Automator: merge upstream changes to openshift-service-mesh/istio@master

* upstream/master: (47 commits)
  addons: Bump addons version (#57887)
  Gateway: bump to v1.4.0 (#57873)
  Automator: update proxy@master in istio/istio@master (#57882)
  move stat prefix to constants (#57879)
  Handle istio-cni cleanup on node restart (#57456)
  add stat prefix for WASM default RBAC filters (#57824)
  Automator: update proxy@master in istio/istio@master (#57875)
  Update the comments to match the iptables selection logic (#57876)
  Automator: update proxy@master in istio/istio@master (#57872)
  Automator: update proxy@master in istio/istio@master (#57870)
  Automator: update ztunnel@master in istio/istio@master (#57857)
  Security/check sa for gw secrets (#57716)
  Automator: update proxy@master in istio/istio@master (#57865)
  Automator: update proxy@master in istio/istio@master (#57856)
  Automator: update ztunnel@master in istio/istio@master (#57845)
  Automator: update proxy@master in istio/istio@master (#57850)
  Automator: update istio/client-go@master dependency in istio/istio@master (#57848)
  Remove use of comment module when testing kernel support for iptables version (#57679)
  Update BASE_VERSION to master-2025-10-01T19-01-35 (#57841)
  Automator: update istio/client-go@master dependency in istio/istio@master (#57828)
  ...

Author: openshift-service-mesh-bot

.devcontainer/devcontainer.json

@@ -1,6 +1,6 @@
 {
   "name": "istio build-tools",
-  "image": "gcr.io/istio-testing/build-tools:master-2683149c033b2b71ab460170c3045ae85727306e",
+  "image": "gcr.io/istio-testing/build-tools:master-6ac9cdb3d1ad09092398ab15574ce88cf2ac31ff",
   "privileged": true,
   "remoteEnv": {
     "USE_GKE_GCLOUD_AUTH_PLUGIN": "True",

Makefile.core.mk

@@ -49,7 +49,7 @@ endif
 export VERSION
 
 # Base version of Istio image to use
-BASE_VERSION ?= master-2025-09-23T19-02-05
+BASE_VERSION ?= master-2025-10-01T19-01-35
 ISTIO_BASE_REGISTRY ?= gcr.io/istio-release
 
 export GO111MODULE ?= on

cni/pkg/cmd/root.go

@@ -133,25 +133,27 @@ var rootCmd = &cobra.Command{
 			// if it is, we do NOT remove the plugin, and do
 			// NOT do ambient watch server cleanup
 			defer func() {
-				var isUpgrade bool
+				var shouldStopCleanup bool
 				if cfg.InstallConfig.AmbientDisableSafeUpgrade {
 					log.Info("Ambient node agent safe upgrade explicitly disabled via env")
-					isUpgrade = false
+					shouldStopCleanup = false
 				} else {
-					isUpgrade = ambientAgent.ShouldStopForUpgrade("istio-cni", nodeagent.PodNamespace)
+					shouldStopCleanup = ambientAgent.ShouldStopCleanup("istio-cni", nodeagent.PodNamespace, cfg.InstallConfig.IstioOwnedCNIConfig)
 				}
-				log.Infof("Ambient node agent shutting down - is upgrade shutdown? %t", isUpgrade)
+				log.Infof("Ambient node agent shutting down - should stop cleanup? %t", shouldStopCleanup)
+
+				// TODO(jaellio) - do we want to add support for a partial cleanup
 				// if we are doing an "upgrade shutdown", then
 				// we do NOT want to remove/cleanup the CNI plugin.
 				//
 				// This is important - we want it to remain in place to "stall"
 				// new ambient-enabled pods while our replacement spins up.
-				if !isUpgrade {
+				if !shouldStopCleanup {
 					if cleanErr := installer.Cleanup(); cleanErr != nil {
 						log.Error(cleanErr.Error())
 					}
 				}
-				ambientAgent.Stop(isUpgrade)
+				ambientAgent.Stop(shouldStopCleanup)
 			}()
 
 			ambientAgent.Start()

cni/pkg/install/testdata/kubeconfig-newhost

@@ -11,7 +11,6 @@ contexts:
   name: istio-cni-context
 current-context: istio-cni-context
 kind: Config
-preferences: {}
 users:
 - name: istio-cni
   user:

cni/pkg/install/testdata/kubeconfig-skip-tls

@@ -11,7 +11,6 @@ contexts:
   name: istio-cni-context
 current-context: istio-cni-context
 kind: Config
-preferences: {}
 users:
 - name: istio-cni
   user:

cni/pkg/install/testdata/kubeconfig-tls

@@ -11,7 +11,6 @@ contexts:
   name: istio-cni-context
 current-context: istio-cni-context
 kind: Config
-preferences: {}
 users:
 - name: istio-cni
   user:

cni/pkg/nodeagent/informers_test.go

@@ -176,7 +176,7 @@ func TestInformerExistingPodAddErrorAnnotatesWithPartialStatusOnRetry(t *testing
 	client := kube.NewFakeClient(ns, pod)
 	fs := &fakeServer{}
 
-	fs.On("AddPodToMesh",
+	call := fs.On("AddPodToMesh",
 		ctx,
 		mock.IsType(pod),
 		util.GetPodIPsIfPresent(pod),
@@ -201,6 +201,11 @@ func TestInformerExistingPodAddErrorAnnotatesWithPartialStatusOnRetry(t *testing
 
 	assertPodAnnotatedPending(t, client, pod)
 
+	// allow the call to succeed, this will stop further retry events from occurring
+	call.Return(nil)
+	// assert that the pod has been annotated before we proceed
+	assertPodAnnotated(t, client, pod)
+
 	// Assert expected calls actually made
 	fs.AssertExpectations(t)
 }

cni/pkg/nodeagent/server.go

@@ -21,7 +21,9 @@ import (
 	"sync/atomic"
 	"time"
 
+	"github.com/cenkalti/backoff/v4"
 	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/client-go/rest"
 
@@ -31,7 +33,10 @@ import (
 
 const defaultZTunnelKeepAliveCheckInterval = 5 * time.Second
 
-var log = scopes.CNIAgent
+var (
+	log              = scopes.CNIAgent
+	tokenWaitBackoff = time.Second
+)
 
 type MeshDataplane interface {
 	// MUST be called first, (even before Start()).
@@ -119,18 +124,47 @@ func (s *Server) Stop(skipCleanup bool) {
 	s.dataplane.Stop(skipCleanup)
 }
 
-func (s *Server) ShouldStopForUpgrade(selfName, selfNamespace string) bool {
+// ShouldStopCleanup of istio-cni config and binary when upgrading or on node reboot
+func (s *Server) ShouldStopCleanup(selfName, selfNamespace string, istioOwnedCNIConfig bool) bool {
 	dsName := fmt.Sprintf("%s-node", selfName)
-	cniDS, err := s.kubeClient.Kube().AppsV1().DaemonSets(selfNamespace).Get(context.Background(), dsName, metav1.GetOptions{})
-	log.Debugf("Daemonset %s has deletion timestamp?: %+v", dsName, cniDS.DeletionTimestamp)
-	if err == nil && cniDS != nil && cniDS.DeletionTimestamp == nil {
-		log.Infof("terminating, but parent DS %s is still present, this is an upgrade, leaving plugin in place", dsName)
-		return true
+	shouldStopCleanup := false
+	var numRetries uint64
+	// use different defaults when using an istio owned CNI config file
+	if istioOwnedCNIConfig {
+		shouldStopCleanup = true
+		numRetries = 2
 	}
-
-	// If the DS is gone, it's definitely not an upgrade, so carry on like normal.
-	log.Infof("parent DS %s is gone or marked for deletion, this is not an upgrade, shutting down normally %s", dsName, err)
-	return false
+	err := backoff.Retry(
+		func() error {
+			cniDS, err := s.kubeClient.Kube().AppsV1().DaemonSets(selfNamespace).Get(context.Background(), dsName, metav1.GetOptions{})
+
+			if err == nil && cniDS != nil && cniDS.DeletionTimestamp == nil {
+				log.Infof("terminating, but parent DaemonSet %s is still present, this is an upgrade or a node reboot, leaving plugin in place", dsName)
+				shouldStopCleanup = true
+				return nil
+			}
+			if errors.IsNotFound(err) || (cniDS != nil && cniDS.DeletionTimestamp != nil) {
+				// If the DS is gone, or marked for deletion, this is not an upgrade.
+				// We can safely shut down the plugin.
+				log.Infof("parent DaemonSet %s is not found or marked for deletion, this is not an upgrade, shutting down normally", dsName)
+				shouldStopCleanup = false
+				return nil
+			}
+			if errors.IsUnauthorized(err) {
+				log.Infof("permission to get parent DaemonSet %s has been revoked manually or due to uninstall, this is not an upgrade, "+
+					"shutting down normally", dsName)
+				shouldStopCleanup = false
+				return nil
+			}
+			log.Infof("failed to get parent DS %s, retrying: %v", dsName, err)
+			return err
+		},
+		// Limiting retries to 3 so other shutdown tasks can complete before the graceful shutdown period ends
+		backoff.WithMaxRetries(backoff.NewConstantBackOff(tokenWaitBackoff), numRetries))
+	if err != nil {
+		log.Infof("failed to get parent DaemonSet %s, returning %t: %v", dsName, shouldStopCleanup, err)
+	}
+	return shouldStopCleanup
 }
 
 // buildKubeClient creates the kube client

cni/pkg/plugin/plugin.go

@@ -164,23 +164,26 @@ func CmdAdd(args *skel.CmdArgs) (err error) {
 		return err
 	}
 
+	// Preemptively check if the pod is a CNI pod.
+	// It is possible that the kubeconfig is not available if it hasn't been written yet
+	// by the CNI pod or it is invalid which cause the CNI pod to be unable to start if
+	// on the creation of a new K8s client. We preemptively check if the pod is a CNI pod
+	// to avoid a deadlock on the kubeconfig when the k8s client is unnecessary to process
+	// the CNI add event for the CNI pod itself.
+	if conf.AmbientEnabled {
+		k8sArgs := K8sArgs{}
+		if err := types.LoadArgs(args.Args, &k8sArgs); err != nil {
+			return fmt.Errorf("failed to load args: %v", err)
+		}
+		if isCNIPod(conf, &k8sArgs) {
+			// If we are in a degraded state and this is our own agent pod, skip
+			return pluginResponse(conf)
+		}
+	}
+
 	// Create a kube client
 	client, err := newK8sClient(*conf)
-	// If creation of a kube client fails, check if the pod is a CNI pod.
-	// It is possible that the kubeconfig is not available if it hasn't been written yet
-	// by the CNI pod which could be unable to start if we failed here. We skip this
-	// failure for the CNI pod to avoid a deadlock.
 	if err != nil {
-		if conf.AmbientEnabled {
-			k8sArgs := K8sArgs{}
-			if err := types.LoadArgs(args.Args, &k8sArgs); err != nil {
-				return fmt.Errorf("failed to load args after failed attempt to get client: %v", err)
-			}
-			if isCNIPod(conf, &k8sArgs) {
-				// If we are in a degraded state and this is our own agent pod, skip
-				return pluginResponse(conf)
-			}
-		}
 		return fmt.Errorf("failed to createNewK8sClient: %v", err)
 	}
 
@@ -404,6 +407,6 @@ func isCNIPod(conf *Config, k8sArgs *K8sArgs) bool {
 		log.Infof("in a degraded state and %v looks like our own agent pod, skipping", k8sArgs.K8S_POD_NAME)
 		return true
 	}
-	log.Warnf("not a CNI pod, podName: %s, podNamespace: %s", k8sArgs.K8S_POD_NAME, k8sArgs.K8S_POD_NAMESPACE)
+	log.Warnf("not a CNI pod, podName: %s, podNamespace: %s, conf pod namespace: %s", k8sArgs.K8S_POD_NAME, k8sArgs.K8S_POD_NAMESPACE, conf.PodNamespace)
 	return false
 }

common/.commonfiles.sha

@@ -1 +1 @@
-c858f8951846005d3976c045fa3eae390d29a251
+be6513cc1433076ebdb636af99c9b171d9a36f27