feat(istio): Add Istio image build infrastructure #11589
base: master
Pull request overview
This PR adds comprehensive build infrastructure for Istio components to support Calico's integration with Istio ambient mesh. It introduces build systems for four Istio components (ztunnel, pilot, install-cni, and proxyv2) along with CI/CD pipelines and necessary patches for transparent network policy support.
Key Changes
- Introduces Rust build infrastructure for ztunnel compilation with Calico-specific patches
- Adds build targets and Dockerfiles for four Istio components: ztunnel, pilot-discovery, install-cni, and proxyv2
- Implements Semaphore CI/CD pipelines for building, testing, and publishing Istio images across multiple architectures
Reviewed changes
Copilot reviewed 26 out of 26 changed files in this pull request and generated 7 comments.
| File | Description |
|---|---|
| metadata.mk | Adds Rust build version and UBI10 base image support |
| lib.Makefile | Introduces Rust Docker build environment and third-party image retagging infrastructure |
| third_party/istio-ztunnel/Makefile | Complete build system for ztunnel component with source download, patching, and image creation |
| third_party/istio-ztunnel/Dockerfile | Minimal container packaging for ztunnel binary with required runtime libraries |
| third_party/istio-ztunnel/patches/0001-transparent-policies.patch | Patch adding transparent network policy support to ztunnel |
| istio/Makefile | Build orchestration for Istio pilot, CNI, and proxy components with multi-arch support |
| istio/Dockerfile-* | Dockerfiles for pilot, install-cni, proxyv2, and ztunnel images |
| istio/patches/*.patch | Patches for DSCP magic mark support and dependency updates |
| istio/deps.txt | Dependency tracking for CI triggers |
| .semaphore/*.yml | CI/CD pipeline definitions for building and publishing Istio images |
| # istio-install-cni image | ||
| $(ISTIO_CNI_IMAGE): $(ISTIO_CNI_IMAGE_CREATED) | ||
| $(ISTIO_CNI_IMAGE_CREATED): register Dockerfile-install-cni bin/install-cni-$(ARCH) bin/istio-cni-$(ARCH) bin/LICENSE |
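Review bot: In the `$(ISTIO_CNI_IMAGE_CREATED)` rule, `register` is the only prerequisite that is not a file path, and nothing in the lines shown defines it. If it is a phony setup target, listing it as a normal prerequisite makes the stamp file out of date on every run, so the image is rebuilt each time; consider making it order-only (`... bin/LICENSE | register`) and adding a short comment that says where `register` is defined.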
Copilot AI, Dec 19, 2025
The dependency register appears to be undefined. This is likely a typo or missing target definition. Verify whether this should be a defined phony target or if it should be removed from the dependency list.
e2f366e to 4a3a877
…-istio--ztunnel feat(third_party): ztunnel component with ci/cd:
Cherry-picked from tigera/calico-private PR projectcalico#10291
This adds:
- istio/ directory with Dockerfile-cni, Dockerfile-pilot, Dockerfile-ztunnel
- istio/Makefile for building Istio components
- SemaphoreCI pipeline for building and pushing istio images
- Patches for DSCP magic mark support
Cherry-picked from tigera/calico-private PR projectcalico#10321
This adds:
- istio/Dockerfile-proxyv2 for building proxyv2 image
- istio/Dockerfile-install-cni for CNI installation
- Updated Makefile with proxyv2 targets
- Updated semaphore blocks for proxyv2 builds
Cherry-picked from tigera/calico-private PR projectcalico#10334
Cherry-picked from tigera/calico-private PR projectcalico#10343
This updates:
- Istio version to 1.28.1
- Patches for DSCP magic mark support
- Dependencies updates
Cherry-picked from tigera/calico-private PR projectcalico#10361
Cherry-picked from tigera/calico-private PR projectcalico#10362
Cherry-picked from tigera/calico-private PR projectcalico#10365
Cherry-picked from tigera/calico-private PR projectcalico#10376
Cherry-picked from tigera/calico-private PR projectcalico#10378
Cherry-picked from tigera/calico-private PR projectcalico#10381
Cherry-picked from tigera/calico-private PR projectcalico#10402
The bin/LICENSE rule was failing in CI because the bin/ directory did not exist when building istio-ztunnel (which has no binary build dependency that would create the directory first).
9c9cb74 to fc62620
fc62620 to 39bb4fb
- Add DOCKER_BUILD_THIRD_PARTY macro to lib.Makefile
- Add CALICO_BASE_UBI10 variable and build-arg support
- Update CALICO_BASE_UBI10_VER to use existing image tag
- Remove duplicate 50-istio-ztunnel.yml block
- Export BRANCH_NAME in semaphore blocks for image tagging
- Use docker.io/calico as DEV_REGISTRIES (rely on global docker-hub secret)
- Remove GCR login from Istio block (no longer needed)
- Update Dockerfile-ztunnel to pull from calico/istio-ztunnel:${BRANCH_NAME}
- Update Makefile to pass BRANCH_NAME build arg
- Skip istio-ztunnel image build on PRs (image not in registry yet)
- Remove private registry overrides from third_party/istio-ztunnel/Makefile
a4660bc to effd524
- Remove unused istio/deps.txt file
- Remove cd-third-party-common and retag-third-party-* Makefile targets
- Change istio-ztunnel push registry from GCR/Quay to docker.io/calico
- Rename ZTUNNEL_IMAGE to istio-ztunnel-base to avoid overwriting final image
- Delete duplicate patch file (0001-dscp-magic-mark-for-transparent-policies.patch)
- Fix regex patterns in promotion config (release- -> release-.*)
- Regenerate semaphore.yml and semaphore-scheduled-builds.yml
448470f to 880feb8
Thanks @hjiawei! I addressed your comments. I tried disabling the
880feb8 to bc23e20
Description
Related issues/PRs
Todos
Release Note
Reminder for the reviewer
Make sure that this PR has the correct labels and milestone set.
Every PR needs one docs-* label.
- docs-pr-required: This change requires a change to the documentation that has not been completed yet.
- docs-completed: This change has all necessary documentation completed.
- docs-not-required: This change has no user-facing impact and requires no docs.
Every PR needs one release-note-* label.
- release-note-required: This PR has user-facing changes. Most PRs should have this label.
- release-note-not-required: This PR has no user-facing changes.
Other optional labels:
- cherry-pick-candidate: This PR should be cherry-picked to an earlier release. For bug fixes only.
- needs-operator-pr: This PR is related to install and requires a corresponding change to the operator.