chore(release): Add a new release: metrics-server

A new release is added to the cluster:
		  Name: metrics-server 
		  Namespace: kube-system
		  Version: 3.11.0
		  Chart: metrics-server/metrics-server

charts/base-istio-base/Chart.yaml

@@ -0,0 +1,10 @@
+apiVersion: v2
+appVersion: 1.23.0
+description: Helm chart for deploying Istio cluster resources and CRDs
+icon: https://istio.io/latest/favicons/android-192x192.png
+keywords:
+- istio
+name: base
+sources:
+- https://github.com/istio/istio
+version: 1.23.0

charts/base-istio-base/README.md

@@ -0,0 +1,35 @@
+# Istio base Helm Chart
+
+This chart installs resources shared by all Istio revisions. This includes Istio CRDs.
+
+## Setup Repo Info
+
+```console
+helm repo add istio https://istio-release.storage.googleapis.com/charts
+helm repo update
+```
+
+_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._
+
+## Installing the Chart
+
+To install the chart with the release name `istio-base`:
+
+```console
+kubectl create namespace istio-system
+helm install istio-base istio/base -n istio-system
+```
+
+### Profiles
+
+Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets.
+These can be set with `--set profile=<profile>`.
+For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements.
+
+For consistency, the same profiles are used across each chart, even if they do not impact a given chart.
+
+Explicitly set values have highest priority, then profile settings, then chart defaults.
+
+As an implementation detail of profiles, the default values for the chart are all nested under `defaults`.
+When configuring the chart, you should not include this.
+That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`.

charts/base-istio-base/files/profile-ambient.yaml

@@ -0,0 +1,20 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      ISTIO_META_ENABLE_HBONE: "true"
+global:
+  variant: distroless
+pilot:
+  env:
+    PILOT_ENABLE_AMBIENT: "true"
+cni:
+  ambient:
+    enabled: true
+
+# Ztunnel doesn't use a namespace, so everything here is mostly for ztunnel
+variant: distroless

charts/base-istio-base/files/profile-compatibility-version-1.20.yaml

@@ -0,0 +1,26 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.21 behavioral changes
+    ENABLE_EXTERNAL_NAME_ALIAS: "false"
+    PERSIST_OLDEST_FIRST_HEURISTIC_FOR_VIRTUAL_SERVICE_HOST_MATCHING: "true"
+    VERIFY_CERTIFICATE_AT_CLIENT: "false"
+    ENABLE_AUTO_SNI: "false"
+
+    # 1.22 behavioral changes
+    ENABLE_ENHANCED_RESOURCE_SCOPING: "false"
+    ENABLE_RESOLUTION_NONE_TARGET_PORT: "false"
+
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      # 1.22 behavioral changes
+      ISTIO_DELTA_XDS: "false"
+      # 1.23 behavioral changes
+      ENABLE_DELIMITED_STATS_TAG_REGEX: "false"
+    tracing:
+      zipkin:
+        address: zipkin.istio-system:9411

charts/base-istio-base/files/profile-compatibility-version-1.21.yaml

@@ -0,0 +1,19 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.22 behavioral changes
+    ENABLE_ENHANCED_RESOURCE_SCOPING: "false"
+    ENABLE_RESOLUTION_NONE_TARGET_PORT: "false"
+meshConfig:
+  # 1.22 behavioral changes
+  defaultConfig:
+    proxyMetadata:
+      ISTIO_DELTA_XDS: "false"
+      # 1.23 behavioral changes
+      ENABLE_DELIMITED_STATS_TAG_REGEX: "false"
+    tracing:
+      zipkin:
+        address: zipkin.istio-system:9411

charts/base-istio-base/files/profile-compatibility-version-1.22.yaml

@@ -0,0 +1,11 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      # 1.22 behavioral changes
+      ENABLE_DEFERRED_CLUSTER_CREATION: "false"
+      # 1.23 behavioral changes
+      ENABLE_DELIMITED_STATS_TAG_REGEX": "false"

charts/base-istio-base/files/profile-demo.yaml

@@ -0,0 +1,73 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The demo profile enables a variety of things to try out Istio in non-production environments.
+# * Lower resource utilization.
+# * Some additional features are enabled by default; especially ones used in some tasks in istio.io.
+# * More ports enabled on the ingress, which is used in some tasks.
+meshConfig:
+  accessLogFile: /dev/stdout
+  extensionProviders:
+    - name: otel
+      envoyOtelAls:
+        service: opentelemetry-collector.observability.svc.cluster.local
+        port: 4317
+    - name: skywalking
+      skywalking:
+        service: tracing.istio-system.svc.cluster.local
+        port: 11800
+    - name: otel-tracing
+      opentelemetry:
+        port: 4317
+        service: opentelemetry-collector.observability.svc.cluster.local
+
+global:
+  proxy:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+
+pilot:
+  autoscaleEnabled: false
+  traceSampling: 100
+  resources:
+    requests:
+      cpu: 10m
+      memory: 100Mi
+
+gateways:
+  istio-egressgateway:
+    autoscaleEnabled: false
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+  istio-ingressgateway:
+    autoscaleEnabled: false
+    ports:
+    ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces.
+    # Note that AWS ELB will by default perform health checks on the first port
+    # on this list. Setting this to the health check port will ensure that health
+    # checks always work. https://github.com/istio/istio/issues/12503
+    - port: 15021
+      targetPort: 15021
+      name: status-port
+    - port: 80
+      targetPort: 8080
+      name: http2
+    - port: 443
+      targetPort: 8443
+      name: https
+    - port: 31400
+      targetPort: 31400
+      name: tcp
+      # This is the port where sni routing happens
+    - port: 15443
+      targetPort: 15443
+      name: tls
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi

charts/base-istio-base/files/profile-openshift-ambient.yaml

@@ -0,0 +1,33 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      ISTIO_META_ENABLE_HBONE: "true"
+global:
+  platform: openshift
+cni:
+  ambient:
+    enabled: true
+  cniBinDir: /var/lib/cni/bin
+  cniConfDir: /etc/cni/multus/net.d
+  chained: false
+  cniConfFileName: "istio-cni.conf"
+  logLevel: info
+  provider: "multus"
+pilot:
+  cni:
+    enabled: true
+    provider: "multus"
+  variant: distroless
+  env:
+    PILOT_ENABLE_AMBIENT: "true"
+    # Allow sidecars/ingress to send/receive HBONE. This is required for interop.
+    PILOT_ENABLE_SENDING_HBONE: "true"
+    PILOT_ENABLE_SIDECAR_LISTENING_HBONE: "true"
+platform: openshift
+variant: distroless
+seLinuxOptions:
+  type: spc_t

charts/base-istio-base/files/profile-openshift.yaml

@@ -0,0 +1,20 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The OpenShift profile provides a basic set of settings to run Istio on OpenShift
+# CNI must be installed.
+cni:
+  cniBinDir: /var/lib/cni/bin
+  cniConfDir: /etc/cni/multus/net.d
+  chained: false
+  cniConfFileName: "istio-cni.conf"
+  logLevel: info
+  provider: "multus"
+global:
+  platform: openshift
+pilot:
+  cni:
+    enabled: true
+    provider: "multus"
+platform: openshift

charts/base-istio-base/files/profile-preview.yaml

@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The preview profile contains features that are experimental.
+# This is intended to explore new features coming to Istio.
+# Stability, security, and performance are not guaranteed - use at your own risk.
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      # Enable Istio agent to handle DNS requests for known hosts
+      # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf
+      ISTIO_META_DNS_CAPTURE: "true"

charts/base-istio-base/files/profile-stable.yaml

@@ -0,0 +1,8 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The stable profile deploys admission control to ensure that only stable resources and fields are used
+# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE
+experimental:
+  stableValidationPolicy: true

charts/base-istio-base/templates/NOTES.txt

@@ -0,0 +1,5 @@
+Istio base successfully installed!
+
+To learn more about the release, try:
+  $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }}
+  $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }}

charts/base-istio-base/templates/crds.yaml

@@ -0,0 +1,3 @@
+{{- if .Values.base.enableCRDTemplates }}
+{{ .Files.Get "crds/crd-all.gen.yaml" }}
+{{- end }}

charts/base-istio-base/templates/default.yaml

@@ -0,0 +1,54 @@
+{{- if not (eq .Values.defaultRevision "") }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  name: istiod-default-validator
+  labels:
+    app: istiod
+    release: {{ .Release.Name }}
+    istio: istiod
+    istio.io/rev: {{ .Values.defaultRevision | quote }}
+webhooks:
+  - name: validation.istio.io
+    clientConfig:
+      {{- if .Values.base.validationURL }}
+      url: {{ .Values.base.validationURL }}
+      {{- else }}
+      service:
+        {{- if (eq .Values.defaultRevision "default") }}
+        name: istiod
+        {{- else }}
+        name: istiod-{{ .Values.defaultRevision }}
+        {{- end }}
+        namespace: {{ .Values.global.istioNamespace }}
+        path: "/validate"
+      {{- end }}
+      {{- if .Values.base.validationCABundle }}
+      caBundle: "{{ .Values.base.validationCABundle }}"
+      {{- end }}
+    rules:
+      - operations:
+          - CREATE
+          - UPDATE
+        apiGroups:
+          - security.istio.io
+          - networking.istio.io
+          - telemetry.istio.io
+          - extensions.istio.io
+        apiVersions:
+          - "*"
+        resources:
+          - "*"
+
+    {{- if .Values.base.validationCABundle }}
+    # Disable webhook controller in Pilot to stop patching it
+    failurePolicy: Fail
+    {{- else }}
+    # Fail open until the validation webhook is ready. The webhook controller
+    # will update this to `Fail` and patch in the `caBundle` when the webhook
+    # endpoint is ready.
+    failurePolicy: Ignore
+    {{- end }}
+    sideEffects: None
+    admissionReviewVersions: ["v1"]
+{{- end }}

charts/base-istio-base/templates/endpoints.yaml

@@ -0,0 +1,23 @@
+{{- if regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress }}
+# if the remotePilotAddress is an IP addr
+apiVersion: v1
+kind: Endpoints
+metadata:
+  {{- if .Values.pilot.enabled }}
+  name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }}-remote
+  {{- else }}
+  name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }}
+  {{- end }}
+  namespace: {{ .Release.Namespace }}
+subsets:
+- addresses:
+  - ip: {{ .Values.global.remotePilotAddress }}
+  ports:
+  - port: 15012
+    name: tcp-istiod
+    protocol: TCP
+  - port: 15017
+    name: tcp-webhook
+    protocol: TCP
+---
+{{- end }}

charts/base-istio-base/templates/reader-serviceaccount.yaml

@@ -0,0 +1,16 @@
+# This service account aggregates reader permissions for the revisions in a given cluster
+# Should be used for remote secret creation.
+apiVersion: v1
+kind: ServiceAccount
+  {{- if .Values.global.imagePullSecrets }}
+imagePullSecrets:
+  {{- range .Values.global.imagePullSecrets }}
+  - name: {{ . }}
+    {{- end }}
+    {{- end }}
+metadata:
+  name: istio-reader-service-account
+  namespace: {{ .Values.global.istioNamespace }}
+  labels:
+    app: istio-reader
+    release: {{ .Release.Name }}

charts/base-istio-base/templates/services.yaml

@@ -0,0 +1,37 @@
+{{- if .Values.global.remotePilotAddress }}
+apiVersion: v1
+kind: Service
+metadata:
+  {{- if .Values.pilot.enabled }}
+  # when local istiod is enabled, we can't use istiod service name to reach the remote control plane
+  name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }}-remote
+  {{- else }}
+  # when local istiod isn't enabled, we can use istiod service name to reach the remote control plane
+  name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }}
+  {{- end }}
+  namespace: {{ .Release.Namespace }}
+spec:
+  ports:
+  - port: 15012
+    name: tcp-istiod
+    protocol: TCP
+  - port: 443
+    targetPort: 15017
+    name: tcp-webhook
+    protocol: TCP
+  {{- if not (regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress) }}
+  # if the remotePilotAddress is not an IP addr, we use ExternalName
+  type: ExternalName
+  externalName: {{ .Values.global.remotePilotAddress }}
+  {{- end }}
+{{- if .Values.global.ipFamilyPolicy }}
+  ipFamilyPolicy: {{ .Values.global.ipFamilyPolicy }}
+{{- end }}
+{{- if .Values.global.ipFamilies }}
+  ipFamilies:
+{{- range .Values.global.ipFamilies }}
+  - {{ . }}
+{{- end }}
+{{- end }}
+---
+{{- end }}

charts/base-istio-base/templates/validatingadmissionpolicy.yaml

@@ -0,0 +1,51 @@
+{{- if and .Values.experimental.stableValidationPolicy (not (eq .Values.defaultRevision "")) }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicy
+metadata:
+  name: "stable-channel-default-policy.istio.io"
+  labels:
+    release: {{ .Release.Name }}
+    istio: istiod
+    istio.io/rev: {{ .Values.defaultRevision }}
+spec:
+  failurePolicy: Fail
+  matchConstraints:
+    resourceRules:
+    - apiGroups:
+        - security.istio.io
+        - networking.istio.io
+        - telemetry.istio.io
+        - extensions.istio.io
+      apiVersions: ["*"]
+      operations:  ["CREATE", "UPDATE"]
+      resources:   ["*"]
+  variables:
+    - name: isEnvoyFilter
+      expression: "object.kind == 'EnvoyFilter'"
+    - name: isWasmPlugin
+      expression: "object.kind == 'WasmPlugin'"
+    - name: isProxyConfig
+      expression: "object.kind == 'ProxyConfig'"
+    - name: isTelemetry
+      expression: "object.kind == 'Telemetry'"
+  validations:
+    - expression: "!variables.isEnvoyFilter"
+    - expression: "!variables.isWasmPlugin"
+    - expression: "!variables.isProxyConfig"
+    - expression: |
+        !(
+          variables.isTelemetry && (
+            (has(object.spec.tracing) ? object.spec.tracing : {}).exists(t, has(t.useRequestIdForTraceSampling)) ||
+            (has(object.spec.metrics) ? object.spec.metrics : {}).exists(m, has(m.reportingInterval)) ||
+            (has(object.spec.accessLogging) ? object.spec.accessLogging : {}).exists(l, has(l.filter))
+          )
+        )
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+  name: "stable-channel-default-policy-binding.istio.io"
+spec:
+  policyName: "stable-channel-default-policy.istio.io"
+  validationActions: [Deny]
+{{- end }}

charts/base-istio-base/templates/zzz_profile.yaml

@@ -0,0 +1,43 @@
+{{/*
+WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY.
+The original version of this file is located at /manifests directory.
+If you want to make a change in this file, edit the original one and run "make gen".
+
+Complex logic ahead...
+We have three sets of values, in order of precedence (last wins):
+1. The builtin values.yaml defaults
+2. The profile the user selects
+3. Users input (-f or --set)
+
+Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2).
+
+However, we can workaround this by placing all of (1) under a specific key (.Values.defaults).
+We can then merge the profile onto the defaults, then the user settings onto that.
+Finally, we can set all of that under .Values so the chart behaves without awareness.
+*/}}
+{{- $globals := $.Values.global | default dict | deepCopy }}
+{{- $defaults := $.Values.defaults }}
+{{- $_ := unset $.Values "defaults" }}
+{{- $profile := dict }}
+{{- with .Values.profile }}
+{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}}
+{{- $profile = (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown profile" $.Values.profile) }}
+{{- end }}
+{{- end }}
+{{- with .Values.compatibilityVersion }}
+{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }}
+{{- end }}
+{{- end }}
+{{- if $profile }}
+{{- $a := mustMergeOverwrite $defaults $profile }}
+{{- end }}
+#  Flatten globals, if defined on a per-chart basis
+{{- if false }}
+{{- $a := mustMergeOverwrite $defaults $globals  }}
+{{- end }}
+{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }}

charts/base-istio-base/values.yaml

@@ -0,0 +1,42 @@
+# "defaults" is a workaround for Helm limitations. Users should NOT set ".defaults" explicitly, but rather directly set the fields internally.
+# For instance, instead of `--set defaults.foo=bar`, just set `--set foo=bar`.
+defaults:
+  global:
+
+    # ImagePullSecrets for control plane ServiceAccount, list of secrets in the same namespace
+    # to use for pulling any images in pods that reference this ServiceAccount.
+    # Must be set for any cluster configured with private docker registry.
+    imagePullSecrets: []
+
+    # Used to locate istiod.
+    istioNamespace: istio-system
+
+    externalIstiod: false
+    remotePilotAddress: ""
+
+    # Platform where Istio is deployed. Possible values are: "openshift", "gcp".
+    # An empty value means it is a vanilla Kubernetes distribution, therefore no special
+    # treatment will be considered.
+    platform: ""
+
+    # Setup how istiod Service is configured. See https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services
+    # This is intended only for use with external istiod.
+    ipFamilyPolicy: ""
+    ipFamilies: []
+
+  base:
+    # Used for helm2 to add the CRDs to templates.
+    enableCRDTemplates: false
+
+    # Validation webhook configuration url
+    # For example: https://$remotePilotAddress:15017/validate
+    validationURL: ""
+    # Validation webhook caBundle value. Useful when running pilot with a well known cert
+    validationCABundle: ""
+
+    # For istioctl usage to disable istio config crds in base
+    enableIstioConfigCRDs: true
+
+  defaultRevision: "default"
+  experimental:
+    stableValidationPolicy: false