Feat: Migrated to Istio 1.26.1 and merged istio and istio cni

[madmecodes]

✏️ Summary of Changes

• Merged istio-1-24 and istio-cni-1-24 into unified common/istio
• CNI-enabled Istio as default configuration
• Minimal insecure overlay for environments without CNI support
• Updated from Istio 1.24.3 to 1.26.1
• Updated all references across codebase

Installation Options

# Default CNI (recommended)
kubectl apply -k common/istio/istio-install/overlays/oauth2-proxy

# Insecure (CNI-disabled)
kubectl apply -k common/istio/istio-install/overlays/insecure

Verification

CNI Installation (Default):

kubectl logs -n istio-system deployment/istiod | grep cni
# Output: CniNamespace: istio-system

kubectl label namespace default istio-injection=enabled
kubectl create deployment test --image=nginx
kubectl get pod -l app=test -o yaml | grep "name: istio-proxy"
# Output: Shows istio-proxy sidecar injected

Insecure Installation:

kubectl logs -n istio-system deployment/istiod | grep cni  
# Output: CniNamespace: ""

kubectl create deployment test --image=nginx
kubectl get pod -l app=test -o yaml | grep initContainers
# Output: No initContainers, no sidecar injection

Dependencies

none

Related Issues

none

✅ Contributor Checklist

• I have tested these changes with kustomize. See Installation Prerequisites.
• All commits are signed-off to satisfy the DCO check.
• I have considered adding my company to the adopters page to support Kubeflow and help the community, since I expect help from the community for my issue (see 1. and 2.).

---

You can join the CNCF Slack and access our meetings at the Kubeflow Community website. Our channel on the CNCF Slack is here #kubeflow-platform.

[juliusvonkohout]

Please rebase, there were a lot of test file changes.

[juliusvonkohout]

Lets also use istio-install/overlays/legacy instead of standard. Or maybe even just "insecure"

[madmecodes]

@juliusvonkohout
The Problem i'm facing right now is on applying, common/istio-1-26/istio-install/overlays/insecure, istio-cni daemon set still present its not getting deleted, looking into this.

PS: solved, pushing the code

[madmecodes]

@juliusvonkohout Open for feedback

[madmecodes]

Kserve failing tests were fixed in this PR #3148

[juliusvonkohout]

I think you can leave out the switch documentation and we shall always apply istio with the oauth2-proxy configuration

[madmecodes]

removed

[juliusvonkohout]

Please also remove the version number and make sure that a diff -u of the manifests for istio yields exactly the same

[juliusvonkohout]

Kserve failing tests were fixed in this PR #3148

Are you really sure. The other PR also has to be reworked.

[juliusvonkohout]

And let's remove the version number 1-26 from the folder path and update the script in /scripts accordingly. It should be an in-place upgrade from now on.

[madmecodes]

@juliusvonkohout There was a small issue in the Kserve test, this passed success: #3155

shall i do the changes in this PR only or rebase?

[madmecodes]

rebased

[juliusvonkohout]

Please redo this from scratch. It should only patch out the CNI enablement in the sidecar. Nothing else. More than 30 line sin total is probably not the right way. Especially more than 20.000 lines. We dont want to maintain this many lines.

[juliusvonkohout]

What did you do with

        - name: EXTERNAL_ISTIOD
          value: "false"
        - name: PILOT_ENABLE_CROSS_CLUSTER_WORKLOAD_ENTRY
          value: "true"
        - name: PILOT_ENABLE_WORKLOAD_ENTRY_AUTOREGISTRATION
          value: "true"
        - name: PILOT_SKIP_VALIDATE_TRUST_DOMAIN
          value: "true"

Why did you add this? WHy is it needed to disable istio-cni?

where is the simple inline delete patch for the daemonset?

[juliusvonkohout]

Please test locally execttly the GHA with a fresh cluster, nothing else. I assume that for the insecure version you have to patch the kuberflwo, knative-serving, auth etc. namepsace PSS labels from enforce to warning in the insecure overlay.

[juliusvonkohout]

kubeflow, oauth2-proxy. auth, knative-serving, the user namespace etc. are missing.

[madmecodes]

adding them in a new commit

[madmecodes]

@juliusvonkohout Kserve and Istio tests have passed now

[juliusvonkohout]

Why is this needed? i think the profile controller creates it by default

[juliusvonkohout]

- name: Apply Pod Security Standards baseline levels
  if: matrix.istio-mode == 'cni'
  run: ./tests/PSS_baseline_enable.sh can be removed. Most of them are PSS restricted by default now.

[juliusvonkohout]

Thank you.

Please check https://github.com/kubeflow/manifests/pull/3153/files#r2154276621 in a follow up PR
/lgtm
/approve

[google-oss-prow]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: juliusvonkohout

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [juliusvonkohout]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment