From 90ebc30554a21c54a4d38b9b225e877a6e74270f Mon Sep 17 00:00:00 2001 
From: Jimmy Chen <28548492+JimmyCYJ@users.noreply.github.com> Date: Fri, 23 Aug 2019 21:25:43 -0700 Subject: [PATCH] Fixing the helm templates to support Control Plane SDS (#16466) * support control plane SDS * test control plane SDS * revise * revise * revise * set env * revise * revise * revise * revise * revise * revise * template change for SDS control plane * revise * update * fix unit tests * fix tests * enable control plane SDS --- .../charts/gateways/templates/deployment.yaml | 2 + .../charts/mixer/templates/deployment.yaml | 4 + .../charts/pilot/templates/deployment.yaml | 2 + .../example-values/values-istio-googleca.yaml | 2 +- .../helm/istio/files/injection-template.yaml | 2 + .../test-values/values-istio-auth-sds.yaml | 2 +- .../helm/istio/values-istio-sds-auth.yaml | 2 +- pilot/docker/envoy_pilot.yaml.tmpl | 198 +++++++++- pilot/docker/envoy_policy.yaml.tmpl | 98 ++++- pilot/docker/envoy_telemetry.yaml.tmpl | 51 ++- pkg/bootstrap/bootstrap_config_test.go | 22 +- pkg/bootstrap/testdata/auth_golden.json | 4 +- pkg/bootstrap/testdata/authsds.proto | 11 + pkg/bootstrap/testdata/authsds_golden.json | 291 +++++++++++++++ pkg/bootstrap/testdata/running_golden.json | 2 - pkg/bootstrap/testdata/runningsds.proto | 14 + pkg/bootstrap/testdata/runningsds_golden.json | 353 ++++++++++++++++++ ...-with-flag-set-in-annotation.yaml.injected | 2 + ...ith-flag-unset-in-annotation.yaml.injected | 2 + .../app_probe/hello-probes.yaml.injected | 2 + .../app_probe/hello-readiness.yaml.injected | 2 + .../app_probe/https-probes.yaml.injected | 2 + .../inject/app_probe/named_port.yaml.injected | 2 + .../app_probe/one_container.yaml.injected | 2 + .../inject/app_probe/ready_only.yaml.injected | 2 + .../app_probe/two_container.yaml.injected | 2 + .../inject/auth.cert-dir.yaml.injected | 2 + ....non-default-service-account.yaml.injected | 2 + .../inject/testdata/inject/auth.yaml.injected | 2 + .../testdata/inject/cronjob.yaml.injected | 2 + 
.../testdata/inject/daemonset.yaml.injected | 2 + .../deploymentconfig-multi.yaml.injected | 2 + .../inject/deploymentconfig.yaml.injected | 2 + .../inject/enable-core-dump.yaml.injected | 2 + .../inject/format-duration.yaml.injected | 2 + .../testdata/inject/frontend.yaml.injected | 2 + .../inject/hello-always.yaml.injected | 2 + .../hello-config-map-name.yaml.injected | 2 + .../inject/hello-ignore.yaml.injected | 2 + .../testdata/inject/hello-multi.yaml.injected | 4 + .../inject/hello-namespace.yaml.injected | 2 + .../testdata/inject/hello-never.yaml.injected | 2 + .../inject/hello-proxy-override.yaml.injected | 2 + .../hello-template-in-values.yaml.injected | 2 + .../inject/hello-tproxy.yaml.injected | 2 + .../testdata/inject/hello.yaml.injected | 2 + .../inject/testdata/inject/job.yaml.injected | 2 + .../inject/kubevirtInterfaces.yaml.injected | 2 + .../kubevirtInterfaces_list.yaml.injected | 2 + .../inject/list-frontend.yaml.injected | 2 + .../inject/testdata/inject/list.yaml.injected | 4 + .../testdata/inject/multi-init.yaml.injected | 2 + .../inject/testdata/inject/pod.yaml.injected | 2 + .../testdata/inject/replicaset.yaml.injected | 2 + .../replicationcontroller.yaml.injected | 2 + .../testdata/inject/statefulset.yaml.injected | 2 + .../inject/status_annotations.yaml.injected | 2 + .../inject/status_params.yaml.injected | 2 + ...c-annotations-empty-includes.yaml.injected | 2 + ...raffic-annotations-wildcards.yaml.injected | 2 + .../inject/traffic-annotations.yaml.injected | 2 + ...raffic-params-empty-includes.yaml.injected | 2 + .../inject/traffic-params.yaml.injected | 2 + .../testdata/webhook/daemonset.yaml.injected | 2 + .../deploymentconfig-multi.yaml.injected | 2 + .../webhook/deploymentconfig.yaml.injected | 2 + .../testdata/webhook/frontend.yaml.injected | 2 + .../hello-config-map-name.yaml.injected | 2 + .../webhook/hello-multi.yaml.injected | 4 + .../webhook/hello-probes.yaml.injected | 2 + .../inject/testdata/webhook/job.yaml.injected | 2 + 
.../webhook/list-frontend.yaml.injected | 2 + .../testdata/webhook/list.yaml.injected | 4 + .../testdata/webhook/replicaset.yaml.injected | 2 + .../replicationcontroller.yaml.injected | 2 + .../resource_annotations.yaml.injected | 2 + .../webhook/statefulset.yaml.injected | 2 + .../webhook/status_annotations.yaml.injected | 2 + ...c-annotations-empty-includes.yaml.injected | 2 + ...raffic-annotations-wildcards.yaml.injected | 2 + .../webhook/traffic-annotations.yaml.injected | 2 + .../webhook/user-volume.yaml.injected | 2 + .../packaging/common/envoy_bootstrap_v2.json | 89 +++++ 83 files changed, 1274 insertions(+), 13 deletions(-) create mode 100644 pkg/bootstrap/testdata/authsds.proto create mode 100644 pkg/bootstrap/testdata/authsds_golden.json create mode 100644 pkg/bootstrap/testdata/runningsds.proto create mode 100644 pkg/bootstrap/testdata/runningsds_golden.json diff --git a/install/kubernetes/helm/istio/charts/gateways/templates/deployment.yaml b/install/kubernetes/helm/istio/charts/gateways/templates/deployment.yaml index 6675c1e03435..28456373b018 100644 --- a/install/kubernetes/helm/istio/charts/gateways/templates/deployment.yaml +++ b/install/kubernetes/helm/istio/charts/gateways/templates/deployment.yaml @@ -236,6 +236,8 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace + - name: SDS_ENABLED + value: "{{ $.Values.global.sds.enabled }}" - name: ISTIO_META_WORKLOAD_NAME value: {{ $key }} - name: ISTIO_META_OWNER diff --git a/install/kubernetes/helm/istio/charts/mixer/templates/deployment.yaml b/install/kubernetes/helm/istio/charts/mixer/templates/deployment.yaml index c2129963847d..7ff3878d1394 100644 --- a/install/kubernetes/helm/istio/charts/mixer/templates/deployment.yaml +++ b/install/kubernetes/helm/istio/charts/mixer/templates/deployment.yaml 
@@ -152,6 +152,8 @@ fieldRef: apiVersion: v1 fieldPath: status.podIP + - name: SDS_ENABLED + value: "{{ $.Values.global.sds.enabled }}" resources: {{- if $.Values.global.proxy.resources }} {{ toYaml $.Values.global.proxy.resources | indent 10 }} @@ -336,6 +338,8 @@ fieldRef: apiVersion: v1 fieldPath: status.podIP + - name: SDS_ENABLED + value: "{{ $.Values.global.sds.enabled }}" resources: {{- if $.Values.global.proxy.resources }} {{ toYaml $.Values.global.proxy.resources | indent 10 }} diff --git a/install/kubernetes/helm/istio/charts/pilot/templates/deployment.yaml b/install/kubernetes/helm/istio/charts/pilot/templates/deployment.yaml index 53ec9fd81815..bdb9fd08c8f7 100644 --- a/install/kubernetes/helm/istio/charts/pilot/templates/deployment.yaml +++ b/install/kubernetes/helm/istio/charts/pilot/templates/deployment.yaml @@ -173,6 +173,8 @@ spec: fieldRef: apiVersion: v1 fieldPath: status.podIP + - name: SDS_ENABLED + value: "{{ $.Values.global.sds.enabled }}" resources: {{- if .Values.global.proxy.resources }} {{ toYaml .Values.global.proxy.resources | indent 12 }} diff --git a/install/kubernetes/helm/istio/example-values/values-istio-googleca.yaml b/install/kubernetes/helm/istio/example-values/values-istio-googleca.yaml index 51a4b1cb88a8..2c10b9143131 100644 --- a/install/kubernetes/helm/istio/example-values/values-istio-googleca.yaml +++ b/install/kubernetes/helm/istio/example-values/values-istio-googleca.yaml @@ -1,5 +1,5 @@ global: - controlPlaneSecurityEnabled: false + controlPlaneSecurityEnabled: true mtls: # Default setting for service-to-service mtls. Can be set explicitly using diff --git a/install/kubernetes/helm/istio/files/injection-template.yaml b/install/kubernetes/helm/istio/files/injection-template.yaml index 865e9fb6dde1..c4fd9952a3e6 100644 --- a/install/kubernetes/helm/istio/files/injection-template.yaml +++ b/install/kubernetes/helm/istio/files/injection-template.yaml 
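Review bot: For pilot's proxy container (and the two mixer containers above) only the `SDS_ENABLED` env var is added, while the envoy templates later in this patch switch to SDS when `sds_uds_path` is set and then read a socket and a token file; neither the UDS volume nor the token volume appears in this diff, so the change depends on those mounts already existing in the pilot, mixer and gateway pod specs, which I cannot confirm from the hunk. If they are absent, a `global.sds.enabled: true` install renders a control-plane proxy that cannot reach the node agent and never gets a certificate. A short comment next to the entry, `# control-plane proxy fetches its certs over SDS; requires the SDS UDS and token volumes`, or gating the env var on the same condition that adds those mounts, would make the dependency visible.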
@@ -186,6 +186,8 @@ containers: valueFrom: fieldRef: fieldPath: metadata.namespace + - name: SDS_ENABLED + value: {{ $.Values.global.sds.enabled }} - name: ISTIO_META_INTERCEPTION_MODE value: "{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}" - name: ISTIO_META_INCLUDE_INBOUND_PORTS diff --git a/install/kubernetes/helm/istio/test-values/values-istio-auth-sds.yaml b/install/kubernetes/helm/istio/test-values/values-istio-auth-sds.yaml index c39f0420ec93..6c0661e699de 100644 --- a/install/kubernetes/helm/istio/test-values/values-istio-auth-sds.yaml +++ b/install/kubernetes/helm/istio/test-values/values-istio-auth-sds.yaml @@ -1,5 +1,5 @@ global: - controlPlaneSecurityEnabled: false + controlPlaneSecurityEnabled: true mtls: # Default setting for service-to-service mtls. Can be set explicitly using diff --git a/install/kubernetes/helm/istio/values-istio-sds-auth.yaml b/install/kubernetes/helm/istio/values-istio-sds-auth.yaml index 47ead233c04b..93a718960f4e 100644 --- a/install/kubernetes/helm/istio/values-istio-sds-auth.yaml +++ b/install/kubernetes/helm/istio/values-istio-sds-auth.yaml @@ -1,5 +1,5 @@ global: - controlPlaneSecurityEnabled: false + controlPlaneSecurityEnabled: true mtls: # Default setting for service-to-service mtls. Can be set explicitly using diff --git a/pilot/docker/envoy_pilot.yaml.tmpl b/pilot/docker/envoy_pilot.yaml.tmpl index 511e6197c3fc..8277c42fb8b1 100644 --- a/pilot/docker/envoy_pilot.yaml.tmpl +++ b/pilot/docker/envoy_pilot.yaml.tmpl 
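Review bot: The new `SDS_ENABLED` entry renders its value unquoted, `value: {{ $.Values.global.sds.enabled }}`, unlike the gateway, mixer and pilot templates in this same patch, which write `value: "{{ $.Values.global.sds.enabled }}"`. With a boolean `global.sds.enabled` that yields a YAML `true`/`false` rather than a string, and `EnvVar.value` is a string field, so a strict decode of the injected pod spec is likely to reject it (how strictly the injector decodes the rendered template is not visible here). Quote it to match the other three templates: `value: "{{ $.Values.global.sds.enabled }}"`.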
@@ -45,6 +45,52 @@ static_resources: http2_protocol_options: {} name: mixer_report_server {{- if .ControlPlaneAuth }} +{{- if .sds_uds_path }} + tls_context: + common_tls_context: + tls_certificate_sds_secret_configs: + - name: default + sds_config: + api_config_source: + api_type: GRPC + grpc_services: + - google_grpc: + target_uri: {{ .sds_uds_path }} + channel_credentials: + local_credentials: {} + call_credentials: + - from_plugin: + name: envoy.grpc_credentials.file_based_metadata + config: + header_key: istio_sds_credentials_header-bin + secret_data: + filename: {{ .sds_token_path }} + credentials_factory_name: envoy.grpc_credentials.file_based_metadata + stat_prefix: sdsstat + combined_validation_context: + default_validation_context: + verify_subject_alt_name: + - {{ .MixerSubjectAltName }} + validation_context_sds_secret_config: + name: ROOTCA + sds_config: + api_config_source: + api_type: GRPC + grpc_services: + - google_grpc: + target_uri: {{ .sds_uds_path }} + channel_credentials: + local_credentials: {} + call_credentials: + - from_plugin: + name: envoy.grpc_credentials.file_based_metadata + config: + header_key: istio_sds_credentials_header-bin + secret_data: + filename: {{ .sds_token_path }} + credentials_factory_name: envoy.grpc_credentials.file_based_metadata + stat_prefix: sdsstat +{{- else }} tls_context: common_tls_context: tls_certificates: @@ -57,12 +103,13 @@ static_resources: filename: /etc/certs/root-cert.pem verify_subject_alt_name: - {{ .MixerSubjectAltName }} +{{- end }} {{- end }} type: STRICT_DNS dns_lookup_family: "{{ .dns_lookup_family }}" listeners: - address: - socket_address: + socket_address: address: "{{ .wildcard }}" port_value: 15003 filter_chains: 
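Review bot: The SDS branch is guarded only by `{{- if .sds_uds_path }}`, yet both `secret_data` blocks it renders also interpolate `{{ .sds_token_path }}`; if the token path is absent from the template data the mixer cluster is written with an empty or `<no value>` filename, and the failure surfaces only when the proxy tries to fetch its certificate rather than at render time. Either widen the guard to `{{- if and .sds_uds_path .sds_token_path }}` or, better, have the Go code that assembles these options refuse one without the other, so a half-configured SDS install fails loudly instead of quietly degrading to the file-based branch. Keeping `verify_subject_alt_name: - {{ .MixerSubjectAltName }}` on the SDS branch, as this hunk does, is correct: it preserves the SAN pin of the file-based outbound cluster.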
@@ -123,6 +170,54 @@ static_resources: stat_prefix: "15003" name: envoy.http_connection_manager {{- if .ControlPlaneAuth }} +{{- if .sds_uds_path }} + tls_context: + common_tls_context: + alpn_protocols: + - http/1.1 + tls_certificate_sds_secret_configs: + - name: default + sds_config: + api_config_source: + api_type: GRPC + grpc_services: + - google_grpc: + target_uri: {{ .sds_uds_path }} + channel_credentials: + local_credentials: {} + call_credentials: + - from_plugin: + name: envoy.grpc_credentials.file_based_metadata + config: + header_key: istio_sds_credentials_header-bin + secret_data: + filename: {{ .sds_token_path }} + credentials_factory_name: envoy.grpc_credentials.file_based_metadata + stat_prefix: sdsstat + combined_validation_context: + default_validation_context: + verify_subject_alt_name: [] + validation_context_sds_secret_config: + name: ROOTCA + sds_config: + api_config_source: + api_type: GRPC + grpc_services: + - google_grpc: + target_uri: {{ .sds_uds_path }} + channel_credentials: + local_credentials: {} + call_credentials: + - from_plugin: + name: envoy.grpc_credentials.file_based_metadata + config: + header_key: istio_sds_credentials_header-bin + secret_data: + filename: {{ .sds_token_path }} + credentials_factory_name: envoy.grpc_credentials.file_based_metadata + stat_prefix: sdsstat + require_client_certificate: true +{{- else }} tls_context: common_tls_context: alpn_protocols: @@ -136,6 +231,7 @@ static_resources: trusted_ca: filename: /etc/certs/root-cert.pem require_client_certificate: true +{{- end }} {{- end }} name: "15003" - address: 
@@ -202,6 +298,54 @@ static_resources: timeout: 0.000s stat_prefix: "15011" name: envoy.http_connection_manager +{{- if .sds_uds_path }} + tls_context: + common_tls_context: + alpn_protocols: + - h2 + tls_certificate_sds_secret_configs: + - name: default + sds_config: + api_config_source: + api_type: GRPC + grpc_services: + - google_grpc: + target_uri: {{ .sds_uds_path }} + channel_credentials: + local_credentials: {} + call_credentials: + - from_plugin: + name: envoy.grpc_credentials.file_based_metadata + config: + header_key: istio_sds_credentials_header-bin + secret_data: + filename: {{ .sds_token_path }} + credentials_factory_name: envoy.grpc_credentials.file_based_metadata + stat_prefix: sdsstat + combined_validation_context: + default_validation_context: + verify_subject_alt_name: [] + validation_context_sds_secret_config: + name: ROOTCA + sds_config: + api_config_source: + api_type: GRPC + grpc_services: + - google_grpc: + target_uri: {{ .sds_uds_path }} + channel_credentials: + local_credentials: {} + call_credentials: + - from_plugin: + name: envoy.grpc_credentials.file_based_metadata + config: + header_key: istio_sds_credentials_header-bin + secret_data: + filename: {{ .sds_token_path }} + credentials_factory_name: envoy.grpc_credentials.file_based_metadata + stat_prefix: sdsstat + require_client_certificate: true +{{- else }} tls_context: common_tls_context: alpn_protocols: @@ -215,6 +359,7 @@ static_resources: trusted_ca: filename: /etc/certs/root-cert.pem require_client_certificate: true +{{- end }} name: "15011" - address: socket_address: 
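Review bot: This is the third verbatim copy in this file of the same ~45-line SDS `tls_context`, the cert and `ROOTCA` `api_config_source` blocks within it are identical apart from the secret name, and the policy and telemetry templates in this patch repeat it again; only `alpn_protocols` and the SAN list vary between copies. Since these are Go templates, a `{{ define "sds_api_config_source" }}` partial for the `api_config_source` block, pulled in with `{{ template "sds_api_config_source" . }}` at each secret, would turn a future change to the credentials header or plugin name into a one-line edit instead of a dozen. Also note that, per the context lines shown, this listener's TLS context is not wrapped in `{{- if .ControlPlaneAuth }}` the way 15003's is, so the SDS branch applies whenever `sds_uds_path` is set; that matches 15011 having been unconditionally TLS before, but a template comment saying so would save the next reader the comparison.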
@@ -277,6 +422,54 @@ static_resources: timeout: 0.000s stat_prefix: "15005" name: envoy.http_connection_manager +{{- if .sds_uds_path }} + tls_context: + common_tls_context: + alpn_protocols: + - http/1.1 + tls_certificate_sds_secret_configs: + - name: default + sds_config: + api_config_source: + api_type: GRPC + grpc_services: + - google_grpc: + target_uri: {{ .sds_uds_path }} + channel_credentials: + local_credentials: {} + call_credentials: + - from_plugin: + name: envoy.grpc_credentials.file_based_metadata + config: + header_key: istio_sds_credentials_header-bin + secret_data: + filename: {{ .sds_token_path }} + credentials_factory_name: envoy.grpc_credentials.file_based_metadata + stat_prefix: sdsstat + combined_validation_context: + default_validation_context: + verify_subject_alt_name: [] + validation_context_sds_secret_config: + name: ROOTCA + sds_config: + api_config_source: + api_type: GRPC + grpc_services: + - google_grpc: + target_uri: {{ .sds_uds_path }} + channel_credentials: + local_credentials: {} + call_credentials: + - from_plugin: + name: envoy.grpc_credentials.file_based_metadata + config: + header_key: istio_sds_credentials_header-bin + secret_data: + filename: {{ .sds_token_path }} + credentials_factory_name: envoy.grpc_credentials.file_based_metadata + stat_prefix: sdsstat + require_client_certificate: true +{{- else }} tls_context: common_tls_context: alpn_protocols: @@ -290,6 +483,7 @@ static_resources: trusted_ca: filename: /etc/certs/root-cert.pem require_client_certificate: true +{{- end }} name: "15005" - address: socket_address: @@ -352,4 +546,4 @@ static_resources: timeout: 0.000s stat_prefix: "15007" name: envoy.http_connection_manager - name: "15007" + name: "15007" \ No newline at end of file diff --git a/pilot/docker/envoy_policy.yaml.tmpl b/pilot/docker/envoy_policy.yaml.tmpl index 9b11c83ce2ee..5422942b7596 100644 --- a/pilot/docker/envoy_policy.yaml.tmpl +++ b/pilot/docker/envoy_policy.yaml.tmpl 
@@ -58,6 +58,52 @@ static_resources: http2_protocol_options: {} name: mixer_report_server {{- if .ControlPlaneAuth }} +{{- if .sds_uds_path }} + tls_context: + common_tls_context: + tls_certificate_sds_secret_configs: + - name: default + sds_config: + api_config_source: + api_type: GRPC + grpc_services: + - google_grpc: + target_uri: {{ .sds_uds_path }} + channel_credentials: + local_credentials: {} + call_credentials: + - from_plugin: + name: envoy.grpc_credentials.file_based_metadata + config: + header_key: istio_sds_credentials_header-bin + secret_data: + filename: {{ .sds_token_path }} + credentials_factory_name: envoy.grpc_credentials.file_based_metadata + stat_prefix: sdsstat + combined_validation_context: + default_validation_context: + verify_subject_alt_name: + - {{ .MixerSubjectAltName }} + validation_context_sds_secret_config: + name: ROOTCA + sds_config: + api_config_source: + api_type: GRPC + grpc_services: + - google_grpc: + target_uri: {{ .sds_uds_path }} + channel_credentials: + local_credentials: {} + call_credentials: + - from_plugin: + name: envoy.grpc_credentials.file_based_metadata + config: + header_key: istio_sds_credentials_header-bin + secret_data: + filename: {{ .sds_token_path }} + credentials_factory_name: envoy.grpc_credentials.file_based_metadata + stat_prefix: sdsstat +{{- else }} tls_context: common_tls_context: tls_certificates: @@ -70,6 +116,7 @@ static_resources: filename: /etc/certs/root-cert.pem verify_subject_alt_name: - {{ .MixerSubjectAltName }} +{{- end }} {{- end }} type: STRICT_DNS dns_lookup_family: "{{ .dns_lookup_family }}" 
@@ -165,6 +212,54 @@ static_resources: stat_prefix: "15004" name: envoy.http_connection_manager {{- if .ControlPlaneAuth }} +{{- if .sds_uds_path }} + tls_context: + common_tls_context: + alpn_protocols: + - h2 + tls_certificate_sds_secret_configs: + - name: default + sds_config: + api_config_source: + api_type: GRPC + grpc_services: + - google_grpc: + target_uri: {{ .sds_uds_path }} + channel_credentials: + local_credentials: {} + call_credentials: + - from_plugin: + name: envoy.grpc_credentials.file_based_metadata + config: + header_key: istio_sds_credentials_header-bin + secret_data: + filename: {{ .sds_token_path }} + credentials_factory_name: envoy.grpc_credentials.file_based_metadata + stat_prefix: sdsstat + combined_validation_context: + default_validation_context: + verify_subject_alt_name: [] + validation_context_sds_secret_config: + name: ROOTCA + sds_config: + api_config_source: + api_type: GRPC + grpc_services: + - google_grpc: + target_uri: {{ .sds_uds_path }} + channel_credentials: + local_credentials: {} + call_credentials: + - from_plugin: + name: envoy.grpc_credentials.file_based_metadata + config: + header_key: istio_sds_credentials_header-bin + secret_data: + filename: {{ .sds_token_path }} + credentials_factory_name: envoy.grpc_credentials.file_based_metadata + stat_prefix: sdsstat + require_client_certificate: true +{{- else }} tls_context: common_tls_context: alpn_protocols: @@ -178,6 +273,7 @@ static_resources: trusted_ca: filename: /etc/certs/root-cert.pem require_client_certificate: true +{{- end }} {{- end }} name: "15004" - address: @@ -247,4 +343,4 @@ static_resources: timeout: 0.000s stat_prefix: "9091" name: envoy.http_connection_manager - name: "9091" + name: "9091" \ No newline at end of file diff --git a/pilot/docker/envoy_telemetry.yaml.tmpl b/pilot/docker/envoy_telemetry.yaml.tmpl index 64363c65ca2b..bd5f2d9b444c 100644 --- a/pilot/docker/envoy_telemetry.yaml.tmpl +++ b/pilot/docker/envoy_telemetry.yaml.tmpl 
@@ -132,6 +132,54 @@ static_resources: stat_prefix: "15004" name: envoy.http_connection_manager {{- if .ControlPlaneAuth }} +{{- if .sds_uds_path }} + tls_context: + common_tls_context: + alpn_protocols: + - h2 + tls_certificate_sds_secret_configs: + - name: default + sds_config: + api_config_source: + api_type: GRPC + grpc_services: + - google_grpc: + target_uri: {{ .sds_uds_path }} + channel_credentials: + local_credentials: {} + call_credentials: + - from_plugin: + name: envoy.grpc_credentials.file_based_metadata + config: + header_key: istio_sds_credentials_header-bin + secret_data: + filename: {{ .sds_token_path }} + credentials_factory_name: envoy.grpc_credentials.file_based_metadata + stat_prefix: sdsstat + combined_validation_context: + default_validation_context: + verify_subject_alt_name: [] + validation_context_sds_secret_config: + name: ROOTCA + sds_config: + api_config_source: + api_type: GRPC + grpc_services: + - google_grpc: + target_uri: {{ .sds_uds_path }} + channel_credentials: + local_credentials: {} + call_credentials: + - from_plugin: + name: envoy.grpc_credentials.file_based_metadata + config: + header_key: istio_sds_credentials_header-bin + secret_data: + filename: {{ .sds_token_path }} + credentials_factory_name: envoy.grpc_credentials.file_based_metadata + stat_prefix: sdsstat + require_client_certificate: true +{{- else }} tls_context: common_tls_context: alpn_protocols: @@ -145,6 +193,7 @@ static_resources: trusted_ca: filename: /etc/certs/root-cert.pem require_client_certificate: true +{{- end }} {{- end }} name: "15004" - address: @@ -210,4 +259,4 @@ static_resources: timeout: 0.000s stat_prefix: "9091" name: envoy.http_connection_manager - name: "9091" + name: "9091" \ No newline at end of file diff --git a/pkg/bootstrap/bootstrap_config_test.go b/pkg/bootstrap/bootstrap_config_test.go index d7ca359cd673..445b2e99abb7 100644 --- a/pkg/bootstrap/bootstrap_config_test.go +++ b/pkg/bootstrap/bootstrap_config_test.go 
@@ -90,6 +90,9 @@ func TestGolden(t *testing.T) { }{ { base: "auth", + }, + { + base: "authsds", opts: map[string]interface{}{ "sds_uds_path": "udspath", "sds_token_path": "/var/run/secrets/tokens/istio-token", @@ -113,9 +116,26 @@ func TestGolden(t *testing.T) { annotations: map[string]string{ "istio.io/insecurepath": "{\"paths\":[\"/metrics\",\"/live\"]}", }, + checkLocality: true, + }, + { + base: "runningsds", + envVars: map[string]string{ + "ISTIO_META_ISTIO_PROXY_SHA": "istio-proxy:sha", + "ISTIO_META_INTERCEPTION_MODE": "REDIRECT", + "ISTIO_META_ISTIO_VERSION": "release-3.1", + "ISTIO_META_POD_NAME": "svc-0-0-0-6944fb884d-4pgx8", + "POD_NAME": "svc-0-0-0-6944fb884d-4pgx8", + "POD_NAMESPACE": "test", + "INSTANCE_IP": "10.10.10.1", + "ISTIO_METAJSON_LABELS": `{"version": "v1alpha1", "app": "test", "istio-locality":"regionA.zoneB.sub_zoneC"}`, + }, + annotations: map[string]string{ + "istio.io/insecurepath": "{\"paths\":[\"/metrics\",\"/live\"]}", + }, opts: map[string]interface{}{ "sds_uds_path": "udspath", - "sds_token_path": "/var/run/secrets/kubernetes.io/serviceaccount/token", + "sds_token_path": "/var/run/secrets/tokens/istio-token", }, checkLocality: true, }, diff --git a/pkg/bootstrap/testdata/auth_golden.json b/pkg/bootstrap/testdata/auth_golden.json index cdea9bd1b8f6..9c72fa245c3f 100644 --- a/pkg/bootstrap/testdata/auth_golden.json +++ b/pkg/bootstrap/testdata/auth_golden.json @@ -3,9 +3,7 @@ "id": "sidecar~1.2.3.4~foo~bar", "cluster": "istio-proxy", "locality": {}, - "metadata": {"INSTANCE_IPS":"10.3.3.3,10.4.4.4,10.5.5.5,10.6.6.6", "istio":"sidecar", - "ISTIO_META_SDS": "1", - "ISTIO_META_TRUSTJWT": "1", + "metadata": {"INSTANCE_IPS":"10.3.3.3,10.4.4.4,10.5.5.5,10.6.6.6","istio":"sidecar", "EXCHANGE_KEYS":"NAME,NAMESPACE,INSTANCE_IPS,LABELS,OWNER,PLATFORM_METADATA,WORKLOAD_NAME,CANONICAL_TELEMETRY_SERVICE,MESH_ID,SERVICE_ACCOUNT"} }, "stats_config": { 
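Review bot: The new `runningsds` case repeats the whole `envVars` and `annotations` maps of `running` verbatim, so the two cases will drift the next time one of them is edited. Hoisting them into shared variables, e.g. `runningEnv := map[string]string{...}` and `insecurePathAnnotations := map[string]string{...}`, and referencing them from both cases leaves the only intended difference, the `opts` carrying `sds_uds_path` and `sds_token_path`, visible at a glance. The token path moving from the service-account token to `/var/run/secrets/tokens/istio-token` is only a string here, so nothing in this test checks that the agent reads the projected token rather than the mounted SA token; that presumably belongs to the agent's own tests.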
diff --git a/pkg/bootstrap/testdata/authsds.proto b/pkg/bootstrap/testdata/authsds.proto new file mode 100644 index 000000000000..c2ad6a2d6f20 --- /dev/null +++ b/pkg/bootstrap/testdata/authsds.proto @@ -0,0 +1,11 @@ +config_path: "/etc/istio/proxy" +binary_path: "/usr/local/bin/envoy" +service_cluster: "istio-proxy" +drain_duration: {seconds: 2} +parent_shutdown_duration: {seconds: 3} +discovery_address: "istio-pilot:15011" +connect_timeout: {seconds: 1} +proxy_admin_port: 15000 +control_plane_auth_policy: MUTUAL_TLS + +# Same as default, but with MUTUAL_TLS enabled diff --git a/pkg/bootstrap/testdata/authsds_golden.json b/pkg/bootstrap/testdata/authsds_golden.json new file mode 100644 index 000000000000..903473520e3e --- /dev/null +++ b/pkg/bootstrap/testdata/authsds_golden.json 
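Review bot: The trailing comment `# Same as default, but with MUTUAL_TLS enabled` is carried over from `auth.proto` and does not say what makes this fixture the SDS case; the SDS socket and token paths that distinguish it are supplied through the test's `opts`, not through this file, so the two fixtures are byte-identical in content. Replace it with `# Same as auth.proto; the SDS socket and token paths are injected via TestGolden opts` so a reader of the testdata directory can tell them apart without opening the test.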
@@ -0,0 +1,291 @@ +{ + "node": { + "id": "sidecar~1.2.3.4~foo~bar", + "cluster": "istio-proxy", + "locality": {}, + "metadata": {"INSTANCE_IPS":"10.3.3.3,10.4.4.4,10.5.5.5,10.6.6.6", "istio":"sidecar", + "ISTIO_META_SDS": "1", + "ISTIO_META_TRUSTJWT": "1", + "EXCHANGE_KEYS":"NAME,NAMESPACE,INSTANCE_IPS,LABELS,OWNER,PLATFORM_METADATA,WORKLOAD_NAME,CANONICAL_TELEMETRY_SERVICE,MESH_ID,SERVICE_ACCOUNT"} + }, + "stats_config": { + "use_all_default_tags": false, + "stats_tags": [ + { + "tag_name": "cluster_name", + "regex": "^cluster\\.((.+?(\\..+?\\.svc\\.cluster\\.local)?)\\.)" + }, + { + "tag_name": "tcp_prefix", + "regex": "^tcp\\.((.*?)\\.)\\w+?$" + }, + { + "tag_name": "response_code", + "regex": "_rq(_(\\d{3}))$" + }, + { + "tag_name": "response_code_class", + "regex": "_rq(_(\\dxx))$" + }, + { + "tag_name": "http_conn_manager_listener_prefix", + "regex": "^listener(?=\\.).*?\\.http\\.(((?:[_.[:digit:]]*|[_\\[\\]aAbBcCdDeEfF[:digit:]]*))\\.)" + }, + { + "tag_name": "http_conn_manager_prefix", + "regex": "^http\\.(((?:[_.[:digit:]]*|[_\\[\\]aAbBcCdDeEfF[:digit:]]*))\\.)" + }, + { + "tag_name": "listener_address", + "regex": "^listener\\.(((?:[_.[:digit:]]*|[_\\[\\]aAbBcCdDeEfF[:digit:]]*))\\.)" + }, + { + "tag_name": "mongo_prefix", + "regex": "^mongo\\.(.+?)\\.(collection|cmd|cx_|op_|delays_|decoding_)(.*?)$" + } + ], + "stats_matcher": { + "inclusion_list": { + "patterns": [{ + "prefix": "cluster_manager" + }, + { + "prefix": "listener_manager" + }, + { + "prefix": "http_mixer_filter" + }, + { + "prefix": "tcp_mixer_filter" + }, + { + "prefix": "server" + }, + { + "prefix": "cluster.xds-grpc" + }, + { + "suffix": "ssl_context_update_by_sds" + } + ] + } + } + }, + "admin": { + "access_log_path": "/dev/null", + "address": { + "socket_address": { + "address": "127.0.0.1", + "port_value": 15000 + } + } + }, + "dynamic_resources": { + "lds_config": { + "ads": {} + }, + "cds_config": { + "ads": {} + }, + "ads_config": { + "api_type": "GRPC", + "grpc_services": [ + { + 
"envoy_grpc": { + "cluster_name": "xds-grpc" + } + } + ] + } + }, + "static_resources": { + "clusters": [ + { + "name": "prometheus_stats", + "type": "STATIC", + "connect_timeout": "0.250s", + "lb_policy": "ROUND_ROBIN", + "hosts": [ + { + "socket_address": { + "protocol": "TCP", + "address": "127.0.0.1", + "port_value": 15000 + } + } + ] + }, + { + "name": "xds-grpc", + "type": "STRICT_DNS", + "dns_refresh_rate": "60s", + "dns_lookup_family": "V4_ONLY", + "connect_timeout": "1s", + "lb_policy": "ROUND_ROBIN", + + "tls_context": { + "common_tls_context": { + "alpn_protocols": [ + "h2" + ], + "tls_certificate_sds_secret_configs":[ + { + "name":"default", + "sds_config":{ + "api_config_source":{ + "api_type":"GRPC", + "grpc_services":[ + { + "google_grpc":{ + "target_uri": "udspath", + "channel_credentials":{ + "local_credentials":{ + } + }, + "call_credentials":[ + { + "from_plugin":{ + "name":"envoy.grpc_credentials.file_based_metadata", + "config":{ + "secret_data":{ + "filename": "/var/run/secrets/tokens/istio-token" + }, + "header_key":"istio_sds_credentials_header-bin" + } + } + } + ], + "credentials_factory_name":"envoy.grpc_credentials.file_based_metadata", + "stat_prefix":"sdsstat" + } + } + ] + } + } + } + ], + "combined_validation_context":{ + "default_validation_context":{ + "verify_subject_alt_name":[ + "spiffe://cluster.local/ns/istio-system/sa/istio-pilot-service-account" + ] + }, + "validation_context_sds_secret_config":{ + "name":"ROOTCA", + "sds_config":{ + "api_config_source":{ + "api_type":"GRPC", + "grpc_services":[ + { + "google_grpc":{ + "target_uri": "udspath", + "channel_credentials":{ + "local_credentials":{ + } + }, + "call_credentials":[ + { + "from_plugin":{ + "name":"envoy.grpc_credentials.file_based_metadata", + "config":{ + "secret_data":{ + "filename": "/var/run/secrets/tokens/istio-token" + }, + "header_key":"istio_sds_credentials_header-bin" + } + } + } + ], + "credentials_factory_name":"envoy.grpc_credentials.file_based_metadata", 
+ "stat_prefix":"sdsstat" + } + } + ] + } + } + } + } + } + }, + + "hosts": [ + { + "socket_address": {"address": "istio-pilot", "port_value": 15011} + } + ], + "circuit_breakers": { + "thresholds": [ + { + "priority": "DEFAULT", + "max_connections": 100000, + "max_pending_requests": 100000, + "max_requests": 100000 + }, + { + "priority": "HIGH", + "max_connections": 100000, + "max_pending_requests": 100000, + "max_requests": 100000 + } + ] + }, + "upstream_connection_options": { + "tcp_keepalive": { + "keepalive_time": 300 + } + }, + "http2_protocol_options": { } + } + + ], + "listeners":[ + { + "address": { + "socket_address": { + "protocol": "TCP", + "address": "0.0.0.0", + "port_value": 15090 + } + }, + "filter_chains": [ + { + "filters": [ + { + "name": "envoy.http_connection_manager", + "config": { + "codec_type": "AUTO", + "stat_prefix": "stats", + "route_config": { + "virtual_hosts": [ + { + "name": "backend", + "domains": [ + "*" + ], + "routes": [ + { + "match": { + "prefix": "/stats/prometheus" + }, + "route": { + "cluster": "prometheus_stats" + } + } + ] + } + ] + }, + "http_filters": { + "name": "envoy.router" + } + } + } + ] + } + ] + } + ] + } + + +} diff --git a/pkg/bootstrap/testdata/running_golden.json b/pkg/bootstrap/testdata/running_golden.json index c9055be15c14..264530345fa5 100644 --- a/pkg/bootstrap/testdata/running_golden.json +++ b/pkg/bootstrap/testdata/running_golden.json @@ -15,8 +15,6 @@ "ISTIO_PROXY_SHA":"istio-proxy:sha", "ISTIO_VERSION":"release-3.1", "POD_NAME":"svc-0-0-0-6944fb884d-4pgx8", - "ISTIO_META_SDS": "1", - "ISTIO_META_TRUSTJWT": "1", "istio":"sidecar", "istio.io/insecurepath":"{\"paths\":[\"/metrics\",\"/live\"]}", "istio-locality": "regionA.zoneB.sub_zoneC", diff --git a/pkg/bootstrap/testdata/runningsds.proto b/pkg/bootstrap/testdata/runningsds.proto new file mode 100644 index 000000000000..aad750d1e8ae --- /dev/null +++ b/pkg/bootstrap/testdata/runningsds.proto 
@@ -0,0 +1,14 @@ +config_path: "/etc/istio/proxy" +binary_path: "/usr/local/bin/envoy" +service_cluster: "istio-proxy" +drain_duration: {seconds: 5} +parent_shutdown_duration: {seconds: 6} +discovery_address: "mypilot:1001" +connect_timeout: {seconds: 7} +statsd_udp_address: "10.1.1.1:9125" +proxy_admin_port: 15005 +control_plane_auth_policy: MUTUAL_TLS +stat_name_length: 200 +tracing: { zipkin: { address: "localhost:6000" } } + +# Sets all relevant options to values different than default diff --git a/pkg/bootstrap/testdata/runningsds_golden.json b/pkg/bootstrap/testdata/runningsds_golden.json new file mode 100644 index 000000000000..4b7f7ab777bd --- /dev/null +++ b/pkg/bootstrap/testdata/runningsds_golden.json 
@@ -0,0 +1,353 @@
+{
+ "node": {
+ "id": "sidecar~1.2.3.4~foo~bar",
+ "cluster": "istio-proxy",
+ "locality": {
+ "region": "regionA",
+ "zone": "zoneB",
+ "sub_zone": "sub_zoneC"
+ },
+ "metadata": {
+ "app": "test",
+ "version": "v1alpha1",
+ "INSTANCE_IPS":"10.3.3.3,10.4.4.4,10.5.5.5,10.6.6.6",
+ "INTERCEPTION_MODE":"REDIRECT",
+ "ISTIO_PROXY_SHA":"istio-proxy:sha",
+ "ISTIO_VERSION":"release-3.1",
+ "POD_NAME":"svc-0-0-0-6944fb884d-4pgx8",
+ "ISTIO_META_SDS": "1",
+ "ISTIO_META_TRUSTJWT": "1",
+ "istio":"sidecar",
+ "istio.io/insecurepath":"{\"paths\":[\"/metrics\",\"/live\"]}",
+ "istio-locality": "regionA.zoneB.sub_zoneC",
+ "EXCHANGE_KEYS":"NAME,NAMESPACE,INSTANCE_IPS,LABELS,OWNER,PLATFORM_METADATA,WORKLOAD_NAME,CANONICAL_TELEMETRY_SERVICE,MESH_ID,SERVICE_ACCOUNT",
+ "NAME": "svc-0-0-0-6944fb884d-4pgx8",
+ "NAMESPACE": "test",
+ "LABELS": {
+ "version": "v1alpha1",
+ "app": "test",
+ "istio-locality": "regionA.zoneB.sub_zoneC"
+ }
+ }
+ },
+ "stats_config": {
+ "use_all_default_tags": false,
+ "stats_tags": [
+ {
+ "tag_name": "cluster_name",
+ "regex": "^cluster\\.((.+?(\\..+?\\.svc\\.cluster\\.local)?)\\.)"
+ },
+ {
+ "tag_name": "tcp_prefix",
+ "regex": "^tcp\\.((.*?)\\.)\\w+?$"
+ },
+ {
+ "tag_name": "response_code",
+ "regex": "_rq(_(\\d{3}))$"
+ },
+ {
+ "tag_name": "response_code_class",
+ "regex": "_rq(_(\\dxx))$"
+ },
+ {
+ "tag_name": "http_conn_manager_listener_prefix",
+ "regex": "^listener(?=\\.).*?\\.http\\.(((?:[_.[:digit:]]*|[_\\[\\]aAbBcCdDeEfF[:digit:]]*))\\.)"
+ },
+ {
+ "tag_name": "http_conn_manager_prefix",
+ "regex": "^http\\.(((?:[_.[:digit:]]*|[_\\[\\]aAbBcCdDeEfF[:digit:]]*))\\.)"
+ },
+ {
+ "tag_name": "listener_address",
+ "regex": "^listener\\.(((?:[_.[:digit:]]*|[_\\[\\]aAbBcCdDeEfF[:digit:]]*))\\.)"
+ },
+ {
+ "tag_name": "mongo_prefix",
+ "regex": "^mongo\\.(.+?)\\.(collection|cmd|cx_|op_|delays_|decoding_)(.*?)$"
+ }
+ ],
+ "stats_matcher": {
+ "inclusion_list": {
+ "patterns": [{
+ "prefix": "cluster_manager"
+ },
+ {
+ "prefix": "listener_manager"
+ },
+ {
+ "prefix": "http_mixer_filter"
+ },
+ {
+ "prefix": "tcp_mixer_filter"
+ },
+ {
+ "prefix": "server"
+ },
+ {
+ "prefix": "cluster.xds-grpc"
+ },
+ {
+ "suffix": "ssl_context_update_by_sds"
+ }
+ ]
+ }
+ }
+ },
+ "admin": {
+ "access_log_path": "/dev/null",
+ "address": {
+ "socket_address": {
+ "address": "127.0.0.1",
+ "port_value": 15005
+ }
+ }
+ },
+ "dynamic_resources": {
+ "lds_config": {
+ "ads": {}
+ },
+ "cds_config": {
+ "ads": {}
+ },
+ "ads_config": {
+ "api_type": "GRPC",
+ "grpc_services": [
+ {
+ "envoy_grpc": {
+ "cluster_name": "xds-grpc"
+ }
+ }
+ ]
+ }
+ },
+ "static_resources": {
+ "clusters": [
+ {
+ "name": "prometheus_stats",
+ "type": "STATIC",
+ "connect_timeout": "0.250s",
+ "lb_policy": "ROUND_ROBIN",
+ "hosts": [
+ {
+ "socket_address": {
+ "protocol": "TCP",
+ "address": "127.0.0.1",
+ "port_value": 15005
+ }
+ }
+ ]
+ },
+ {
+ "name": "xds-grpc",
+ "type": "STRICT_DNS",
+ "dns_refresh_rate": "60s",
+ "dns_lookup_family": "V4_ONLY",
+ "connect_timeout": "7s",
+ "lb_policy": "ROUND_ROBIN",
+
+ "tls_context": {
+ "common_tls_context": {
+ "alpn_protocols": [
+ "h2"
+ ],
+ "tls_certificate_sds_secret_configs":[
+ {
+ "name":"default",
+ "sds_config":{
+ "api_config_source":{
+ "api_type":"GRPC",
+ "grpc_services":[
+ {
+ "google_grpc":{
+ "target_uri": "udspath",
+ "channel_credentials":{
+ "local_credentials":{
+ }
+ },
+ "call_credentials":[
+ {
+ "from_plugin":{
+ "name":"envoy.grpc_credentials.file_based_metadata",
+ "config":{
+ "secret_data":{
+ "filename": "/var/run/secrets/tokens/istio-token"
+ },
+ "header_key":"istio_sds_credentials_header-bin"
+ }
+ }
+ }
+ ],
+ "credentials_factory_name":"envoy.grpc_credentials.file_based_metadata",
+ "stat_prefix":"sdsstat"
+ }
+ }
+ ]
+ }
+ }
+ }
+ ],
+ "combined_validation_context":{
+ "default_validation_context":{
+ "verify_subject_alt_name":[
+ "spiffe://cluster.local/ns/istio-system/sa/istio-pilot-service-account"
+ ]
+ },
+ "validation_context_sds_secret_config":{
+ "name":"ROOTCA",
+ "sds_config":{
+ "api_config_source":{
+ "api_type":"GRPC",
+ "grpc_services":[
+ {
+ "google_grpc":{
+ "target_uri": "udspath",
+ "channel_credentials":{
+ "local_credentials":{
+ }
+ },
+ "call_credentials":[
+ {
+ "from_plugin":{
+ "name":"envoy.grpc_credentials.file_based_metadata",
+ "config":{
+ "secret_data":{
+ "filename": "/var/run/secrets/tokens/istio-token"
+ },
+ "header_key":"istio_sds_credentials_header-bin"
+ }
+ }
+ }
+ ],
+ "credentials_factory_name":"envoy.grpc_credentials.file_based_metadata",
+ "stat_prefix":"sdsstat"
+ }
+ }
+ ]
+ }
+ }
+ }
+ }
+ }
+ },
+
+ "hosts": [
+ {
+ "socket_address": {"address": "mypilot", "port_value": 1001}
+ }
+ ],
+ "circuit_breakers": {
+ "thresholds": [
+ {
+ "priority": "DEFAULT",
+ "max_connections": 100000,
+ "max_pending_requests": 100000,
+ "max_requests": 100000
+ },
+ {
+ "priority": "HIGH",
+ "max_connections": 100000,
+ "max_pending_requests": 100000,
+ "max_requests": 100000
+ }
+ ]
+ },
+ "upstream_connection_options": {
+ "tcp_keepalive": {
+ "keepalive_time": 300
+ }
+ },
+ "http2_protocol_options": { }
+ }
+
+ ,
+ {
+ "name": "zipkin",
+ "type": "STRICT_DNS",
+ "dns_refresh_rate": "60s",
+ "dns_lookup_family": "V4_ONLY",
+ "connect_timeout": "1s",
+ "lb_policy": "ROUND_ROBIN",
+ "hosts": [
+ {
+ "socket_address": {"address": "localhost", "port_value": 6000}
+ }
+ ]
+ }
+
+ ],
+ "listeners":[
+ {
+ "address": {
+ "socket_address": {
+ "protocol": "TCP",
+ "address": "0.0.0.0",
+ "port_value": 15090
+ }
+ },
+ "filter_chains": [
+ {
+ "filters": [
+ {
+ "name": "envoy.http_connection_manager",
+ "config": {
+ "codec_type": "AUTO",
+ "stat_prefix": "stats",
+ "route_config": {
+ "virtual_hosts": [
+ {
+ "name": "backend",
+ "domains": [
+ "*"
+ ],
+ "routes": [
+ {
+ "match": {
+ "prefix": "/stats/prometheus"
+ },
+ "route": {
+ "cluster": "prometheus_stats"
+ }
+ }
+ ]
+ }
+ ]
+ },
+ "http_filters": {
+ "name": "envoy.router"
+ }
+ }
+ }
+ ]
+ }
+ ]
+ }
+ ]
+ }
+
+ ,
+ "tracing": {
+ "http": {
+ "name": "envoy.zipkin",
+ "config": {
+ "collector_cluster": "zipkin",
+ "collector_endpoint": "/api/v1/spans",
+ "trace_id_128bit":"true",
+ "shared_span_context":"false"
+ }
+ }
+ }
+
+
+ ,
+ "stats_sinks": [
+ {
+ "name": "envoy.statsd",
+ "config": {
+ "address": {
+ "socket_address": {"address": "10.1.1.1", "port_value": 9125}
+ }
+ }
+ }
+ ]
+
+}
diff --git a/pkg/kube/inject/testdata/inject/app_probe/hello-probes-with-flag-set-in-annotation.yaml.injected b/pkg/kube/inject/testdata/inject/app_probe/hello-probes-with-flag-set-in-annotation.yaml.injected
index 50dfbd0d4e99..82debfb808d1 100644
--- a/pkg/kube/inject/testdata/inject/app_probe/hello-probes-with-flag-set-in-annotation.yaml.injected
+++ b/pkg/kube/inject/testdata/inject/app_probe/hello-probes-with-flag-set-in-annotation.yaml.injected
@@ -111,6 +111,8 @@ spec:
 valueFrom:
 fieldRef:
 fieldPath: metadata.namespace
+ - name: SDS_ENABLED
+ value: "false"
 - name: ISTIO_META_INTERCEPTION_MODE
 value: REDIRECT
 - name: ISTIO_META_INCLUDE_INBOUND_PORTS
diff --git a/pkg/kube/inject/testdata/inject/app_probe/hello-probes-with-flag-unset-in-annotation.yaml.injected b/pkg/kube/inject/testdata/inject/app_probe/hello-probes-with-flag-unset-in-annotation.yaml.injected
index 2601ff3a819b..a4c9f7861933 100644
--- a/pkg/kube/inject/testdata/inject/app_probe/hello-probes-with-flag-unset-in-annotation.yaml.injected
+++ b/pkg/kube/inject/testdata/inject/app_probe/hello-probes-with-flag-unset-in-annotation.yaml.injected
@@ -108,6 +108,8 @@ spec:
 valueFrom:
 fieldRef:
 fieldPath: metadata.namespace
+ - name: SDS_ENABLED
+ value: "false"
 - name: ISTIO_META_INTERCEPTION_MODE
 value: REDIRECT
 - name: ISTIO_META_INCLUDE_INBOUND_PORTS
diff --git a/pkg/kube/inject/testdata/inject/app_probe/hello-probes.yaml.injected b/pkg/kube/inject/testdata/inject/app_probe/hello-probes.yaml.injected
index d116eed3e985..3d801dcf25f9 100644
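Review bot: The xds-grpc cluster's `verify_subject_alt_name` is pinned to `spiffe://cluster.local/ns/istio-system/sa/istio-pilot-service-account` while every other value in this fixture is deliberately non-default (`mypilot:1001`, `regionA`, admin port 15005), so the golden cannot tell whether the template derives the trust domain and control-plane namespace from configuration or hard-codes them. If they are configurable, `runningsds.proto` or the metadata the test supplies should use non-default values so that the SAN pin — the only thing authenticating the SDS-backed mTLS connection to the control plane — is actually exercised; if they are constants, a comment in the test saying so would save the next reader the search. Separately, `"trace_id_128bit":"true"` and `"shared_span_context":"false"` freeze string-typed values for fields Envoy declares as booleans; confirm the template intends that form rather than `true`/`false`. Both SDS `api_config_source` blocks (the `default` certificate and `ROOTCA`) are byte-identical, which is expected for control-plane SDS but worth a one-line note in the test so a future divergence is recognised as a change rather than noise.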
--- a/pkg/kube/inject/testdata/inject/app_probe/hello-probes.yaml.injected +++ b/pkg/kube/inject/testdata/inject/app_probe/hello-probes.yaml.injected @@ -110,6 +110,8 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace + - name: SDS_ENABLED + value: "false" - name: ISTIO_META_INTERCEPTION_MODE value: REDIRECT - name: ISTIO_META_INCLUDE_INBOUND_PORTS diff --git a/pkg/kube/inject/testdata/inject/app_probe/hello-readiness.yaml.injected b/pkg/kube/inject/testdata/inject/app_probe/hello-readiness.yaml.injected index 57cfc02b665a..c32cf51e78c4 100644 --- a/pkg/kube/inject/testdata/inject/app_probe/hello-readiness.yaml.injected +++ b/pkg/kube/inject/testdata/inject/app_probe/hello-readiness.yaml.injected @@ -91,6 +91,8 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace + - name: SDS_ENABLED + value: "false" - name: ISTIO_META_INTERCEPTION_MODE value: REDIRECT - name: ISTIO_META_INCLUDE_INBOUND_PORTS diff --git a/pkg/kube/inject/testdata/inject/app_probe/https-probes.yaml.injected b/pkg/kube/inject/testdata/inject/app_probe/https-probes.yaml.injected index 93486178bad1..8ae760b686bc 100644 --- a/pkg/kube/inject/testdata/inject/app_probe/https-probes.yaml.injected +++ b/pkg/kube/inject/testdata/inject/app_probe/https-probes.yaml.injected @@ -111,6 +111,8 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace + - name: SDS_ENABLED + value: "false" - name: ISTIO_META_INTERCEPTION_MODE value: REDIRECT - name: ISTIO_META_INCLUDE_INBOUND_PORTS diff --git a/pkg/kube/inject/testdata/inject/app_probe/named_port.yaml.injected b/pkg/kube/inject/testdata/inject/app_probe/named_port.yaml.injected index 581299642122..de5ef4b42016 100644 --- a/pkg/kube/inject/testdata/inject/app_probe/named_port.yaml.injected +++ b/pkg/kube/inject/testdata/inject/app_probe/named_port.yaml.injected 
@@ -91,6 +91,8 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace + - name: SDS_ENABLED + value: "false" - name: ISTIO_META_INTERCEPTION_MODE value: REDIRECT - name: ISTIO_META_INCLUDE_INBOUND_PORTS diff --git a/pkg/kube/inject/testdata/inject/app_probe/one_container.yaml.injected b/pkg/kube/inject/testdata/inject/app_probe/one_container.yaml.injected index ec44a319068e..0b5f38734fc1 100644 --- a/pkg/kube/inject/testdata/inject/app_probe/one_container.yaml.injected +++ b/pkg/kube/inject/testdata/inject/app_probe/one_container.yaml.injected @@ -95,6 +95,8 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace + - name: SDS_ENABLED + value: "false" - name: ISTIO_META_INTERCEPTION_MODE value: REDIRECT - name: ISTIO_META_INCLUDE_INBOUND_PORTS diff --git a/pkg/kube/inject/testdata/inject/app_probe/ready_only.yaml.injected b/pkg/kube/inject/testdata/inject/app_probe/ready_only.yaml.injected index a88a1e9ce74c..c1bfc9acb068 100644 --- a/pkg/kube/inject/testdata/inject/app_probe/ready_only.yaml.injected +++ b/pkg/kube/inject/testdata/inject/app_probe/ready_only.yaml.injected @@ -91,6 +91,8 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace + - name: SDS_ENABLED + value: "false" - name: ISTIO_META_INTERCEPTION_MODE value: REDIRECT - name: ISTIO_META_INCLUDE_INBOUND_PORTS diff --git a/pkg/kube/inject/testdata/inject/app_probe/two_container.yaml.injected b/pkg/kube/inject/testdata/inject/app_probe/two_container.yaml.injected index 868a764a6d0a..18f313b54cce 100644 --- a/pkg/kube/inject/testdata/inject/app_probe/two_container.yaml.injected +++ b/pkg/kube/inject/testdata/inject/app_probe/two_container.yaml.injected @@ -101,6 +101,8 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace + - name: SDS_ENABLED + value: "false" - name: ISTIO_META_INTERCEPTION_MODE value: REDIRECT - name: ISTIO_META_INCLUDE_INBOUND_PORTS 
diff --git a/pkg/kube/inject/testdata/inject/auth.cert-dir.yaml.injected b/pkg/kube/inject/testdata/inject/auth.cert-dir.yaml.injected index d7388629aa1f..a6ced99e3bdc 100644 --- a/pkg/kube/inject/testdata/inject/auth.cert-dir.yaml.injected +++ b/pkg/kube/inject/testdata/inject/auth.cert-dir.yaml.injected @@ -88,6 +88,8 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace + - name: SDS_ENABLED + value: "false" - name: ISTIO_META_INTERCEPTION_MODE value: REDIRECT - name: ISTIO_META_INCLUDE_INBOUND_PORTS diff --git a/pkg/kube/inject/testdata/inject/auth.non-default-service-account.yaml.injected b/pkg/kube/inject/testdata/inject/auth.non-default-service-account.yaml.injected index b74522ca84f1..59be5ffa79d0 100644 --- a/pkg/kube/inject/testdata/inject/auth.non-default-service-account.yaml.injected +++ b/pkg/kube/inject/testdata/inject/auth.non-default-service-account.yaml.injected @@ -88,6 +88,8 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace + - name: SDS_ENABLED + value: "false" - name: ISTIO_META_INTERCEPTION_MODE value: REDIRECT - name: ISTIO_META_INCLUDE_INBOUND_PORTS diff --git a/pkg/kube/inject/testdata/inject/auth.yaml.injected b/pkg/kube/inject/testdata/inject/auth.yaml.injected index d7388629aa1f..a6ced99e3bdc 100644 --- a/pkg/kube/inject/testdata/inject/auth.yaml.injected +++ b/pkg/kube/inject/testdata/inject/auth.yaml.injected @@ -88,6 +88,8 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace + - name: SDS_ENABLED + value: "false" - name: ISTIO_META_INTERCEPTION_MODE value: REDIRECT - name: ISTIO_META_INCLUDE_INBOUND_PORTS diff --git a/pkg/kube/inject/testdata/inject/cronjob.yaml.injected b/pkg/kube/inject/testdata/inject/cronjob.yaml.injected index 86eaa22146ca..678c06899ba9 100644 --- a/pkg/kube/inject/testdata/inject/cronjob.yaml.injected +++ b/pkg/kube/inject/testdata/inject/cronjob.yaml.injected 
@@ -81,6 +81,8 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace + - name: SDS_ENABLED + value: "false" - name: ISTIO_META_INTERCEPTION_MODE value: REDIRECT - name: ISTIO_META_INCLUDE_INBOUND_PORTS diff --git a/pkg/kube/inject/testdata/inject/daemonset.yaml.injected b/pkg/kube/inject/testdata/inject/daemonset.yaml.injected index f83ea32b57f0..ae615d962151 100644 --- a/pkg/kube/inject/testdata/inject/daemonset.yaml.injected +++ b/pkg/kube/inject/testdata/inject/daemonset.yaml.injected @@ -86,6 +86,8 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace + - name: SDS_ENABLED + value: "false" - name: ISTIO_META_INTERCEPTION_MODE value: REDIRECT - name: ISTIO_META_INCLUDE_INBOUND_PORTS diff --git a/pkg/kube/inject/testdata/inject/deploymentconfig-multi.yaml.injected b/pkg/kube/inject/testdata/inject/deploymentconfig-multi.yaml.injected index 81f3cee644f3..290eafce3f55 100644 --- a/pkg/kube/inject/testdata/inject/deploymentconfig-multi.yaml.injected +++ b/pkg/kube/inject/testdata/inject/deploymentconfig-multi.yaml.injected @@ -101,6 +101,8 @@ items: valueFrom: fieldRef: fieldPath: metadata.namespace + - name: SDS_ENABLED + value: "false" - name: ISTIO_META_INTERCEPTION_MODE value: REDIRECT - name: ISTIO_META_INCLUDE_INBOUND_PORTS diff --git a/pkg/kube/inject/testdata/inject/deploymentconfig.yaml.injected b/pkg/kube/inject/testdata/inject/deploymentconfig.yaml.injected index ac3cf1faed0f..032797613cad 100644 --- a/pkg/kube/inject/testdata/inject/deploymentconfig.yaml.injected +++ b/pkg/kube/inject/testdata/inject/deploymentconfig.yaml.injected @@ -86,6 +86,8 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace + - name: SDS_ENABLED + value: "false" - name: ISTIO_META_INTERCEPTION_MODE value: REDIRECT - name: ISTIO_META_INCLUDE_INBOUND_PORTS diff --git a/pkg/kube/inject/testdata/inject/enable-core-dump.yaml.injected b/pkg/kube/inject/testdata/inject/enable-core-dump.yaml.injected index 5de7a2df554d..9338c6931024 100644 
--- a/pkg/kube/inject/testdata/inject/enable-core-dump.yaml.injected +++ b/pkg/kube/inject/testdata/inject/enable-core-dump.yaml.injected @@ -88,6 +88,8 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace + - name: SDS_ENABLED + value: "false" - name: ISTIO_META_INTERCEPTION_MODE value: REDIRECT - name: ISTIO_META_INCLUDE_INBOUND_PORTS diff --git a/pkg/kube/inject/testdata/inject/format-duration.yaml.injected b/pkg/kube/inject/testdata/inject/format-duration.yaml.injected index 706fdc782c30..21dbc164ae7b 100644 --- a/pkg/kube/inject/testdata/inject/format-duration.yaml.injected +++ b/pkg/kube/inject/testdata/inject/format-duration.yaml.injected @@ -88,6 +88,8 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace + - name: SDS_ENABLED + value: "false" - name: ISTIO_META_INTERCEPTION_MODE value: REDIRECT - name: ISTIO_META_INCLUDE_INBOUND_PORTS diff --git a/pkg/kube/inject/testdata/inject/frontend.yaml.injected b/pkg/kube/inject/testdata/inject/frontend.yaml.injected index ca3b0150b687..0b02a6b14c49 100644 --- a/pkg/kube/inject/testdata/inject/frontend.yaml.injected +++ b/pkg/kube/inject/testdata/inject/frontend.yaml.injected @@ -105,6 +105,8 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace + - name: SDS_ENABLED + value: "false" - name: ISTIO_META_INTERCEPTION_MODE value: REDIRECT - name: ISTIO_META_INCLUDE_INBOUND_PORTS diff --git a/pkg/kube/inject/testdata/inject/hello-always.yaml.injected b/pkg/kube/inject/testdata/inject/hello-always.yaml.injected index 65a3021168cb..36f66ce8970c 100644 --- a/pkg/kube/inject/testdata/inject/hello-always.yaml.injected +++ b/pkg/kube/inject/testdata/inject/hello-always.yaml.injected @@ -88,6 +88,8 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace + - name: SDS_ENABLED + value: "false" - name: ISTIO_META_INTERCEPTION_MODE value: REDIRECT - name: ISTIO_META_INCLUDE_INBOUND_PORTS 
diff --git a/pkg/kube/inject/testdata/inject/hello-config-map-name.yaml.injected b/pkg/kube/inject/testdata/inject/hello-config-map-name.yaml.injected index d7388629aa1f..a6ced99e3bdc 100644 --- a/pkg/kube/inject/testdata/inject/hello-config-map-name.yaml.injected +++ b/pkg/kube/inject/testdata/inject/hello-config-map-name.yaml.injected @@ -88,6 +88,8 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace + - name: SDS_ENABLED + value: "false" - name: ISTIO_META_INTERCEPTION_MODE value: REDIRECT - name: ISTIO_META_INCLUDE_INBOUND_PORTS diff --git a/pkg/kube/inject/testdata/inject/hello-ignore.yaml.injected b/pkg/kube/inject/testdata/inject/hello-ignore.yaml.injected index 52ab59a072e8..22c78155ade4 100644 --- a/pkg/kube/inject/testdata/inject/hello-ignore.yaml.injected +++ b/pkg/kube/inject/testdata/inject/hello-ignore.yaml.injected @@ -89,6 +89,8 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace + - name: SDS_ENABLED + value: "false" - name: ISTIO_META_INTERCEPTION_MODE value: REDIRECT - name: ISTIO_META_INCLUDE_INBOUND_PORTS diff --git a/pkg/kube/inject/testdata/inject/hello-multi.yaml.injected b/pkg/kube/inject/testdata/inject/hello-multi.yaml.injected index 9965d8ef3bb5..04260a085741 100644 --- a/pkg/kube/inject/testdata/inject/hello-multi.yaml.injected +++ b/pkg/kube/inject/testdata/inject/hello-multi.yaml.injected @@ -90,6 +90,8 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace + - name: SDS_ENABLED + value: "false" - name: ISTIO_META_INTERCEPTION_MODE value: REDIRECT - name: ISTIO_META_INCLUDE_INBOUND_PORTS @@ -267,6 +269,8 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace + - name: SDS_ENABLED + value: "false" - name: ISTIO_META_INTERCEPTION_MODE value: REDIRECT - name: ISTIO_META_INCLUDE_INBOUND_PORTS diff --git a/pkg/kube/inject/testdata/inject/hello-namespace.yaml.injected b/pkg/kube/inject/testdata/inject/hello-namespace.yaml.injected index 4893552a7626..201890be3521 100644 
--- a/pkg/kube/inject/testdata/inject/hello-namespace.yaml.injected +++ b/pkg/kube/inject/testdata/inject/hello-namespace.yaml.injected @@ -89,6 +89,8 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace + - name: SDS_ENABLED + value: "false" - name: ISTIO_META_INTERCEPTION_MODE value: REDIRECT - name: ISTIO_META_INCLUDE_INBOUND_PORTS diff --git a/pkg/kube/inject/testdata/inject/hello-never.yaml.injected b/pkg/kube/inject/testdata/inject/hello-never.yaml.injected index df1dbd89c234..179e0207966c 100644 --- a/pkg/kube/inject/testdata/inject/hello-never.yaml.injected +++ b/pkg/kube/inject/testdata/inject/hello-never.yaml.injected @@ -88,6 +88,8 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace + - name: SDS_ENABLED + value: "false" - name: ISTIO_META_INTERCEPTION_MODE value: REDIRECT - name: ISTIO_META_INCLUDE_INBOUND_PORTS diff --git a/pkg/kube/inject/testdata/inject/hello-proxy-override.yaml.injected b/pkg/kube/inject/testdata/inject/hello-proxy-override.yaml.injected index 1d86490c1c42..90313ee0de97 100644 --- a/pkg/kube/inject/testdata/inject/hello-proxy-override.yaml.injected +++ b/pkg/kube/inject/testdata/inject/hello-proxy-override.yaml.injected @@ -89,6 +89,8 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace + - name: SDS_ENABLED + value: "false" - name: ISTIO_META_INTERCEPTION_MODE value: REDIRECT - name: ISTIO_META_INCLUDE_INBOUND_PORTS diff --git a/pkg/kube/inject/testdata/inject/hello-template-in-values.yaml.injected b/pkg/kube/inject/testdata/inject/hello-template-in-values.yaml.injected index 5cd00f6b3eb6..1ac0f2bc70b4 100644 --- a/pkg/kube/inject/testdata/inject/hello-template-in-values.yaml.injected +++ b/pkg/kube/inject/testdata/inject/hello-template-in-values.yaml.injected @@ -88,6 +88,8 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace + - name: SDS_ENABLED + value: "false" - name: ISTIO_META_INTERCEPTION_MODE value: REDIRECT - name: ISTIO_META_INCLUDE_INBOUND_PORTS 
diff --git a/pkg/kube/inject/testdata/inject/hello-tproxy.yaml.injected b/pkg/kube/inject/testdata/inject/hello-tproxy.yaml.injected index c19902c92f40..5e024ea55327 100644 --- a/pkg/kube/inject/testdata/inject/hello-tproxy.yaml.injected +++ b/pkg/kube/inject/testdata/inject/hello-tproxy.yaml.injected @@ -82,6 +82,8 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace + - name: SDS_ENABLED + value: "false" - name: ISTIO_META_INTERCEPTION_MODE value: TPROXY - name: ISTIO_META_INCLUDE_INBOUND_PORTS diff --git a/pkg/kube/inject/testdata/inject/hello.yaml.injected b/pkg/kube/inject/testdata/inject/hello.yaml.injected index d7388629aa1f..a6ced99e3bdc 100644 --- a/pkg/kube/inject/testdata/inject/hello.yaml.injected +++ b/pkg/kube/inject/testdata/inject/hello.yaml.injected @@ -88,6 +88,8 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace + - name: SDS_ENABLED + value: "false" - name: ISTIO_META_INTERCEPTION_MODE value: REDIRECT - name: ISTIO_META_INCLUDE_INBOUND_PORTS diff --git a/pkg/kube/inject/testdata/inject/job.yaml.injected b/pkg/kube/inject/testdata/inject/job.yaml.injected index 50ac986a8c03..2e0971f20965 100644 --- a/pkg/kube/inject/testdata/inject/job.yaml.injected +++ b/pkg/kube/inject/testdata/inject/job.yaml.injected @@ -79,6 +79,8 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace + - name: SDS_ENABLED + value: "false" - name: ISTIO_META_INTERCEPTION_MODE value: REDIRECT - name: ISTIO_META_INCLUDE_INBOUND_PORTS diff --git a/pkg/kube/inject/testdata/inject/kubevirtInterfaces.yaml.injected b/pkg/kube/inject/testdata/inject/kubevirtInterfaces.yaml.injected index 92638b0da109..2256a586ecab 100644 --- a/pkg/kube/inject/testdata/inject/kubevirtInterfaces.yaml.injected +++ b/pkg/kube/inject/testdata/inject/kubevirtInterfaces.yaml.injected 
@@ -89,6 +89,8 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace + - name: SDS_ENABLED + value: "false" - name: ISTIO_META_INTERCEPTION_MODE value: REDIRECT - name: ISTIO_META_INCLUDE_INBOUND_PORTS diff --git a/pkg/kube/inject/testdata/inject/kubevirtInterfaces_list.yaml.injected b/pkg/kube/inject/testdata/inject/kubevirtInterfaces_list.yaml.injected index e03f34cf6e6b..57a0aa510f4a 100644 --- a/pkg/kube/inject/testdata/inject/kubevirtInterfaces_list.yaml.injected +++ b/pkg/kube/inject/testdata/inject/kubevirtInterfaces_list.yaml.injected @@ -89,6 +89,8 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace + - name: SDS_ENABLED + value: "false" - name: ISTIO_META_INTERCEPTION_MODE value: REDIRECT - name: ISTIO_META_INCLUDE_INBOUND_PORTS diff --git a/pkg/kube/inject/testdata/inject/list-frontend.yaml.injected b/pkg/kube/inject/testdata/inject/list-frontend.yaml.injected index 8128ad131051..526c9200303d 100644 --- a/pkg/kube/inject/testdata/inject/list-frontend.yaml.injected +++ b/pkg/kube/inject/testdata/inject/list-frontend.yaml.injected @@ -106,6 +106,8 @@ items: valueFrom: fieldRef: fieldPath: metadata.namespace + - name: SDS_ENABLED + value: "false" - name: ISTIO_META_INTERCEPTION_MODE value: REDIRECT - name: ISTIO_META_INCLUDE_INBOUND_PORTS diff --git a/pkg/kube/inject/testdata/inject/list.yaml.injected b/pkg/kube/inject/testdata/inject/list.yaml.injected index 49094a7641c2..c712e9160709 100644 --- a/pkg/kube/inject/testdata/inject/list.yaml.injected +++ b/pkg/kube/inject/testdata/inject/list.yaml.injected @@ -92,6 +92,8 @@ items: valueFrom: fieldRef: fieldPath: metadata.namespace + - name: SDS_ENABLED + value: "false" - name: ISTIO_META_INTERCEPTION_MODE value: REDIRECT - name: ISTIO_META_INCLUDE_INBOUND_PORTS @@ -268,6 +270,8 @@ items: valueFrom: fieldRef: fieldPath: metadata.namespace + - name: SDS_ENABLED + value: "false" - name: ISTIO_META_INTERCEPTION_MODE value: REDIRECT - name: ISTIO_META_INCLUDE_INBOUND_PORTS 
diff --git a/pkg/kube/inject/testdata/inject/multi-init.yaml.injected b/pkg/kube/inject/testdata/inject/multi-init.yaml.injected index 08ae5158a6dd..9d1d785fc106 100644 --- a/pkg/kube/inject/testdata/inject/multi-init.yaml.injected +++ b/pkg/kube/inject/testdata/inject/multi-init.yaml.injected @@ -88,6 +88,8 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace + - name: SDS_ENABLED + value: "false" - name: ISTIO_META_INTERCEPTION_MODE value: REDIRECT - name: ISTIO_META_INCLUDE_INBOUND_PORTS diff --git a/pkg/kube/inject/testdata/inject/pod.yaml.injected b/pkg/kube/inject/testdata/inject/pod.yaml.injected index 971a3642009d..66b6e5cdadc1 100644 --- a/pkg/kube/inject/testdata/inject/pod.yaml.injected +++ b/pkg/kube/inject/testdata/inject/pod.yaml.injected @@ -73,6 +73,8 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace + - name: SDS_ENABLED + value: "false" - name: ISTIO_META_INTERCEPTION_MODE value: REDIRECT - name: ISTIO_META_INCLUDE_INBOUND_PORTS diff --git a/pkg/kube/inject/testdata/inject/replicaset.yaml.injected b/pkg/kube/inject/testdata/inject/replicaset.yaml.injected index 3e2f66a1cb47..b1700efe3c89 100644 --- a/pkg/kube/inject/testdata/inject/replicaset.yaml.injected +++ b/pkg/kube/inject/testdata/inject/replicaset.yaml.injected @@ -83,6 +83,8 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace + - name: SDS_ENABLED + value: "false" - name: ISTIO_META_INTERCEPTION_MODE value: REDIRECT - name: ISTIO_META_INCLUDE_INBOUND_PORTS diff --git a/pkg/kube/inject/testdata/inject/replicationcontroller.yaml.injected b/pkg/kube/inject/testdata/inject/replicationcontroller.yaml.injected index 7512f305e844..32af57712fea 100644 --- a/pkg/kube/inject/testdata/inject/replicationcontroller.yaml.injected +++ b/pkg/kube/inject/testdata/inject/replicationcontroller.yaml.injected 
@@ -82,6 +82,8 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace + - name: SDS_ENABLED + value: "false" - name: ISTIO_META_INTERCEPTION_MODE value: REDIRECT - name: ISTIO_META_INCLUDE_INBOUND_PORTS diff --git a/pkg/kube/inject/testdata/inject/statefulset.yaml.injected b/pkg/kube/inject/testdata/inject/statefulset.yaml.injected index b4e5c3a291fd..f715e4a5bb2f 100644 --- a/pkg/kube/inject/testdata/inject/statefulset.yaml.injected +++ b/pkg/kube/inject/testdata/inject/statefulset.yaml.injected @@ -91,6 +91,8 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace + - name: SDS_ENABLED + value: "false" - name: ISTIO_META_INTERCEPTION_MODE value: REDIRECT - name: ISTIO_META_INCLUDE_INBOUND_PORTS diff --git a/pkg/kube/inject/testdata/inject/status_annotations.yaml.injected b/pkg/kube/inject/testdata/inject/status_annotations.yaml.injected index 5aed6c5ccb2b..5b30bb5ff4a8 100644 --- a/pkg/kube/inject/testdata/inject/status_annotations.yaml.injected +++ b/pkg/kube/inject/testdata/inject/status_annotations.yaml.injected @@ -89,6 +89,8 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace + - name: SDS_ENABLED + value: "false" - name: ISTIO_META_INTERCEPTION_MODE value: REDIRECT - name: ISTIO_META_INCLUDE_INBOUND_PORTS diff --git a/pkg/kube/inject/testdata/inject/status_params.yaml.injected b/pkg/kube/inject/testdata/inject/status_params.yaml.injected index c934b8ddc9e7..1f98959de029 100644 --- a/pkg/kube/inject/testdata/inject/status_params.yaml.injected +++ b/pkg/kube/inject/testdata/inject/status_params.yaml.injected @@ -84,6 +84,8 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace + - name: SDS_ENABLED + value: "false" - name: ISTIO_META_INTERCEPTION_MODE value: REDIRECT - name: ISTIO_META_INCLUDE_INBOUND_PORTS diff --git a/pkg/kube/inject/testdata/inject/traffic-annotations-empty-includes.yaml.injected b/pkg/kube/inject/testdata/inject/traffic-annotations-empty-includes.yaml.injected index da349ace577e..d8744e9b09c5 100644 
--- a/pkg/kube/inject/testdata/inject/traffic-annotations-empty-includes.yaml.injected +++ b/pkg/kube/inject/testdata/inject/traffic-annotations-empty-includes.yaml.injected @@ -85,6 +85,8 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace + - name: SDS_ENABLED + value: "false" - name: ISTIO_META_INTERCEPTION_MODE value: REDIRECT - name: ISTIO_META_INCLUDE_INBOUND_PORTS diff --git a/pkg/kube/inject/testdata/inject/traffic-annotations-wildcards.yaml.injected b/pkg/kube/inject/testdata/inject/traffic-annotations-wildcards.yaml.injected index 0d83a5f97ac4..805fc195c2f1 100644 --- a/pkg/kube/inject/testdata/inject/traffic-annotations-wildcards.yaml.injected +++ b/pkg/kube/inject/testdata/inject/traffic-annotations-wildcards.yaml.injected @@ -85,6 +85,8 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace + - name: SDS_ENABLED + value: "false" - name: ISTIO_META_INTERCEPTION_MODE value: REDIRECT - name: ISTIO_META_INCLUDE_INBOUND_PORTS diff --git a/pkg/kube/inject/testdata/inject/traffic-annotations.yaml.injected b/pkg/kube/inject/testdata/inject/traffic-annotations.yaml.injected index 1879a58a2240..1fd94527a255 100644 --- a/pkg/kube/inject/testdata/inject/traffic-annotations.yaml.injected +++ b/pkg/kube/inject/testdata/inject/traffic-annotations.yaml.injected @@ -86,6 +86,8 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace + - name: SDS_ENABLED + value: "false" - name: ISTIO_META_INTERCEPTION_MODE value: REDIRECT - name: ISTIO_META_INCLUDE_INBOUND_PORTS diff --git a/pkg/kube/inject/testdata/inject/traffic-params-empty-includes.yaml.injected b/pkg/kube/inject/testdata/inject/traffic-params-empty-includes.yaml.injected index 71789e963d31..e8a6ff0089dd 100644 --- a/pkg/kube/inject/testdata/inject/traffic-params-empty-includes.yaml.injected +++ b/pkg/kube/inject/testdata/inject/traffic-params-empty-includes.yaml.injected 
@@ -83,6 +83,8 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace + - name: SDS_ENABLED + value: "false" - name: ISTIO_META_INTERCEPTION_MODE value: REDIRECT - name: ISTIO_META_INCLUDE_INBOUND_PORTS diff --git a/pkg/kube/inject/testdata/inject/traffic-params.yaml.injected b/pkg/kube/inject/testdata/inject/traffic-params.yaml.injected index 2c9bdf80dfbf..dc09ce38aac3 100644 --- a/pkg/kube/inject/testdata/inject/traffic-params.yaml.injected +++ b/pkg/kube/inject/testdata/inject/traffic-params.yaml.injected @@ -81,6 +81,8 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace + - name: SDS_ENABLED + value: "false" - name: ISTIO_META_INTERCEPTION_MODE value: REDIRECT - name: ISTIO_META_INCLUDE_INBOUND_PORTS diff --git a/pkg/kube/inject/testdata/webhook/daemonset.yaml.injected b/pkg/kube/inject/testdata/webhook/daemonset.yaml.injected index d98f3a691410..d0e7fd4e38ca 100644 --- a/pkg/kube/inject/testdata/webhook/daemonset.yaml.injected +++ b/pkg/kube/inject/testdata/webhook/daemonset.yaml.injected @@ -85,6 +85,8 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace + - name: SDS_ENABLED + value: "false" - name: ISTIO_META_INTERCEPTION_MODE value: REDIRECT - name: ISTIO_META_INCLUDE_INBOUND_PORTS diff --git a/pkg/kube/inject/testdata/webhook/deploymentconfig-multi.yaml.injected b/pkg/kube/inject/testdata/webhook/deploymentconfig-multi.yaml.injected index 0aefdd4cb8f5..811b39963517 100644 --- a/pkg/kube/inject/testdata/webhook/deploymentconfig-multi.yaml.injected +++ b/pkg/kube/inject/testdata/webhook/deploymentconfig-multi.yaml.injected @@ -84,6 +84,8 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace + - name: SDS_ENABLED + value: "false" - name: ISTIO_META_INTERCEPTION_MODE value: REDIRECT - name: ISTIO_META_INCLUDE_INBOUND_PORTS diff --git a/pkg/kube/inject/testdata/webhook/deploymentconfig.yaml.injected b/pkg/kube/inject/testdata/webhook/deploymentconfig.yaml.injected index d8e581fd6bf7..6d028f3ea1a6 100644 
--- a/pkg/kube/inject/testdata/webhook/deploymentconfig.yaml.injected +++ b/pkg/kube/inject/testdata/webhook/deploymentconfig.yaml.injected @@ -84,6 +84,8 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace + - name: SDS_ENABLED + value: "false" - name: ISTIO_META_INTERCEPTION_MODE value: REDIRECT - name: ISTIO_META_INCLUDE_INBOUND_PORTS diff --git a/pkg/kube/inject/testdata/webhook/frontend.yaml.injected b/pkg/kube/inject/testdata/webhook/frontend.yaml.injected index 3aec79b53b49..58b274ebc9ef 100644 --- a/pkg/kube/inject/testdata/webhook/frontend.yaml.injected +++ b/pkg/kube/inject/testdata/webhook/frontend.yaml.injected @@ -90,6 +90,8 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace + - name: SDS_ENABLED + value: "false" - name: ISTIO_META_INTERCEPTION_MODE value: REDIRECT - name: ISTIO_META_INCLUDE_INBOUND_PORTS diff --git a/pkg/kube/inject/testdata/webhook/hello-config-map-name.yaml.injected b/pkg/kube/inject/testdata/webhook/hello-config-map-name.yaml.injected index e8431792d6ad..9681bb416341 100644 --- a/pkg/kube/inject/testdata/webhook/hello-config-map-name.yaml.injected +++ b/pkg/kube/inject/testdata/webhook/hello-config-map-name.yaml.injected @@ -86,6 +86,8 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace + - name: SDS_ENABLED + value: "false" - name: ISTIO_META_INTERCEPTION_MODE value: REDIRECT - name: ISTIO_META_INCLUDE_INBOUND_PORTS diff --git a/pkg/kube/inject/testdata/webhook/hello-multi.yaml.injected b/pkg/kube/inject/testdata/webhook/hello-multi.yaml.injected index a3c6f261a7b4..024694d0c362 100644 --- a/pkg/kube/inject/testdata/webhook/hello-multi.yaml.injected +++ b/pkg/kube/inject/testdata/webhook/hello-multi.yaml.injected @@ -88,6 +88,8 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace + - name: SDS_ENABLED + value: "false" - name: ISTIO_META_INTERCEPTION_MODE value: REDIRECT - name: ISTIO_META_INCLUDE_INBOUND_PORTS 
@@ -257,6 +259,8 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace + - name: SDS_ENABLED + value: "false" - name: ISTIO_META_INTERCEPTION_MODE value: REDIRECT - name: ISTIO_META_INCLUDE_INBOUND_PORTS diff --git a/pkg/kube/inject/testdata/webhook/hello-probes.yaml.injected b/pkg/kube/inject/testdata/webhook/hello-probes.yaml.injected index 9b80210fe642..fd5649716f04 100644 --- a/pkg/kube/inject/testdata/webhook/hello-probes.yaml.injected +++ b/pkg/kube/inject/testdata/webhook/hello-probes.yaml.injected @@ -106,6 +106,8 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace + - name: SDS_ENABLED + value: "false" - name: ISTIO_META_INTERCEPTION_MODE value: REDIRECT - name: ISTIO_META_INCLUDE_INBOUND_PORTS diff --git a/pkg/kube/inject/testdata/webhook/job.yaml.injected b/pkg/kube/inject/testdata/webhook/job.yaml.injected index c62262cbac52..e99503fa8a8e 100644 --- a/pkg/kube/inject/testdata/webhook/job.yaml.injected +++ b/pkg/kube/inject/testdata/webhook/job.yaml.injected @@ -80,6 +80,8 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace + - name: SDS_ENABLED + value: "false" - name: ISTIO_META_INTERCEPTION_MODE value: REDIRECT - name: ISTIO_META_INCLUDE_INBOUND_PORTS diff --git a/pkg/kube/inject/testdata/webhook/list-frontend.yaml.injected b/pkg/kube/inject/testdata/webhook/list-frontend.yaml.injected index 3aec79b53b49..58b274ebc9ef 100644 --- a/pkg/kube/inject/testdata/webhook/list-frontend.yaml.injected +++ b/pkg/kube/inject/testdata/webhook/list-frontend.yaml.injected @@ -90,6 +90,8 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace + - name: SDS_ENABLED + value: "false" - name: ISTIO_META_INTERCEPTION_MODE value: REDIRECT - name: ISTIO_META_INCLUDE_INBOUND_PORTS diff --git a/pkg/kube/inject/testdata/webhook/list.yaml.injected b/pkg/kube/inject/testdata/webhook/list.yaml.injected index a3c6f261a7b4..024694d0c362 100644 --- a/pkg/kube/inject/testdata/webhook/list.yaml.injected +++ b/pkg/kube/inject/testdata/webhook/list.yaml.injected 
@@ -88,6 +88,8 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace + - name: SDS_ENABLED + value: "false" - name: ISTIO_META_INTERCEPTION_MODE value: REDIRECT - name: ISTIO_META_INCLUDE_INBOUND_PORTS @@ -257,6 +259,8 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace + - name: SDS_ENABLED + value: "false" - name: ISTIO_META_INTERCEPTION_MODE value: REDIRECT - name: ISTIO_META_INCLUDE_INBOUND_PORTS diff --git a/pkg/kube/inject/testdata/webhook/replicaset.yaml.injected b/pkg/kube/inject/testdata/webhook/replicaset.yaml.injected index 80b4c8f60f86..16eb3b36c3dc 100644 --- a/pkg/kube/inject/testdata/webhook/replicaset.yaml.injected +++ b/pkg/kube/inject/testdata/webhook/replicaset.yaml.injected @@ -82,6 +82,8 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace + - name: SDS_ENABLED + value: "false" - name: ISTIO_META_INTERCEPTION_MODE value: REDIRECT - name: ISTIO_META_INCLUDE_INBOUND_PORTS diff --git a/pkg/kube/inject/testdata/webhook/replicationcontroller.yaml.injected b/pkg/kube/inject/testdata/webhook/replicationcontroller.yaml.injected index 8e220708a173..e8b9638faf70 100644 --- a/pkg/kube/inject/testdata/webhook/replicationcontroller.yaml.injected +++ b/pkg/kube/inject/testdata/webhook/replicationcontroller.yaml.injected @@ -80,6 +80,8 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace + - name: SDS_ENABLED + value: "false" - name: ISTIO_META_INTERCEPTION_MODE value: REDIRECT - name: ISTIO_META_INCLUDE_INBOUND_PORTS diff --git a/pkg/kube/inject/testdata/webhook/resource_annotations.yaml.injected b/pkg/kube/inject/testdata/webhook/resource_annotations.yaml.injected index 6471898a5bc9..8427803ce52e 100644 --- a/pkg/kube/inject/testdata/webhook/resource_annotations.yaml.injected +++ b/pkg/kube/inject/testdata/webhook/resource_annotations.yaml.injected 
@@ -84,6 +84,8 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace + - name: SDS_ENABLED + value: "false" - name: ISTIO_META_INTERCEPTION_MODE value: REDIRECT - name: ISTIO_META_INCLUDE_INBOUND_PORTS diff --git a/pkg/kube/inject/testdata/webhook/statefulset.yaml.injected b/pkg/kube/inject/testdata/webhook/statefulset.yaml.injected index 23da5fc42654..44a7da78602c 100644 --- a/pkg/kube/inject/testdata/webhook/statefulset.yaml.injected +++ b/pkg/kube/inject/testdata/webhook/statefulset.yaml.injected @@ -89,6 +89,8 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace + - name: SDS_ENABLED + value: "false" - name: ISTIO_META_INTERCEPTION_MODE value: REDIRECT - name: ISTIO_META_INCLUDE_INBOUND_PORTS diff --git a/pkg/kube/inject/testdata/webhook/status_annotations.yaml.injected b/pkg/kube/inject/testdata/webhook/status_annotations.yaml.injected index c3b865071ae6..9129b242b341 100644 --- a/pkg/kube/inject/testdata/webhook/status_annotations.yaml.injected +++ b/pkg/kube/inject/testdata/webhook/status_annotations.yaml.injected @@ -87,6 +87,8 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace + - name: SDS_ENABLED + value: "false" - name: ISTIO_META_INTERCEPTION_MODE value: REDIRECT - name: ISTIO_META_INCLUDE_INBOUND_PORTS diff --git a/pkg/kube/inject/testdata/webhook/traffic-annotations-empty-includes.yaml.injected b/pkg/kube/inject/testdata/webhook/traffic-annotations-empty-includes.yaml.injected index 3faf9082f83f..7e743691d145 100644 --- a/pkg/kube/inject/testdata/webhook/traffic-annotations-empty-includes.yaml.injected +++ b/pkg/kube/inject/testdata/webhook/traffic-annotations-empty-includes.yaml.injected @@ -86,6 +86,8 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace + - name: SDS_ENABLED + value: "false" - name: ISTIO_META_INTERCEPTION_MODE value: REDIRECT - name: ISTIO_META_INCLUDE_INBOUND_PORTS 
diff --git a/pkg/kube/inject/testdata/webhook/traffic-annotations-wildcards.yaml.injected b/pkg/kube/inject/testdata/webhook/traffic-annotations-wildcards.yaml.injected index 257be0d74b2a..f5af27f8d558 100644 --- a/pkg/kube/inject/testdata/webhook/traffic-annotations-wildcards.yaml.injected +++ b/pkg/kube/inject/testdata/webhook/traffic-annotations-wildcards.yaml.injected @@ -86,6 +86,8 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace + - name: SDS_ENABLED + value: "false" - name: ISTIO_META_INTERCEPTION_MODE value: REDIRECT - name: ISTIO_META_INCLUDE_INBOUND_PORTS diff --git a/pkg/kube/inject/testdata/webhook/traffic-annotations.yaml.injected b/pkg/kube/inject/testdata/webhook/traffic-annotations.yaml.injected index 2f996d180c5c..345b4e3802ea 100644 --- a/pkg/kube/inject/testdata/webhook/traffic-annotations.yaml.injected +++ b/pkg/kube/inject/testdata/webhook/traffic-annotations.yaml.injected @@ -87,6 +87,8 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace + - name: SDS_ENABLED + value: "false" - name: ISTIO_META_INTERCEPTION_MODE value: REDIRECT - name: ISTIO_META_INCLUDE_INBOUND_PORTS diff --git a/pkg/kube/inject/testdata/webhook/user-volume.yaml.injected b/pkg/kube/inject/testdata/webhook/user-volume.yaml.injected index 2995b779c1da..6bde1bffe4e8 100644 --- a/pkg/kube/inject/testdata/webhook/user-volume.yaml.injected +++ b/pkg/kube/inject/testdata/webhook/user-volume.yaml.injected @@ -88,6 +88,8 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace + - name: SDS_ENABLED + value: "false" - name: ISTIO_META_INTERCEPTION_MODE value: REDIRECT - name: ISTIO_META_INCLUDE_INBOUND_PORTS diff --git a/tools/packaging/common/envoy_bootstrap_v2.json b/tools/packaging/common/envoy_bootstrap_v2.json index f656282201a8..793b6e06e173 100644 --- a/tools/packaging/common/envoy_bootstrap_v2.json +++ b/tools/packaging/common/envoy_bootstrap_v2.json 
@@ -125,6 +125,94 @@ "connect_timeout": "{{ .connect_timeout }}", "lb_policy": "ROUND_ROBIN", {{ if eq .config.ControlPlaneAuthPolicy 1 }} + {{ if .sds_uds_path }} + "tls_context": { + "common_tls_context": { + "alpn_protocols": [ + "h2" + ], + "tls_certificate_sds_secret_configs":[ + { + "name":"default", + "sds_config":{ + "api_config_source":{ + "api_type":"GRPC", + "grpc_services":[ + { + "google_grpc":{ + "target_uri": "{{ .sds_uds_path }}", + "channel_credentials":{ + "local_credentials":{ + } + }, + "call_credentials":[ + { + "from_plugin":{ + "name":"envoy.grpc_credentials.file_based_metadata", + "config":{ + "secret_data":{ + "filename": "{{ .sds_token_path }}" + }, + "header_key":"istio_sds_credentials_header-bin" + } + } + } + ], + "credentials_factory_name":"envoy.grpc_credentials.file_based_metadata", + "stat_prefix":"sdsstat" + } + } + ] + } + } + } + ], + "combined_validation_context":{ + "default_validation_context":{ + "verify_subject_alt_name":[ + {{- range $a, $s := .pilot_SAN }} + "{{$s}}" + {{- end}} + ] + }, + "validation_context_sds_secret_config":{ + "name":"ROOTCA", + "sds_config":{ + "api_config_source":{ + "api_type":"GRPC", + "grpc_services":[ + { + "google_grpc":{ + "target_uri": "{{ .sds_uds_path }}", + "channel_credentials":{ + "local_credentials":{ + } + }, + "call_credentials":[ + { + "from_plugin":{ + "name":"envoy.grpc_credentials.file_based_metadata", + "config":{ + "secret_data":{ + "filename": "{{ .sds_token_path }}" + }, + "header_key":"istio_sds_credentials_header-bin" + } + } + } + ], + "credentials_factory_name":"envoy.grpc_credentials.file_based_metadata", + "stat_prefix":"sdsstat" + } + } + ] + } + } + } + } + }, + }, + {{ else }} "tls_context": { "common_tls_context": { "alpn_protocols": [ @@ -153,6 +241,7 @@ } }, {{ end }} + {{ end }} "hosts": [ { "socket_address": {{ .pilot_grpc_address }}
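Review bot: The new `{{ if .sds_uds_path }}` branch leaves a trailing comma inside `tls_context`: after `"stat_prefix":"sdsstat"` the nine closers are `} } ] } } } } }, },`, so the eighth closer (`common_tls_context`) carries a comma and is immediately followed by the `},` that closes `tls_context`, whereas the pre-existing `{{ else }}` branch closes the same pair as `}` then `},` (the context lines of the second hunk). A strict RFC 8259 parser rejects `{ ... },}`, so whether the rendered bootstrap loads depends on how lenient Envoy's loader and the new `authsds`/`runningsds` golden tests are; I would not rely on that and would change the first `+ },` to `+ }`. Separately, `verify_subject_alt_name` is filled by `{{- range $a, $s := .pilot_SAN }} "{{$s}}" {{- end}}` with no separator, so more than one SAN would render as adjacent string literals; presumably this mirrors the existing branch, but `{{- if $a}},{{end}}"{{$s}}"` would make the array well-formed for any count. The two `sds_config` blocks (cert and `ROOTCA` validation context) are byte-identical apart from the secret name, so a shared `{{ define "sds_config" }}` template would keep the token-path and header-key wiring from drifting between them.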