/pkg/kube/inject/testdata/inputs/hello-openshift-custom-injection.yaml.48.template.gen.yaml b/pkg/kube/inject/testdata/inputs/hello-openshift-custom-injection.yaml.48.template.gen.yaml
diff --git a/pkg/kube/inject/testdata/inputs/hello-openshift-custom-injection.yaml.48.values.gen.yaml b/pkg/kube/inject/testdata/inputs/hello-openshift-custom-injection.yaml.48.values.gen.yaml
diff --git a/pkg/kube/inject/testdata/inputs/hello-openshift.yaml.47.template.gen.yaml b/pkg/kube/inject/testdata/inputs/hello-openshift.yaml.47.template.gen.yaml
diff --git a/pkg/kube/inject/testdata/inputs/hello-openshift.yaml.47.values.gen.yaml b/pkg/kube/inject/testdata/inputs/hello-openshift.yaml.47.values.gen.yaml
diff --git a/...testdata/inputs/hello-probes-noProxyHoldApplication-ProxyConfig.yaml.20.template.gen.yaml b/...testdata/inputs/hello-probes-noProxyHoldApplication-ProxyConfig.yaml.20.template.gen.yaml
diff --git a/...t/testdata/inputs/hello-probes-noProxyHoldApplication-ProxyConfig.yaml.20.values.gen.yaml b/...t/testdata/inputs/hello-probes-noProxyHoldApplication-ProxyConfig.yaml.20.values.gen.yaml
diff --git a/pkg/kube/inject/testdata/inputs/hello-probes.yaml.18.template.gen.yaml b/pkg/kube/inject/testdata/inputs/hello-probes.yaml.18.template.gen.yaml
diff --git a/pkg/kube/inject/testdata/inputs/hello-probes.yaml.18.values.gen.yaml b/pkg/kube/inject/testdata/inputs/hello-probes.yaml.18.values.gen.yaml
diff --git a/pkg/kube/inject/testdata/inputs/hello.yaml.0.template.gen.yaml b/pkg/kube/inject/testdata/inputs/hello.yaml.0.template.gen.yaml
diff --git a/pkg/kube/inject/testdata/inputs/hello.yaml.0.values.gen.yaml b/pkg/kube/inject/testdata/inputs/hello.yaml.0.values.gen.yaml
diff --git a/pkg/kube/inject/testdata/inputs/hello.yaml.1.template.gen.yaml b/pkg/kube/inject/testdata/inputs/hello.yaml.1.template.gen.yaml
diff --git a/pkg/kube/inject/testdata/inputs/hello.yaml.1.values.gen.yaml b/pkg/kube/inject/testdata/inputs/hello.yaml.1.values.gen.yaml
diff --git a/pkg/kube/inject/testdata/inputs/hello.yaml.10.template.gen.yaml b/pkg/kube/inject/testdata/inputs/hello.yaml.10.template.gen.yaml
diff --git a/pkg/kube/inject/testdata/inputs/hello.yaml.10.values.gen.yaml b/pkg/kube/inject/testdata/inputs/hello.yaml.10.values.gen.yaml
diff --git a/pkg/kube/inject/testdata/inputs/hello.yaml.12.template.gen.yaml b/pkg/kube/inject/testdata/inputs/hello.yaml.12.template.gen.yaml
diff --git a/pkg/kube/inject/testdata/inputs/hello.yaml.12.values.gen.yaml b/pkg/kube/inject/testdata/inputs/hello.yaml.12.values.gen.yaml
diff --git a/pkg/kube/inject/testdata/inputs/hello.yaml.13.template.gen.yaml b/pkg/kube/inject/testdata/inputs/hello.yaml.13.template.gen.yaml
diff --git a/pkg/kube/inject/testdata/inputs/hello.yaml.13.values.gen.yaml b/pkg/kube/inject/testdata/inputs/hello.yaml.13.values.gen.yaml
diff --git a/pkg/kube/inject/testdata/inputs/hello.yaml.14.template.gen.yaml b/pkg/kube/inject/testdata/inputs/hello.yaml.14.template.gen.yaml
diff --git a/pkg/kube/inject/testdata/inputs/hello.yaml.14.values.gen.yaml b/pkg/kube/inject/testdata/inputs/hello.yaml.14.values.gen.yaml
diff --git a/pkg/kube/inject/testdata/inputs/hello.yaml.17.template.gen.yaml b/pkg/kube/inject/testdata/inputs/hello.yaml.17.template.gen.yaml
diff --git a/pkg/kube/inject/testdata/inputs/hello.yaml.17.values.gen.yaml b/pkg/kube/inject/testdata/inputs/hello.yaml.17.values.gen.yaml
diff --git a/pkg/kube/inject/testdata/inputs/hello.yaml.3.template.gen.yaml b/pkg/kube/inject/testdata/inputs/hello.yaml.3.template.gen.yaml
diff --git a/pkg/kube/inject/testdata/inputs/hello.yaml.3.values.gen.yaml b/pkg/kube/inject/testdata/inputs/hello.yaml.3.values.gen.yaml
diff --git a/pkg/kube/inject/testdata/inputs/hello.yaml.4.template.gen.yaml b/pkg/kube/inject/testdata/inputs/hello.yaml.4.template.gen.yaml
diff --git a/pkg/kube/inject/testdata/inputs/hello.yaml.4.values.gen.yaml b/pkg/kube/inject/testdata/inputs/hello.yaml.4.values.gen.yaml
diff --git a/pkg/kube/inject/testdata/inputs/kubevirtInterfaces.yaml.9.template.gen.yaml b/pkg/kube/inject/testdata/inputs/kubevirtInterfaces.yaml.9.template.gen.yaml
diff --git a/pkg/kube/inject/testdata/inputs/kubevirtInterfaces.yaml.9.values.gen.yaml b/pkg/kube/inject/testdata/inputs/kubevirtInterfaces.yaml.9.values.gen.yaml
diff --git a/pkg/kube/inject/testdata/inputs/merge-probers.yaml.43.template.gen.yaml b/pkg/kube/inject/testdata/inputs/merge-probers.yaml.43.template.gen.yaml
diff --git a/pkg/kube/inject/testdata/inputs/merge-probers.yaml.43.values.gen.yaml b/pkg/kube/inject/testdata/inputs/merge-probers.yaml.43.values.gen.yaml