Automator: merge upstream changes to openshift-service-mesh/istio@master

* upstream/master:
  gatewayapi: make the cors origin stricter with wildcards (#59026)
  Automator: update istio/client-go@master dependency in istio/istio@master (#59036)
  Automator: update istio/client-go@master dependency in istio/istio@master (#59034)
  add tls-inspector for listener with only TLS ports (#59028)
  test: add support for customizing min TLS version and ECDH curves in echo client/server (#58918)
  Automator: update go-control-plane in istio/istio@master (#59025)
  improve bugreport output (#58977)
  update EOL information (#58991)
  Reduce flakiness of the TestServiceRestart test (#59022)

Author: openshift-service-mesh-bot

go.mod

@@ -19,8 +19,8 @@ require (
 	github.com/coreos/go-oidc/v3 v3.15.0
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc
 	github.com/docker/cli v28.3.3+incompatible
-	github.com/envoyproxy/go-control-plane/contrib v1.36.1-0.20260131204543-4ca8b9cded3e
-	github.com/envoyproxy/go-control-plane/envoy v1.36.1-0.20260131204543-4ca8b9cded3e
+	github.com/envoyproxy/go-control-plane/contrib v1.36.1-0.20260206183300-2c82eafd9a42
+	github.com/envoyproxy/go-control-plane/envoy v1.36.1-0.20260206183300-2c82eafd9a42
 	github.com/evanphx/json-patch/v5 v5.9.11
 	github.com/fatih/color v1.18.0
 	github.com/felixge/fgprof v0.9.5
@@ -94,8 +94,8 @@ require (
 	gopkg.in/yaml.v2 v2.4.0
 	gopkg.in/yaml.v3 v3.0.1
 	helm.sh/helm/v3 v3.18.6
-	istio.io/api v1.29.0-alpha.0.0.20260205010447-d2bc7d18a337
-	istio.io/client-go v1.29.0-alpha.0.0.20260205011149-b3a6b2e28b06
+	istio.io/api v1.29.0-alpha.0.0.20260210161025-1d9832db7b28
+	istio.io/client-go v1.29.0-alpha.0.0.20260210161328-2c12cf6497ed
 	k8s.io/api v0.35.0
 	k8s.io/apiextensions-apiserver v0.35.0
 	k8s.io/apimachinery v0.35.0

go.sum

@@ -137,10 +137,10 @@ github.com/emicklei/go-restful/v3 v3.13.0 h1:C4Bl2xDndpU6nJ4bc1jXd+uTmYPVUwkD6bF
 github.com/emicklei/go-restful/v3 v3.13.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc=
 github.com/envoyproxy/go-control-plane v0.14.0 h1:hbG2kr4RuFj222B6+7T83thSPqLjwBIfQawTkC++2HA=
 github.com/envoyproxy/go-control-plane v0.14.0/go.mod h1:NcS5X47pLl/hfqxU70yPwL9ZMkUlwlKxtAohpi2wBEU=
-github.com/envoyproxy/go-control-plane/contrib v1.36.1-0.20260131204543-4ca8b9cded3e h1:AVgH0UMPEgGjTwNFuwmyYwz2RlmrmLh9UMKkskR23s0=
-github.com/envoyproxy/go-control-plane/contrib v1.36.1-0.20260131204543-4ca8b9cded3e/go.mod h1:+fG/snSdlOxU+5RWuuKSYxF9zusT3Duy1MDbETA44Bo=
-github.com/envoyproxy/go-control-plane/envoy v1.36.1-0.20260131204543-4ca8b9cded3e h1:vZh2y0YJNFaOSlHryFiTVNIf7NpoN2q8d6V9jaK3+Lo=
-github.com/envoyproxy/go-control-plane/envoy v1.36.1-0.20260131204543-4ca8b9cded3e/go.mod h1:DReE9MMrmecPy+YvQOAOHNYMALuowAnbjjEMkkWOi6A=
+github.com/envoyproxy/go-control-plane/contrib v1.36.1-0.20260206183300-2c82eafd9a42 h1:vVy7IYNRbHUtKLnxTkvRLWTizSxoVzKjisc50dnQgZ4=
+github.com/envoyproxy/go-control-plane/contrib v1.36.1-0.20260206183300-2c82eafd9a42/go.mod h1:+fG/snSdlOxU+5RWuuKSYxF9zusT3Duy1MDbETA44Bo=
+github.com/envoyproxy/go-control-plane/envoy v1.36.1-0.20260206183300-2c82eafd9a42 h1:blM0MLiLZ0MK8cqcTL7ZrnBWw60NZnBp1fItB5gCvhA=
+github.com/envoyproxy/go-control-plane/envoy v1.36.1-0.20260206183300-2c82eafd9a42/go.mod h1:DReE9MMrmecPy+YvQOAOHNYMALuowAnbjjEMkkWOi6A=
 github.com/envoyproxy/go-control-plane/ratelimit v0.1.0 h1:/G9QYbddjL25KvtKTv3an9lx6VBE2cnb8wp1vEGNYGI=
 github.com/envoyproxy/go-control-plane/ratelimit v0.1.0/go.mod h1:Wk+tMFAFbCXaJPzVVHnPgRKdUdwW/KdbRt94AzgRee4=
 github.com/envoyproxy/protoc-gen-validate v1.3.0 h1:TvGH1wof4H33rezVKWSpqKz5NXWg5VPuZ0uONDT6eb4=
@@ -599,10 +599,10 @@ gotest.tools/v3 v3.0.3 h1:4AuOwCGf4lLR9u3YOe2awrHygurzhO/HeQ6laiA6Sx0=
 gotest.tools/v3 v3.0.3/go.mod h1:Z7Lb0S5l+klDB31fvDQX8ss/FlKDxtlFlw3Oa8Ymbl8=
 helm.sh/helm/v3 v3.18.6 h1:S/2CqcYnNfLckkHLI0VgQbxgcDaU3N4A/46E3n9wSNY=
 helm.sh/helm/v3 v3.18.6/go.mod h1:L/dXDR2r539oPlFP1PJqKAC1CUgqHJDLkxKpDGrWnyg=
-istio.io/api v1.29.0-alpha.0.0.20260205010447-d2bc7d18a337 h1:fTa0j3yQhp5RohEaAaGB+DiXWX6EEq4CGcrcvU+9Sao=
-istio.io/api v1.29.0-alpha.0.0.20260205010447-d2bc7d18a337/go.mod h1:+brQWcBHoROuyA6fv8rbgg8Kfn0RCGuqoY0duCMuSLA=
-istio.io/client-go v1.29.0-alpha.0.0.20260205011149-b3a6b2e28b06 h1:S3ger4fZHVuV61d9HKwUksc2y1vQhtyu4zgVr0lD03M=
-istio.io/client-go v1.29.0-alpha.0.0.20260205011149-b3a6b2e28b06/go.mod h1:NHEtxuW56GL/RuXXE6NLdzrBURs++EyIp2WSsL9Fpe8=
+istio.io/api v1.29.0-alpha.0.0.20260210161025-1d9832db7b28 h1:XfD9JeoBiLBUAE/qUdXGHXGgp/QjD4oEMQ3wWblr2MU=
+istio.io/api v1.29.0-alpha.0.0.20260210161025-1d9832db7b28/go.mod h1:+brQWcBHoROuyA6fv8rbgg8Kfn0RCGuqoY0duCMuSLA=
+istio.io/client-go v1.29.0-alpha.0.0.20260210161328-2c12cf6497ed h1:3YEZuC1anwr0xbov1qDXttUbSsKVTYmqqiNp8l2TVYA=
+istio.io/client-go v1.29.0-alpha.0.0.20260210161328-2c12cf6497ed/go.mod h1:jMwrwPdbeFUycV1v3z7qzCIjgNDLCs9IIRUO+d7d5M0=
 k8s.io/api v0.35.0 h1:iBAU5LTyBI9vw3L5glmat1njFK34srdLmktWwLTprlY=
 k8s.io/api v0.35.0/go.mod h1:AQ0SNTzm4ZAczM03QH42c7l3bih1TbAXYo0DkF8ktnA=
 k8s.io/apiextensions-apiserver v0.35.0 h1:3xHk2rTOdWXXJM+RDQZJvdx0yEOgC0FgQ1PlJatA5T4=

manifests/charts/base/files/crd-all.gen.yaml

@@ -23,8 +23,8 @@ import (
 
 const (
 	// OperatorCodeBaseVersion is the version string from the code base.
-	OperatorCodeBaseVersion = "1.26.0"
-	OperatorEOLYear         = 2026
+	OperatorCodeBaseVersion = "1.30.0"
+	OperatorEOLYear         = 2027
 	OperatorEOLMonth        = time.February
 )
 

operator/version/version.go

@@ -1238,9 +1238,15 @@ func createCorsFilter(filter *k8s.HTTPCORSFilter) *istio.CorsPolicy {
 		// Code here is based on kgateway implementation
 		// Direct wildcard allows any origin
 		if rs == "*" {
+			// Use strict regex that only matches valid origin formats per RFC 6454
+			// Format: <scheme>://<host>(:<port>)?
+			// Allows: http://example.com, https://sub.example.com:8443, ws://localhost:3000
 			res.AllowOrigins = append(res.AllowOrigins, &istio.StringMatch{
 				MatchType: &istio.StringMatch_Regex{
-					Regex: "^.*$",
+					// Match valid origin: scheme://host(:port)?
+					// - scheme: starts with letter, followed by alphanumeric, +, -, or .
+					// - host(:port): any characters except /, whitespace, ?, #
+					Regex: `^[a-zA-Z][a-zA-Z0-9+.-]*://[^/\s?#]+$`,
 				},
 			})
 			continue

pilot/pkg/config/kube/gateway/conversion.go

@@ -373,7 +373,6 @@ spec:
           port: 80
       filters:
         - cors:
-            allowCredentials: true
             allowOrigins:
             - '*'
             allowMethods:

pilot/pkg/config/kube/gateway/testdata/http.yaml

@@ -147,7 +147,6 @@ spec:
   - cors-wildcard-origin.domain.example
   http:
   - corsPolicy:
-      allowCredentials: true
       allowHeaders:
       - Accept
       - Accept-Language
@@ -159,7 +158,7 @@ spec:
       - HEAD
       - POST
       allowOrigins:
-      - regex: ^.*$
+      - regex: ^[a-zA-Z][a-zA-Z0-9+.-]*://[^/\s?#]+$
       unmatchedPreflights: IGNORE
     name: default.http-route-cors-wildcard-1.0
     route:

pilot/pkg/config/kube/gateway/testdata/http.yaml.golden

@@ -566,13 +566,17 @@ func (lb *ListenerBuilder) buildWaypointInternal(wls []model.WorkloadInfo, svcs
 			}
 		}
 		nonInspectorPorts := nonTLSPorts.DeleteAll(tlsPorts.UnsortedList()...).UnsortedList()
-		if len(nonInspectorPorts) > 0 {
-			slices.Sort(nonInspectorPorts)
-			return &listener.ListenerFilter{
-				Name:           wellknown.TLSInspector,
-				ConfigType:     xdsfilters.TLSInspector.ConfigType,
-				FilterDisabled: listenerPredicateExcludePorts(nonInspectorPorts),
+		if len(tlsPorts) > 0 {
+			if len(nonInspectorPorts) > 0 {
+				slices.Sort(nonInspectorPorts)
+				return &listener.ListenerFilter{
+					Name:           wellknown.TLSInspector,
+					ConfigType:     xdsfilters.TLSInspector.ConfigType,
+					FilterDisabled: listenerPredicateExcludePorts(nonInspectorPorts),
+				}
 			}
+			// all ports are TLS, add the inspector with no disabled ports
+			return xdsfilters.TLSInspector
 		}
 		return nil
 	}()

pilot/pkg/networking/core/listener_waypoint.go

@@ -234,6 +234,41 @@ spec:
 	hasTLSInspector(443, true)
 }
 
+func TestWaypointTLSInspectorWithOnlyTLSPorts(t *testing.T) {
+	// Test that tls_inspector is added when only TLS ports exist.
+	// This reproduces a bug where tls_inspector was only added when there
+	// were non-TLS ports to exclude from inspection.
+
+	tlsServiceEntry := `apiVersion: networking.istio.io/v1
+kind: ServiceEntry
+metadata:
+  name: tls-only
+  namespace: default
+  labels:
+    istio.io/use-waypoint: waypoint
+spec:
+  hosts: ["secure.example.com"]
+  addresses: ["5.5.5.5"]
+  ports:
+  - number: 443
+    name: tls
+    protocol: TLS
+  resolution: STATIC`
+
+	d, proxy := setupWaypointTest(t,
+		waypointGateway,
+		waypointSvc,
+		waypointInstance,
+		tlsServiceEntry)
+
+	l := xdstest.ExtractListener("main_internal", d.Listeners(proxy))
+	filters := xdstest.ExtractListenerFilters(l)
+
+	// tls_inspector must be present even with only TLS ports
+	tlsInspector := filters[wellknown.TLSInspector]
+	assert.Equal(t, tlsInspector != nil, true)
+}
+
 func TestWaypointEndpoints(t *testing.T) {
 	d, proxy := setupWaypointTest(t,
 		waypointGateway,