Update istio/istio manifests to 1.30.0

[Raakshass]

Description

Upgrades Istio manifests from 1.29.2 to 1.30.0 using the scripts/synchronize-istio-manifests.sh synchronization script.

This is required for proper hostUsers: false support with Istio sidecars, as the upstream fix istio/istio#60005 (cherry-pick of #59448) was merged into the release-1.30 branch on April 27.

Initially opened against 1.30.0-rc.0. Updated to 1.30.0 stable per reviewer feedback.

Resolves #3463
Unblocks #3444

Changes

Generated via synchronize-istio-manifests.sh with COMMIT=1.30.0 and PREVIOUS_COMMIT=1.29.2:

File	Change
scripts/synchronize-istio-manifests.sh	COMMIT variable updated to 1.30.0
common/istio/profile.yaml	Tag updated to 1.30.0
common/istio/istio-crds/base/crd.yaml	Regenerated CRDs via istioctl manifest generate
common/istio/istio-install/base/install.yaml	Regenerated install manifest
common/istio/cluster-local-gateway/base/cluster-local-gateway.yaml	Regenerated cluster-local-gateway
common/istio/istio-install/components/ambient-mode/ztunnel.yaml	Regenerated ztunnel manifest
common/istio/istio-install/base/patches/istio-sidecar-injector-patch.yaml	Tag updated in sidecar injector config
README.md	Istio version link updated to 1.30.0

Commits

1. 985fa2c9 — Initial generation from 1.30.0-rc.0
2. ac702edd — Regenerated from 1.30.0 stable release

Testing

• CI pipeline validation
• Kind cluster deployment with hostUsers: false on pods with Istio sidecar injection

[github-actions]

Welcome to the Kubeflow Manifests Repository

Thanks for opening your first PR. Your contribution means a lot to the Kubeflow community.

Before making more PRs:
Please ensure your PR follows our Contributing Guide.
Please also be aware that many components are synchronizes from upstream via the scripts in /scripts.
So in some cases you have to fix the problem in the upstream repositories first, but you can use a PR against kubeflow/manifests to test the platform integration.

Community Resources:

• CNCF Slack channels: https://www.kubeflow.org/docs/about/community/#kubeflow-slack-channels
• Community meetings: https://www.kubeflow.org/docs/about/community/

Thanks again for helping to improve Kubeflow.

[Copilot]

Pull request overview

This PR bumps the bundled Istio manifests from 1.29.2 to 1.30.0-rc.0 by re-running scripts/synchronize-istio-manifests.sh with the new commit pin. The upgrade is needed to pick up upstream Istio fix istio/istio#60005, which enables proper hostUsers: false support for pods with Istio sidecars, in turn unblocking PSS restricted enforcement in CI (PR #3444, issue #3463).

Changes:

• Update the synchronization script's COMMIT/PREVIOUS_COMMIT pins to 1.30.0-rc.0/1.29.2 and refresh the README Istio row.
• Regenerate all common/istio/** manifests (CRDs, install, cluster-local-gateway, ztunnel, sidecar injector patch, insecure overlay, profile) for the new tag; this also brings in upstream content changes such as the new TrafficExtension CRD, new notTrustDomains/trustDomains fields on AuthorizationPolicy, new disableContextPropagation on Telemetry, the listenersets/status RBAC move, the fix of the EnvoyFilter port validation rule (<= 6553 → <= 65535), and an injector template refactor that splits the projected xds-token/istio-token volumes and adds OTEL_RESOURCE_ATTRIBUTES/CA_ADDRESS env vars.
• No changes to non-generated files outside the script and README.

Reviewed changes

Copilot reviewed 9 out of 9 changed files in this pull request and generated no comments.

Show a summary per file

File	Description
scripts/synchronize-istio-manifests.sh	Bump COMMIT to 1.30.0-rc.0, PREVIOUS_COMMIT to 1.29.2.
README.md	Update Istio component row link/version to 1.30.0-rc.0.
common/istio/profile.yaml	Update IstioOperator tag to 1.30.0-rc.0.
common/istio/istio-install/overlays/insecure/configmap-patch.yaml	Update embedded tag value to 1.30.0-rc.0.
common/istio/istio-install/base/patches/istio-sidecar-injector-patch.yaml	Update injected sidecar tag to 1.30.0-rc.0.
common/istio/istio-install/base/install.yaml	Regenerated istiod/cni/ingress install manifests; new sidecar template (xds/istio token split, OTEL_RESOURCE_ATTRIBUTES, CA_ADDRESS), RBAC reorg for listenersets/status, image/chart/version label bumps.
common/istio/istio-install/components/ambient-mode/ztunnel.yaml	Bump ztunnel image and chart/version labels to 1.30.0-rc.0.
common/istio/cluster-local-gateway/base/cluster-local-gateway.yaml	Bump cluster-local-gateway image and chart/version labels to 1.30.0-rc.0.
common/istio/istio-crds/base/crd.yaml	Regenerated CRDs: add TrafficExtension, new (not)TrustDomains fields on AuthorizationPolicy, disableContextPropagation on Telemetry, fixed EnvoyFilter port-range validation rule.

[Raakshass]

/assign

[juliusvonkohout]

Please use https://github.com/istio/istio/releases/tag/1.30.0

[juliusvonkohout]

Please check all files in the repository there should be no 1.29 or 1.30 rc

[Copilot]

Pull request overview

Copilot reviewed 9 out of 9 changed files in this pull request and generated 1 comment.

[juliusvonkohout]

Thank you
/lgtm
/approve

[google-oss-prow]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: juliusvonkohout

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [juliusvonkohout]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment