bump istio to v1.20.2 (knative-extensions#1237)

Author: dprotaso

go.mod

@@ -7,8 +7,8 @@ require (
 go.uber.org/zap v1.26.0
 golang.org/x/sync v0.6.0
 google.golang.org/protobuf v1.32.0
-istio.io/api v1.20.0
-istio.io/client-go v1.20.0
+istio.io/api v1.20.2
+istio.io/client-go v1.20.2
 k8s.io/api v0.28.5
 k8s.io/apimachinery v0.28.5
 k8s.io/client-go v0.28.5

go.sum

@@ -666,10 +666,10 @@ honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWh
 honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg=
 honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
 honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
-istio.io/api v1.20.0 h1:heE1eQoMsuZlwWOf7Xm8TKqKLNKVs11G/zMe5QyR1u4=
-istio.io/api v1.20.0/go.mod h1:hm1PE/mGdIAsjCDkTIAplP53H7TjO5LUQCiVvF26SVg=
-istio.io/client-go v1.20.0 h1:TSSv6A4sYvuBtoKOwyuRmBmPwSb4s++lWlh7RB7+7gY=
-istio.io/client-go v1.20.0/go.mod h1:6D76gZsdjz8JtVeIarUYdOn3WA8Zh+j8fIv2+2K3M+Q=
+istio.io/api v1.20.2 h1:VjkJB1EfrZt77bcavr1P/3PrO8AP3lOSQsYiYOnGGBU=
+istio.io/api v1.20.2/go.mod h1:hm1PE/mGdIAsjCDkTIAplP53H7TjO5LUQCiVvF26SVg=
+istio.io/client-go v1.20.2 h1:FL99qw5f5W+QFPHutLpGOoPmoKgLwNFrGCEemAvLm00=
+istio.io/client-go v1.20.2/go.mod h1:mub0nwPDAj98cjns7KYLzbvDk0Fg9rx0k2o+KZ4UIUY=
 k8s.io/api v0.28.5 h1:XIPNr3nBgTEaCdEiwZ+dXaO9SB4NeTOZ2pNDRrFgfb4=
 k8s.io/api v0.28.5/go.mod h1:98zkTCc60iSnqqCIyCB1GI7PYDiRDYTSfL0PRIxpM4c=
 k8s.io/apiextensions-apiserver v0.28.5 h1:YKW9O9T/0Gkyl6LTFDLIhCbouSRh+pHt2vMLB38Snfc=

hack/update-k8s-deps.sh

@@ -16,4 +16,4 @@
 
 source "$(dirname $0)/../library.sh"
 
-generate "1.20.0" "$(dirname $0)"
+generate "1.20.2" "$(dirname $0)"

third_party/istio-latest/generate-manifests.sh

@@ -85,31 +85,48 @@ metadata:
  istio.io/rev: default
  operator.istio.io/component: Cni
  release: istio
- name: istio-cni-repair-role
+ name: istio-cni-ambient
 rules:
  - apiGroups:
  - ""
  resources:
- - pods
+ - pods/status
  verbs:
- - get
- - list
- - watch
- - delete
  - patch
  - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ app: istio-cni
+ install.operator.istio.io/owning-resource: unknown
+ istio.io/rev: default
+ operator.istio.io/component: Cni
+ release: istio
+ name: istio-cni-repair-role
+rules:
  - apiGroups:
  - ""
  resources:
  - events
  verbs:
+ - create
+ - patch
+ - apiGroups:
+ - ""
+ resources:
+ - pods
+ verbs:
+ - watch
  - get
  - list
- - watch
+ - apiGroups:
+ - ""
+ resources:
+ - pods
+ verbs:
  - delete
- - patch
- - update
- - create
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -466,6 +483,24 @@ subjects:
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
+metadata:
+ labels:
+ install.operator.istio.io/owning-resource: unknown
+ istio.io/rev: default
+ k8s-app: istio-cni-repair
+ operator.istio.io/component: Cni
+ name: istio-cni-ambient
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: istio-cni-ambient
+subjects:
+ - kind: ServiceAccount
+ name: istio-cni
+ namespace: istio-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
 metadata:
  labels:
  install.operator.istio.io/owning-resource: unknown
@@ -828,14 +863,19 @@ spec:
  type: object
  type: object
  targetRef:
+ description: Optional.
  properties:
  group:
+ description: group is the group of the target resource.
  type: string
  kind:
+ description: kind is kind of the target resource.
  type: string
  name:
+ description: name is the name of the target resource.
  type: string
  namespace:
+ description: namespace is the namespace of the referent.
  type: string
  type: object
  type: object
@@ -1023,14 +1063,19 @@ spec:
  type: object
  type: object
  targetRef:
+ description: Optional.
  properties:
  group:
+ description: group is the group of the target resource.
  type: string
  kind:
+ description: kind is kind of the target resource.
  type: string
  name:
+ description: name is the name of the target resource.
  type: string
  namespace:
+ description: namespace is the namespace of the referent.
  type: string
  type: object
  type: object
@@ -1607,7 +1652,7 @@ spec:
  description: The name of the secret that holds the TLS certs for the client including the CA certificates.
  type: string
  insecureSkipVerify:
- description: InsecureSkipVerify specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host.
+ description: '`insecureSkipVerify` specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host.'
  nullable: true
  type: boolean
  mode:
@@ -1645,7 +1690,7 @@ spec:
  description: The name of the secret that holds the TLS certs for the client including the CA certificates.
  type: string
  insecureSkipVerify:
- description: InsecureSkipVerify specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host.
+ description: '`insecureSkipVerify` specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host.'
  nullable: true
  type: boolean
  mode:
@@ -2191,7 +2236,7 @@ spec:
  description: The name of the secret that holds the TLS certs for the client including the CA certificates.
  type: string
  insecureSkipVerify:
- description: InsecureSkipVerify specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host.
+ description: '`insecureSkipVerify` specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host.'
  nullable: true
  type: boolean
  mode:
@@ -2229,7 +2274,7 @@ spec:
  description: The name of the secret that holds the TLS certs for the client including the CA certificates.
  type: string
  insecureSkipVerify:
- description: InsecureSkipVerify specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host.
+ description: '`insecureSkipVerify` specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host.'
  nullable: true
  type: boolean
  mode:
@@ -2827,7 +2872,7 @@ spec:
  description: The name of the secret that holds the TLS certs for the client including the CA certificates.
  type: string
  insecureSkipVerify:
- description: InsecureSkipVerify specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host.
+ description: '`insecureSkipVerify` specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host.'
  nullable: true
  type: boolean
  mode:
@@ -2865,7 +2910,7 @@ spec:
  description: The name of the secret that holds the TLS certs for the client including the CA certificates.
  type: string
  insecureSkipVerify:
- description: InsecureSkipVerify specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host.
+ description: '`insecureSkipVerify` specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host.'
  nullable: true
  type: boolean
  mode:
@@ -3411,7 +3456,7 @@ spec:
  description: The name of the secret that holds the TLS certs for the client including the CA certificates.
  type: string
  insecureSkipVerify:
- description: InsecureSkipVerify specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host.
+ description: '`insecureSkipVerify` specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host.'
  nullable: true
  type: boolean
  mode:
@@ -3449,7 +3494,7 @@ spec:
  description: The name of the secret that holds the TLS certs for the client including the CA certificates.
  type: string
  insecureSkipVerify:
- description: InsecureSkipVerify specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host.
+ description: '`insecureSkipVerify` specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host.'
  nullable: true
  type: boolean
  mode:
@@ -4344,14 +4389,19 @@ spec:
  type: object
  type: object
  targetRef:
+ description: Optional.
  properties:
  group:
+ description: group is the group of the target resource.
  type: string
  kind:
+ description: kind is kind of the target resource.
  type: string
  name:
+ description: name is the name of the target resource.
  type: string
  namespace:
+ description: namespace is the namespace of the referent.
  type: string
  type: object
  type: object
@@ -4442,14 +4492,19 @@ spec:
  type: object
  type: object
  targetRef:
+ description: Optional.
  properties:
  group:
+ description: group is the group of the target resource.
  type: string
  kind:
+ description: kind is kind of the target resource.
  type: string
  name:
+ description: name is the name of the target resource.
  type: string
  namespace:
+ description: namespace is the namespace of the referent.
  type: string
  type: object
  type: object
@@ -5587,14 +5642,19 @@ spec:
  type: object
  type: object
  targetRef:
+ description: Optional.
  properties:
  group:
+ description: group is the group of the target resource.
  type: string
  kind:
+ description: kind is kind of the target resource.
  type: string
  name:
+ description: name is the name of the target resource.
  type: string
  namespace:
+ description: namespace is the namespace of the referent.
  type: string
  type: object
  tracing:
@@ -7467,14 +7527,19 @@ spec:
  pattern: (^$|^[a-f0-9]{64}$)
  type: string
  targetRef:
+ description: Optional.
  properties:
  group:
+ description: group is the group of the target resource.
  type: string
  kind:
+ description: kind is kind of the target resource.
  type: string
  name:
+ description: name is the name of the target resource.
  type: string
  namespace:
+ description: namespace is the namespace of the referent.
  type: string
  type: object
  type:
@@ -9911,7 +9976,7 @@ data:
  "sts": {
  "servicePort": 0
  },
- "tag": "1.20.0",
+ "tag": "1.20.2",
  "tracer": {
  "datadog": {},
  "lightstep": {},
@@ -10061,7 +10126,7 @@ spec:
  valueFrom:
  fieldRef:
  fieldPath: spec.nodeName
- image: docker.io/istio/proxyv2:1.20.0
+ image: docker.io/istio/proxyv2:1.20.2
  name: istio-proxy
  ports:
  - containerPort: 15021
@@ -10265,7 +10330,7 @@ spec:
  resource: limits.cpu
  - name: PLATFORM
  value: ""
- image: docker.io/istio/pilot:1.20.0-distroless
+ image: docker.io/istio/pilot:1.20.2-distroless
  name: discovery
  ports:
  - containerPort: 8080
@@ -10713,9 +10778,11 @@ spec:
  fieldRef:
  fieldPath: spec.nodeName
  - name: REPAIR_LABEL_PODS
- value: "true"
+ value: "false"
  - name: REPAIR_DELETE_PODS
  value: "true"
+ - name: REPAIR_REPAIR_PODS
+ value: "false"
  - name: REPAIR_RUN_AS_DAEMON
  value: "true"
  - name: REPAIR_SIDECAR_ANNOTATION
@@ -10743,7 +10810,7 @@ spec:
  valueFrom:
  resourceFieldRef:
  resource: limits.cpu
- image: docker.io/istio/install-cni:1.20.0
+ image: docker.io/istio/install-cni:1.20.2
  name: install-cni
  readinessProbe:
  httpGet:
@@ -10859,7 +10926,7 @@ spec:
  valueFrom:
  fieldRef:
  fieldPath: spec.serviceAccountName
- image: docker.io/istio/ztunnel:1.20.0-distroless
+ image: docker.io/istio/ztunnel:1.20.2-distroless
  name: istio-proxy
  ports:
  - containerPort: 15020