feat(istio-operator): Updated image to v1.20.0 (#832)

Signed-off-by: Steve Hipwell <[email protected]>

.helmdocsignore

@@ -1,5 +1,4 @@
 confluence-server
-istio-operator
 jira-software
 k8s-resources
 nexus3

charts/istio-operator/.helmignore

@@ -26,3 +26,4 @@ artifacthub-repo.yml
 # Automation files
 /ci/kubeconform.yaml
 /ci/*-values.yaml
+README.md.gotmpl

charts/istio-operator/CHANGELOG.md

@@ -20,6 +20,19 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [UNRELEASED]
 
+## [v2.13.0] - 2023-11-22
+
+### Added
+
+- Added support for adding additional labels to the `ServiceAccount` via the new `serviceAccount.labels` value.
+- Added support for customising the termination grace period via the new `terminationGracePeriodSeconds` value.
+- Added support for setting the _Istio_ revision via the new `revision` value.
+
+### Changed
+
+- Updated the _Istio Operator_ OCI image version to [v1.20.0](https://github.com/istio/istio/releases/tag/1.20.0).
+- Updated the pod security context to be more secure and closer aligned to the operator container security context.
+
 ## [v2.12.3] - 2023-11-22
 
 ### Changed

charts/istio-operator/Chart.yaml

@@ -1,9 +1,9 @@
 apiVersion: v2
 name: istio-operator
-description: Helm chart for the Istio Operator.
+description: Helm chart to install the Istio Operator and optionally create the IstioOperator CR to install Istio into the cluster.
 type: application
-version: 2.12.3
-appVersion: 1.19.4
+version: 2.13.0
+appVersion: 1.20.0
 keywords:
   - kubernetes
   - istio
@@ -25,7 +25,15 @@ annotations:
       version: v1alpha1
       name: istiooperators.install.istio.io
       displayName: IstioOperator
-      description: Represents an installation of Istio to be manmaged by the Istio Operator.
+      description: Represents an installation of Istio to be managed by the Istio Operator.
   artifacthub.io/changes: |
+    - kind: added
+      description: "Added support for adding additional labels to the `ServiceAccount` via the new `serviceAccount.labels` value."
+    - kind: added
+      description: "Added support for customising the termination grace period via the new `terminationGracePeriodSeconds` value."
+    - kind: added
+      description: "Added support for setting the _Istio_ revision via the new `revision` value."
     - kind: changed
-      description: "Updated the _Istio Operator_ OCI image version to [v1.19.4](https://github.com/istio/istio/releases/tag/1.19.4)."
+      description: "Updated the _Istio Operator_ OCI image version to [v1.20.0](https://github.com/istio/istio/releases/tag/1.20.0)."
+    - kind: changed
+      description: "Updated the pod security context to be more secure and closer aligned to the operator container security context."

charts/istio-operator/README.md.gotmpl

@@ -0,0 +1,37 @@
+{{ template "chart.header" . }}
+{{ template "chart.deprecationWarning" . }}
+
+{{ template "chart.badgesSection" . }}
+
+The [Istio Operator](https://istio.io/latest/docs/setup/install/operator/) provides a declarative _Kubernetes_ native way to manage [Istio](https://istio.io/) via `IstioOperator` custom resources.
+
+[Istio](https://istio.io/) extends Kubernetes to establish a programmable, application-aware network using the powerful _Envoy_ service proxy. Working with both _Kubernetes_ and traditional workloads, _Istio_ brings standard, universal traffic management, telemetry, and security to complex deployments.
+
+{{ template "chart.homepageLine" . }}
+
+{{ template "chart.maintainersSection" . }}
+
+{{ template "chart.sourcesSection" . }}
+
+## Installing the Chart
+
+To install the chart using the recommended OCI method you can use the following command.
+
+```shell
+helm upgrade --install {{ template "chart.name" . }} oci://ghcr.io/stevehipwell/helm-charts/{{ template "chart.name" . }} --version {{ template "chart.version" . }}
+```
+
+Alternativly you can use the legacy non-OCI method via the following commands.
+
+```shell
+helm repo add stevehipwell https://stevehipwell.github.io/helm-charts/
+helm upgrade --install {{ template "chart.name" . }} stevehipwell/{{ template "chart.name" . }} --version {{ template "chart.version" . }}
+```
+
+{{ template "chart.requirementsSection" . }}
+
+{{ template "chart.valuesSection" . }}
+
+----------------------------------------------
+
+Autogenerated from chart metadata using [helm-docs](https://github.com/norwoodj/helm-docs/).

charts/istio-operator/templates/deployment.yaml

@@ -2,7 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: {{ include "istio-operator.fullname" . }}
-  namespace: {{ $.Release.Namespace }}
+  namespace: {{ .Release.Namespace }}
   labels:
     {{- include "istio-operator.labels" . | nindent 4 }}
 spec:
@@ -34,6 +34,9 @@ spec:
       {{- with .Values.priorityClassName }}
       priorityClassName: {{ . | quote }}
       {{- end }}
+      {{- with .Values.terminationGracePeriodSeconds }}
+      terminationGracePeriodSeconds: {{ . }}
+      {{- end }}
       containers:
         - name: istio-operator
           {{- with .Values.securityContext }}
@@ -56,7 +59,7 @@ spec:
             - name: WAIT_FOR_RESOURCES_TIMEOUT
               value: {{ .Values.waitForResourcesTimeout | quote }}
             - name: REVISION
-              value: ""
+              value: {{ .Values.revision | quote }}
           command:
             - operator
             - server

charts/istio-operator/templates/service.yaml

@@ -2,7 +2,7 @@ apiVersion: v1
 kind: Service
 metadata:
   name: {{ include "istio-operator.fullname" . }}
-  namespace: {{ $.Release.Namespace }}
+  namespace: {{ .Release.Namespace }}
   labels:
     {{- include "istio-operator.labels" . | nindent 4 }}
 spec:

charts/istio-operator/templates/serviceaccount.yaml

@@ -3,9 +3,12 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: {{ include "istio-operator.serviceAccountName" . }}
-  namespace: {{ $.Release.Namespace }}
+  namespace: {{ .Release.Namespace }}
   labels:
     {{- include "istio-operator.labels" . | nindent 4 }}
+  {{- with .Values.serviceAccount.labels }}
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
   {{- with .Values.serviceAccount.annotations }}
   annotations:
     {{- toYaml . | nindent 4 }}

charts/istio-operator/templates/servicemonitor.yaml

@@ -3,7 +3,7 @@ apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
   name: {{ include "istio-operator.fullname" . }}
-  namespace: {{ $.Release.Namespace }}
+  namespace: {{ .Release.Namespace }}
   labels:
     {{- include "istio-operator.labels" . | nindent 4 }}
     {{- with .Values.serviceMonitor.additionalLabels }}

charts/istio-operator/values.yaml

@@ -3,78 +3,118 @@
 # Declare variables to be passed into your templates.
 
 image:
+  # -- Image repository for the default container.
   repository: docker.io/istio/operator
-  # Overrides the image tag whose default is {{ .Chart.AppVersion }}
-  tag: ""
+  # -- (string) Image tag for the default container, this will default to `.Chart.AppVersion` if not set and will be omitted if set to `-`.
+  tag:
+  # -- Image pull policy for the default container.
   pullPolicy: IfNotPresent
+  # -- Image pull secrets (DEPRECATED).
   pullSecrets: []
 
+# -- Image pull secrets.
 imagePullSecrets: []
 
-nameOverride: ""
-fullnameOverride: ""
+# -- (string) Override the name of the chart.
+nameOverride:
 
+# -- (string) Override the full name of the chart.
+fullnameOverride:
+
+# -- Labels to add to all chart resources.
 commonLabels: {}
 
 serviceAccount:
-  # Specifies whether a service account should be created
+  # -- If `true`, create a new `ServiceAccount`.
   create: true
-  # Annotations to add to the service account
+  # -- Labels to add to the service account.
+  labels: {}
+  # -- Annotations to add to the service account.
   annotations: {}
-  # The name of the service account to use.
-  # If not set and create is true, a name is generated using the fullname template
-  name: ""
+  # -- (string) If this is set and `serviceAccount.create` is `true` this will be used for the created `ServiceAccount` name, if set and `serviceAccount.create` is `false` then this will define an existing `ServiceAccount` to use.
+  name:
 
 rbac:
-  # Specifies whether RBAC resources should be created
+  # -- If `true`, create a `ClusterRole` & `ClusterRoleBinding` with access to the Kubernetes API.
   create: true
 
+# -- Labels to add to the pod.
 podLabels: {}
+
+# -- Annotations to add to the pod.
 podAnnotations: {}
 
-podSecurityContext: {}
+# -- Security context for the pod.
+# @default -- See _values.yaml_
+podSecurityContext:
+  runAsNonRoot: true
+  fsGroup: 65534
+  seccompProfile:
+    type: RuntimeDefault
+
+# -- Priority class name for the pod.
+priorityClassName:
 
+# -- Termination grace period for the pod in seconds.
+terminationGracePeriodSeconds:
+
+# -- Security context for the default container.
+# @default -- See _values.yaml_
 securityContext:
+  privileged: false
   allowPrivilegeEscalation: false
+  readOnlyRootFilesystem: true
+  runAsNonRoot: true
+  runAsUser: 1337
+  runAsGroup: 1337
   capabilities:
     drop:
       - ALL
-  privileged: false
-  readOnlyRootFilesystem: true
-  runAsGroup: 1337
-  runAsUser: 1337
-  runAsNonRoot: true
-  seccompProfile:
 
-priorityClassName: ""
+# -- Resources for the default container.
+resources: {}
+
+# -- Node labels to match for pod scheduling.
+nodeSelector: {}
+
+# -- Affinity settings for pod scheduling. If an explicit label selector is not provided for pod affinity or pod anti-affinity one will be created from the pod selector labels.
+affinity: {}
+
+# -- Topology spread constraints for pod scheduling. If an explicit label selector is not provided one will be created from the pod selector labels.
+topologySpreadConstraints: []
+
+# -- Node taints which will be tolerated for pod scheduling.
+tolerations: []
 
 serviceMonitor:
+  # -- If `true`, create a `ServiceMonitor` resource to support the _Prometheus Operator_.
   enabled: false
+  # -- Additional labels for the `ServiceMonitor`.
   additionalLabels: {}
+  # -- Additional endpoint configuration for the default `ServiceMonitor` endpoint.
   endpointConfig: {}
+  # -- _Prometheus_ scrape interval (DEPRECATED).
   interval:
 
 dashboards:
+  # -- If `true`, install the _Grafana_ dashboards provided by the chart.
   enabled: false
 
-resources: {}
-
-nodeSelector: {}
-
-affinity: {}
-
-topologySpreadConstraints: []
+# -- Namespace to install _Istio_ into.
+istioNamespace: istio-system
 
-tolerations: []
+# -- The control plane revision, if required.
+revision:
 
+# -- Period to wait for resources before timing out.
 waitForResourcesTimeout: 300s
 
-istioNamespace: istio-system
-
 controlPlane:
+  # -- If `true`, install the _Istio_ control plane.
   install: false
-  # Annotations to place in the IstioOperator CR metadata.
+  # -- Annotations to add to the `IstioOperator` CR.
   annotations: {}
+  # -- Spec for the `IstioOperator` CR.
   spec: {}
   #   hub: docker.io/istio
   #   profile: default