[1.17] Merge staging to release branch (#1462)

* Update release script * Default to last prod release for CURRENT_RELEASE (#1425) * Add logging output file * Revert "Add logging output file" This reverts commit c148527. * Add logging output file in output dir (#1426) * Add logging output file in output dir * Create logs after determination of OUTPUT_DIR * Remove unused log file relocation logic * Remove unused log file relocation logic * Remove unused log file relocation logic * Remove unused log file relocation logic * Remove unused log file relocation logic * Add --working-dir alias for output directory (#1428) * Bump revision 1.17.2-asm.8 (#1432) * Remove unsupported cni-gke-autopilot.yaml (#1433) Autopilot requires MCP * Merge main into staging-1.17 (#1434) * Update release script * Default to last prod release for CURRENT_RELEASE (#1425) * Add logging output file * Revert "Add logging output file" This reverts commit c148527. * Add logging output file in output dir (#1426) * Add logging output file in output dir * Create logs after determination of OUTPUT_DIR * Remove unused log file relocation logic * Remove unused log file relocation logic * Remove unused log file relocation logic * Remove unused log file relocation logic * Remove unused log file relocation logic * Add --working-dir alias for output directory (#1428) * Bump revision 1.17.2-asm.8 (#1432) * Remove unsupported cni-gke-autopilot.yaml (#1433) Autopilot requires MCP --------- Co-authored-by: Clayton Pence <[email protected]> Co-authored-by: Wonje Kang <[email protected]> Co-authored-by: Wonje Kang <[email protected]> Co-authored-by: John Howard <[email protected]> * remove fetching redundant spiffe bundle endpoints (#1441) * cleanup: remove dead env var (#1443) Removed 2 years ago in #29688 * Switch to gke.gcr.io alias (#1447) * Support offline mode in create-mesh (#1448) * Switch to gke.gcr.io alias (#1447) * Support offline mode in create-mesh (#1448) * Remove obsolete MCP IOP (#1449) This doesn't really make sense? You cannot use this to install MCP * Compatibility for create-mesh offline fixes (#1452) * Compatibility for create-mesh offline fixes (#1452) * Hpa v2 swap (#1451) * Rename samples/gateways/istio-ingressgateway/autoscalingv2/autoscaling-v2.yaml to samples/gateways/istio-ingressgateway/autoscaling-v2.yaml swap hpa v2 with v2beta1 * Rename samples/gateways/istio-ingressgateway/autoscaling-v2beta1.yaml to samples/gateways/istio-ingressgateway/autoscaling-v2-beta1/autoscaling-v2beta1.yaml * Bump asm 1.17.3-asm.1 (#1455) * Better handling of offline mode for create-mesh (#1454) * Better handling of offline mode for create-mesh * Fix usage message * Use relative istioctl location if possible * Better handling of offline mode for create-mesh (#1454) * Better handling of offline mode for create-mesh * Fix usage message * Use relative istioctl location if possible --------- Co-authored-by: Clayton Pence <[email protected]> Co-authored-by: Wonje Kang <[email protected]> Co-authored-by: Wonje Kang <[email protected]> Co-authored-by: John Howard <[email protected]> Co-authored-by: shankgan <[email protected]> Co-authored-by: Cody Clark <[email protected]>
GoogleCloudPlatform · Jun 13, 2023 · c163891 · c163891
1 parent 201a047
commit c163891
Show file tree

Hide file tree

Showing 14 changed files with 79 additions and 88 deletions.
diff --git a/asm/Kptfile b/asm/Kptfile
@@ -71,12 +71,12 @@ openAPI:
       x-k8s-cli:
         setter:
           name: anthos.servicemesh.hub
-          value: gcr.io/gke-release/asm
+          value: gke.gcr.io/asm
     io.k8s.cli.setters.anthos.servicemesh.tag:
       x-k8s-cli:
         setter:
           name: anthos.servicemesh.tag
-          value: 1.17.2-asm.8
+          value: 1.17.3-asm.1
           isSet: true
     io.k8s.cli.setters.anthos.servicemesh.managed-controlplane.vpcsc.enabled:
       type: string
@@ -113,7 +113,7 @@ openAPI:
       x-k8s-cli:
         setter:
           name: anthos.servicemesh.canonicalServiceHub
-          value: gcr.io/gke-release/asm/canonical-service-controller:1.7.3-asm.6
+          value: gke.gcr.io/asm/canonical-service-controller:1.7.3-asm.6
           isSet: true
     io.k8s.cli.setters.anthos.servicemesh.idp-url:
       type: string

diff --git a/asm/canonical-service/controller.yaml b/asm/canonical-service/controller.yaml
@@ -327,7 +327,7 @@ spec:
         - --enable-leader-election
         command:
         - /manager
-        image: gcr.io/gke-release/asm/canonical-service-controller:1.10.3-asm.16 # {"$ref":"#/definitions/io.k8s.cli.setters.anthos.servicemesh.canonicalServiceHub"}
+        image: gke.gcr.io/asm/canonical-service-controller:1.10.3-asm.16 # {"$ref":"#/definitions/io.k8s.cli.setters.anthos.servicemesh.canonicalServiceHub"}
         name: manager
         resources:
           limits:

diff --git a/asm/istio/expansion/vm-eastwest-gateway.yaml b/asm/istio/expansion/vm-eastwest-gateway.yaml
@@ -19,7 +19,7 @@ metadata:
   name: eastwest
 spec:
   profile: empty
-  hub: gcr.io/gke-release/asm # {"$ref":"#/definitions/io.k8s.cli.setters.anthos.servicemesh.hub"}
+  hub: gke.gcr.io/asm # {"$ref":"#/definitions/io.k8s.cli.setters.anthos.servicemesh.hub"}
   tag: 1.10.2-asm.1 # {"$ref":"#/definitions/io.k8s.cli.setters.anthos.servicemesh.tag"}
   components:
     ingressGateways:

diff --git a/asm/istio/istio-operator.yaml b/asm/istio/istio-operator.yaml
@@ -17,7 +17,7 @@ apiVersion: install.istio.io/v1alpha1
 kind: IstioOperator
 spec:
   profile: empty
-  hub: gcr.io/gke-release/asm # {"$ref":"#/definitions/io.k8s.cli.setters.anthos.servicemesh.hub"}
+  hub: gke.gcr.io/asm # {"$ref":"#/definitions/io.k8s.cli.setters.anthos.servicemesh.hub"}
   tag: 1.10.2-asm.1 # {"$ref":"#/definitions/io.k8s.cli.setters.anthos.servicemesh.tag"}
   meshConfig:
     trustDomainAliases: # {"$ref":"#/definitions/io.k8s.cli.setters.anthos.servicemesh.trustDomainAliases"}
@@ -29,7 +29,6 @@ spec:
         GCP_METADATA: "PROJECT_ID|PROJECT_NUMBER|asm-cluster|us-central1-c" # {"$ref":"#/definitions/io.k8s.cli.substitutions.gke-metadata"}
         CA_PROVIDER: "GoogleCA"
         PLUGINS: "GoogleTokenExchange"
-        USE_TOKEN_FOR_CSR: "true"
         GCE_METADATA_HOST: "metadata.google.internal"
     # Locality load balancing is not supported
     localityLbSetting:
@@ -67,8 +66,6 @@ spec:
             value: "" # {"$ref":"#/definitions/io.k8s.cli.setters.anthos.servicemesh.idp-url"}
           - name: GCP_METADATA
             value: "PROJECT_ID|PROJECT_NUMBER|asm-cluster|us-central1-c" # {"$ref":"#/definitions/io.k8s.cli.substitutions.gke-metadata"}
-          - name: SPIFFE_BUNDLE_ENDPOINTS
-            value: "" # {"$ref":"#/definitions/io.k8s.cli.substitutions.spiffe-bundle-endpoints"}
           - name: ENABLE_STACKDRIVER_MONITORING
             value: "true" # {"$ref":"#/definitions/io.k8s.cli.setters.anthos.servicemesh.controlplane.monitoring.enabled"}
           - name: TOKEN_AUDIENCES

diff --git a/asm/istio/options/managed-control-plane.yaml b/asm/istio/options/managed-control-plane.yaml
diff --git a/asmcli/asmcli b/asmcli/asmcli
diff --git a/asmcli/asmcli.sh b/asmcli/asmcli.sh
@@ -36,8 +36,8 @@ _CI_I_AM_A_TEST_ROBOT="${_CI_I_AM_A_TEST_ROBOT:=0}"; readonly _CI_I_AM_A_TEST_RO
 ### Internal variables ###
 MAJOR="${MAJOR:=1}"; readonly MAJOR;
 MINOR="${MINOR:=17}"; readonly MINOR;
-POINT="${POINT:=2}"; readonly POINT;
-REV="${REV:=8}"; readonly REV;
+POINT="${POINT:=3}"; readonly POINT;
+REV="${REV:=1}"; readonly REV;
 CONFIG_VER="${CONFIG_VER:="1"}"; readonly CONFIG_VER;
 K8S_MINOR=0
 

diff --git a/asmcli/commands/create-mesh.sh b/asmcli/commands/create-mesh.sh
@@ -64,6 +64,10 @@ create-mesh_parse_args() {
         context_set-option "TRUST_FLEET_IDENTITY" 0
         shift 1
         ;;
+      --offline)
+        context_set-option "OFFLINE" 1
+        shift 1
+        ;;
       *)
         if [ -f "$1" ]; then
           local KCF; KCF="${1}"
@@ -218,16 +222,28 @@ create-mesh_prepare_environment() {
   fi
 
   if needs_asm && needs_kpt; then
-    download_kpt
+      if is_offline; then
+        warn "Skipping downloading kpt because offline mode was specified."
+      else
+        download_kpt
+      fi
   fi
   readonly AKPT
 
   if needs_asm; then
     if ! necessary_files_exist; then
-      download_asm
+      if is_offline; then
+        warn "Skipping downloading mesh tarball because offline mode was specified."
+      else
+        download_asm
+      fi
     fi
     if should_download_kpt_package; then
-      download_kpt_package
+      if is_offline; then
+        warn "Skipping downloading configuration templates because offline mode was specified."
+      else
+        download_kpt_package
+      fi
     fi
     organize_kpt_files
   fi

diff --git a/asmcli/commands/help.sh b/asmcli/commands/help.sh
@@ -328,6 +328,10 @@ FLAGS:
                                       downloading them again.
   The following several flags are used to display help texts and the version message.
   -v|--verbose                        Print commands before and after execution.
+     --offline                        Perform an offline configuration using the pre-downloaded
+                                      package in the output directory. If the directory is not
+                                      specified or does not contain the required files, the
+                                      script will exit with error.
   -h|--help                           Show this message and exit.
   --version                           Print the version of this tool and exit.
 
@@ -356,6 +360,7 @@ Use -h|--help with -v|--verbose to show detailed descriptions.
 FLAGS:
   -D|--output_dir <DIR PATH>
   -v|--verbose
+     --offline
   -h|--help
   --version
 EOF

diff --git a/asmcli/lib/config.sh b/asmcli/lib/config.sh
@@ -55,9 +55,7 @@ configure_package() {
 
   kpt cfg set asm anthos.servicemesh.trustDomain "${FLEET_ID}.svc.id.goog"
   kpt cfg set asm anthos.servicemesh.tokenAudiences "istio-ca,${FLEET_ID}.svc.id.goog"
-  if [[ "${CA}" == "mesh_ca" ]]; then
-    kpt cfg set asm anthos.servicemesh.spiffeBundleEndpoints "${FLEET_ID}.svc.id.goog|https://storage.googleapis.com/mesh-ca-resources/spiffe_bundle.json"
-  fi
+
   if [[ "${USE_VPCSC}" -eq 1 ]]; then
     kpt cfg set asm anthos.servicemesh.managed-controlplane.vpcsc.enabled "true"
   fi

diff --git a/asmcli/lib/util.sh b/asmcli/lib/util.sh
@@ -280,12 +280,15 @@ prepare_environment() {
     # Offline mode should not trigger any download
     if is_offline; then
       if needs_kpt || ! necessary_files_exist || should_download_kpt_package; then
-        { read -r -d '' MSG; fatal "${MSG}"; } <<EOF || true
+        { read -r -d '' MSG; warn_pause "${MSG}"; } <<EOF || true
 Critical components not found in the offline mode. Note that if the installation configuration has changed,
 kpt packages would have to be re-downloaded. Please run "asmcli build-offline-package"
 and pass the directory containing the required files to install ASM successfully offline.
+
+Installation will continue, but may not succeed.
 EOF
       fi
+      return
     fi
 
     if needs_kpt; then
@@ -430,8 +433,12 @@ istioctl() {
 }
 
 istioctl_path() {
+  local OUTPUT_DIR; OUTPUT_DIR="$(context_get-option "OUTPUT_DIR")"
+
   if [[ -n "${_CI_ISTIOCTL_REL_PATH}" && -f "${_CI_ISTIOCTL_REL_PATH}" ]]; then
     echo "${_CI_ISTIOCTL_REL_PATH}"
+  elif [[ -f "${OUTPUT_DIR}/istioctl" ]]; then
+    echo "${OUTPUT_DIR}/istioctl"
   else
     echo "./${ISTIOCTL_REL_PATH}"
   fi

diff --git a/...o-ingressgateway/autoscaling-v2beta1.yaml → ...scaling-v2-beta1/autoscaling-v2beta1.yaml b/...o-ingressgateway/autoscaling-v2beta1.yaml → ...scaling-v2-beta1/autoscaling-v2beta1.yaml
diff --git a/...gateway/autoscalingv2/autoscaling-v2.yaml → .../istio-ingressgateway/autoscaling-v2.yaml b/...gateway/autoscalingv2/autoscaling-v2.yaml → .../istio-ingressgateway/autoscaling-v2.yaml
diff --git a/scripts/migration/migrate-addon b/scripts/migration/migrate-addon
@@ -295,7 +295,7 @@ configure_mesh_ca_16() {
   # The operator probably won't actually update Istiod faster than we will manually below, but this ensures it
   # will not be reverted back
   kube patch -n istio-system  istiooperators.install.istio.io istio-1-6-11-gke-0 --type=merge -p='{"spec":{
-    "components":{"pilot":{"hub":"gcr.io/gke-release/istio","tag":"1.6.14-gke.7"}}}
+    "components":{"pilot":{"hub":"gke.gcr.io/istio","tag":"1.6.14-gke.7"}}}
   }'
 
   # Next we insert the mesh ca root cert so that it is trusted
@@ -313,7 +313,7 @@ EOF
   # Patch the new image, in case operator isn't fast enough, and insert an annotation to make sure we are change something
   kube patch deploy istiod-istio-1611 -n istio-system -p='{"spec":{"template":{"spec":{"containers":[{
     "name":"discovery",
-    "image":"gcr.io/gke-release/istio/pilot:1.6.14-gke.7"
+    "image":"gke.gcr.io/istio/pilot:1.6.14-gke.7"
   }]}}},
   "metadata":{"annotations":{"istio-addon-migrate-start":"true"}}}'
   echo "Restarting 1.6 istiod"
@@ -403,7 +403,7 @@ EOF
   kube get deploy istio-pilot -n istio-system -o yaml > configure_mesh_ca_istio_pilot_deploy.yaml
   kube patch deploy istio-pilot -n istio-system -p='{"spec":{"template":{"spec":{"containers":[{
     "name":"discovery",
-    "image":"gcr.io/gke-release/istio/pilot:1.4.10-gke.21",
+    "image":"gke.gcr.io/istio/pilot:1.4.10-gke.21",
     "env":[{"name":"PILOT_SKIP_VALIDATE_TRUST_DOMAIN","value":"true"}]
   }]}}}}'