From 114ba33ec7bdf472057e0ee41e25d496c13d82e0 Mon Sep 17 00:00:00 2001
From: tschneid
Date: Fri, 28 Feb 2025 10:14:02 -0600
Subject: [PATCH] istio shared cm per version and update svc cluster rollout order the istio shared config map must exist for the targeted version prior to upgrading the service
---
.yamllint.yml | 1 +
dev-infrastructure/svc-pipeline.yaml | 20 +++++++++----------
istio/Makefile | 1 +
.../templates/istio-shared-configmap.yml | 7 +++++--
istio/deploy/helm/istio/values.yaml | 2 +-
istio/pipeline.yaml | 3 +++
6 files changed, 21 insertions(+), 13 deletions(-)
diff --git a/.yamllint.yml b/.yamllint.yml
index 405aa0880..7ecc1da30 100644
--- a/.yamllint.yml
+++ b/.yamllint.yml
@@ -8,6 +8,7 @@ ignore: - 'acrpull/deploy/helm/acrpull/templates/deployment.yaml' - 'frontend/deploy/helm/frontend/templates/ext-authz.authorizationpolicy.yaml' - 'frontend/deploy/helm/frontend/templates/allow-ingress.authorizationpolicy.yaml' + - 'istio/deploy/helm/istio/templates/istio-shared-configmap.yml' rules: brackets: enable
diff --git a/dev-infrastructure/svc-pipeline.yaml b/dev-infrastructure/svc-pipeline.yaml
index 4f6977d11..f8556faab 100644
--- a/dev-infrastructure/svc-pipeline.yaml
+++ b/dev-infrastructure/svc-pipeline.yaml
@@ -102,6 +102,16 @@ resourceGroups: subscription: {{ .svc.subscription }} aksCluster: {{ .svc.aks.name }} steps: + # configure istio + - name: istio-config + action: Shell + command: make -C ../istio deploy + dryRun: + variables: + - name: DRY_RUN + value: "true" + dependsOn: + - istio-upgrade # - updates workload to use istio on version svc.istio.targetVersion # - configures istio IP tag usage - name: istio-upgrade
@@ -120,16 +130,6 @@ resourceGroups: configRef: svc.rg dependsOn: - svc - # configure istio - - name: istio-config - action: Shell - command: make -C ../istio deploy - dryRun: - variables: - - name: DRY_RUN - value: "true" - dependsOn: - - istio-upgrade # Install ACRpull - name: acrpull action: Shell
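Review bot: In the first hunk of dev-infrastructure/svc-pipeline.yaml the relocated `istio-config` step still declares `dependsOn: - istio-upgrade`, so if the pipeline runner orders steps by `dependsOn` rather than by list position, the shared ConfigMap is still applied after the upgrade, the opposite of what the commit message requires. If that is how the runner works, the edge should be inverted: `istio-config` gets `dependsOn: - svc` and `istio-upgrade` gets `dependsOn: - istio-config`. The step also passes only the dry-run `DRY_RUN` variable and, unlike istio/pipeline.yaml, no `ISTIO_VERSIONS`, so unless the runner injects it elsewhere `make -C ../istio deploy` would run with an empty version list from this pipeline. The `istio-upgrade` step is only partly visible here, so its current `dependsOn: - svc` is inferred from the context lines of the second hunk.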
diff --git a/istio/Makefile b/istio/Makefile
index ffbf0a525..bb11fe196 100644
--- a/istio/Makefile
+++ b/istio/Makefile
@@ -5,6 +5,7 @@ HELM_CMD ?= helm upgrade --install deploy: ${HELM_CMD} istio \ deploy/helm/istio/ \ + --set "istioVersions={${ISTIO_VERSIONS}}" \ --namespace aks-istio-system .PHONY: deploy
diff --git a/istio/deploy/helm/istio/templates/istio-shared-configmap.yml b/istio/deploy/helm/istio/templates/istio-shared-configmap.yml
index cc472dd03..b49bceace 100644
--- a/istio/deploy/helm/istio/templates/istio-shared-configmap.yml
+++ b/istio/deploy/helm/istio/templates/istio-shared-configmap.yml
@@ -1,9 +1,11 @@ +{{ range $version := .Values.istioVersions }} +--- kind: ConfigMap apiVersion: v1 metadata: labels: - istio.io/rev: asm-1-23 - name: istio-shared-configmap-asm-1-23 + istio.io/rev: {{ $version }} + name: istio-shared-configmap-{{ $version }} namespace: aks-istio-system data: mesh: |-
@@ -14,3 +16,4 @@ data: port: "8080" includeRequestHeadersInCheck: ["x-ext-authz"] pathPrefix: "/v1/EnvoyValidateRequest" +{{ end }}
diff --git a/istio/deploy/helm/istio/values.yaml b/istio/deploy/helm/istio/values.yaml
index 08a1c1568..485ac7ccd 100644
--- a/istio/deploy/helm/istio/values.yaml
+++ b/istio/deploy/helm/istio/values.yaml
@@ -1 +1 @@
-# This file is intentionally left blank.
+istioVersions: []
diff --git a/istio/pipeline.yaml b/istio/pipeline.yaml
index 98aeee24c..917362bc3 100644
--- a/istio/pipeline.yaml
+++ b/istio/pipeline.yaml
@@ -13,3 +13,6 @@ resourceGroups: variables: - name: DRY_RUN value: "true" + variables: + - name: ISTIO_VERSIONS + configRef: svc.istio.versions
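Review bot: In istio/Makefile the added `--set "istioVersions={${ISTIO_VERSIONS}}"` becomes `istioVersions={}` whenever `ISTIO_VERSIONS` is unset or empty, and with the new `istioVersions: []` default the template then renders no ConfigMap at all. On an existing release `helm upgrade --install` would then presumably remove the shared ConfigMap that carries the ext-authz provider settings, so the effect on the authorization path should be confirmed. I would fail fast at the top of the `deploy` recipe with `@test -n "${ISTIO_VERSIONS}" || { echo "ISTIO_VERSIONS must be set" >&2; exit 1; }`. Because the value is pasted into a shell command line, a comment above the target should state that it must be a comma-separated list of revision names without spaces or shell metacharacters.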
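Review bot: In the first hunk of istio-shared-configmap.yml the label `istio.io/rev: {{ $version }}` is rendered unquoted, so an entry that `--set` coerces to a number, or one that renders empty, produces a non-string label value; this file is now excluded from yamllint, so nothing else would flag it. Quote the value: `istio.io/rev: {{ $version | quote }}`. The same entry is concatenated into `metadata.name`, so a short template comment should state that each entry must be valid both as a label value and as an object name, like the `asm-1-23` form the removed lines used. The `data` block is only partly visible in this hunk.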