Automator: merge upstream changes to openshift-service-mesh/istio@master

* upstream/master: (48 commits)
  fix proxy version check for built-in formatters (#58469)
  Support safe migration from iptables to nftables in Ambient (#58354)
  krt: aggregate Join events for conflicting keys (#58324)
  Automator: update proxy@master in istio/istio@master (#58458)
  addons: Bump addons version (#58443)
  add indication for the requests count (#58454)
  `istioctl`: Display proxy cert serial numbers with trailing zeros (#58449)
  nds: fix missing IP addresses in headless nametable entries when pods have multiple IPs (#58398)
  Adapt TestInferencePoolMultipleTargetPorts test to Openshift (#58448)
  Add istiod_remote_cluster_sync_status metric (#58384)
  Automator: update proxy@master in istio/istio@master (#58446)
  Automator: update istio/client-go@master dependency in istio/istio@master (#58421)
  Automator: update proxy@master in istio/istio@master (#58439)
  Automator: update proxy@master in istio/istio@master (#58437)
  istioctl: support show all namespaces waypoint status (#58394)
  Propagate trust domain to e/w gateway (#58428)
  xlistenerset: fix namespace selector (#58360)
  istioctl waypoint status: support specify whether to wait for waypoint to be ready (#57076)
  timeout in zipkin is optional (#58406)
  rename NewInformerFiltered to NewFilteredInformer (#58385)
  ...

Author: openshift-service-mesh-bot

cni/pkg/install/cniconfig_test.go

@@ -227,8 +227,7 @@ func TestGetCNIConfigFilepath(t *testing.T) {
 
 			// Handle chained CNI plugin cases
 			// Call with goroutine to test fsnotify watcher
-			parent, cancel := context.WithCancel(context.Background())
-			defer cancel()
+			parent := t.Context()
 			resultChan, errChan := make(chan string, 1), make(chan error, 1)
 			go func(resultChan chan string, errChan chan error, ctx context.Context, cniConfName, mountedCNINetDir string, chained bool) {
 				result, err := getCNIConfigFilepath(ctx, cniConfName, mountedCNINetDir, chained)

cni/pkg/install/install_test.go

@@ -220,8 +220,7 @@ func TestSleepCheckInstall(t *testing.T) {
 			tempDir := t.TempDir()
 
 			// Initialize parameters
-			ctx, cancel := context.WithCancel(context.Background())
-			defer cancel()
+			ctx := t.Context()
 
 			if c.istioOwnedCNIConfig && len(c.istioOwnedCNIConfigFilename) == 0 {
 				c.istioOwnedCNIConfigFilename = "02-istio-conf.conflist"

cni/pkg/nftables/kubeletuid_linux.go

@@ -22,7 +22,9 @@ import (
 	"github.com/prometheus/procfs"
 )
 
-// getKubeletUIDFromPath finds the kubelet process UID by inspecting the proc filesystem path.
+// getKubeletUIDFromPath finds the kubelet or kubelite process UID by inspecting the proc filesystem path.
+// In standard Kubernetes distributions, it looks for the "kubelet" process.
+// On some platforms like MicroK8s, where multiple k8s components are consolidated, it looks for the "kubelite" process.
 func getKubeletUIDFromPath(procPath string) (string, error) {
 	fs, err := procfs.NewFS(procPath)
 	if err != nil {
@@ -34,44 +36,53 @@ func getKubeletUIDFromPath(procPath string) (string, error) {
 		return "", fmt.Errorf("failed to read processes from %s: %v", procPath, err)
 	}
 
-	// Find kubelet process
+	// List of process names to search for, in order of preference
+	processNames := []string{"kubelet", "kubelite"}
+
 	for _, proc := range procs {
 		comm, err := proc.Comm()
 		if err != nil {
 			// Process might have exited, skip
 			continue
 		}
 
-		if comm == "kubelet" {
-			// Lets check the command line to ensure it's really kubelet
-			cmdline, err := proc.CmdLine()
-			if err != nil {
-				continue
-			}
+		for _, targetName := range processNames {
+			if comm == targetName {
+				// Lets check the command line to ensure it's really the target process
+				cmdline, err := proc.CmdLine()
+				if err != nil {
+					continue
+				}
 
-			kubeletFound := false
-			for _, arg := range cmdline {
-				if strings.Contains(strings.ToLower(arg), "kubelet") {
-					kubeletFound = true
-					break
+				// Verify that this process is actually related to kubelet by checking
+				// if "kubelet" appears in any of the command line arguments.
+				// This works for both:
+				//   - Standard kubelet: /usr/bin/kubelet [args...]
+				//   - MicroK8s kubelite: /snap/microk8s/.../kubelite --kubelet-args-file=...
+				processFound := false
+				for _, arg := range cmdline {
+					if strings.Contains(strings.ToLower(arg), "kubelet") {
+						processFound = true
+						break
+					}
+				}
+				if !processFound {
+					continue
 				}
-			}
-			if !kubeletFound {
-				continue
-			}
 
-			// Get process status with UIDs
-			status, err := proc.NewStatus()
-			if err != nil {
-				continue
-			}
+				// Get process status with UIDs
+				status, err := proc.NewStatus()
+				if err != nil {
+					continue
+				}
 
-			realUID := status.UIDs[0]
-			realUIDStr := strconv.FormatUint(realUID, 10)
+				realUID := status.UIDs[0]
+				realUIDStr := strconv.FormatUint(realUID, 10)
 
-			return realUIDStr, nil
+				return realUIDStr, nil
+			}
 		}
 	}
 
-	return "", fmt.Errorf("kubelet process not found in %s", procPath)
+	return "", fmt.Errorf("kubelet or kubelite process not found in %s", procPath)
 }

cni/pkg/nftables/nftables.go

@@ -443,7 +443,7 @@ func (cfg *NftablesConfigurator) CreateHostRulesForHealthChecks() error {
 	//
 	// Challenge: In nftables, there is no direct equivalent to "--socket-exists", so we explored multiple alternatives
 	// - Option-1 (UID-based matching): Since kubelet runs as a specific process with a known UID, we can use
-	//   meta skuid to identify traffic originating from kubelet.
+	//   meta skuid to identify traffic originating from kubelet (or kubelite in MicroK8s).
 	//
 	// - Option-2: Match on kubelet’s source IP (node IP). This works in theory but is a bit unsafe as
 	//   other host processes can also send traffic from the node IP, and nodes can have multiple IPs making the

cni/pkg/nodeagent/detect_artifacts_linux.go

@@ -0,0 +1,102 @@
+// Copyright Istio Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package nodeagent
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/vishvananda/netlink"
+
+	"istio.io/istio/cni/pkg/config"
+	"istio.io/istio/cni/pkg/ipset"
+	"istio.io/istio/cni/pkg/util"
+)
+
+// detectIptablesArtifacts checks for the presence of Istio iptables artifacts (specifically IPsets)
+// on the host network to determine if a previous iptables-based deployment exists.
+// Returns:
+//   - true if iptables artifacts (IPsets) are detected
+//   - false if no artifacts are detected or if detection fails
+//   - error if there was a failure during detection
+func detectIptablesArtifacts(enableIPv6 bool) (bool, error) {
+	var detected bool
+	var detectionErr error
+
+	// Run the detection in the host network namespace
+	err := util.RunAsHost(func() error {
+		// Check if the IPv4 IPset exists
+		v4Name := fmt.Sprintf(ipset.V4Name, config.ProbeIPSet)
+		v4Exists, err := ipsetExists(v4Name)
+		if err != nil {
+			log.Debugf("failed to check for v4 IPset %s: %v", v4Name, err)
+			detectionErr = fmt.Errorf("v4 IPset detection failed: %w", err)
+			// Lets continue checking for v6 (if enabled)
+		}
+
+		if v4Exists {
+			log.Infof("detected iptables artifact: IPset %s exists", v4Name)
+			detected = true
+			// Found v4 artifact, no need to check for v6
+			return nil
+		}
+
+		// Check if the IPv6 IPset exists
+		if enableIPv6 {
+			v6Name := fmt.Sprintf(ipset.V6Name, config.ProbeIPSet)
+			v6Exists, err := ipsetExists(v6Name)
+			if err != nil {
+				log.Debugf("failed to check for v6 IPset %s: %v", v6Name, err)
+				if detectionErr != nil {
+					detectionErr = fmt.Errorf("%w; v6 IPset detection failed: %w", detectionErr, err)
+				} else {
+					detectionErr = fmt.Errorf("v6 IPset detection failed: %w", err)
+				}
+			}
+
+			if v6Exists {
+				log.Infof("detected iptables artifact: IPset %s exists", v6Name)
+				detected = true
+			}
+		}
+
+		return nil
+	})
+	if err != nil {
+		return false, fmt.Errorf("failed to run detection in host namespace: %w", err)
+	}
+
+	return detected, detectionErr
+}
+
+// ipsetExists checks if an IPset with the given name exists on the host.
+// Returns:
+//   - true, nil if the IPset exists
+//   - false, nil if the IPset does not exist (expected for clean/fresh setup)
+//   - false, error for any errors
+func ipsetExists(name string) (bool, error) {
+	_, err := netlink.IpsetList(name)
+	if err == nil {
+		// IPset exists
+		return true, nil
+	}
+
+	if strings.Contains(err.Error(), "no such file") {
+		// IPSet does not exist
+		return false, nil
+	}
+
+	return false, err
+}

cni/pkg/nodeagent/detect_artifacts_linux_test.go

@@ -0,0 +1,154 @@
+// Copyright Istio Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package nodeagent
+
+import (
+	"fmt"
+	"strings"
+	"sync"
+	"testing"
+
+	// Create a new network namespace. This will have the 'lo' interface ready but nothing else.
+	_ "github.com/howardjohn/unshare-go/netns"
+	// Create a new user namespace. This will map the current UID/GID to 0.
+	"github.com/howardjohn/unshare-go/userns"
+	"github.com/vishvananda/netlink"
+	"golang.org/x/sys/unix"
+
+	"istio.io/istio/cni/pkg/config"
+	"istio.io/istio/cni/pkg/ipset"
+	"istio.io/istio/pkg/test/util/assert"
+)
+
+// TestDetectIptablesArtifacts is an e2e test that validates the iptable artifacts on the network.
+// It runs in an isolated network namespace created by unshare-go, which provides a clean environment
+// with root-like capabilities for netlink operations. It validates the upgrade path from iptables to
+// nftables backend by simulating various scenarios.
+func TestDetectIptablesArtifacts(t *testing.T) {
+	setup(t)
+
+	tests := []struct {
+		name             string
+		enableIPv6       bool
+		setupFunc        func(t *testing.T)
+		cleanupFunc      func(t *testing.T)
+		expectedDetected bool
+		description      string
+	}{
+		{
+			name:       "v4_ipset_exists",
+			enableIPv6: false,
+			setupFunc: func(t *testing.T) {
+				v4Name := fmt.Sprintf(ipset.V4Name, config.ProbeIPSet)
+				err := netlink.IpsetCreate(v4Name, "hash:ip", netlink.IpsetCreateOptions{Replace: true})
+				if err != nil && !strings.Contains(err.Error(), "exist") {
+					t.Fatalf("failed to create v4 ipset: %v", err)
+				}
+				t.Logf("Created v4 IPset: %s", v4Name)
+			},
+			cleanupFunc: func(t *testing.T) {
+				v4Name := fmt.Sprintf(ipset.V4Name, config.ProbeIPSet)
+				_ = netlink.IpsetDestroy(v4Name)
+			},
+			expectedDetected: true,
+			description:      "Should detect when v4 IPset exists (simulates an existing iptables deployment)",
+		},
+		{
+			name:       "v6_ipset_exists",
+			enableIPv6: true,
+			setupFunc: func(t *testing.T) {
+				v6Name := fmt.Sprintf(ipset.V6Name, config.ProbeIPSet)
+				err := netlink.IpsetCreate(v6Name, "hash:ip", netlink.IpsetCreateOptions{
+					Family:  unix.AF_INET6,
+					Replace: true,
+				})
+				if err != nil && !strings.Contains(err.Error(), "exist") {
+					t.Fatalf("failed to create v6 ipset: %v", err)
+				}
+				t.Logf("Created v6 IPset: %s", v6Name)
+			},
+			cleanupFunc: func(t *testing.T) {
+				v6Name := fmt.Sprintf(ipset.V6Name, config.ProbeIPSet)
+				_ = netlink.IpsetDestroy(v6Name)
+			},
+			expectedDetected: true,
+			description:      "Should detect when v6 IPset exists",
+		},
+		{
+			name:       "both_v4_and_v6_ipsets_exist",
+			enableIPv6: true,
+			setupFunc: func(t *testing.T) {
+				v4Name := fmt.Sprintf(ipset.V4Name, config.ProbeIPSet)
+				v6Name := fmt.Sprintf(ipset.V6Name, config.ProbeIPSet)
+
+				err := netlink.IpsetCreate(v4Name, "hash:ip", netlink.IpsetCreateOptions{Replace: true})
+				if err != nil && !strings.Contains(err.Error(), "exist") {
+					t.Fatalf("failed to create v4 ipset: %v", err)
+				}
+
+				err = netlink.IpsetCreate(v6Name, "hash:ip", netlink.IpsetCreateOptions{
+					Family:  unix.AF_INET6,
+					Replace: true,
+				})
+				if err != nil && !strings.Contains(err.Error(), "exist") {
+					t.Fatalf("failed to create v6 ipset: %v", err)
+				}
+				t.Logf("Created both v4 and v6 IPsets")
+			},
+			cleanupFunc: func(t *testing.T) {
+				v4Name := fmt.Sprintf(ipset.V4Name, config.ProbeIPSet)
+				v6Name := fmt.Sprintf(ipset.V6Name, config.ProbeIPSet)
+				_ = netlink.IpsetDestroy(v4Name)
+				_ = netlink.IpsetDestroy(v6Name)
+			},
+			expectedDetected: true,
+			description:      "Should detect when both v4 and v6 IPsets exist",
+		},
+		{
+			name:             "no_ipsets_exist",
+			enableIPv6:       true,
+			setupFunc:        func(t *testing.T) {},
+			cleanupFunc:      func(t *testing.T) {},
+			expectedDetected: false,
+			description:      "Should not detect artifacts in clean state (simulates a fresh setup)",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			t.Log(tt.description)
+
+			tt.setupFunc(t)
+			defer tt.cleanupFunc(t)
+
+			detected, _ := detectIptablesArtifacts(tt.enableIPv6)
+			assert.Equal(t, detected, tt.expectedDetected)
+		})
+	}
+}
+
+var initialized = &sync.Once{}
+
+// setup initializes the test environment using unshare-go.
+// Importing "github.com/howardjohn/unshare-go/netns" causes the test to run in an isolated network
+// namespace and userns provides user namespace mapping.
+func setup(t *testing.T) {
+	initialized.Do(func() {
+		// Map current GID to root (0) in the user namespace
+		// This gives us the necessary privileges for netlink operations (CAP_NET_ADMIN)
+		assert.NoError(t, userns.WriteGroupMap(map[uint32]uint32{userns.OriginalGID(): 0}))
+		t.Log("Successfully initialized an isolated test network namespace with root capabilities")
+	})
+}