Upgrade Istio to v1.24.2

.github/workflows/kserve_cni_test.yaml

@@ -1,10 +1,10 @@
 name: Build & Apply KServe manifests in KinD, using istio CNI
 on:
   pull_request:
     paths:
     - tests/gh-actions/install_KinD_create_KinD_cluster_install_kustomize.sh
     - .github/workflows/kserve_cni_test.yaml
-    - common/istio-cni-1-23/**
+    - common/istio-cni-1-24/**
     - tests/gh-actions/install_cert_manager.sh
     - common/cert-manager/**
     - tests/gh-actions/install_knative-cni.sh

.github/workflows/notebook_controller_m2m_test.yaml

@@ -1,5 +1,5 @@
 name: Test Notebook Controller with m2m auth manifests in KinD
 on:
   pull_request:
     paths:
     - tests/gh-actions/install_KinD_create_KinD_cluster_install_kustomize.sh
@@ -34,7 +34,7 @@
       run: ./tests/gh-actions/install_oauth2-proxy.sh
 
     - name: Install kubeflow-istio-resources
-      run: kustomize build common/istio-1-23/kubeflow-istio-resources/base | kubectl apply -f -
+      run: kustomize build common/istio-1-24/kubeflow-istio-resources/base | kubectl apply -f -
 
     - name: Install KF Multi Tenancy
       run: ./tests/gh-actions/install_multi_tenancy.sh

.github/workflows/pipeline_run_from_notebook.yaml

@@ -1,5 +1,5 @@
 name: Create Pipeline Run from Kubeflow Notebook
 on:
   pull_request:
     paths:
     - tests/gh-actions/install_KinD_create_KinD_cluster_install_kustomize.sh
@@ -37,7 +37,7 @@
       run: kustomize build common/kubeflow-namespace/base | kubectl apply -f -
 
     - name: Install kubeflow-istio-resources
-      run: kustomize build common/istio-1-23/kubeflow-istio-resources/base | kubectl apply -f -
+      run: kustomize build common/istio-1-24/kubeflow-istio-resources/base | kubectl apply -f -
 
     - name: Install KF Pipelines
       run: ./tests/gh-actions/install_pipelines.sh

.github/workflows/pipeline_swfs_test.yaml

@@ -1,5 +1,5 @@
 name: Deploy and test Kubeflow Pipelines manifests with seaweedfs and m2m auth in KinD
 on:
   pull_request:
     paths:
     - tests/gh-actions/install_KinD_create_KinD_cluster_install_kustomize.sh
@@ -45,7 +45,7 @@
       run: ./tests/gh-actions/install_multi_tenancy.sh
 
     - name: Install kubeflow-istio-resources
-      run: kustomize build common/istio-1-23/kubeflow-istio-resources/base | kubectl apply -f -
+      run: kustomize build common/istio-1-24/kubeflow-istio-resources/base | kubectl apply -f -
 
     - name: Create KF Profile
       run: kustomize build common/user-namespace/base | kubectl apply -f -

.github/workflows/pipeline_test.yaml

@@ -1,5 +1,5 @@
 name: Deploy and test Kubeflow Pipelines manifests with m2m auth in KinD
 on:
   pull_request:
     paths:
     - tests/gh-actions/install_KinD_create_KinD_cluster_install_kustomize.sh
@@ -44,7 +44,7 @@
       run: ./tests/gh-actions/install_multi_tenancy.sh
 
     - name: Install kubeflow-istio-resources
-      run: kustomize build common/istio-1-23/kubeflow-istio-resources/base | kubectl apply -f -
+      run: kustomize build common/istio-1-24/kubeflow-istio-resources/base | kubectl apply -f -
 
     - name: Create KF Profile
       run: kustomize build common/user-namespace/base | kubectl apply -f -

.github/workflows/pss_test.yaml

@@ -1,5 +1,5 @@
 name: Apply PSS labels to namespaces
 on:
   pull_request:
     paths:
     - tests/gh-actions/install_KinD_create_KinD_cluster_install_kustomize.sh
@@ -51,7 +51,7 @@
       run: kustomize build common/kubeflow-namespace/base | kubectl apply -f -
 
     - name: Install kubeflow-istio-resources
-      run: kustomize build common/istio-cni-1-23/kubeflow-istio-resources/base | kubectl apply -f -
+      run: kustomize build common/istio-cni-1-24/kubeflow-istio-resources/base | kubectl apply -f -
 
     - name: Install KF Multi Tenancy
       run: ./tests/gh-actions/install_multi_tenancy.sh

.github/workflows/training_operator_test.yaml

@@ -1,5 +1,5 @@
 name: Build & Apply Training Operator manifests in KinD
 on:
   pull_request:
     paths:
     - tests/gh-actions/install_KinD_create_KinD_cluster_install_kustomize.sh
@@ -38,7 +38,7 @@
       run: ./tests/gh-actions/install_multi_tenancy.sh
 
     - name: Install kubeflow-istio-resources
-      run: kustomize build common/istio-1-23/kubeflow-istio-resources/base | kubectl apply -f -
+      run: kustomize build common/istio-1-24/kubeflow-istio-resources/base | kubectl apply -f -
 
     - name: Create KF Profile
       run: kustomize build common/user-namespace/base | kubectl apply -f -

README.md

@@ -64,7 +64,7 @@ used from the different projects of Kubeflow:
 
 | Component | Local Manifests Path | Upstream Revision |
 | - | - | - |
-| Istio | common/istio-1-23 | [1.23.2](https://github.com/istio/istio/releases/tag/1.23.2) |
+| Istio | common/istio-1-24 | [1.24.2](https://github.com/istio/istio/releases/tag/1.24.2) |
 | Knative | common/knative/knative-serving <br /> common/knative/knative-eventing | [v1.16.0](https://github.com/knative/serving/releases/tag/knative-v1.16.0) <br /> [v1.16.1](https://github.com/knative/eventing/releases/tag/knative-v1.16.1) |
 | Cert Manager | common/cert-manager | [1.16.1](https://github.com/cert-manager/cert-manager/releases/tag/v1.16.1) |
 
@@ -211,9 +211,9 @@ Install Istio:
 
 ```sh
 echo "Installing Istio configured with external authorization..."
-kustomize build common/istio-1-23/istio-crds/base | kubectl apply -f -
-kustomize build common/istio-1-23/istio-namespace/base | kubectl apply -f -
-kustomize build common/istio-1-23/istio-install/overlays/oauth2-proxy | kubectl apply -f -
+kustomize build common/istio-1-24/istio-crds/base | kubectl apply -f -
+kustomize build common/istio-1-24/istio-namespace/base | kubectl apply -f -
+kustomize build common/istio-1-24/istio-install/overlays/oauth2-proxy | kubectl apply -f -
 
 echo "Waiting for all Istio Pods to become ready..."
 kubectl wait --for=condition=Ready pods --all -n istio-system --timeout 300s
@@ -343,7 +343,7 @@ Install Knative Serving:
 
 ```sh
 kustomize build common/knative/knative-serving/overlays/gateways | kubectl apply -f -
-kustomize build common/istio-1-23/cluster-local-gateway/base | kubectl apply -f -
+kustomize build common/istio-1-24/cluster-local-gateway/base | kubectl apply -f -
 ```
 
 Optionally, you can install Knative Eventing which can be used for inference request logging:
@@ -390,7 +390,7 @@ Create the Kubeflow Gateway, `kubeflow-gateway` and ClusterRole,
 Install kubeflow istio resources:
 
 ```sh
-kustomize build common/istio-1-23/kubeflow-istio-resources/base | kubectl apply -f -
+kustomize build common/istio-1-24/kubeflow-istio-resources/base | kubectl apply -f -
 ```
 
 #### Kubeflow Pipelines

common/istio-1-23/cluster-local-gateway/base/cluster-local-gateway.yaml → common/istio-1-24/cluster-local-gateway/base/cluster-local-gateway.yaml

@@ -3,6 +3,12 @@ kind: ServiceAccount
 metadata:
   labels:
     app: cluster-local-gateway
+    app.kubernetes.io/instance: istio
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: istio-ingressgateway
+    app.kubernetes.io/part-of: istio
+    app.kubernetes.io/version: 1.24.2
+    helm.sh/chart: istio-ingress-1.24.2
     install.operator.istio.io/owning-resource: unknown
     istio: cluster-local-gateway
     istio.io/rev: default
@@ -16,6 +22,12 @@ kind: Deployment
 metadata:
   labels:
     app: cluster-local-gateway
+    app.kubernetes.io/instance: istio
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: istio-ingressgateway
+    app.kubernetes.io/part-of: istio
+    app.kubernetes.io/version: 1.24.2
+    helm.sh/chart: istio-ingress-1.24.2
     install.operator.istio.io/owning-resource: unknown
     istio: cluster-local-gateway
     istio.io/rev: default
@@ -42,7 +54,13 @@ spec:
         sidecar.istio.io/inject: 'false'
       labels:
         app: cluster-local-gateway
+        app.kubernetes.io/instance: istio
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: istio-ingressgateway
+        app.kubernetes.io/part-of: istio
+        app.kubernetes.io/version: 1.24.2
         chart: gateways
+        helm.sh/chart: istio-ingress-1.24.2
         heritage: Tiller
         install.operator.istio.io/owning-resource: unknown
         istio: cluster-local-gateway
@@ -109,7 +127,8 @@ spec:
         - name: ISTIO_META_WORKLOAD_NAME
           value: cluster-local-gateway
         - name: ISTIO_META_OWNER
-          value: kubernetes://apis/apps/v1/namespaces/istio-system/deployments/cluster-local-gateway
+          value: 
+            kubernetes://apis/apps/v1/namespaces/istio-system/deployments/cluster-local-gateway
         - name: ISTIO_META_MESH_ID
           value: cluster.local
         - name: TRUST_DOMAIN
@@ -122,7 +141,7 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: spec.nodeName
-        image: docker.io/istio/proxyv2:1.23.2
+        image: docker.io/istio/proxyv2:1.24.2
         name: istio-proxy
         ports:
         - containerPort: 15020
@@ -235,6 +254,12 @@ kind: PodDisruptionBudget
 metadata:
   labels:
     app: cluster-local-gateway
+    app.kubernetes.io/instance: istio
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: istio-ingressgateway
+    app.kubernetes.io/part-of: istio
+    app.kubernetes.io/version: 1.24.2
+    helm.sh/chart: istio-ingress-1.24.2
     install.operator.istio.io/owning-resource: unknown
     istio: cluster-local-gateway
     istio.io/rev: default
@@ -253,6 +278,12 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   labels:
+    app.kubernetes.io/instance: istio
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: istio-ingressgateway
+    app.kubernetes.io/part-of: istio
+    app.kubernetes.io/version: 1.24.2
+    helm.sh/chart: istio-ingress-1.24.2
     install.operator.istio.io/owning-resource: unknown
     istio.io/rev: default
     operator.istio.io/component: IngressGateways
@@ -273,6 +304,12 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   labels:
+    app.kubernetes.io/instance: istio
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: istio-ingressgateway
+    app.kubernetes.io/part-of: istio
+    app.kubernetes.io/version: 1.24.2
+    helm.sh/chart: istio-ingress-1.24.2
     install.operator.istio.io/owning-resource: unknown
     istio.io/rev: default
     operator.istio.io/component: IngressGateways
@@ -292,6 +329,12 @@ kind: HorizontalPodAutoscaler
 metadata:
   labels:
     app: cluster-local-gateway
+    app.kubernetes.io/instance: istio
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: istio-ingressgateway
+    app.kubernetes.io/part-of: istio
+    app.kubernetes.io/version: 1.24.2
+    helm.sh/chart: istio-ingress-1.24.2
     install.operator.istio.io/owning-resource: unknown
     istio: cluster-local-gateway
     istio.io/rev: default
@@ -320,6 +363,12 @@ metadata:
   annotations:
   labels:
     app: cluster-local-gateway
+    app.kubernetes.io/instance: istio
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: istio-ingressgateway
+    app.kubernetes.io/part-of: istio
+    app.kubernetes.io/version: 1.24.2
+    helm.sh/chart: istio-ingress-1.24.2
     install.operator.istio.io/owning-resource: unknown
     istio: cluster-local-gateway
     istio.io/rev: default
@@ -331,11 +380,9 @@ spec:
   ports:
   - name: status-port
     port: 15020
-    protocol: TCP
     targetPort: 15020
   - name: http2
     port: 80
-    protocol: TCP
     targetPort: 8080
   selector:
     app: cluster-local-gateway