Feat: Migrated to Istio 1.26.1 and merged istio and istio cni

.github/workflows/dex_oauth2-proxy_test.yaml

@@ -35,7 +35,7 @@ jobs:
       run: kustomize build common/kubeflow-namespace/base | kubectl apply -f -
 
     - name: Install kubeflow-istio-resources
-      run: kustomize build common/istio-cni-1-24/kubeflow-istio-resources/base | kubectl apply -f -
+      run: kustomize build common/istio/kubeflow-istio-resources/base | kubectl apply -f -
 
     - name: Install KF Multi Tenancy
       run: ./tests/multi_tenancy_install.sh

.github/workflows/full_kubeflow_integration_test.yaml

@@ -41,7 +41,7 @@
       run: ./tests/oauth2-proxy_install.sh
 
     - name: Install Kubeflow Istio Resources
-      run: kustomize build common/istio-cni-1-24/kubeflow-istio-resources/base | kubectl apply -f -
+      run: kustomize build common/istio/kubeflow-istio-resources/base | kubectl apply -f -
 
     - name: Install Multi-Tenancy
       run: ./tests/multi_tenancy_install.sh
@@ -58,7 +58,7 @@
     - name: Install KServe
       run: ./tests/kserve_install.sh
 
     #- name: Install Pipelines
     #  run: ./tests/pipelines_install.sh
 
     - name: Install Pipelines with SeaweedFS

.github/workflows/istio_validation.yaml

@@ -0,0 +1,189 @@
+name: Test Istio CNI and Non-CNI Installation
+
+on:
+  pull_request:
+    paths:
+    - tests/install_KinD_create_KinD_cluster_install_kustomize.sh
+    - tests/istio*
+    - .github/workflows/istio_cni_test.yaml
+    - common/istio/**
+    - common/cert-manager/**
+
+env:
+  KF_PROFILE: kubeflow-user-example-com
+
+jobs:
+  test-istio:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        istio-mode: ['cni', 'insecure']
+
+    steps:
+    - name: Checkout
+      uses: actions/checkout@v4
+
+    - name: Install KinD, Create KinD cluster and Install kustomize
+      run: ./tests/install_KinD_create_KinD_cluster_install_kustomize.sh
+
+    - name: Install kubectl
+      run: ./tests/kubectl_install.sh
+
+    - name: Create Kubeflow Namespace
+      run: kustomize build common/kubeflow-namespace/base | kubectl apply -f -
+
+    - name: Install Certificate Manager
+      run: ./tests/cert_manager_install.sh
+
+    - name: Install Istio CNI
+      if: matrix.istio-mode == 'cni'
+      run: ./tests/istio-cni_install.sh
+
+    - name: Install Istio Insecure (Non-CNI)
+      if: matrix.istio-mode == 'insecure'
+      run: |
+        kustomize build common/istio/istio-crds/base | kubectl apply -f -
+        kustomize build common/istio/istio-namespace/base | kubectl apply -f -
+        kustomize build common/istio/istio-install/overlays/insecure | kubectl apply -f -
+        kubectl wait --for=condition=Ready pods --all -n istio-system --timeout 300s
+
+        # Patch webhook certificates for insecure mode
+        CA_BUNDLE=$(kubectl get secret istio-ca-secret -n istio-system -o jsonpath='{.data.root-cert\.pem}')
+        kubectl patch mutatingwebhookconfiguration istio-sidecar-injector --type='json' \
+          -p="[{'op': 'add', 'path': '/webhooks/0/clientConfig/caBundle', 'value':'$CA_BUNDLE'}, \
+               {'op': 'add', 'path': '/webhooks/1/clientConfig/caBundle', 'value':'$CA_BUNDLE'}, \
+               {'op': 'add', 'path': '/webhooks/2/clientConfig/caBundle', 'value':'$CA_BUNDLE'}, \
+               {'op': 'add', 'path': '/webhooks/3/clientConfig/caBundle', 'value':'$CA_BUNDLE'}]"
+        kubectl patch validatingwebhookconfiguration istio-validator-istio-system --type='json' \
+          -p="[{'op': 'add', 'path': '/webhooks/0/clientConfig/caBundle', 'value':'$CA_BUNDLE'}]"
+
+    - name: Wait for Istio deployment
+      run: |
+        kubectl wait --for=condition=available --timeout=300s deployment/istiod -n istio-system
+        kubectl get pods -n istio-system
+
+    - name: Verify CNI Installation
+      if: matrix.istio-mode == 'cni'
+      run: |
+        kubectl get daemonset istio-cni-node -n kube-system
+        kubectl rollout status daemonset/istio-cni-node -n kube-system --timeout=120s
+        kubectl logs -n istio-system deployment/istiod | grep "cniNamespace.*istio-system"
+
+    - name: Verify Insecure Installation
+      if: matrix.istio-mode == 'insecure'
+      run: |
+        # Verify CNI daemonset is deleted
+        ! kubectl get daemonset istio-cni-node -n kube-system 2>/dev/null || \
+          (echo "ERROR: CNI daemonset should not exist in insecure mode" && exit 1)
+
+        # Verify istiod has ISTIO_CNI_ENABLED=false
+        ISTIO_CNI_ENABLED=$(kubectl get deployment istiod -n istio-system -o jsonpath='{.spec.template.spec.containers[0].env[?(@.name=="ISTIO_CNI_ENABLED")].value}')
+        if [ "$ISTIO_CNI_ENABLED" != "false" ]; then
+          echo "ERROR: ISTIO_CNI_ENABLED should be false, got: $ISTIO_CNI_ENABLED"
+          exit 1
+        fi
+
+        # Verify configmap has pilot.cni.enabled=false
+        kubectl get configmap istio-sidecar-injector -n istio-system -o jsonpath='{.data.values}' | grep -q 'enabled: false' || \
+          (echo "ERROR: pilot.cni.enabled should be false in configmap values" && \
+           kubectl get configmap istio-sidecar-injector -n istio-system -o jsonpath='{.data.values}' && exit 1)
+
+    - name: Install OAuth2 Proxy
+      run: ./tests/oauth2-proxy_install.sh
+
+    - name: Install Kubeflow Istio Resources
+      run: kustomize build common/istio/kubeflow-istio-resources/base | kubectl apply -f -
+
+    - name: Install Multi-Tenancy
+      run: ./tests/multi_tenancy_install.sh
+
+    - name: Create KF Profile
+      run: ./tests/kubeflow_profile_install.sh
+
+    - name: Test sidecar injection
+      run: |
+        kubectl create deployment test-app --image=nginx -n $KF_PROFILE
+        kubectl wait --for=condition=available --timeout=120s deployment/test-app -n $KF_PROFILE
+
+        # With native sidecars, istio-proxy runs as a persistent init container
+        POD_NAME=$(kubectl get pods -n $KF_PROFILE -l app=test-app -o jsonpath='{.items[0].metadata.name}')
+        ISTIO_PROXY_RUNNING=$(kubectl get pod $POD_NAME -n $KF_PROFILE -o jsonpath='{.status.initContainerStatuses[?(@.name=="istio-proxy")].state.running}' | jq -r 'has("startedAt")')
+
+        if [ "$ISTIO_PROXY_RUNNING" != "true" ]; then
+          echo "ERROR: Sidecar injection failed - istio-proxy not running as native sidecar"
+          kubectl describe pod $POD_NAME -n $KF_PROFILE
+          exit 1
+        fi
+        echo "Sidecar injection successful"
+
+        # Verify Envoy proxy is responding
+        kubectl exec -n $KF_PROFILE deployment/test-app -c istio-proxy -- curl -s localhost:15000/ready | grep -q "LIVE" || \
+          (echo "ERROR: Envoy proxy not responding" && exit 1)
+        echo "Envoy proxy is healthy"
+
+    - name: Test CNI-specific functionality
+      if: matrix.istio-mode == 'cni'
+      run: |
+        INIT_CONTAINERS=$(kubectl get pods -n $KF_PROFILE -l app=test-app -o jsonpath='{.items[0].spec.initContainers[*].name}')
+        [[ "$INIT_CONTAINERS" == *"istio-validation"* ]]
+
+    - name: Test Non-CNI functionality
+      if: matrix.istio-mode == 'insecure'
+      run: |
+        # Verify istio-init container is present (not istio-validation)
+        INIT_CONTAINERS=$(kubectl get pods -n $KF_PROFILE -l app=test-app -o jsonpath='{.items[0].spec.initContainers[*].name}')
+        if [[ "$INIT_CONTAINERS" != *"istio-init"* ]]; then
+          echo "ERROR: istio-init container not found. Found: $INIT_CONTAINERS"
+          exit 1
+        fi
+
+        # Verify istio-validation container is NOT present
+        if [[ "$INIT_CONTAINERS" == *"istio-validation"* ]]; then
+          echo "ERROR: istio-validation container should not be present in non-CNI mode"
+          exit 1
+        fi
+
+        echo "Non-CNI verification successful: found istio-init, no istio-validation"
+
+    - name: Port-forward the istio-ingress gateway
+      run: ./tests/port_forward_gateway.sh
+
+    - name: Test basic connectivity
+      run: |
+        kubectl expose deployment test-app --port=80 --target-port=80 -n $KF_PROFILE
+        kubectl run test-client --image=busybox --rm -i --restart=Never -n $KF_PROFILE -- \
+          wget -qO- --timeout=10 test-app.$KF_PROFILE.svc.cluster.local
+
+    - name: Apply Pod Security Standards baseline levels
+      if: matrix.istio-mode == 'cni'
+      run: ./tests/PSS_baseline_enable.sh
+
+    - name: Collect debug information on failure
+      if: failure()
+      run: |
+        echo "=== Istio System Pods ==="
+        kubectl get pods -n istio-system -o wide
+
+        echo "=== Istiod Logs (last 50 lines) ==="
+        kubectl logs -n istio-system deployment/istiod --tail=50 || true
+
+        echo "=== Istiod Environment Variables ==="
+        kubectl get deployment istiod -n istio-system -o jsonpath='{.spec.template.spec.containers[0].env}' | jq . || true
+
+        echo "=== Istio ConfigMap Values ==="
+        kubectl get configmap istio-sidecar-injector -n istio-system -o jsonpath='{.data.values}' | jq . || true
+
+        echo "=== CNI Daemonset Status ==="
+        kubectl get daemonset istio-cni-node -n kube-system || echo "CNI daemonset not found (expected for insecure mode)"
+        kubectl logs -n kube-system daemonset/istio-cni-node --tail=20 || true
+
+        echo "=== Webhook Configurations ==="
+        kubectl get mutatingwebhookconfiguration istio-sidecar-injector -o yaml | grep -A5 -B5 caBundle || true
+
+        echo "=== Test Application Pods ==="
+        kubectl get pods -n $KF_PROFILE -o wide || true
+        kubectl describe pod -n $KF_PROFILE -l app=test-app || true
+
+        echo "=== ReplicaSet Events ==="
+        kubectl get replicaset -n $KF_PROFILE || true
+        kubectl describe replicaset -n $KF_PROFILE || true

.github/workflows/katib_test.yaml

@@ -40,7 +40,7 @@ jobs:
       run: ./tests/oauth2-proxy_install.sh
 
     - name: Install Kubeflow Istio Resources
-      run: kustomize build common/istio-cni-1-24/kubeflow-istio-resources/base | kubectl apply -f -
+      run: kustomize build common/istio/kubeflow-istio-resources/base | kubectl apply -f -
 
     - name: Install Multi-Tenancy
       run: ./tests/multi_tenancy_install.sh

.github/workflows/kserve_test.yaml

@@ -51,7 +51,7 @@
       run: ./tests/multi_tenancy_install.sh
 
     - name: Install kubeflow-istio-resources
-      run: kustomize build common/istio-cni-1-24/kubeflow-istio-resources/base | kubectl apply -f -
+      run: kustomize build common/istio/kubeflow-istio-resources/base | kubectl apply -f -
 
     - name: Create KF Profile
       run: ./tests/kubeflow_profile_install.sh
@@ -84,8 +84,8 @@
           -d '{"instances": [[6.8, 2.8, 4.8, 1.4], [6.0, 3.4, 4.5, 1.6]]}'
 
     # TODO FOR FOLLOW UP PR
     #- name: Run and fail kserve tests without kserve m2m token
       #run: |
       #  export KSERVE_INGRESS_HOST_PORT=localhost:8080
       #  cd ./tests/kserve
       #  if pytest . -vs --log-level info; then
@@ -96,7 +96,7 @@
       #  fi
 
     # TODO FOR FOLLOW UP PR
     #- name: Test that token from attacker namespace is rejected
     #  run: |
     #    export KSERVE_INGRESS_HOST_PORT=localhost:8080
     #    kubectl create ns kubeflow-user-example-com-attacker

.github/workflows/model_registry_test.yaml

@@ -20,7 +20,7 @@
     - name: Install KinD, Create KinD cluster and Install kustomize
       run: ./tests/install_KinD_create_KinD_cluster_install_kustomize.sh
 
     - name: Remove AppArmor profile for mysql in KinD on GHA # https://github.com/kubeflow/manifests/issues/2507
       run: |
         set -x
         sudo apt-get install apparmor-profiles
@@ -45,7 +45,7 @@
       run: ./tests/multi_tenancy_install.sh
 
     - name: Install kubeflow-istio-resources
-      run: kustomize build common/istio-1-24/kubeflow-istio-resources/base | kubectl apply -f -
+      run: kustomize build common/istio/kubeflow-istio-resources/base | kubectl apply -f -
 
     - name: Create KF Profile
       run: kustomize build common/user-namespace/base | kubectl apply -f -

.github/workflows/notebook_controller_test.yaml

@@ -34,7 +34,7 @@ jobs:
       run: ./tests/oauth2-proxy_install.sh
 
     - name: Install kubeflow-istio-resources
-      run: kustomize build common/istio-1-24/kubeflow-istio-resources/base | kubectl apply -f -
+      run: kustomize build common/istio/kubeflow-istio-resources/base | kubectl apply -f -
 
     - name: Install KF Multi Tenancy
       run: ./tests/multi_tenancy_install.sh

.github/workflows/pipeline_run_from_notebook.yaml

@@ -36,7 +36,7 @@ jobs:
       run: kustomize build common/kubeflow-namespace/base | kubectl apply -f -
 
     - name: Install kubeflow-istio-resources
-      run: kustomize build common/istio-cni-1-24/kubeflow-istio-resources/base | kubectl apply -f -
+      run: kustomize build common/istio/kubeflow-istio-resources/base | kubectl apply -f -
 
     - name: Install KF Pipelines
       run: ./tests/pipelines_install.sh

.github/workflows/pipeline_swfs_test.yaml

@@ -60,7 +60,7 @@ jobs:
       run: ./tests/multi_tenancy_install.sh
 
     - name: Install kubeflow-istio-resources
-      run: kustomize build common/istio-cni-1-24/kubeflow-istio-resources/base | kubectl apply -f -
+      run: kustomize build common/istio/kubeflow-istio-resources/base | kubectl apply -f -
 
     - name: Create KF Profile
       run: ./tests/kubeflow_profile_install.sh

.github/workflows/pipeline_test.yaml

@@ -50,7 +50,7 @@ jobs:
       run: ./tests/multi_tenancy_install.sh
 
     - name: Install kubeflow-istio-resources
-      run: kustomize build common/istio-cni-1-24/kubeflow-istio-resources/base | kubectl apply -f -
+      run: kustomize build common/istio/kubeflow-istio-resources/base | kubectl apply -f -
 
     - name: Create KF Profile
       run: ./tests/kubeflow_profile_install.sh

.github/workflows/training_operator_test.yaml

@@ -42,7 +42,7 @@ jobs:
       run: ./tests/oauth2-proxy_install.sh
 
     - name: Install Kubeflow Istio Resources
-      run: kustomize build common/istio-cni-1-24/kubeflow-istio-resources/base | kubectl apply -f -
+      run: kustomize build common/istio/kubeflow-istio-resources/base | kubectl apply -f -
 
     - name: Install Multi-Tenancy
       run: ./tests/multi_tenancy_install.sh

.github/workflows/volumes_web_application_test.yaml

@@ -43,7 +43,7 @@ jobs:
       run: ./tests/oauth2-proxy_install.sh
 
     - name: Install Kubeflow Istio Resources
-      run: kustomize build common/istio-cni-1-24/kubeflow-istio-resources/base | kubectl apply -f -
+      run: kustomize build common/istio/kubeflow-istio-resources/base | kubectl apply -f -
 
     - name: Install Multi-Tenancy
       run: ./tests/multi_tenancy_install.sh

README.md

@@ -72,7 +72,7 @@ The following matrix shows the versions of common components used across differe
 
 | Component | Local Manifests Path | Upstream Revision |
 | - | - | - |
-| Istio | common/istio-cni-1-24 | [1.24.3](https://github.com/istio/istio/releases/tag/1.24.3) |
+| Istio | common/istio | [1.26.1](https://github.com/istio/istio/releases/tag/1.26.1) |
 | Knative | common/knative/knative-serving <br /> common/knative/knative-eventing | [v1.16.2](https://github.com/knative/serving/releases/tag/knative-v1.16.2) <br /> [v1.16.4](https://github.com/knative/eventing/releases/tag/knative-v1.16.4) |
 | Cert Manager | common/cert-manager | [1.16.1](https://github.com/cert-manager/cert-manager/releases/tag/v1.16.1) |
 
@@ -217,14 +217,14 @@ Install Istio:
 
 ```sh
 echo "Installing Istio CNI configured with external authorization..."
-kustomize build common/istio-cni-1-24/istio-crds/base | kubectl apply -f -
-kustomize build common/istio-cni-1-24/istio-namespace/base | kubectl apply -f -
+kustomize build common/istio/istio-crds/base | kubectl apply -f -
+kustomize build common/istio/istio-namespace/base | kubectl apply -f -
 
 # For most platforms (Kind, Minikube, AKS, EKS, etc.)
-kustomize build common/istio-cni-1-24/istio-install/overlays/oauth2-proxy | kubectl apply -f -
+kustomize build common/istio/istio-install/overlays/oauth2-proxy | kubectl apply -f -
 
 # For Google Kubernetes Engine (GKE), use:
-# kustomize build common/istio-cni-1-24/istio-install/overlays/gke | kubectl apply -f -
+# kustomize build common/istio/istio-install/overlays/gke | kubectl apply -f -
 
 echo "Waiting for all Istio Pods to become ready..."
 kubectl wait --for=condition=Ready pods --all -n istio-system --timeout 300s
@@ -352,7 +352,7 @@ Install Knative Serving:
 
 ```sh
 kustomize build common/knative/knative-serving/overlays/gateways | kubectl apply -f -
-kustomize build common/istio-cni-1-24/cluster-local-gateway/base | kubectl apply -f -
+kustomize build common/istio/cluster-local-gateway/base | kubectl apply -f -
 ```
 
 Optionally, you can install Knative Eventing, which can be used for inference request logging:
@@ -395,7 +395,7 @@ Create the Kubeflow Gateway `kubeflow-gateway` and ClusterRole `kubeflow-istio-a
 Install Kubeflow Istio resources:
 
 ```sh
-kustomize build common/istio-1-24/kubeflow-istio-resources/base | kubectl apply -f -
+kustomize build common/istio/kubeflow-istio-resources/base | kubectl apply -f -
 ```
 
 #### Kubeflow Pipelines
@@ -715,4 +715,4 @@ pre-commit run
 - **Q:** Why does Kubeflow use Istio CNI instead of standard Istio?
   **A:** Istio CNI provides better security by eliminating the need for privileged init containers, making it more compatible with Pod Security Standards (PSS). It also enables native sidecars support introduced in Kubernetes 1.28, which helps address issues with init containers and application lifecycle management.
 - **Q:** Why does Istio CNI fail on Google Kubernetes Engine (GKE) with "read-only file system" errors?
-  **A:** GKE mounts `/opt/cni/bin` as read-only for security reasons, preventing the Istio CNI installer from writing the CNI binary. Use the GKE-specific overlay: `kubectl apply -k common/istio-cni-1-24/istio-install/overlays/gke`. This overlay uses GKE's writable CNI directory at `/home/kubernetes/bin`. For more details, see [Istio CNI Prerequisites](https://istio.io/latest/docs/setup/additional-setup/cni/#prerequisites) and [Platform Prerequisites](https://istio.io/latest/docs/ambient/install/platform-prerequisites/).-`
+  **A:** GKE mounts `/opt/cni/bin` as read-only for security reasons, preventing the Istio CNI installer from writing the CNI binary. Use the GKE-specific overlay: `kubectl apply -k common/istio/istio-install/overlays/gke`. This overlay uses GKE's writable CNI directory at `/home/kubernetes/bin`. For more details, see [Istio CNI Prerequisites](https://istio.io/latest/docs/setup/additional-setup/cni/#prerequisites) and [Platform Prerequisites](https://istio.io/latest/docs/ambient/install/platform-prerequisites/).-`