Automator: merge upstream changes to openshift-service-mesh/istio@master

* upstream/master:
  Automator: update istio/client-go@master dependency in istio/istio@master (#58361)
  Automator: update proxy@master in istio/istio@master (#58358)
  tests: add integration tests for BackendTLSPolicy applied to ServiceEntry (#58242)
  Prevent route resource status conflict in multi-revision installs (#58292)
  add release-note for warmup aggression change (#58339)

Author: openshift-service-mesh-bot

go.mod

@@ -93,8 +93,8 @@ require (
 	gopkg.in/yaml.v2 v2.4.0
 	gopkg.in/yaml.v3 v3.0.1
 	helm.sh/helm/v3 v3.18.6
-	istio.io/api v1.28.0-alpha.0.0.20251118133802-3d6b80ec2d1e
-	istio.io/client-go v1.28.0-alpha.0.0.20251118134000-fa71d5732509
+	istio.io/api v1.28.0-alpha.0.0.20251120193503-cb15a6cf0002
+	istio.io/client-go v1.28.0-alpha.0.0.20251120193902-c79fe2483377
 	k8s.io/api v0.34.1
 	k8s.io/apiextensions-apiserver v0.34.1
 	k8s.io/apimachinery v0.34.1

go.sum

@@ -574,10 +574,10 @@ gotest.tools/v3 v3.0.3 h1:4AuOwCGf4lLR9u3YOe2awrHygurzhO/HeQ6laiA6Sx0=
 gotest.tools/v3 v3.0.3/go.mod h1:Z7Lb0S5l+klDB31fvDQX8ss/FlKDxtlFlw3Oa8Ymbl8=
 helm.sh/helm/v3 v3.18.6 h1:S/2CqcYnNfLckkHLI0VgQbxgcDaU3N4A/46E3n9wSNY=
 helm.sh/helm/v3 v3.18.6/go.mod h1:L/dXDR2r539oPlFP1PJqKAC1CUgqHJDLkxKpDGrWnyg=
-istio.io/api v1.28.0-alpha.0.0.20251118133802-3d6b80ec2d1e h1:qfJY+yQTjm0AWhPXITGSAGCLkujfBGh0Hu3RuXQeyq4=
-istio.io/api v1.28.0-alpha.0.0.20251118133802-3d6b80ec2d1e/go.mod h1:BD3qv/ekm16kvSgvSpuiDawgKhEwG97wx849CednJSg=
-istio.io/client-go v1.28.0-alpha.0.0.20251118134000-fa71d5732509 h1:U0SrRSda3au07r6b4ZbHa+NeKXkV4mVofPvTlQMF7oA=
-istio.io/client-go v1.28.0-alpha.0.0.20251118134000-fa71d5732509/go.mod h1:G0jE4yjFmzhXjlTAi6/TYvE8jjFaWM34EpR9OfIb4Ac=
+istio.io/api v1.28.0-alpha.0.0.20251120193503-cb15a6cf0002 h1:GmCiNi/TnMKpKIu0r5WSTir1W/Mc+2D9HI/dMp+7zPA=
+istio.io/api v1.28.0-alpha.0.0.20251120193503-cb15a6cf0002/go.mod h1:BD3qv/ekm16kvSgvSpuiDawgKhEwG97wx849CednJSg=
+istio.io/client-go v1.28.0-alpha.0.0.20251120193902-c79fe2483377 h1:ghagEGUxUsjpvbgR6Llr8xaN3kObAk2zJbnWquRhP+s=
+istio.io/client-go v1.28.0-alpha.0.0.20251120193902-c79fe2483377/go.mod h1:K9qmUWxQPP5Ltt7fbTmDqHaSUm9iMF5co3dvZsl++P0=
 k8s.io/api v0.34.1 h1:jC+153630BMdlFukegoEL8E/yT7aLyQkIVuwhmwDgJM=
 k8s.io/api v0.34.1/go.mod h1:SB80FxFtXn5/gwzCoN6QCtPD7Vbu5w2n1S0J5gFfTYk=
 k8s.io/apiextensions-apiserver v0.34.1 h1:NNPBva8FNAPt1iSVwIE0FsdrVriRXMsaWFMqJbII2CI=

istio.deps

@@ -4,7 +4,7 @@
     "name": "PROXY_REPO_SHA",
     "repoName": "proxy",
     "file": "",
-    "lastStableSHA": "c3cad09527225b6a98dbf46ce81d066c580e038f"
+    "lastStableSHA": "be818c1ad983cfe7b2a7316718076ccc7554d046"
   },
   {
     "_comment": "",

manifests/charts/base/files/crd-all.gen.yaml

@@ -133,14 +133,14 @@ func DestinationRuleCollection(
 	opts krt.OptionsBuilder,
 ) krt.Collection[*config.Config] {
 	trafficPolicyStatus, backendTrafficPolicies := BackendTrafficPolicyCollection(trafficPolicies, references, domainSuffix, opts)
-	status.RegisterStatus(c.status, trafficPolicyStatus, GetStatus)
+	status.RegisterStatus(c.status, trafficPolicyStatus, GetStatus, c.tagWatcher.AccessUnprotected())
 
 	// TODO: BackendTrafficPolicy should also probably use ancestorCollection. However, its still up for debate in the
 	// Gateway API community if having the Gateway as an ancestor ref is required or not; we would prefer it to not be if possible.
 	// Until conformance requires it, for now we skip it.
 	ancestorCollection := ancestors.AsCollection(append(opts.WithName("AncestorBackend"), TypedNamespacedNameIndexCollectionFunc)...)
 	tlsPolicyStatus, backendTLSPolicies := BackendTLSPolicyCollection(tlsPolicies, ancestorCollection, references, domainSuffix, opts)
-	status.RegisterStatus(c.status, tlsPolicyStatus, GetStatus)
+	status.RegisterStatus(c.status, tlsPolicyStatus, GetStatus, c.tagWatcher.AccessUnprotected())
 
 	// We need to merge these by hostname into a single DR
 	allPolicies := krt.JoinCollection([]krt.Collection[BackendPolicy]{backendTrafficPolicies, backendTLSPolicies})

pilot/pkg/config/kube/gateway/backend_policies.go

@@ -238,7 +238,7 @@ func NewController(
 	httpRoutesByInferencePool := krt.NewIndex(inputs.HTTPRoutes, "inferencepool-route", indexHTTPRouteByInferencePool)
 
 	GatewayClassStatus, GatewayClasses := GatewayClassesCollection(inputs.GatewayClasses, opts)
-	status.RegisterStatus(c.status, GatewayClassStatus, GetStatus)
+	status.RegisterStatus(c.status, GatewayClassStatus, GetStatus, c.tagWatcher.AccessUnprotected())
 
 	ReferenceGrants := BuildReferenceGrants(ReferenceGrantsCollection(inputs.ReferenceGrants, opts))
 	ListenerSetStatus, ListenerSets := ListenerSetCollection(
@@ -254,7 +254,7 @@ func NewController(
 		c.tagWatcher,
 		opts,
 	)
-	status.RegisterStatus(c.status, ListenerSetStatus, GetStatus)
+	status.RegisterStatus(c.status, ListenerSetStatus, GetStatus, c.tagWatcher.AccessUnprotected())
 
 	// GatewaysStatus is not fully complete until its join with route attachments to report attachedRoutes.
 	// Do not register yet.
@@ -289,7 +289,7 @@ func NewController(
 		controllers.WithMaxAttempts(5))
 
 	if features.EnableGatewayAPIInferenceExtension {
-		status.RegisterStatus(c.status, InferencePoolStatus, GetStatus)
+		status.RegisterStatus(c.status, InferencePoolStatus, GetStatus, c.tagWatcher.AccessUnprotected())
 	}
 
 	RouteParents := BuildRouteParents(Gateways)
@@ -309,25 +309,25 @@ func NewController(
 		routeInputs,
 		opts,
 	)
-	status.RegisterStatus(c.status, tcpRoutes.Status, GetStatus)
+	status.RegisterStatus(c.status, tcpRoutes.Status, GetStatus, c.tagWatcher.AccessUnprotected())
 	tlsRoutes := TLSRouteCollection(
 		inputs.TLSRoutes,
 		routeInputs,
 		opts,
 	)
-	status.RegisterStatus(c.status, tlsRoutes.Status, GetStatus)
+	status.RegisterStatus(c.status, tlsRoutes.Status, GetStatus, c.tagWatcher.AccessUnprotected())
 	httpRoutes := HTTPRouteCollection(
 		inputs.HTTPRoutes,
 		routeInputs,
 		opts,
 	)
-	status.RegisterStatus(c.status, httpRoutes.Status, GetStatus)
+	status.RegisterStatus(c.status, httpRoutes.Status, GetStatus, c.tagWatcher.AccessUnprotected())
 	grpcRoutes := GRPCRouteCollection(
 		inputs.GRPCRoutes,
 		routeInputs,
 		opts,
 	)
-	status.RegisterStatus(c.status, grpcRoutes.Status, GetStatus)
+	status.RegisterStatus(c.status, grpcRoutes.Status, GetStatus, c.tagWatcher.AccessUnprotected())
 
 	RouteAttachments := krt.JoinCollection([]krt.Collection[RouteAttachment]{
 		tcpRoutes.RouteAttachments,
@@ -360,7 +360,7 @@ func NewController(
 	)
 
 	GatewayFinalStatus := FinalGatewayStatusCollection(GatewaysStatus, RouteAttachments, RouteAttachmentsIndex, opts)
-	status.RegisterStatus(c.status, GatewayFinalStatus, GetStatus)
+	status.RegisterStatus(c.status, GatewayFinalStatus, GetStatus, c.tagWatcher.AccessUnprotected())
 
 	VirtualServices := krt.JoinCollection([]krt.Collection[*config.Config]{
 		tcpRoutes.VirtualServices,

pilot/pkg/config/kube/gateway/controller.go

@@ -48,7 +48,7 @@ func TestStatusCollections(t *testing.T) {
 	fakeCol := krt.NewStaticCollection[Status](nil, []Status{obj1}, krt.WithStop(stop))
 	status.RegisterStatus(c.status, fakeCol, func(i *v1.ConfigMap) string {
 		return ""
-	})
+	}, c.tagWatcher.AccessUnprotected())
 
 	sq1 := &TestStatusQueue{state: map[status.Resource]any{}}
 	setAndWait(t, c, sq1)

pilot/pkg/config/kube/gateway/status_test.go

@@ -37,6 +37,7 @@ import (
 	"istio.io/istio/pkg/kube/kclient"
 	"istio.io/istio/pkg/kube/krt"
 	"istio.io/istio/pkg/log"
+	"istio.io/istio/pkg/revisions"
 	"istio.io/istio/pkg/util/sets"
 )
 
@@ -93,7 +94,8 @@ type Controller struct {
 	// outputs contains all the output collections for this controller.
 	outputs Outputs
 
-	status *status.StatusCollections
+	status     *status.StatusCollections
+	tagWatcher krt.RecomputeProtected[revisions.TagWatcher]
 }
 
 type Inputs struct {
@@ -119,12 +121,17 @@ func NewController(
 	stop := make(chan struct{})
 	opts := krt.NewOptionsBuilder(stop, "ingress", options.KrtDebugger)
 
+	tw := revisions.NewTagWatcher(client, options.Revision, options.SystemNamespace)
 	c := &Controller{
 		client:     client,
 		stop:       stop,
 		status:     &status.StatusCollections{},
 		xdsUpdater: xdsUpdater,
+		tagWatcher: krt.NewRecomputeProtected(tw, false, opts.WithName("tagWatcher")...),
 	}
+	tw.AddHandler(func(s sets.String) {
+		c.tagWatcher.TriggerRecomputation()
+	})
 
 	c.inputs = Inputs{
 		IngressClasses: krt.NewInformer[*knetworking.IngressClass](client, opts.WithName("informer/IngressClasses")...),
@@ -167,7 +174,7 @@ func NewController(
 	)
 	status.RegisterStatus(c.status, Status, func(ingress *knetworking.Ingress) knetworking.IngressStatus {
 		return ingress.Status
-	})
+	}, c.tagWatcher.AccessUnprotected())
 
 	_, RuleHostIndex := RuleCollection(
 		SupportedIngresses,
@@ -225,6 +232,14 @@ func (c *Controller) SetStatusWrite(enabled bool, statusManager *status.Manager)
 
 func (c *Controller) Run(stop <-chan struct{}) {
 	log.Infof("Starting ingress controller")
+
+	tw := c.tagWatcher.AccessUnprotected()
+	go tw.Run(stop)
+	go func() {
+		kube.WaitForCacheSync("ingress tag watcher", stop, tw.HasSynced)
+		c.tagWatcher.MarkSynced()
+	}()
+
 	<-stop
 	close(c.stop)
 }

pilot/pkg/config/kube/ingress/controller.go

@@ -21,10 +21,13 @@ import (
 	"strconv"
 	"sync"
 
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
 	schematypes "istio.io/istio/pkg/config/schema/kubetypes"
 	"istio.io/istio/pkg/kube/controllers"
 	"istio.io/istio/pkg/kube/krt"
 	"istio.io/istio/pkg/log"
+	"istio.io/istio/pkg/revisions"
 	"istio.io/istio/pkg/slices"
 )
 
@@ -72,7 +75,12 @@ func (s *StatusCollections) SetQueue(queue Queue) []krt.Syncer {
 // krt.ObjectWithStatus, in theory, can contain anything in the "object" field. This function requires it to contain
 // the current live *status*, and a passed in getStatus to extract it from the object.
 // It will then compare the live status to the desired status to determine whether to write or not.
-func RegisterStatus[I controllers.Object, IS any](s *StatusCollections, statusCol krt.StatusCollection[I, IS], getStatus func(I) IS) {
+func RegisterStatus[I controllers.Object, IS any](
+	s *StatusCollections,
+	statusCol krt.StatusCollection[I, IS],
+	getStatus func(I) IS,
+	tagWatcher revisions.TagWatcher,
+) {
 	reg := func(statusWriter Queue) krt.HandlerRegistration {
 		h := statusCol.Register(func(o krt.Event[krt.ObjectWithStatus[I, IS]]) {
 			l := o.Latest()
@@ -85,6 +93,10 @@ func RegisterStatus[I controllers.Object, IS any](s *StatusCollections, statusCo
 				log.Debugf("suppress change for %v %v", l.ResourceName(), l.Obj.GetResourceVersion())
 				return
 			}
+			if !tagWatcher.IsMine(metav1.ObjectMeta{Namespace: l.Obj.GetNamespace(), Name: l.Obj.GetName(), Labels: l.Obj.GetLabels()}) {
+				log.Debugf("suppress change for %v %v because it does not belong to my revision", l.ResourceName(), l.Obj.GetResourceVersion())
+				return
+			}
 			status := &l.Status
 			if o.Event == controllers.EventDelete {
 				// if the object is being deleted, we should not reset status

pilot/pkg/status/collections.go

@@ -0,0 +1,10 @@
+apiVersion: release-notes/v2
+kind: bug-fix
+area: traffic-management
+
+issue:
+ - https://github.com/istio/istio/issues/57734
+
+releaseNotes:
+- |
+  **Fixed** status conflicts on Route resources when multiple istio revisions are installed.