Merge branch 'master' into tarilabs-20251210

tarilabs · web-flow · commit c19f18fe1067 · 2025-12-10T18:01:28.000+01:00
Signed-off-by: Matteo Mortari &lt;matteo.mortari@gmail.com&gt;
diff --git a/.github/workflows/model_registry_test.yaml b/.github/workflows/model_registry_test.yaml
@@ -19,11 +19,12 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout
-      uses: actions/checkout@v4
+      uses: actions/checkout@v5
 
     - name: Install KinD, Create KinD cluster and Install kustomize
       run: ./tests/install_KinD_create_KinD_cluster_install_kustomize.sh
 
+    # TODO it works well for KFP and other MySQL deployments and should be removed.
     - name: Remove AppArmor profile for mysql in KinD on GHA # https://github.com/kubeflow/manifests/issues/2507
       run: |
         set -x
diff --git a/README.md b/README.md
@@ -107,10 +107,10 @@ The `example` directory contains an example kustomization for the single command
 :warning: In both options, we use a default email (`user@example.com`) and password (`12341234`). For any production Kubeflow deployment, you should change the default password by following [the relevant section](#change-default-user-password).
 
 ### Prerequisites
-- This is the master branch, which targets Kubernetes version 1.32.
+- This is the master branch, which targets Kubernetes version 1.34+.
 - For the specific Kubernetes version per release, consult the [release notes](https://github.com/kubeflow/manifests/releases).
 - Either our local Kind (installed below) or your own Kubernetes cluster with a default [StorageClass](https://kubernetes.io/docs/concepts/storage/storage-classes/).
-- Kustomize version [5.4.3+](https://github.com/kubernetes-sigs/kustomize/releases/tag/kustomize%2Fv5.4.3).
+- Kustomize version [5.7.1](https://github.com/kubernetes-sigs/kustomize/releases/tag/kustomize%2Fv5.7.1).
 - Kubectl version compatible with your Kubernetes cluster ([Version Skew Policy](https://kubernetes.io/releases/version-skew-policy/#kubectl)).
 
 ---
@@ -139,7 +139,7 @@ kind: Cluster
 apiVersion: kind.x-k8s.io/v1alpha4
 nodes:
 - role: control-plane
-  image: kindest/node:v1.32.0@sha256:c48c62eac5da28cdadcf560d1d8616cfa6783b58f0d94cf63ad1bf49600cb027
+  image: kindest/node:v1.34.0@sha256:7416a61b42b1662ca6ca89f02028ac133a309a2a30ba309614e8ec94d976dc5a
   kubeadmConfigPatches:
   - |
     kind: ClusterConfiguration
@@ -767,3 +767,5 @@ pre-commit run
 
 
 
+
+
diff --git a/common/istio/istio-install/base/install.yaml b/common/istio/istio-install/base/install.yaml
@@ -2904,11 +2904,13 @@ data:
               "memory": "1024Mi"
             },
             "requests": {
-              "cpu": "100m",
-              "memory": "128Mi"
+              "cpu": "10m",
+              "memory": "40Mi"
             }
           },
-          "seccompProfile": {},
+          "seccompProfile": {
+            "type": "RuntimeDefault"
+          },
           "startupProbe": {
             "enabled": true,
             "failureThreshold": 600
@@ -2917,8 +2919,17 @@ data:
           "tracer": "none"
         },
         "proxy_init": {
-          "forceApplyIptables": false,
-          "image": "proxyv2"
+          "image": "proxyv2",
+          "resources": {
+            "limits": {
+              "cpu": "2000m",
+              "memory": "1024Mi"
+            },
+            "requests": {
+              "cpu": "10m",
+              "memory": "10Mi"
+            }
+          }
         },
         "remotePilotAddress": "",
         "resourceScope": "all",
@@ -2941,7 +2952,7 @@ data:
               "memory": "1Gi"
             },
             "requests": {
-              "cpu": "100m",
+              "cpu": "10m",
               "memory": "128Mi"
             }
           },
diff --git a/common/istio/istio-install/base/kustomization.yaml b/common/istio/istio-install/base/kustomization.yaml
@@ -13,6 +13,7 @@ resources:
 patches:
 - path: patches/service.yaml
 - path: patches/istio-configmap-disable-tracing.yaml
+- path: patches/istio-sidecar-injector-patch.yaml
 - path: patches/disable-debugging.yaml
 - path: patches/seccomp-istio-ingressgateway.yaml
 - path: patches/seccomp-istiod.yaml
diff --git a/common/istio/istio-install/base/patches/istio-sidecar-injector-patch.yaml b/common/istio/istio-install/base/patches/istio-sidecar-injector-patch.yaml
@@ -0,0 +1,153 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: istio-sidecar-injector
+  namespace: istio-system
+data:
+  values: |-
+    {
+      "gateways": {
+        "seccompProfile": {
+          "type": "RuntimeDefault"
+        },
+        "securityContext": {}
+      },
+      "global": {
+        "caAddress": "",
+        "caName": "",
+        "certSigners": [],
+        "configCluster": false,
+        "configValidation": true,
+        "defaultPodDisruptionBudget": {
+          "enabled": true
+        },
+        "defaultResources": {
+          "requests": {
+            "cpu": "10m"
+          }
+        },
+        "externalIstiod": false,
+        "hub": "gcr.io/istio-release",
+        "imagePullPolicy": "",
+        "imagePullSecrets": [],
+        "istioNamespace": "istio-system",
+        "istiod": {
+          "enableAnalysis": false
+        },
+        "logAsJson": false,
+        "logging": {
+          "level": "default:info"
+        },
+        "meshID": "",
+        "meshNetworks": {},
+        "mountMtlsCerts": false,
+        "multiCluster": {
+          "clusterName": ""
+        },
+        "nativeNftables": false,
+        "network": "",
+        "networkPolicy": {
+          "enabled": false
+        },
+        "omitSidecarInjectorConfigMap": false,
+        "operatorManageWebhooks": false,
+        "pilotCertProvider": "istiod",
+        "priorityClassName": "",
+        "proxy": {
+          "autoInject": "enabled",
+          "clusterDomain": "cluster.local",
+          "componentLogLevel": "misc:error",
+          "excludeIPRanges": "",
+          "excludeInboundPorts": "",
+          "excludeOutboundPorts": "",
+          "image": "proxyv2",
+          "includeIPRanges": "*",
+          "includeInboundPorts": "*",
+          "includeOutboundPorts": "",
+          "logLevel": "warning",
+          "outlierLogPath": "",
+          "privileged": false,
+          "readinessFailureThreshold": 4,
+          "readinessInitialDelaySeconds": 0,
+          "readinessPeriodSeconds": 15,
+          "resources": {
+            "limits": {
+              "cpu": "2000m",
+              "memory": "1024Mi"
+            },
+            "requests": {
+              "cpu": "10m",
+              "memory": "40Mi"
+            }
+          },
+          "seccompProfile": {
+            "type": "RuntimeDefault"
+          },
+          "startupProbe": {
+            "enabled": true,
+            "failureThreshold": 600
+          },
+          "statusPort": 15020,
+          "tracer": "none"
+        },
+        "proxy_init": {
+          "image": "proxyv2",
+          "resources": {
+            "limits": {
+              "cpu": "2000m",
+              "memory": "1024Mi"
+            },
+            "requests": {
+              "cpu": "10m",
+              "memory": "10Mi"
+            }
+          }
+        },
+        "remotePilotAddress": "",
+        "resourceScope": "all",
+        "sds": {
+          "token": {
+            "aud": "istio-ca"
+          }
+        },
+        "sts": {
+          "servicePort": 0
+        },
+        "tag": "1.28.0",
+        "variant": "",
+        "waypoint": {
+          "affinity": {},
+          "nodeSelector": {},
+          "resources": {
+            "limits": {
+              "cpu": "2",
+              "memory": "1Gi"
+            },
+            "requests": {
+              "cpu": "10m",
+              "memory": "128Mi"
+            }
+          },
+          "tolerations": [],
+          "topologySpreadConstraints": []
+        }
+      },
+      "pilot": {
+        "cni": {
+          "enabled": true,
+          "provider": "default"
+        },
+        "env": {}
+      },
+      "revision": "",
+      "sidecarInjectorWebhook": {
+        "alwaysInjectSelector": [],
+        "defaultTemplates": [],
+        "enableNamespacesByDefault": false,
+        "injectedAnnotations": {},
+        "neverInjectSelector": [],
+        "reinvocationPolicy": "Never",
+        "rewriteAppHTTPProbe": true,
+        "templates": {}
+      }
+    }
diff --git a/scripts/synchronize-istio-manifests.sh b/scripts/synchronize-istio-manifests.sh
@@ -38,10 +38,6 @@ mv $ISTIO_DIRECTORY/install.yaml $ISTIO_DIRECTORY/istio-install/base/
 mv $ISTIO_DIRECTORY/cluster-local-gateway.yaml $ISTIO_DIRECTORY/cluster-local-gateway/base/
 rm dump.yaml
 
-echo "Generating non-CNI manifests (insecure overlay)..."
-$ISTIOCTL manifest generate -f profile.yaml -f profile-overlay.yaml \
-  --set components.cni.enabled=false > istio-install/overlays/insecure/install-insecure.yaml
-
 echo "Generating ztunnel manifests (ambient mode)..."
 $ISTIOCTL manifest generate -f profile.yaml -f profile-overlay.yaml \
   --set components.cni.enabled=true \
@@ -52,6 +48,9 @@ rm dump-ztunnel.yaml crd.yaml install.yaml cluster-local-gateway.yaml
 
 check_uncommitted_changes
 
+echo "Updating tag in istio-sidecar-injector-patch.yaml..."
+sed -i "s/\"tag\": \".*\"/\"tag\": \"$COMMIT\"/" $ISTIO_DIRECTORY/istio-install/base/patches/istio-sidecar-injector-patch.yaml
+
 SOURCE_TEXT="\[.*\](https://github.com/istio/istio/releases/tag/.*)"
 DESTINATION_TEXT="\[$COMMIT\](https://github.com/istio/istio/releases/tag/$COMMIT)"
 
diff --git a/tests/install_KinD_create_KinD_cluster_install_kustomize.sh b/tests/install_KinD_create_KinD_cluster_install_kustomize.sh
@@ -20,7 +20,7 @@ if [ -e /swapfile ]; then
 fi
 
 {
-    curl -Lo ./kind https://kind.sigs.k8s.io/dl/v0.29.0/kind-linux-amd64
+    curl -Lo ./kind https://kind.sigs.k8s.io/dl/v0.30.0/kind-linux-amd64
     chmod +x ./kind
     sudo mv kind /usr/local/bin
 } || { echo "Failed to install KinD"; exit 1; }
@@ -49,19 +49,19 @@ kubeadmConfigPatches:
         \"service-account-signing-key-file\": \"/etc/kubernetes/pki/sa.key\"
 nodes:
 - role: control-plane
-  image: kindest/node:v1.33.1@sha256:050072256b9a903bd914c0b2866828150cb229cea0efe5892e2b644d5dd3b34f
+  image: kindest/node:v1.34.0@sha256:7416a61b42b1662ca6ca89f02028ac133a309a2a30ba309614e8ec94d976dc5a
 - role: worker
-  image: kindest/node:v1.33.1@sha256:050072256b9a903bd914c0b2866828150cb229cea0efe5892e2b644d5dd3b34f
+  image: kindest/node:v1.34.0@sha256:7416a61b42b1662ca6ca89f02028ac133a309a2a30ba309614e8ec94d976dc5a
 - role: worker
-  image: kindest/node:v1.33.1@sha256:050072256b9a903bd914c0b2866828150cb229cea0efe5892e2b644d5dd3b34f
+  image: kindest/node:v1.34.0@sha256:7416a61b42b1662ca6ca89f02028ac133a309a2a30ba309614e8ec94d976dc5a
 " | kind create cluster --config - --wait 120s
 
 kubectl cluster-info
 
 echo "Install Kustomize ..."
 {
-    curl --silent --location --remote-name "https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize%2Fv5.4.3/kustomize_v5.4.3_linux_amd64.tar.gz"
-    tar -xzvf kustomize_v5.4.3_linux_amd64.tar.gz
+    curl --silent --location --remote-name "https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize%2Fv5.7.1/kustomize_v5.7.1_linux_amd64.tar.gz"
+    tar -xzvf kustomize_v5.7.1_linux_amd64.tar.gz
     chmod a+x kustomize
     sudo mv kustomize /usr/local/bin/kustomize
 } || { echo "Failed to install Kustomize"; exit 1; }
