EDS Unit test is broken #12994

Closed
mbanikazemi opened this issue Apr 2, 2019 · 1 comment

mbanikazemi commented Apr 2, 2019

The current EDS test is incorrect and passes because the check calls time
out rather than successfully completing.

Return values of some adsc.Wait() calls are not checked and in the following case the parameter being passed is incorrect: https://github.com/istio/istio/blob/master/pilot/pkg/proxy/envoy/v2/eds_test.go#L310-L312
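
The failure mode reported above, as an added Go example that is not code from the Istio repository: a wait helper that returns an error on timeout, a test step that discards that error (so a wrong argument still "passes" once the timeout expires), and the step with the check in place. The `updateWaiter` type, its `Wait` signature and the update names are constructed stand-ins, not the real `adsc` API.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// errTimeout is returned when no matching update arrives in time.
var errTimeout = errors.New("timeout waiting for update")

// updateWaiter is a constructed stand-in for a test client that
// receives typed configuration pushes from a server.
type updateWaiter struct {
	updates chan string
}

// newWaiter returns a waiter with the given pushes already queued.
func newWaiter(pushes ...string) *updateWaiter {
	w := &updateWaiter{updates: make(chan string, len(pushes))}
	for _, p := range pushes {
		w.updates <- p
	}
	return w
}

// Wait blocks until an update named want arrives or timeout expires.
// Updates of other types are skipped.
func (w *updateWaiter) Wait(want string, timeout time.Duration) (string, error) {
	deadline := time.After(timeout)
	for {
		select {
		case got := <-w.updates:
			if got == want {
				return got, nil
			}
		case <-deadline:
			return "", fmt.Errorf("%w: %q", errTimeout, want)
		}
	}
}

// uncheckedStep mirrors the defect: the result of Wait is discarded,
// so a timeout is indistinguishable from a received update.
func uncheckedStep(w *updateWaiter, want string, timeout time.Duration) error {
	_, _ = w.Wait(want, timeout)
	return nil
}

// checkedStep propagates the Wait error, so a timeout fails the step.
func checkedStep(w *updateWaiter, want string, timeout time.Duration) error {
	if _, err := w.Wait(want, timeout); err != nil {
		return fmt.Errorf("expected %q push: %w", want, err)
	}
	return nil
}

func main() {
	// Constructed scenario: the server pushes "cds" and "eds".
	// "endpoints" plays the role of the incorrect parameter.
	for _, want := range []string{"eds", "endpoints"} {
		u := uncheckedStep(newWaiter("cds", "eds"), want, 50*time.Millisecond)
		c := checkedStep(newWaiter("cds", "eds"), want, 50*time.Millisecond)
		fmt.Printf("wait(%q): unchecked=%v checked=%v\n", want, u, c)
	}
}
```

With the unchecked step, the only visible symptom of the wrong argument is that the test takes the full timeout to finish.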

@mbanikazemi mbanikazemi self-assigned this Apr 2, 2019
mbanikazemi pushed a commit to mbanikazemi/istio that referenced this issue Apr 2, 2019
The current EDS test is incorrect and passes because the check calls time
out rather than successfully completing. This PR fixes the problem and
adds one more test.

fixes issue istio#12994

esnible commented Apr 2, 2019

Although I believe this is an area/networking I believe only the Networking Working Group should assign the label when they acknowledge the issue. I have removed the label but expect them to restore it.

linsun pushed a commit that referenced this issue Apr 12, 2019
The current EDS test is incorrect and passes because the check calls time
out rather than successfully completing. This PR fixes the problem and
adds one more test.

fixes issue #12994
lei-tang added a commit that referenced this issue Apr 16, 2019
* add istio-init.yaml to .gitignore (#12542)

* authz: add authorization policy CRD to helm-init (#12541)

* Fix bug in locality LB normalization (#12532) (#12579)

The priority needs to be normalized (so it always has no gaps), so
priorities [0,2] should be changed to [0,1]. However, we were changing
the wrong endpoint's priorities.

* Apply locality weighted lb config correctly (#12588)

Previously, this value was not set if the load balancer config was nil.
However, it should actually be set anytime outlier detection is enabled, so
that locality lb can behave correctly.

* Fix bug causing empty endpoints per locality (#12615)

* Fix bug causing empty endpoints per locality

Before, we were allocating the array then appending to it, creating
empty endpoints at the start of the array.

* Predefine slice size

* Fix the MCP Client ConfigZ page (#12626)

* Fix the MCP Client ConfigZ page.

* Fix the tests

* Update test name to clear confusion.

* Add threshold for rds.go codecov (#12499)

Test is flaky, saying it has dropped coverage when it has not due to
it being nondeterministic.

* Drop log level for missing service account for spiffe uri (#12239)

* Don't require service account for spiffe

Some kubernetes pods don't have a service account. This causes a log
flood that the spiffe url is invalid, but this doesn't actually have any
negative impact. We can just make it not an error to have no service
account.

* Revert "Don't require service account for spiffe"

This reverts commit e88ff187963e97949d3b81c3575b997ddd7e7a6f.

* Just drop error -> warn

* Fix tests

* Drop log level

* [Authz v2] Add additional fields for bindings and validation. (#11800) (#12460)

* Adding additional fields for bindings and validation. (#11800)

* Implement namespaces for ServiceRoleBindings

* Implement not_namespaces and refactor

* Implement not_ips

* Implement ips (no unit tests)

* Add a unit tests for ips for ServiceRoleBinding

* Implement groups and not_groups for ServiceRoleBinding

* Implement names and not_names

* Check for duplicated definition in constraints/properties and first-class fields

* Disallow using * in names or not_names to prevent ambiguity

* Disallow using * in names or not_names to prevent ambiguity

* Refactor additional fields for bindings

* Update validation.go

* Update validation.go

* enhance verify install command (#12174)

* enhance verify install command

* fix lint

* fix lint

* configure prometheus to monitor citadel. (#12175)

* Add namespace scoping to the Gateway 'port' names (#11509) (#12500) (#12556)

* Add namespace scoping to the Gateway 'port' names (#12500) (#12500)

Currently in order to configure ingressgateway to do TLS termination
using multiple secure virtual hosts with different certificates Istio
requires Gateway 'port' names to be globally unique (i.e. distinct).
I.e. two gateways cannot have secure port named 'https' even if they
reside in different namespaces. Behavior in such case is undefined.

This breaks namespace isolation as a user creating a Gateway in one
namespace might not have access to other namespaces hence can't
if the port name is already 'taken'. Behavior in such case is undefined
and likely to render other virtual hosts unavailable.

This change adds namespace scoping to Gateway port names by appending
namespace suffix to the HTTPS RDS routes. Port names still have to be
unique within the namespace boundaries, but this change makes adding
more specific scoping rather trivial.

* Increase Gateway 'port' names scoping granularity

* Minimal changes to make locality lb not sigsegv (#12649)

* Locality label istio-locality in k8s should not contain `/`, use `.` (#12592)

* Locality label istio-locality in k8s should not contain `/`, use `.` instead

* fix comments

* Only use gateways for servers being processed (#12663)

Signed-off-by: Shriram Rajagopalan <rshriram@gmail.com>

* Propagate Envoy Metrics Service Config (#12569)

The plumbing for propagating the envoy metrics service address config is missing a step to copy the given address to the config object that is passed on to the template renderer.

* mixer: add directive demo adapter (#12505)

* finish demo

Signed-off-by: Kuat Yessenov <kuat@google.com>

* printf

Signed-off-by: Kuat Yessenov <kuat@google.com>

* publish keyval

Signed-off-by: Kuat Yessenov <kuat@google.com>

* Adding sidecars to validating webhook configuration (#12233) (#12643)

Addresses issue #12193

* Cleaning up Unit tests for RDS (#12581)

Added a new case and cleaned up the existing test cases.

* switching deployment to v1 api (#10578)

Signed-off-by: Serguei Bezverkhi <sbezverk@cisco.com>

* Cleanup Galley OWNERS file. (#12676)

* fix uds socket (#12688)

* uds fix

* readonly

* Add unit test to cover multiple different locality case (#12388)

This PR only increases test coverage. Does not impact functionality.

Signed-off-by: Liam White <liam@tetrate.io>

* Build 1.1.1 (#12690)

* Fix LB weight setting for split horizon eds (#12560)

* lb weight for split-horizon-eds should be set correctly

* fix ut

* rename

* fix ut

* fix lint

* fix lint

* fix typo in default envoy JSON log format (#12473)

* Make release-1.1 changes compatible with master

* Remove extra ingress template
* cherry pick 10578
* reformat
* Update rbac.go to use httpfilter when needed
* Integration framework ensure apiVersion is top level
* Update yaml make target
* Disable setup on sidecar_api_test

* clarified mesh connect timeout fields based on code impl (#12089)

* Testing: configurable ports for Echo (#12681)

The echo component currently assumes a hard-coded list of ports. We eventually want to replace the "apps" component with echo, but in order to do that we'll need to be able to tailor the port configuration for each instance.

* add image pull secrets for zipkin. (#12327)

* Refresh oop handler with connection config update (#12575)

* refresh handler with connection update

* sanitize test error message

* Fixing copying of the data to the bucket during release (#12585)

* Fixing copying of the data to the bucket.

* Small fix

* RM folder in any case

* 'istioctl proxy-config clusters' cluster type column rendering (#12458)

* Make error message explicit (#12675)

* E2E test for health check under mtls using app prober rewrite. (#11531)

* injector changes for health check, pilot agent take over app readiness check. (#9266)

* WIP injector change to modify istio-proxy.

* move out to app_probe.go

* Iterating sidecartmpl to find the statusPort.

* use the same name for ready path.

* Get rewrite work, almost.

* Some clean up on test and check one container criteria.

* fix the injected test file.

* Add inject test for readiness probe itself.

* Add missing added test file.

* fix helm test.

* fix lint.

* update header based finding the port.

* return to previous injected file status.

* fixing TestIntoResource test.

* sed fixing all remaining injecting files.

* handling named port.

* fixing merging failure.

* remove the debug print.

* lint fixing.

* Apply the suggestions for finding statusPort arg.

* Address comments, regex support more port value format.

* add app_probe_test.go

* add more test.

* merge fix the test.

* webhook autoinject is ready for review.

* Squashed commit of the following:

* resolve appprobetest.

* update the golden due to another injector change.

* remove unnecessary files in this pr.

* remove the test framework change.

* remove unnecessary testdata file.

* wip for adding health check test app.

* wip very hack working solution app deployed

* finally test starts working

* make sure the test works if and only if the helm flag is turned on.

* refactoring

* small adjustment.

* DeepCopy used.

* working test only healthcheck test.

* remove inline policy

* change RegisterHelmValueOverrides.

* unnecessary change.

* Finish HelmValueMap refactor.

* some cleanup.

* clean up.

* flags helm values takes higher priority.

* fix the lint.

* address comments.

* revert changes on HelmValuesMap.

* wip getting helm customizable with new configuration api.

TODO: testing by rebuild image.

* fix the helm value passing overrides.

* wip the app is deployed but not ready and still finishes...

* wip apps configuration not take effect.

* working version of apps configuration.

* clean up some debugging log.

* test documentation.

* WIP changing deploymentFactory to KubeApp.

* verify test works.

* clarify kubeappsconfig doc.

* get the test pass, no apps configuration yet.

* get test working.

* clean up on apps/kube.go

* few clean and update readme doc.

* change the overrides by func callback.

* fix the typo.

* fix the comments.

* Hide ServiceAccounts from PushContext log (#12702)

* Configure localityLbSetting in values.yaml (#12683)

* Configure localityLbSetting in values.yaml

* Update docs

* Fix concurrent map access (#12706)

* Remove when: always from CircleCI configuration for integration tests. (#12679)

This causes the integration tests to run, even if the previous steps fail.

* Removed unused code from EDS (#12221)

* Should not add a worker in GoroutinePool construction func (#12619)

* GoroutinePool does not add a worker in construction func

* fix ut

* remove redundant code (#12656)

* remove redundant k8s discovery code

* remove redundant

* Configure logging level in proxy and control plane (#12639)

* configure proxy log level via helm values for sidecar and gateways

* configure istio control plane log level via helm

* Put back a couple settings for Kiali that were accidentally deleted. (#12472)

Some Kiali settings were accidentally deleted when the new installation options for
release-1.1 was published. This is because these settings were commented out in
the values.yaml file for kiali under istio/kubernetes/helm/istio/charts/kiali.

Bug:#3660

* remove to be deprecated critical pod annotation. (#12657)

* remove to be deprecated critical pod annotation.

* fix ci.

* Adding timeouts in Galley processor tests (#12701)

* Adding timeouts in Galley processor tests

This is to help in debugging #12628.

* making await method private

* add pod antiaffinity. (#12691)

* add pod antiaffinity.

* fix gateways issue.

* add pod antiaffinity to helm test pod.

* remove local test file.

* apply comments.

* Adding galley test for sidecar config validation (#12247)

* Adding galley test for sidecar config validation

Test cases related to PR #12233

* Using istio-system as namespace for resource

* Collect details/artifacts for failed tests in Prow. (#12753)

* Add infrastructure to document env var usage. (#12727)

- Introduce the pkg/env package containing a few functions to query environment
variable values. It keeps track of the variables requested so they can be documented.

- Extend pkg/collateral to recognize and output the environment variables used in the
process. This is what is needed to make this stuff show up on istio.io.

- Update all relevant call sites to use the new infrastructure. It's still missing
descriptions for all the variables, that'll be up to component authors. I'll file
issues to get that work done.

- Fixed bugs in the node_agent_k8s code that was using env vars as the default for
Cobra command-line arguments, resulting in potentially variable default values
produced in the generated docs. Default values need to be static.

* Enable more linters. (#12751)

- Flip on a couple more linters

- Fix a bazillion warnings produced by these linters,
along with many warnings produced by other not-yet-enabled
linters.

- Fix pkg/version so the tests compile on Mac. This broke a while
back, preventing the linter from running to completion on the Mac.

* Convert galley to reload files via SIGUSR1 or a ctrlz handler (#11617)

* Convert galley to reload files via SIGUSR1 or a ctrlz handler

* Fix ctrlz shutdown not to block

* Disable the mtls_healthcheck test until it can be fixed. (#12775)

* Change IP addresses to show up as strings in label maps in accesslog (#11740) (#12502)

Change IP addresses to show up as strings in http req  in accesslog

Fix lint errors

Fix lint errors

Use stringify function

Updated based on feedback

* upgrade prometheus version. (#12781)

* Wait for endpoints of policy backend, before trying to use it. (#12763)

* Wait for endpoints of policy backend, before trying to use it.

* Minor fix to the structure.

* Add wait logic for waiting Galley to come online.

* Fix minor bug.

* Rename the method so that it is clear what it is doing.

* Add additional constraint check.

* Remove redundant write header (#12731)

Write already writes 200 status code, so this wasn't needed. This caused
unneeded logging every time it was called.

* Tell Kubernetes that Istio validation has no side effects (#12670)

* Tell Kubernetes that Istio validation has no side effects

* Add integration tests for --server-dry-run

* Report version of kubectl and server

* Version check error

* Undo --server-dry-run tests which require K8s 1.12 or higher

* fix uds socket (#12688) (#12802)

* uds fix

* readonly

* mixer: switch to simplified config model (#12689)

* take 2 compiled instances

Signed-off-by: Kuat Yessenov <kuat@google.com>

* try with apa

Signed-off-by: Kuat Yessenov <kuat@google.com>

* quota failure

Signed-off-by: Kuat Yessenov <kuat@google.com>

* false signal?

Signed-off-by: Kuat Yessenov <kuat@google.com>

* more crds

Signed-off-by: Kuat Yessenov <kuat@google.com>

* nil params

Signed-off-by: Kuat Yessenov <kuat@google.com>

* patching config

Signed-off-by: Kuat Yessenov <kuat@google.com>

* remove stale command

Signed-off-by: Kuat Yessenov <kuat@google.com>

* Fix destination host validation (#12804)

* Implement AuthorizationPolicy with workload selector. (#12050) (#12667)

* WIP AuthorizationPolicy with selector

* WIP AuthorizationPolicy with selector

* Check if need to use convertRbacRulesToFilterConfig and ignore permissive mode

* Support TCP

* Move new functions for RBAC v2 to rbac_v2.go

* Change the structure and refactor tests

* Put services field check back

* Remove services field validation

* Remove optimization

* Add selector no match test

* [Galley] Adding ServiceEntry synthesis (#12409)

Added a new custom projection that is subscribed to events for k8s Pods, Nodes, Services and Endpoints. These events are absorbed and do not become part of the snapshot. Instead, synthetic ServiceEntry resources are generated and become part of the snapshot.

Partially addresses #10497 and #10589

* Add a linter to prevent use of os.Getenv and os.LookupEnv (#12778)

- Add more unit tests to pkg/env to bring coverage to 100%

- Move existing linter sources from test/util/checker to tools/checker

* Specify istio-init user explicitly (#5453) (#12708)

Istio-init is supposed to be run as a superuser so it can configure
iptables and this is the current default. However many popular Helm
charts typically define a single container pod and specify
`securityContext.runAsUser` on a pod level (rather than the container
level) and that is what istio-init inherits. As the result many Helm
charts aren't working with Istio auto-injection out of the box.

A simple fix would be explicitly setting `securityContext.runAsUser`
for istio-init on the container-level so it takes precedence.

* Removing dependency on the order of returned IP addresses (#12812)

* Removing dependency on the order of returned IP addresses

Allows returned addresses by the default resolver to be in any
order. The first IPv4 address returned by the resolver is used. If
no IPv4 address is found, an IPv6 address is used.

Added more unit tests.

* Making logic for local IP the same as the rest

* Disabling flaky parts of Galley integ test (#12837)

This should deflake the test in #12820. Real fix is coming soon.

* Set SAN as critical for workload certs. (#12838)

* inject sds related param in pilot/mixer deployment (#12809)

* inject sds related param in pilot/mixer deployment

* remove args

* Disabling Mixer tests using the new TF in K8s. (#12848)

* Disabling Mixer tests using the new TF in K8s.

* Make linter happy.

* accommodate PR review comments.

* galley: support optional crds (#12822)

* optional galley crds

Signed-off-by: Kuat Yessenov <kuat@google.com>

* review

Signed-off-by: Kuat Yessenov <kuat@google.com>

* Removing a "TODO" that is not necessary any more (#12841)

Cleaning up the comments.

* mixer: add template CRD flag and set it to false (#12851)

* template CRD flag

Signed-off-by: Kuat Yessenov <kuat@google.com>

* missed a flag

Signed-off-by: Kuat Yessenov <kuat@google.com>

* Zombie cleanup. (#12878)

- Delete a bunch of dead code, dead variables, unused parameters, and
superfluous type declarations.

* Refactor Istio deployment code for clarity and add wait for webhook. (#12888)

* Refactor Istio deployment code for clarity and add wait for webhook
to come online.

* Make linter happy.

* Fix stupid bug.

* Remove accidental file add (#12895)

* Re-enable sidecar_api_test (#12887)

* Re-enable sidecar_api_test

* Remove kube setup

* Fix race condition

* Make Mixer readiness timeout configurable. (#12640)

- Mixer waits for readiness of the config backend. It is currently hard-wired at 30 seconds. This change makes this configurable and sets the default as 2 minutes.
- The pod was being killed because the liveness probe was not starting on time. It is blocked behind other readiness checks. This change enables readiness early on.

* Minor improvements to the test framework. (#12858)

* Add dump support to policy backend.

* Add a suitecontext dir.

* test: add dump pod events function (#12821)

* Fix flush behavior in Stackdriver adapter. (#12853)

* Fix prometheus and citadel connection tests (#12747)

* Fix test-prometheus-connection.yaml: test never failed

Co-authored-by: Ralf Pannemans <ralf.pannemans@sap.com>

* Fix test-citadel-connection.yaml: test never failed

Co-authored-by: Ralf Pannemans <ralf.pannemans@sap.com>

* Fix a bunch more linter items. (#12897)

* delete stale file (#12898)

Signed-off-by: Kuat Yessenov <kuat@google.com>

* Run dep ensure

* Implement EnvoyXdsServer graceful shutdown (#12826)

* update api sha (#12862)

* update api sha

* api files

* Add two sample deployments for user guide of Istio Vault integration (#12917)

* Rename types.go to types.gen.go. (#12921)

* Change Ip Address to readable format in accesslog from stdio/stackdriver adapter (#12850)

* Change Ip Address to readable format in accesslog from stdio adapter

* Add a check to validate it's an IP Address before calling ip.string function

* Fix formatting error

* Fix test

* Correct stringify function in instanceUtil.go too for IP address

* Fix based on review

* Fix based on review

* Fix based on review

* Update to latest doc gen tool. (#12932)

* Fix the regular expression that splits the deployment scripts. (#12931)

The script was fixed with a start-line anchor during the merge of 1.1.
However, regular expressions in Go are not multi-line.

* Add labels to the test framework. (#12819)

* Add basic label support to the test framework.

* Refactor test framework surface area to use fluent-style.

* Apply labels to CircleCI tests & stable integration tests.

* Add early exit support to avoid running setup functions when the label
set can never match.

* Add Citadel tests as presubmit tests.

* Remove environments from label usage.

* Fixup some of the label usages, and convert some of the test entry points.

* Fixup label usage.

* Redisable sidecar tests.

* Accommodate PR feedback.

* Accommodate CR feedback.

* Add more CR fixup.

* Introduce pkg/annotations (#12909)

- pkg/annotations lets us track the annotations used by the calling process.

- pkg/collateral now outputs annotations if there are any. This will make annotations
show up on istio.io

- Adjusted how pkg/collateral handles deprecated environment variables to match how we
handle deprecated fields in protos (by coloring them differently on istio.io)

- Added another test to pkg/env to cover a case I missed originally.

- Updated the sidecar injector and pilot to use pkg/annotations.

- Fixed some invalid HTML generated by pkg/collateral.

I'll file an issue to get descriptions added for the annotations.

* remove unused pdb in remote values. (#12943)

* prevent duplicate inbound listeners (#12937)

* [Galley] Fix race in runtime strategy (#12927)

This addresses a race condition that seems to only occur when using a very low timerFrequency (e.g. 1 microsecond) on a slow machine (e.g. prow). Under these conditions, the strategy can encounter a race condition when creating the timer. The code was setting the `timer` variable to the result of time.AfterFunc. However, due to the extremely low frequency used, the AfterFunc was invoking its handler, `onTimer` before returning. This led to accessing an uninitialized `timer` value.

This PR swaps out AfterFunc for NewTimer. The use of time.Timer is now abstracted behind the `asyncTimer` object, which provides the semantics needed by the strategy. Now strategy.timer is set before it is started, avoiding the race.

Fixes #12628

* Adding unit tests for sidecar scope (#12184)

* Adding unit tests for sidecar scope

* Removing unused variable

* linters: enable errcheck (#12933)

* enable errcheck

Signed-off-by: Kuat Yessenov <kuat@google.com>

* add maligned to exceptions

Signed-off-by: Kuat Yessenov <kuat@google.com>

* Istio does not use Cluster_LOGICAL_DNS, so remove it (#12905)

* Istio does not use Cluster_LOGICAL_DNS, so remove it

* clean up LOGICAL_DNS in comments

* Clean up Helm README (#12914)

The README has outdated information on the values, we should just defer
to istio.io which is up to date. Additionally, we should point users to
istio.io which has up to date install instructions.

* 'istioctl experimental dashboard' command to show add-ons and sidecars (#12627)

* 'istioctl experimental dashboard' command to show add-ons and sidecars

* Test cases, output of URL, use of Cobra output stream

* Refactor code into istioctl/pkg/kubernetes

* Refactor to expose PortForward stop channel

* Validate new mixer CRDs (#12918)

* Validate new mixer CRDs

* Add templates and adapters

* Test cases for new mixer CRDs

* Add environment variables to allow configuring bookinfo hostnames (#12646)

* Allow bookinfo hostnames to be configurable

- add DETAILS_HOSTNAME, RATINGS_HOSTNAME, REVIEWS_HOSTNAME environment
variables to configure hostnames. Defaults to details, ratings, reviews
respectively

* Bump bookinfo sample to 1.11.0

* Update expected outputs for bookinfo tests

- this is not related to our PR, but the tests were failing
- the apps were changed, but images were not rebuilt

* Add edsClusters should be atomic (#12942)

* Add edsClusters should be atomic

* fix lint

* properly report errors on failure (#12945)

The CI Infrastructure times out after 10 minutes of no activity.  In
one of the test case runners, 10 minutes is specified causing the CI
timeout to flush any debuggable output from the checks.  This results
in an inexact error result to be returned.

Instead a vague response about the test case timing out is reported,
resulting in confusion for the PR authors.

The typical max I was able to achieve was ~230 seconds, but I trimmed
to 3 minutes so the test case fails in all conditions and properly
reports the errors.

* Hoist exemptLabels to top-level, so that they can apply to prs as well. (#12902)

* [mixer-e2e-test] add retry to prometheus query in check cache test (#12680)

* check cache test sleep longer

* use retry instead of longer waiting

* reword error message

* Fixing typos in unit tests (#12661)

Redoing PR #12035

* respect locality weight set from ServiceEntry (#12714)

* respect the lb weight setting from users

* add ut

* fix golint

* add locality lb setting test

* fix lint

* update test case

* update test case

* lint

* sidecars with workload selector takes precedence over namespace wide one (#12831)

* Auto bind to services for Sidecar listeners with specific ports (#12724)

* auto bind to TCP services for egress ports in Sidecar

Signed-off-by: Shriram Rajagopalan <rshriram@gmail.com>

* fix test

Signed-off-by: Shriram Rajagopalan <rshriram@gmail.com>

* minor patch (#12963)

Signed-off-by: Kuat Yessenov <kuat@google.com>

* Cleanup gateway vhost config gen (#12847)

* check match direction

* Cleanup http route generation

* undo pickMatching change

* golangbot comments

* address review comments

* fix validation bug

* gofmt

* check for intersection duplicates

* Add wildcard route fallthrough (Fixes ALLOW_ANY, 404s) (#12916)

* Add wildcard route fallthrough

Currently, ALLOW_ANY doesn't actually allow any external traffic if there is an http service already present on a port. This change adds a wildcard PassthroughCluster as the final route, allowing external traffic even if there is already a service on the port.

Additionally, in REGISTRY_ONLY mode, we will return a 404 error if there
is already an http service. This is misleading, as it can be conflated
with a 404 error returned from the actual service. When in REGISTRY_ONLY
mode, we instead return a 502 error to indicate the request is blocked.

* add unit tests

* Remove node-level flag

* Fix tests

* Support PKCS#8 private keys. (#12972)

* Support PKCS#8 private keys.

* Small fix.

* Fix LB weight setting for split horizon eds (#12560) (#12827)

* lb weight for split-horizon-eds should be set correctly

* fix ut

* rename

* fix ut

* fix lint

* fix lint

* Restore dump_kubernetes.sh function on OSX (#12159)

* Fixes for Bash 3.x and detecting non-running pods

* Address shellcheck warnings

* Remove Robert Li from tests OWNERS file (#12946)

Robert has had a change in employment and can no longer contribute to
Istio.

* remove unnecessary namespace for webhook configuration (#12981)

* remove deprecated mcpServerAddrs flag (#12954)

* remove deprecated mcpServerAddrs

* fix ut

* support ip:port format configSource

* fix ut

* fix ut

* support proxy https app probe (#12872)

* support proxy https app probe

* add ut

* fix ut

* add webhook inject test

* fix test

* fix comments by incfly

* Allow some time for the configuration propagation (#12865)

* Allow some time for the listeners config propagation

* change to use watchDiscovery

* samples/bookinfo: easier access to logs (#12584)

* Use shorter namespace prefixes. (#13001)

* Change Ip Address to readable format in accesslog from stdio/stackdriver adapter (#12850) (#12936)

* Change Ip Address to readable format in accesslog from stdio adapter

* Add a check to validate it's an IP Address before calling ip.string function

* Fix formatting error

* Fix test

* Correct stringify function in instanceUtil.go too for IP address

* Fix based on review

* Fix based on review

* Fix based on review

* Update integration test env flag (#12977)

The flag should be "kube" not "kubernetes" but it was not updated in
some places before.

* Support inline role definition in AuthorizationPolicy (#12849)

* Don't fill test logs with "no provious log" (#12857)

This isn't a real error, but it is misleading in the test output. We
have no reason to output all of these errors that there is no previous
container to get logs from.

* mixer: delete old style CRDs from installation (#12710)

* delete old style CRD from installation

Signed-off-by: Kuat Yessenov <kuat@google.com>

* disable galley from listening to old style CRDs

Signed-off-by: Kuat Yessenov <kuat@google.com>

* more hardcoded yamls

Signed-off-by: Kuat Yessenov <kuat@google.com>

* debugging default install

Signed-off-by: Kuat Yessenov <kuat@google.com>

* fix fmt

Signed-off-by: Kuat Yessenov <kuat@google.com>

* keep galley pipeline

Signed-off-by: Kuat Yessenov <kuat@google.com>

* disable resource ready

Signed-off-by: Kuat Yessenov <kuat@google.com>

* delete debugging line

Signed-off-by: Kuat Yessenov <kuat@google.com>

* fixing testdata

Signed-off-by: Kuat Yessenov <kuat@google.com>

* delete deprecated configs

Signed-off-by: Kuat Yessenov <kuat@google.com>

* remove declarations

Signed-off-by: Kuat Yessenov <kuat@google.com>

* delete more yaml

Signed-off-by: Kuat Yessenov <kuat@google.com>

* merge fix

Signed-off-by: Kuat Yessenov <kuat@google.com>

* Add tests for the effect of mTLS setting to reachability (#11624)

* Reachability test in new integration test framework

* Add test for port specific policy

* Expose KubeApp interface and move EndpointForPort to that instead

* Use the retry.UntilSuccess from framework

* Change to UntilSuccessOrFail instead of UntilSuccess

* remove deprecated code (#13005)

* remove deprecated code

* remove dep

* Add examples/documentation for the test framework. (#13000)

* Add examples/documentation for the test framework.

* Add more prose about test lifecycle.

* Fix typo.

* Fix typos.

* fix retry loop in mixer crd watch (#13003)

* first change to apps/v1 for Install (#13015)

* first change for install

* appsv1

* indention

* use only ipv4 for pilot and zipkin (#12997)

* do ipv4 lookups for pilot and zipkin

Signed-off-by: Shriram Rajagopalan <rshriram@gmail.com>

* update goldens

Signed-off-by: Shriram Rajagopalan <rshriram@gmail.com>

* small fix for imports (#13013)

* remove old mcp stack (#12092)

* remove old mcp stack

* remove legacy mcp server from galley

* fix server build

* fix linter

* remove unused code in journal.go

* fix build

* s/server/source

* fix linter errors

* Exclude Prometheus traffic in rule so that Kiali does not show it. (#12251)

* [Galley] Fix race in strategy shutdown. (#13004)

* [Galley] Fix race in strategy shutdown.

The Close() logic was holding onto the state lock, which can race with worker thread. Specifically, the worker thread could be in a call to onTimer awaiting the lock, which would never be acquired since the Close() method is stuck waiting for the stopped channel to close.

* cleaning up reset logic to avoid holding on the stateLock

* Add instructions and scripts to facilitate running E2E tests locally using KinD (#12641)

* Adding check/install go in both macOS and Linux.

* Install go if not installed.

* Adding support to run e2e test on KinD locally.

* Adding the ability to run e2e tests locally on KinD.

* Update install_prereqs_debian.sh

* Update setup_test.sh

* Adding the ability to run e2e test on KinD
for presubmit test.

* Presubmit e2e test on KinD.

* Adding the ability to run e2e_simple presubmit on KinD

* Adding README file for testing on KinD locally.

* Revert the changes on adding install_go function.

* Revert install_go in common_macos.sh

* Revert the file changes of deleting newline.

* Reverting the changes.

* Addressing reviews.

* Fixing shellcheck

* respect locality weight set from ServiceEntry (#12714) (#13012)

* respect the lb weight setting from users

* add ut

* fix golint

* add locality lb setting test

* fix lint

* update test case

* update test case

* lint

* Add documentation about -p 1 for integration test framework. (#13032)

* Reduce logs in security/pkg/nodeagent/sds/ (#13035)

* Reduce logs in security/pkg/nodeagent/sds/

https://github.com/istio/istio/issues/13033

* Count the log output times

* Revise the PR based on review comments

* move pkg/mcp/configz to pkg/mcp/configz/client (#12982)

Signed-off-by: Chun Lin Yang <clyang@cn.ibm.com>

* Restore TestMtlsHealthCheck in postsubmit, prow. (#12969)

* restore test to debug.

* add presubmit label to the test for triggering.

* change to only run in postsubmit.

* remove postsubmit label just comment.

* Enable more linters and fix warnings/errors (#12993)

* Cherry pick cert file config from master to release-1.1 (#12707)

* Cherry pick from master: Configuration:  no longer hardcode mesh certs (#12189)

* Configuration: Pilot-Agent: no longer hardcode certs to watch. Pilot-Discovery: no longer hardcode Envoy listener cert paths.

* Address demands of golangcibot overlord

* Change usages of github.com/stretchr/testify/require to github.com/stretchr/testify/assert

* Address code style violation

* Revert temporary api changes. Set cert paths in envoy node metadata and use them when setting up listeners

* Use envoy node metadata cert paths (if available) when constructing clusters

* Rename constants to make golint happy

* Fix imports

* Ignore ordering in test

* Pass around proxy instead of proxy.Metadata

(cherry picked from commit 7c342741df9bd4e313420b4d17e279089d8956da)

* goimports file

* Allow limiting Citadel to marked namespaces only (#12289)

* Allow limiting Citadel to marked namespaces only

- add command line flag to require explicit opt-in to secrets (defaults to false to retain current behavior of always create)
- extend secret controller to consider namespace labels (reuses existing 'istio-injected=enabled')
- modify unit tests to retain previous behavior (i.e., always create secrets, explicit opt-in not required) and account for additional namespace access

* removed left-over debug print, check enable only when explicit opt-in is required

* reverting k8s actions in tests: namespaces no longer checked when explicit opt-in is false

* unit tests for checking labels and behavior

* Namespace specified in command line is explicitly enabled

- save namespace specified in the `--listened-namespace` option on the controller (allow multiple to prepare for r1.1)
- check SA namespace against explicit namespaces

* use dedicated label name to avoid overloading the injection label

* use istio-managed label in tests

* clarified explicit-opt-in is relevant for keys and certificates provided via a volume mount

* refactor istio managed object test to a function so it can be called from secret deletion handler as well

* fix left over istio-injection label in tests

* manual merge fix

* appsv1 galley (#13047)

* Add support for datadog tracing (on release-1.1 branch) (#12687)

* Add support for datadog tracing.

Signed-off-by: Caleb Gilmour <caleb.gilmour@datadoghq.com>

* Use $(HOST_IP) instead of special-casing empty address value

Signed-off-by: Caleb Gilmour <caleb.gilmour@datadoghq.com>

* add param to sidecar to ignore iptables changes (#12829)

* add param to sidecar to ignore iptables changes

* rephrase description

* samples/bookinfo: migrate `apiVersion` of deployments to `apps/v1` (#13030)

* fix validation logic so that port.name is no longer a valid PortSelector (#13054)

* [Test Framework]: Galley support for deleting config (#13037)

In order to properly support deleting resources, it was necessary to revisit how ApplyConfig is done as well.  Previously, apply would just blindly copy the yaml to a new file in the configDir. The assumption was that the resource was always being "added" (rather than updated). I'm not certain what would happen if two resources appeared with the same name/namespace.

This PR generalizes (and fixes) the way resources are handled so that it's not concerned with files, but rather the underlying resources. The code now parses the top-portion of the yaml to properly identify each resource.  Once identified, the code now properly updates resources by writing back to the file where the resource was found.  Deletes are similar, where the original resource in the file is replaced with "" (empty files are removed).

* Support controlz for mcp server (#12980)

* Support controlz for mcp server

Signed-off-by: clyang82 <clyang@cn.ibm.com>

* fix lint error

* Address review comments

Signed-off-by: Chun Lin Yang <clyang@cn.ibm.com>

* generalize artifact injection into Docker images (#12203)

Instead of just adding LICENSES.txt only, also optionally add in the
source code as well, gating on the new EXTRA_ARTIFACTS and
EXTRA_ARTIFACTS_CNI environment variables.

Change-Id: Iab8fadfbcbbaa8906491e12324fae20185d9f33e

* Keep going when problem happens checking remote version (#13060)

* remove deprecated show-all flag (#13053)

* Add x alias to experimental istioctl command (#11801)

* Add x alias to experimental istioctl command

I'm super lazy and experimental is far too much effort to type

Signed-off-by: Liam White <liam@tetrate.io>

* Add exp as an additional alias

Signed-off-by: Liam White <liam@tetrate.io>

* Correct the app label for Gateway (#12693)

* update selector for gateway

Signed-off-by: Chun Lin Yang <clyang@cn.ibm.com>

* fix build fail

Signed-off-by: clyang82 <clyang@cn.ibm.com>

* Update tracing_datadog_golden.json (#13082)

* Fix small typo (#13089)

can useful -> can be useful

* Add jitter in CSR request (#12805)

* Add jitter in CSR request

* Add log

* Fix comments

* Fix test

* Fix test

* Fix comment

* Allows cleanup.sh to run non-interactively when in terminal (#12635)

This change allows cleanup.sh to run non-interactively in standard terminals.
For example: NAMESPACE="test123" ./cleanup.sh

* 'istioctl proxy-config clusters' cluster type column rendering (#12458) (#12730)

* update sds secret mount. (#12733)

* Copy data from right place (#12762)

* Fix updateClusterInc for overlapping ports (#12766)

* Fix updateClusterInc for overlapping ports

It is possible that a service will have multiple ports, with the same
port number. The typical example here is kube-dns, which uses port 53
for UDP and TCP. When we do an incremental push, we would select the
first port to match the port number, which would sometimes cause us to
ignore the correct port. This fix searches through all matching ports.

* Ensure port number matches as well

* Add unit tests

* remove dead code

* enable default sidecarscope (#12832)

* [Galley] Fix for ServiceEntry event ordering (#12890)

The integration test was encountering this, exposing a real bug. If nodes/pod events occur after service/endpoints (which should generally be unusual) then it is possible to have a ServiceEntry missing pod/node information (e.g. locality).

Fixes #12820

* Adding sha for istio/tools to manifest.txt for future automation of perf tests (#11706)

* Copy helm data from the right place (#12808)

* Refactor solution based on Costin's feedback (#13027)

Signed-off-by: Serguei Bezverkhi <sbezverk@cisco.com>

* Enable more linters and fix warnings/errors (#13061)

* Making tags requirement same as those in Kubernetes (#12852)

* Making tags requirement same as those in Kubernetes

Changing validation check to make sure non-empty tags start with an
alphanumeric character

* Validating label keys are not empty strings

Allow empty string for label values
Do not allow empty string for label keys

* Added certmanager flag into helm chart values.yaml (#12953)

* Added certmanager flag into helm chart values.yaml

* Moved certmanager configuration

* Pilot [networking]: Add upstream idle_timeout to cluster definition (#13066)

* adding upstream idle_timeout to cluster definition.

* reverting vendor changes before running dep ensure again.

* running dep ensure update on api from master.

* controlPlaneMtls renamed to controlPlaneSecurityEnabled (#13141)

* Patch #12805 to master (#13104)

* Patch #12805 to master

* Fix lint

* Fix HelmDelete command (#12515)

* Fix HelmDelete command

HelmDelete was called with the namespace; it needs to be called
with a chartname.  Also created a constant to make it more
obvious when called by the other Helm related commands.

* Fix typo

* Goimports fix

* ight modification path (#13148)

* Allow overriding of registry locality (#13077)

Also fixes bug where non-kube envs could override to something that parsed incorrectly

Signed-off-by: Liam White <liam@tetrate.io>

* mixer: add support for standard CRDs for compiled-in adapters (#12815)

* cherry pick subset of https://github.com/istio/istio/pull/12689/

Signed-off-by: Kuat Yessenov <kuat@google.com>

* add support for compiled in adapters

Signed-off-by: Kuat Yessenov <kuat@google.com>

* patch log line

Signed-off-by: Kuat Yessenov <kuat@google.com>

* parse cert to get expire time  (#13145)

* parse cert

* cleanup

* unit test coverage

* missing file

* address comments

* rebase and address comment

* Installing istio for perf testing (#13159)

* Perf scripts

* gsutil

* WD

* perf running and getting metrics

* Perf

* perf

* perf

* Perf

* remove

* qq

* Appsv1 pilot (#13050)

* appsv1 for Pilot

* appsv1 for Pilot

* appsv1 for Pilot

* dep update

* fix test

* fix test

* fix test

* fix test

* fix test

* typo

* typo

* typo

* typo

* typo

* update go-control-plane (#13154)

Signed-off-by: Kuat Yessenov <kuat@google.com>

* added sidecar.istio.io/rewriteAppProbers annotation (#13112)

* pilot: registered sidecar.istio.io/rewriteAppProbers annotation

* pilot: checked from sidecar.istio.io/rewriteAppProbers too

* pilot: added webhook inject tests

TestWebhookInject_http_probe_rewrite_enabled_via_annotation case is a modification of TestWebhookInject_http_probe_rewrite case.
The difference is rewriteAppHTTPProbe is false in template, but set to true in annotation.

TestWebhookInject_http_probe_rewrite_disabled_via_annotation case is a modification of TestWebhookInject case.
The difference is rewriteAppHTTPProbe is true in template, but set to false in annotation.

* fixed linter issue in test

* added http probe test for kubeinject case

* added tests and fixed login upon checking RewriteAppHTTPProbe setting

* Add more tests in app_probe_test.go

* renamed RewriteAppProbers to RewriteAppHTTPProbers

* fixed test case for webhook injection

* add description to rewriteAppHTTPProbers annotation

* updated tests in app probe to sync with recent master change

* change validateBool to alwaysValidFunc as per review

* Export inject.injectionData() (#12426)

* Registrator should use master version (#13083)

* dependencies: update cel-go and remove protoc-gen-docs (#12711)

* experiment with COMPAT

Signed-off-by: Kuat Yessenov <kuat@google.com>

* get errors

Signed-off-by: Kuat Yessenov <kuat@google.com>

* get errors

Signed-off-by: Kuat Yessenov <kuat@google.com>

* stop validation

Signed-off-by: Kuat Yessenov <kuat@google.com>

* remove hack

Signed-off-by: Kuat Yessenov <kuat@google.com>

* testing

Signed-off-by: Kuat Yessenov <kuat@google.com>

* only access log

Signed-off-by: Kuat Yessenov <kuat@google.com>

* debugging

Signed-off-by: Kuat Yessenov <kuat@google.com>

* debugging

Signed-off-by: Kuat Yessenov <kuat@google.com>

* debugging

Signed-off-by: Kuat Yessenov <kuat@google.com>

* debugging

Signed-off-by: Kuat Yessenov <kuat@google.com>

* debugging

Signed-off-by: Kuat Yessenov <kuat@google.com>

* add runtimeconfig

Signed-off-by: Kuat Yessenov <kuat@google.com>

* add a benchmark

Signed-off-by: Kuat Yessenov <kuat@google.com>

* cel_perf

Signed-off-by: Kuat Yessenov <kuat@google.com>

* update cel

Signed-off-by: Kuat Yessenov <kuat@google.com>

* update examples

Signed-off-by: Kuat Yessenov <kuat@google.com>

* remove unnecessary dependencies

Signed-off-by: Kuat Yessenov <kuat@google.com>

* Fixing copy for helm, one more time. (#13186)

* Run goimports on generated file (#13195)

* Enable disabled mixer tests in New Test Framework (#13151)

* Enable disabled mixer tests in NF

* Change tests config to new style

* Change tests config to new style

* Change tests config to new style

* Fix config for native policybackend

* Fix report test

* Reduce Pilot resource requests for demo (#12477)

* Reduce Pilot resource requests for demo

* Add limits as well

* Added data source for Galley dashboard (#13041)

Fixes: #13040

* fix values for pod anti-affinity. (#12798)

* Add sensible defaults to istio-gateways (#12315)

* report succeed after validation (#13165)

* report succeed after validation

* review comments

* Change exposed port of istio-pilot in consul (#13170)

`15003` and `15005` are never used in pilot under consul env. It would be confusing to expose the two ports. Instead, 
```
   --grpcAddr string                     Discovery service grpc address (default ":15010")
   --secureGrpcAddr string               Discovery service grpc address, with https (default ":15012")
```
we know `15010` and `15012` are still in use.

* Cherrypick: Add wildcard route fallthrough (Fixes ALLOW_ANY, 404s) (#12916) (#12973)

* Add wildcard route fallthrough (Fixes ALLOW_ANY, 404s) (#12916)

* Add wildcard route fallthrough

Currently, ALLOW_ANY doesn't actually allow any external traffic if there is an http service already present on a port. This change adds a wildcard PassthroughCluster as the final route, allowing external traffic even if there is already a service on the port.

Additionally, in REGISTRY_ONLY mode, we will return a 404 error if there
is already an http service. This is misleading, as it can be conflated
with a 404 error returned from the actual service. When in REGISTRY_ONLY
mode, we instead return a 502 error to indicate the request is blocked.

* add unit tests

* Remove node-level flag

* Fix tests

* Use new env var framework

* Fix long line

* Run format and linter

* CEL checker mutex (#13192)

* checker mutex

Signed-off-by: Kuat Yessenov <kuat@google.com>

* deadlock

Signed-off-by: Kuat Yessenov <kuat@google.com>

* Integration testing for Locality Load Balancing  (#13084)

* Initial testing functionality

Signed-off-by: Liam White <liam@tetrate.io>

* appease the linting gods

Signed-off-by: Liam White <liam@tetrate.io>

* Fall back to bootstrap locality as a last resort

Signed-off-by: Liam White <liam@tetrate.io>

* Move service instance check after we set them...

Signed-off-by: Liam White <liam@tetrate.io>

* Add EDS test

Signed-off-by: Liam White <liam@tetrate.io>

* Reorganise tests to run in parallel

Signed-off-by: Liam White <liam@tetrate.io>

* Move to pilot directory

Signed-off-by: Liam White <liam@tetrate.io>

* minor Infof fixes

Signed-off-by: Liam White <liam@tetrate.io>

* fix package name

Signed-off-by: Liam White <liam@tetrate.io>

* Increase propagation sleep and add warning

Signed-off-by: Liam White <liam@tetrate.io>

* [test-framework] Support helm values containing spaces (#13127)

* Support helm values containing spaces in integration test framework

For a helm template command,
e.g., "helm template --set key1=value1 --set key2=value2",
the existing integration test framework assumes the values do not
contain spaces and splits the command argument using the
space character before executing the helm command.
Thus, the existing implementation does not support
helm values (e.g., certificates) containing spaces.
This PR adds the support of helm values that contain spaces.

* Revised to use array based on review comments

* Adding servicegraph testing to postsubmit (#13190)

* Adding servicegraph testing to postsubmit

* m

* perf

* change

* pod

* fix

* Adding E2E Test for kiali (#11448)

* Add Kiali E2E Test

* Minor Fixings on Kiali E2E Test

* Remove unused mixer.enabled value (#13214)

This is not a functional change; this value is never used so it is
misleading/confusing. mixer.policy.enabled and mixer.telemetry.enabled
are used.

* Adding aliases for OWNERS (#13194)

* Fixing copy for helm, one more time.

* Adding aliases for test group. Setting up labels and no parent_owners

* prow

* owners

* Fixing helm order (#13224)

* Fixing copy for helm, one more time.

* Fix order of the helm command

* fix lint (#12988)

* update certificates with expiration time 100 years (#13233)

* update certificates with expiration time 100 years

* update testdata/local/etc/certs

* fix original destination bug (#13011)

* fix original destination bug

* add ut

* align init role label. (#13172)

* Remove --platform option (#13187)

* Fix #10380: Remove hardcoded sidecar template for istioctl kube-inject (#10830)

* Remove the hardcoded sidecar template for

* Remove deprecated flags in istioctl kube-inject

* update testdata after rebase

* add rule for kubeinject.go in codecov.threshold

* push client the new root cert when it's changed (#13163)

* refresh root

* refresh root

* unit test

* add logs

* address comment

* more comment

* address comment

* Implement `role` field in AuthorizationPolicy  (#13181)

* Add check for role in ServiceRoleBinding

* Implement global role

* Add integration tests for SDS-Vault mTLS flow and SDS-Citadel mTLS flow (#13199)

* Add integration tests for SDS-Vault mTLS flow and SDS-Citadel mTLS flow

Add integration tests for SDS-Vault mTLS flow and SDS-Citadel mTLS flow.
The mutual TLS connection uses the certificates issued by SDS-Vault CA flow
and SDS-Citadel CA flow.

* Use the flag EnableCDSPrecomputation()

* Address review comments

* Ignore missing resources on kubectl delete (#13225)

This makes it so tests won't fail on cleanup for resources that are
already deleted.

* [Testing] Cleanup PortForwarder (#13250)

* Add generated LICENSES.txt to gitignore (#13209)

* remove myself from owners (#13231)

Signed-off-by: Kuat Yessenov <kuat@google.com>

* add upstream_transport_failure_reason to access log (#12434)

* add upstream_transport_failure_reason to access log

Signed-off-by: Lizan Zhou <lizan@tetrate.io>

* update proxy to latest

Signed-off-by: Lizan Zhou <lizan@tetrate.io>

* fix

Signed-off-by: Lizan Zhou <lizan@tetrate.io>

* fix format

Signed-off-by: Lizan Zhou <lizan@tetrate.io>

* Fix integration test errors and refactor security integration tests (#13253)

* Fix integration test errors and refactor security integration tests

- Fix the failure of integration tests when --istio.test.nocleanup=false,
which is the default test setting. The failures of integration tests when
--istio.test.nocleanup=false are caused by that the errors during
cleaning up tests are treated as test failures while the actual tests
have succeeded when --istio.test.nocleanup=true.
- Organize security integration tests under testss/integration/security.
- Refactor the code to share common utility functions and remove
duplicate code.
- Misc fixes.

* Address review comments

* Use a const to represent the test policy directory

* Address review comments

* Fixes the multicluster e2e test (#13246)

The secret was being created after the apps were
deployed on the remote.  This was causing the test
to never think the apps successfully deployed since
the envoy sidecar was continually restarting.

* pre-check: fix a logic error (#13278)

`getNameSpace()` always returns an object, even if namespace does
not exist. Checking the error status is safer.

* Remove kubectl from dockerfile prereqs since it pulls it (#13256)

* Fixing EDS unit tests (#12995)

The current EDS test is incorrect and passes because the check calls time
out rather than successfully completing. This PR fixes the problem and
adds one more test.

fixes issue #12994

* rbac: fix a data race in listener generation (#13308)

* Include js/css files into static folder (#12983)

* Include js/css files

Signed-off-by: Chun Lin Yang <clyang@cn.ibm.com>

* Append version to file

Signed-off-by: Chun Lin Yang <clyang@cn.ibm.com>

* ignore assets.gen.go in code coverage

Signed-off-by: Chun Lin Yang <clyang@cn.ibm.com>

* remove assets.gen.go from codecov test

Signed-off-by: clyang82 <clyang@cn.ibm.com>

* remove skipped test from .cov file

Signed-off-by: Chun Lin Yang <clyang@cn.ibm.com>

* fix check shell issue

Signed-off-by: Chun Lin Yang <clyang@cn.ibm.com>

* fix shell check issue

Signed-off-by: Chun Lin Yang <clyang@cn.ibm.com>

* Fix galley integration test race (#13303)

* [Test Framework] Integrate apps with Galley (#13115)

The most recent refactoring broke the apps component when Pilot is being used with Galley. The apps register their services with the ServiceManager directly. When Pilot is configured with Galley, however, it doesn't use the ServiceManager, which means that the app services are never properly registered with Pilot.

- Changed the Pilot and Apps component to require Galley to be configured, to avoid confusion.

- Removed the ServiceManager altogether - Galley is used for service registration.

Fixes #13090

* Fix again helm copy, was reverted during merge from release 1.1 (#13337)

* Fixing copy for helm, one more time.

* Fixing copy again for master

* Update OpenShift dependencies; Drop [deprecated] legacy schema (#13160)

* Extend istioctl mocking library to allow mocking of authn etc (#13118)

* Fixing iptables ranges (#13291)

* Fixing iptables ranges

Signed-off-by: Serguei Bezverkhi <sbezverk@cisco.com>

* fix shellcheck errors

Signed-off-by: Serguei Bezverkhi <sbezverk@cisco.com>

* fixing ci failures #1

Signed-off-by: Serguei Bezverkhi <sbezverk@cisco.com>

* fixing ci failures #2

Signed-off-by: Serguei Bezverkhi <sbezverk@cisco.com…
lei-tang added a commit that referenced this issue Apr 23, 2019
* Drop log level for missing service account for spiffe uri (#12239)

* Don't require service account for spiffe

Some kubernetes pods don't have a service account. This causes a log
flood that the spiffe url is invalid, but this doesn't actually have any
negative impact. We can just make it not an error to have no service
account.

* Revert "Don't require service account for spiffe"

This reverts commit e88ff187963e97949d3b81c3575b997ddd7e7a6f.

* Just drop error -> warn

* Fix tests

* Drop log level

* [Authz v2] Add additional fields for bindings and validation. (#11800) (#12460)

* Adding additional fields for bindings and validation. (#11800)

* Implement namespaces for ServiceRoleBindings

* Implement not_namespaces and refactor

* Implement not_ips

* Implement ips (no unit tests)

* Add unit tests for ips for ServiceRoleBinding

* Implement groups and not_groups for ServiceRoleBinding

* Implement names and not_names

* Check for duplicated definition in constraints/properties and first-class fields

* Disallow using * in names or not_names to prevent ambiguity

* Disallow using * in names or not_names to prevent ambiguity

* Refactor additional fields for bindings

* Update validation.go

* Update validation.go

* enhance verify install command (#12174)

* enhance verify install command

* fix lint

* fix lint

* configure prometheus to monitor citadel. (#12175)

* Add namespace scoping to the Gateway 'port' names (#11509) (#12500) (#12556)

* Add namespace scoping to the Gateway 'port' names (#12500) (#12500)

Currently in order to configure ingressgateway to do TLS termination
using multiple secure virtual hosts with different certificates Istio
requires Gateway 'port' names to be globally unique (i.e. distinct).
I.e. two gateways cannot have secure port named 'https' even if they
reside in different namespaces. Behavior in such case is undefined.

This breaks namespace isolation as a user creating a Gateway in one
namespace might not have access to other namespaces hence can't
if the port name is already 'taken'. Behavior in such case is undefined
and likely to render other virtual hosts unavailable.

This change adds namespace scoping to Gateway port names by appending
namespace suffix to the HTTPS RDS routes. Port names still have to be
unique within the namespace boundaries, but this change makes adding
more specific scoping rather trivial.

* Increase Gateway 'port' names scoping granularity

* Minimal changes to make locality lb not sigsegv (#12649)

* Locality label istio-locality in k8s should not contain `/`, use `.` (#12592)

* Locality label istio-locality in k8s should not contain `/`, use `.` instead

* fix comments

* Only use gateways for servers being processed (#12663)

Signed-off-by: Shriram Rajagopalan <rshriram@gmail.com>

* Propagate Envoy Metrics Service Config (#12569)

The plumbing for propagating the envoy metrics service address config is missing a step to copy the given address to the config object that is passed on to the template renderer.

* mixer: add directive demo adapter (#12505)

* finish demo

Signed-off-by: Kuat Yessenov <kuat@google.com>

* printf

Signed-off-by: Kuat Yessenov <kuat@google.com>

* publish keyval

Signed-off-by: Kuat Yessenov <kuat@google.com>

* Adding sidecars to validating webhook configuration (#12233) (#12643)

Addresses issue #12193

* Cleaning up Unit tests for RDS (#12581)

Added a new case and cleaned up the existing test cases.

* switching deployment to v1 api (#10578)

Signed-off-by: Serguei Bezverkhi <sbezverk@cisco.com>

* Cleanup Galley OWNERS file. (#12676)

* fix uds socket (#12688)

* uds fix

* readonly

* Add unit test to cover multiple different locality case (#12388)

This PR only increases test coverage. Does not impact functionality.

Signed-off-by: Liam White <liam@tetrate.io>

* Build 1.1.1 (#12690)

* Fix LB weight setting for split horizon eds (#12560)

* lb weight for split-horizon-eds should be set correctly

* fix ut

* rename

* fix ut

* fix lint

* fix lint

* fix typo in default envoy JSON log format (#12473)

* Make release-1.1 changes compatible with master

* Remove extra ingress template
* cherry pick 10578
* reformat
* Update rbac.go to use httpfilter when needed
* Integration framework ensure apiVersion is top level
* Update yaml make target
* Disable setup on sidecar_api_test

* clarified mesh connect timeout fields based on code impl (#12089)

* Testing: configurable ports for Echo (#12681)

The echo component currently assumes a hard-coded list of ports. We eventually want to replace the "apps" component with echo, but in order to do that we'll need to be able to tailor the port configuration for each instance.

* add image pull secrets for zipkin. (#12327)

* Refresh oop handler with connection config update (#12575)

* refresh handler with connection update

* sanitize test error message

* Fixing copying of the data to the bucket during release (#12585)

* Fixing copying of the data to the bucket.

* Small fix

* RM folder in any case

* 'istioctl proxy-config clusters' cluster type column rendering (#12458)

* Make error message explicit (#12675)

* E2E test for health check under mtls using app prober rewrite. (#11531)

* injector changes for health check, pilot agent take over app readiness check. (#9266)

* WIP injector change to modify istio-proxy.

* move out to app_probe.go

* Iterating sidecartmpl to find the statusPort.

* use the same name for ready path.

* Get rewrite work, almost.

* Some clean up on test and check one container criteria.

* fix the injected test file.

* Add inject test for readiness probe itself.

* Add missing added test file.

* fix helm test.

* fix lint.

* update header based finding the port.

* return to previous injected file status.

* fixing TestIntoResource test.

* sed fixing all remaining injecting files.

* handling named port.

* fixing merging failure.

* remove the debug print.

* lint fixing.

* Apply the suggestions for finding statusPort arg.

* Address comments, regex support more port value format.

* add app_probe_test.go

* add more test.

* merge fix the test.

* webhook autoinject is ready for review.

* Squashed commit of the following:

commit 501b92c76c010d3adcd2e52a9abe8cb149eb90f2
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 29 18:13:30 2019 -0800

    renaming env var.

commit 1a82b2c0de292a34643f59ce802858c8d26a7a46
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 29 17:59:25 2019 -0800

    finish migrating test to yaml file based.

commit 99bda1d7d2521b965a0f71e28d235ada469ba7b7
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 29 13:55:00 2019 -0800

    get test working.

commit 28225cd409c7790636c11da74ad8f69d0e7cf89b
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 29 13:49:58 2019 -0800

    WIP add some test files.

commit 612b8aa3db468850d8e34f47d0dc05c536f57dde
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 29 13:13:06 2019 -0800

    WIP changing to using the environment var.

commit 7dabcb1695fa375de1b93add014528ae7509c94c
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 29 10:52:47 2019 -0800

    add todo for the tests.

commit 7af6ba524176616d67d35867665225e27f4a96ce
Merge: ca22277d7 4b7b13aef
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 29 10:47:17 2019 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-wip

commit ca22277d76ed8d1c1b7c3b44cb05edfe52ccf861
Merge: 98fd48f59 744b07ad2
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Jan 28 23:15:34 2019 -0800

    Merge branch 'health-wip' of https://github.com/incfly/istio into health-wip

commit 98fd48f59f748bafe5e8518bff3d8cbfd64a2135
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Jan 28 23:15:00 2019 -0800

    findsidecar.

commit 744b07ad2406d1eb94bcf5492125f91486ad6b10
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Jan 28 22:29:28 2019 -0800

    add FindSidecar.

commit 40ed002ff6f5dd4afe22afa984384addc1be1104
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Jan 28 21:55:51 2019 -0800

    refactor some code.

commit 0fdbb2e832b7ac01f3e4ed185763b3b20bfbd2ac
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Jan 28 18:19:32 2019 -0800

    Integration test works and fixing a bug.

commit 5085dfd0e6cb4f0c9cb5c25e7f24b0b94dec176a
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Jan 28 16:09:13 2019 -0800

    all inject tests pass.

commit fe3f156316c917854c2ef4c163e7e1fb070c4fa5
Merge: a2a774498 010d5c266
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Jan 28 15:22:18 2019 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-wip

commit a2a774498e1021c1ca01c021c071e225fa330407
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Jan 28 15:16:04 2019 -0800

    update the TestWebhookInject.

commit 36fd45c074bcc787702a5a9257d23103521f525c
Author: Jianfei Hu <jianfeih@google.com>
Date:   Fri Jan 25 12:13:21 2019 -0800

    some document

commit 88dc922719e2c4723a334d1d8d959cac361b1ecb
Author: Jianfei Hu <jianfeih@google.com>
Date:   Fri Jan 25 11:43:44 2019 -0800

    new version works for kubeinject, webhook unit test.

commit 6efa0d64eca835dd860cdfc37d09ebfe110e083a
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Jan 24 18:17:38 2019 -0800

    WIP working on modifying sidecar.Args first, then modify app container patch.

commit 65a2194ae7a93581f60b56998aeb9480b4a4fde5
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Jan 24 15:20:36 2019 -0800

    WIP add what's missing to get e2e test working.

commit 1595e871c640cdabead372eada2b17d717fa707f
Merge: 256d9635f ac78a552a
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Jan 24 13:26:05 2019 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit 256d9635f4d590936c473bf3be0299064cb9c716
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Jan 24 12:14:04 2019 -0800

    add some debugging log.

commit f70096334464fd1d59a0e81997e8f0fd6623a564
Merge: bdce72119 c7eb603ee
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Jan 24 10:57:43 2019 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit bdce72119ef78dab40b750861768c332811b9ee2
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 23 18:04:37 2019 -0800

    refactor to host something up to caller.

commit b51763c21000ba2b7fe9e2bc728783ce530cfe87
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 23 16:31:32 2019 -0800

    get everything works.

commit 0815695a2fea828f06a31f14ed7795a3b3716111
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 23 15:48:27 2019 -0800

    kubeinject test is working.

commit 14c99b58f0212972d42e298fa4185275642d672c
Merge: d626bb85d 5ea79622c
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 23 15:38:30 2019 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit d626bb85dee628771f8f41fc90335ac608dea923
Merge: 3561ae0a6 66153da4d
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 23 15:38:23 2019 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit 3561ae0a69350730834e625c0710394968f9fcde
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 16 16:49:44 2019 -0800

    WIP, policy is not taking effect, test passing without rewrite.

commit a9bef0f01964a14f6ace0da6217d7a36f364b661
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 16 16:31:08 2019 -0800

    fix the json path in the patch.

commit f1aee91189e16beb0dadee6c612464b1aa9bad21
Merge: 3a7eb48e6 abc53e120
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 16 14:03:49 2019 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit 3a7eb48e6b8e4687ffc38973bf18fca11b06c957
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 16 13:57:55 2019 -0800

    fix it, removing namespace since metadata not matching will fail for kubeapply

commit 2b120347ae887b8a4aa5f955a1a8cb0bdd46d3da
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 16 11:58:39 2019 -0800

    WIP, debugging why mtls policy is not showing up.

commit 72e9c4e488f875ffea0c3a279403277010160ee1
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 15 17:24:16 2019 -0800

    working on integration2 test framework.

commit 90c1cce9ddc55ce339aa65eac06602591d3113c9
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 15 17:04:38 2019 -0800

    add small comments.

commit 92a0edaa11734d1c6fb1c367fae56dc104c6e676
Merge: 7f5c8cbd8 e45242c0d
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 15 16:43:47 2019 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit 7f5c8cbd8d4aa57eaf8f8d739cae6dbfdab0445d
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 18 09:37:53 2018 -0800

    check rewriteAppProbe separately.

commit e2707c9b8f1b01bd4b03b2c6adb9fc79f0dcb479
Merge: 20f02c045 1ae6b4fde
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 18 09:01:37 2018 -0800

    Merge branch 'health-autoinject' of https://github.com/incfly/istio into health-autoinject

commit 20f02c04563fab9b81b418c00a5455994fda5148
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 18 08:59:57 2018 -0800

    duplicate the rewrite logic.

commit 4894cb16804d9c5a0406c2dc1b02e3395be08e64
Merge: 3b3bcbff8 d8c4579fa
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 18 08:53:44 2018 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit 1ae6b4fde00ae641637d44c0f417f635b6d9a6b1
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Dec 17 21:56:51 2018 -0800

    address comments.

commit 3b3bcbff86f982c8abc705518a0fd4ec37bf4840
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Dec 13 15:24:33 2018 -0800

    massage comments.

commit ccd670d31ef2c1817f87fe932d6f0d2ed4f609d7
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Dec 13 15:15:50 2018 -0800

    helm flag is off, so change the expected output.

commit 43522c15d06054e4bb173ab2c37333a4de647c2d
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Dec 13 15:09:46 2018 -0800

    make webhook support rewriteAppHTTPProbe flag.

commit f60f18f4144482874c1219c7da90e97f19f1172f
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Dec 13 12:03:04 2018 -0800

    fixing the merge typo.

commit 05bbadfd851b3a5ad013e733d6eb5eacf5491b15
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Dec 13 11:56:38 2018 -0800

    remove unnecessary changes in test for debugging.

commit a81eacb6892509d8938be8d64f1435cf64e22317
Merge: af1a67989 f6b0ddc30
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Dec 13 11:53:07 2018 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit af1a6798988f9fe70e40add2a6d4971efa9b50ed
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 18:07:19 2018 -0800

    fixing all the test.

commit 58d0bef3520037a81db8baa34d6e13849d20af10
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 17:51:34 2018 -0800

    Get TestInject happy.

commit fcd0ae2f7a6ba2f067f460f4baad2194e517b7f1
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 17:49:42 2018 -0800

    make TestHelmInject happy.

commit 7a3ffc8d8e4b5509e1bbed2facc6e4ba14d70fa0
Merge: fcca1f89a bd1631be3
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 16:53:01 2018 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit fcca1f89af2fddfc0edb3824982aa0b81390fa6d
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 16:18:20 2018 -0800

    get webhook_test.TestInject working.

commit 06f517cfc4214994be1be848d40b12f09ba8a4b8
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 16:10:55 2018 -0800

    restructure app_probe_test working for both.

commit 7142e96ed8a3200fc91bc73aee86d471117232fc
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 13:19:41 2018 -0800

    starting to work on serious test

commit a3dfb97b4ec4de375984c2a17eb4374bc1c5046a
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 11:50:19 2018 -0800

    prototyping get familiar with the test.

commit 51659dacbc569f4532dc6a37b2091f39c7cf115b
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 11:05:51 2018 -0800

    wip for adding test.

* resolve appprobetest.

* update the golden due to another injector change.

* remove unnecessary files in this pr.

* remove the test framework change.

* remove unnecessary testdata file.

* wip for adding health check test app.

* wip very hack working solution app deployed

* finally test starts working

* make sure the test works if and only if the helm flag is turned on.

* refactoring

* small adjustment.

* DeepCopy used.

* working test only healthcheck test.

* remove inline policy

* change RegisterHelmValueOverrides.

* unnecessary change.

* Finish HelmValueMap refactor.

* some cleanup.

* clean up.

* flags helm values takes higher priority.

* fix the lint.

* address comments.

* revert changes on HelmValuesMap.

* wip getting helm customizable with new configuration api.

TODO: testing by rebuild image.

* fix the helm value passing overrides.

* wip the app is deployed but not ready and still finishes...

* wip apps configuration not take effect.

* working version of apps configuration.

* clean up some debugging log.

* test documentation.

* WIP changing deploymentFactory to KubeApp.

* verify test works.

* clarify kubeappsconfig doc.

* get the test pass, no apps configuration yet.

* get test working.

* clean up on apps/kube.go

* few clean and update readme doc.

* change the overrides by func callback.

* fix the typo.

* fix the comments.

* Hide ServiceAccounts from PushContext log (#12702)

* Configure localityLbSetting in values.yaml (#12683)

* Configure localityLbSetting in values.yaml

* Update docs

* Fix concurrent map access (#12706)

* Remove when: always from CircleCI configuration for integration tests. (#12679)

This causes the integration tests to run, even if the previous steps fail.

* Removed unused code from EDS (#12221)

* Should not add a worker in GoroutinePool construction func (#12619)

* GoroutinePool does not add a worker in construction func

* fix ut

* remove redundant code (#12656)

* remove redundant k8s discovery code

* remove redundant

* Configure logging level in proxy and control plane (#12639)

* configure proxy log level via helm values for sidecar and gateways

* configure istio control plane log level via helm

* Put back a couple settings for Kiali that were accidentally deleted. (#12472)

Some Kiali settings were accidentally deleted when the new installation options for
release-1.1 were published. This is because these settings were commented out in
the values.yaml file for kiali under istio/kubernetes/helm/istio/charts/kiali.

Bug:#3660

* remove to be deprecated critical pod annotation. (#12657)

* remove to be deprecated critical pod annotation.

* fix ci.

* Adding timeouts in Galley processor tests (#12701)

* Adding timeouts in Galley processor tests

This is to help in debugging #12628.

* making await method private

* add pod antiaffinity. (#12691)

* add pod antiaffinity.

* fix gateways issue.

* add pod antiaffinity to helm test pod.

* remove local test file.

* apply comments.

* Adding galley test for sidecar config validation (#12247)

* Adding galley test for sidecar config validation

Test cases related to PR #12233

* Using istio-system as namespace for resource

* Collect details/artifacts for failed tests in Prow. (#12753)

* Add infrastructure to document env var usage. (#12727)

- Introduce the pkg/env package containing a few functions to query environment
variable values. It keeps track of the variables requested so they can be documented.

- Extend pkg/collateral to recognize and output the environment variables used in the
process. This is what is needed to make this stuff show up on istio.io.

- Update all relevant call sites to use the new infrastructure. It's still missing
descriptions for all the variables, that'll be up to component authors. I'll file
issues to get that work done.

- Fixed bugs in the node_agent_k8s code that was using env vars as the default for
Cobra command-line arguments, resulting in potentially variable default values
produced in the generated docs. Default values need to be static.

* Enable more linters. (#12751)

- Flip on a couple more linters

- Fix a bazillion warnings produced by these linters,
along with many warnings produced by other not-yet-enabled
linters.

- Fix pkg/version so the tests compile on Mac. This broke a while
back, preventing the linter from running to completion on the Mac.

* Convert galley to reload files via SIGUSR1 or a ctrlz handler (#11617)

* Convert galley to reload files via SIGUSR1 or a ctrlz handler

* Fix ctrlz shutdown not to block

* Disable the mtls_healthcheck test until it can be fixed. (#12775)

* Change IP addresses to show up as strings in label maps in accesslog (#11740) (#12502)

Change IP addresses to show up as strings in http req  in accesslog

Fix lint errors

Fix lint errors

Use stringify function

Updated based on feedback

* upgrade prometheus version. (#12781)

* Wait for endpoints of policy backend, before trying to use it. (#12763)

* Wait for endpoints of policy backend, before trying to use it.

* Minor fix to the structure.

* Add wait logic for waiting Galley to come online.

* Fix minor bug.

* Rename the method so that it is clear what it is doing.

* Add additional constraint check.

* Remove redundant write header (#12731)

Write already writes 200 status code, so this wasn't needed. This caused
unneeded logging every time it was called.

* Tell Kubernetes that Istio validation has no side effects (#12670)

* Tell Kubernetes that Istio validation has no side effects

* Add integration tests for --server-dry-run

* Report version of kubectl and server

* Version check error

* Undo --server-dry-run tests which require K8s 1.12 or higher

* fix uds socket (#12688) (#12802)

* uds fix

* readonly

* mixer: switch to simplified config model (#12689)

* take 2 compiled instances

Signed-off-by: Kuat Yessenov <kuat@google.com>

* try with apa

Signed-off-by: Kuat Yessenov <kuat@google.com>

* quota failure

Signed-off-by: Kuat Yessenov <kuat@google.com>

* false signal?

Signed-off-by: Kuat Yessenov <kuat@google.com>

* more crds

Signed-off-by: Kuat Yessenov <kuat@google.com>

* nil params

Signed-off-by: Kuat Yessenov <kuat@google.com>

* patching config

Signed-off-by: Kuat Yessenov <kuat@google.com>

* remove stale command

Signed-off-by: Kuat Yessenov <kuat@google.com>

* Fix destination host validation (#12804)

* Implement AuthorizationPolicy with workload selector. (#12050) (#12667)

* WIP AuthorizationPolicy with selector

* WIP AuthorizationPolicy with selector

* Check if need to use convertRbacRulesToFilterConfig and ignore permissive mode

* Support TCP

* Move new functions for RBAC v2 to rbac_v2.go

* Change the structure and refactor tests

* Put services field check back

* Remove services field validation

* Remove optimization

* Add selector no match test

* [Galley] Adding ServiceEntry synthesis (#12409)

Added a new custom projection that is subscribed to events for k8s Pods, Nodes, Services and Endpoints. These events are absorbed and do not become part of the snapshot. Instead, synthetic ServiceEntry resources are generated and become part of the snapshot.

Partially addresses #10497 and #10589

* Add a linter to prevent use of os.Getenv and os.LookupEnv (#12778)

- Add more unit tests to pkg/env to bring coverage to 100%

- Move existing linter sources from test/util/checker to tools/checker

* Specify istio-init user explicitly (#5453) (#12708)

Istio-init is supposed to be run as a superuser so it can configure
iptables and this is the current default. However many popular Helm
charts typically define a single container pod and specify
`securityContext.runAsUser` on a pod level (rather than the container
level) and that is what istio-init inherits. As a result many Helm
charts aren't working with Istio auto-injection out of the box.

A simple fix would be explicitly setting `securityContext.runAsUser`
for istio-init on the container-level so it takes precedence.

* Removing dependency on the order of returned IP addresses (#12812)

* Removing dependency on the order of returned IP addresses

Allows returned addresses by the default resolver to be in any
order. The first IPv4 address returned by the resolver is used. If
no IPv4 address is found, an IPv6 address is used.

Added more unit tests.

* Making logic for local IP the same as the rest

* Disabling flaky parts of Galley integ test (#12837)

This should deflake the test in #12820. Real fix is coming soon.

* Set SAN as critical for workload certs. (#12838)

* inject sds related param in pilot/mixer deployment (#12809)

* inject sds related param in pilot/mixer deployment

* remove args

* Disabling Mixer tests using the new TF in K8s. (#12848)

* Disabling Mixer tests using the new TF in K8s.

* Make linter happy.

* accommodate PR review comments.

* galley: support optional crds (#12822)

* optional galley crds

Signed-off-by: Kuat Yessenov <kuat@google.com>

* review

Signed-off-by: Kuat Yessenov <kuat@google.com>

* Removing a "TODO" that is not necessary any more (#12841)

Cleaning up the comments.

* mixer: add template CRD flag and set it to false (#12851)

* template CRD flag

Signed-off-by: Kuat Yessenov <kuat@google.com>

* missed a flag

Signed-off-by: Kuat Yessenov <kuat@google.com>

* Zombie cleanup. (#12878)

- Delete a bunch of dead code, dead variables, unused parameters, and
superfluous type declarations.

* Refactor Istio deployment code for clarity and add wait for webhook. (#12888)

* Refactor Istio deployment code for clarity and add wait for webhook
to come online.

* Make linter happy.

* Fix stupid bug.

* Remove accidental file add (#12895)

* Re-enable sidecar_api_test (#12887)

* Re-enable sidecar_api_test

* Remove kube setup

* Fix race condition

* Make Mixer readiness timeout configurable. (#12640)

- Mixer waits for readiness of the config backend. It is currently hard-wired at 30 seconds. This change makes this configurable and sets the default as 2 minutes.
- The pod was being killed because the liveness probe was not starting on time. It is blocked behind other readiness checks. This change enables readiness early on.

* Minor improvements to the test framework. (#12858)

* Add dump support to policy backend.

* Add a suitecontext dir.

* test: add dump pod events function (#12821)

* Fix flush behavior in Stackdriver adapter. (#12853)

* Fix prometheus and citadel connection tests (#12747)

* Fix test-prometheus-connection.yaml: test never failed

Co-authored-by: Ralf Pannemans <ralf.pannemans@sap.com>

* Fix test-citadel-connection.yaml: test never failed

Co-authored-by: Ralf Pannemans <ralf.pannemans@sap.com>

* Fix a bunch more linter items. (#12897)

* delete stale file (#12898)

Signed-off-by: Kuat Yessenov <kuat@google.com>

* Run dep ensure

* Implement EnvoyXdsServer graceful shutdown (#12826)

* update api sha (#12862)

* update api sha

* api files

* Add two sample deployments for user guide of Istio Vault integration (#12917)

* Rename types.go to types.gen.go. (#12921)

* Change Ip Address to readable format in accesslog from stdio/stackdriver adapter (#12850)

* Change Ip Address to readable format in accesslog from stdio adapter

* Add a check to validate it's an IP Address before calling ip.string function

* Fix formatting error

* Fix test

* Correct stringify function in instanceUtil.go too for IP address

* Fix based on review

* Fix based on review

* Fix based on review

* Update to latest doc gen tool. (#12932)

* Fix the regular expression that splits the deployment scripts. (#12931)

The script was fixed with a start-line anchor during the merge of 1.1.
However, the regular expressions in Go are not multi-line.

* Add labels to the test framework. (#12819)

* Add basic label support to the test framework.

* Refactor test framework surface area to use fluent-style.

* Apply labels to CircleCI tests & stable integration tests.

* Add early exit support to avoid running setup functions when the label
set can never match.

* Add Citadel tests as presubmit tests.

* Remove environments from label usage.

* Fixup some of the label usages, and convert some of the test entry points.

* Fixup label usage.

* Redisable sidecar tests.

* Accommodate PR feedback.

* Accommodate CR feedback.

* Add more CR fixup.

* Introduce pkg/annotations (#12909)

- pkg/annotations lets us track the annotations used by the calling process.

- pkg/collateral now outputs annotations if there are any. This will make annotations
show up on istio.io

- Adjusted how pkg/collateral handles deprecated environment variables to match how we
handle deprecated fields in protos (by coloring them differently on istio.io)

- Added another test to pkg/env to cover a case I missed originally.

- Updated the sidecar injector and pilot to use pkg/annotations.

- Fixed some invalid HTML generated by pkg/collateral.

I'll file an issue to get descriptions added for the annotations.

* remove unused pdb in remote values. (#12943)

* prevent duplicate inbound listeners (#12937)

* [Galley] Fix race in runtime strategy (#12927)

This addresses a race condition that seems to only occur when using a very low timerFrequency (e.g. 1 microsecond) on a slow machine (e.g. prow). Under these conditions, the strategy can encounter a race condition when creating the timer. The code was setting the `timer` variable to the result of time.AfterFunc. However, due to the extremely low frequency used, the AfterFunc was invoking its handler, `onTimer` before returning. This led to accessing an uninitialized `timer` value.

This PR swaps out AfterFunc for NewTimer. The use of time.Timer is now abstracted behind the `asyncTimer` object, which provides the semantics needed by the strategy. Now strategy.timer is set before it is started, avoiding the race.

Fixes #12628

* Adding unit tests for sidecar scope (#12184)

* Adding unit tests for sidecar scope

* Removing unused variable

* linters: enable errcheck (#12933)

* enable errcheck

Signed-off-by: Kuat Yessenov <kuat@google.com>

* add maligned to exceptions

Signed-off-by: Kuat Yessenov <kuat@google.com>

* Istio does not use Cluster_LOGICAL_DNS, so remove it (#12905)

* Istio does not use Cluster_LOGICAL_DNS, so remove it

* clean up LOGICAL_DNS in comments

* Clean up Helm README (#12914)

The README has outdated information on the values, we should just defer
to istio.io which is up to date. Additionally, we should point users to
istio.io which has up to date install instructions.

* 'istioctl experimental dashboard' command to show add-ons and sidecars (#12627)

* 'istioctl experimental dashboard' command to show add-ons and sidecars

* Test cases, output of URL, use of Cobra output stream

* Refactor code into istioctl/pkg/kubernetes

* Refactor to expose PortForward stop channel

* Validate new mixer CRDs (#12918)

* Validate new mixer CRDs

* Add templates and adapters

* Test cases for new mixer CRDs

* Add environment variables to allow configuring bookinfo hostnames (#12646)

* Allow bookinfo hostnames to be configurable

- add DETAILS_HOSTNAME, RATINGS_HOSTNAME, REVIEWS_HOSTNAME environment
variables to configure hostnames. Defaults to details, ratings, reviews
respectively

* Bump bookinfo sample to 1.11.0

* Update expected outputs for bookinfo tests

- this is not related to our PR, but the tests were failing
- the apps were changed, but images were not rebuilt

* Add edsClusters should be atomic (#12942)

* Add edsClusters should be atomic

* fix lint

* properly report errors on failure (#12945)

The CI Infrastructure times out after 10 minutes of no activity.  In
one of the test case runners, 10 minutes is specified causing the CI
timeout to flush any debuggable output from the checks.  This results
in an inexact error result to be returned.

Instead a vague response about the test case timing out is reported,
resulting in confusion for the PR authors.

The typical max I was able to achieve was ~230 seconds, but I trimmed
to 3 minutes so the test case fails in all conditions and properly
reports the errors.

* Hoist exemptLabels to top-level, so that they can apply to prs as well. (#12902)

* [mixer-e2e-test] add retry to prometheus query in check cache test (#12680)

* check cache test sleep longer

* use retry instead of longer waiting

* reword error message

* Fixing typos in unit tests (#12661)

Redoing PR #12035

* respect locality weight set from ServiceEntry (#12714)

* respect the lb weight setting from users

* add ut

* fix golint

* add locality lb setting test

* fix lint

* update test case

* update test case

* lint

* sidecars with workload selector takes precedence over namespace wide one (#12831)

* Auto bind to services for Sidecar listeners with specific ports (#12724)

* auto bind to TCP services for egress ports in Sidecar

Signed-off-by: Shriram Rajagopalan <rshriram@gmail.com>

* fix test

Signed-off-by: Shriram Rajagopalan <rshriram@gmail.com>

* minor patch (#12963)

Signed-off-by: Kuat Yessenov <kuat@google.com>

* Cleanup gateway vhost config gen (#12847)

* check match direction

* Cleanup http route generation

* undo pickMatching change

* golangbot comments

* address review comments

* fix validation bug

* gofmt

* check for intersection duplicates

* Add wildcard route fallthrough (Fixes ALLOW_ANY, 404s) (#12916)

* Add wildcard route fallthrough

Currently, ALLOW_ANY doesn't actually allow any external traffic if there is an http service already present on a port. This change adds a wildcard PassthroughCluster as the final route, allowing external traffic even if there is already a service on the port.

Additionally, in REGISTRY_ONLY mode, we will return a 404 error if there
is already an http service. This is misleading, as it can be conflated
with a 404 error returned from the actual service. When in REGISTRY_ONLY
mode, we instead return a 502 error to indicate the request is blocked.

* add unit tests

* Remove node-level flag

* Fix tests

* Support PKCS#8 private keys. (#12972)

* Support PKCS#8 private keys.

* Small fix.

* Fix LB weight setting for split horizon eds (#12560) (#12827)

* lb weight for split-horizon-eds should be set correctly

* fix ut

* rename

* fix ut

* fix lint

* fix lint

* Restore dump_kubernetes.sh function on OSX (#12159)

* Fixes for Bash 3.x and detecting non-running pods

* Address shellcheck warnings

* Remove Robert Li from tests OWNERS file (#12946)

Robert has had a change in employment and can no longer contribute to
Istio.

* remove unnecessary namespace for webhook configuration (#12981)

* remove deprecated mcpServerAddrs flag (#12954)

* remove deprecated mcpServerAddrs

* fix ut

* support ip:port format configSource

* fix ut

* fix ut

* support proxy https app probe (#12872)

* support proxy https app probe

* add ut

* fix ut

* add webhook inject test

* fix test

* fix comments by incfly

* Allow some time for the configuration propagation (#12865)

* Allow some time for the listeners config propagation

* change to use watchDiscovery

* samples/bookinfo: easier access to logs (#12584)

* Use shorter namespace prefixes. (#13001)

* Change Ip Address to readable format in accesslog from stdio/stackdriver adapter (#12850) (#12936)

* Change Ip Address to readable format in accesslog from stdio adapter

* Add a check to validate it's an IP Address before calling ip.string function

* Fix formatting error

* Fix test

* Correct stringify function in instanceUtil.go too for IP address

* Fix based on review

* Fix based on review

* Fix based on review

* Update integration test env flag (#12977)

The flag should be "kube" not "kubernetes" but it was not updated in
some places before.

* Support inline role definition in AuthorizationPolicy (#12849)

* Don't fill test logs with "no provious log" (#12857)

This isn't a real error, but it is misleading in the test output. We
have no reason to output all of these errors that there is no previous
container to get logs from.

* mixer: delete old style CRDs from installation (#12710)

* delete old style CRD from installation

Signed-off-by: Kuat Yessenov <kuat@google.com>

* disable galley from listening to old style CRDs

Signed-off-by: Kuat Yessenov <kuat@google.com>

* more hardcoded yamls

Signed-off-by: Kuat Yessenov <kuat@google.com>

* debugging default install

Signed-off-by: Kuat Yessenov <kuat@google.com>

* fix fmt

Signed-off-by: Kuat Yessenov <kuat@google.com>

* keep galley pipeline

Signed-off-by: Kuat Yessenov <kuat@google.com>

* disable resource ready

Signed-off-by: Kuat Yessenov <kuat@google.com>

* delete debugging line

Signed-off-by: Kuat Yessenov <kuat@google.com>

* fixing testdata

Signed-off-by: Kuat Yessenov <kuat@google.com>

* delete deprecated configs

Signed-off-by: Kuat Yessenov <kuat@google.com>

* remove declarations

Signed-off-by: Kuat Yessenov <kuat@google.com>

* delete more yaml

Signed-off-by: Kuat Yessenov <kuat@google.com>

* merge fix

Signed-off-by: Kuat Yessenov <kuat@google.com>

* Add tests for the effect of mTLS setting to reachability (#11624)

* Reachability test in new integration test framework

* Add test for port specific policy

* Expose KubeApp interface and move EndpointForPort to that instead

* Use the retry.UntilSuccess from framework

* Change to UntilSuccessOrFail instead of UntilSuccess

* remove deprecated code (#13005)

* remove deprecated code

* remove dep

* Add examples/documentation for the test framework. (#13000)

* Add examples/documentation for the test framework.

* Add more prose about test lifecycle.

* Fix typo.

* Fix typos.

* fix retry loop in mixer crd watch (#13003)

* first change to apps/v1 for Install (#13015)

* first change for install

* appsv1

* indention

* use only ipv4 for pilot and zipkin (#12997)

* do ipv4 lookups for pilot and zipkin

Signed-off-by: Shriram Rajagopalan <rshriram@gmail.com>

* update goldens

Signed-off-by: Shriram Rajagopalan <rshriram@gmail.com>

* small fix for imports (#13013)

* remove old mcp stack (#12092)

* remove old mcp stack

* remove legacy mcp server from galley

* fix server build

* fix linter

* remove unused code in journal.go

* fix build

* s/server/source

* fix linter errors

* Exclude Prometheus traffic in rule so that Kiali does not show it. (#12251)

* [Galley] Fix race in strategy shutdown. (#13004)

* [Galley] Fix race in strategy shutdown.

The Close() logic was holding onto the state lock, which can race with worker thread. Specifically, the worker thread could be in a call to onTimer awaiting the lock, which would never be acquired since the Close() method is stuck waiting for the stopped channel to close.

* cleaning up reset logic to avoid holding on the stateLock

* Add instructions and scripts to facilitate running E2E tests locally using KinD (#12641)

* Adding check/install go in both macOS and Linux.

* Install go if not installed.

* Adding support to run e2e test on KinD locally.

* Adding the ability to run e2e tests locally on KinD.

* Update install_prereqs_debian.sh

* Update setup_test.sh

* Adding the ability to run e2e test on KinD
for presubmit test.

* Presubmit e2e test on KinD.

* Adding the ability to run e2e_simple presubmit on KinD

* Adding README file for testing on KinD locally.

* Revert the changes on adding install_go function.

* Revert install_go in common_macos.sh

* Revert the file changes of deleting newline.

* Reverting the changes.

* Addressing reviews.

* Fixing shellcheck

* respect locality weight set from ServiceEntry (#12714) (#13012)

* respect the lb weight setting from users

* add ut

* fix golint

* add locality lb setting test

* fix lint

* update test case

* update test case

* lint

* Add documentation about -p 1 for integration test framework. (#13032)

* Reduce logs in security/pkg/nodeagent/sds/ (#13035)

* Reduce logs in security/pkg/nodeagent/sds/

https://github.com/istio/istio/issues/13033

* Count the log output times

* Revise the PR based on review comments

* move pkg/mcp/configz to pkg/mcp/configz/client (#12982)

Signed-off-by: Chun Lin Yang <clyang@cn.ibm.com>

* Restore TestMtlsHealthCheck in postsubmit, prow. (#12969)

* restore test to debug.

* add presubmit label to the test for triggering.

* change to only run in postsubmit.

* remove postsubmit label just comment.

* Enable more linters and fix warnings/errors (#12993)

* Cherry pick cert file config from master to release-1.1 (#12707)

* Cherry pick from master: Configuration:  no longer hardcode mesh certs (#12189)

* Configuration: Pilot-Agent: no longer hardcode certs to watch. Pilot-Discovery: no longer hardcode Envoy listener cert paths.

* Address demands of golangcibot overlord

* Change usages of github.com/stretchr/testify/require to github.com/stretchr/testify/assert

* Address code style violation

* Revert temporary api changes. Set cert paths in envoy node metadata and use them when setting up listeners

* Use envoy node metadata cert paths (if available) when constructing clusters

* Rename constants to make golint happy

* Fix imports

* Ignore ordering in test

* Pass around proxy instead of proxy.Metadata

(cherry picked from commit 7c342741df9bd4e313420b4d17e279089d8956da)

* goimports file

* Allow limiting Citadel to marked namespaces only (#12289)

* Allow limiting Citadel to marked namespaces only

- add command line flag to require explicit opt-in to secrets (defaults to false to retain current behavior of always create)
- extend secret controller to consider namespace labels (reuses existing 'istio-injected=enabled')
- modify unit tests to retain previous behavior (i.e., always create secrets, explicit opt-in not required) and account for additional namespace access

* removed left-over debug print, check enable only when explicit opt-in is required

* reverting k8s actions in tests: namespaces no longer checked when explicit opt-in is false

* unit tests for checking labels and behavior

* Namespace specified in command line is explicitly enabled

- save namespace specified in the `--listened-namespace` option on the controller (allow multiple to prepare for r1.1)
- check SA namespace against explicit namespaces

* use dedicated label name to avoid overloading the injection label

* use istio-managed label in tests

* clarified explicit-opt-in is relevant for keys and certificates provided via a volume mount

* refactor istio managed object test to a function so it can be called from secret deletion handler as well

* fix left over istio-injection label in tests

* manual merge fix

* appsv1 galley (#13047)

* Add support for datadog tracing (on release-1.1 branch) (#12687)

* Add support for datadog tracing.

Signed-off-by: Caleb Gilmour <caleb.gilmour@datadoghq.com>

* Use $(HOST_IP) instead of special-casing empty address value

Signed-off-by: Caleb Gilmour <caleb.gilmour@datadoghq.com>

* add param to sidecar to ignore iptables changes (#12829)

* add param to sidecar to ignore iptables changes

* rephrase description

* samples/bookinfo: migrate `apiVersion` of deployments to `apps/v1` (#13030)

* fix validation logic so that port.name is no longer a valid PortSelector (#13054)

* [Test Framework]: Galley support for deleting config (#13037)

In order to properly support deleting resources, it was necessary to revisit how ApplyConfig is done as well.  Previously, apply would just blindly copy the yaml to a new file in the configDir. The assumption was that the resource was always being "added" (rather than updated). I'm not certain what would happen if two resources appeared with the same name/namespace.

This PR generalizes (and fixes) the way resources are handled so that it's not concerned with files, but rather the underlying resources. The code now parses the top-portion of the yaml to properly identify each resource.  Once identified, the code now properly updates resources by writing back to the file where the resource was found.  Deletes are similar, where the original resource in the file is replaced with "" (empty files are removed).

* Support controlz for mcp server (#12980)

* Support controlz for mcp server

Signed-off-by: clyang82 <clyang@cn.ibm.com>

* fix lint error

* Address review comments

Signed-off-by: Chun Lin Yang <clyang@cn.ibm.com>

* generalize artifact injection into Docker images (#12203)

Instead of just adding LICENSES.txt only, also optionally add in the
source code as well, gating on the new EXTRA_ARTIFACTS and
EXTRA_ARTIFACTS_CNI environment variables.

Change-Id: Iab8fadfbcbbaa8906491e12324fae20185d9f33e

* Keep going when problem happens checking remote version (#13060)

* remove deprecated show-all flag (#13053)

* Add x alias to experimental istioctl command (#11801)

* Add x alias to experimental istioctl command

I'm super lazy and experimental is far too much effort to type

Signed-off-by: Liam White <liam@tetrate.io>

* Add exp as an additional alias

Signed-off-by: Liam White <liam@tetrate.io>

* Correct the app label for Gateway (#12693)

* update selector for gateway

Signed-off-by: Chun Lin Yang <clyang@cn.ibm.com>

* fix build fail

Signed-off-by: clyang82 <clyang@cn.ibm.com>

* Update tracing_datadog_golden.json (#13082)

* Fix small typo (#13089)

can useful -> can be useful

* Add jitter in CSR request (#12805)

* Add jitter in CSR request

* Add log

* Fix comments

* Fix test

* Fix test

* Fix comment

* Allows cleanup.sh to run non-interactively when in terminal (#12635)

This change allows cleanup.sh to run non-interactively in standard terminals.
For example: NAMESPACE="test123" ./cleanup.sh

* 'istioctl proxy-config clusters' cluster type column rendering (#12458) (#12730)

* update sds secret mount. (#12733)

* Copy data from right place (#12762)

* Fix updateClusterInc for overlapping ports (#12766)

* Fix updateClusterInc for overlapping ports

It is possible that a service will have multiple ports, with the same
port number. The typical example here is kube-dns, which uses port 53
for UDP and TCP. When we do an incremental push, we would select the
first port to match the port number, which would sometimes cause us to
ignore the correct port. This fix searches through all matching ports.

* Ensure port number matches as well

* Add unit tests

* remove dead code

* enable default sidecarscope (#12832)

* [Galley] Fix for ServiceEntry event ordering (#12890)

The integration test was encountering this, exposing a real bug. If nodes/pod events occur after service/endpoints (which should generally be unusual) then it is possible to have a ServiceEntry missing pod/node information (e.g. locality).

Fixes #12820

* Adding sha for istio/tools to manifest.txt for future automation of perf tests (#11706)

* Copy helm data from the right place (#12808)

* Refactor solution based on Costin's feedback (#13027)

Signed-off-by: Serguei Bezverkhi <sbezverk@cisco.com>

* Enable more linters and fix warnings/errors (#13061)

* Making tags requirement same as those in Kubernetes (#12852)

* Making tags requirement same as those in Kubernetes

Changing validation check to make sure non-empty tags start with an
alphanumeric character

* Validating label keys are not empty strings

Allow empty string for label values
Do not allow empty string for label keys

* Added certmanager flag into helm chart values.yaml (#12953)

* Added certmanager flag into helm chart values.yaml

* Moved certmanager configuration

* Pilot [networking]: Add upstream idle_timeout to cluster definition (#13066)

* adding upstream idle_timeout to cluster definition.

* reverting vendor changes before running dep ensure again.

* running dep ensure update on api from master.

* controlPlaneMtls renamed to controlPlaneSecurityEnabled (#13141)

* Patch #12805 to master (#13104)

* Patch #12805 to master

* Fix lint

* Fix HelmDelete command (#12515)

* Fix HelmDelete command

HelmDelete was called with the namespace; it needs to be called
with a chartname.  Also created a constant to make it more
obvious when called by the other Helm related commands.

* Fix typo

* Goimports fix

* ight modification path (#13148)

* Allow overriding of registry locality (#13077)

Also fixes bug where non-kube envs could override to something that parsed incorrectly

Signed-off-by: Liam White <liam@tetrate.io>

* mixer: add support for standard CRDs for compiled-in adapters (#12815)

* cherry pick subset of https://github.com/istio/istio/pull/12689/

Signed-off-by: Kuat Yessenov <kuat@google.com>

* add support for compiled in adapters

Signed-off-by: Kuat Yessenov <kuat@google.com>

* patch log line

Signed-off-by: Kuat Yessenov <kuat@google.com>

* parse cert to get expire time  (#13145)

* parse cert

* cleanup

* unit test coverage

* missing file

* address comments

* rebase and address comment

* Installing istio for perf testing (#13159)

* Perf scripts

* gsutil

* WD

* perf running and getting metrics

* Perf

* perf

* perf

* Perf

* remove

* qq

* Appsv1 pilot (#13050)

* appsv1 for Pilot

* appsv1 for Pilot

* appsv1 for Pilot

* dep update

* fix test

* fix test

* fix test

* fix test

* fix test

* typo

* typo

* typo

* typo

* typo

* update go-control-plane (#13154)

Signed-off-by: Kuat Yessenov <kuat@google.com>

* added sidecar.istio.io/rewriteAppProbers annotation (#13112)

* pilot: registered sidecar.istio.io/rewriteAppProbers annotation

* pilot: checked from sidecar.istio.io/rewriteAppProbers too

* pilot: added webhook inject tests

TestWebhookInject_http_probe_rewrite_enabled_via_annotation case is a modification of TestWebhookInject_http_probe_rewrite case.
The difference is rewriteAppHTTPProbe is false in template, but set to true in annotation.

TestWebhookInject_http_probe_rewrite_disabled_via_annotation case is a modification of TestWebhookInject case.
The difference is rewriteAppHTTPProbe is true in template, but set to false in annotation.

* fixed linter issue in test

* added http probe test for kubeinject case

* added tests and fixed login upon checking RewriteAppHTTPProbe setting

* Add more tests in app_probe_test.go

* renamed RewriteAppProbers to RewriteAppHTTPProbers

* fixed test case for webhook injection

* add description to rewriteAppHTTPProbers annotation

* updated tests in app probe to sync with recent master change

* change validateBool to alwaysValidFunc as per review

* Export inject.injectionData() (#12426)

* Registrator should use master version (#13083)

* dependencies: update cel-go and remove protoc-gen-docs (#12711)

* experiment with COMPAT

Signed-off-by: Kuat Yessenov <kuat@google.com>

* get errors

Signed-off-by: Kuat Yessenov <kuat@google.com>

* get errors

Signed-off-by: Kuat Yessenov <kuat@google.com>

* stop validation

Signed-off-by: Kuat Yessenov <kuat@google.com>

* remove hack

Signed-off-by: Kuat Yessenov <kuat@google.com>

* testing

Signed-off-by: Kuat Yessenov <kuat@google.com>

* only access log

Signed-off-by: Kuat Yessenov <kuat@google.com>

* debugging

Signed-off-by: Kuat Yessenov <kuat@google.com>

* debugging

Signed-off-by: Kuat Yessenov <kuat@google.com>

* debugging

Signed-off-by: Kuat Yessenov <kuat@google.com>

* debugging

Signed-off-by: Kuat Yessenov <kuat@google.com>

* debugging

Signed-off-by: Kuat Yessenov <kuat@google.com>

* add runtimeconfig

Signed-off-by: Kuat Yessenov <kuat@google.com>

* add a benchmark

Signed-off-by: Kuat Yessenov <kuat@google.com>

* cel_perf

Signed-off-by: Kuat Yessenov <kuat@google.com>

* update cel

Signed-off-by: Kuat Yessenov <kuat@google.com>

* update examples

Signed-off-by: Kuat Yessenov <kuat@google.com>

* remove unnecessary dependencies

Signed-off-by: Kuat Yessenov <kuat@google.com>

* Fixing copy for helm, one more time. (#13186)

* Run goimports on generated file (#13195)

* Enable disabled mixer tests in New Test Framework (#13151)

* Enable disabled mixer tests in NF

* Change tests config to new style

* Change tests config to new style

* Change tests config to new style

* Fix config for native policybackend

* Fix report test

* Reduce Pilot resource requests for demo (#12477)

* Reduce Pilot resource requests for demo

* Add limits as well

* Added data source for Galley dashboard (#13041)

Fixes: #13040

* fix values for pod anti-affinity. (#12798)

* Add sensible defaults to istio-gateways (#12315)

* report succeed after validation (#13165)

* report succeed after validation

* review comments

* Change exposed port of istio-pilot in consul (#13170)

`15003` and `15005` are never used in pilot under consul env. It would be confusing to expose the two ports. Instead, 
```
   --grpcAddr string                     Discovery service grpc address (default ":15010")
   --secureGrpcAddr string               Discovery service grpc address, with https (default ":15012")
```
we know `15010` and `15012` are still in use.

* Cherrypick: Add wildcard route fallthrough (Fixes ALLOW_ANY, 404s) (#12916) (#12973)

* Add wildcard route fallthrough (Fixes ALLOW_ANY, 404s) (#12916)

* Add wildcard route fallthrough

Currently, ALLOW_ANY doesn't actually allow any external traffic if there is an http service already present on a port. This change adds a wildcard PassthroughCluster as the final route, allowing external traffic even if there is already a service on the port.

Additionally, in REGISTRY_ONLY mode, we will return a 404 error if there
is already an http service. This is misleading, as it can be conflated
with a 404 error returned from the actual service. When in REGISTRY_ONLY
mode, we instead return a 502 error to indicate the request is blocked.

* add unit tests

* Remove node-level flag

* Fix tests

* Use new env var framework

* Fix long line

* Run format and linter

* CEL checker mutex (#13192)

* checker mutex

Signed-off-by: Kuat Yessenov <kuat@google.com>

* deadlock

Signed-off-by: Kuat Yessenov <kuat@google.com>

* Integration testing for Locality Load Balancing  (#13084)

* Initial testing functionality

Signed-off-by: Liam White <liam@tetrate.io>

* appease the linting gods

Signed-off-by: Liam White <liam@tetrate.io>

* Fall back to bootstrap locality as a last resort

Signed-off-by: Liam White <liam@tetrate.io>

* Move service instance check after we set them...

Signed-off-by: Liam White <liam@tetrate.io>

* Add EDS test

Signed-off-by: Liam White <liam@tetrate.io>

* Reorganise tests to run in parallel

Signed-off-by: Liam White <liam@tetrate.io>

* Move to pilot directory

Signed-off-by: Liam White <liam@tetrate.io>

* minor Infof fixes

Signed-off-by: Liam White <liam@tetrate.io>

* fix package name

Signed-off-by: Liam White <liam@tetrate.io>

* Increase propagation sleep and add warning

Signed-off-by: Liam White <liam@tetrate.io>

* [test-framework] Support helm values containing spaces (#13127)

* Support helm values containing spaces in integration test framework

For a helm template command,
e.g., "helm template --set key1=value1 --set key2=value2",
the existing integration test framework assumes the values do not
contain spaces and splits the command argument using the
space character before executing the helm command.
Thus, the existing implementation does not support
helm values (e.g., certificates) containing spaces.
This PR adds the support of helm values that contain spaces.

* Revised to use array based on review comments

* Adding servicegraph testing to postsubmit (#13190)

* Adding servicegraph testing to postsubmit

* m

* perf

* change

* pod

* fix

* Adding E2E Test for kiali (#11448)

* Add Kiali E2E Test

* Minor Fixings on Kiali E2E Test

* Remove unused mixer.enabled value (#13214)

This is not a functional change; this value is never used so it is
misleading/confusing. mixer.policy.enabled and mixer.telemetry.enabled
are used.

* Adding aliases for OWNERS (#13194)

* Fixing copy for helm, one more time.

* Adding aliases for test group. Setting up labels and no parent_owners

* prow

* owners

* Fixing helm order (#13224)

* Fixing copy for helm, one more time.

* Fix order of the helm command

* fix lint (#12988)

* update certificates with expiration time 100 years (#13233)

* update certificates with expiration time 100 years

* update testdata/local/etc/certs

* fix original destination bug (#13011)

* fix original destination bug

* add ut

* align init role label. (#13172)

* Remove --platform option (#13187)

* Fix #10380: Remove hardcoded sidecar template for istioctl kube-inject (#10830)

* Remove the hardcoded sidecar template for

* Remove deprecated flags in istioctl kube-inject

* update testdata after rebase

* add rule for kubeinject.go in codecov.threshold

* push client the new root cert when it's changed (#13163)

* refresh root

* refresh root

* unit test

* add logs

* address comment

* more comment

* address comment

* Implement `role` field in AuthorizationPolicy  (#13181)

* Add check for role in ServiceRoleBinding

* Implement global role

* Add integration tests for SDS-Vault mTLS flow and SDS-Citadel mTLS flow (#13199)

* Add integration tests for SDS-Vault mTLS flow and SDS-Citadel mTLS flow

Add integration tests for SDS-Vault mTLS flow and SDS-Citadel mTLS flow.
The mutual TLS connection uses the certificates issued by SDS-Vault CA flow
and SDS-Citadel CA flow.

* Use the flag EnableCDSPrecomputation()

* Address review comments

* Ignore missing resources on kubectl delete (#13225)

This makes it so tests won't fail on cleanup for resources that are
already deleted.

* [Testing] Cleanup PortForwarder (#13250)

* Add generated LICENSES.txt to gitignore (#13209)

* remove myself from owners (#13231)

Signed-off-by: Kuat Yessenov <kuat@google.com>

* add upstream_transport_failure_reason to access log (#12434)

* add upstream_transport_failure_reason to access log

Signed-off-by: Lizan Zhou <lizan@tetrate.io>

* update proxy to latest

Signed-off-by: Lizan Zhou <lizan@tetrate.io>

* fix

Signed-off-by: Lizan Zhou <lizan@tetrate.io>

* fix format

Signed-off-by: Lizan Zhou <lizan@tetrate.io>

* Fix integration test errors and refactor security integration tests (#13253)

* Fix integration test errors and refactor security integration tests

- Fix the failure of integration tests when --istio.test.nocleanup=false,
which is the default test setting. The failures of integration tests when
--istio.test.nocleanup=false are caused by that the errors during
cleaning up tests are treated as test failures while the actual tests
have succeeded when --istio.test.nocleanup=true.
- Organize security integration tests under tests/integration/security.
- Refactor the code to share common utility functions and remove
duplicate code.
- Misc fixes.

* Address review comments

* Use a const to represent the test policy directory

* Address review comments

* Fixes the multicluster e2e test (#13246)

The secret was being created after the apps were
deployed on the remote.  This was causing the test
to never think the apps successfully deployed since
the envoy sidecar was continually restarting.

* pre-check: fix a logic error (#13278)

`getNameSpace()` always returns an object, even if namespace does
not exist. Checking the error status is safer.

* Remove kubectl from dockerfile prereqs since it pulls it (#13256)

* Fixing EDS unit tests (#12995)

The current EDS test is incorrect and passes because the check calls time
out rather than successfully completing. This PR fixes the problem and
adds one more test.

fixes issue #12994

* rbac: fix a data race in listener generation (#13308)

* Include js/css files into static folder (#12983)

* Include js/css files

Signed-off-by: Chun Lin Yang <clyang@cn.ibm.com>

* Append version to file

Signed-off-by: Chun Lin Yang <clyang@cn.ibm.com>

* ignore assets.gen.go in code coverage

Signed-off-by: Chun Lin Yang <clyang@cn.ibm.com>

* remove assets.gen.go from codecov test

Signed-off-by: clyang82 <clyang@cn.ibm.com>

* remove skipped test from .cov file

Signed-off-by: Chun Lin Yang <clyang@cn.ibm.com>

* fix check shell issue

Signed-off-by: Chun Lin Yang <clyang@cn.ibm.com>

* fix shell check issue

Signed-off-by: Chun Lin Yang <clyang@cn.ibm.com>

* Fix galley integration test race (#13303)

* [Test Framework] Integrate apps with Galley (#13115)

The most recent refactoring broke the apps component when Pilot is being used with Galley. The apps register their services with the ServiceManager directly. When Pilot is configured with Galley, however, it doesn't use the ServiceManager, which means that the app services are never properly registered with Pilot.

- Changed the Pilot and Apps component to require Galley to be configured, to avoid confusion.

- Removed the ServiceManager altogether - Galley is used for service registration.

Fixes #13090

* Fix again helm copy, was reverted during merge from release 1.1 (#13337)

* Fixing copy for helm, one more time.

* Fixing copy again for master

* Update OpenShift dependencies; Drop [deprecated] legacy schema (#13160)

* Extend istioctl mocking library to allow mocking of authn etc (#13118)

* Fixing iptables ranges (#13291)

* Fixing iptables ranges

Signed-off-by: Serguei Bezverkhi <sbezverk@cisco.com>

* fix shellcheck errors

Signed-off-by: Serguei Bezverkhi <sbezverk@cisco.com>

* fixing ci failures #1

Signed-off-by: Serguei Bezverkhi <sbezverk@cisco.com>

* fixing ci failures #2

Signed-off-by: Serguei Bezverkhi <sbezverk@cisco.com>

* fixing ci failures #3

Signed-off-by: Serguei Bezverkhi <sbezverk@cisco.com>

* Addressing comments

Signed-off-by: Serguei Bezverkhi <sbezverk@cisco.com>

* Don't apply locality label unless provided (#13297)

* Single Template injection spec fully at runtime (#13147)

* Template injection spec fully at runtime

This eliminates the need to have two layers of templates, which adds a
lot of complexity to the template.

* Get tests working and rebase on removal of hardcoded template

* Remove unused vars

* Fix istioctl tests

* Report circleci status to testgrid k8s dump (#13340)

The dump script often fails for the same reason the test fails. The dump
script should probably be hardened, but in the mean time we can just
make sure we report the failure (high priority) before we dump the
state.

* Add integration tests for RBAC v2 (#13353)

* Implement RBAC v2 integration test

* Add Galley to app for security tests

* Disable locality LB tests (#13305)

* [Galley] Add NotReadyEndpoints to Synthetic ServiceEntry (#13255)

* [Galley] Add NotReadyEndpoints to Synthetic ServiceEntry
…
geeknoid pushed a commit that referenced this issue May 1, 2019
* Add two sample deployments for user guide of Istio Vault integration (#12917)

* prevent duplicate inbound listeners (#12937)

* respect locality weight set from ServiceEntry (#12714)

* respect the lb weight setting from users

* add ut

* fix golint

* add locality lb setting test

* fix lint

* update test case

* update test case

* lint

* Auto bind to services for Sidecar listeners with specific ports (#12724)

* auto bind to TCP services for egress ports in Sidecar

Signed-off-by: Shriram Rajagopalan <rshriram@gmail.com>

* fix test

Signed-off-by: Shriram Rajagopalan <rshriram@gmail.com>

* Cleanup gateway vhost config gen (#12847)

* check match direction

* Cleanup http route generation

* undo pickMatching change

* golangbot comments

* address review comments

* fix validation bug

* gofmt

* check for intersection duplicates

* Add wildcard route fallthrough (Fixes ALLOW_ANY, 404s) (#12916)

* Add wildcard route fallthrough

Currently, ALLOW_ANY doesn't actually allow any external traffic if there is an http service already present on a port. This change adds a wildcard PassthroughCluster as the final route, allowing external traffic even if there is already a service on the port.

Additionally, in REGISTRY_ONLY mode, we will return a 404 error if there
is already an http service. This is misleading, as it can be conflated
with a 404 error returned from the actual service. When in REGISTRY_ONLY
mode, we instead return a 502 error to indicate the request is blocked.

* add unit tests

* Remove node-level flag

* Fix tests

* Change Ip Address to readable format in accesslog from stdio/stackdriver adapter (#12850) (#12936)

* Change Ip Address to readable format in accesslog from stdio adapter

* Add a check to validate it's an IP Address before calling ip.string function

* Fix formatting error

* Fix test

* Correct stringify function in instanceUtil.go too for IP address

* Fix based on review

* Fix based on review

* Fix based on review

* use only ipv4 for pilot and zipkin (#12997)

* do ipv4 lookups for pilot and zipkin

Signed-off-by: Shriram Rajagopalan <rshriram@gmail.com>

* update goldens

Signed-off-by: Shriram Rajagopalan <rshriram@gmail.com>

* Cherry pick cert file config from master to release-1.1 (#12707)

* Cherry pick from master: Configuration:  no longer hardcode mesh certs (#12189)

* Configuration: Pilot-Agent: no longer hardcode certs to watch. Pilot-Discovery: no longer hardcode Envoy listener cert paths.

* Address demands of golangcibot overlord

* Change usages of github.com/stretchr/testify/require to github.com/stretchr/testify/assert

* Address code style violation

* Revert temporary api changes. Set cert paths in envoy node metadata and use them when setting up listeners

* Use envoy node metadata cert paths (if available) when constructing clusters

* Rename constants to make golint happy

* Fix imports

* Ignore ordering in test

* Pass around proxy instead of proxy.Metadata

(cherry picked from commit 7c34274)

* goimports file

* Add support for datadog tracing (on release-1.1 branch) (#12687)

* Add support for datadog tracing.

Signed-off-by: Caleb Gilmour <caleb.gilmour@datadoghq.com>

* Use $(HOST_IP) instead of special-casing empty address value

Signed-off-by: Caleb Gilmour <caleb.gilmour@datadoghq.com>

* fix validation logic so that port.name is no longer a valid PortSelector (#13054)

* Add x alias to experimental istioctl command (#11801)

* Add x alias to experimental istioctl command

I'm super lazy and experimental is far too much effort to type

Signed-off-by: Liam White <liam@tetrate.io>

* Add exp as an additional alias

Signed-off-by: Liam White <liam@tetrate.io>

* Update tracing_datadog_golden.json (#13082)

* Add jitter in CSR request (#12805)

* Add jitter in CSR request

* Add log

* Fix comments

* Fix test

* Fix test

* Fix comment

* 'istioctl proxy-config clusters' cluster type column rendering (#12458) (#12730)

* update sds secret mount. (#12733)

* Copy data from right place (#12762)

* Fix updateClusterInc for overlapping ports (#12766)

* Fix updateClusterInc for overlapping ports

It is possible that a service will have multiple ports, with the same
port number. The typical example here is kube-dns, which uses port 53
for UDP and TCP. When we do an incremental push, we would select the
first port to match the port number, which would sometimes cause us to
ignore the correct port. This fix searches through all matching ports.

* Ensure port number matches as well

* Add unit tests

* remove dead code

* Allow overriding of registry locality (#13077)

Also fixes bug where non-kube envs could override to something that parsed incorrectly

Signed-off-by: Liam White <liam@tetrate.io>

* mixer: add support for standard CRDs for compiled-in adapters (#12815)

* cherry pick subset of #12689

Signed-off-by: Kuat Yessenov <kuat@google.com>

* add support for compiled in adapters

Signed-off-by: Kuat Yessenov <kuat@google.com>

* patch log line

Signed-off-by: Kuat Yessenov <kuat@google.com>

* parse cert to get expire time  (#13145)

* parse cert

* cleanup

* unit test coverage

* missing file

* address comments

* rebase and address comment

* Installing istio for perf testing (#13159)

* Perf scripts

* gsutil

* WD

* perf running and getting metrics

* Perf

* perf

* perf

* Perf

* remove

* qq

* Appsv1 pilot (#13050)

* appsv1 for Pilot

* appsv1 for Pilot

* appsv1 for Pilot

* dep update

* fix test

* fix test

* fix test

* fix test

* fix test

* typo

* typo

* typo

* typo

* typo

* update go-control-plane (#13154)

Signed-off-by: Kuat Yessenov <kuat@google.com>

* added sidecar.istio.io/rewriteAppProbers annotation (#13112)

* pilot: registered sidecar.istio.io/rewriteAppProbers annotation

* pilot: checked from sidecar.istio.io/rewriteAppProbers too

* pilot: added webhook inject tests

TestWebhookInject_http_probe_rewrite_enabled_via_annotation case is a modification of TestWebhookInject_http_probe_rewrite case.
The difference is rewriteAppHTTPProbe is false in template, but set to true in annotation.

TestWebhookInject_http_probe_rewrite_disabled_via_annotation case is a modification of TestWebhookInject case.
The difference is rewriteAppHTTPProbe is true in template, but set to false in annotation.

* fixed linter issue in test

* added http probe test for kubeinject case

* added tests and fixed login upon checking RewriteAppHTTPProbe setting

* Add more tests in app_probe_test.go

* renamed RewriteAppProbers to RewriteAppHTTPProbers

* fixed test case for webhook injection

* add description to rewriteAppHTTPProbers annotation

* updated tests in app probe to sync with recent master change

* change validateBool to alwaysValidFunc as per review

* Export inject.injectionData() (#12426)

* Registrator should use master version (#13083)

* dependencies: update cel-go and remove protoc-gen-docs (#12711)

* experiment with COMPAT

Signed-off-by: Kuat Yessenov <kuat@google.com>

* get errors

Signed-off-by: Kuat Yessenov <kuat@google.com>

* get errors

Signed-off-by: Kuat Yessenov <kuat@google.com>

* stop validation

Signed-off-by: Kuat Yessenov <kuat@google.com>

* remove hack

Signed-off-by: Kuat Yessenov <kuat@google.com>

* testing

Signed-off-by: Kuat Yessenov <kuat@google.com>

* only access log

Signed-off-by: Kuat Yessenov <kuat@google.com>

* debugging

Signed-off-by: Kuat Yessenov <kuat@google.com>

* debugging

Signed-off-by: Kuat Yessenov <kuat@google.com>

* debugging

Signed-off-by: Kuat Yessenov <kuat@google.com>

* debugging

Signed-off-by: Kuat Yessenov <kuat@google.com>

* debugging

Signed-off-by: Kuat Yessenov <kuat@google.com>

* add runtimeconfig

Signed-off-by: Kuat Yessenov <kuat@google.com>

* add a benchmark

Signed-off-by: Kuat Yessenov <kuat@google.com>

* cel_perf

Signed-off-by: Kuat Yessenov <kuat@google.com>

* update cel

Signed-off-by: Kuat Yessenov <kuat@google.com>

* update examples

Signed-off-by: Kuat Yessenov <kuat@google.com>

* remove unnecessary dependencies

Signed-off-by: Kuat Yessenov <kuat@google.com>

* Fixing copy for helm, one more time. (#13186)

* Run goimports on generated file (#13195)

* Enable disabled mixer tests in New Test Framework (#13151)

* Enable disabled mixer tests in NF

* Change tests config to new style

* Change tests config to new style

* Change tests config to new style

* Fix config for native policybackend

* Fix report test

* Reduce Pilot resource requests for demo (#12477)

* Reduce Pilot resource requests for demo

* Add limits as well

* Added data source for Galley dashboard (#13041)

Fixes: #13040

* fix values for pod anti-affinity. (#12798)

* Add sensible defaults to istio-gateways (#12315)

* report succeed after validation (#13165)

* report succeed after validation

* review comments

* Change exposed port of istio-pilot in consul (#13170)

`15003` and `15005` are never used in pilot under consul env. It would be confusing to expose the two ports. Instead, 
```
   --grpcAddr string                     Discovery service grpc address (default ":15010")
   --secureGrpcAddr string               Discovery service grpc address, with https (default ":15012")
```
we know `15010` and `15012` are still in use.

* Cherrypick: Add wildcard route fallthrough (Fixes ALLOW_ANY, 404s) (#12916) (#12973)

* Add wildcard route fallthrough (Fixes ALLOW_ANY, 404s) (#12916)

* Add wildcard route fallthrough

Currently, ALLOW_ANY doesn't actually allow any external traffic if there is an http service already present on a port. This change adds a wildcard PassthroughCluster as the final route, allowing external traffic even if there is already a service on the port.

Additionally, in REGISTRY_ONLY mode, we will return a 404 error if there
is already an http service. This is misleading, as it can be conflated
with a 404 error returned from the actual service. When in REGISTRY_ONLY
mode, we instead return a 502 error to indicate the request is blocked.

* add unit tests

* Remove node-level flag

* Fix tests

* Use new env var framework

* Fix long line

* Run format and linter

* CEL checker mutex (#13192)

* checker mutex

Signed-off-by: Kuat Yessenov <kuat@google.com>

* deadlock

Signed-off-by: Kuat Yessenov <kuat@google.com>

* Integration testing for Locality Load Balancing  (#13084)

* Initial testing functionality

Signed-off-by: Liam White <liam@tetrate.io>

* appease the linting gods

Signed-off-by: Liam White <liam@tetrate.io>

* Fall back to bootstrap locality as a last resort

Signed-off-by: Liam White <liam@tetrate.io>

* Move service instance check after we set them...

Signed-off-by: Liam White <liam@tetrate.io>

* Add EDS test

Signed-off-by: Liam White <liam@tetrate.io>

* Reorganise tests to run in parallel

Signed-off-by: Liam White <liam@tetrate.io>

* Move to pilot directory

Signed-off-by: Liam White <liam@tetrate.io>

* minor Infof fixes

Signed-off-by: Liam White <liam@tetrate.io>

* fix package name

Signed-off-by: Liam White <liam@tetrate.io>

* Increase propagation sleep and add warning

Signed-off-by: Liam White <liam@tetrate.io>

* [test-framework] Support helm values containing spaces (#13127)

* Support helm values containing spaces in integration test framework

For a helm template command,
e.g., "helm template --set key1=value1 --set key2=value2",
the existing integration test framework assumes the values do not
contain spaces and splits the command argument using the
space character before executing the helm command.
Thus, the existing implementation does not support
helm values (e.g., certificates) containing spaces.
This PR adds the support of helm values that contain spaces.

* Revised to use array based on review comments

* Adding servicegraph testing to postsubmit (#13190)

* Adding servicegraph testing to postsubmit

* m

* perf

* change

* pod

* fix

* Adding E2E Test for kiali (#11448)

* Add Kiali E2E Test

* Minor Fixings on Kiali E2E Test

* Remove unused mixer.enabled value (#13214)

This is not a functional change; this value is never used so it is
misleading/confusing. mixer.policy.enabled and mixer.telemetry.enabled
are used.

* Adding aliases for OWNERS (#13194)

* Fixing copy for helm, one more time.

* Adding aliases for test group. Setting up labels and no parent_owners

* prow

* owners

* fix(helm/sidecar-injector-configmap): run as root (#13217)

* Destination host cannot be * (#13222)

* destination host cannot be *

* fix test

* Fixing helm order (#13224)

* Fixing copy for helm, one more time.

* Fix order of the helm command

* automating Mixer samples (#13196)

* move samples

Signed-off-by: Kuat Yessenov <kuat@google.com>

* add metric samples

Signed-off-by: Kuat Yessenov <kuat@google.com>

* add samples

Signed-off-by: Kuat Yessenov <kuat@google.com>

* add samples

Signed-off-by: Kuat Yessenov <kuat@google.com>

* typo

Signed-off-by: Kuat Yessenov <kuat@google.com>

* typo

Signed-off-by: Kuat Yessenov <kuat@google.com>

* add samples

Signed-off-by: Kuat Yessenov <kuat@google.com>

* add samples

Signed-off-by: Kuat Yessenov <kuat@google.com>

* add samples

Signed-off-by: Kuat Yessenov <kuat@google.com>

* add samples

Signed-off-by: Kuat Yessenov <kuat@google.com>

* Add upstream idle_timeout to cluster definition (#13146)

* fix lint (#12988)

* update certificates with expiration time 100 years (#13233)

* update certificates with expiration time 100 years

* update testdata/local/etc/certs

* Cherry pick #13233 to fix expired certificates (#13234)

* update certificates with expiration time 100 years

* update testdata/local/etc/certs

* fix original destination bug (#13011)

* fix original destination bug

* add ut

* fix original destination bug (#13242)

* fix original destination bug

* add ut

* Fix #11818 fix workloadSelector for Sidecars (#12666)

* Fix test error in mixer/adapter/bypass

* Fixes #11818. Extend ServiceRegistries to return workload labels independent of Services

* Added test for getting workload labels from consul registry

* Removed expected errors and results for now from MemoryRegistry.GetProxyWorkloadLabels()

* Added LDS test for consumer without Service and workload specific Sidecar

* Removed unnecessary fake for service_accounts

* Fix #12957. Match EnvoyFilter.workloadSelector against Pod labels, instead of Service labels

* Don't dump config in EnvoyFilter LDSTest

* Added missing test data

* Implemented review comments.

* Added test for generation of inbound listeners for proxies without services.

* Add ingress to Sidecar configuration for consumer-only Sidecar.workloadSelector test

* Formatted imports based review comments

* Only log at debug level if ServiceRegistries fail at determining workload labels

* Right place to copy data from (#13149)

* Right place to copy data from

* Copy right place

* align init role label. (#13172)

* Remove --platform option (#13187)

* Fix #10380: Remove hardcoded sidecar template for istioctl kube-inject (#10830)

* Remove the hardcoded sidecar template for

* Remove deprecated flags in istioctl kube-inject

* update testdata after rebase

* add rule for kubeinject.go in codecov.threshold

* push client the new root cert when it's changed (#13163)

* refresh root

* refresh root

* unit test

* add logs

* address comment

* more comment

* address comment

* use port 80 for HTTP from details, for TLS origination (#13206)

Istio now can rewrite the port to 443 and perform TLS origination
no need to use port 443 for HTTP traffic

* Implement `role` field in AuthorizationPolicy  (#13181)

* Add check for role in ServiceRoleBinding

* Implement global role

* Add integration tests for SDS-Vault mTLS flow and SDS-Citadel mTLS flow (#13199)

* Add integration tests for SDS-Vault mTLS flow and SDS-Citadel mTLS flow

Add integration tests for SDS-Vault mTLS flow and SDS-Citadel mTLS flow.
The mutual TLS connection uses the certificates issued by SDS-Vault CA flow
and SDS-Citadel CA flow.

* Use the flag EnableCDSPrecomputation()

* Address review comments

* Ignore missing resources on kubectl delete (#13225)

This makes it so tests won't fail on cleanup for resources that are
already deleted.

* [Testing] Cleanup PortForwarder (#13250)

* Add generated LICENSES.txt to gitignore (#13209)

* remove myself from owners (#13231)

Signed-off-by: Kuat Yessenov <kuat@google.com>

* Fix ingress sds memory leak (#13251)

* use syncmap to avoid race conditions

* Do not let ingress gateway agent send SDS response if secret is not ready.

* fix test

* add test

* add liveness probe for citadel. (#12734)

* Make 15020 first port in ingressgateway service (#12668)

* Make 15020 first port in ingressgateway service

Fixes: #12503

* Updated test utils to use NodePort for port 80

Test utils were dependent on the ordering of the ports to work, updated it so
that they use the NodePort for port 80 explicitly.

* Fixed lint issues

* add upstream_transport_failure_reason to access log (#12434)

* add upstream_transport_failure_reason to access log

Signed-off-by: Lizan Zhou <lizan@tetrate.io>

* update proxy to latest

Signed-off-by: Lizan Zhou <lizan@tetrate.io>

* fix

Signed-off-by: Lizan Zhou <lizan@tetrate.io>

* fix format

Signed-off-by: Lizan Zhou <lizan@tetrate.io>

* Allow Locality Distribute without outlierDetection (#12965)

* Enable distribute locality LB without outlier detection

Failover needs outlier detection to mark hosts unhealthy and fall down
to the next priority, but this is not needed for distribute.

* fix tests

* Fix integration test errors and refactor security integration tests (#13253)

* Fix integration test errors and refactor security integration tests

- Fix the failure of integration tests when --istio.test.nocleanup=false,
which is the default test setting. The failures of integration tests when
--istio.test.nocleanup=false are caused by that the errors during
cleaning up tests are treated as test failures while the actual tests
have succeeded when --istio.test.nocleanup=true.
- Organize security integration tests under testss/integration/security.
- Refactor the code to share common utility functions and remove
duplicate code.
- Misc fixes.

* Address review comments

* Use a const to represent the test policy directory

* Address review comments

* Fixes the multicluster e2e test (#13246)

The secret was being created after the apps were
deployed on the remote.  This was causing the test
to never think the apps successfully deployed since
the envoy sidecar was continually restarting.

* pre-check: fix a logic error (#13278)

`getNameSpace()` always returns an object, even if namespace does
not exist. Checking the error status is safer.

* patch deprecated field (#13266)

* patch deprecated field

Signed-off-by: Kuat Yessenov <kuat@google.com>

* ge11

Signed-off-by: Kuat Yessenov <kuat@google.com>

* typo

Signed-off-by: Kuat Yessenov <kuat@google.com>

* Remove kubectl from dockerfile prereqs since it pulls it (#13256)

* Fixing EDS unit tests (#12995)

The current EDS test is incorrect and passes because the check calls time
out rather than successfully completing. This PR fixes the problem and
adds one more test.

fixes issue #12994

* Skip validating non ingress gateway secret at secret fetcher. (#13281)

* use syncmap to avoid race conditions

* Do not let ingress gateway agent send SDS response if secret is not ready.

* fix test

* add test

* Skip validating non ingress gateway secret

* Fix labels on manifests (#11788)

* add missing labels on mixer resources

* update istio chart helper to match other charts

* disable a test (#13295)

Signed-off-by: Kuat Yessenov <kuat@google.com>

* Import istio/proxy for 1.1.3 (#13296)

* Update proxy version to 1.1.3 (#13300)

* move to newer grafana (#13273)

* rbac: fix a data race in listener generation (#13308)

* Include js/css files into static folder (#12983)

* Include js/css files

Signed-off-by: Chun Lin Yang <clyang@cn.ibm.com>

* Append version to file

Signed-off-by: Chun Lin Yang <clyang@cn.ibm.com>

* ignore assets.gen.go in code coverage

Signed-off-by: Chun Lin Yang <clyang@cn.ibm.com>

* remove assets.gen.go from codecov test

Signed-off-by: clyang82 <clyang@cn.ibm.com>

* remove skipped test from .cov file

Signed-off-by: Chun Lin Yang <clyang@cn.ibm.com>

* fix check shell issue

Signed-off-by: Chun Lin Yang <clyang@cn.ibm.com>

* fix shell check issue

Signed-off-by: Chun Lin Yang <clyang@cn.ibm.com>

* Fix galley integration test race (#13303)

* [Test Framework] Integrate apps with Galley (#13115)

The most recent refactoring broke the apps component when Pilot is being used with Galley. The apps register their services with the ServiceManager directly. When Pilot is configured with Galley, however, it doesn't use the ServiceManager, which means that the app services are never properly registered with Pilot.

- Changed the Pilot and Apps component to require Galley to be configured, to avoid confusion.

- Removed the ServiceManager altogether - Galley is used for service registration.

Fixes #13090

* Fix again helm copy, was reverted during merge from release 1.1 (#13337)

* Fixing copy for helm, one more time.

* Fixing copy again for master

* Update OpenShift dependencies; Drop [deprecated] legacy schema (#13160)

* Extend istioctl mocking library to allow mocking of authn etc (#13118)

* Fixing iptables ranges (#13291)

* Fixing iptables ranges

Signed-off-by: Serguei Bezverkhi <sbezverk@cisco.com>

* fix shellcheck errors

Signed-off-by: Serguei Bezverkhi <sbezverk@cisco.com>

* fixing ci failures #1

Signed-off-by: Serguei Bezverkhi <sbezverk@cisco.com>

* fixing ci failures #2

Signed-off-by: Serguei Bezverkhi <sbezverk@cisco.com>

* fixing ci failures #3

Signed-off-by: Serguei Bezverkhi <sbezverk@cisco.com>

* Addressing comments

Signed-off-by: Serguei Bezverkhi <sbezverk@cisco.com>

* Don't apply locality label unless provided (#13297)

* Single Template injection spec fully at runtime (#13147)

* Template injection spec fully at runtime

This eliminates the need to have two layers of templates, which adds a
lot of complexity to the template.

* Get tests working and rebase on removal of hardcoded template

* Remove unused vars

* Fix istioctl tests

* Report circleci status to testgrid k8s dump (#13340)

The dump script often fails for the same reason the test fails. The dump
script should probably be hardened, but in the meantime we can just
make sure we report the failure (high priority) before we dump the
state.

* use syncmap in secretcache (#13333)

* Gateway names cannot contain dot (#13351)

* Sidecar Capture mode NONE to use Bind (#13202)

* Sidecar Capture mode NONE to use Bind

Signed-off-by: Shakti shaktiprakash.das@salesforce.com

* Added test, updated comments

* format file

* Add integration tests for RBAC v2 (#13353)

* Implement RBAC v2 integration test

* Add Galley to app for security tests

* Disable locality LB tests (#13305)

* [Galley] Add NotReadyEndpoints to Synthetic ServiceEntry (#13255)

* [Galley] Add NotReadyEndpoints to Synthetic ServiceEntry

The k8s Endpoints NotReadyAddresses are used by Pilot to create inbound ports. Without these ports, the endpoints will never become "ready".

Supports #10589

* addressing comments

* remove unneeded ClusterRole and ClusterRoleBinding in gateway (#13292)

* Initial RPM packaging (#13088)

This adds the make targets `rpm/istio` and `rpm/proxy` for creating rpm's for
Istio components. Artifacts will be created in `$ISTIO_OUT/rpm`.

It also creates a target `rpm/builder-image`, which creates a docker builder
image necessary to build istio and proxy rpm's.

All RPM's will have as the version number whatever is defined at `VERSION` variable.
So, a typical usage will be `make VERSION=1.1.0 rpm/istio`.

* Simplified issue templates. (#13380)

* [Testing] Minor improvements to kube utilities (#13377)

* spiffe: fix a data race in writing trust domain. (#13343)

* min ring size for hash lb policy was getting to zero in default case instead of doc'd 1024 (#13275)

* appsv1 mixer (#13164)

* Fix security tests (#13368)

They try to read testdata/testdata/... instead of testdata/... before
this change.

* Adding exec permissions to files. (#13401)

* Fixing copy for helm, one more time.

* Adding permissions

* Add locality failover integration testing (#13252)

* Add locality failover integration testing

Signed-off-by: Liam White <liam@tetrate.io>

* Fix up prioritized integration test

Signed-off-by: Liam White <liam@tetrate.io>

* Fix panic in loadbalancer and more failover tests

Signed-off-by: Liam White <liam@tetrate.io>

* Add no test check

Signed-off-by: Liam White <liam@tetrate.io>

* stop doing dumb things with errors

Signed-off-by: Liam White <liam@tetrate.io>

* Fix description of failover tests

Signed-off-by: Liam White <liam@tetrate.io>

* fix function signature change

Signed-off-by: Liam White <liam@tetrate.io>

* Use better practice framework usage

Signed-off-by: Liam White <liam@tetrate.io>

* turn on locality in makefile

Signed-off-by: Liam White <liam@tetrate.io>

* Enable more linters and fix warnings/errors. (#13245)

* Enable next step for perf testing (#13381)

* Fixing copy for helm, one more time.

* Next step for perf was added

* Fix MCP dial-out mode. (#13399)

* Fix MCP dial-out mode.

+ The MCP dial-out mode sends an initial trigger response to trigger proper server/client communication. This is needed under certain scenarios. The original code expected a NACK response to this using a synchronous wait. However, this caused problems as the NACK can be sent *after* the actual resource requests are enqueued in the gRPC stream. This PR fixes the issue by making the handling of the trigger response in-line, as part of regular stream handling.
+ Adding a new dial-out integration tests capturing the basic scenario.
+ Adding a sleep in the Galley integration component, as the component startup is inherently racy. There is a race between setting the os signal event handlers during startup and application of configuration (and subsequent event trigger). The stop-gap solution is to sleep. The right solution is to go back to the correct ordering model for the startup of Galley.

* Add an explicit name to the trigger collection to avoid collisions.

* Fix lint issues.

* Fix lint issues.

* Remove failing test case.

* Update code coverage.

* Fix bug causing deleted endpoints to not be updated (#13402) (#13403)

* Fix cluster name, the value in aggregate map must match the cluster ID.

* Address review comments, add few more comments

* Broken productpage css and glyphicons fonts (#13314)

* productpage css and fonts broken #13244

* remove .DS_Store

* Update bookinfo image tags to 1.12.0

* update tests

* Fixes panic in pilot agent when provided with custom cert paths. (#13409)

* Configure logging level in proxy and control plane (#12639) (#13369)

* configure proxy log level via helm values for sidecar and gateways

* configure istio control plane log level via helm

* min ring size for hash lb policy was getting to zero in default case instead of doc'd 1024 (#13284)

* [Testing] Improve logging for echo application (#13376)

* [Testing] Improve logging for echo application

* switch to use Cobra

* Add istioctl completion to the 'istioctl' make target. (#13024)

Signed-off-by: Jason Clark <jason.clark.oss@gmail.com>

* [Testing] Adding integration test instructions (GKE) (#13404)

* [Testing] Adding integration test instructions (GKE)

These started as a copy of the ones under e2e. Removed instructions specific to the old test framework. Also cleaned up other instructions and added a script to simplify creation of a cluster.

* Fixing spellcheck errors.

* Add integration tests that detect race condition (#13342)

* Add integration tests that detect race condition

* Address review comments

* Remove log level

* Change to reuse e2e-suite.sh

* Address review comments

* Fix a duplicate

* Fix envvar linter use. (#13411)

- envvar linter now fails with an error code when it finds problems.

- Stop running the linter over useless directories

- Only try to lint go files

- Fix discovered unregistered uses of env vars in the code base.

* replace ayj with ozevren as istioctl owner (#13335)

* [Testing] Various fixes for structpath (#13375)

* Fix a linter warning. (#13426)

* Refactor integration tests of Citadel (#13304)

* Refactor integration tests of Citadel

- Citadel is a security component -> organize Citadel integration tests
under the security integration tests folder.
- The common utility functions are refactored into the util folder.

* Fix lint error

* Fix manual injection when webhook disabled (#13434)

* Fix manual injection when webhook disabled

If webhook is disabled, then Helm values for the webhook will not be
exposed. This means that in the ConfigMap that stores the values, we
will not have the rewriteAppHTTPProbe variable, causing errors. By
defaulting this to false, we keep the same behavior but succeed in the
case when the config is not present.

I also verified this is the only case of this bug, all other variables
read in the injection template are from global.

* Fix linter and check nil

* Add field to explicitly define Istio kind for config data (#13347)

* Add field to explicitly define Istio kind for config data

* Lint

* Add missing space in log statement (#10982)

* Add missing space in log statement

Previously, the log statement was: "Failed to generate bootstrap
configopen /etc..." (note that there's no space in configopen).

This commit fixes the statement, so it reads "Failed to generate
bootstrap config: open /etc/..."

* Add missing spaces to all Debuga,Infoa,Warna,Errora,Fatala statements

* add CRD sample for rate limiting task (#13370)

Signed-off-by: Kuat Yessenov <kuat@google.com>

* Fix make test-bins (#13124)

Prior to this PR, make test-bins produces no action.

* Scrape internal Grafana metrics. (#12509)

* [Test Framework] Fix forward echo timeout (#13459)

This was using picoseconds instead of microseconds

* Fix test flakes in pkg/cache. (#13454)

- Run the expiration tests with no background evicter goroutine, which
eliminates the non-determinism.

- Stop using time.UTC(), turns out it's unnecessary when using time.UnixNanos

- Correctly initialize the base nanosecond value when using the caches with no
evicter goroutine.

- Add a missing delay in the test for EvictExpired uncovered by setting the
base nanosecond value above.

* Add integration test for outboundTrafficPolicy (#13099)

* Add outboundTrafficPolicy integration test

* Run format

* Fix lint errors

* Fix call validation

* Fix native and comment why we can't use native

* Remove all checks except count

* Remove Servicegraph, and therefore addons. (#12470)

Servicegraph was deprecated but available in 1.1, with a plan to
remove in subsequent releases.

* [Test Framework] Support Pilot mesh config (#13460)

* Refactor authentication plugin code to support future policy versions (#13441)

* Refactor authentication plugin code to support future policy versions

* Consolidate support functions

* Lint

* Fix import

* Rename Applier to PolicyApplier

* Fix EnableFallthroughRoute for HTTPS traffic (#13440)

HTTPS traffic does not go through the route config like http, so the fix
to allow outbound traffic properly is not applied. Instead, we can do
the same thing at the listener level. Because we cannot do a direct
response here, we can't return a 502 in the case of REGISTRY_ONLY, but
we can still block the traffic (same behavior as if we had no listener
on the port).

* New prow e2e Multi-cluster test for Split Horizon EDS (#12709)

* Add an e2e testing environment and tests for split horizon multicluster

* Temporarily run the new mc test instead of old one

* Revert "Temporarily run the new mc test instead of old one"

This reverts commit 8634ae1.

* Revert "Revert "Temporarily run the new mc test instead of old one""

This reverts commit 39e007c.

* return errors if the split horizon test runs without auth and automatic sidecar injection

* remove the separate prow test for split horizon, add it to the multicluster test

* move the auth-enable flag from the prow script into tests/istio.mk

* remove the flat network multicluster test until it will be fixed

* fix the comment of KubeCommand

* TestRemoteInstanceAcessible -> TestRemoteInstanceAccessible

* add use-automatic-injection flag to the split horizon test

* Revert "add use-automatic-injection flag to the split horizon test"

This reverts commit c488cd8.

* for split horizon check that the framework's automatic injection is not set

* add the split horizon flat to e2e README

* use strings.Contains instead of strings.IndexOf >= 0

* do not redefine err

* use "naked" return consistently

* return error if some pods are not running

* Revert "remove the separate prow test for split horizon, add it to the multicluster test"

This reverts commit c2d0ece.

* istio-pilot-e2e-split-horizon-eds.sh -> e2e-split-horizon-eds.sh

* Revert "Revert "Revert "Temporarily run the new mc test instead of old one"""

This reverts commit 46c4a98.

* reduce timeout from 50 to 15

* [Code Mauve]: Get TcpMetrics test working again in new test framework (#13247)

* Code Mauve: Get Tcp test working again in new test framework

Code Mauve: Get Tcp test working again in new test framework

Code Mauve: Get Tcp test working again in new test framework

Fix based on reviews

Fix based on reviews

Fix based on reviews

Fix based on reviews

Fix formatting error

Fix failing codecoverage and unit test on circle as they are getting killed because of short timeout

Trying to fix circleci tests

Trying to apply gateway file in bookinfo namespace only

* Fix linting error

* deploy bookinfo in its own namespace for all mixer tests

* deploy bookinfo in its own namespace for loadbalancing test too

* Fix perfcheck script (#13461)

* Make sure all flags get pulled during init. (#13513)

* Make sure all flags get pulled during init.

* Fix lint errors.

* Fix example_test.

* Sleep to prevent test flakes in outbound traffic (#13514)

* Fix configz test failures (#13478)

* Fix configz test failures

* Dynamically assign port

* [Test Framework] Expand capability of Echo component (#13175)

* [Test Framework] Expand capability of Echo component

The Echo component API was essentially a rewrite of the Apps component, but allows the test author more flexibility in the behavior of the application instances.

This PR merges the functionality of the Apps component (including running on Kubernetes as well as running natively with a sidecar) into the Echo component. Once this lands, we can remove the Apps component entirely.

* addressing comments

* various fixes

* attempt to update golangcilint (#13525)

Signed-off-by: Kuat Yessenov <kuat@google.com>

* Adding unit tests for gateway (#12792)

* Adding unit tests for gateway

* Fixing the lint issue

* Fixing the copyright year

* Making changes suggested in the reviews.

Changes the name of a function and location of another.

* Support using the kiali-viewer role directly from Helm chart configuration (#13528)

* Support using the kiali-viewer role

* Switch to viewOnlyMode name to be consistent with Kiali operator name

* multicluster: fix panic caused by invalid kubeconfig (#13451)

* multicluster: fix panic caused by invalid kubeconfig

* fix comment

* [WIP] Preventing duplicate route entries (#13431)

Addresses issue #13267
Adds unit tests

* Fix bug causing deleted endpoints to not be updated (#13402) (#13403) (#13470)

* Fix cluster name, the value in aggregate map must match the cluster ID.

* Address review comments, add few more comments

* Fix SE with non FQDN hosts (#13447)

* Adding the missing validation pieces for CORS (#12840)

* Adding the missing validation pieces for CORS

Includes new unit test case

* Allow for http/https schemes specified

* Making "*" the only host with wildcard allowed for allow-origin

* Allow port number in CORS Allow Origin

Having a port number in "Allow Origin" is accepted according
to the spec.

* Using strings.TrimPrefix as suggested by lint

* fix panic (#13548)

* Fix RBAC integration tests (#13384)

* update to go1.12 (#13531)

* update CI image to 1.12

Signed-off-by: Kuat Yessenov <kuat@google.com>

* fix coverage test

Signed-off-by: Kuat Yessenov <kuat@google.com>

* fix coverage once again

Signed-off-by: Kuat Yessenov <kuat@google.com>

* rbac: refactor filter generation and split filter logic (#13488)

* move istioctl completion generator to its own target (#13567)

* Fix potential fd leak (#13310)

* update jinja and urllib3 (#13585)

* set GOGC (#13587)

Signed-off-by: Kuat Yessenov <kuat@google.com>

* make GC more aggressive (#13596)

Signed-off-by: Kuat Yessenov <kuat@google.com>

* Fix bug: when pod occur later than sidecar connection, the sidecar in… (#13229)

* Fix bug: when pod occur later than sidecar connection, the sidecar inbound listener will not be pushed

* fix comments: only do a full push to the added sidecar

* optimize: do not record workloads that have no sidecars or have not connected with pilot

* add istioctl experimental auth for checking TLS/JWT/RBAC setting on a pod. (#12774)

* add istioctl auth command for checking TLS/JWT/RBAC setting on a pod.

This is still experimental and under active development, not ready for production use.

* fix lint.

* Support reading from file, refine the help message.

* update cluster to show 'none' for certs.

* update google.golang.org/grpc

* add whitespace in column

* add unit test

* fix lint

* fix lint

* make --remote and --s as default for istioctl version command (#13389)

* make remote and short as default

* fix lint

* remove unused permission in istio_init. (#12978)

* Update UsingGKE.md (#13560)

To avoid confusion, per the gcloud SDK documentation: https://cloud.google.com/sdk/gcloud/reference/#--project, project ID instead of project name should be used for the project flag.

* Fix several lint issues on Citadel Agent. (#13558)

* Fix several error handling and lint.

* Small fix.

* Small fix

* fix broken links in readme. (#13610)

* Cache values config in sidecar injector (#13480)

Values were read each time during injection, rather than cached like
mesh config and the injection template.

* Add integration tests for Istio authorization for groups and list claims (#13557)

* Add integration tests for Istio authorization for groups and list claims

* Separate RBAC tests to avoid interference from each other

* Add headers from the test options

* Fix lint errors

* Add headers in the native environment

* Add headers in echo component

* Refactor the test structure

* add MacOS support KinD (#13583)

* Do not use sh in istioctl. (#13395)

* Do not use sh in istioctl.

Co-authored-by: Jakob Schmid <jakob.schmid@sap.com>

* Fix lint errors.

Co-authored-by: Jakob Schmid <jakob.schmid@sap.com>

* For RBAC v2, add integration tests for authorization of groups and list claims (#13628)

* For RBAC v2, add integration tests for authorization of groups and list claims

* Add to-do

* cleans up unnecessary left over comment (#13137)

* Adding a unit test case

Adds a unit test case and cleans up unnecessary left over comment

* Removing the extraneous comment

* Remove trailing tab chars from each line ending. (#13570)

Trailing tabs were left in the rendered template, having the yaml
linter throw warnings.

* show detailed mcp resource information in ctrlz page (#12999)

Signed-off-by: clyang82 <clyang@cn.ibm.com>

* Re-enable Mixer validation (#13379)

* cleaning up mixer validation

Signed-off-by: Kuat Yessenov <kuat@google.com>

* fixes

Signed-off-by: Kuat Yessenov <kuat@google.com>

* fix mixer tests

Signed-off-by: Kuat Yessenov <kuat@google.com>

* fix galley test

Signed-off-by: Kuat Yessenov <kuat@google.com>

* less diff

Signed-off-by: Kuat Yessenov <kuat@google.com>

* no edge case possible

Signed-off-by: Kuat Yessenov <kuat@google.com>

* fixing the adapter dependencies

Signed-off-by: Kuat Yessenov <kuat@google.com>

* enable validation

Signed-off-by: Kuat Yessenov <kuat@google.com>

* goimports

Signed-off-by: Kuat Yessenov <kuat@google.com>

* missed an adapter

Signed-off-by: Kuat Yessenov <kuat@google.com>

* edge case

Signed-off-by: Kuat Yessenov <kuat@google.com>

* coverage

Signed-off-by: Kuat Yessenov <kuat@google.com>

* Pass componentLogLevel to Envoy to disable deprecation warnings (#13182)

Istio users do not care about Envoy features we choose to use that are
deprecated, but we spam their logs with thousands of warnings about
deprecations. This turns off these messages, and allows proxy log level
to be tuned by operators to their preferences (including re-enabling
deprecation warnings if they wish).

* Add Redis Ratelimiting tests in new test framework (#11209)

* Add Redis Ratelimiting tests in new test framework

Fix based on reviews

Fix based on reviews

Fix based on reviews

Also, deploy tiller before deploying redis

Fix based on reviews

Increase timeout value for fetching values from prometheus to make it more reliable

Wait for Tiller to start before using it

Increase test timeout as Redis tests have increased the overall runtime of the tests

Increase reliability of rate limiting tests

fix failing test

fix failing test

fix failing test

Try to decrease runtime of the test

Fix descriptors.go after rebase

Fix lint error

Add debugging steps in original redisquota tests

Debugging failure in ratelimit test when running in prow

Debug test in prow

Fix conflict error

Fix errors

Fix config for redis using new style crds

Refactored to reduce setup time

nit fix

Fix golang errors

Fix golang errors

Fix errors in config

Fix errors in config and golang errors

Fix errors in config

Fix errors in config

Fix golang errors

Fix TestRateLimiting_DefaultLessThanOverride test

Formatting file

Refactor common code

Fix golang errors

Fix golang errors

Fix tests

Reduce timeouts

* Fix golang error

* fix typo in pilot/cmd/pilot-agent/status/ready/probe.go (#12321)

* Try out a template experiment.

* Another template update.

* Template tweakathon.

* Skip failing test case (#13669)

This test breaks all commits, likely caused by TLS certs expired. This
means all past commits will no longer pass tests, and all new commits
will be blocked. We should disable this test for now until it can be
properly fixed.

* Stop using task lists since they cause GitHub to mark issues as 0/7 completed...

* correct example text for istioctl authn tls-check command (#13561)

* Fix integration tests and user guide of SDS Vault CA flow (#13685)

* Fix integration tests and user guide of SDS Vault CA flow

Tests under tests/integration/security/sds_vault_flow/
fail because the cluster hosting the test Vault server was deleted.
This PR:
- Fixes the failed integration tests to use a new Vault server.
- Fixes an example Vault CA server config used in user guide.

* Address review comments

* fix namespace parsing in istioctl validate (#13624)

* fix namespace parsing in istioctl validate

Signed-off-by: Kuat Yessenov <kuat@google.com>

* merge fix

Signed-off-by: Kuat Yessenov <kuat@google.com>

* revert yaml v3 change

Signed-off-by: Kuat Yessenov <kuat@google.com>

* manually transform map interface

Signed-off-by: Kuat Yessenov <kuat@google.com>

* restore extra field test

Signed-off-by: Kuat Yessenov <kuat@google.com>

* bootstrap: add test to confirm ISTIO_META_ envvar (#13645)

ISTIO_META_key=val env variable can be encoded into node metadata
as "key" to "val"

Signed-off-by: Yuchen Dai <silentdai@gmail.com>

* release: Update latest stable Istio CNI SHA (#13556)

* Lock down development of installer (#13350)

* Lock down development of installer

All development should be done on the istio-installer repo.

* Top level owners

* Update url

* Fix isValidIP in iptable-start.sh and add unit test for it. (#13563)

* refactoring validations

Signed-off-by: Serguei Bezverkhi <sbezverk@cisco.com>

* addressing comments

Signed-off-by: Serguei Bezverkhi <sbezverk@cisco.com>

* Addressing more comments

Signed-off-by: Serguei Bezverkhi <sbezverk@cisco.com>

* fix typo

Signed-off-by: Serguei Bezverkhi <sbezverk@cisco.com>

* shellcheck error

Signed-off-by: Serguei Bezverkhi <sbezverk@cisco.com>

* fixing unbound variable error

Signed-off-by: Serguei Bezverkhi <sbezverk@cisco.com>

* fixing CI failure

Signed-off-by: Serguei Bezverkhi <sbezverk@cisco.com>

* shell check

Signed-off-by: Serguei Bezverkhi <sbezverk@cisco.com>

* dealing with ipv6 special case

Signed-off-by: Serguei Bezverkhi <sbezverk@cisco.com>

* fix broken links. (#13741)

* add samples validation linter (#13736)

* add samples validation linter

Signed-off-by: Kuat Yessenov <kuat@google.com>

* typo

Signed-off-by: Kuat Yessenov <kuat@google.com>

* print deprecation warnings

Signed-off-by: Kuat Yessenov <kuat@google.com>

* english

Signed-off-by: Kuat Yessenov <kuat@google.com>

* [Testing] Refactoring Echo application (#13586)

The echo application has gotten hard to follow.

- Restructuring code into more sensible packages.

- Adding readiness. The echo app will now return 503s until all ports are up.

- Propagating timeouts throughout the call chain.

- Use Cobra in client main. This also required that all uses of the client switch to using double dashes for flags (they were previously using single dashes).

Fixes #13553

* Fix unit tests of Vault CA integration (#13683)

* Fix unit tests of Vault CA integration

Tests under security/pkg/nodeagent/caclient/providers/vault/
fail because the cluster hosting the test Vault server was deleted.
This PR:
- Fixes the failed tests to use a new Vault server.
- Moves the tests using real Vault server to integration tests.

* Add a documentation

* Opt in the test framework and label the test as post-submit

* Fix istioctl test (#13750)

* Fixing copy for helm, one more time.

* Fixing test

* Refactor Test Framework API Surface, and add complete Galley component methods. (#13738)

* Implement Missing Galley functionality and more framework tests.

+ Adding missing methods for Galley Kubernetes component.
+ Tests for creating/deleting namespaces.
+ Tests for Galley snapshot reading.

* Remove accidental edit.

* Remove unused field.

* Add a new Yaml resource tracker utility to yml package.

* Fixup tests.

* fix lint errors.

* more lint fixes.

* Remove offending test.

* Update Galley code to use tracker
Re-disable conversion test for Kubernetes environment.

* Refactor API surface and a test for framework.Suite

* Update Readme file.

* code review feedback.

* Fixup new tests.

* Add straggler test.

* Extend fake policy backend for OOP adapter integration test (#13729)

* extend fake policy backend for out of process adapter integration test

* Make valid duration and valid count configurable