spiffe: fix handling of trust bundles with multiple keys #44831
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
😊 Welcome @rohitagarwal003! This is either your first contribution to the Istio istio repo, or it's been You can learn more about the Istio working groups, code of conduct, and contributing guidelines Thanks for contributing! Courtesy of your friendly welcome wagon. |
istio-testing
added
the
size/S
|
Hi @rohitagarwal003. Thanks for your PR. I'm waiting for a istio member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/ok-to-test |
istio-testing
added
ok-to-test
rohitagarwal003
force-pushed
the
rohitagarwal--spiffe
branch
from
2a0690b
to
e736712
Compare
istio-testing
added
size/L
|
@howardjohn Added tests and a release note. |
|
@rohitagarwal003: The following test failed, say
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
In the existing implementation, we were overriding the `cert` while iterating over doc.Keys. This commit fixes that. Further, there was an unnecessary check for the existence of `ret[trustDomain]`. We are iterating over a map with `trustDomain` as keys, maps don't have duplicate keys, and so `ret[trustDomain]` would never have had a key before we set it in this iteration. Change-Id: I4132cd1edb18e415f5d1c228c04d60adaddc7445
rohitagarwal003
force-pushed
the
rohitagarwal--spiffe
branch
from
e736712
to
2765664
Compare
rohitagarwal003
added a commit
to rohitagarwal003/istio
that referenced
this pull request
May 14, 2023
In the existing implementation, we were overriding the `cert` while iterating over doc.Keys. This commit fixes that. Further, there was an unnecessary check for the existence of `ret[trustDomain]`. We are iterating over a map with `trustDomain` as keys, maps don't have duplicate keys, and so `ret[trustDomain]` would never have had a key before we set it in this iteration. This is a cherry-pick for istio#44831 (with modifications in the tests to avoid conflicts). Change-Id: Ie3dd2d52d365054a621b6c0e50f5b4c8b9f9246b
|
@rohitagarwal003, Don't we need to cherry pick this to 1.18 as well? |
istio-testing
pushed a commit
that referenced
this pull request
May 16, 2023
In the existing implementation, we were overriding the `cert` while iterating over doc.Keys. This commit fixes that. Further, there was an unnecessary check for the existence of `ret[trustDomain]`. We are iterating over a map with `trustDomain` as keys, maps don't have duplicate keys, and so `ret[trustDomain]` would never have had a key before we set it in this iteration. This is a cherry-pick for #44831 (with modifications in the tests to avoid conflicts). Change-Id: Ie3dd2d52d365054a621b6c0e50f5b4c8b9f9246b
rohitagarwal003
added a commit
to rohitagarwal003/istio
that referenced
this pull request
May 16, 2023
In the existing implementation, we were overriding the `cert` while iterating over doc.Keys. This commit fixes that. Further, there was an unnecessary check for the existence of `ret[trustDomain]`. We are iterating over a map with `trustDomain` as keys, maps don't have duplicate keys, and so `ret[trustDomain]` would never have had a key before we set it in this iteration. This is a cherry-pick for istio#44831 (with modifications in the tests to avoid conflicts). This was cherry-picked in 1.17 as istio#44909. Change-Id: Ibf68f75cc667a72cce68bd42e4f600bd37946222
istio-testing
pushed a commit
that referenced
this pull request
May 17, 2023
In the existing implementation, we were overriding the `cert` while iterating over doc.Keys. This commit fixes that. Further, there was an unnecessary check for the existence of `ret[trustDomain]`. We are iterating over a map with `trustDomain` as keys, maps don't have duplicate keys, and so `ret[trustDomain]` would never have had a key before we set it in this iteration. This is a cherry-pick for #44831 (with modifications in the tests to avoid conflicts). This was cherry-picked in 1.17 as #44909. Change-Id: Ibf68f75cc667a72cce68bd42e4f600bd37946222
johnma14
pushed a commit
to johnma14/istio
that referenced
this pull request
May 25, 2023
In the existing implementation, we were overriding the `cert` while iterating over doc.Keys. This commit fixes that. Further, there was an unnecessary check for the existence of `ret[trustDomain]`. We are iterating over a map with `trustDomain` as keys, maps don't have duplicate keys, and so `ret[trustDomain]` would never have had a key before we set it in this iteration. This is a cherry-pick for istio#44831 (with modifications in the tests to avoid conflicts). Change-Id: Ie3dd2d52d365054a621b6c0e50f5b4c8b9f9246b
psbrar99
added a commit
to tetratelabs/istio
that referenced
this pull request
Aug 7, 2023
* Retry when east-west gateway hostname resolution fails (istio#44192) * retry when gateway hostnames resolution failed * add a ut * add a release note * test * test retry period * test * test * update retry period * distinguish server failure * fix * fix ttl * remove named return values * address comments * Automator: update proxy@master in istio/istio@master (istio#44295) * gateway: skip un-managed types in deploymentcontroller (istio#43541) * Automator: update proxy@master in istio/istio@master (istio#44298) * Add nil-check for WASM validation (istio#44296) * kube-probe: avoid duplicate probe headers (istio#44297) This is a regression of istio#28466 from istio#31866 The 31866 fixed the k8s spec having duplicates, but we end up duplicating all headers twice - the kubelet adds the header from HTTPHeaders and we also add from HTTPHeaders, resulting in 2x every header. Instead, we simply copy the incoming request headers and host, making us a fairly transparent proxy. * Refactor multi network manage (istio#44190) * Refactor multi network * Change reloadXX to networkManager's private method * Automator: update go-control-plane in istio/istio@master (istio#44301) * Automator: update proxy@master in istio/istio@master (istio#44302) * Automator: update common-files@master in istio/istio@master (istio#44305) * skip gateway.istio.io/controller-version anno message that is not created by users (istio#44306) * Automator: update istio/client-go@master dependency in istio/istio@master (istio#44312) * Fix the metric and log reports for the dryrun gateway config (istio#44303) * fix reporting metric for dryrun gateway config * add releasnotes * improve log * Automator: update common-files@master in istio/istio@master (istio#44314) * Early update_deps.sh before branching (istio#44317) * e2e: refactor grpc stats test (istio#44307) * e2e: refactor grpc stats test * fix gen * fix build * fix analyze * fix buildGRPCQuery Signed-off-by: hejianpeng <hejianpeng2@huawei.com> --------- Signed-off-by: hejianpeng <hejianpeng2@huawei.com> * Automator: update proxy@master in istio/istio@master (istio#44320) * Fix system namespace filtering (istio#44325) * update istio.io/api (istio#44330) * validation: add another nil check (istio#44332) * Fix type at shared.go (istio#44326) Signed-off-by: jongwooo <jongwooo.han@gmail.com> * Update istio.io modules (istio#44331) * Update istio.io modules * Run `mske gen` * Add update_ztunnel script (istio#44334) * remove sync all (istio#44111) * remove syncall * update * update * Fix namespace equal check * Fix ClusterExternalAddresses race * Fix * Add bookinfo demo for PSA (istio#44214) Signed-off-by: Kalya Subramanian <kasubra@microsoft.com> * Integration tests for ENABLE_ENHANCED_RESOURCE_SCOPING feature (istio#44246) * Integration tests for ENABLE_ENHANCED_RESOURCE_SCOPING feature Signed-off-by: Faseela K <faseela.k@est.tech> * fix lint Signed-off-by: Faseela K <faseela.k@est.tech> * add build tag Signed-off-by: Faseela K <faseela.k@est.tech> * fix lint Signed-off-by: Faseela K <faseela.k@est.tech> * skip VMs Signed-off-by: Faseela K <faseela.k@est.tech> * Require singlecluster Signed-off-by: Faseela K <faseela.k@est.tech> * SkipExternalControlPlaneTopology Signed-off-by: Faseela K <faseela.k@est.tech> * Require Multi Primary Signed-off-by: Faseela K <faseela.k@est.tech> * add build tag Signed-off-by: Faseela K <faseela.k@est.tech> * replace httpbin.org with echo external service Signed-off-by: Faseela K <faseela.k@est.tech> --------- Signed-off-by: Faseela K <faseela.k@est.tech> * Update deps 2023 04 10 (istio#44319) * ./bin/update_deps.sh * update go deps * Remove default.yaml * Make gen * Revert change to distroless * Fix controller runtime * Update istio.io/api and istio.io/pkg * Run go mod tidy * Update release prow * Update istio.io/api * Automator: update istio/client-go@master dependency in istio/istio@master (istio#44339) * Use official 0.27.0 release (istio#44340) * reduced tokenWaitBackoff from 1 second to 10 millis (istio#44338) * Fix the ztunnel iop specification for resources leads to a patch error. (istio#44322) * fix ztunnel iop resource * add test * Automator: update proxy@master in istio/istio@master (istio#44343) * Fix ServiceEntry WorkloadInstanceHandler for label change in Pods (istio#42922) * Fix ServiceEntry WorkloadInstanceHandler for label change in Pods For a label change in WorkloadInstance, which results in a mismatch with a previously matching ServiceEntry, the whole update event is skipped. Which results in the WorkloadInstance not getting removed from the ServiceEntry. This fix changes the behaviour for such cases to handle those updates similar to a delete event and clean up the WorkloadInstance from the list. Fixes [istio#42921] * use DeepEquals to avoid SubsetOf iteration * gocritic linting fix * go back to the first approach * fix workloadInstanceDiff * fix linting errors * change test cases to table format * fix testcase for new Event type * fix Event Type * go fmt * remove wi diff * Update BASE_VERSION to master-2023-04-12T19-02-00 (istio#44357) * Add docs for Calico, set the annotation by default. (istio#44259) * Add docs for Calico, set the annotation by default. * Finish the comment. * Remove debug, kubectl debug works * indent * Update manifests/charts/istio-cni/README.md --------- Co-authored-by: John Howard <howardjohn@google.com> * update_deps.sh change (istio#44373) * fix gateway service name (istio#44365) * Automator: update proxy@master in istio/istio@master (istio#44380) * validation: add small nil check (istio#44360) * Remove kustomize and precompute manifests (istio#44376) See istio#44237 for more info * Add a better check for ztunnel pod guess (istio#44292) * add a better check for ztunnel guess * rebise based on comments * cni: drop experimental taint controller (istio#44377) This controller was added many years ago as an experiment and hasn't progressed. Unless there are users who have remained hidden during this time, I think its effectively dead code we should cleanup. * kube: use protobuf in client (istio#44379) * kube: use protobuf in client This was attempted in istio#38658 but the `config` set is never used there. Also add an opt-out and AcceptContentTypes to allow json fallback as recommended by k8s * fix writes * Remove release note approval by release-managers (istio#44395) * gateway: prevent duplicate `istio_authn` network filter in the filter chain (istio#44388) * gateway: prevent duplicate `istio_authn` network filter in the filter chain Signed-off-by: Yaroslav Skopets <yaroslav@tetrate.io> * add release notes Signed-off-by: Yaroslav Skopets <yaroslav@tetrate.io> * fix lint Signed-off-by: Yaroslav Skopets <yaroslav@tetrate.io> * fixup Signed-off-by: Yaroslav Skopets <yaroslav@tetrate.io> * ensure stability of the unit test Signed-off-by: Yaroslav Skopets <yaroslav@tetrate.io> --------- Signed-off-by: Yaroslav Skopets <yaroslav@tetrate.io> * Add response headers for grpc (istio#44394) * Add response headers for grpc * Update the output * Automator: update istio/client-go@master dependency in istio/istio@master (istio#44396) * Automator: update common-files@master in istio/istio@master (istio#44398) * Use k8s 1.27.0 as the default node image for integration testing (istio#44400) * Automator: update proxy@master in istio/istio@master (istio#44403) * remove deadcode from operator proto (istio#44397) Was missed in previous PR * fix:productpage build fail (istio#44405) Signed-off-by: xin.li <xin.li@daocloud.io> * Run update_deps.sh (istio#44404) * chore: Fix function name of comment (istio#44406) Correct name is runAllTypes but comment has pruneAllTypes * Automator: update go-control-plane in istio/istio@master (istio#44407) * Automator: update proxy@master in istio/istio@master (istio#44408) * Automator: update ztunnel@master in istio/istio@master (istio#44409) * Remove hard coded Istio namespace (istio#44410) * Automator: update proxy@master in istio/istio@master (istio#44411) * Analyze: add cert check for gateway credential (istio#43921) * add cert check for gateway credential * add releasenotes and lint * reuse some logics and add more checks * make gen * remove unnecessary releasenotes * Automator: update proxy@master in istio/istio@master (istio#44419) * Fix webhook issues in installation process (istio#44345) * fix webhook creation in install process * add releasenotes * Only set the WorkloadSelector of ServiceEntry if the label is not empty (istio#44420) Signed-off-by: Yanqiang Miao <miaoyq_2010@163.com> * Setting the control plane lazily (istio#44417) Change-Id: I31adfcb808d04aef51c42ddaed5b3473db2397a5 * Automator: update proxy@master in istio/istio@master (istio#44431) * "istioctl pc route" output add "VHOST NAME" (istio#44414) * "istioctl pc route" output add "VHOST NAME" * add releasenote * fix * Update releasenotes/notes/44414.yaml Co-authored-by: Yossi Mesika <ymesika@gmail.com> --------- Co-authored-by: Yossi Mesika <ymesika@gmail.com> * Temper severity of extraneous errors (istio#44416) When the CNI initially runs on a node that is clean of the ztunnel chains errors and warnings are logged that are extraneous. This change reduces the severity and adds comments in the code. * cleanup message.yaml (istio#44421) * update_deps for 1.18 branch cut (istio#44436) * Automator: update proxy@master in istio/istio@master (istio#44442) * fix wrong example for admin log (istio#44438) Signed-off-by: xin.li <xin.li@daocloud.io> * add validation for empty prefix header match (istio#44428) * add validation for empty prefix header match * fix linter issues * update error message + add a release note * add "prefix" to the error message * >fix `istioctl analyze` to panic when the server port in gateway is nil. (istio#44321) * >fix `istioctl analyze` to panic when the server port in gateway is nil. * Update releasenotes/notes/fix-44318.yaml Co-authored-by: Xiaopeng Han <hanxiaop8@outlook.com> --------- Co-authored-by: Xiaopeng Han <hanxiaop8@outlook.com> * Automator: update ztunnel@release-1.18 in istio/istio@release-1.18 (istio#44527) * Automator: update proxy@release-1.18 in istio/istio@release-1.18 (istio#44550) * [release-1.18] Automated branching step 4 (istio#44553) * Automator: update istio/pkg@release-1.18 dependency in istio/istio@release-1.18 (istio#44559) * Automator: update ztunnel@release-1.18 in istio/istio@release-1.18 (istio#44560) * Automator: update proxy@release-1.18 in istio/istio@release-1.18 (istio#44564) * Automator: update istio/client-go@release-1.18 dependency in istio/istio@release-1.18 (istio#44563) * Automator: update common-files@release-1.18 in istio/istio@release-1.18 (istio#44567) * Automator: update istio/client-go@release-1.18 dependency in istio/istio@release-1.18 (istio#44569) * Update BASE_VERSION to release-1.18-2023-04-26T19-01-40 (istio#44576) * Automator: update ztunnel@release-1.18 in istio/istio@release-1.18 (istio#44607) * Automator: update proxy@release-1.18 in istio/istio@release-1.18 (istio#44610) * Update master to 1.18 (istio#44615) * gateway-api: start reading ReferenceGrant beta (istio#44619) Co-authored-by: John Howard <howardjohn@google.com> * update to kiali 1.67.0 (istio#44504) Co-authored-by: John Mazzitelli <mazz@redhat.com> * revise waypoint examples (istio#44511) Co-authored-by: xiaopeng <hanxiaop8@outlook.com> * Use safer dedupe for config (istio#44521) This is just appending them, there is no guarantee of conflicts being avoided Co-authored-by: John Howard <howardjohn@google.com> * disable automount SA token only on tests with min istio revisions >= 1.16 (istio#44533) Testing multiple istio versions involves older istio versions which doesn't support sidecars with disable automount SA token. This was enabled form 1.16 onwards. Co-authored-by: akshayjnambiar <akshayjnambiar@google.com> * Automator: update ztunnel@release-1.18 in istio/istio@release-1.18 (istio#44625) * [release-1.18] Fix pilot using wrong readinessprobe check, should check if /validate and /inject endpoints are ready. (istio#44632) * fix validationcontroller not having readinessprobe * add releasenotes * revise based on comments * revise based on comments * Delete 44526.yaml --------- Co-authored-by: xiaopeng <hanxiaop8@outlook.com> * typo fix for failover validation (istio#44638) Co-authored-by: Greg Hanson <gregory.hanson@solo.io> * telemetry: deflake access log tests (istio#44645) Example failure: https://prow.istio.io/view/gs/istio-prow/pr-logs/directory/integ-telemetry_istio/1652008195079540736 It looks like the XDS push is just causing too much load and it takes more than 10s to process. We see during XDS push /stats/prometheus also times out. Co-authored-by: John Howard <howardjohn@google.com> * [release-1.18] Support p384 curves (istio#44628) * support p384 curves * code review and make gen * cleanup test * fix linter * only support 256 and 384 * cleanup tests --------- Co-authored-by: Jacob Delgado <jacob.delgado@volunteers.acasi.info> * Automator: update go-control-plane in istio/istio@release-1.18 (istio#44651) * [release-1.18] Skip runtime resources when analyzing files (istio#44663) * Skip runtime resources when analyzing files * add test data and fmt * add support for tests to analyze pods * update analyze test to respect file exclusions * show failed json in message * fix json formatting * differentiate json analyzer tests * add release note --------- Co-authored-by: Mitch Connors <mitchconnors@gmail.com> * [release-1.18] gateway: fix and test unmanaged skipping (istio#44508) * gateway: fix and test unmanaged skipping istio#43541 didn't work quite right due to a rebasing issue. Fix it and add better tests * fix test * fix log * use unique name (istio#44528) (cherry picked from commit 7033e9537a68f23a77f804f35413c7d00b6e00be) (cherry picked from commit c8f7331) --------- Co-authored-by: John Howard <howardjohn@google.com> * vwh: speedup reconcilation and fix test flake (istio#44658) Fixes https://prow.istio.io/view/gs/istio-prow/logs/integ-pilot-cpp_istio_postsubmit/1651656748131422208 failure This is a 1.18 regression since we changed the queue backoff. This fixes it in 2 ways: * Make sure we don't ahve to wait 1min every time * Make sure once one webhook succeeds, all of them do This also makes the test more robust to wait for all webhooks instead of just one. Co-authored-by: John Howard <howardjohn@google.com> * Automator: update istio/client-go@release-1.18 dependency in istio/istio@release-1.18 (istio#44672) * Automator: update common-files@release-1.18 in istio/istio@release-1.18 (istio#44669) * Use go-control-plane from the last commmit before 1.26 was cut (istio#44674) * Automator: update proxy@release-1.18 in istio/istio@release-1.18 (istio#44682) * Fix new test which was broken on distroless (istio#44685) There is no distroless app container Co-authored-by: John Howard <howardjohn@google.com> * Automator: update ztunnel@release-1.18 in istio/istio@release-1.18 (istio#44694) * update_deps output priot to beta0 build (istio#44699) * Automator: update proxy@release-1.18 in istio/istio@release-1.18 (istio#44707) * Actually change the rate limiter type (istio#44726) Co-authored-by: John Howard <howardjohn@google.com> * Automator: update common-files@release-1.18 in istio/istio@release-1.18 (istio#44727) * Automator: update istio/client-go@release-1.18 dependency in istio/istio@release-1.18 (istio#44724) * Automator: update proxy@release-1.18 in istio/istio@release-1.18 (istio#44728) * Automator: update proxy@release-1.18 in istio/istio@release-1.18 (istio#44738) * Fix multi-cluster issue by increasing the timeout of listing CRDs (istio#44715) (istio#44740) When a new secret is added, a watcher will be created based on the remote secret. The process can fail if the API server doesn't respond in 10 seconds which can be the case if the cluster contains a lot of CRDs. This PR bumps the timeout to 60 seconds which is the default timeout value (specified in --request-timeout) for requests to API server. * [release-1.18] Fix persistent sessions scale down with envoy (istio#44653) * Missing change for persistent session support. Without it envoy will drop the draining endpoints and scale down will break. * Update the cluster status to be more future proof, add grpc, c++ implementation requires this * Remove unhealthy --------- Co-authored-by: Costin Manolache <costin@gmail.com> * Automator: update ztunnel@release-1.18 in istio/istio@release-1.18 (istio#44760) * [release-1.18] Fix gateway hostname resolution TTL (istio#44768) * fix gateway hostname resolution ttl * add tests --------- Co-authored-by: dddddai <dddwq@foxmail.com> * [release-1.18] Fix verify-install to work with multi iops (istio#44752) * fix verify-install with multi iops * Update releasenotes/notes/verify-install-multi-iops.yaml Co-authored-by: Eric Van Norman <ericvn@us.ibm.com> --------- Co-authored-by: xiaopeng <hanxiaop8@outlook.com> Co-authored-by: Eric Van Norman <ericvn@us.ibm.com> * deployment controller: add leaderelection back (istio#44746) (istio#44771) * Add per-revision leader election * Add leader election for deployment controller (cherry picked from commit acd30f9) * Automator: update proxy@release-1.18 in istio/istio@release-1.18 (istio#44774) * Automator: update proxy@release-1.18 in istio/istio@release-1.18 (istio#44780) * fix missing gateway services (istio#44461) Co-authored-by: dddddai <dddwq@foxmail.com> * add support for security.istio.io/v1beta1 api in authz tests when testing multiple istio versions (istio#44806) Testing multiple istio versions involves older istio versions which uses the v1beta1 api. This change will start using v1 for 1.17+ and v1beta1 for 1.16-. Co-authored-by: Akshay J Nambiar <akshayjnambiar@users.noreply.github.com> * set delay between retry attempts (istio#44809) Co-authored-by: dddddai <dddwq@foxmail.com> * [release-1.18] istiod: drop Alpha Gateway API types by default (istio#44812) * istiod: drop Alpha Gateway API types by default This is problematic because most providers will not install Alpha CRDs. So once these promote to Beta, clusters will have *only* beta version in the CRD. We would detect the CRD and attempt to watch, but fail as alpha does not exist. This makes the alpha enablement an explicit opt-in to avoid this. An alternative could be to read the actual CRD to check it has the version we want. However, this is not safe -- a user may silently stop reading critical configurations. This is not needed for Istio CRDs as we don't remove old versions. * Fix test * fix build * fix note --------- Co-authored-by: John Howard <howardjohn@google.com> * [release-1.18] Fix precheck and analysis messages (istio#44832) * fix precheck and analysis messages * fix lint --------- Co-authored-by: xiaopeng <hanxiaop8@outlook.com> * update_deps prior to beta1 build (istio#44846) * inject: remove unknown fields from template (istio#44860) We have a number of cases where we insert unknown fields into the template. This eventually gets marshalled into a `v1.Pod`, so the unknown fields are dropped. So it has no impact, but it is "wrong". However, one of the fields we have (restartPolicy) is actually going to be a valid field in future k8s, so would start breaking at that point. So this *will* be a critical bug for future k8s versions. Test with: Replace applyOverlayYAML with ``` decoder := json.NewDecoder(bytes.NewReader(patched)) decoder.DisallowUnknownFields() if err := decoder.Decode(&pod); err != nil { return nil, fmt.Errorf("unmarshal patched pod: %v", err) } ``` Its probably a nice idea to keep it as non-strict to be resilient to unexpected issues? Co-authored-by: John Howard <howardjohn@google.com> * [release-1.18] vm: support health checks for VMs that are not using auto-registration (istio#44866) * vm: support health checks for VMs that are not using auto-registration Signed-off-by: Yaroslav Skopets <yaroslav@tetrate.io> * add release notes Signed-off-by: Yaroslav Skopets <yaroslav@tetrate.io> --------- Signed-off-by: Yaroslav Skopets <yaroslav@tetrate.io> Co-authored-by: Yaroslav Skopets <yaroslav@tetrate.io> * remove file from file certs before triggering call backs (istio#44907) Signed-off-by: Rama Chavali <rama.rao@salesforce.com> Co-authored-by: Rama Chavali <rama.rao@salesforce.com> * spiffe: fix handling of trust bundles with multiple keys (istio#44947) In the existing implementation, we were overriding the `cert` while iterating over doc.Keys. This commit fixes that. Further, there was an unnecessary check for the existence of `ret[trustDomain]`. We are iterating over a map with `trustDomain` as keys, maps don't have duplicate keys, and so `ret[trustDomain]` would never have had a key before we set it in this iteration. This is a cherry-pick for istio#44831 (with modifications in the tests to avoid conflicts). This was cherry-picked in 1.17 as istio#44909. Change-Id: Ibf68f75cc667a72cce68bd42e4f600bd37946222 * Automator: update common-files@release-1.18 in istio/istio@release-1.18 (istio#44992) * Automator: update ztunnel@release-1.18 in istio/istio@release-1.18 (istio#45001) * Automator: update istio/client-go@release-1.18 dependency in istio/istio@release-1.18 (istio#44994) * Automator: update proxy@release-1.18 in istio/istio@release-1.18 (istio#45008) * [release-1.18] deploymentcontroller: add support for ProxyConfig CRD (istio#44987) * deploymentcontroller: add support for ProxyConfig CRD (istio#44916) * deploymentcontroller: add support for ProxyConfig CRD Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Handle default gateway labels Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Remove a comment Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Handle pod annotations Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Encapsulate EffectiveProxyConfig into GetProxyConfigOrDefault Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Remove default pod label service.istio.io/canonical-name Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Respect only istio.io/gateway-name label when matching ProxyConfig with Gateway Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Add release note Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Change area in the relase note Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Remove support for proxy.istio.io/config annotation applied to k8s Gateway pods Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> --------- Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Fix unit tests Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> --------- Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Automator: update istio/client-go@release-1.18 dependency in istio/istio@release-1.18 (istio#45024) * [release-1.18] Fix bug report missing all logs for json logs (istio#45026) * Add json log parsing * Remove bug report file * Omit filter and add tests * Extract to parseLog * Fix test failures * Fix format --------- Co-authored-by: Siyi Wang <siyiwang@google.com> * telemetry: enable experimental mertic expiry (istio#44605) (istio#45037) * mertic-expiry * fix test * fix lint * add release-notes * fix gen * use ProxyMetadata * fix rebase * add test * update release-notes * fix not working * reduce xds size * use pilot ENV * update with john's comment * add UT * fix lint --------- Signed-off-by: hejianpeng <hejianpeng2@huawei.com> * [release-1.18] fix backoff and read ca file interval (istio#45038) * fix read ca file interval * fix backoff never stop * address comment * remove permanent error * Address comment --------- Co-authored-by: Zhonghu Xu <xuzhonghu@huawei.com> * fix waypoint list summary and add revision (istio#45052) Co-authored-by: xiaopeng <hanxiaop8@outlook.com> * Automator: update proxy@release-1.18 in istio/istio@release-1.18 (istio#45072) * Automator: update common-files@release-1.18 in istio/istio@release-1.18 (istio#45074) * Automator: update istio/client-go@release-1.18 dependency in istio/istio@release-1.18 (istio#45076) * Automator: update proxy@release-1.18 in istio/istio@release-1.18 (istio#45094) * Update BASE_VERSION to release-1.18-2023-05-24T19-03-47 (istio#45109) * RetryWithContext should use the new NextBackOff() (istio#45123) Signed-off-by: Faseela K <faseela.k@est.tech> Co-authored-by: Faseela K <faseela.k@est.tech> * rc.0 step 1 - update deps (istio#45134) * Automator: update ztunnel@release-1.18 in istio/istio@release-1.18 (istio#45139) * Temporarily remove eBPF impl pending CNCF guidance (istio#45167) eBPF support is temporarily disabled pending CNCF establishing guidance around dual-licensed eBPF bytecode cncf/toc#1000 (comment) Signed-off-by: Benjamin Leggett <benjamin.leggett@solo.io> * 1.17: bump docker dep (istio#45199) This has a "CVE". It doesn't impact Istio but makes scanners unhappy. The dep is only used in WASM code and is a small bump so pretty low risk * Update BASE_VERSION to release-1.18-2023-05-31T19-02-09 (istio#45225) * Automator: update proxy@release-1.18 in istio/istio@release-1.18 (istio#45281) * Update BASE_VERSION to release-1.18-2023-06-05T19-04-11 (istio#45289) * Update deps prior to 1.18.0 GA (istio#45310) * Automator: update common-files@release-1.18 in istio/istio@release-1.18 (istio#45325) * Automator: update istio/client-go@release-1.18 dependency in istio/istio@release-1.18 (istio#45326) * Automator: update ztunnel@release-1.18 in istio/istio@release-1.18 (istio#45333) * precise-errorcode-debuggen (istio#45164) Change-Id: Ia2654e18006b7cc2d54bb86ff9c9a2abe9e28bf5 Co-authored-by: Ingwon Song <igsong@google.com> * [release-1.18]Manual cherry-pick of 44481 and 44775 (istio#45081) * add PDB to gateway chart * add releasenotes * revise based on comments * revise values to have better control * disable PDB by default * [release-1.18] Certificate Revocation List support (istio#45130) * refactor KeyCertAndStaple (istio#44764) Doing this refactoring in preparation for CRL support Signed-off-by: Faseela K <faseela.k@est.tech> * Certificate Revocation List support (istio#45104) Signed-off-by: Faseela K <faseela.k@est.tech> * populate crl only when the key is present in secret (istio#45112) Signed-off-by: Faseela K <faseela.k@est.tech> * skip empty ocsp staple configuration (istio#45159) Signed-off-by: Faseela K <faseela.k@est.tech> --------- Signed-off-by: Faseela K <faseela.k@est.tech> * Adding LRS support (istio#45165) Change-Id: Ifd075d62a5f0dda3b4b57eb807677f1637bed04f Co-authored-by: Ingwon Song <igsong@google.com> * Fix invalid XDS configuration for wildcard Ingress HTTP path (istio#44898) (istio#45168) * Fix invalid XDS configuration for wildcard Ingress path Updates Ingress to VirtualService translation to not create a HTTPRequestMatch when the URI is nil. The URI is nil when the path is a wildcard or is empty and the pathType is nil or implementationSpecific. This change prevents an Envoy failure. Envoy regex fails when the path seperated prefix is empty or has a trailing "/". * Fix failing unit tests - handle sorting HTTPRoutes with no HTTPRequestMatches * Update golden converion tests for ingress. Remove empty match. --------- Signed-off-by: jaellio <jaellio@microsoft.com> * Fix Telemetry disablement matching (istio#45303) Co-authored-by: John Howard <howardjohn@google.com> * Add rolling update max unavailable to CNI chart to speed up deploys (cherry pick to release-1.18) (istio#44934) * Add rolling update max unavailable to CNI chart to speed up deploys * Update generated code * Update chart updating instructions * Add release note * Skip config from istio#44642 * [release-1.18] Fix istioctl pc secret cert validity not accurate (istio#45343) * fix istioctl pc secret cert valid * lint and add releasenotes --------- Co-authored-by: xiaopeng <hanxiaop8@outlook.com> * Change to use Node instead of RawMeta (istio#45359) Change-Id: I21117025bb99b62c18484d2f1598a001751faaa4 Co-authored-by: Ingwon Song <igsong@google.com> * [release-1.18] Check the disabled status when adding a log provider (istio#45373) * Check the disabled status when adding a log provider By checking the disabled status when adding a log provider, this PR fixes an issue where disabling a log provider through Istio telemetry API would not work. Otherwise, a disabled log provider may still be added to the log configuration and cause the disabling to not work as expected. The test case in this PR verifies that with the fix this PR, a disabled log provider will not be added to the log configuration. * Update the variable name --------- Co-authored-by: Lei Tang <32078630+lei-tang@users.noreply.github.com> * Automator: update istio/client-go@release-1.18 dependency in istio/istio@release-1.18 (istio#45381) * Automator: update proxy@release-1.18 in istio/istio@release-1.18 (istio#45450) * [release-1.18] Update min supported k8s version to 1.24 (istio#45444) * update min supported k9s version to 1.24 * add releasenotes --------- Co-authored-by: xiaopeng <hanxiaop8@outlook.com> * [release-1.18] cherry-pick: add debug info when generating certs for workloads (istio#45194) * cherry-pick: add debug info when generating certs for workloads istio#45183 Signed-off-by: huabing zhao <zhaohuabing@gmail.com> * remove signer and make ttl human readable Signed-off-by: huabing zhao <zhaohuabing@gmail.com> --------- Signed-off-by: huabing zhao <zhaohuabing@gmail.com> * Update BASE_VERSION to 1.18-2023-06-15T19-02-54 (istio#45495) * [release-1.18] improve accesslog mode e2e tests (istio#45519) * improve accesslog mode e2e tests * retry Signed-off-by: hejianpeng <hejianpeng2@huawei.com> * fix --------- Signed-off-by: hejianpeng <hejianpeng2@huawei.com> Co-authored-by: hejianpeng <hejianpeng2@huawei.com> * Automator: update common-files@release-1.18 in istio/istio@release-1.18 (istio#45569) * Automator: update istio/client-go@release-1.18 dependency in istio/istio@release-1.18 (istio#45570) * Automator: update ztunnel@release-1.18 in istio/istio@release-1.18 (istio#45579) * Automator: update proxy@release-1.18 in istio/istio@release-1.18 (istio#45587) * prow: move to use WI for auth_header in private (istio#45609) This replaces authentikos Co-authored-by: John Howard <howardjohn@google.com> * Automator: update proxy@release-1.18 in istio/istio@release-1.18 (istio#45667) * Automator: update istio/client-go@release-1.18 dependency in istio/istio@release-1.18 (istio#45660) * Automator: update common-files@release-1.18 in istio/istio@release-1.18 (istio#45690) * Bump github.com/lestrrat-go/jwx from 1.2.25 to 1.2.26 (istio#45684) Signed-off-by: Kalya Subramanian <kasubra@microsoft.com> * Automator: update ztunnel@release-1.18 in istio/istio@release-1.18 (istio#45702) * Fix auth header syntax (istio#45711) Co-authored-by: John Howard <howardjohn@google.com> * gcp metadata: compute GCPClusterURL from metadata (istio#45741) This allows computing GCPClusterURL from GCP_METADATA env var, if it is set. This allows usage with zero dependency on the metadata server. * Automator: update proxy@release-1.18 in istio/istio@release-1.18 (istio#45747) * Automator: update proxy@release-1.18 in istio/istio@release-1.18 (istio#45769) * Automator: update proxy@release-1.18 in istio/istio@release-1.18 (istio#45771) * Automator: update proxy@release-1.18 in istio/istio@release-1.18 (istio#45834) * [release-1.18] Fix a potential nil panic of endpointindex (istio#45808) * fix a potential nil panic of endpointindex * add releasenotes * revise releasenotes --------- Co-authored-by: xiaopeng <hanxiaop8@outlook.com> * Automator: update istio/client-go@release-1.18 dependency in istio/istio@release-1.18 (istio#45857) * [release-1.18] Fix bug report include option not working as expected (istio#45860) * fix bug report include option * add releasenotes --------- Co-authored-by: xiaopeng <hanxiaop8@outlook.com> * Automator: update istio/client-go@release-1.18 dependency in istio/istio@release-1.18 (istio#45876) * Automator: update common-files@release-1.18 in istio/istio@release-1.18 (istio#45875) * Automator: update ztunnel@release-1.18 in istio/istio@release-1.18 (istio#45892) * Automator: update common-files@release-1.18 in istio/istio@release-1.18 (istio#45936) * Automator: update istio/client-go@release-1.18 dependency in istio/istio@release-1.18 (istio#45938) * [release-1.18] Fix health probe port overwrite (istio#45873) * Remove app req host override with req host on health-check Signed-off-by: jaellio <jaellio@microsoft.com> * set appReq host to prober host value Signed-off-by: jaellio <jaellio@microsoft.com> * add conditional check before setting appReq host to probe host Signed-off-by: jaellio <jaellio@microsoft.com> * Remove host override from app probe unit tests. The explicit override does not reflect the actual request host value on health probe requests. Prior to being processed in the istio-proxy the host of the request should not be set to the app port. Signed-off-by: jaellio <jaellio@microsoft.com> --------- Signed-off-by: jaellio <jaellio@microsoft.com> Co-authored-by: jaellio <jaellio@microsoft.com> * Add release note for istio#45632 (istio#45927) Signed-off-by: jaellio <jaellio@microsoft.com> Co-authored-by: jaellio <jaellio@microsoft.com> * Automator: update ztunnel@release-1.18 in istio/istio@release-1.18 (istio#45948) * [release-1.18] Set inject true for compatibility tests (istio#45928) * Set inject true for compatibility tests * adding the fix to TestProxyProtocolTCPGateway and TestCustomGateway --------- Co-authored-by: Riya Sinha <riyasinha@google.com> * [release-1.18] prevent port conflict with sidecar static listener like 15021 15090 (istio#45966) * prevent port conflict with sidecar static listener 15021 15090 * remove duplicate conflict detection * address comment --------- Co-authored-by: Zhonghu Xu <xuzhonghu@huawei.com> * Update image from (istio#45958) Co-authored-by: Eric Van Norman <ericvn@us.ibm.com> * Automator: update common-files@release-1.18 in istio/istio@release-1.18 (istio#45995) * Automator: update istio/client-go@release-1.18 dependency in istio/istio@release-1.18 (istio#45996) * Automator: update ztunnel@release-1.18 in istio/istio@release-1.18 (istio#46000) * Automator: update proxy@release-1.18 in istio/istio@release-1.18 (istio#46007) * Exit if sds socket not found (istio#45941) (istio#46014) * Exit if sds socket not found (istio#45941) * adding - exit if sds socket not found * fix release note for # 45941 * renaming flag to USE_EXTERNAL_WORKLOAD_SDS * rewording release note for istio#45941, describe usage of USE_EXTERNAL_SDS_SOCKET * fix cherry-pick * fix conflict (istio#46017) Signed-off-by: Kuat Yessenov <kuat@google.com> Co-authored-by: Kuat Yessenov <kuat@google.com> * fix concurrent map access in endpoint metadata (istio#44473) (istio#46021) * fix concurrent map access in endpoint metadata * only clone as needed * only clone as needed * remove unnecessary code * review comments * fix ut * add test case * add lock --------- Signed-off-by: Rama Chavali <rama.rao@salesforce.com> Co-authored-by: Rama Chavali <rama.rao@salesforce.com> * Fix nil map for cluster builder (istio#46024) Co-authored-by: Sergii Shapar <sshapar@google.com> * Automator: update proxy@release-1.18 in istio/istio@release-1.18 (istio#46025) * Automator: update proxy@release-1.18 in istio/istio@release-1.18 (istio#46039) * Bump proxy version (#122) * Add validation of workload entry identity (#117) (cherry picked from commit b6eefaf3045227431b60384002e5b0c57740288d) * 1.18.2 tetrate build Signed-off-by: psbrar99 <brargg1989@gmail.com> * eks patch Signed-off-by: psbrar99 <brargg1989@gmail.com> * 1.18.2 tetratefips build Signed-off-by: psbrar99 <brargg1989@gmail.com> * 1.18.2 tetratefips build Signed-off-by: psbrar99 <brargg1989@gmail.com> * 1.18.2 tetratefips build Signed-off-by: psbrar99 <brargg1989@gmail.com> * 1.18.2 tetratefips build Signed-off-by: psbrar99 <brargg1989@gmail.com> * bump proxy SHA Signed-off-by: psbrar99 <brargg1989@gmail.com> * envoy cves Signed-off-by: psbrar99 <brargg1989@gmail.com> * envoy cves Signed-off-by: psbrar99 <brargg1989@gmail.com> * bump proxy SHA Signed-off-by: psbrar99 <brargg1989@gmail.com> * running e2e tests for pilot Signed-off-by: psbrar99 <brargg1989@gmail.com> * running e2e tests for pilot Signed-off-by: psbrar99 <brargg1989@gmail.com> * running e2e tests for pilot Signed-off-by: psbrar99 <brargg1989@gmail.com> * bump runners Signed-off-by: psbrar99 <brargg1989@gmail.com> * bump runners Signed-off-by: psbrar99 <brargg1989@gmail.com> * publish release Signed-off-by: psbrar99 <brargg1989@gmail.com> * update tetrate-workflow branch Signed-off-by: psbrar99 <brargg1989@gmail.com> * update tetrate-workflow branch Signed-off-by: psbrar99 <brargg1989@gmail.com> * update tetrate-workflow branch Signed-off-by: psbrar99 <brargg1989@gmail.com> * update tetrate-workflow branch Signed-off-by: psbrar99 <brargg1989@gmail.com> * Removing unnecessary code Signed-off-by: psbrar99 <brargg1989@gmail.com> * addressed comment Signed-off-by: psbrar99 <brargg1989@gmail.com> * address reveiw comments Signed-off-by: psbrar99 <brargg1989@gmail.com> * cleanup and updated new patch for eks Signed-off-by: psbrar99 <brargg1989@gmail.com> * Update tetrateci/version_check.py Co-authored-by: zirain <zirain2009@gmail.com> * fix WF for make release job Signed-off-by: psbrar99 <brargg1989@gmail.com> * fips.md update Signed-off-by: psbrar99 <brargg1989@gmail.com> * Update fips.md * Update .github/workflows/make_release.yml Co-authored-by: zirain <zirain2009@gmail.com> * Update .github/workflows/make_release.yml Co-authored-by: zirain <zirain2009@gmail.com> --------- Signed-off-by: hejianpeng <hejianpeng2@huawei.com> Signed-off-by: jongwooo <jongwooo.han@gmail.com> Signed-off-by: Kalya Subramanian <kasubra@microsoft.com> Signed-off-by: Faseela K <faseela.k@est.tech> Signed-off-by: Yaroslav Skopets <yaroslav@tetrate.io> Signed-off-by: xin.li <xin.li@daocloud.io> Signed-off-by: Yanqiang Miao <miaoyq_2010@163.com> Signed-off-by: Rama Chavali <rama.rao@salesforce.com> Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> Signed-off-by: Benjamin Leggett <benjamin.leggett@solo.io> Signed-off-by: jaellio <jaellio@microsoft.com> Signed-off-by: huabing zhao <zhaohuabing@gmail.com> Signed-off-by: Kuat Yessenov <kuat@google.com> Signed-off-by: psbrar99 <brargg1989@gmail.com> Co-authored-by: dwq <dddwq@foxmail.com> Co-authored-by: Istio Automation <istio-testing-bot@google.com> Co-authored-by: John Howard <howardjohn@google.com> Co-authored-by: Zhonghu Xu <xuzhonghu@huawei.com> Co-authored-by: Xiaopeng Han <hanxiaop8@outlook.com> Co-authored-by: Eric Van Norman <ericvn@us.ibm.com> Co-authored-by: zirain <hejianpeng2@huawei.com> Co-authored-by: Jongwoo Han <jongwooo.han@gmail.com> Co-authored-by: Kalya Subramanian <42158129+ksubrmnn@users.noreply.github.com> Co-authored-by: Faseela K <faseela.k@est.tech> Co-authored-by: jacob-delgado <jacob.delgado@volunteers.acasi.info> Co-authored-by: cebernardi <cbernardi@expediagroup.com> Co-authored-by: Rajat Sharma <rajat.shrma94@gmail.com> Co-authored-by: Costin Manolache <costin@gmail.com> Co-authored-by: pmerrison <pmerrison@me.com> Co-authored-by: Yaroslav Skopets <yaroslav@tetrate.io> Co-authored-by: my-git9 <xin.li@daocloud.io> Co-authored-by: Ikumi Nakamura <28798279+johnmanjiro13@users.noreply.github.com> Co-authored-by: Yossi Mesika <yossi.mesika@solo.io> Co-authored-by: Yanqiang Miao <miaoyq_2010@163.com> Co-authored-by: Ingwon Song <102102227+ingwonsong@users.noreply.github.com> Co-authored-by: zengyuxing <newday.jesse@gmail.com> Co-authored-by: Yossi Mesika <ymesika@gmail.com> Co-authored-by: john-a-joyce <joycej@cisco.com> Co-authored-by: pmerrison <paul@tetrate.io> Co-authored-by: Peter Jausovec <peterj@users.noreply.github.com> Co-authored-by: Nicole LiHui <nicolelihui@outlook.com> Co-authored-by: John Mazzitelli <mazz@redhat.com> Co-authored-by: akshayjnambiar <akshayjnambiar@google.com> Co-authored-by: Greg Hanson <gregory.hanson@solo.io> Co-authored-by: Mitch Connors <mitchconnors@gmail.com> Co-authored-by: Rui Gu <ruigu@google.com> Co-authored-by: Akshay J Nambiar <akshayjnambiar@users.noreply.github.com> Co-authored-by: Rama Chavali <rama.rao@salesforce.com> Co-authored-by: Rohit Agarwal <mindprince@gmail.com> Co-authored-by: Jacek Ewertowski <jewertow@redhat.com> Co-authored-by: Siyi Wang <siyiwang@google.com> Co-authored-by: Ben Leggett <854255+bleggett@users.noreply.github.com> Co-authored-by: github-actions <github-actions@github.com> Co-authored-by: Ingwon Song <igsong@google.com> Co-authored-by: Jackie Elliott <64559656+jaellio@users.noreply.github.com> Co-authored-by: Dwayne Schultz <myshkin5@users.noreply.github.com> Co-authored-by: Lei Tang <32078630+lei-tang@users.noreply.github.com> Co-authored-by: zhaohuabing <zhaohuabing@gmail.com> Co-authored-by: jaellio <jaellio@microsoft.com> Co-authored-by: Riya Sinha <riyasinha@google.com> Co-authored-by: Adam Sayah <adam.sayah@solo.io> Co-authored-by: Kuat Yessenov <kuat@google.com> Co-authored-by: Hemendra Teli <8605932+hemendrateli@users.noreply.github.com> Co-authored-by: Sergii Shapar <sshapar@google.com> Co-authored-by: zirain <zirain2009@gmail.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Please provide a description of this PR:
In the existing implementation, we were overriding the
certwhile iterating over doc.Keys. This commit fixes that.Further, there was an unnecessary check for the existence of
ret[trustDomain]. We are iterating over a map withtrustDomainas keys, maps don't have duplicate keys, and soret[trustDomain]would never have had a key before we set it in this iteration.