Proposal: Move Istio to Graduation stage #1000
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Proposal for moving to graduated stage. Signed-off-by: Craig Box <craigb@armosec.io>
|
congrats on issue 1000 :)
…On Wed, Feb 1, 2023 at 2:54 PM Craig Box ***@***.***> wrote:
On behalf of the Istio Steering Committee, please find attached a proposal
for Istio to become a graduated project.
What is Istio?
Istio <https://istio.io> is an open source service mesh that provides a
uniform, efficient and transparent way to secure, connect, and monitor
services in cloud native applications. It supports zero-trust networking,
policy enforcement, traffic management, load balancing, and monitoring; all
without requiring applications to be rewritten.
Istio applied to join the CNCF <#827> in
April 2022 and was accepted in September 2022
<https://www.cncf.io/blog/2022/09/28/istio-sails-into-the-cloud-native-computing-foundation/>.
The proposal
<https://github.com/cncf/toc/blob/main/proposals/incubation/istio.md> and due
diligence
<https://docs.google.com/document/d/1cQiigR5WHQHvo_krUXO6uEaGSB2dWNRkR0cHCAoF5QA/edit>
from that application are linked for reference. As the due diligence was
completed within the last few months, we believe the information contained
within remains relevant.
We believe that Istio's maturity is commensurate with the "Graduated"
maturity level <https://www.cncf.io/projects/#maturity-levels> and
recommendation for adoption to a majority of enterprise users.
Why are we ready to graduate?
Istio is a top 10 CNCF project by 2022 velocity
<https://docs.google.com/spreadsheets/d/1NifFdE45BlscO6j7vlDspccQ-i9Ksgip6yx2bmhmCCs/edit#gid=976519966>,
and is in the top 3 CNCF projects by measures such as 7DA average PRs
merged
<https://all.devstats.cncf.io/d/24/prs-merged-repository-groups?orgId=1&var-period=d7&var-repogroups=All>
.
The project has had 9,500 GitHub contributors
<https://istio.devstats.cncf.io/d/66/developer-activity-counts-by-companies?orgId=1&var-period_name=Last%20decade&var-metric=contributions&var-repogroup_name=All&var-country_name=All&var-companies=All>
with 1950 contributors in the last 12 months
<https://istio.devstats.cncf.io/d/66/developer-activity-counts-by-companies?orgId=1&var-period_name=Last%20year&var-metric=contributions&var-repogroup_name=All&var-country_name=All&var-companies=All>.
In that time we have had over 330 different contributors with merged PRs
<https://istio.devstats.cncf.io/d/66/developer-activity-counts-by-companies?orgId=1&var-period_name=Last%20year&var-metric=merged_prs&var-repogroup_name=All&var-country_name=All&var-companies=All>
representing over 85 companies.
Our latest security assessment
<https://istio.io/latest/blog/2023/ada-logics-security-assessment/>
concluded "Istio is a very well-maintained and secure project with a sound
code base, well-established security practices and a responsive product
security team."
We have almost 10,000 members on our community Slack
<https://slack.istio.io/> and 32,000 GitHub stars
<https://github.com/istio/istio>.
Among our many public adopters
<https://istio.io/latest/about/case-studies/> are End User Community
members including Airbnb
<https://istio.io/latest/about/case-studies/airbnb/>, Curve, eBay, iHerb,
Intuit, Lowes, Thought Machine, Salesforce
<https://istio.io/latest/about/case-studies/salesforce/>, SAP, Spotify,
Walmart, Wayfair, WP Engine
<https://istio.io/latest/about/case-studies/wp-engine/>, Yahoo and
Zendesk.
How you can help today
- If you're a fan of Istio, please show us by a 👍, ❤️, and 🚀 on this
PR.
- If you're using Istio in production, add your logo to our wall
<https://github.com/istio/community/blob/master/CONTRIBUTING.md#tell-the-world-youre-using-istio>
- Tweet, toot or otherwise share this issue with your friends!
------------------------------
You can view, comment on, or merge this pull request online at:
#1000
Commit Summary
- 5a34533
<5a34533>
Create istio.md
File Changes
(1 file <https://github.com/cncf/toc/pull/1000/files>)
- *A* proposals/graduation/istio.md
<https://github.com/cncf/toc/pull/1000/files#diff-0b377f857b8b9914f2519d8fd30e09e5dc0ef62982b6a742b84545342eaf3552>
(37)
Patch Links:
- https://github.com/cncf/toc/pull/1000.patch
- https://github.com/cncf/toc/pull/1000.diff
—
Reply to this email directly, view it on GitHub
<#1000>, or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAAPSIMQANI6SF55ZHXJX4LWVLSQVANCNFSM6AAAAAAUOJ34PQ>
.
You are receiving this because you are subscribed to this thread.Message
ID: ***@***.***>
--
Cheers,
Chris Aniszczyk
https://aniszczyk.org
|
It will go nicely next to kubernetes/kubernetes#100000 |
|
niubi |
|
Glad to hear that! +1 |
|
+1! |
|
+1! |
|
+1! |
|
Wow, it's the next big move for Istio. Hope it goes well. |
|
Awesome!!! A big step forward! |
|
Let's all add fuel to the fire! :-) |
|
nice |
|
yay! This is huge for Istio! nice work @craigbox for putting this forward for us!! |
|
This is exciting! Cheers to everyone involved! 🎉 |
|
+1. Extremely deserved! |
|
Congrats! |
|
Hi Folks! @nikhita and I will be sponsoring Istio's graduation. |
Thank you ! @nikhita @TheFoxAtWork :) |
|
Please ping me once Istio graduates, I'll update DevStats immediately. |
|
congratulation~ |
|
We are now in the public comment period for Istio moving to graduation - https://lists.cncf.io/g/cncf-toc/message/8004 |
|
@nikhita TAG-CS has added a governance review for Istio to our backlog. |
|
Thank you Josh! The project will address any findings once the review is complete. Once we have the PR in to cover governance review, this will go into effect for projects moving levels prior to public comment. Thank you again! |
istio-testing
pushed a commit
to istio/istio
that referenced
this pull request
May 26, 2023
eBPF support is temporarily disabled pending CNCF establishing guidance around dual-licensed eBPF bytecode cncf/toc#1000 (comment) Signed-off-by: Benjamin Leggett <benjamin.leggett@solo.io>
|
And now this has become a brilliant case study in CNCF process standing in the way of innovation! Here's the laughable situation where a project is being pretty much forced to temporarily remove a file from a repo, in order to pass an artificial graduation criterium. What's worse, licensing compliance isn't even documented as part of the graduation criteria - and nor should it be, in my opinion, precisely because graduation criteria only get assessed the one time. What does the TOC expect to happen when Istio implement eBPF code in the future? Will they forbid it until the eBPF licensing issue is resolved? I hope not, as that would be entirely anti-innovation and anti-project. So long as the TOC believe that a project's open source intentions are sound, in my opinion the operational management of license compliance should be left to CNCF staff (as it always used to be) |
bleggett
added a commit
to bleggett/istio
that referenced
this pull request
May 26, 2023
eBPF support is temporarily disabled pending CNCF establishing guidance around dual-licensed eBPF bytecode cncf/toc#1000 (comment) Signed-off-by: Benjamin Leggett <benjamin.leggett@solo.io>
|
A quick update from Istio side - we discussed it our dev channel and everyone was onboard with removing the code temporarily and we have removed the code via istio/istio#45162 while waiting for CNCF to sort out the license issue which we understand working with lawyer isn't always simple and fast. The impact to Istio is minimal as this was an experimental new feature that was disabled by default and never shipped in any of our Istio releases. |
@lizrice I don't see any comments from either the TOC or CNCF staff asking project to "remove a file from a repo" ... did i miss it? |
|
There was an eBPF program file that required a GPL-compatible license so it can run in the kernel - this is true for pretty much any eBPF program. And while I am fully supportive of Istio graduating, it didn't seem right that Istio should be able to graduate with GPL-licensed code if that is blocking Cilium (which also needs GPL-licensed code for eBPF). Istio are able to work around this by temporarily removing the file during the graduation process. My understanding is they intend to use eBPF later (and thus will need GPL-licensed code), but removing it for now allows them to pass the (artificial) licensing criteria for graduation. No-one "told them" to remove the file, they figured it out as a workaround. |
istio-testing
pushed a commit
to istio/istio
that referenced
this pull request
May 26, 2023
eBPF support is temporarily disabled pending CNCF establishing guidance around dual-licensed eBPF bytecode cncf/toc#1000 (comment) Signed-off-by: Benjamin Leggett <benjamin.leggett@solo.io>
|
I'm very excited for this. Congrats to all involved! |
|
Congrats! |
|
Congrats! |
|
Woohoo! This is fantastic! |
|
I think it's O.K for some of cloud native project to never graduate if the problem is license. it's just impossible to make sure your license comply with GPL. cloud native is the enabler of big companies to "use" 'open source' and with GPL you cannot make sure of it.
|
|
From istio side, we would not allow the GPL licensed code in core not limited eBPF code. Unless CNCF have resolved the GPL license issue |
|
Er ... shouldn't licensing problems be resolved before a project joins the CNCF? Not at graduation? |
|
The licensing problem in question was in a single file - a prototype eBPF accelerator for an experimental feature (Ambient Mesh). It was added in December 2022, while the project was in Incubation. The file was dual licensed BSD/GPL, as is standard practice for eBPF code. Please check Liz's links for more details on how there is a catch-22 between "CNCF projects may not contain GPL licensed code" and "useful eBPF code is required to be cross-licensed under GPL". In order to remove any question about the licensing state of the project the file has been removed, and will not be reinstated in a CNCF repository until such time as the CNCF has sorted out their opinion on this matter. I would respectfully ask that people who wish to follow up on the issue if this should be allowed in the CNCF to follow up on one of the different threads, or contact their appropriate Governing Board representative. |
|
Well deserved! |
|
Congrats! |
2 similar comments
|
Congrats! |
|
Congrats! |
|
Woohoo, this is fantastic! celebratory EnvoyFilteronly use in non-prod environments apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: istio-gradulated-woohoo
namespace: istio-system
spec:
configPatches:
- applyTo: HTTP_FILTER
patch:
operation: INSERT_BEFORE
value:
name: envoy.lua
typed_config:
"@type": "type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua"
inlineCode: |
function envoy_on_request(request_handle)
request_handle:respond({[":status"] = "200"}, "Istio graduated! Woohoo!")
end |
16 tasks
psbrar99
added a commit
to tetratelabs/istio
that referenced
this pull request
Aug 7, 2023
* Retry when east-west gateway hostname resolution fails (istio#44192) * retry when gateway hostnames resolution failed * add a ut * add a release note * test * test retry period * test * test * update retry period * distinguish server failure * fix * fix ttl * remove named return values * address comments * Automator: update proxy@master in istio/istio@master (istio#44295) * gateway: skip un-managed types in deploymentcontroller (istio#43541) * Automator: update proxy@master in istio/istio@master (istio#44298) * Add nil-check for WASM validation (istio#44296) * kube-probe: avoid duplicate probe headers (istio#44297) This is a regression of istio#28466 from istio#31866 The 31866 fixed the k8s spec having duplicates, but we end up duplicating all headers twice - the kubelet adds the header from HTTPHeaders and we also add from HTTPHeaders, resulting in 2x every header. Instead, we simply copy the incoming request headers and host, making us a fairly transparent proxy. * Refactor multi network manage (istio#44190) * Refactor multi network * Change reloadXX to networkManager's private method * Automator: update go-control-plane in istio/istio@master (istio#44301) * Automator: update proxy@master in istio/istio@master (istio#44302) * Automator: update common-files@master in istio/istio@master (istio#44305) * skip gateway.istio.io/controller-version anno message that is not created by users (istio#44306) * Automator: update istio/client-go@master dependency in istio/istio@master (istio#44312) * Fix the metric and log reports for the dryrun gateway config (istio#44303) * fix reporting metric for dryrun gateway config * add releasnotes * improve log * Automator: update common-files@master in istio/istio@master (istio#44314) * Early update_deps.sh before branching (istio#44317) * e2e: refactor grpc stats test (istio#44307) * e2e: refactor grpc stats test * fix gen * fix build * fix analyze * fix buildGRPCQuery Signed-off-by: hejianpeng <hejianpeng2@huawei.com> --------- Signed-off-by: hejianpeng <hejianpeng2@huawei.com> * Automator: update proxy@master in istio/istio@master (istio#44320) * Fix system namespace filtering (istio#44325) * update istio.io/api (istio#44330) * validation: add another nil check (istio#44332) * Fix type at shared.go (istio#44326) Signed-off-by: jongwooo <jongwooo.han@gmail.com> * Update istio.io modules (istio#44331) * Update istio.io modules * Run `mske gen` * Add update_ztunnel script (istio#44334) * remove sync all (istio#44111) * remove syncall * update * update * Fix namespace equal check * Fix ClusterExternalAddresses race * Fix * Add bookinfo demo for PSA (istio#44214) Signed-off-by: Kalya Subramanian <kasubra@microsoft.com> * Integration tests for ENABLE_ENHANCED_RESOURCE_SCOPING feature (istio#44246) * Integration tests for ENABLE_ENHANCED_RESOURCE_SCOPING feature Signed-off-by: Faseela K <faseela.k@est.tech> * fix lint Signed-off-by: Faseela K <faseela.k@est.tech> * add build tag Signed-off-by: Faseela K <faseela.k@est.tech> * fix lint Signed-off-by: Faseela K <faseela.k@est.tech> * skip VMs Signed-off-by: Faseela K <faseela.k@est.tech> * Require singlecluster Signed-off-by: Faseela K <faseela.k@est.tech> * SkipExternalControlPlaneTopology Signed-off-by: Faseela K <faseela.k@est.tech> * Require Multi Primary Signed-off-by: Faseela K <faseela.k@est.tech> * add build tag Signed-off-by: Faseela K <faseela.k@est.tech> * replace httpbin.org with echo external service Signed-off-by: Faseela K <faseela.k@est.tech> --------- Signed-off-by: Faseela K <faseela.k@est.tech> * Update deps 2023 04 10 (istio#44319) * ./bin/update_deps.sh * update go deps * Remove default.yaml * Make gen * Revert change to distroless * Fix controller runtime * Update istio.io/api and istio.io/pkg * Run go mod tidy * Update release prow * Update istio.io/api * Automator: update istio/client-go@master dependency in istio/istio@master (istio#44339) * Use official 0.27.0 release (istio#44340) * reduced tokenWaitBackoff from 1 second to 10 millis (istio#44338) * Fix the ztunnel iop specification for resources leads to a patch error. (istio#44322) * fix ztunnel iop resource * add test * Automator: update proxy@master in istio/istio@master (istio#44343) * Fix ServiceEntry WorkloadInstanceHandler for label change in Pods (istio#42922) * Fix ServiceEntry WorkloadInstanceHandler for label change in Pods For a label change in WorkloadInstance, which results in a mismatch with a previously matching ServiceEntry, the whole update event is skipped. Which results in the WorkloadInstance not getting removed from the ServiceEntry. This fix changes the behaviour for such cases to handle those updates similar to a delete event and clean up the WorkloadInstance from the list. Fixes [istio#42921] * use DeepEquals to avoid SubsetOf iteration * gocritic linting fix * go back to the first approach * fix workloadInstanceDiff * fix linting errors * change test cases to table format * fix testcase for new Event type * fix Event Type * go fmt * remove wi diff * Update BASE_VERSION to master-2023-04-12T19-02-00 (istio#44357) * Add docs for Calico, set the annotation by default. (istio#44259) * Add docs for Calico, set the annotation by default. * Finish the comment. * Remove debug, kubectl debug works * indent * Update manifests/charts/istio-cni/README.md --------- Co-authored-by: John Howard <howardjohn@google.com> * update_deps.sh change (istio#44373) * fix gateway service name (istio#44365) * Automator: update proxy@master in istio/istio@master (istio#44380) * validation: add small nil check (istio#44360) * Remove kustomize and precompute manifests (istio#44376) See istio#44237 for more info * Add a better check for ztunnel pod guess (istio#44292) * add a better check for ztunnel guess * rebise based on comments * cni: drop experimental taint controller (istio#44377) This controller was added many years ago as an experiment and hasn't progressed. Unless there are users who have remained hidden during this time, I think its effectively dead code we should cleanup. * kube: use protobuf in client (istio#44379) * kube: use protobuf in client This was attempted in istio#38658 but the `config` set is never used there. Also add an opt-out and AcceptContentTypes to allow json fallback as recommended by k8s * fix writes * Remove release note approval by release-managers (istio#44395) * gateway: prevent duplicate `istio_authn` network filter in the filter chain (istio#44388) * gateway: prevent duplicate `istio_authn` network filter in the filter chain Signed-off-by: Yaroslav Skopets <yaroslav@tetrate.io> * add release notes Signed-off-by: Yaroslav Skopets <yaroslav@tetrate.io> * fix lint Signed-off-by: Yaroslav Skopets <yaroslav@tetrate.io> * fixup Signed-off-by: Yaroslav Skopets <yaroslav@tetrate.io> * ensure stability of the unit test Signed-off-by: Yaroslav Skopets <yaroslav@tetrate.io> --------- Signed-off-by: Yaroslav Skopets <yaroslav@tetrate.io> * Add response headers for grpc (istio#44394) * Add response headers for grpc * Update the output * Automator: update istio/client-go@master dependency in istio/istio@master (istio#44396) * Automator: update common-files@master in istio/istio@master (istio#44398) * Use k8s 1.27.0 as the default node image for integration testing (istio#44400) * Automator: update proxy@master in istio/istio@master (istio#44403) * remove deadcode from operator proto (istio#44397) Was missed in previous PR * fix:productpage build fail (istio#44405) Signed-off-by: xin.li <xin.li@daocloud.io> * Run update_deps.sh (istio#44404) * chore: Fix function name of comment (istio#44406) Correct name is runAllTypes but comment has pruneAllTypes * Automator: update go-control-plane in istio/istio@master (istio#44407) * Automator: update proxy@master in istio/istio@master (istio#44408) * Automator: update ztunnel@master in istio/istio@master (istio#44409) * Remove hard coded Istio namespace (istio#44410) * Automator: update proxy@master in istio/istio@master (istio#44411) * Analyze: add cert check for gateway credential (istio#43921) * add cert check for gateway credential * add releasenotes and lint * reuse some logics and add more checks * make gen * remove unnecessary releasenotes * Automator: update proxy@master in istio/istio@master (istio#44419) * Fix webhook issues in installation process (istio#44345) * fix webhook creation in install process * add releasenotes * Only set the WorkloadSelector of ServiceEntry if the label is not empty (istio#44420) Signed-off-by: Yanqiang Miao <miaoyq_2010@163.com> * Setting the control plane lazily (istio#44417) Change-Id: I31adfcb808d04aef51c42ddaed5b3473db2397a5 * Automator: update proxy@master in istio/istio@master (istio#44431) * "istioctl pc route" output add "VHOST NAME" (istio#44414) * "istioctl pc route" output add "VHOST NAME" * add releasenote * fix * Update releasenotes/notes/44414.yaml Co-authored-by: Yossi Mesika <ymesika@gmail.com> --------- Co-authored-by: Yossi Mesika <ymesika@gmail.com> * Temper severity of extraneous errors (istio#44416) When the CNI initially runs on a node that is clean of the ztunnel chains errors and warnings are logged that are extraneous. This change reduces the severity and adds comments in the code. * cleanup message.yaml (istio#44421) * update_deps for 1.18 branch cut (istio#44436) * Automator: update proxy@master in istio/istio@master (istio#44442) * fix wrong example for admin log (istio#44438) Signed-off-by: xin.li <xin.li@daocloud.io> * add validation for empty prefix header match (istio#44428) * add validation for empty prefix header match * fix linter issues * update error message + add a release note * add "prefix" to the error message * >fix `istioctl analyze` to panic when the server port in gateway is nil. (istio#44321) * >fix `istioctl analyze` to panic when the server port in gateway is nil. * Update releasenotes/notes/fix-44318.yaml Co-authored-by: Xiaopeng Han <hanxiaop8@outlook.com> --------- Co-authored-by: Xiaopeng Han <hanxiaop8@outlook.com> * Automator: update ztunnel@release-1.18 in istio/istio@release-1.18 (istio#44527) * Automator: update proxy@release-1.18 in istio/istio@release-1.18 (istio#44550) * [release-1.18] Automated branching step 4 (istio#44553) * Automator: update istio/pkg@release-1.18 dependency in istio/istio@release-1.18 (istio#44559) * Automator: update ztunnel@release-1.18 in istio/istio@release-1.18 (istio#44560) * Automator: update proxy@release-1.18 in istio/istio@release-1.18 (istio#44564) * Automator: update istio/client-go@release-1.18 dependency in istio/istio@release-1.18 (istio#44563) * Automator: update common-files@release-1.18 in istio/istio@release-1.18 (istio#44567) * Automator: update istio/client-go@release-1.18 dependency in istio/istio@release-1.18 (istio#44569) * Update BASE_VERSION to release-1.18-2023-04-26T19-01-40 (istio#44576) * Automator: update ztunnel@release-1.18 in istio/istio@release-1.18 (istio#44607) * Automator: update proxy@release-1.18 in istio/istio@release-1.18 (istio#44610) * Update master to 1.18 (istio#44615) * gateway-api: start reading ReferenceGrant beta (istio#44619) Co-authored-by: John Howard <howardjohn@google.com> * update to kiali 1.67.0 (istio#44504) Co-authored-by: John Mazzitelli <mazz@redhat.com> * revise waypoint examples (istio#44511) Co-authored-by: xiaopeng <hanxiaop8@outlook.com> * Use safer dedupe for config (istio#44521) This is just appending them, there is no guarantee of conflicts being avoided Co-authored-by: John Howard <howardjohn@google.com> * disable automount SA token only on tests with min istio revisions >= 1.16 (istio#44533) Testing multiple istio versions involves older istio versions which doesn't support sidecars with disable automount SA token. This was enabled form 1.16 onwards. Co-authored-by: akshayjnambiar <akshayjnambiar@google.com> * Automator: update ztunnel@release-1.18 in istio/istio@release-1.18 (istio#44625) * [release-1.18] Fix pilot using wrong readinessprobe check, should check if /validate and /inject endpoints are ready. (istio#44632) * fix validationcontroller not having readinessprobe * add releasenotes * revise based on comments * revise based on comments * Delete 44526.yaml --------- Co-authored-by: xiaopeng <hanxiaop8@outlook.com> * typo fix for failover validation (istio#44638) Co-authored-by: Greg Hanson <gregory.hanson@solo.io> * telemetry: deflake access log tests (istio#44645) Example failure: https://prow.istio.io/view/gs/istio-prow/pr-logs/directory/integ-telemetry_istio/1652008195079540736 It looks like the XDS push is just causing too much load and it takes more than 10s to process. We see during XDS push /stats/prometheus also times out. Co-authored-by: John Howard <howardjohn@google.com> * [release-1.18] Support p384 curves (istio#44628) * support p384 curves * code review and make gen * cleanup test * fix linter * only support 256 and 384 * cleanup tests --------- Co-authored-by: Jacob Delgado <jacob.delgado@volunteers.acasi.info> * Automator: update go-control-plane in istio/istio@release-1.18 (istio#44651) * [release-1.18] Skip runtime resources when analyzing files (istio#44663) * Skip runtime resources when analyzing files * add test data and fmt * add support for tests to analyze pods * update analyze test to respect file exclusions * show failed json in message * fix json formatting * differentiate json analyzer tests * add release note --------- Co-authored-by: Mitch Connors <mitchconnors@gmail.com> * [release-1.18] gateway: fix and test unmanaged skipping (istio#44508) * gateway: fix and test unmanaged skipping istio#43541 didn't work quite right due to a rebasing issue. Fix it and add better tests * fix test * fix log * use unique name (istio#44528) (cherry picked from commit 7033e9537a68f23a77f804f35413c7d00b6e00be) (cherry picked from commit c8f7331) --------- Co-authored-by: John Howard <howardjohn@google.com> * vwh: speedup reconcilation and fix test flake (istio#44658) Fixes https://prow.istio.io/view/gs/istio-prow/logs/integ-pilot-cpp_istio_postsubmit/1651656748131422208 failure This is a 1.18 regression since we changed the queue backoff. This fixes it in 2 ways: * Make sure we don't ahve to wait 1min every time * Make sure once one webhook succeeds, all of them do This also makes the test more robust to wait for all webhooks instead of just one. Co-authored-by: John Howard <howardjohn@google.com> * Automator: update istio/client-go@release-1.18 dependency in istio/istio@release-1.18 (istio#44672) * Automator: update common-files@release-1.18 in istio/istio@release-1.18 (istio#44669) * Use go-control-plane from the last commmit before 1.26 was cut (istio#44674) * Automator: update proxy@release-1.18 in istio/istio@release-1.18 (istio#44682) * Fix new test which was broken on distroless (istio#44685) There is no distroless app container Co-authored-by: John Howard <howardjohn@google.com> * Automator: update ztunnel@release-1.18 in istio/istio@release-1.18 (istio#44694) * update_deps output priot to beta0 build (istio#44699) * Automator: update proxy@release-1.18 in istio/istio@release-1.18 (istio#44707) * Actually change the rate limiter type (istio#44726) Co-authored-by: John Howard <howardjohn@google.com> * Automator: update common-files@release-1.18 in istio/istio@release-1.18 (istio#44727) * Automator: update istio/client-go@release-1.18 dependency in istio/istio@release-1.18 (istio#44724) * Automator: update proxy@release-1.18 in istio/istio@release-1.18 (istio#44728) * Automator: update proxy@release-1.18 in istio/istio@release-1.18 (istio#44738) * Fix multi-cluster issue by increasing the timeout of listing CRDs (istio#44715) (istio#44740) When a new secret is added, a watcher will be created based on the remote secret. The process can fail if the API server doesn't respond in 10 seconds which can be the case if the cluster contains a lot of CRDs. This PR bumps the timeout to 60 seconds which is the default timeout value (specified in --request-timeout) for requests to API server. * [release-1.18] Fix persistent sessions scale down with envoy (istio#44653) * Missing change for persistent session support. Without it envoy will drop the draining endpoints and scale down will break. * Update the cluster status to be more future proof, add grpc, c++ implementation requires this * Remove unhealthy --------- Co-authored-by: Costin Manolache <costin@gmail.com> * Automator: update ztunnel@release-1.18 in istio/istio@release-1.18 (istio#44760) * [release-1.18] Fix gateway hostname resolution TTL (istio#44768) * fix gateway hostname resolution ttl * add tests --------- Co-authored-by: dddddai <dddwq@foxmail.com> * [release-1.18] Fix verify-install to work with multi iops (istio#44752) * fix verify-install with multi iops * Update releasenotes/notes/verify-install-multi-iops.yaml Co-authored-by: Eric Van Norman <ericvn@us.ibm.com> --------- Co-authored-by: xiaopeng <hanxiaop8@outlook.com> Co-authored-by: Eric Van Norman <ericvn@us.ibm.com> * deployment controller: add leaderelection back (istio#44746) (istio#44771) * Add per-revision leader election * Add leader election for deployment controller (cherry picked from commit acd30f9) * Automator: update proxy@release-1.18 in istio/istio@release-1.18 (istio#44774) * Automator: update proxy@release-1.18 in istio/istio@release-1.18 (istio#44780) * fix missing gateway services (istio#44461) Co-authored-by: dddddai <dddwq@foxmail.com> * add support for security.istio.io/v1beta1 api in authz tests when testing multiple istio versions (istio#44806) Testing multiple istio versions involves older istio versions which uses the v1beta1 api. This change will start using v1 for 1.17+ and v1beta1 for 1.16-. Co-authored-by: Akshay J Nambiar <akshayjnambiar@users.noreply.github.com> * set delay between retry attempts (istio#44809) Co-authored-by: dddddai <dddwq@foxmail.com> * [release-1.18] istiod: drop Alpha Gateway API types by default (istio#44812) * istiod: drop Alpha Gateway API types by default This is problematic because most providers will not install Alpha CRDs. So once these promote to Beta, clusters will have *only* beta version in the CRD. We would detect the CRD and attempt to watch, but fail as alpha does not exist. This makes the alpha enablement an explicit opt-in to avoid this. An alternative could be to read the actual CRD to check it has the version we want. However, this is not safe -- a user may silently stop reading critical configurations. This is not needed for Istio CRDs as we don't remove old versions. * Fix test * fix build * fix note --------- Co-authored-by: John Howard <howardjohn@google.com> * [release-1.18] Fix precheck and analysis messages (istio#44832) * fix precheck and analysis messages * fix lint --------- Co-authored-by: xiaopeng <hanxiaop8@outlook.com> * update_deps prior to beta1 build (istio#44846) * inject: remove unknown fields from template (istio#44860) We have a number of cases where we insert unknown fields into the template. This eventually gets marshalled into a `v1.Pod`, so the unknown fields are dropped. So it has no impact, but it is "wrong". However, one of the fields we have (restartPolicy) is actually going to be a valid field in future k8s, so would start breaking at that point. So this *will* be a critical bug for future k8s versions. Test with: Replace applyOverlayYAML with ``` decoder := json.NewDecoder(bytes.NewReader(patched)) decoder.DisallowUnknownFields() if err := decoder.Decode(&pod); err != nil { return nil, fmt.Errorf("unmarshal patched pod: %v", err) } ``` Its probably a nice idea to keep it as non-strict to be resilient to unexpected issues? Co-authored-by: John Howard <howardjohn@google.com> * [release-1.18] vm: support health checks for VMs that are not using auto-registration (istio#44866) * vm: support health checks for VMs that are not using auto-registration Signed-off-by: Yaroslav Skopets <yaroslav@tetrate.io> * add release notes Signed-off-by: Yaroslav Skopets <yaroslav@tetrate.io> --------- Signed-off-by: Yaroslav Skopets <yaroslav@tetrate.io> Co-authored-by: Yaroslav Skopets <yaroslav@tetrate.io> * remove file from file certs before triggering call backs (istio#44907) Signed-off-by: Rama Chavali <rama.rao@salesforce.com> Co-authored-by: Rama Chavali <rama.rao@salesforce.com> * spiffe: fix handling of trust bundles with multiple keys (istio#44947) In the existing implementation, we were overriding the `cert` while iterating over doc.Keys. This commit fixes that. Further, there was an unnecessary check for the existence of `ret[trustDomain]`. We are iterating over a map with `trustDomain` as keys, maps don't have duplicate keys, and so `ret[trustDomain]` would never have had a key before we set it in this iteration. This is a cherry-pick for istio#44831 (with modifications in the tests to avoid conflicts). This was cherry-picked in 1.17 as istio#44909. Change-Id: Ibf68f75cc667a72cce68bd42e4f600bd37946222 * Automator: update common-files@release-1.18 in istio/istio@release-1.18 (istio#44992) * Automator: update ztunnel@release-1.18 in istio/istio@release-1.18 (istio#45001) * Automator: update istio/client-go@release-1.18 dependency in istio/istio@release-1.18 (istio#44994) * Automator: update proxy@release-1.18 in istio/istio@release-1.18 (istio#45008) * [release-1.18] deploymentcontroller: add support for ProxyConfig CRD (istio#44987) * deploymentcontroller: add support for ProxyConfig CRD (istio#44916) * deploymentcontroller: add support for ProxyConfig CRD Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Handle default gateway labels Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Remove a comment Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Handle pod annotations Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Encapsulate EffectiveProxyConfig into GetProxyConfigOrDefault Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Remove default pod label service.istio.io/canonical-name Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Respect only istio.io/gateway-name label when matching ProxyConfig with Gateway Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Add release note Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Change area in the relase note Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Remove support for proxy.istio.io/config annotation applied to k8s Gateway pods Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> --------- Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Fix unit tests Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> --------- Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Automator: update istio/client-go@release-1.18 dependency in istio/istio@release-1.18 (istio#45024) * [release-1.18] Fix bug report missing all logs for json logs (istio#45026) * Add json log parsing * Remove bug report file * Omit filter and add tests * Extract to parseLog * Fix test failures * Fix format --------- Co-authored-by: Siyi Wang <siyiwang@google.com> * telemetry: enable experimental mertic expiry (istio#44605) (istio#45037) * mertic-expiry * fix test * fix lint * add release-notes * fix gen * use ProxyMetadata * fix rebase * add test * update release-notes * fix not working * reduce xds size * use pilot ENV * update with john's comment * add UT * fix lint --------- Signed-off-by: hejianpeng <hejianpeng2@huawei.com> * [release-1.18] fix backoff and read ca file interval (istio#45038) * fix read ca file interval * fix backoff never stop * address comment * remove permanent error * Address comment --------- Co-authored-by: Zhonghu Xu <xuzhonghu@huawei.com> * fix waypoint list summary and add revision (istio#45052) Co-authored-by: xiaopeng <hanxiaop8@outlook.com> * Automator: update proxy@release-1.18 in istio/istio@release-1.18 (istio#45072) * Automator: update common-files@release-1.18 in istio/istio@release-1.18 (istio#45074) * Automator: update istio/client-go@release-1.18 dependency in istio/istio@release-1.18 (istio#45076) * Automator: update proxy@release-1.18 in istio/istio@release-1.18 (istio#45094) * Update BASE_VERSION to release-1.18-2023-05-24T19-03-47 (istio#45109) * RetryWithContext should use the new NextBackOff() (istio#45123) Signed-off-by: Faseela K <faseela.k@est.tech> Co-authored-by: Faseela K <faseela.k@est.tech> * rc.0 step 1 - update deps (istio#45134) * Automator: update ztunnel@release-1.18 in istio/istio@release-1.18 (istio#45139) * Temporarily remove eBPF impl pending CNCF guidance (istio#45167) eBPF support is temporarily disabled pending CNCF establishing guidance around dual-licensed eBPF bytecode cncf/toc#1000 (comment) Signed-off-by: Benjamin Leggett <benjamin.leggett@solo.io> * 1.17: bump docker dep (istio#45199) This has a "CVE". It doesn't impact Istio but makes scanners unhappy. The dep is only used in WASM code and is a small bump so pretty low risk * Update BASE_VERSION to release-1.18-2023-05-31T19-02-09 (istio#45225) * Automator: update proxy@release-1.18 in istio/istio@release-1.18 (istio#45281) * Update BASE_VERSION to release-1.18-2023-06-05T19-04-11 (istio#45289) * Update deps prior to 1.18.0 GA (istio#45310) * Automator: update common-files@release-1.18 in istio/istio@release-1.18 (istio#45325) * Automator: update istio/client-go@release-1.18 dependency in istio/istio@release-1.18 (istio#45326) * Automator: update ztunnel@release-1.18 in istio/istio@release-1.18 (istio#45333) * precise-errorcode-debuggen (istio#45164) Change-Id: Ia2654e18006b7cc2d54bb86ff9c9a2abe9e28bf5 Co-authored-by: Ingwon Song <igsong@google.com> * [release-1.18]Manual cherry-pick of 44481 and 44775 (istio#45081) * add PDB to gateway chart * add releasenotes * revise based on comments * revise values to have better control * disable PDB by default * [release-1.18] Certificate Revocation List support (istio#45130) * refactor KeyCertAndStaple (istio#44764) Doing this refactoring in preparation for CRL support Signed-off-by: Faseela K <faseela.k@est.tech> * Certificate Revocation List support (istio#45104) Signed-off-by: Faseela K <faseela.k@est.tech> * populate crl only when the key is present in secret (istio#45112) Signed-off-by: Faseela K <faseela.k@est.tech> * skip empty ocsp staple configuration (istio#45159) Signed-off-by: Faseela K <faseela.k@est.tech> --------- Signed-off-by: Faseela K <faseela.k@est.tech> * Adding LRS support (istio#45165) Change-Id: Ifd075d62a5f0dda3b4b57eb807677f1637bed04f Co-authored-by: Ingwon Song <igsong@google.com> * Fix invalid XDS configuration for wildcard Ingress HTTP path (istio#44898) (istio#45168) * Fix invalid XDS configuration for wildcard Ingress path Updates Ingress to VirtualService translation to not create a HTTPRequestMatch when the URI is nil. The URI is nil when the path is a wildcard or is empty and the pathType is nil or implementationSpecific. This change prevents an Envoy failure. Envoy regex fails when the path seperated prefix is empty or has a trailing "/". * Fix failing unit tests - handle sorting HTTPRoutes with no HTTPRequestMatches * Update golden converion tests for ingress. Remove empty match. --------- Signed-off-by: jaellio <jaellio@microsoft.com> * Fix Telemetry disablement matching (istio#45303) Co-authored-by: John Howard <howardjohn@google.com> * Add rolling update max unavailable to CNI chart to speed up deploys (cherry pick to release-1.18) (istio#44934) * Add rolling update max unavailable to CNI chart to speed up deploys * Update generated code * Update chart updating instructions * Add release note * Skip config from istio#44642 * [release-1.18] Fix istioctl pc secret cert validity not accurate (istio#45343) * fix istioctl pc secret cert valid * lint and add releasenotes --------- Co-authored-by: xiaopeng <hanxiaop8@outlook.com> * Change to use Node instead of RawMeta (istio#45359) Change-Id: I21117025bb99b62c18484d2f1598a001751faaa4 Co-authored-by: Ingwon Song <igsong@google.com> * [release-1.18] Check the disabled status when adding a log provider (istio#45373) * Check the disabled status when adding a log provider By checking the disabled status when adding a log provider, this PR fixes an issue where disabling a log provider through Istio telemetry API would not work. Otherwise, a disabled log provider may still be added to the log configuration and cause the disabling to not work as expected. The test case in this PR verifies that with the fix this PR, a disabled log provider will not be added to the log configuration. * Update the variable name --------- Co-authored-by: Lei Tang <32078630+lei-tang@users.noreply.github.com> * Automator: update istio/client-go@release-1.18 dependency in istio/istio@release-1.18 (istio#45381) * Automator: update proxy@release-1.18 in istio/istio@release-1.18 (istio#45450) * [release-1.18] Update min supported k8s version to 1.24 (istio#45444) * update min supported k9s version to 1.24 * add releasenotes --------- Co-authored-by: xiaopeng <hanxiaop8@outlook.com> * [release-1.18] cherry-pick: add debug info when generating certs for workloads (istio#45194) * cherry-pick: add debug info when generating certs for workloads istio#45183 Signed-off-by: huabing zhao <zhaohuabing@gmail.com> * remove signer and make ttl human readable Signed-off-by: huabing zhao <zhaohuabing@gmail.com> --------- Signed-off-by: huabing zhao <zhaohuabing@gmail.com> * Update BASE_VERSION to 1.18-2023-06-15T19-02-54 (istio#45495) * [release-1.18] improve accesslog mode e2e tests (istio#45519) * improve accesslog mode e2e tests * retry Signed-off-by: hejianpeng <hejianpeng2@huawei.com> * fix --------- Signed-off-by: hejianpeng <hejianpeng2@huawei.com> Co-authored-by: hejianpeng <hejianpeng2@huawei.com> * Automator: update common-files@release-1.18 in istio/istio@release-1.18 (istio#45569) * Automator: update istio/client-go@release-1.18 dependency in istio/istio@release-1.18 (istio#45570) * Automator: update ztunnel@release-1.18 in istio/istio@release-1.18 (istio#45579) * Automator: update proxy@release-1.18 in istio/istio@release-1.18 (istio#45587) * prow: move to use WI for auth_header in private (istio#45609) This replaces authentikos Co-authored-by: John Howard <howardjohn@google.com> * Automator: update proxy@release-1.18 in istio/istio@release-1.18 (istio#45667) * Automator: update istio/client-go@release-1.18 dependency in istio/istio@release-1.18 (istio#45660) * Automator: update common-files@release-1.18 in istio/istio@release-1.18 (istio#45690) * Bump github.com/lestrrat-go/jwx from 1.2.25 to 1.2.26 (istio#45684) Signed-off-by: Kalya Subramanian <kasubra@microsoft.com> * Automator: update ztunnel@release-1.18 in istio/istio@release-1.18 (istio#45702) * Fix auth header syntax (istio#45711) Co-authored-by: John Howard <howardjohn@google.com> * gcp metadata: compute GCPClusterURL from metadata (istio#45741) This allows computing GCPClusterURL from GCP_METADATA env var, if it is set. This allows usage with zero dependency on the metadata server. * Automator: update proxy@release-1.18 in istio/istio@release-1.18 (istio#45747) * Automator: update proxy@release-1.18 in istio/istio@release-1.18 (istio#45769) * Automator: update proxy@release-1.18 in istio/istio@release-1.18 (istio#45771) * Automator: update proxy@release-1.18 in istio/istio@release-1.18 (istio#45834) * [release-1.18] Fix a potential nil panic of endpointindex (istio#45808) * fix a potential nil panic of endpointindex * add releasenotes * revise releasenotes --------- Co-authored-by: xiaopeng <hanxiaop8@outlook.com> * Automator: update istio/client-go@release-1.18 dependency in istio/istio@release-1.18 (istio#45857) * [release-1.18] Fix bug report include option not working as expected (istio#45860) * fix bug report include option * add releasenotes --------- Co-authored-by: xiaopeng <hanxiaop8@outlook.com> * Automator: update istio/client-go@release-1.18 dependency in istio/istio@release-1.18 (istio#45876) * Automator: update common-files@release-1.18 in istio/istio@release-1.18 (istio#45875) * Automator: update ztunnel@release-1.18 in istio/istio@release-1.18 (istio#45892) * Automator: update common-files@release-1.18 in istio/istio@release-1.18 (istio#45936) * Automator: update istio/client-go@release-1.18 dependency in istio/istio@release-1.18 (istio#45938) * [release-1.18] Fix health probe port overwrite (istio#45873) * Remove app req host override with req host on health-check Signed-off-by: jaellio <jaellio@microsoft.com> * set appReq host to prober host value Signed-off-by: jaellio <jaellio@microsoft.com> * add conditional check before setting appReq host to probe host Signed-off-by: jaellio <jaellio@microsoft.com> * Remove host override from app probe unit tests. The explicit override does not reflect the actual request host value on health probe requests. Prior to being processed in the istio-proxy the host of the request should not be set to the app port. Signed-off-by: jaellio <jaellio@microsoft.com> --------- Signed-off-by: jaellio <jaellio@microsoft.com> Co-authored-by: jaellio <jaellio@microsoft.com> * Add release note for istio#45632 (istio#45927) Signed-off-by: jaellio <jaellio@microsoft.com> Co-authored-by: jaellio <jaellio@microsoft.com> * Automator: update ztunnel@release-1.18 in istio/istio@release-1.18 (istio#45948) * [release-1.18] Set inject true for compatibility tests (istio#45928) * Set inject true for compatibility tests * adding the fix to TestProxyProtocolTCPGateway and TestCustomGateway --------- Co-authored-by: Riya Sinha <riyasinha@google.com> * [release-1.18] prevent port conflict with sidecar static listener like 15021 15090 (istio#45966) * prevent port conflict with sidecar static listener 15021 15090 * remove duplicate conflict detection * address comment --------- Co-authored-by: Zhonghu Xu <xuzhonghu@huawei.com> * Update image from (istio#45958) Co-authored-by: Eric Van Norman <ericvn@us.ibm.com> * Automator: update common-files@release-1.18 in istio/istio@release-1.18 (istio#45995) * Automator: update istio/client-go@release-1.18 dependency in istio/istio@release-1.18 (istio#45996) * Automator: update ztunnel@release-1.18 in istio/istio@release-1.18 (istio#46000) * Automator: update proxy@release-1.18 in istio/istio@release-1.18 (istio#46007) * Exit if sds socket not found (istio#45941) (istio#46014) * Exit if sds socket not found (istio#45941) * adding - exit if sds socket not found * fix release note for # 45941 * renaming flag to USE_EXTERNAL_WORKLOAD_SDS * rewording release note for istio#45941, describe usage of USE_EXTERNAL_SDS_SOCKET * fix cherry-pick * fix conflict (istio#46017) Signed-off-by: Kuat Yessenov <kuat@google.com> Co-authored-by: Kuat Yessenov <kuat@google.com> * fix concurrent map access in endpoint metadata (istio#44473) (istio#46021) * fix concurrent map access in endpoint metadata * only clone as needed * only clone as needed * remove unnecessary code * review comments * fix ut * add test case * add lock --------- Signed-off-by: Rama Chavali <rama.rao@salesforce.com> Co-authored-by: Rama Chavali <rama.rao@salesforce.com> * Fix nil map for cluster builder (istio#46024) Co-authored-by: Sergii Shapar <sshapar@google.com> * Automator: update proxy@release-1.18 in istio/istio@release-1.18 (istio#46025) * Automator: update proxy@release-1.18 in istio/istio@release-1.18 (istio#46039) * Bump proxy version (#122) * Add validation of workload entry identity (#117) (cherry picked from commit b6eefaf3045227431b60384002e5b0c57740288d) * 1.18.2 tetrate build Signed-off-by: psbrar99 <brargg1989@gmail.com> * eks patch Signed-off-by: psbrar99 <brargg1989@gmail.com> * 1.18.2 tetratefips build Signed-off-by: psbrar99 <brargg1989@gmail.com> * 1.18.2 tetratefips build Signed-off-by: psbrar99 <brargg1989@gmail.com> * 1.18.2 tetratefips build Signed-off-by: psbrar99 <brargg1989@gmail.com> * 1.18.2 tetratefips build Signed-off-by: psbrar99 <brargg1989@gmail.com> * bump proxy SHA Signed-off-by: psbrar99 <brargg1989@gmail.com> * envoy cves Signed-off-by: psbrar99 <brargg1989@gmail.com> * envoy cves Signed-off-by: psbrar99 <brargg1989@gmail.com> * bump proxy SHA Signed-off-by: psbrar99 <brargg1989@gmail.com> * running e2e tests for pilot Signed-off-by: psbrar99 <brargg1989@gmail.com> * running e2e tests for pilot Signed-off-by: psbrar99 <brargg1989@gmail.com> * running e2e tests for pilot Signed-off-by: psbrar99 <brargg1989@gmail.com> * bump runners Signed-off-by: psbrar99 <brargg1989@gmail.com> * bump runners Signed-off-by: psbrar99 <brargg1989@gmail.com> * publish release Signed-off-by: psbrar99 <brargg1989@gmail.com> * update tetrate-workflow branch Signed-off-by: psbrar99 <brargg1989@gmail.com> * update tetrate-workflow branch Signed-off-by: psbrar99 <brargg1989@gmail.com> * update tetrate-workflow branch Signed-off-by: psbrar99 <brargg1989@gmail.com> * update tetrate-workflow branch Signed-off-by: psbrar99 <brargg1989@gmail.com> * Removing unnecessary code Signed-off-by: psbrar99 <brargg1989@gmail.com> * addressed comment Signed-off-by: psbrar99 <brargg1989@gmail.com> * address reveiw comments Signed-off-by: psbrar99 <brargg1989@gmail.com> * cleanup and updated new patch for eks Signed-off-by: psbrar99 <brargg1989@gmail.com> * Update tetrateci/version_check.py Co-authored-by: zirain <zirain2009@gmail.com> * fix WF for make release job Signed-off-by: psbrar99 <brargg1989@gmail.com> * fips.md update Signed-off-by: psbrar99 <brargg1989@gmail.com> * Update fips.md * Update .github/workflows/make_release.yml Co-authored-by: zirain <zirain2009@gmail.com> * Update .github/workflows/make_release.yml Co-authored-by: zirain <zirain2009@gmail.com> --------- Signed-off-by: hejianpeng <hejianpeng2@huawei.com> Signed-off-by: jongwooo <jongwooo.han@gmail.com> Signed-off-by: Kalya Subramanian <kasubra@microsoft.com> Signed-off-by: Faseela K <faseela.k@est.tech> Signed-off-by: Yaroslav Skopets <yaroslav@tetrate.io> Signed-off-by: xin.li <xin.li@daocloud.io> Signed-off-by: Yanqiang Miao <miaoyq_2010@163.com> Signed-off-by: Rama Chavali <rama.rao@salesforce.com> Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> Signed-off-by: Benjamin Leggett <benjamin.leggett@solo.io> Signed-off-by: jaellio <jaellio@microsoft.com> Signed-off-by: huabing zhao <zhaohuabing@gmail.com> Signed-off-by: Kuat Yessenov <kuat@google.com> Signed-off-by: psbrar99 <brargg1989@gmail.com> Co-authored-by: dwq <dddwq@foxmail.com> Co-authored-by: Istio Automation <istio-testing-bot@google.com> Co-authored-by: John Howard <howardjohn@google.com> Co-authored-by: Zhonghu Xu <xuzhonghu@huawei.com> Co-authored-by: Xiaopeng Han <hanxiaop8@outlook.com> Co-authored-by: Eric Van Norman <ericvn@us.ibm.com> Co-authored-by: zirain <hejianpeng2@huawei.com> Co-authored-by: Jongwoo Han <jongwooo.han@gmail.com> Co-authored-by: Kalya Subramanian <42158129+ksubrmnn@users.noreply.github.com> Co-authored-by: Faseela K <faseela.k@est.tech> Co-authored-by: jacob-delgado <jacob.delgado@volunteers.acasi.info> Co-authored-by: cebernardi <cbernardi@expediagroup.com> Co-authored-by: Rajat Sharma <rajat.shrma94@gmail.com> Co-authored-by: Costin Manolache <costin@gmail.com> Co-authored-by: pmerrison <pmerrison@me.com> Co-authored-by: Yaroslav Skopets <yaroslav@tetrate.io> Co-authored-by: my-git9 <xin.li@daocloud.io> Co-authored-by: Ikumi Nakamura <28798279+johnmanjiro13@users.noreply.github.com> Co-authored-by: Yossi Mesika <yossi.mesika@solo.io> Co-authored-by: Yanqiang Miao <miaoyq_2010@163.com> Co-authored-by: Ingwon Song <102102227+ingwonsong@users.noreply.github.com> Co-authored-by: zengyuxing <newday.jesse@gmail.com> Co-authored-by: Yossi Mesika <ymesika@gmail.com> Co-authored-by: john-a-joyce <joycej@cisco.com> Co-authored-by: pmerrison <paul@tetrate.io> Co-authored-by: Peter Jausovec <peterj@users.noreply.github.com> Co-authored-by: Nicole LiHui <nicolelihui@outlook.com> Co-authored-by: John Mazzitelli <mazz@redhat.com> Co-authored-by: akshayjnambiar <akshayjnambiar@google.com> Co-authored-by: Greg Hanson <gregory.hanson@solo.io> Co-authored-by: Mitch Connors <mitchconnors@gmail.com> Co-authored-by: Rui Gu <ruigu@google.com> Co-authored-by: Akshay J Nambiar <akshayjnambiar@users.noreply.github.com> Co-authored-by: Rama Chavali <rama.rao@salesforce.com> Co-authored-by: Rohit Agarwal <mindprince@gmail.com> Co-authored-by: Jacek Ewertowski <jewertow@redhat.com> Co-authored-by: Siyi Wang <siyiwang@google.com> Co-authored-by: Ben Leggett <854255+bleggett@users.noreply.github.com> Co-authored-by: github-actions <github-actions@github.com> Co-authored-by: Ingwon Song <igsong@google.com> Co-authored-by: Jackie Elliott <64559656+jaellio@users.noreply.github.com> Co-authored-by: Dwayne Schultz <myshkin5@users.noreply.github.com> Co-authored-by: Lei Tang <32078630+lei-tang@users.noreply.github.com> Co-authored-by: zhaohuabing <zhaohuabing@gmail.com> Co-authored-by: jaellio <jaellio@microsoft.com> Co-authored-by: Riya Sinha <riyasinha@google.com> Co-authored-by: Adam Sayah <adam.sayah@solo.io> Co-authored-by: Kuat Yessenov <kuat@google.com> Co-authored-by: Hemendra Teli <8605932+hemendrateli@users.noreply.github.com> Co-authored-by: Sergii Shapar <sshapar@google.com> Co-authored-by: zirain <zirain2009@gmail.com>
53 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
On behalf of the Istio Steering Committee, please find attached a proposal for Istio to become a graduated project.
What is Istio?
Istio is an open source service mesh that provides a uniform, efficient and transparent way to secure, connect, and monitor services in cloud native applications. It supports zero-trust networking, policy enforcement, traffic management, load balancing, and monitoring; all without requiring applications to be rewritten.
Istio applied to join the CNCF in April 2022 and was accepted in September 2022. The proposal and due diligence from that application are linked for reference. As the due diligence was completed within the last few months, we believe the information contained within remains relevant.
We believe that Istio's maturity is commensurate with the "Graduated" maturity level and recommendation for adoption to a majority of enterprise users.
Why are we ready to graduate?
Istio is a top 10 CNCF project by 2022 velocity, and is in the top 3 CNCF projects by measures such as 7DA average PRs merged.
The project has had 9,500 GitHub contributors with 1950 contributors in the last 12 months. In that time we have had over 330 different contributors with merged PRs representing over 85 companies.
Our latest security assessment concluded "Istio is a very well-maintained and secure project with a sound code base, well-established security practices and a responsive product security team."
We have almost 10,000 members on our community Slack and 32,000 GitHub stars.
Among our many public adopters are End User Community members including Airbnb, Curve, eBay, iHerb, Intuit, Lowes, Thought Machine, Salesforce, SAP, Spotify, Walmart, Wayfair, WP Engine, Yahoo and Zendesk.
How you can help today