Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

helm stable/redis does not work with istio sidecar #5453

Closed
kminehart opened this issue May 7, 2018 · 21 comments
Closed

helm stable/redis does not work with istio sidecar #5453

kminehart opened this issue May 7, 2018 · 21 comments
Assignees
@philrud

Comments

@kminehart
Copy link

Here's the yaml i generated from helm install stable/redis.

# Source: redis/templates/redis-master-svc.yaml
apiVersion: v1
kind: Service
metadata:
  name: rune-redis-master
  labels:
    app: redis
    chart: redis-3.2.0
    release: "rune-redis"
    heritage: "Tiller"
  annotations:
spec:
  type: ClusterIP
  ports:
  - name: redis
    port: 6379
    targetPort: redis
  selector:
    app: redis
    release: "rune-redis"
    role: master
---
# Source: redis/templates/redis-slave-svc.yaml
apiVersion: v1
kind: Service
metadata:
  name: rune-redis-slave
  labels:
    app: redis
    chart: redis-3.2.0
    release: "rune-redis"
    heritage: "Tiller"
  annotations:
spec:
  type: ClusterIP
  ports:
  - name: redis
    port: 6379
    targetPort: redis
  selector:
    app: redis
    release: "rune-redis"
    role: slave
---
# Source: redis/templates/redis-slave-deployment.yaml
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: rune-redis-slave
  labels:
    app: redis
    chart: redis-3.2.0
    release: "rune-redis"
    heritage: "Tiller"
spec:
  replicas: 3
  template:
    metadata:
      labels:
        release: "rune-redis"
        role: slave
        app: redis
      annotations:
        sidecar.istio.io/inject: "false"
        
    spec:      
      securityContext:
        fsGroup: 1001
        runAsUser: 1001
      containers:
      - name: rune-redis
        image: docker.io/bitnami/redis:4.0.9
        imagePullPolicy: "Always"
        env:
        - name: REDIS_REPLICATION_MODE
          value: slave
        - name: REDIS_MASTER_HOST
          value: rune-redis-master
        - name: REDIS_PORT
          value: "6379"
        - name: REDIS_MASTER_PORT_NUMBER
          value: "6379"
        - name: ALLOW_EMPTY_PASSWORD
          value: "yes"
        - name: REDIS_DISABLE_COMMANDS
          value: 
        ports:
        - name: redis
          containerPort: 6379        
        livenessProbe:
          initialDelaySeconds: 30
          periodSeconds: 10
          timeoutSeconds: 5
          successThreshold: 1
          failureThreshold: 5
          exec:
            command:
            - redis-cli
            - ping        
        readinessProbe:
          initialDelaySeconds: 5
          periodSeconds: 10
          timeoutSeconds: 1
          successThreshold: 1
          failureThreshold: 5
          exec:
            command:
            - redis-cli
            - ping
        resources:
          null
---
# Source: redis/templates/redis-master-statefulset.yaml
apiVersion: apps/v1beta2
kind: StatefulSet
metadata:
  name: rune-redis-master
  labels:
    app: redis
    chart: redis-3.2.0
    release: "rune-redis"
    heritage: "Tiller"
spec:
  selector:
    matchLabels:
      release: "rune-redis"
      role: master
      app: redis
  serviceName: "redis-master"  
  template:
    metadata:
      labels:
        release: "rune-redis"
        role: master
        app: redis
      annotations:
        sidecar.istio.io/inject: "false"
        
    spec:
      securityContext:
        fsGroup: 1001
        runAsUser: 1001
      containers:
      - name: rune-redis
        image: "docker.io/bitnami/redis:4.0.9"
        imagePullPolicy: "Always"
        env:
        - name: REDIS_REPLICATION_MODE
          value: master
        - name: ALLOW_EMPTY_PASSWORD
          value: "yes"
        - name: REDIS_PORT
          value: "6379"
        - name: REDIS_DISABLE_COMMANDS
          value: 
        ports:
        - name: redis
          containerPort: 6379
        livenessProbe:
          initialDelaySeconds: 30
          periodSeconds: 10
          timeoutSeconds: 5
          successThreshold: 1
          failureThreshold: 5
          exec:
            command:
            - redis-cli
            - ping
        readinessProbe:
          initialDelaySeconds: 5
          periodSeconds: 10
          timeoutSeconds: 1
          successThreshold: 1
          failureThreshold: 5
          exec:
            command:
            - redis-cli
            - ping
        resources:
          null
          
        volumeMounts:
        - name: redis-data
          mountPath: /bitnami/redis/data
          subPath: 
  volumeClaimTemplates:
    - metadata:
        name: redis-data
        labels:
          app: "redis"
          chart: redis-3.2.0
          component: "master"
          release: "rune-redis"
          heritage: "Tiller"
      spec:
        accessModes:
          - "ReadWriteOnce"
        resources:
          requests:
            storage: "8Gi"

Most of it is pretty irrelevant but what you'd expect to be there is there:

  1. The pods do not have the istio sidecar on them.
  2. The service ports are named:
  ports:
  - name: redis
    port: 6379
    targetPort: redis

Istio version: 7.0.1

I thought this was fixed in 5.0.0?

Istio auto-injector version: 7.0.1
@kminehart
Copy link
Author

kminehart commented May 7, 2018
edited

Some more info:

kubectl run --namespace default redis-client --rm --tty -i --image docker.io/bitnami/redis:4.0.9 -- bash

I have no name!@redis-client-9f45fc688-dxs5c:/$ redis-cli -h rune-redis-master
Could not connect to Redis at rune-redis-master:6379: Connection refused

It doesn't matter if I don't name the service's port or if it's named redis.

However, there is an older version of this chart on the cluster and it does did work from a sidecarred service. It no longer does though after today... How can I find out what the difference is to istio, exactly?

@kminehart
Copy link
Author

Whoops, meant to put this in istio/issues

@proddam
Copy link

proddam commented Sep 1, 2018

I have the same issue. Did you find a solution? I think istio sidecars don't fit k8s statefulsets.

@kminehart
Copy link
Author

They do though.

It really looked like Istio wasn't able to handle the "redis" protocol traffic. I had it working for a while before I started running into this issue; make sure the port is named "redis".

I ditched istio whenever i couldn't figure it out, unfortunately.

@swistaczek
Copy link

@proddam did you managed to run helm/stable redis chart on istio cluster?

@emmekappa
Copy link

I'm having the same issue.

@kminehart
Copy link
Author

I think the issue might be that StatefulSets usually have 2 services mapped to the same pod, which Istio does not support. (Or did not support at the time). Did an update fix this or anything?

@kminehart kminehart reopened this Sep 27, 2018
@iroller
Copy link

iroller commented Sep 27, 2018
edited

If the issue that you see is istio sidecar not starting then check istio sidecar logs and look for envoy missing listener for inbound application port. If that's the case then creating a dummy service for your redis pods will help to get it working.

See https://github.com/istio/istio/blob/master/pilot/cmd/pilot-agent/status/ready/probe.go#L41-L65 and spotahome/redis-operator#93 (comment).

@amyroh
Copy link

amyroh commented Oct 4, 2018
edited

Commenting out securityContext from deployment.yaml works for me.

    spec:
#      securityContext:
#        runAsUser: 1001
#        fsGroup: 1001

@jaygorrell
Copy link
Contributor

@iroller I'm getting the message you mentioned (envoy missing listener for inbound application port) but I do have a service. The only thing of note here is that the container port and the service are both UDP... is it required to have a TCP-based port on the service?

@iroller
Copy link

iroller commented Oct 8, 2018
edited

@jaygorrell you probably have rfs-app-redis service for sentinel, right? Try creating rfr-...-redis service for redis pods. I provided an example below.

apiVersion: v1
kind: Service
metadata:
  name: rfr-app-redis-dummy
spec:
  ports:
    - name: redis-dummy
      port: 16379
      protocol: TCP
      targetPort: 6379
  selector:
    app: redis-failover
    component: redis
    creator: redisfailover
    redisfailover: app-redis

At least that's how services are named in redis-operator. You might want to tweak the selector for redis helm chart but the idea is create a service for redis pods, not only for sentinel.

@jaygorrell
Copy link
Contributor

Sorry @iroller, I didn't give enough info. This isn't actually a Redis service but your comment was the closest I've seen to the problem (missing listener for inbound application port).

It's a service with only a UDP port exposed. I have a service for that port with the protocol specified, but Istio fails to become healthy with that error message.

@grantbachman
Copy link

I ran into a similar issue, where my redis pod would CrashLoop after enabling the istio sidecar proxy. The root cause was actually in the Istio InitContainer, which needed to be run as root. Setting the following in the redis helm chart fixed it for me:

master:
  securityContext:
    runAsUser: 0

@stepro stepro mentioned this issue Oct 25, 2018
Closed
@stale
Copy link

stale bot commented Jan 20, 2019

This issue has been automatically marked as stale because it has not had activity in the last 90 days. It will be closed in the next 30 days unless it is tagged "help wanted" or other activity occurs. Thank you for your contributions.

@stale stale bot added the stale label Jan 20, 2019
@stale
Copy link

stale bot commented Feb 19, 2019

This issue has been automatically closed because it has not had activity in the last month and a half. If this issue is still valid, please ping a maintainer and ask them to label it as "help wanted". Thank you for your contributions.

@stale stale bot closed this as completed Feb 19, 2019
@costinm costinm removed the stale label Mar 19, 2019
@costinm costinm reopened this Mar 19, 2019
@philrud
Copy link
Member

philrud commented Mar 22, 2019

Confirming what previously has been mentioned: this not a sidecar/traffic management issue. The problem is that the securityContext.runAsUser = 1001 directive is on a Pod level hence affecting all containers in the Pod including istio-init. istio-init has to be run as root in order to configure iptables.

Commenting out runAsUser field (or moving it to the container level) resolves the issue and Redis Cluster works fine with sidecars enabled. Replicas are able to establish connections to master just fine and I'm able to execute commands via redis-cli on both master and replicas.

I suspect many charts may not work because of similar issue, one thing we could do is explicitly adding securityContext.runAsUser = 0 to the istio-init container (by default, with an option to disable that via a Helm option) so that this setting takes precedence over the pod-level one. istio-init currently requires running as root anyways.

@XBeg9
Copy link

XBeg9 commented Mar 22, 2019

@philrud that's totally right, we should disable runAsUser if want to inject istio's sidecars.

I am curious, do you use mTLS? Have you got a chance to run redis with mTLS? Thanks

@philrud
Copy link
Member

philrud commented Mar 22, 2019

@XBeg9 yes, I was running that setup with mTLS=on

@XBeg9
Copy link

XBeg9 commented Mar 22, 2019

@philrud namespace-policy or global one?

@howardjohn howardjohn mentioned this issue Mar 26, 2019
Closed
philrud pushed a commit to philrud/istio that referenced this issue Mar 26, 2019
Specify istio-init user explicitly (istio#5453)
2fcce93 
Istio-init is supposed to be run as a superuser so it can configure
iptables and this is the current default. However many popular Helm
charts typically define a single container pod and specify
`securityContext.runAsUser` on a pod level (rather than the container
level) and that is what istio-init inherits. As the result many Helm
charts aren't working with Istio auto-injection out of the box.

A simple fix would be explicitly setting `securityContext.runAsUser`
for istio-init on the container-level so it takes precedence.
duderino pushed a commit that referenced this issue Mar 27, 2019
@philrud
Specify istio-init user explicitly (#5453) (#12708)
bf0ae49 
Istio-init is supposed to be run as a superuser so it can configure
iptables and this is the current default. However many popular Helm
charts typically define a single container pod and specify
`securityContext.runAsUser` on a pod level (rather than the container
level) and that is what istio-init inherits. As the result many Helm
charts aren't working with Istio auto-injection out of the box.

A simple fix would be explicitly setting `securityContext.runAsUser`
for istio-init on the container-level so it takes precedence.
@howardjohn
Copy link
Member

@philrud is this fixed now?

@philrud
Copy link
Member

philrud commented Apr 9, 2019

yes, the fix will go live with 1.1.3, closing

@philrud philrud closed this as completed Apr 9, 2019
diemtvu added a commit that referenced this issue Apr 12, 2019
@diemtvu
Merge master to collab-authn (#13254)
c45e15d 
* Testing: support retries in Structpath (#12539)

* Testing: support retries in Structpath

The current structpath library automatically fails the test as soon as an error occurs.

This change splits structpath into 2 types:

Instance: methods return errors.

InstanceForTest: delegates to Instance and fails the test if an error occurs.

Tests that allow retries will use Instance and handle the errors manually.

* splitting out the test and non-test instances

* Fixing TestMain for sidecar_api_test

* fixing bug in ForTest

* Switching to single fluent-style api

* Move Distributor interface back to runtime. (#12242)

Distributor is an interface consumed by the runtime package.

* [Kiali][master] things needed for next version of Kiali (#11823)

* things needed for next version of kiali

* additions needed for https://issues.jboss.org/browse/KIALI-2417

* install kiali v0.15

* add read-only role for people to use if they don't want to grant write access to kiali

* mount secret to volume now, not env vars

* add rbacconfigs - https://issues.jboss.org/browse/KIALI-2564

* add prometheus scrape annotations to scrape the new metrics endpoint

* everything is now up to date for kiali v0.16

* Canonicalize help strings for CLI (#12219)

* Fix recently broken racetest on master (#12383)

* Fix racetest

* Lint

* One more race

* Added a todo with issue ref

* missing comment on exported function ConstructCustomDNSNames (#12492)

* missing comment on exported function ConstructCustomDNSNames

* Document customization process

* Merge collab-test-framework to master (#12574)

* Fix deps and broken merge for mixer test

* Fix overly restrictive golang version match

* Fix integration test framework merge issues

* Fix line length lint issue

* Interim checkin of Test Framework refactorings. (#11718)

Seeding collab-test-framework

* Tf 11 scopes (#11772)

Cleaning up the new prototype code.

* Remove hardwired constants from the deployment file.

* Fixup some tests

* Use framework2 for pilot tests (#12243)

* WIP updating sidecar test to new framework

* Re-create Pilot tests based on framework2

* Merge master => collab-test-framework (#12374)

* [Galley] Standardize worker thread lifecycles (#12125)

* [Galley] Standardize worker thread lifecycles

We currently have several worker classes that follow a similar lifecycle pattern, but are inconsistent. This PR makes standardizes the lifecycle management logic into a new Worker class.

* addressing comments.

* addressing comments.

* Update to grafana 6.0.0 (#12191)

* Support offline running productpage by packing js and css in image (#12218)

* Make code more reusable in other contexts (#11353)

* Make code more reusable in other contexts
- Export processStream methods, they are useful when using the code
outside of Istio
- Move verifySentResourcesMultipleTypes to client_test.go

* Add licence

* Correct TestAdmitPilot Case (#12281)

Signed-off-by: Chun Lin Yang <clyang@cn.ibm.com>

* Fix pilot grpc failure in Consul (#12273)

* fix wrong link for mixer (#12347)

* Update OWNERS (#12361)

* Update OWNERS

* Update OWNERS

* mixer: CEL runtime (#12145)

Signed-off-by: Kuat Yessenov <kuat@google.com>

* Change IP addresses to show up as strings in label maps in accesslog (#11740)

Change IP addresses to show up as strings in http req  in accesslog

Fix lint errors

Fix lint errors

Use stringify function

Updated based on feedback

* Improve resource lifecycle management and debuggability. (#12402)

* Improve lifecycle model.

- Add defer context.Done() to sidecar_api_test for resource cleanup.
- Ensure that Pilot's Close returns after the background go-routine is torn down.
- Properly register components/resources for cleanup purposes.
- Reverse the resource cleanup loop to make sure resource dependencies are
handled properly.
- Add friendly ids to test framework components to help with debugging.
- Refactor environment names to avoid cyclic dependencies.

* Fix lint issues.

* Major refactoring of the new framework & ensure the native mode tests work.

* Fix runaway refactoring.

* Make Istio deployment work.

* Fix some Kubernetes based tests.

- Accommodate code review feedback.

* Fix all K8s tests.

* Cleaning up of the core framework API surface.

* More cleanup of the surface area.

* Fix lint and formatting

* Update Makefile & related settings.

* Move collateral docs to framework2, remove framework and integration.

* Move framework2 -> framework

* Fixup echo.

* Fix minor bug.

* Fix lint issue.

* Minor clarification to the output message.

* Fix Makefile

* Temporarily add debug log output for tf.

* Improve in-CI debugging.

* Fix lint problem.

* Add CI Mode flag.

* Convert Always to IfNotPresent

* Convert Always to IfNotPresent

* Fix Citadel component init.

* Write pod state to files.

* Fix galley.New()

* Minor fix.

* Refactor Hub/Tag/PullPolicy usage.

* Increase deployment timeouts.

* Fix formatting bug.

* Make linter happy

* More diagnostic output support.

* minor cleanup

* Fix Yaml deployment code.

* link fixes.

* Fix comment.

* Set minikube ingress to minikube-none.

* More minukube fixes.

* Final cleanups.

* extract namespace to its own component.

* Major cleanup of structure/packages.

* Post merge fixups.

* Fixup sidecar api tests post-merge.

* Fix structpath panic.

* Increase the deployment timeouts in CI.

* Add istio 1.2 CRD file.

* Fix linting.

* Fix imports.

* Disable sidecar_api_test.go test (which is already disabled in master).

* Remove debug flag.

* Fix lint errors.

* Fix testcontext format parameters

* Disable the sidecar tests before the merge.

* Fix CI Mode timings.

* Fix CI Mode timings.

* Make linter happy.

* Cherry-pick Galley/MCP changes from 1.1 => master (#12604)

* Add dynamic discovery and listener initialization for supported k8s resource types (#11871)

* wip: dynamically discover supported crd types

* fix linter errors

* improve logs when resource type not found

* increase code coverage

* address review comments

* add a comment

* fix linter error

* extract Galley root command to server. (#12073)

* Replace root command of Galley with server mode.

* Fix linter issue.

* Wire-up excluded resource types list to the CRD check and update logging (#12143)

* - Wire-up excluded resource types list to the CRD check.
- Update logging.

* Revert copyright.

* Revert copyright.

* Do not reject entire batch of updates, if items get past validation. (#12476)

* Do not drop the whole batch, if validatin of a single resource fails.

* minor comment cleanup.

* Adding unit tests.

* Make linter happy happy happy.

* Remove myself from OWNERS files (#12608)

* add a e2e test for oop (#12577)

* Add a config package folder. (#12611)

* Hide most logging CLI options from istioctl (#12633)

* Log descriptions of pods when tests break (#11904)

* Log descriptions of pods when tests break

* Don't overwhelm the logs for a possibly transient error

* Fix kubectl syntax

* Back out change in retry behavior to avoid masking root cause

* add istio-init.yaml to .gitignore (#12542)

* authz: add authorization policy CRD to helm-init (#12541)

* Fix bug in locality LB normalization (#12532) (#12579)

The priority needs to be normalized (so it is always has no gaps), so
priorities [0,2] should be changed to [0,1]. However, we were changing
the wrong endpoint's priorities.

* Apply locality weighted lb config correctly (#12588)

Previously, this value was not set if the load balancer config was nil.
However, it should actually set anytime outlier detection is enabled, so
that locality lb can behave correctly.

* Fix bug causing empty endpoints per locality (#12615)

* Fix bug causing empty endpoints per locality

Before, we were allocating the array then appending to it, creating
empty endpoints at the start of the array.

* Predefine slice size

* Fix the MCP Client ConfigZ page (#12626)

* Fix the MCP Client ConfigZ page.

* Fix the tests

* Update test name to clear confusion.

* Add threshold for rds.go codecov (#12499)

Test is flakey, saying it has droppped coverage when it has not due to
it being nondeterministic.

* Drop log level for missing service account for spiffe uri (#12239)

* Don't require service account for spiffe

Some kubernetes pods don't have a service account. This causes a log
flood that the spiffe url is invalid, but this doesn't actually have any
negative impact. We can just make it not an error to have no service
account.

* Revert "Don't require service account for spiffe"

This reverts commit e88ff187963e97949d3b81c3575b997ddd7e7a6f.

* Just drop error -> warn

* Fix tests

* Drop log level

* [Authz v2] Add additional fields for bindings and validation. (#11800) (#12460)

* Adding additional fields for bindings and validation. (#11800)

* Implement namespaces for ServiceRoleBindings

* Implement not_namespaces and refactor

* Implement not_ips

* Implement ips (no unit tests)

* Add a unit tests for ips for ServiceRoleBinding

* Implement groups and not_groups for ServiceRoleBinding

* Implement names and not_names

* Check for duplicated definition in constraints/properties and first-class fields

* Disallow using * in names or not_names to prevent ambiguity

* Disallow using * in names or not_names to prevent ambiguity

* Refactor additional fields for bindings

* Update validation.go

* Update validation.go

* enhance verify install command (#12174)

* enhance verify install command

* fix lint

* fix lint

* configure prometheus to monitor citadel. (#12175)

* Add namespace scoping to the Gateway 'port' names (#11509) (#12500) (#12556)

* Add namespace scoping to the Gateway 'port' names (#12500) (#12500)

Currently in order to configure ingressgateway to do TLS termination
using multiple secure virtual hosts with different certificates Istio
requires Gateway 'port' names to be globally unique (i.e. distinct).
I.e. two gateways cannot have secure port named 'https' even if they
reside in different namespaces. Behavior in such case is undefined.

This breaks namespace isolation as a user creating a Gateway in one
namespace might not have access to other namespaces hence can't
if the port name is already 'taken'. Behavior in such case is undefined
and likely to render other virtual hosts unavailable.

This change adds namespace scoping to Gateway port names by appending
namespace suffix to the HTTPS RDS routes. Port names still have to be
unique within the namespace boundaries, but this change makes adding
more specific scoping rather trivial.

* Increase Gateway 'port' names scoping granularity

* Minimal changes to make locality lb not sigsegv (#12649)

* Locality label istio-locality in k8s should not contain `/`, use `.` (#12592)

* Locality label istio-locality in k8s should not contain `/`, use `.` instead

* fix comments

* Only use gateways for servers being processed (#12663)

Signed-off-by: Shriram Rajagopalan <rshriram@gmail.com>

* Propagate Envoy Metrics Service Config (#12569)

The plumbing for propagating the envoy metrics service address config is missing a step to copy the given address to the config object that is passed on to the template renderer.

* mixer: add directive demo adapter (#12505)

* finish demo

Signed-off-by: Kuat Yessenov <kuat@google.com>

* printf

Signed-off-by: Kuat Yessenov <kuat@google.com>

* publish keyval

Signed-off-by: Kuat Yessenov <kuat@google.com>

* Adding sidecars to validating webhook configuration (#12233) (#12643)

Addresses issue #12193

* Cleaning up Unit tests for RDS (#12581)

Added a new case and cleaned up the existing test cases.

* switching deployment to v1 api (#10578)

Signed-off-by: Serguei Bezverkhi <sbezverk@cisco.com>

* Cleanup Galley OWNERS file. (#12676)

* fix uds socket (#12688)

* uds fix

* readonly

* Add unit test to cover multiple different locality case (#12388)

This PR only increases test coverage. Does not impact functionality.

Signed-off-by: Liam White <liam@tetrate.io>

* Build 1.1.1 (#12690)

* Fix LB weight setting for split horizon eds (#12560)

* lb weight for split-horizon-eds shoulb be set correctly

* fix ut

* rename

* fix ut

* fix lint

* fix lint

* fix typo in default envoy JSON log format (#12473)

* Make release-1.1 changes compatible with master

* Remove extra ingress template
* cherry pick 10578
* reformat
* Update rbac.go to use httpfilter when needed
* Integration framework ensure apiVersion is top level
* Update yaml make target
* Disable setup on sidecar_api_test

* clarified mesh connect timeout fields based on code impl (#12089)

* Testing: configurable ports for Echo (#12681)

The echo component currently assumes a hard-coded list of ports. We eventually want to replace the "apps" component with echo, but in order to do that we'll need to be able to tailor the port configuration for each instance.

* add image pull secrets for zipkin. (#12327)

* Refresh oop handler with connection config update (#12575)

* refresh handler with connection update

* sanitize test error message

* Fixing coping of the data to the bucket during release (#12585)

* Fixing coping of the data to the bucket.

* Small fix

* RM folder in any case

* 'istioctl proxy-config clusters' cluster type column rendering (#12458)

* Make error message explicit (#12675)

* E2E test for health check under mtls using app prober rewrite. (#11531)

* injector changes for health check, pilot agent take over app readiness check. (#9266)

* WIP injector change to modify istio-proxy.

* move out to app_probe.go

* Iterating sidecartmpl to find the statusPort.

* use the same name for ready path.

* Get rewrite work, almost.

* Some clean up on test and check one container criteria.

* fix the injected test file.

* Add inject test for readiness probe itself.

* Add missing added test file.

* fix helm test.

* fix lint.

* update header based finding the port.

* return to previous injected file status.

* fixing TestIntoResource test.

* sed fixing all remaining injecting files.

* handling named port.

* fixing merginge failure.

* remove the debug print.

* lint fixing.

* Apply the suggestions for finding statusPort arg.

* Address comments, regex support more port value format.

* add app_probe_test.go

* add more test.

* merge fix the test.

* webhook autoinject is ready for review.

* Squashed commit of the following:

commit 501b92c76c010d3adcd2e52a9abe8cb149eb90f2
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 29 18:13:30 2019 -0800

    renaming env var.

commit 1a82b2c0de292a34643f59ce802858c8d26a7a46
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 29 17:59:25 2019 -0800

    finish migrating test to yaml file based.

commit 99bda1d7d2521b965a0f71e28d235ada469ba7b7
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 29 13:55:00 2019 -0800

    get test working.

commit 28225cd409c7790636c11da74ad8f69d0e7cf89b
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 29 13:49:58 2019 -0800

    WIP add some test files.

commit 612b8aa3db468850d8e34f47d0dc05c536f57dde
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 29 13:13:06 2019 -0800

    WIP changing to using the environment var.

commit 7dabcb1695fa375de1b93add014528ae7509c94c
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 29 10:52:47 2019 -0800

    add todo for the tests.

commit 7af6ba524176616d67d35867665225e27f4a96ce
Merge: ca22277d7 4b7b13aef
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 29 10:47:17 2019 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-wip

commit ca22277d76ed8d1c1b7c3b44cb05edfe52ccf861
Merge: 98fd48f59 744b07ad2
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Jan 28 23:15:34 2019 -0800

    Merge branch 'health-wip' of https://github.com/incfly/istio into health-wip

commit 98fd48f59f748bafe5e8518bff3d8cbfd64a2135
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Jan 28 23:15:00 2019 -0800

    findsidecar.

commit 744b07ad2406d1eb94bcf5492125f91486ad6b10
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Jan 28 22:29:28 2019 -0800

    add FindSidecar.

commit 40ed002ff6f5dd4afe22afa984384addc1be1104
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Jan 28 21:55:51 2019 -0800

    refactor some code.

commit 0fdbb2e832b7ac01f3e4ed185763b3b20bfbd2ac
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Jan 28 18:19:32 2019 -0800

    Integration test works and fixing a bug.

commit 5085dfd0e6cb4f0c9cb5c25e7f24b0b94dec176a
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Jan 28 16:09:13 2019 -0800

    all inject tests pass.

commit fe3f156316c917854c2ef4c163e7e1fb070c4fa5
Merge: a2a774498 010d5c266
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Jan 28 15:22:18 2019 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-wip

commit a2a774498e1021c1ca01c021c071e225fa330407
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Jan 28 15:16:04 2019 -0800

    update the TestWebhookInject.

commit 36fd45c074bcc787702a5a9257d23103521f525c
Author: Jianfei Hu <jianfeih@google.com>
Date:   Fri Jan 25 12:13:21 2019 -0800

    some document

commit 88dc922719e2c4723a334d1d8d959cac361b1ecb
Author: Jianfei Hu <jianfeih@google.com>
Date:   Fri Jan 25 11:43:44 2019 -0800

    new version works for kubeinject, webhook unit test.

commit 6efa0d64eca835dd860cdfc37d09ebfe110e083a
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Jan 24 18:17:38 2019 -0800

    WIP working on modifying sidecar.Args first, then modify app container patch.

commit 65a2194ae7a93581f60b56998aeb9480b4a4fde5
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Jan 24 15:20:36 2019 -0800

    WIP add what's missing to get e2e test working.

commit 1595e871c640cdabead372eada2b17d717fa707f
Merge: 256d9635f ac78a552a
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Jan 24 13:26:05 2019 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit 256d9635f4d590936c473bf3be0299064cb9c716
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Jan 24 12:14:04 2019 -0800

    add some debugging log.

commit f70096334464fd1d59a0e81997e8f0fd6623a564
Merge: bdce72119 c7eb603ee
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Jan 24 10:57:43 2019 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit bdce72119ef78dab40b750861768c332811b9ee2
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 23 18:04:37 2019 -0800

    refactor to host something up to caller.

commit b51763c21000ba2b7fe9e2bc728783ce530cfe87
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 23 16:31:32 2019 -0800

    get everything works.

commit 0815695a2fea828f06a31f14ed7795a3b3716111
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 23 15:48:27 2019 -0800

    kubeinject test is working.

commit 14c99b58f0212972d42e298fa4185275642d672c
Merge: d626bb85d 5ea79622c
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 23 15:38:30 2019 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit d626bb85dee628771f8f41fc90335ac608dea923
Merge: 3561ae0a6 66153da4d
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 23 15:38:23 2019 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit 3561ae0a69350730834e625c0710394968f9fcde
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 16 16:49:44 2019 -0800

    WIP, policy is not taking effect, test passing without rewrite.

commit a9bef0f01964a14f6ace0da6217d7a36f364b661
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 16 16:31:08 2019 -0800

    fix the json path in the patch.

commit f1aee91189e16beb0dadee6c612464b1aa9bad21
Merge: 3a7eb48e6 abc53e120
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 16 14:03:49 2019 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit 3a7eb48e6b8e4687ffc38973bf18fca11b06c957
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 16 13:57:55 2019 -0800

    fix it, removing namespace since metadata not matching will fail for kubeapply

commit 2b120347ae887b8a4aa5f955a1a8cb0bdd46d3da
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 16 11:58:39 2019 -0800

    WIP, debuggin why mtls policy is not showed up.

commit 72e9c4e488f875ffea0c3a279403277010160ee1
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 15 17:24:16 2019 -0800

    working on integration2 test framework.

commit 90c1cce9ddc55ce339aa65eac06602591d3113c9
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 15 17:04:38 2019 -0800

    add small comments.

commit 92a0edaa11734d1c6fb1c367fae56dc104c6e676
Merge: 7f5c8cbd8 e45242c0d
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 15 16:43:47 2019 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit 7f5c8cbd8d4aa57eaf8f8d739cae6dbfdab0445d
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 18 09:37:53 2018 -0800

    check rewriteAppProbe separately.

commit e2707c9b8f1b01bd4b03b2c6adb9fc79f0dcb479
Merge: 20f02c045 1ae6b4fde
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 18 09:01:37 2018 -0800

    Merge branch 'health-autoinject' of https://github.com/incfly/istio into health-autoinject

commit 20f02c04563fab9b81b418c00a5455994fda5148
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 18 08:59:57 2018 -0800

    duplicate the rewrite logic.

commit 4894cb16804d9c5a0406c2dc1b02e3395be08e64
Merge: 3b3bcbff8 d8c4579fa
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 18 08:53:44 2018 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit 1ae6b4fde00ae641637d44c0f417f635b6d9a6b1
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Dec 17 21:56:51 2018 -0800

    address comments.

commit 3b3bcbff86f982c8abc705518a0fd4ec37bf4840
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Dec 13 15:24:33 2018 -0800

    massage comments.

commit ccd670d31ef2c1817f87fe932d6f0d2ed4f609d7
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Dec 13 15:15:50 2018 -0800

    helm flag is off, so change the expected outoupt.

commit 43522c15d06054e4bb173ab2c37333a4de647c2d
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Dec 13 15:09:46 2018 -0800

    make webhook support rewriteAppHTTPProbe flag.

commit f60f18f4144482874c1219c7da90e97f19f1172f
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Dec 13 12:03:04 2018 -0800

    fixing the merge typo.

commit 05bbadfd851b3a5ad013e733d6eb5eacf5491b15
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Dec 13 11:56:38 2018 -0800

    remove unnecessary changes in test for debugging.

commit a81eacb6892509d8938be8d64f1435cf64e22317
Merge: af1a67989 f6b0ddc30
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Dec 13 11:53:07 2018 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit af1a6798988f9fe70e40add2a6d4971efa9b50ed
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 18:07:19 2018 -0800

    fixing all the test.

commit 58d0bef3520037a81db8baa34d6e13849d20af10
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 17:51:34 2018 -0800

    Get TestInject happy.

commit fcd0ae2f7a6ba2f067f460f4baad2194e517b7f1
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 17:49:42 2018 -0800

    make TestHelmInject happy.

commit 7a3ffc8d8e4b5509e1bbed2facc6e4ba14d70fa0
Merge: fcca1f89a bd1631be3
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 16:53:01 2018 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit fcca1f89af2fddfc0edb3824982aa0b81390fa6d
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 16:18:20 2018 -0800

    get webhook_test.TestInject working.

commit 06f517cfc4214994be1be848d40b12f09ba8a4b8
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 16:10:55 2018 -0800

    restructure app_probe_test working for both.

commit 7142e96ed8a3200fc91bc73aee86d471117232fc
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 13:19:41 2018 -0800

    starting to work on serious test

commit a3dfb97b4ec4de375984c2a17eb4374bc1c5046a
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 11:50:19 2018 -0800

    prototyping get familar with the test.

commit 51659dacbc569f4532dc6a37b2091f39c7cf115b
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 11:05:51 2018 -0800

    wip for adding test.

* resolve appprobetest.

* update the golden due to another injector change.

* remove unnecessary files in this pr.

* remove the test framework change.

* remove unnecessary testdata file.

* wip for adding health check test app.

* wip very hack working solution app deployed

* finally test starts working

* make sure the test works if and only if the helm flag is turned on.

* refactoring

* small adjustment.

* DeepCopy used.

* working test only healthcheck test.

* remove inline policy

* change RegisterHelmValueOverrides.

* unnecessary change.

* Finish HelmValueMap refactor.

* some cleanup.

* clean up.

* flags helm values takes higher priority.

* fix the lint.

* address comments.

* revert chagnes on HelmValuesMap.

* wip getting helm customizable with new configuration api.

TODO: testing by rebuild image.

* fix the helm value passing overrides.

* wip the app is deployed but not ready and still finishes...

* wip apps configuration not take effect.

* working version of apps configuration.

* clean up some debugging log.

* test documentation.

* WIP changing deploymentFactory to KubeApp.

* verify test works.

* clarify kubeappsconfig doc.

* get the test pass, no apps configuration yet.

* get test working.

* clean up on apps/kube.go

* few clean and update readme doc.

* change the overrides by func callback.

* fix the typo.

* fix the comments.

* Hide ServiceAccounts from PushContext log (#12702)

* Configure localityLbSetting in values.yaml (#12683)

* Configure localityLbSetting in values.yaml

* Update docs

* Fix concurrent map access (#12706)

* Remove when: always from CircleCI configuration for integration tests. (#12679)

This causes the integration tests to run, even if the previous steps fail.

* Removed unused code from EDS (#12221)

* Should not add a worker in GoroutinePool construction func (#12619)

* GoroutinePool does not add a worker in construction func

* fix ut

* remove redundant code (#12656)

* remove redundant k8s discovery code

* remove redundant

* Configure logging level in proxy and control plane (#12639)

* configure proxy log level via helm values for sidecar and gateways

* configure istio control plane log level via helm

* Put back a couple settings for Kiali that were accidentally deleted. (#12472)

Some Kiali settings were accidently deleted when the new installation options for
release-1.1 was published. This is because these settings were commented out in
the values.yaml file for kiali under istio/kubernetes/helm/istio/charts/kiali.

Bug:#3660

* remove to be deprecated critical pod annotation. (#12657)

* remove to be deprecated critical pod annotation.

* fix ci.

* Adding timeouts in Galley processor tests (#12701)

* Adding timeouts in Galley processor tests

This is to help in debugging #12628.

* making await method private

* add pod antiaffinity. (#12691)

* add pod antiaffinity.

* fix gateways issue.

* add pod antiaffnity to helm test pod.

* remove local test file.

* apply comments.

* Adding galley test for sidecar config validation (#12247)

* Adding galley test for sidecar config validation

Test cases related to PR #12233

* Using istio-system as namespace for resource

* Collect details/artifacts for failed tests in Prow. (#12753)

* Add infrastructure to document env var usage. (#12727)

- Introduce the pkg/env package containing a few functions to query environment
variable values. It keeps track of the variables requested so they can be documented.

- Extend pkg/collateral to recognize and output the environment variables used in the
process. This is what is needed to make this stuff show up on istio.io.

- Update all relevant call sites to use the new infrsstructure. It's still missing
descriptions for all the variables, that'll be up to component authors. I'll file
issues to get that work done.

- Fixed bugs in the node_agent_k8s code that was using env vars as the default for
Cobra command-line arguments, resulting in potentially variable default values
produced in the generated docs. Default values need to be static.

* Enable more linters. (#12751)

- Flip on a couple more linters

- Fix a bazzilion warnings produced by these linters,
along with many warnings produced by other not-yet-enabled
linters.

- Fix pkg/version so the tests compile on Mac. This broke a while
back, preventing the linter from running to completion on the Mac.

* Convert galley to reload files via SIGUSR1 or a ctrlz handler (#11617)

* Convert galley to reload files via SIGUSR1 or a ctrlz handler

* Fix ctrlz shutdown not to block

* Disable the mtls_healthcheck test until it can be fixed. (#12775)

* Change IP addresses to show up as strings in label maps in accesslog (#11740) (#12502)

Change IP addresses to show up as strings in http req  in accesslog

Fix lint errors

Fix lint errors

Use stringify function

Updated based on feedback

* upgrade prometheus version. (#12781)

* Wait for endpoints of policy backend, before trying to use it. (#12763)

* Wait for endpoints of policy backend, before trying to use it.

* Minor fix to the structure.

* Add wait logic for waiting Galley to come online.

* Fix minor bug.

* Rename the method so that it is clear what it is doing.

* Add additional constraint check.

* Remove redundant write header (#12731)

Write already writes 200 status code, so this wasn't needed. This caused
unneeded logging every time it was called.

* Tell Kubernetes that Istio validation has no side effects (#12670)

* Tell Kubernetes that Istio validation has no side effects

* Add integration tests for --server-dry-run

* Report version of kubectl and server

* Version check error

* Undo --server-dry-run tests which require K8s 1.12 or higher

* fix uds socket (#12688) (#12802)

* uds fix

* readonly

* mixer: switch to simplified config model (#12689)

* take 2 compiled instances

Signed-off-by: Kuat Yessenov <kuat@google.com>

* try with apa

Signed-off-by: Kuat Yessenov <kuat@google.com>

* quota failure

Signed-off-by: Kuat Yessenov <kuat@google.com>

* false signal?

Signed-off-by: Kuat Yessenov <kuat@google.com>

* more crds

Signed-off-by: Kuat Yessenov <kuat@google.com>

* nil params

Signed-off-by: Kuat Yessenov <kuat@google.com>

* patching config

Signed-off-by: Kuat Yessenov <kuat@google.com>

* remove stale command

Signed-off-by: Kuat Yessenov <kuat@google.com>

* Fix destination host validataion (#12804)

* Implement AuthorizationPolicy with workload selector. (#12050) (#12667)

* WIP AuthorizationPolicy with selector

* WIP AuthorizationPolicy with selector

* Check if need to use convertRbacRulesToFilterConfig and ignore permissive mode

* Support TCP

* Move new functions for RBAC v2 to rbac_v2.go

* Change the structure and refactor tests

* Put services field check back

* Remove services field validation

* Remove optimization

* Add selector no match test

* [Galley] Adding ServiceEntry synthesis (#12409)

Added a new custom projection that is subscribed to events for k8s Pods, Nodes, Services and Endpoints. These events are absorbed and do not become part of the snapshot. Instead, synthetic ServiceEntry resources are generated and become part of the snapshot.

Partially addresses #10497 and #10589

* Add a linter to prevent use of os.Getenv and os.LookupEnv (#12778)

- Add more unit tests to pkg/env to bring coverage to 100%

- Move existing linter sources from test/util/checker to tools/checker

* Specify istio-init user explicitly (#5453) (#12708)

Istio-init is supposed to be run as a superuser so it can configure
iptables and this is the current default. However many popular Helm
charts typically define a single container pod and specify
`securityContext.runAsUser` on a pod level (rather than the container
level) and that is what istio-init inherits. As the result many Helm
charts aren't working with Istio auto-injection out of the box.

A simple fix would be explicitly setting `securityContext.runAsUser`
for istio-init on the container-level so it takes precedence.

* Removing depencency on the order of returned IP addresses (#12812)

* Removing depencency on the order of returned IP addresses

Allows returned addresses by the default resolver to be in any
order. The first IPv4 address returned by the resolver is used. If
there are no IPv4 address is found, an IPv6 address is used.

Added more unit tests.

* Making logic for local IP the same as the rest

* Disabling flaky parts of Galley integ test (#12837)

This should deflake the test in #12820. Real fix is coming soon.

* Set SAN as critical for workload certs. (#12838)

* inject sds related param in pilot/mixer deployment (#12809)

* inject sds related param in pilot/mixer deployment

* remove args

* Disabling Mixer tests using the new TF in K8s. (#12848)

* Disabling Mixer tests using the new TF in K8s.

* Make linter happy.

* accommodate PR review comments.

* galley: support optional crds (#12822)

* optional galley crds

Signed-off-by: Kuat Yessenov <kuat@google.com>

* review

Signed-off-by: Kuat Yessenov <kuat@google.com>

* Removing a "TODO" that is not necessary any more (#12841)

Cleaning up the comments.

* mixer: add template CRD flag and set it to false (#12851)

* template CRD flag

Signed-off-by: Kuat Yessenov <kuat@google.com>

* missed a flag

Signed-off-by: Kuat Yessenov <kuat@google.com>

* Zombie cleanup. (#12878)

- Delete a bunch of dead code, dead variables, unused parameters, and
superfluous type declarations.

* Refactor Istio deployment code for clarity and add wait for webhook. (#12888)

* Refactor Istio deployment code for clarity and add wait for webhook
to come online.

* Make linter happy.

* Fix stupid bug.

* Remove accidental file add (#12895)

* Re-enable sidecar_api_test (#12887)

* Re-enable sidecar_api_test

* Remove kube setup

* Fix race condition

* Make Mixer readiness timeout configurable. (#12640)

- Mixer waits for readiness of the config backend. It is currently hard-wired at 30 seconds. This change makes this configurable and sets the default as 2 minutes.
- The pod was being killed because the liveness probe was not starting on time. It is blocked behind other readiness checks. This change enables readiness early on.

* Minor improvements to the test framework. (#12858)

* Add dump support to policy backend.

* Add a suitecontext dir.

* test: add dump pod events function (#12821)

* Fix flush behavior in Stackdriver adapter. (#12853)

* Fix prometheus and citadel connection tests (#12747)

* Fix test-prometheus-connection.yaml: test never failed

Co-authored-by: Ralf Pannemans <ralf.pannemans@sap.com>

* Fix test-citadel-connection.yaml: test never failed

Co-authored-by: Ralf Pannemans <ralf.pannemans@sap.com>

* Fix a bunch more linter items. (#12897)

* delete stale file (#12898)

Signed-off-by: Kuat Yessenov <kuat@google.com>

* Run dep ensure

* Implement EnvoyXdsServer graceful shutdown (#12826)

* update api sha (#12862)

* update api sha

* api files

* Add two sample deployments for user guide of Istio Vault integration (#12917)

* Rename types.go to types.gen.go. (#12921)

* Change Ip Address to readable format in accesslog from stdio/stackdriver adapter (#12850)

* Change Ip Address to readable format in accesslog from stdio adapter

* Add a check to validate it's an IP Address before calling ip.string function

* Fix formatting error

* Fix test

* Correct stringify function in instanceUtil.go too for IP address

* Fix based on review

* Fix based on review

* Fix based on review

* Update to latest doc gen tool. (#12932)

* Fix the regular expression that splits the deployment scripts. (#12931)

The script was fixed with a start-line anchor during the merge of 1.1.
However the regular expressions in Go is not multi-line.

* Add labels to the test framework. (#12819)

* Add basic label support to the test framework.

* Refactor test framework surface area to use fluent-style.

* Apply labels to CircleCI tests & stable integration tests.

* Add early exit support to avoid running setup functions when the label
set can never match.

* Add Citadel tests as presubmit tests.

* Remove environments from label usage.

* Fixup some of the label usages, and convert some of the test entry points.

* Fixup label usage.

* Redisable sidecar tests.

* Accommodate PR feedback.

* Accommodate CR feedback.

* Add more CR fixup.

* Introduce pkg/annotations (#12909)

- pkg/annotations lets us track the annotations used by the calling process.

- pkg/collateral now outputs annotations if there are any. This will make annotations
show up on istio.io

- Adjusted how pkg/collateral handles deprecated environment variabes to match how we
handle deprecated fields in protos (by coloring them differently on istio.io)

- Added another test to pkg/env to cover a case I missed originally.

- Updated the sidecar injector and pilot to use pkg/annotations.

- Fixed some invalid HTML generated by pkg/collateral.

I'll file an issue to get descriptions added for the annotations.

* remove unused pdb in remote values. (#12943)

* prevent duplicate inbound listeners (#12937)

* [Galley] Fix race in runtime strategy (#12927)

This address a race condition that seems to only occur when using a very low timerFrequency (e.g. 1 microsecond) on a slow machine (e.g. prow). Under these conditions, the strategy can encounter a race condition when creating the timer. The code was setting the `timer` variable to the result of time.AfterFunc. However, due to the extremely low frequency used, the AfterFunc was invoking its handler, `onTimer` before returning. This led to accessing an uninitilized `timer` value.

This PR swaps out AfterFunc for NewTimer. The use of time.Timer is now abstracted behind the `asyncTimer` object, which provides the semantics needed by the strategy. Now strategy.timer is set before it is started, avoiding the race.

Fixes #12628

* Adding unit tests for sidecar scope (#12184)

* Adding unit tests for sidecar scope

* Removing unused variable

* linters: enable errcheck (#12933)

* enable errcheck

Signed-off-by: Kuat Yessenov <kuat@google.com>

* add maligned to exceptions

Signed-off-by: Kuat Yessenov <kuat@google.com>

* Istio does not use Cluster_LOGICAL_DNS, so remove it (#12905)

* Istio does not use Cluster_LOGICAL_DNS, so remove it

* clean up LOGICAL_DNS in comments

* Clean up Helm README (#12914)

The README has outdated information on the values, we should just defer
to istio.io which is up to date. Additionally, we should point users to
istio.io which has up to date install instructions.

* 'istioctl experimental dashboard' command to show add-ons and sidecars (#12627)

* 'istioctl experimental dashboard' command to show add-ons and sidecars

* Test cases, output of URL, use of Cobra output stream

* Refactor code into istioctl/pkg/kubernetes

* Refactor to expose PortForward stop channel

* Validate new mixer CRDs (#12918)

* Validate new mixer CRDs

* Add templates and adapters

* Test cases for new mixer CRDs

* Add environment variables to allow configuring bookinfo hostnames (#12646)

* Allow bookinfo hostnames to be configurable

- add DETAILS_HOSTNAME, RATINGS_HOSTNAME, REVIEWS_HOSTNAME environment
variables to configure hostnames. Defaults to details, ratings, reviews
respectively

* Bump bookinfo sample to 1.11.0

* Update expected outputs for bookinfo tests

- this is not related to our PR, but the tests were failing
- the apps were changed, but images were not rebuilt

* Add edsClusters should be atomic (#12942)

* Add edsClusters should be atomic

* fix lint

* properly report errors on failure (#12945)

The CI Infrastructure times out after 10 minutes of no activity.  In
one of the test case runners, 10 miniutes is specified causing the CI
timeout to flush any debuggable output from the checks.  This results
in an in-exact error result to be returned.

Instead a vague reponse about the test case timing out is reported,
resulting in confusion for the PR authors.

The typical max I was able to achieve was ~230 seconds, but I trimmed
to 3 minutes so the test case fails in all conditions and properly
reports the errors.

* Hoist exemptLabels to top-level, so that they can apply to prs as well. (#12902)

* [mixer-e2e-test] add retry to prometheus query in check cache test (#12680)

* check cache test sleep longer

* use retry instead of longer waiting

* reword error message

* Fixing typos in unit tests (#12661)

Redoing PR #12035

* respect locality weight set from ServiceEntry (#12714)

* respect the lb weight setting from users

* add ut

* fix golint

* add locality lb setting test

* fix lint

* update test case

* update test case

* lint

* sidecars with workload selector takes precedence over namespace wide one (#12831)

* Auto bind to services for Sidecar listeners with specific ports (#12724)

* auto bind to TCP services for egress ports in Sidecar

Signed-off-by: Shriram Rajagopalan <rshriram@gmail.com>

* fix test

Signed-off-by: Shriram Rajagopalan <rshriram@gmail.com>

* minor patch (#12963)

Signed-off-by: Kuat Yessenov <kuat@google.com>

* Cleanup gateway vhost config gen (#12847)

* check match direction

* Cleanup http route generation

* undo pickMatching change

* golangbot comments

* address review comments

* fix validation bug

* gofmt

* check for intersection duplicates

* Add wildcard route fallthrough (Fixes ALLOW_ANY, 404s) (#12916)

* Add wildcard route fallthrough

Currently, ALLOW_ANY doesn't actually allow any external traffic if there is an http service already present on a port. This change adds a wildcard PassthroughCluster as the final route, allowing external traffic even if there is already a service on the port.

Additionally, in REGISTRY_ONLY mode, we will return a 404 error if there
is already an http service. This is misleading, as it can be conflated
with a 404 error returned from the actual service. When in REGISTRY_ONLY
mode, we instead return a 502 error to indicate the request is blocked.

* add unit tests

* Remove node-level flag

* Fix tests

* Support PKCS#8 private keys. (#12972)

* Support PKCS#8 private keys.

* Small fix.

* Fix LB weight setting for split horizon eds (#12560) (#12827)

* lb weight for split-horizon-eds shoulb be set correctly

* fix ut

* rename

* fix ut

* fix lint

* fix lint

* Restore dump_kubernetes.sh function on OSX (#12159)

* Fixes for Bash 3.x and detecting non-running pods

* Address shellcheck warnings

* Remove Robert Li from tests OWNERS file (#12946)

Robert has had a change in employment and can no longer contribute to
Istio.

* remove unnecessary namespace for webhook configuration (#12981)

* remove deprecated mcpServerAddrs flag (#12954)

* remove deprecated mcpServerAddrs

* fix ut

* support ip:port format configSource

* fix ut

* fix ut

* supprt proxy https app probe (#12872)

* supprt proxy https app probe

* add ut

* fix ut

* add webhook inject test

* fix test

* fix comments by incfly

* Allow some time for the configuration propagation (#12865)

* Allow some time for the listeners config propogation

* change to use watchDiscovery

* samples/bookinfo: easier access to logs (#12584)

* Use shorter namespace prefixes. (#13001)

* Change Ip Address to readable format in accesslog from stdio/stackdriver adapter (#12850) (#12936)

* Change Ip Address to readable format in accesslog from stdio adapter

* Add a check to validate it's an IP Address before calling ip.string function

* Fix formatting error

* Fix test

* Correct stringify function in instanceUtil.go too for IP address

* Fix based on review

* Fix based on review

* Fix based on review

* Update integration test env flag (#12977)

The flag should be "kube" not "kubernetes" but it was not updated in
some places before.

* Support inline role definition in AuthorizationPolicy (#12849)

* Don't fill test logs with "no provious log" (#12857)

This isn't a real error, but it is misleading in the test output. We
have no reason to output all of these errors that there is no previous
container to get logs from.

* mixer: delete old style CRDs from installation (#12710)

* delete old style CRD from installation

Signed-off-by: Kuat Yessenov <kuat@google.com>

* disable galley from listening to old style CRDs

Signed-off-by: Kuat Yessenov <kuat@google.com>

* more hardcoded yamls

Signed-off-by: Kuat Yessenov <kuat@google.com>

* debuggin default install

Signed-off-by: Kuat Yessenov <kuat@google.com>

* fix fmt

Signed-off-by: Kuat Yessenov <kuat@google.com>

* keep galley pipeline

Signed-off-by: Kuat Yessenov <kuat@google.com>

* disable resource ready

Signed-off-by: Kuat Yessenov <kuat@google.com>

* delete debugging line

Signed-off-by: Kuat Yessenov <kuat@google.com>

* fixing testdata

Signed-off-by: Kuat Yessenov <kuat@google.com>

* delete deprecated configs

Signed-off-by: Kuat Yessenov <kuat@google.com>

* remove declarations

Signed-off-by: Kuat Yessenov <kuat@google.com>

* delete more yaml

Signed-off-by: Kuat Yessenov <kuat@google.com>

* merge fix

Signed-off-by: Kuat Yessenov <kuat@google.com>

* Add tests for the effect of mTLS setting to reachability (#11624)

* Reachability test in new ingegration test framework

* Add test for port specific policy

* Expose KubeApp interface and move EndpointForPort to that instead

* Use the retry.UntilSuccess from framework

* Change to UntilSuccessOrFail instead of UntilSucces

* remove deprecated code (#13005)

* remove deprecated code

* remove dep

* Add examples/documentation for the test framework. (#13000)

* Add examples/documentation for the test framework.

* Add more prose about test lifecycle.

* Fix typo.

* Fix typos.

* fix retry loop in mixer crd watch (#13003)

* first change to apps/v1 for Install (#13015)

* first change for install

* appsv1

* indention

* use only ipv4 for pilot and zipkin (#12997)

* do ipv4 lookups for pilot and zipkin

Signed-off-by: Shriram Rajagopalan <rshriram@gmail.com>

* update goldens

Signed-off-by: Shriram Rajagopalan <rshriram@gmail.com>

* small fix for imports (#13013)

* remove old mcp stack (#12092)

* remove old mcp stack

* remove legacy mcp server from galley

* fix server build

* fix linter

* remove unused code in journal.go

* fix build

* s/server/source

* fix linter errors

* Exclude Prometheus traffic in rule so that Kiali does not show it. (#12251)

* [Galley] Fix race in strategy shutdown. (#13004)

* [Galley] Fix race in strategy shutdown.

The Close() logic was holding onto the state lock, which can race with worker thread. Specifically, the worker thread could be in a call to onTimer awaiting the lock, which would never be acquired since the Close() method is stuck waiting for the stopped channel to close.

* cleaning up reset logic to avoid holding on the stateLock

* Add instructions and scripts to facilitate running E2E tests locally using KinD (#12641)

* Adding check/install go in both macOS and Linux.

* Install go if not installed.

* Adding support to run e2e test on KinD locally.

* Adding the ability to run e2e tests locally on KinD.

* Update install_prereqs_debian.sh

* Update setup_test.sh

* Adding the ability to run e2e test on KinD
for presubmit test.

* Presubmit e2e test on KinD.

* Adding the ability to run e2e_simple presubmit on KinD

* Adding README file for testing on KinD locally.

* Revert the changes on adding install_go function.

* Revert install_go in common_macos.sh

* Revert the file changes of deleting newline.

* Reverting the changes.

* Addressing reviews.

* Fixing shellcheck

* respect locality weight set from ServiceEntry (#12714) (#13012)

* respect the lb weight setting from users

* add ut

* fix golint

* add locality lb setting test

* fix lint

* update test case

* update test case

* lint

* Add documentation about -p 1 for integration test framework. (#13032)

* Reduce logs in security/pkg/nodeagent/sds/ (#13035)

* Reduce logs in security/pkg/nodeagent/sds/

https://github.com/istio/istio/issues/13033

* Count the log output times

* Revise the PR based on review comments

* move pkg/mcp/configz to pkg/mcp/configz/client (#12982)

Signed-off-by: Chun Lin Yang <clyang@cn.ibm.com>

* Restore TestMtlsHealthCheck in postsubmit, prow. (#12969)

* restore test to debug.

* add presubmit label to the test for triggering.

* change to only run in postsubmit.

* remove postsubmit label just comment.

* Enable more linters and fix warnings/errors (#12993)

* Cherry pick cert file config from master to release-1.1 (#12707)

* Cherry pick from master: Configuration:  no longer hardcode mesh certs (#12189)

* Configuration: Pilot-Agent: no longer hardcode certs to watch. Pilot-Discovery: no longer hardcode Envoy listener cert paths.

* Address demands of golangcibot overlord

* Change usages of github.com/stretchr/testify/require to github.com/stretchr/testify/assert

* Address code style violation

* Revert temporary api changes. Set cert paths in envoy node metadata and use them when setting up listeners

* Use envoy node metadata cert paths (if available) when constructing clusters

* Rename constants to make golint happy

* Fix imports

* Ignore ordering in test

* Pass around proxy instead of proxy.Metadata

(cherry picked from commit 7c342741df9bd4e313420b4d17e279089d8956da)

* goimports file

* Allow limiting Citadel to marked namespaces only (#12289)

* Allow limiting Citadel to marked namespaces only

- add command line flag to require explicit opt-in to secrets (defaults to false to retain current behavior of always create)
- extend secret controller to consider namespace labels (reuses existing 'istio-injected=enabled')
- modify unit tests to retain previous behavior (i.e., always create secrets, explicit opt-in not required) and account for additional namespace access

* removed left-over debug print, check enable only when explicit opt-in is required

* reverting k8s actions in tests: namespaces no longer checked when explicit opt-in is false

* unit tests for checking labels and behavior

* Namespace specified in command line is explicitly enabled

- save namespace specified in the `--listened-namespace` option on the controller (allow multiple to prepare for r1.1)
- check SA namespace against explicit namespaces

* use dedicated label name to avoid overloading the injection label

* use istio-managed label in tests

* clarified explicit-opt-in is relevant for keys and certificates provided via a volume mount

* refactor istio managed object test to a function so it can be called from secret deletion handler as well

* fix left over istio-injection label in tests

* manual merge fix

* appsv1 galley (#13047)

* Add support for datadog tracing (on release-1.1 branch) (#12687)

* Add support for datadog tracing.

Signed-off-by: Caleb Gilmour <caleb.gilmour@datadoghq.com>

* Use $(HOST_IP) instead of special-casing empty address value

Signed-off-by: Caleb Gilmour <caleb.gilmour@datadoghq.com>

* add param to sidecar to ignore iptables changes (#12829)

* add param to sidecar to ignore iptables changes

* rephrase description

* samples/bookinfo: migrate `apiVersion` of deployments to `apps/v1` (#13030)

* fix validation logic so that port.name is no longer a valid PortSelector (#13054)

* [Test Framework]: Galley support for deleting config (#13037)

In order to properly support deleting resources, it was necessary to revisit how ApplyConfig is done as well.  Previously, apply would just blindly copy the yaml to a new file in the configDir. The assumption was that the resource was always being "added" (rather than updated). I'm not certain what would happen if two resources appeared with the same name/namespace.

This PR generalizes (and fixes) the way resources are handled so that it's not concerned with files, but rather the underlying resources. The code now parses the top-portion of the yaml to properly identify each resource.  Once identified, the code now properly updates resources by writing back to the file where the resource was found.  Deletes are similar, where the original resource in the file is replaced with "" (empty files are removed).

* Support controlz for mcp server (#12980)

* Support controlz for mcp server

Signed-off-by: clyang82 <clyang@cn.ibm.com>

* fix lint error

* Address review comments

Signed-off-by: Chun Lin Yang <clyang@cn.ibm.com>

* generalize artifact injection into Docker images (#12203)

Instead of just adding LICENSES.txt only, also optionally add in the
source code as well, gating on the new EXTRA_ARTIFACTS and
EXTRA_ARTIFACTS_CNI environment variables.

Change-Id: Iab8fadfbcbbaa8906491e12324fae20185d9f33e

* Keep going when problem happens checking remote version (#13060)

* remove deprecated show-all flag (#13053)

* Add x alias to experimental istioctl command (#11801)

* Add x alias to experimental istioctl command

I'm super lazy and experimental is far too much effort to type

Signed-off-by: Liam White <liam@tetrate.io>

* Add exp as an additional alias

Signed-off-by: Liam White <liam@tetrate.io>

* Correct the app label for Gateway (#12693)

* update selector for gateway

Signed-off-by: Chun Lin Yang <clyang@cn.ibm.com>

* fix build fail

Signed-off-by: clyang82 <clyang@cn.ibm.com>

* Update tracing_datadog_golden.json (#13082)

* Fix small typo (#13089)

can useful -> can be useful

* Add jitter in CSR request (#12805)

* Add jitter in CSR request

* Add log

* Fix comments

* Fix test

* Fix test

* Fix comment

* Allows cleanup.sh to run non-interactively when in terminal (#12635)

This change allows cleanup.sh to run non-interactively in standard terminals.
For example: NAMESPACE="test123" ./cleanup.sh

* 'istioctl proxy-config clusters' cluster type column rendering (#12458) (#12730)

* update sds secret mount. (#12733)

* Copy data from right place (#12762)

* Fix updateClusterInc for overlapping ports (#12766)

* Fix updateClusterInc for overlapping ports

It is possible that a service will have multiple ports, with the same
port number. The typical example here is kube-dns, which uses port 53
for UDP and TCP. When we do an incremental push, we would select the
first port to match the port number, which would sometimes causes us to
ignore the correct port. This fix searches through all matching ports.

* Ensure port number matches as well

* Add unit tests

* remove dead code

* enable default sidecarscope (#12832)

* [Galley] Fix for ServiceEntry event ordering (#12890)

The integration test was encountering this, exposing a real bug. If nodes/pod events occur after service/endpoints (which should generally be unusual) then it is possible to have a ServiceEntry missing pod/node information (e.g. locality).

Fixes #12820

* Adding sha for istio/tools to manifest.txt for future automation of perf tests (#11706)

* Copy helm data from the right place (#12808)

* Refactor solution based on Costin's feedback (#13027)

Signed-off-by: Serguei Bezverkhi <sbezverk@cisco.com>

* Enable more linters and fix warnings/errors (#13061)

* Making tags requirement same as those in Kubernetes (#12852)

* Making tags requirement same as those in Kubernetes

Changing validation check to make sure non-empty tags start with an
alphanumeric character

* Validating label keys are not empty strings

Allow empty string for label values
Do not allow empty string for label keys

* Added certmanager flag into helm chart values.yaml (#12953)

* Added certmanager flag into helm chart values.yaml

* Moved certmanager configuration

* Pilot [networking]: Add upstream idle_timeout to cluster definition (#13066)

* adding upstream idle_timeout to cluster definition.

* reverting vendor changes before running dep ensure again.

* running dep ensure update on api from master.

* controlPlaneMtls renamed to controlPlaneSecurityEnabled (#13141)

* Patch #12805 to master (#13104)

* Patch #12805 to master

* Fix lint

* Fix HelmDelete command (#12515)

* Fix HelmDelete command

HelmDelete was called with the namespace it needs to be called
with a chartname.  Also created a constant to make it more
obvious when called by the other Helm related commands.

* Fix typo

* Goimports fix

* ight modification path (#13148)

* Allow overriding of registry locality (#13077)

Also fixes bug where non-kube envs could override to something that parsed incorrectly

Signed-off-by: Liam White <liam@tetrate.io>

* mixer: add support for standard CRDs for compiled-in adapters (#12815)

* cherry pick subset of https://github.com/istio/istio/pull/12689/

Signed-off-by: Kuat Yessenov <kuat@google.com>

* add support for compiled in adapters

Signed-off-by: Kuat Yessenov <kuat@google.com>

* patch log line

Signed-off-by: Kuat Yessenov <kuat@google.com>

* parse cert to get expire time  (#13145)

* parse cert

* cleanup

* unit test coverage

* missing file

* address comments

* rebase and address comment

* Installing istio for perf testing (#13159)

* Perf scripts

* gsutil

* WD

* perf running and geting metrics

* Perf

* perf

* perf

* Perf

* remove

* qq

* Appsv1 pilot (#13050)

* appsv1 for Pilot

* appsv1 for Pilot

* appsv1 for Pilot

* dep update

* fix test

* fix test

* fix test

* fix test

* fix test

* typo

* typo

* typo

* typo

* typo

* update go-control-plane (#13154)

Signed-off-by: Kuat Yessenov <kuat@google.com>

* added sidecar.istio.io/rewriteAppProbers annotation (#13112)

* pilot: registered sidecar.istio.io/rewriteAppProbers annotation

* pilot: checked from sidecar.istio.io/rewriteAppProbers too

* pilot: added webhook inject tests

TestWebhookInject_http_probe_rewrite_enabled_via_annotation case is a modification of TestWebhookInject_http_probe_rewrite case.
The difference is rewriteAppHTTPProbe is false in template, but set to true in annotation.

TestWebhookInject_http_probe_rewrite_disabled_via_annotation case is a modification of TestWebhookInject case.
The difference is rewriteAppHTTPProbe is true in template, but set to false in annotation.

* fixed linter issue in test

* added http probe test for kubeinject case

* added tests and fixed login upon checking RewriteAppHTTPProbe setting

* Add more tests in app_probe_test.go

* renamed RewriteAppProbers to RewriteAppHTTPProbers

* fixed test case for webhook injection

* add description to rewriteAppHTTPProbers annotation

* updated tests in app probe to sync with recent master change

* change validateBool to alwaysValidFunc as per review

* Export inject.injectionData() (#12426)

* Registrator should use master version (#13083)

* dependencies: update cel-go and remove protoc-gen-docs (#12711)

* experiment with COMPAT

Signed-off-by: Kuat Yessenov <kuat@google.com>

* get errors

Signed-off-by: Kuat Yessenov <kuat@google.com>

* get errors

Signed-off-by: Kuat Yessenov <kuat@google.com>

* stop validation

Signed-off-by: Kuat Yessenov <kuat@google.com>

* remove hack

Signed-off-by: Kuat Yessenov <kuat@google.com>

* testing

Signed-off-by: Kuat Yessenov <kuat@google.com>

* only access log

Signed-off-by: Kuat Yessenov <kuat@google.com>

* debugging

Signed-off-by: Kuat Yessenov <kuat@google.com>

* debugging

Signed-off-by: Kuat Yessenov <kuat@google.com>

* debugging

Signed-off-by: Kuat Yessenov <kuat@google.com>

* debugging

Signed-off-by: Kuat Yessenov <kuat@google.com>

* debugging

Signed-off-by: Kuat Yessenov <kuat@google.com>

* add runtimeconfig

Signed-off-by: Kuat Yessenov <kuat@google.com>

* add a benchmark

Signed-off-by: Kuat Yessenov <kuat@google.com>

* cel_perf

Signed-off-by: Kuat Yessenov <kuat@google.com>

* update cel

Signed-off-by: Kuat Yessenov <kuat@google.com>

* update examples

Signed-off-by: Kuat Yessenov <kuat@google.com>

* remove unnecessary dependencies

Signed-off-by: Kuat Yessenov <kuat@google.com>

* Fixing copy for helm, one more time. (#13186)

* Run goimports on generated file (#13195)

* Enable disabled mixer tests in New Test Framework (#13151)

* Enable disabled mixer tests in NF

* Change tests config to new style

* Change tests config to new style

* Change tests config to new style

* Fix config for native policybackend

* Fix report test

* Reduce Pilot resource requests for demo (#12477)

* Reduce Pilot resource requests for demo

* Add limits as well

* Added data source for Galley dashboard (#13041)

Fixes: #13040

* fix values for pod anti-affinity. (#12798)

* Add sensible defaults to istio-gateways (#12315)

* report succeed after validation (#13165)

* report succeed after validation

* review comments

* Change exposed port of istio-pilot in consul (#13170)

`15003` and `15005` are never used in pilot under consul env. It would be confusing to expose the two ports. Instead, 
```
   --grpcAddr string                     Discovery service grpc address (default ":15010")
   --secureGrpcAddr string               Discovery service grpc address, with https (default ":15012")
```
we know `15010` and `15012` are still using.

* Cherrypick: Add wildcard route fallthrough (Fixes ALLOW_ANY, 404s) (#12916) (#12973)

* Add wildcard route fallthrough (Fixes ALLOW_ANY, 404s) (#12916)

* Add wildcard route fallthrough

Currently, ALLOW_ANY doesn't actually allow any external traffic if there is an http service already present on a port. This change adds a wildcard PassthroughCluster as the final route, allowing external traffic even if there is already a service on the port.

Additionally, in REGISTRY_ONLY mode, we will return a 404 error if there
is already an http service. This is misleading, as it can be conflated
with a 404 error returned from the actual service. When in REGISTRY_ONLY
mode, we instead return a 502 error to indicate the request is blocked.

* add unit tests

* Remove node-level flag

* Fix tests

* Use new env var framework

* Fix long line

* Run format and linter

* CEL checker mutex (#13192)

* checker mutex

Signed-off-by: Kuat Yessenov <kuat@google.com>

* deadlock

Signed-off-by: Kuat Yessenov <kuat@google.com>

* Integration testing for Locality Load Balancing  (#13084)

* Initial testing functionality

Signed-off-by: Liam White <liam@tetrate.io>

* appease the linting gods

Signed-off-by: Liam White <liam@tetrate.io>

* Fall back to bootstrap locality as a last resort

Signed-off-by: Liam White <liam@tetrate.io>

* Move service instance check after we set them...

Signed-off-by: Liam White <liam@tetr…
lei-tang added a commit that referenced this issue Apr 16, 2019
@lei-tang
Merge latest master branch into collab-authn (#13357)
5009f4d 
* add istio-init.yaml to .gitignore (#12542)

* authz: add authorization policy CRD to helm-init (#12541)

* Fix bug in locality LB normalization (#12532) (#12579)

The priority needs to be normalized (so it is always has no gaps), so
priorities [0,2] should be changed to [0,1]. However, we were changing
the wrong endpoint's priorities.

* Apply locality weighted lb config correctly (#12588)

Previously, this value was not set if the load balancer config was nil.
However, it should actually set anytime outlier detection is enabled, so
that locality lb can behave correctly.

* Fix bug causing empty endpoints per locality (#12615)

* Fix bug causing empty endpoints per locality

Before, we were allocating the array then appending to it, creating
empty endpoints at the start of the array.

* Predefine slice size

* Fix the MCP Client ConfigZ page (#12626)

* Fix the MCP Client ConfigZ page.

* Fix the tests

* Update test name to clear confusion.

* Add threshold for rds.go codecov (#12499)

Test is flakey, saying it has droppped coverage when it has not due to
it being nondeterministic.

* Drop log level for missing service account for spiffe uri (#12239)

* Don't require service account for spiffe

Some kubernetes pods don't have a service account. This causes a log
flood that the spiffe url is invalid, but this doesn't actually have any
negative impact. We can just make it not an error to have no service
account.

* Revert "Don't require service account for spiffe"

This reverts commit e88ff187963e97949d3b81c3575b997ddd7e7a6f.

* Just drop error -> warn

* Fix tests

* Drop log level

* [Authz v2] Add additional fields for bindings and validation. (#11800) (#12460)

* Adding additional fields for bindings and validation. (#11800)

* Implement namespaces for ServiceRoleBindings

* Implement not_namespaces and refactor

* Implement not_ips

* Implement ips (no unit tests)

* Add a unit tests for ips for ServiceRoleBinding

* Implement groups and not_groups for ServiceRoleBinding

* Implement names and not_names

* Check for duplicated definition in constraints/properties and first-class fields

* Disallow using * in names or not_names to prevent ambiguity

* Disallow using * in names or not_names to prevent ambiguity

* Refactor additional fields for bindings

* Update validation.go

* Update validation.go

* enhance verify install command (#12174)

* enhance verify install command

* fix lint

* fix lint

* configure prometheus to monitor citadel. (#12175)

* Add namespace scoping to the Gateway 'port' names (#11509) (#12500) (#12556)

* Add namespace scoping to the Gateway 'port' names (#12500) (#12500)

Currently in order to configure ingressgateway to do TLS termination
using multiple secure virtual hosts with different certificates Istio
requires Gateway 'port' names to be globally unique (i.e. distinct).
I.e. two gateways cannot have secure port named 'https' even if they
reside in different namespaces. Behavior in such case is undefined.

This breaks namespace isolation as a user creating a Gateway in one
namespace might not have access to other namespaces hence can't
if the port name is already 'taken'. Behavior in such case is undefined
and likely to render other virtual hosts unavailable.

This change adds namespace scoping to Gateway port names by appending
namespace suffix to the HTTPS RDS routes. Port names still have to be
unique within the namespace boundaries, but this change makes adding
more specific scoping rather trivial.

* Increase Gateway 'port' names scoping granularity

* Minimal changes to make locality lb not sigsegv (#12649)

* Locality label istio-locality in k8s should not contain `/`, use `.` (#12592)

* Locality label istio-locality in k8s should not contain `/`, use `.` instead

* fix comments

* Only use gateways for servers being processed (#12663)

Signed-off-by: Shriram Rajagopalan <rshriram@gmail.com>

* Propagate Envoy Metrics Service Config (#12569)

The plumbing for propagating the envoy metrics service address config is missing a step to copy the given address to the config object that is passed on to the template renderer.

* mixer: add directive demo adapter (#12505)

* finish demo

Signed-off-by: Kuat Yessenov <kuat@google.com>

* printf

Signed-off-by: Kuat Yessenov <kuat@google.com>

* publish keyval

Signed-off-by: Kuat Yessenov <kuat@google.com>

* Adding sidecars to validating webhook configuration (#12233) (#12643)

Addresses issue #12193

* Cleaning up Unit tests for RDS (#12581)

Added a new case and cleaned up the existing test cases.

* switching deployment to v1 api (#10578)

Signed-off-by: Serguei Bezverkhi <sbezverk@cisco.com>

* Cleanup Galley OWNERS file. (#12676)

* fix uds socket (#12688)

* uds fix

* readonly

* Add unit test to cover multiple different locality case (#12388)

This PR only increases test coverage. Does not impact functionality.

Signed-off-by: Liam White <liam@tetrate.io>

* Build 1.1.1 (#12690)

* Fix LB weight setting for split horizon eds (#12560)

* lb weight for split-horizon-eds shoulb be set correctly

* fix ut

* rename

* fix ut

* fix lint

* fix lint

* fix typo in default envoy JSON log format (#12473)

* Make release-1.1 changes compatible with master

* Remove extra ingress template
* cherry pick 10578
* reformat
* Update rbac.go to use httpfilter when needed
* Integration framework ensure apiVersion is top level
* Update yaml make target
* Disable setup on sidecar_api_test

* clarified mesh connect timeout fields based on code impl (#12089)

* Testing: configurable ports for Echo (#12681)

The echo component currently assumes a hard-coded list of ports. We eventually want to replace the "apps" component with echo, but in order to do that we'll need to be able to tailor the port configuration for each instance.

* add image pull secrets for zipkin. (#12327)

* Refresh oop handler with connection config update (#12575)

* refresh handler with connection update

* sanitize test error message

* Fixing coping of the data to the bucket during release (#12585)

* Fixing coping of the data to the bucket.

* Small fix

* RM folder in any case

* 'istioctl proxy-config clusters' cluster type column rendering (#12458)

* Make error message explicit (#12675)

* E2E test for health check under mtls using app prober rewrite. (#11531)

* injector changes for health check, pilot agent take over app readiness check. (#9266)

* WIP injector change to modify istio-proxy.

* move out to app_probe.go

* Iterating sidecartmpl to find the statusPort.

* use the same name for ready path.

* Get rewrite work, almost.

* Some clean up on test and check one container criteria.

* fix the injected test file.

* Add inject test for readiness probe itself.

* Add missing added test file.

* fix helm test.

* fix lint.

* update header based finding the port.

* return to previous injected file status.

* fixing TestIntoResource test.

* sed fixing all remaining injecting files.

* handling named port.

* fixing merginge failure.

* remove the debug print.

* lint fixing.

* Apply the suggestions for finding statusPort arg.

* Address comments, regex support more port value format.

* add app_probe_test.go

* add more test.

* merge fix the test.

* webhook autoinject is ready for review.

* Squashed commit of the following:

commit 501b92c76c010d3adcd2e52a9abe8cb149eb90f2
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 29 18:13:30 2019 -0800

    renaming env var.

commit 1a82b2c0de292a34643f59ce802858c8d26a7a46
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 29 17:59:25 2019 -0800

    finish migrating test to yaml file based.

commit 99bda1d7d2521b965a0f71e28d235ada469ba7b7
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 29 13:55:00 2019 -0800

    get test working.

commit 28225cd409c7790636c11da74ad8f69d0e7cf89b
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 29 13:49:58 2019 -0800

    WIP add some test files.

commit 612b8aa3db468850d8e34f47d0dc05c536f57dde
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 29 13:13:06 2019 -0800

    WIP changing to using the environment var.

commit 7dabcb1695fa375de1b93add014528ae7509c94c
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 29 10:52:47 2019 -0800

    add todo for the tests.

commit 7af6ba524176616d67d35867665225e27f4a96ce
Merge: ca22277d7 4b7b13aef
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 29 10:47:17 2019 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-wip

commit ca22277d76ed8d1c1b7c3b44cb05edfe52ccf861
Merge: 98fd48f59 744b07ad2
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Jan 28 23:15:34 2019 -0800

    Merge branch 'health-wip' of https://github.com/incfly/istio into health-wip

commit 98fd48f59f748bafe5e8518bff3d8cbfd64a2135
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Jan 28 23:15:00 2019 -0800

    findsidecar.

commit 744b07ad2406d1eb94bcf5492125f91486ad6b10
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Jan 28 22:29:28 2019 -0800

    add FindSidecar.

commit 40ed002ff6f5dd4afe22afa984384addc1be1104
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Jan 28 21:55:51 2019 -0800

    refactor some code.

commit 0fdbb2e832b7ac01f3e4ed185763b3b20bfbd2ac
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Jan 28 18:19:32 2019 -0800

    Integration test works and fixing a bug.

commit 5085dfd0e6cb4f0c9cb5c25e7f24b0b94dec176a
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Jan 28 16:09:13 2019 -0800

    all inject tests pass.

commit fe3f156316c917854c2ef4c163e7e1fb070c4fa5
Merge: a2a774498 010d5c266
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Jan 28 15:22:18 2019 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-wip

commit a2a774498e1021c1ca01c021c071e225fa330407
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Jan 28 15:16:04 2019 -0800

    update the TestWebhookInject.

commit 36fd45c074bcc787702a5a9257d23103521f525c
Author: Jianfei Hu <jianfeih@google.com>
Date:   Fri Jan 25 12:13:21 2019 -0800

    some document

commit 88dc922719e2c4723a334d1d8d959cac361b1ecb
Author: Jianfei Hu <jianfeih@google.com>
Date:   Fri Jan 25 11:43:44 2019 -0800

    new version works for kubeinject, webhook unit test.

commit 6efa0d64eca835dd860cdfc37d09ebfe110e083a
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Jan 24 18:17:38 2019 -0800

    WIP working on modifying sidecar.Args first, then modify app container patch.

commit 65a2194ae7a93581f60b56998aeb9480b4a4fde5
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Jan 24 15:20:36 2019 -0800

    WIP add what's missing to get e2e test working.

commit 1595e871c640cdabead372eada2b17d717fa707f
Merge: 256d9635f ac78a552a
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Jan 24 13:26:05 2019 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit 256d9635f4d590936c473bf3be0299064cb9c716
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Jan 24 12:14:04 2019 -0800

    add some debugging log.

commit f70096334464fd1d59a0e81997e8f0fd6623a564
Merge: bdce72119 c7eb603ee
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Jan 24 10:57:43 2019 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit bdce72119ef78dab40b750861768c332811b9ee2
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 23 18:04:37 2019 -0800

    refactor to host something up to caller.

commit b51763c21000ba2b7fe9e2bc728783ce530cfe87
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 23 16:31:32 2019 -0800

    get everything works.

commit 0815695a2fea828f06a31f14ed7795a3b3716111
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 23 15:48:27 2019 -0800

    kubeinject test is working.

commit 14c99b58f0212972d42e298fa4185275642d672c
Merge: d626bb85d 5ea79622c
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 23 15:38:30 2019 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit d626bb85dee628771f8f41fc90335ac608dea923
Merge: 3561ae0a6 66153da4d
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 23 15:38:23 2019 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit 3561ae0a69350730834e625c0710394968f9fcde
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 16 16:49:44 2019 -0800

    WIP, policy is not taking effect, test passing without rewrite.

commit a9bef0f01964a14f6ace0da6217d7a36f364b661
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 16 16:31:08 2019 -0800

    fix the json path in the patch.

commit f1aee91189e16beb0dadee6c612464b1aa9bad21
Merge: 3a7eb48e6 abc53e120
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 16 14:03:49 2019 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit 3a7eb48e6b8e4687ffc38973bf18fca11b06c957
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 16 13:57:55 2019 -0800

    fix it, removing namespace since metadata not matching will fail for kubeapply

commit 2b120347ae887b8a4aa5f955a1a8cb0bdd46d3da
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 16 11:58:39 2019 -0800

    WIP, debuggin why mtls policy is not showed up.

commit 72e9c4e488f875ffea0c3a279403277010160ee1
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 15 17:24:16 2019 -0800

    working on integration2 test framework.

commit 90c1cce9ddc55ce339aa65eac06602591d3113c9
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 15 17:04:38 2019 -0800

    add small comments.

commit 92a0edaa11734d1c6fb1c367fae56dc104c6e676
Merge: 7f5c8cbd8 e45242c0d
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 15 16:43:47 2019 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit 7f5c8cbd8d4aa57eaf8f8d739cae6dbfdab0445d
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 18 09:37:53 2018 -0800

    check rewriteAppProbe separately.

commit e2707c9b8f1b01bd4b03b2c6adb9fc79f0dcb479
Merge: 20f02c045 1ae6b4fde
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 18 09:01:37 2018 -0800

    Merge branch 'health-autoinject' of https://github.com/incfly/istio into health-autoinject

commit 20f02c04563fab9b81b418c00a5455994fda5148
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 18 08:59:57 2018 -0800

    duplicate the rewrite logic.

commit 4894cb16804d9c5a0406c2dc1b02e3395be08e64
Merge: 3b3bcbff8 d8c4579fa
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 18 08:53:44 2018 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit 1ae6b4fde00ae641637d44c0f417f635b6d9a6b1
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Dec 17 21:56:51 2018 -0800

    address comments.

commit 3b3bcbff86f982c8abc705518a0fd4ec37bf4840
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Dec 13 15:24:33 2018 -0800

    massage comments.

commit ccd670d31ef2c1817f87fe932d6f0d2ed4f609d7
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Dec 13 15:15:50 2018 -0800

    helm flag is off, so change the expected outoupt.

commit 43522c15d06054e4bb173ab2c37333a4de647c2d
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Dec 13 15:09:46 2018 -0800

    make webhook support rewriteAppHTTPProbe flag.

commit f60f18f4144482874c1219c7da90e97f19f1172f
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Dec 13 12:03:04 2018 -0800

    fixing the merge typo.

commit 05bbadfd851b3a5ad013e733d6eb5eacf5491b15
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Dec 13 11:56:38 2018 -0800

    remove unnecessary changes in test for debugging.

commit a81eacb6892509d8938be8d64f1435cf64e22317
Merge: af1a67989 f6b0ddc30
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Dec 13 11:53:07 2018 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit af1a6798988f9fe70e40add2a6d4971efa9b50ed
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 18:07:19 2018 -0800

    fixing all the test.

commit 58d0bef3520037a81db8baa34d6e13849d20af10
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 17:51:34 2018 -0800

    Get TestInject happy.

commit fcd0ae2f7a6ba2f067f460f4baad2194e517b7f1
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 17:49:42 2018 -0800

    make TestHelmInject happy.

commit 7a3ffc8d8e4b5509e1bbed2facc6e4ba14d70fa0
Merge: fcca1f89a bd1631be3
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 16:53:01 2018 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit fcca1f89af2fddfc0edb3824982aa0b81390fa6d
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 16:18:20 2018 -0800

    get webhook_test.TestInject working.

commit 06f517cfc4214994be1be848d40b12f09ba8a4b8
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 16:10:55 2018 -0800

    restructure app_probe_test working for both.

commit 7142e96ed8a3200fc91bc73aee86d471117232fc
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 13:19:41 2018 -0800

    starting to work on serious test

commit a3dfb97b4ec4de375984c2a17eb4374bc1c5046a
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 11:50:19 2018 -0800

    prototyping get familar with the test.

commit 51659dacbc569f4532dc6a37b2091f39c7cf115b
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 11:05:51 2018 -0800

    wip for adding test.

* resolve appprobetest.

* update the golden due to another injector change.

* remove unnecessary files in this pr.

* remove the test framework change.

* remove unnecessary testdata file.

* wip for adding health check test app.

* wip very hack working solution app deployed

* finally test starts working

* make sure the test works if and only if the helm flag is turned on.

* refactoring

* small adjustment.

* DeepCopy used.

* working test only healthcheck test.

* remove inline policy

* change RegisterHelmValueOverrides.

* unnecessary change.

* Finish HelmValueMap refactor.

* some cleanup.

* clean up.

* flags helm values takes higher priority.

* fix the lint.

* address comments.

* revert chagnes on HelmValuesMap.

* wip getting helm customizable with new configuration api.

TODO: testing by rebuild image.

* fix the helm value passing overrides.

* wip the app is deployed but not ready and still finishes...

* wip apps configuration not take effect.

* working version of apps configuration.

* clean up some debugging log.

* test documentation.

* WIP changing deploymentFactory to KubeApp.

* verify test works.

* clarify kubeappsconfig doc.

* get the test pass, no apps configuration yet.

* get test working.

* clean up on apps/kube.go

* few clean and update readme doc.

* change the overrides by func callback.

* fix the typo.

* fix the comments.

* Hide ServiceAccounts from PushContext log (#12702)

* Configure localityLbSetting in values.yaml (#12683)

* Configure localityLbSetting in values.yaml

* Update docs

* Fix concurrent map access (#12706)

* Remove when: always from CircleCI configuration for integration tests. (#12679)

This causes the integration tests to run, even if the previous steps fail.

* Removed unused code from EDS (#12221)

* Should not add a worker in GoroutinePool construction func (#12619)

* GoroutinePool does not add a worker in construction func

* fix ut

* remove redundant code (#12656)

* remove redundant k8s discovery code

* remove redundant

* Configure logging level in proxy and control plane (#12639)

* configure proxy log level via helm values for sidecar and gateways

* configure istio control plane log level via helm

* Put back a couple settings for Kiali that were accidentally deleted. (#12472)

Some Kiali settings were accidently deleted when the new installation options for
release-1.1 was published. This is because these settings were commented out in
the values.yaml file for kiali under istio/kubernetes/helm/istio/charts/kiali.

Bug:#3660

* remove to be deprecated critical pod annotation. (#12657)

* remove to be deprecated critical pod annotation.

* fix ci.

* Adding timeouts in Galley processor tests (#12701)

* Adding timeouts in Galley processor tests

This is to help in debugging #12628.

* making await method private

* add pod antiaffinity. (#12691)

* add pod antiaffinity.

* fix gateways issue.

* add pod antiaffnity to helm test pod.

* remove local test file.

* apply comments.

* Adding galley test for sidecar config validation (#12247)

* Adding galley test for sidecar config validation

Test cases related to PR #12233

* Using istio-system as namespace for resource

* Collect details/artifacts for failed tests in Prow. (#12753)

* Add infrastructure to document env var usage. (#12727)

- Introduce the pkg/env package containing a few functions to query environment
variable values. It keeps track of the variables requested so they can be documented.

- Extend pkg/collateral to recognize and output the environment variables used in the
process. This is what is needed to make this stuff show up on istio.io.

- Update all relevant call sites to use the new infrsstructure. It's still missing
descriptions for all the variables, that'll be up to component authors. I'll file
issues to get that work done.

- Fixed bugs in the node_agent_k8s code that was using env vars as the default for
Cobra command-line arguments, resulting in potentially variable default values
produced in the generated docs. Default values need to be static.

* Enable more linters. (#12751)

- Flip on a couple more linters

- Fix a bazzilion warnings produced by these linters,
along with many warnings produced by other not-yet-enabled
linters.

- Fix pkg/version so the tests compile on Mac. This broke a while
back, preventing the linter from running to completion on the Mac.

* Convert galley to reload files via SIGUSR1 or a ctrlz handler (#11617)

* Convert galley to reload files via SIGUSR1 or a ctrlz handler

* Fix ctrlz shutdown not to block

* Disable the mtls_healthcheck test until it can be fixed. (#12775)

* Change IP addresses to show up as strings in label maps in accesslog (#11740) (#12502)

Change IP addresses to show up as strings in http req  in accesslog

Fix lint errors

Fix lint errors

Use stringify function

Updated based on feedback

* upgrade prometheus version. (#12781)

* Wait for endpoints of policy backend, before trying to use it. (#12763)

* Wait for endpoints of policy backend, before trying to use it.

* Minor fix to the structure.

* Add wait logic for waiting Galley to come online.

* Fix minor bug.

* Rename the method so that it is clear what it is doing.

* Add additional constraint check.

* Remove redundant write header (#12731)

Write already writes 200 status code, so this wasn't needed. This caused
unneeded logging every time it was called.

* Tell Kubernetes that Istio validation has no side effects (#12670)

* Tell Kubernetes that Istio validation has no side effects

* Add integration tests for --server-dry-run

* Report version of kubectl and server

* Version check error

* Undo --server-dry-run tests which require K8s 1.12 or higher

* fix uds socket (#12688) (#12802)

* uds fix

* readonly

* mixer: switch to simplified config model (#12689)

* take 2 compiled instances

Signed-off-by: Kuat Yessenov <kuat@google.com>

* try with apa

Signed-off-by: Kuat Yessenov <kuat@google.com>

* quota failure

Signed-off-by: Kuat Yessenov <kuat@google.com>

* false signal?

Signed-off-by: Kuat Yessenov <kuat@google.com>

* more crds

Signed-off-by: Kuat Yessenov <kuat@google.com>

* nil params

Signed-off-by: Kuat Yessenov <kuat@google.com>

* patching config

Signed-off-by: Kuat Yessenov <kuat@google.com>

* remove stale command

Signed-off-by: Kuat Yessenov <kuat@google.com>

* Fix destination host validataion (#12804)

* Implement AuthorizationPolicy with workload selector. (#12050) (#12667)

* WIP AuthorizationPolicy with selector

* WIP AuthorizationPolicy with selector

* Check if need to use convertRbacRulesToFilterConfig and ignore permissive mode

* Support TCP

* Move new functions for RBAC v2 to rbac_v2.go

* Change the structure and refactor tests

* Put services field check back

* Remove services field validation

* Remove optimization

* Add selector no match test

* [Galley] Adding ServiceEntry synthesis (#12409)

Added a new custom projection that is subscribed to events for k8s Pods, Nodes, Services and Endpoints. These events are absorbed and do not become part of the snapshot. Instead, synthetic ServiceEntry resources are generated and become part of the snapshot.

Partially addresses #10497 and #10589

* Add a linter to prevent use of os.Getenv and os.LookupEnv (#12778)

- Add more unit tests to pkg/env to bring coverage to 100%

- Move existing linter sources from test/util/checker to tools/checker

* Specify istio-init user explicitly (#5453) (#12708)

Istio-init is supposed to be run as a superuser so it can configure
iptables and this is the current default. However many popular Helm
charts typically define a single container pod and specify
`securityContext.runAsUser` on a pod level (rather than the container
level) and that is what istio-init inherits. As the result many Helm
charts aren't working with Istio auto-injection out of the box.

A simple fix would be explicitly setting `securityContext.runAsUser`
for istio-init on the container-level so it takes precedence.

* Removing depencency on the order of returned IP addresses (#12812)

* Removing depencency on the order of returned IP addresses

Allows returned addresses by the default resolver to be in any
order. The first IPv4 address returned by the resolver is used. If
there are no IPv4 address is found, an IPv6 address is used.

Added more unit tests.

* Making logic for local IP the same as the rest

* Disabling flaky parts of Galley integ test (#12837)

This should deflake the test in #12820. Real fix is coming soon.

* Set SAN as critical for workload certs. (#12838)

* inject sds related param in pilot/mixer deployment (#12809)

* inject sds related param in pilot/mixer deployment

* remove args

* Disabling Mixer tests using the new TF in K8s. (#12848)

* Disabling Mixer tests using the new TF in K8s.

* Make linter happy.

* accommodate PR review comments.

* galley: support optional crds (#12822)

* optional galley crds

Signed-off-by: Kuat Yessenov <kuat@google.com>

* review

Signed-off-by: Kuat Yessenov <kuat@google.com>

* Removing a "TODO" that is not necessary any more (#12841)

Cleaning up the comments.

* mixer: add template CRD flag and set it to false (#12851)

* template CRD flag

Signed-off-by: Kuat Yessenov <kuat@google.com>

* missed a flag

Signed-off-by: Kuat Yessenov <kuat@google.com>

* Zombie cleanup. (#12878)

- Delete a bunch of dead code, dead variables, unused parameters, and
superfluous type declarations.

* Refactor Istio deployment code for clarity and add wait for webhook. (#12888)

* Refactor Istio deployment code for clarity and add wait for webhook
to come online.

* Make linter happy.

* Fix stupid bug.

* Remove accidental file add (#12895)

* Re-enable sidecar_api_test (#12887)

* Re-enable sidecar_api_test

* Remove kube setup

* Fix race condition

* Make Mixer readiness timeout configurable. (#12640)

- Mixer waits for readiness of the config backend. It is currently hard-wired at 30 seconds. This change makes this configurable and sets the default as 2 minutes.
- The pod was being killed because the liveness probe was not starting on time. It is blocked behind other readiness checks. This change enables readiness early on.

* Minor improvements to the test framework. (#12858)

* Add dump support to policy backend.

* Add a suitecontext dir.

* test: add dump pod events function (#12821)

* Fix flush behavior in Stackdriver adapter. (#12853)

* Fix prometheus and citadel connection tests (#12747)

* Fix test-prometheus-connection.yaml: test never failed

Co-authored-by: Ralf Pannemans <ralf.pannemans@sap.com>

* Fix test-citadel-connection.yaml: test never failed

Co-authored-by: Ralf Pannemans <ralf.pannemans@sap.com>

* Fix a bunch more linter items. (#12897)

* delete stale file (#12898)

Signed-off-by: Kuat Yessenov <kuat@google.com>

* Run dep ensure

* Implement EnvoyXdsServer graceful shutdown (#12826)

* update api sha (#12862)

* update api sha

* api files

* Add two sample deployments for user guide of Istio Vault integration (#12917)

* Rename types.go to types.gen.go. (#12921)

* Change Ip Address to readable format in accesslog from stdio/stackdriver adapter (#12850)

* Change Ip Address to readable format in accesslog from stdio adapter

* Add a check to validate it's an IP Address before calling ip.string function

* Fix formatting error

* Fix test

* Correct stringify function in instanceUtil.go too for IP address

* Fix based on review

* Fix based on review

* Fix based on review

* Update to latest doc gen tool. (#12932)

* Fix the regular expression that splits the deployment scripts. (#12931)

The script was fixed with a start-line anchor during the merge of 1.1.
However the regular expressions in Go is not multi-line.

* Add labels to the test framework. (#12819)

* Add basic label support to the test framework.

* Refactor test framework surface area to use fluent-style.

* Apply labels to CircleCI tests & stable integration tests.

* Add early exit support to avoid running setup functions when the label
set can never match.

* Add Citadel tests as presubmit tests.

* Remove environments from label usage.

* Fixup some of the label usages, and convert some of the test entry points.

* Fixup label usage.

* Redisable sidecar tests.

* Accommodate PR feedback.

* Accommodate CR feedback.

* Add more CR fixup.

* Introduce pkg/annotations (#12909)

- pkg/annotations lets us track the annotations used by the calling process.

- pkg/collateral now outputs annotations if there are any. This will make annotations
show up on istio.io

- Adjusted how pkg/collateral handles deprecated environment variabes to match how we
handle deprecated fields in protos (by coloring them differently on istio.io)

- Added another test to pkg/env to cover a case I missed originally.

- Updated the sidecar injector and pilot to use pkg/annotations.

- Fixed some invalid HTML generated by pkg/collateral.

I'll file an issue to get descriptions added for the annotations.

* remove unused pdb in remote values. (#12943)

* prevent duplicate inbound listeners (#12937)

* [Galley] Fix race in runtime strategy (#12927)

This address a race condition that seems to only occur when using a very low timerFrequency (e.g. 1 microsecond) on a slow machine (e.g. prow). Under these conditions, the strategy can encounter a race condition when creating the timer. The code was setting the `timer` variable to the result of time.AfterFunc. However, due to the extremely low frequency used, the AfterFunc was invoking its handler, `onTimer` before returning. This led to accessing an uninitilized `timer` value.

This PR swaps out AfterFunc for NewTimer. The use of time.Timer is now abstracted behind the `asyncTimer` object, which provides the semantics needed by the strategy. Now strategy.timer is set before it is started, avoiding the race.

Fixes #12628

* Adding unit tests for sidecar scope (#12184)

* Adding unit tests for sidecar scope

* Removing unused variable

* linters: enable errcheck (#12933)

* enable errcheck

Signed-off-by: Kuat Yessenov <kuat@google.com>

* add maligned to exceptions

Signed-off-by: Kuat Yessenov <kuat@google.com>

* Istio does not use Cluster_LOGICAL_DNS, so remove it (#12905)

* Istio does not use Cluster_LOGICAL_DNS, so remove it

* clean up LOGICAL_DNS in comments

* Clean up Helm README (#12914)

The README has outdated information on the values, we should just defer
to istio.io which is up to date. Additionally, we should point users to
istio.io which has up to date install instructions.

* 'istioctl experimental dashboard' command to show add-ons and sidecars (#12627)

* 'istioctl experimental dashboard' command to show add-ons and sidecars

* Test cases, output of URL, use of Cobra output stream

* Refactor code into istioctl/pkg/kubernetes

* Refactor to expose PortForward stop channel

* Validate new mixer CRDs (#12918)

* Validate new mixer CRDs

* Add templates and adapters

* Test cases for new mixer CRDs

* Add environment variables to allow configuring bookinfo hostnames (#12646)

* Allow bookinfo hostnames to be configurable

- add DETAILS_HOSTNAME, RATINGS_HOSTNAME, REVIEWS_HOSTNAME environment
variables to configure hostnames. Defaults to details, ratings, reviews
respectively

* Bump bookinfo sample to 1.11.0

* Update expected outputs for bookinfo tests

- this is not related to our PR, but the tests were failing
- the apps were changed, but images were not rebuilt

* Add edsClusters should be atomic (#12942)

* Add edsClusters should be atomic

* fix lint

* properly report errors on failure (#12945)

The CI Infrastructure times out after 10 minutes of no activity.  In
one of the test case runners, 10 miniutes is specified causing the CI
timeout to flush any debuggable output from the checks.  This results
in an in-exact error result to be returned.

Instead a vague reponse about the test case timing out is reported,
resulting in confusion for the PR authors.

The typical max I was able to achieve was ~230 seconds, but I trimmed
to 3 minutes so the test case fails in all conditions and properly
reports the errors.

* Hoist exemptLabels to top-level, so that they can apply to prs as well. (#12902)

* [mixer-e2e-test] add retry to prometheus query in check cache test (#12680)

* check cache test sleep longer

* use retry instead of longer waiting

* reword error message

* Fixing typos in unit tests (#12661)

Redoing PR #12035

* respect locality weight set from ServiceEntry (#12714)

* respect the lb weight setting from users

* add ut

* fix golint

* add locality lb setting test

* fix lint

* update test case

* update test case

* lint

* sidecars with workload selector takes precedence over namespace wide one (#12831)

* Auto bind to services for Sidecar listeners with specific ports (#12724)

* auto bind to TCP services for egress ports in Sidecar

Signed-off-by: Shriram Rajagopalan <rshriram@gmail.com>

* fix test

Signed-off-by: Shriram Rajagopalan <rshriram@gmail.com>

* minor patch (#12963)

Signed-off-by: Kuat Yessenov <kuat@google.com>

* Cleanup gateway vhost config gen (#12847)

* check match direction

* Cleanup http route generation

* undo pickMatching change

* golangbot comments

* address review comments

* fix validation bug

* gofmt

* check for intersection duplicates

* Add wildcard route fallthrough (Fixes ALLOW_ANY, 404s) (#12916)

* Add wildcard route fallthrough

Currently, ALLOW_ANY doesn't actually allow any external traffic if there is an http service already present on a port. This change adds a wildcard PassthroughCluster as the final route, allowing external traffic even if there is already a service on the port.

Additionally, in REGISTRY_ONLY mode, we will return a 404 error if there
is already an http service. This is misleading, as it can be conflated
with a 404 error returned from the actual service. When in REGISTRY_ONLY
mode, we instead return a 502 error to indicate the request is blocked.

* add unit tests

* Remove node-level flag

* Fix tests

* Support PKCS#8 private keys. (#12972)

* Support PKCS#8 private keys.

* Small fix.

* Fix LB weight setting for split horizon eds (#12560) (#12827)

* lb weight for split-horizon-eds shoulb be set correctly

* fix ut

* rename

* fix ut

* fix lint

* fix lint

* Restore dump_kubernetes.sh function on OSX (#12159)

* Fixes for Bash 3.x and detecting non-running pods

* Address shellcheck warnings

* Remove Robert Li from tests OWNERS file (#12946)

Robert has had a change in employment and can no longer contribute to
Istio.

* remove unnecessary namespace for webhook configuration (#12981)

* remove deprecated mcpServerAddrs flag (#12954)

* remove deprecated mcpServerAddrs

* fix ut

* support ip:port format configSource

* fix ut

* fix ut

* supprt proxy https app probe (#12872)

* supprt proxy https app probe

* add ut

* fix ut

* add webhook inject test

* fix test

* fix comments by incfly

* Allow some time for the configuration propagation (#12865)

* Allow some time for the listeners config propogation

* change to use watchDiscovery

* samples/bookinfo: easier access to logs (#12584)

* Use shorter namespace prefixes. (#13001)

* Change Ip Address to readable format in accesslog from stdio/stackdriver adapter (#12850) (#12936)

* Change Ip Address to readable format in accesslog from stdio adapter

* Add a check to validate it's an IP Address before calling ip.string function

* Fix formatting error

* Fix test

* Correct stringify function in instanceUtil.go too for IP address

* Fix based on review

* Fix based on review

* Fix based on review

* Update integration test env flag (#12977)

The flag should be "kube" not "kubernetes" but it was not updated in
some places before.

* Support inline role definition in AuthorizationPolicy (#12849)

* Don't fill test logs with "no provious log" (#12857)

This isn't a real error, but it is misleading in the test output. We
have no reason to output all of these errors that there is no previous
container to get logs from.

* mixer: delete old style CRDs from installation (#12710)

* delete old style CRD from installation

Signed-off-by: Kuat Yessenov <kuat@google.com>

* disable galley from listening to old style CRDs

Signed-off-by: Kuat Yessenov <kuat@google.com>

* more hardcoded yamls

Signed-off-by: Kuat Yessenov <kuat@google.com>

* debuggin default install

Signed-off-by: Kuat Yessenov <kuat@google.com>

* fix fmt

Signed-off-by: Kuat Yessenov <kuat@google.com>

* keep galley pipeline

Signed-off-by: Kuat Yessenov <kuat@google.com>

* disable resource ready

Signed-off-by: Kuat Yessenov <kuat@google.com>

* delete debugging line

Signed-off-by: Kuat Yessenov <kuat@google.com>

* fixing testdata

Signed-off-by: Kuat Yessenov <kuat@google.com>

* delete deprecated configs

Signed-off-by: Kuat Yessenov <kuat@google.com>

* remove declarations

Signed-off-by: Kuat Yessenov <kuat@google.com>

* delete more yaml

Signed-off-by: Kuat Yessenov <kuat@google.com>

* merge fix

Signed-off-by: Kuat Yessenov <kuat@google.com>

* Add tests for the effect of mTLS setting to reachability (#11624)

* Reachability test in new ingegration test framework

* Add test for port specific policy

* Expose KubeApp interface and move EndpointForPort to that instead

* Use the retry.UntilSuccess from framework

* Change to UntilSuccessOrFail instead of UntilSucces

* remove deprecated code (#13005)

* remove deprecated code

* remove dep

* Add examples/documentation for the test framework. (#13000)

* Add examples/documentation for the test framework.

* Add more prose about test lifecycle.

* Fix typo.

* Fix typos.

* fix retry loop in mixer crd watch (#13003)

* first change to apps/v1 for Install (#13015)

* first change for install

* appsv1

* indention

* use only ipv4 for pilot and zipkin (#12997)

* do ipv4 lookups for pilot and zipkin

Signed-off-by: Shriram Rajagopalan <rshriram@gmail.com>

* update goldens

Signed-off-by: Shriram Rajagopalan <rshriram@gmail.com>

* small fix for imports (#13013)

* remove old mcp stack (#12092)

* remove old mcp stack

* remove legacy mcp server from galley

* fix server build

* fix linter

* remove unused code in journal.go

* fix build

* s/server/source

* fix linter errors

* Exclude Prometheus traffic in rule so that Kiali does not show it. (#12251)

* [Galley] Fix race in strategy shutdown. (#13004)

* [Galley] Fix race in strategy shutdown.

The Close() logic was holding onto the state lock, which can race with worker thread. Specifically, the worker thread could be in a call to onTimer awaiting the lock, which would never be acquired since the Close() method is stuck waiting for the stopped channel to close.

* cleaning up reset logic to avoid holding on the stateLock

* Add instructions and scripts to facilitate running E2E tests locally using KinD (#12641)

* Adding check/install go in both macOS and Linux.

* Install go if not installed.

* Adding support to run e2e test on KinD locally.

* Adding the ability to run e2e tests locally on KinD.

* Update install_prereqs_debian.sh

* Update setup_test.sh

* Adding the ability to run e2e test on KinD
for presubmit test.

* Presubmit e2e test on KinD.

* Adding the ability to run e2e_simple presubmit on KinD

* Adding README file for testing on KinD locally.

* Revert the changes on adding install_go function.

* Revert install_go in common_macos.sh

* Revert the file changes of deleting newline.

* Reverting the changes.

* Addressing reviews.

* Fixing shellcheck

* respect locality weight set from ServiceEntry (#12714) (#13012)

* respect the lb weight setting from users

* add ut

* fix golint

* add locality lb setting test

* fix lint

* update test case

* update test case

* lint

* Add documentation about -p 1 for integration test framework. (#13032)

* Reduce logs in security/pkg/nodeagent/sds/ (#13035)

* Reduce logs in security/pkg/nodeagent/sds/

https://github.com/istio/istio/issues/13033

* Count the log output times

* Revise the PR based on review comments

* move pkg/mcp/configz to pkg/mcp/configz/client (#12982)

Signed-off-by: Chun Lin Yang <clyang@cn.ibm.com>

* Restore TestMtlsHealthCheck in postsubmit, prow. (#12969)

* restore test to debug.

* add presubmit label to the test for triggering.

* change to only run in postsubmit.

* remove postsubmit label just comment.

* Enable more linters and fix warnings/errors (#12993)

* Cherry pick cert file config from master to release-1.1 (#12707)

* Cherry pick from master: Configuration:  no longer hardcode mesh certs (#12189)

* Configuration: Pilot-Agent: no longer hardcode certs to watch. Pilot-Discovery: no longer hardcode Envoy listener cert paths.

* Address demands of golangcibot overlord

* Change usages of github.com/stretchr/testify/require to github.com/stretchr/testify/assert

* Address code style violation

* Revert temporary api changes. Set cert paths in envoy node metadata and use them when setting up listeners

* Use envoy node metadata cert paths (if available) when constructing clusters

* Rename constants to make golint happy

* Fix imports

* Ignore ordering in test

* Pass around proxy instead of proxy.Metadata

(cherry picked from commit 7c342741df9bd4e313420b4d17e279089d8956da)

* goimports file

* Allow limiting Citadel to marked namespaces only (#12289)

* Allow limiting Citadel to marked namespaces only

- add command line flag to require explicit opt-in to secrets (defaults to false to retain current behavior of always create)
- extend secret controller to consider namespace labels (reuses existing 'istio-injected=enabled')
- modify unit tests to retain previous behavior (i.e., always create secrets, explicit opt-in not required) and account for additional namespace access

* removed left-over debug print, check enable only when explicit opt-in is required

* reverting k8s actions in tests: namespaces no longer checked when explicit opt-in is false

* unit tests for checking labels and behavior

* Namespace specified in command line is explicitly enabled

- save namespace specified in the `--listened-namespace` option on the controller (allow multiple to prepare for r1.1)
- check SA namespace against explicit namespaces

* use dedicated label name to avoid overloading the injection label

* use istio-managed label in tests

* clarified explicit-opt-in is relevant for keys and certificates provided via a volume mount

* refactor istio managed object test to a function so it can be called from secret deletion handler as well

* fix left over istio-injection label in tests

* manual merge fix

* appsv1 galley (#13047)

* Add support for datadog tracing (on release-1.1 branch) (#12687)

* Add support for datadog tracing.

Signed-off-by: Caleb Gilmour <caleb.gilmour@datadoghq.com>

* Use $(HOST_IP) instead of special-casing empty address value

Signed-off-by: Caleb Gilmour <caleb.gilmour@datadoghq.com>

* add param to sidecar to ignore iptables changes (#12829)

* add param to sidecar to ignore iptables changes

* rephrase description

* samples/bookinfo: migrate `apiVersion` of deployments to `apps/v1` (#13030)

* fix validation logic so that port.name is no longer a valid PortSelector (#13054)

* [Test Framework]: Galley support for deleting config (#13037)

In order to properly support deleting resources, it was necessary to revisit how ApplyConfig is done as well.  Previously, apply would just blindly copy the yaml to a new file in the configDir. The assumption was that the resource was always being "added" (rather than updated). I'm not certain what would happen if two resources appeared with the same name/namespace.

This PR generalizes (and fixes) the way resources are handled so that it's not concerned with files, but rather the underlying resources. The code now parses the top-portion of the yaml to properly identify each resource.  Once identified, the code now properly updates resources by writing back to the file where the resource was found.  Deletes are similar, where the original resource in the file is replaced with "" (empty files are removed).

* Support controlz for mcp server (#12980)

* Support controlz for mcp server

Signed-off-by: clyang82 <clyang@cn.ibm.com>

* fix lint error

* Address review comments

Signed-off-by: Chun Lin Yang <clyang@cn.ibm.com>

* generalize artifact injection into Docker images (#12203)

Instead of just adding LICENSES.txt only, also optionally add in the
source code as well, gating on the new EXTRA_ARTIFACTS and
EXTRA_ARTIFACTS_CNI environment variables.

Change-Id: Iab8fadfbcbbaa8906491e12324fae20185d9f33e

* Keep going when problem happens checking remote version (#13060)

* remove deprecated show-all flag (#13053)

* Add x alias to experimental istioctl command (#11801)

* Add x alias to experimental istioctl command

I'm super lazy and experimental is far too much effort to type

Signed-off-by: Liam White <liam@tetrate.io>

* Add exp as an additional alias

Signed-off-by: Liam White <liam@tetrate.io>

* Correct the app label for Gateway (#12693)

* update selector for gateway

Signed-off-by: Chun Lin Yang <clyang@cn.ibm.com>

* fix build fail

Signed-off-by: clyang82 <clyang@cn.ibm.com>

* Update tracing_datadog_golden.json (#13082)

* Fix small typo (#13089)

can useful -> can be useful

* Add jitter in CSR request (#12805)

* Add jitter in CSR request

* Add log

* Fix comments

* Fix test

* Fix test

* Fix comment

* Allows cleanup.sh to run non-interactively when in terminal (#12635)

This change allows cleanup.sh to run non-interactively in standard terminals.
For example: NAMESPACE="test123" ./cleanup.sh

* 'istioctl proxy-config clusters' cluster type column rendering (#12458) (#12730)

* update sds secret mount. (#12733)

* Copy data from right place (#12762)

* Fix updateClusterInc for overlapping ports (#12766)

* Fix updateClusterInc for overlapping ports

It is possible that a service will have multiple ports, with the same
port number. The typical example here is kube-dns, which uses port 53
for UDP and TCP. When we do an incremental push, we would select the
first port to match the port number, which would sometimes causes us to
ignore the correct port. This fix searches through all matching ports.

* Ensure port number matches as well

* Add unit tests

* remove dead code

* enable default sidecarscope (#12832)

* [Galley] Fix for ServiceEntry event ordering (#12890)

The integration test was encountering this, exposing a real bug. If nodes/pod events occur after service/endpoints (which should generally be unusual) then it is possible to have a ServiceEntry missing pod/node information (e.g. locality).

Fixes #12820

* Adding sha for istio/tools to manifest.txt for future automation of perf tests (#11706)

* Copy helm data from the right place (#12808)

* Refactor solution based on Costin's feedback (#13027)

Signed-off-by: Serguei Bezverkhi <sbezverk@cisco.com>

* Enable more linters and fix warnings/errors (#13061)

* Making tags requirement same as those in Kubernetes (#12852)

* Making tags requirement same as those in Kubernetes

Changing validation check to make sure non-empty tags start with an
alphanumeric character

* Validating label keys are not empty strings

Allow empty string for label values
Do not allow empty string for label keys

* Added certmanager flag into helm chart values.yaml (#12953)

* Added certmanager flag into helm chart values.yaml

* Moved certmanager configuration

* Pilot [networking]: Add upstream idle_timeout to cluster definition (#13066)

* adding upstream idle_timeout to cluster definition.

* reverting vendor changes before running dep ensure again.

* running dep ensure update on api from master.

* controlPlaneMtls renamed to controlPlaneSecurityEnabled (#13141)

* Patch #12805 to master (#13104)

* Patch #12805 to master

* Fix lint

* Fix HelmDelete command (#12515)

* Fix HelmDelete command

HelmDelete was called with the namespace it needs to be called
with a chartname.  Also created a constant to make it more
obvious when called by the other Helm related commands.

* Fix typo

* Goimports fix

* ight modification path (#13148)

* Allow overriding of registry locality (#13077)

Also fixes bug where non-kube envs could override to something that parsed incorrectly

Signed-off-by: Liam White <liam@tetrate.io>

* mixer: add support for standard CRDs for compiled-in adapters (#12815)

* cherry pick subset of https://github.com/istio/istio/pull/12689/

Signed-off-by: Kuat Yessenov <kuat@google.com>

* add support for compiled in adapters

Signed-off-by: Kuat Yessenov <kuat@google.com>

* patch log line

Signed-off-by: Kuat Yessenov <kuat@google.com>

* parse cert to get expire time  (#13145)

* parse cert

* cleanup

* unit test coverage

* missing file

* address comments

* rebase and address comment

* Installing istio for perf testing (#13159)

* Perf scripts

* gsutil

* WD

* perf running and geting metrics

* Perf

* perf

* perf

* Perf

* remove

* qq

* Appsv1 pilot (#13050)

* appsv1 for Pilot

* appsv1 for Pilot

* appsv1 for Pilot

* dep update

* fix test

* fix test

* fix test

* fix test

* fix test

* typo

* typo

* typo

* typo

* typo

* update go-control-plane (#13154)

Signed-off-by: Kuat Yessenov <kuat@google.com>

* added sidecar.istio.io/rewriteAppProbers annotation (#13112)

* pilot: registered sidecar.istio.io/rewriteAppProbers annotation

* pilot: checked from sidecar.istio.io/rewriteAppProbers too

* pilot: added webhook inject tests

TestWebhookInject_http_probe_rewrite_enabled_via_annotation case is a modification of TestWebhookInject_http_probe_rewrite case.
The difference is rewriteAppHTTPProbe is false in template, but set to true in annotation.

TestWebhookInject_http_probe_rewrite_disabled_via_annotation case is a modification of TestWebhookInject case.
The difference is rewriteAppHTTPProbe is true in template, but set to false in annotation.

* fixed linter issue in test

* added http probe test for kubeinject case

* added tests and fixed login upon checking RewriteAppHTTPProbe setting

* Add more tests in app_probe_test.go

* renamed RewriteAppProbers to RewriteAppHTTPProbers

* fixed test case for webhook injection

* add description to rewriteAppHTTPProbers annotation

* updated tests in app probe to sync with recent master change

* change validateBool to alwaysValidFunc as per review

* Export inject.injectionData() (#12426)

* Registrator should use master version (#13083)

* dependencies: update cel-go and remove protoc-gen-docs (#12711)

* experiment with COMPAT

Signed-off-by: Kuat Yessenov <kuat@google.com>

* get errors

Signed-off-by: Kuat Yessenov <kuat@google.com>

* get errors

Signed-off-by: Kuat Yessenov <kuat@google.com>

* stop validation

Signed-off-by: Kuat Yessenov <kuat@google.com>

* remove hack

Signed-off-by: Kuat Yessenov <kuat@google.com>

* testing

Signed-off-by: Kuat Yessenov <kuat@google.com>

* only access log

Signed-off-by: Kuat Yessenov <kuat@google.com>

* debugging

Signed-off-by: Kuat Yessenov <kuat@google.com>

* debugging

Signed-off-by: Kuat Yessenov <kuat@google.com>

* debugging

Signed-off-by: Kuat Yessenov <kuat@google.com>

* debugging

Signed-off-by: Kuat Yessenov <kuat@google.com>

* debugging

Signed-off-by: Kuat Yessenov <kuat@google.com>

* add runtimeconfig

Signed-off-by: Kuat Yessenov <kuat@google.com>

* add a benchmark

Signed-off-by: Kuat Yessenov <kuat@google.com>

* cel_perf

Signed-off-by: Kuat Yessenov <kuat@google.com>

* update cel

Signed-off-by: Kuat Yessenov <kuat@google.com>

* update examples

Signed-off-by: Kuat Yessenov <kuat@google.com>

* remove unnecessary dependencies

Signed-off-by: Kuat Yessenov <kuat@google.com>

* Fixing copy for helm, one more time. (#13186)

* Run goimports on generated file (#13195)

* Enable disabled mixer tests in New Test Framework (#13151)

* Enable disabled mixer tests in NF

* Change tests config to new style

* Change tests config to new style

* Change tests config to new style

* Fix config for native policybackend

* Fix report test

* Reduce Pilot resource requests for demo (#12477)

* Reduce Pilot resource requests for demo

* Add limits as well

* Added data source for Galley dashboard (#13041)

Fixes: #13040

* fix values for pod anti-affinity. (#12798)

* Add sensible defaults to istio-gateways (#12315)

* report succeed after validation (#13165)

* report succeed after validation

* review comments

* Change exposed port of istio-pilot in consul (#13170)

`15003` and `15005` are never used in pilot under consul env. It would be confusing to expose the two ports. Instead, 
```
   --grpcAddr string                     Discovery service grpc address (default ":15010")
   --secureGrpcAddr string               Discovery service grpc address, with https (default ":15012")
```
we know `15010` and `15012` are still using.

* Cherrypick: Add wildcard route fallthrough (Fixes ALLOW_ANY, 404s) (#12916) (#12973)

* Add wildcard route fallthrough (Fixes ALLOW_ANY, 404s) (#12916)

* Add wildcard route fallthrough

Currently, ALLOW_ANY doesn't actually allow any external traffic if there is an http service already present on a port. This change adds a wildcard PassthroughCluster as the final route, allowing external traffic even if there is already a service on the port.

Additionally, in REGISTRY_ONLY mode, we will return a 404 error if there
is already an http service. This is misleading, as it can be conflated
with a 404 error returned from the actual service. When in REGISTRY_ONLY
mode, we instead return a 502 error to indicate the request is blocked.

* add unit tests

* Remove node-level flag

* Fix tests

* Use new env var framework

* Fix long line

* Run format and linter

* CEL checker mutex (#13192)

* checker mutex

Signed-off-by: Kuat Yessenov <kuat@google.com>

* deadlock

Signed-off-by: Kuat Yessenov <kuat@google.com>

* Integration testing for Locality Load Balancing  (#13084)

* Initial testing functionality

Signed-off-by: Liam White <liam@tetrate.io>

* appease the linting gods

Signed-off-by: Liam White <liam@tetrate.io>

* Fall back to bootstrap locality as a last resort

Signed-off-by: Liam White <liam@tetrate.io>

* Move service instance check after we set them...

Signed-off-by: Liam White <liam@tetrate.io>

* Add EDS test

Signed-off-by: Liam White <liam@tetrate.io>

* Reorganise tests to run in parallel

Signed-off-by: Liam White <liam@tetrate.io>

* Move to pilot directory

Signed-off-by: Liam White <liam@tetrate.io>

* minor Infof fixes

Signed-off-by: Liam White <liam@tetrate.io>

* fix package name

Signed-off-by: Liam White <liam@tetrate.io>

* Increase propagation sleep and add warning

Signed-off-by: Liam White <liam@tetrate.io>

* [test-framework] Support helm values containing spaces (#13127)

* Support helm values containing spaces in integration test framework

For a helm template command,
e.g., "helm template --set key1=value1 --set key2=value2",
the existing integration test framework assumes the values do not
contain spaces and splits the command argument using the
space character before executing the helm command.
Thus, the existing implementation does not support
helm values (e.g., certificates) containing spaces.
This PR adds the support of helm values that contain spaces.

* Revised to use array based on review comments

* Adding servicegraph testing to postsubmit (#13190)

* Adding servicegraph testing to postsubmit

* m

* perf

* change

* pod

* fix

* Adding E2E Test for kiali (#11448)

* Add Kiali E2E Test

* Minor Fixings on Kiali E2E Test

* Remove unused mixer.enabled value (#13214)

This is not a functional change; this value is never used so it is
misleading/confusing. mixer.policy.enabled and mixer.telemetry.enabled
are used.

* Adding aliases for OWNERS (#13194)

* Fixing copy for helm, one more time.

* Adding aliases for test group. Setting up labels and no parent_owners

* prow

* owners

* Fixing helm order (#13224)

* Fixing copy for helm, one more time.

* Fix order of the helm command

* fix lint (#12988)

* update certificates with expiration time 100 years (#13233)

* update certificates with expiration time 100 years

* update testdata/local/etc/certs

* fix original destination bug (#13011)

* fix original destination bug

* add ut

* align init role label. (#13172)

* Remove --platform option (#13187)

* Fix #10380: Remove hardcoded sidecar template for istioctl kube-inject (#10830)

* Remove the hardcoded sidecar template for

* Remove deprecated flags in istioctl kube-inject

* update testdata after rebase

* add rule for kubeinject.go in codecov.threshold

* push client the new root cert when it's changed (#13163)

* refresh root

* refresh root

* unit test

* add logs

* address comment

* more comment

* address comment

* Implement `role` field in AuthorizationPolicy  (#13181)

* Add check for role in ServiceRoleBinding

* Implement global role

* Add integration tests for SDS-Vault mTLS flow and SDS-Citadel mTLS flow (#13199)

* Add integration tests for SDS-Vault mTLS flow and SDS-Citadel mTLS flow

Add integration tests for SDS-Vault mTLS flow and SDS-Citadel mTLS flow.
The mutual TLS connection uses the certificates issued by SDS-Vault CA flow
and SDS-Citadel CA flow.

* Use the flag EnableCDSPrecomputation()

* Address review comments

* Ignore missing resources on kubectl delete (#13225)

This makes it so tests won't fail on cleanup for resources that are
already deleted.

* [Testing] Cleanup PortForwarder (#13250)

* Add generated LICENSES.txt to gitignore (#13209)

* remove myself from owners (#13231)

Signed-off-by: Kuat Yessenov <kuat@google.com>

* add upstream_transport_failure_reason to access log (#12434)

* add upstream_transport_failure_reason to access log

Signed-off-by: Lizan Zhou <lizan@tetrate.io>

* update proxy to latest

Signed-off-by: Lizan Zhou <lizan@tetrate.io>

* fix

Signed-off-by: Lizan Zhou <lizan@tetrate.io>

* fix format

Signed-off-by: Lizan Zhou <lizan@tetrate.io>

* Fix integration test errors and refactor security integration tests (#13253)

* Fix integration test errors and refactor security integration tests

- Fix the failure of integration tests when --istio.test.nocleanup=false,
which is the default test setting. The failures of integration tests when
--istio.test.nocleanup=false are caused by that the errors during
cleaning up tests are treated as test failures while the actual tests
have succeeded when --istio.test.nocleanup=true.
- Organize security integration tests under testss/integration/security.
- Refactor the code to share common utility functions and remove
duplicate code.
- Misc fixes.

* Address review comments

* Use a const to represent the test policy directory

* Address review comments

* Fixes the multicluster e2e test (#13246)

The secret was being created after the apps where
deployed on the remote.  This was causes the test
to never think the apps successfully deployed since
the envoy sidecar was continually restarting.

* pre-check: fix a logic error (#13278)

`getNameSpace()` always returns an object, even if namespace does
not exist. Checking the error status is safer.

* Remove kubectl from dockerfile prereqs since it pulls it (#13256)

* Fixing EDS unit tests (#12995)

The current EDS test is incorrect and passes because the check calls time
out rather than sucessfully completing. This PR fixes the problem and
add one more test.

fixes issue #12994

* rbac: fix a data race in listener generation (#13308)

* Include js/css files into static folder (#12983)

* Include js/css files

Signed-off-by: Chun Lin Yang <clyang@cn.ibm.com>

* Append version to file

Signed-off-by: Chun Lin Yang <clyang@cn.ibm.com>

* ignore assets.gen.go in code coverage

Signed-off-by: Chun Lin Yang <clyang@cn.ibm.com>

* remove assets.gen.go from codecov test

Signed-off-by: clyang82 <clyang@cn.ibm.com>

* remove skipped test from .cov file

Signed-off-by: Chun Lin Yang <clyang@cn.ibm.com>

* fix check chell issue

Signed-off-by: Chun Lin Yang <clyang@cn.ibm.com>

* fix shell check issue

Signed-off-by: Chun Lin Yang <clyang@cn.ibm.com>

* Fix galley integration test race (#13303)

* [Test Framework] Integrate apps with Galley (#13115)

The most recent refactoring broke the apps component when Pilot is being used with Galley. The apps register their services with the ServiceManager directly. When Pilot is configured with Galley, however, it doesn't use the ServiceManager, which means that the app services are never properly registered with Pilot.

- Changed the Pilot and Apps component to require Galley to be configured, to avoid confusion.

- Removed the ServiceManager altogether - Galley is used for service registration.

Fixes #13090

* Fix again helm copy, was reverted during merge from release 1.1 (#13337)

* Fixing copy for helm, one more time.

* Fixing copy again for master

* Update OpenShift dependencies; Drop [deprecated] legacy schema (#13160)

* Extend istioctl mocking library to allow mocking of authn etc (#13118)

* Fixing iptabes ranges (#13291)

* Fixing iptabes ranges

Signed-off-by: Serguei Bezverkhi <sbezverk@cisco.com>

* fix shellcheck errors

Signed-off-by: Serguei Bezverkhi <sbezverk@cisco.com>

* fixing ci failures #1

Signed-off-by: Serguei Bezverkhi <sbezverk@cisco.com>

* fixing ci failures #2

Signed-off-by: Serguei Bezverkhi <sbezverk@cisco.com…
lei-tang added a commit that referenced this issue Apr 23, 2019
@lei-tang
Merge master branch 2619197 to collab authn (#13539)
50cd96f 
* Drop log level for missing service account for spiffe uri (#12239)

* Don't require service account for spiffe

Some kubernetes pods don't have a service account. This causes a log
flood that the spiffe url is invalid, but this doesn't actually have any
negative impact. We can just make it not an error to have no service
account.

* Revert "Don't require service account for spiffe"

This reverts commit e88ff187963e97949d3b81c3575b997ddd7e7a6f.

* Just drop error -> warn

* Fix tests

* Drop log level

* [Authz v2] Add additional fields for bindings and validation. (#11800) (#12460)

* Adding additional fields for bindings and validation. (#11800)

* Implement namespaces for ServiceRoleBindings

* Implement not_namespaces and refactor

* Implement not_ips

* Implement ips (no unit tests)

* Add a unit tests for ips for ServiceRoleBinding

* Implement groups and not_groups for ServiceRoleBinding

* Implement names and not_names

* Check for duplicated definition in constraints/properties and first-class fields

* Disallow using * in names or not_names to prevent ambiguity

* Disallow using * in names or not_names to prevent ambiguity

* Refactor additional fields for bindings

* Update validation.go

* Update validation.go

* enhance verify install command (#12174)

* enhance verify install command

* fix lint

* fix lint

* configure prometheus to monitor citadel. (#12175)

* Add namespace scoping to the Gateway 'port' names (#11509) (#12500) (#12556)

* Add namespace scoping to the Gateway 'port' names (#12500) (#12500)

Currently in order to configure ingressgateway to do TLS termination
using multiple secure virtual hosts with different certificates Istio
requires Gateway 'port' names to be globally unique (i.e. distinct).
I.e. two gateways cannot have secure port named 'https' even if they
reside in different namespaces. Behavior in such case is undefined.

This breaks namespace isolation as a user creating a Gateway in one
namespace might not have access to other namespaces hence can't
if the port name is already 'taken'. Behavior in such case is undefined
and likely to render other virtual hosts unavailable.

This change adds namespace scoping to Gateway port names by appending
namespace suffix to the HTTPS RDS routes. Port names still have to be
unique within the namespace boundaries, but this change makes adding
more specific scoping rather trivial.

* Increase Gateway 'port' names scoping granularity

* Minimal changes to make locality lb not sigsegv (#12649)

* Locality label istio-locality in k8s should not contain `/`, use `.` (#12592)

* Locality label istio-locality in k8s should not contain `/`, use `.` instead

* fix comments

* Only use gateways for servers being processed (#12663)

Signed-off-by: Shriram Rajagopalan <rshriram@gmail.com>

* Propagate Envoy Metrics Service Config (#12569)

The plumbing for propagating the envoy metrics service address config is missing a step to copy the given address to the config object that is passed on to the template renderer.

* mixer: add directive demo adapter (#12505)

* finish demo

Signed-off-by: Kuat Yessenov <kuat@google.com>

* printf

Signed-off-by: Kuat Yessenov <kuat@google.com>

* publish keyval

Signed-off-by: Kuat Yessenov <kuat@google.com>

* Adding sidecars to validating webhook configuration (#12233) (#12643)

Addresses issue #12193

* Cleaning up Unit tests for RDS (#12581)

Added a new case and cleaned up the existing test cases.

* switching deployment to v1 api (#10578)

Signed-off-by: Serguei Bezverkhi <sbezverk@cisco.com>

* Cleanup Galley OWNERS file. (#12676)

* fix uds socket (#12688)

* uds fix

* readonly

* Add unit test to cover multiple different locality case (#12388)

This PR only increases test coverage. Does not impact functionality.

Signed-off-by: Liam White <liam@tetrate.io>

* Build 1.1.1 (#12690)

* Fix LB weight setting for split horizon eds (#12560)

* lb weight for split-horizon-eds shoulb be set correctly

* fix ut

* rename

* fix ut

* fix lint

* fix lint

* fix typo in default envoy JSON log format (#12473)

* Make release-1.1 changes compatible with master

* Remove extra ingress template
* cherry pick 10578
* reformat
* Update rbac.go to use httpfilter when needed
* Integration framework ensure apiVersion is top level
* Update yaml make target
* Disable setup on sidecar_api_test

* clarified mesh connect timeout fields based on code impl (#12089)

* Testing: configurable ports for Echo (#12681)

The echo component currently assumes a hard-coded list of ports. We eventually want to replace the "apps" component with echo, but in order to do that we'll need to be able to tailor the port configuration for each instance.

* add image pull secrets for zipkin. (#12327)

* Refresh oop handler with connection config update (#12575)

* refresh handler with connection update

* sanitize test error message

* Fixing coping of the data to the bucket during release (#12585)

* Fixing coping of the data to the bucket.

* Small fix

* RM folder in any case

* 'istioctl proxy-config clusters' cluster type column rendering (#12458)

* Make error message explicit (#12675)

* E2E test for health check under mtls using app prober rewrite. (#11531)

* injector changes for health check, pilot agent take over app readiness check. (#9266)

* WIP injector change to modify istio-proxy.

* move out to app_probe.go

* Iterating sidecartmpl to find the statusPort.

* use the same name for ready path.

* Get rewrite work, almost.

* Some clean up on test and check one container criteria.

* fix the injected test file.

* Add inject test for readiness probe itself.

* Add missing added test file.

* fix helm test.

* fix lint.

* update header based finding the port.

* return to previous injected file status.

* fixing TestIntoResource test.

* sed fixing all remaining injecting files.

* handling named port.

* fixing merginge failure.

* remove the debug print.

* lint fixing.

* Apply the suggestions for finding statusPort arg.

* Address comments, regex support more port value format.

* add app_probe_test.go

* add more test.

* merge fix the test.

* webhook autoinject is ready for review.

* Squashed commit of the following:

commit 501b92c76c010d3adcd2e52a9abe8cb149eb90f2
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 29 18:13:30 2019 -0800

    renaming env var.

commit 1a82b2c0de292a34643f59ce802858c8d26a7a46
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 29 17:59:25 2019 -0800

    finish migrating test to yaml file based.

commit 99bda1d7d2521b965a0f71e28d235ada469ba7b7
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 29 13:55:00 2019 -0800

    get test working.

commit 28225cd409c7790636c11da74ad8f69d0e7cf89b
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 29 13:49:58 2019 -0800

    WIP add some test files.

commit 612b8aa3db468850d8e34f47d0dc05c536f57dde
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 29 13:13:06 2019 -0800

    WIP changing to using the environment var.

commit 7dabcb1695fa375de1b93add014528ae7509c94c
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 29 10:52:47 2019 -0800

    add todo for the tests.

commit 7af6ba524176616d67d35867665225e27f4a96ce
Merge: ca22277d7 4b7b13aef
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 29 10:47:17 2019 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-wip

commit ca22277d76ed8d1c1b7c3b44cb05edfe52ccf861
Merge: 98fd48f59 744b07ad2
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Jan 28 23:15:34 2019 -0800

    Merge branch 'health-wip' of https://github.com/incfly/istio into health-wip

commit 98fd48f59f748bafe5e8518bff3d8cbfd64a2135
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Jan 28 23:15:00 2019 -0800

    findsidecar.

commit 744b07ad2406d1eb94bcf5492125f91486ad6b10
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Jan 28 22:29:28 2019 -0800

    add FindSidecar.

commit 40ed002ff6f5dd4afe22afa984384addc1be1104
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Jan 28 21:55:51 2019 -0800

    refactor some code.

commit 0fdbb2e832b7ac01f3e4ed185763b3b20bfbd2ac
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Jan 28 18:19:32 2019 -0800

    Integration test works and fixing a bug.

commit 5085dfd0e6cb4f0c9cb5c25e7f24b0b94dec176a
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Jan 28 16:09:13 2019 -0800

    all inject tests pass.

commit fe3f156316c917854c2ef4c163e7e1fb070c4fa5
Merge: a2a774498 010d5c266
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Jan 28 15:22:18 2019 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-wip

commit a2a774498e1021c1ca01c021c071e225fa330407
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Jan 28 15:16:04 2019 -0800

    update the TestWebhookInject.

commit 36fd45c074bcc787702a5a9257d23103521f525c
Author: Jianfei Hu <jianfeih@google.com>
Date:   Fri Jan 25 12:13:21 2019 -0800

    some document

commit 88dc922719e2c4723a334d1d8d959cac361b1ecb
Author: Jianfei Hu <jianfeih@google.com>
Date:   Fri Jan 25 11:43:44 2019 -0800

    new version works for kubeinject, webhook unit test.

commit 6efa0d64eca835dd860cdfc37d09ebfe110e083a
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Jan 24 18:17:38 2019 -0800

    WIP working on modifying sidecar.Args first, then modify app container patch.

commit 65a2194ae7a93581f60b56998aeb9480b4a4fde5
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Jan 24 15:20:36 2019 -0800

    WIP add what's missing to get e2e test working.

commit 1595e871c640cdabead372eada2b17d717fa707f
Merge: 256d9635f ac78a552a
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Jan 24 13:26:05 2019 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit 256d9635f4d590936c473bf3be0299064cb9c716
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Jan 24 12:14:04 2019 -0800

    add some debugging log.

commit f70096334464fd1d59a0e81997e8f0fd6623a564
Merge: bdce72119 c7eb603ee
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Jan 24 10:57:43 2019 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit bdce72119ef78dab40b750861768c332811b9ee2
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 23 18:04:37 2019 -0800

    refactor to host something up to caller.

commit b51763c21000ba2b7fe9e2bc728783ce530cfe87
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 23 16:31:32 2019 -0800

    get everything works.

commit 0815695a2fea828f06a31f14ed7795a3b3716111
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 23 15:48:27 2019 -0800

    kubeinject test is working.

commit 14c99b58f0212972d42e298fa4185275642d672c
Merge: d626bb85d 5ea79622c
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 23 15:38:30 2019 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit d626bb85dee628771f8f41fc90335ac608dea923
Merge: 3561ae0a6 66153da4d
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 23 15:38:23 2019 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit 3561ae0a69350730834e625c0710394968f9fcde
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 16 16:49:44 2019 -0800

    WIP, policy is not taking effect, test passing without rewrite.

commit a9bef0f01964a14f6ace0da6217d7a36f364b661
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 16 16:31:08 2019 -0800

    fix the json path in the patch.

commit f1aee91189e16beb0dadee6c612464b1aa9bad21
Merge: 3a7eb48e6 abc53e120
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 16 14:03:49 2019 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit 3a7eb48e6b8e4687ffc38973bf18fca11b06c957
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 16 13:57:55 2019 -0800

    fix it, removing namespace since metadata not matching will fail for kubeapply

commit 2b120347ae887b8a4aa5f955a1a8cb0bdd46d3da
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 16 11:58:39 2019 -0800

    WIP, debuggin why mtls policy is not showed up.

commit 72e9c4e488f875ffea0c3a279403277010160ee1
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 15 17:24:16 2019 -0800

    working on integration2 test framework.

commit 90c1cce9ddc55ce339aa65eac06602591d3113c9
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 15 17:04:38 2019 -0800

    add small comments.

commit 92a0edaa11734d1c6fb1c367fae56dc104c6e676
Merge: 7f5c8cbd8 e45242c0d
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 15 16:43:47 2019 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit 7f5c8cbd8d4aa57eaf8f8d739cae6dbfdab0445d
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 18 09:37:53 2018 -0800

    check rewriteAppProbe separately.

commit e2707c9b8f1b01bd4b03b2c6adb9fc79f0dcb479
Merge: 20f02c045 1ae6b4fde
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 18 09:01:37 2018 -0800

    Merge branch 'health-autoinject' of https://github.com/incfly/istio into health-autoinject

commit 20f02c04563fab9b81b418c00a5455994fda5148
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 18 08:59:57 2018 -0800

    duplicate the rewrite logic.

commit 4894cb16804d9c5a0406c2dc1b02e3395be08e64
Merge: 3b3bcbff8 d8c4579fa
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 18 08:53:44 2018 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit 1ae6b4fde00ae641637d44c0f417f635b6d9a6b1
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Dec 17 21:56:51 2018 -0800

    address comments.

commit 3b3bcbff86f982c8abc705518a0fd4ec37bf4840
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Dec 13 15:24:33 2018 -0800

    massage comments.

commit ccd670d31ef2c1817f87fe932d6f0d2ed4f609d7
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Dec 13 15:15:50 2018 -0800

    helm flag is off, so change the expected outoupt.

commit 43522c15d06054e4bb173ab2c37333a4de647c2d
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Dec 13 15:09:46 2018 -0800

    make webhook support rewriteAppHTTPProbe flag.

commit f60f18f4144482874c1219c7da90e97f19f1172f
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Dec 13 12:03:04 2018 -0800

    fixing the merge typo.

commit 05bbadfd851b3a5ad013e733d6eb5eacf5491b15
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Dec 13 11:56:38 2018 -0800

    remove unnecessary changes in test for debugging.

commit a81eacb6892509d8938be8d64f1435cf64e22317
Merge: af1a67989 f6b0ddc30
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Dec 13 11:53:07 2018 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit af1a6798988f9fe70e40add2a6d4971efa9b50ed
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 18:07:19 2018 -0800

    fixing all the test.

commit 58d0bef3520037a81db8baa34d6e13849d20af10
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 17:51:34 2018 -0800

    Get TestInject happy.

commit fcd0ae2f7a6ba2f067f460f4baad2194e517b7f1
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 17:49:42 2018 -0800

    make TestHelmInject happy.

commit 7a3ffc8d8e4b5509e1bbed2facc6e4ba14d70fa0
Merge: fcca1f89a bd1631be3
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 16:53:01 2018 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit fcca1f89af2fddfc0edb3824982aa0b81390fa6d
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 16:18:20 2018 -0800

    get webhook_test.TestInject working.

commit 06f517cfc4214994be1be848d40b12f09ba8a4b8
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 16:10:55 2018 -0800

    restructure app_probe_test working for both.

commit 7142e96ed8a3200fc91bc73aee86d471117232fc
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 13:19:41 2018 -0800

    starting to work on serious test

commit a3dfb97b4ec4de375984c2a17eb4374bc1c5046a
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 11:50:19 2018 -0800

    prototyping get familar with the test.

commit 51659dacbc569f4532dc6a37b2091f39c7cf115b
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 11:05:51 2018 -0800

    wip for adding test.

* resolve appprobetest.

* update the golden due to another injector change.

* remove unnecessary files in this pr.

* remove the test framework change.

* remove unnecessary testdata file.

* wip for adding health check test app.

* wip very hack working solution app deployed

* finally test starts working

* make sure the test works if and only if the helm flag is turned on.

* refactoring

* small adjustment.

* DeepCopy used.

* working test only healthcheck test.

* remove inline policy

* change RegisterHelmValueOverrides.

* unnecessary change.

* Finish HelmValueMap refactor.

* some cleanup.

* clean up.

* flags helm values takes higher priority.

* fix the lint.

* address comments.

* revert chagnes on HelmValuesMap.

* wip getting helm customizable with new configuration api.

TODO: testing by rebuild image.

* fix the helm value passing overrides.

* wip the app is deployed but not ready and still finishes...

* wip apps configuration not take effect.

* working version of apps configuration.

* clean up some debugging log.

* test documentation.

* WIP changing deploymentFactory to KubeApp.

* verify test works.

* clarify kubeappsconfig doc.

* get the test pass, no apps configuration yet.

* get test working.

* clean up on apps/kube.go

* few clean and update readme doc.

* change the overrides by func callback.

* fix the typo.

* fix the comments.

* Hide ServiceAccounts from PushContext log (#12702)

* Configure localityLbSetting in values.yaml (#12683)

* Configure localityLbSetting in values.yaml

* Update docs

* Fix concurrent map access (#12706)

* Remove when: always from CircleCI configuration for integration tests. (#12679)

This causes the integration tests to run, even if the previous steps fail.

* Removed unused code from EDS (#12221)

* Should not add a worker in GoroutinePool construction func (#12619)

* GoroutinePool does not add a worker in construction func

* fix ut

* remove redundant code (#12656)

* remove redundant k8s discovery code

* remove redundant

* Configure logging level in proxy and control plane (#12639)

* configure proxy log level via helm values for sidecar and gateways

* configure istio control plane log level via helm

* Put back a couple settings for Kiali that were accidentally deleted. (#12472)

Some Kiali settings were accidently deleted when the new installation options for
release-1.1 was published. This is because these settings were commented out in
the values.yaml file for kiali under istio/kubernetes/helm/istio/charts/kiali.

Bug:#3660

* remove to be deprecated critical pod annotation. (#12657)

* remove to be deprecated critical pod annotation.

* fix ci.

* Adding timeouts in Galley processor tests (#12701)

* Adding timeouts in Galley processor tests

This is to help in debugging #12628.

* making await method private

* add pod antiaffinity. (#12691)

* add pod antiaffinity.

* fix gateways issue.

* add pod antiaffnity to helm test pod.

* remove local test file.

* apply comments.

* Adding galley test for sidecar config validation (#12247)

* Adding galley test for sidecar config validation

Test cases related to PR #12233

* Using istio-system as namespace for resource

* Collect details/artifacts for failed tests in Prow. (#12753)

* Add infrastructure to document env var usage. (#12727)

- Introduce the pkg/env package containing a few functions to query environment
variable values. It keeps track of the variables requested so they can be documented.

- Extend pkg/collateral to recognize and output the environment variables used in the
process. This is what is needed to make this stuff show up on istio.io.

- Update all relevant call sites to use the new infrsstructure. It's still missing
descriptions for all the variables, that'll be up to component authors. I'll file
issues to get that work done.

- Fixed bugs in the node_agent_k8s code that was using env vars as the default for
Cobra command-line arguments, resulting in potentially variable default values
produced in the generated docs. Default values need to be static.

* Enable more linters. (#12751)

- Flip on a couple more linters

- Fix a bazzilion warnings produced by these linters,
along with many warnings produced by other not-yet-enabled
linters.

- Fix pkg/version so the tests compile on Mac. This broke a while
back, preventing the linter from running to completion on the Mac.

* Convert galley to reload files via SIGUSR1 or a ctrlz handler (#11617)

* Convert galley to reload files via SIGUSR1 or a ctrlz handler

* Fix ctrlz shutdown not to block

* Disable the mtls_healthcheck test until it can be fixed. (#12775)

* Change IP addresses to show up as strings in label maps in accesslog (#11740) (#12502)

Change IP addresses to show up as strings in http req  in accesslog

Fix lint errors

Fix lint errors

Use stringify function

Updated based on feedback

* upgrade prometheus version. (#12781)

* Wait for endpoints of policy backend, before trying to use it. (#12763)

* Wait for endpoints of policy backend, before trying to use it.

* Minor fix to the structure.

* Add wait logic for waiting Galley to come online.

* Fix minor bug.

* Rename the method so that it is clear what it is doing.

* Add additional constraint check.

* Remove redundant write header (#12731)

Write already writes 200 status code, so this wasn't needed. This caused
unneeded logging every time it was called.

* Tell Kubernetes that Istio validation has no side effects (#12670)

* Tell Kubernetes that Istio validation has no side effects

* Add integration tests for --server-dry-run

* Report version of kubectl and server

* Version check error

* Undo --server-dry-run tests which require K8s 1.12 or higher

* fix uds socket (#12688) (#12802)

* uds fix

* readonly

* mixer: switch to simplified config model (#12689)

* take 2 compiled instances

Signed-off-by: Kuat Yessenov <kuat@google.com>

* try with apa

Signed-off-by: Kuat Yessenov <kuat@google.com>

* quota failure

Signed-off-by: Kuat Yessenov <kuat@google.com>

* false signal?

Signed-off-by: Kuat Yessenov <kuat@google.com>

* more crds

Signed-off-by: Kuat Yessenov <kuat@google.com>

* nil params

Signed-off-by: Kuat Yessenov <kuat@google.com>

* patching config

Signed-off-by: Kuat Yessenov <kuat@google.com>

* remove stale command

Signed-off-by: Kuat Yessenov <kuat@google.com>

* Fix destination host validataion (#12804)

* Implement AuthorizationPolicy with workload selector. (#12050) (#12667)

* WIP AuthorizationPolicy with selector

* WIP AuthorizationPolicy with selector

* Check if need to use convertRbacRulesToFilterConfig and ignore permissive mode

* Support TCP

* Move new functions for RBAC v2 to rbac_v2.go

* Change the structure and refactor tests

* Put services field check back

* Remove services field validation

* Remove optimization

* Add selector no match test

* [Galley] Adding ServiceEntry synthesis (#12409)

Added a new custom projection that is subscribed to events for k8s Pods, Nodes, Services and Endpoints. These events are absorbed and do not become part of the snapshot. Instead, synthetic ServiceEntry resources are generated and become part of the snapshot.

Partially addresses #10497 and #10589

* Add a linter to prevent use of os.Getenv and os.LookupEnv (#12778)

- Add more unit tests to pkg/env to bring coverage to 100%

- Move existing linter sources from test/util/checker to tools/checker

* Specify istio-init user explicitly (#5453) (#12708)

Istio-init is supposed to be run as a superuser so it can configure
iptables and this is the current default. However many popular Helm
charts typically define a single container pod and specify
`securityContext.runAsUser` on a pod level (rather than the container
level) and that is what istio-init inherits. As the result many Helm
charts aren't working with Istio auto-injection out of the box.

A simple fix would be explicitly setting `securityContext.runAsUser`
for istio-init on the container-level so it takes precedence.

* Removing depencency on the order of returned IP addresses (#12812)

* Removing depencency on the order of returned IP addresses

Allows returned addresses by the default resolver to be in any
order. The first IPv4 address returned by the resolver is used. If
there are no IPv4 address is found, an IPv6 address is used.

Added more unit tests.

* Making logic for local IP the same as the rest

* Disabling flaky parts of Galley integ test (#12837)

This should deflake the test in #12820. Real fix is coming soon.

* Set SAN as critical for workload certs. (#12838)

* inject sds related param in pilot/mixer deployment (#12809)

* inject sds related param in pilot/mixer deployment

* remove args

* Disabling Mixer tests using the new TF in K8s. (#12848)

* Disabling Mixer tests using the new TF in K8s.

* Make linter happy.

* accommodate PR review comments.

* galley: support optional crds (#12822)

* optional galley crds

Signed-off-by: Kuat Yessenov <kuat@google.com>

* review

Signed-off-by: Kuat Yessenov <kuat@google.com>

* Removing a "TODO" that is not necessary any more (#12841)

Cleaning up the comments.

* mixer: add template CRD flag and set it to false (#12851)

* template CRD flag

Signed-off-by: Kuat Yessenov <kuat@google.com>

* missed a flag

Signed-off-by: Kuat Yessenov <kuat@google.com>

* Zombie cleanup. (#12878)

- Delete a bunch of dead code, dead variables, unused parameters, and
superfluous type declarations.

* Refactor Istio deployment code for clarity and add wait for webhook. (#12888)

* Refactor Istio deployment code for clarity and add wait for webhook
to come online.

* Make linter happy.

* Fix stupid bug.

* Remove accidental file add (#12895)

* Re-enable sidecar_api_test (#12887)

* Re-enable sidecar_api_test

* Remove kube setup

* Fix race condition

* Make Mixer readiness timeout configurable. (#12640)

- Mixer waits for readiness of the config backend. It is currently hard-wired at 30 seconds. This change makes this configurable and sets the default as 2 minutes.
- The pod was being killed because the liveness probe was not starting on time. It is blocked behind other readiness checks. This change enables readiness early on.

* Minor improvements to the test framework. (#12858)

* Add dump support to policy backend.

* Add a suitecontext dir.

* test: add dump pod events function (#12821)

* Fix flush behavior in Stackdriver adapter. (#12853)

* Fix prometheus and citadel connection tests (#12747)

* Fix test-prometheus-connection.yaml: test never failed

Co-authored-by: Ralf Pannemans <ralf.pannemans@sap.com>

* Fix test-citadel-connection.yaml: test never failed

Co-authored-by: Ralf Pannemans <ralf.pannemans@sap.com>

* Fix a bunch more linter items. (#12897)

* delete stale file (#12898)

Signed-off-by: Kuat Yessenov <kuat@google.com>

* Run dep ensure

* Implement EnvoyXdsServer graceful shutdown (#12826)

* update api sha (#12862)

* update api sha

* api files

* Add two sample deployments for user guide of Istio Vault integration (#12917)

* Rename types.go to types.gen.go. (#12921)

* Change Ip Address to readable format in accesslog from stdio/stackdriver adapter (#12850)

* Change Ip Address to readable format in accesslog from stdio adapter

* Add a check to validate it's an IP Address before calling ip.string function

* Fix formatting error

* Fix test

* Correct stringify function in instanceUtil.go too for IP address

* Fix based on review

* Fix based on review

* Fix based on review

* Update to latest doc gen tool. (#12932)

* Fix the regular expression that splits the deployment scripts. (#12931)

The script was fixed with a start-line anchor during the merge of 1.1.
However the regular expressions in Go is not multi-line.

* Add labels to the test framework. (#12819)

* Add basic label support to the test framework.

* Refactor test framework surface area to use fluent-style.

* Apply labels to CircleCI tests & stable integration tests.

* Add early exit support to avoid running setup functions when the label
set can never match.

* Add Citadel tests as presubmit tests.

* Remove environments from label usage.

* Fixup some of the label usages, and convert some of the test entry points.

* Fixup label usage.

* Redisable sidecar tests.

* Accommodate PR feedback.

* Accommodate CR feedback.

* Add more CR fixup.

* Introduce pkg/annotations (#12909)

- pkg/annotations lets us track the annotations used by the calling process.

- pkg/collateral now outputs annotations if there are any. This will make annotations
show up on istio.io

- Adjusted how pkg/collateral handles deprecated environment variabes to match how we
handle deprecated fields in protos (by coloring them differently on istio.io)

- Added another test to pkg/env to cover a case I missed originally.

- Updated the sidecar injector and pilot to use pkg/annotations.

- Fixed some invalid HTML generated by pkg/collateral.

I'll file an issue to get descriptions added for the annotations.

* remove unused pdb in remote values. (#12943)

* prevent duplicate inbound listeners (#12937)

* [Galley] Fix race in runtime strategy (#12927)

This address a race condition that seems to only occur when using a very low timerFrequency (e.g. 1 microsecond) on a slow machine (e.g. prow). Under these conditions, the strategy can encounter a race condition when creating the timer. The code was setting the `timer` variable to the result of time.AfterFunc. However, due to the extremely low frequency used, the AfterFunc was invoking its handler, `onTimer` before returning. This led to accessing an uninitilized `timer` value.

This PR swaps out AfterFunc for NewTimer. The use of time.Timer is now abstracted behind the `asyncTimer` object, which provides the semantics needed by the strategy. Now strategy.timer is set before it is started, avoiding the race.

Fixes #12628

* Adding unit tests for sidecar scope (#12184)

* Adding unit tests for sidecar scope

* Removing unused variable

* linters: enable errcheck (#12933)

* enable errcheck

Signed-off-by: Kuat Yessenov <kuat@google.com>

* add maligned to exceptions

Signed-off-by: Kuat Yessenov <kuat@google.com>

* Istio does not use Cluster_LOGICAL_DNS, so remove it (#12905)

* Istio does not use Cluster_LOGICAL_DNS, so remove it

* clean up LOGICAL_DNS in comments

* Clean up Helm README (#12914)

The README has outdated information on the values, we should just defer
to istio.io which is up to date. Additionally, we should point users to
istio.io which has up to date install instructions.

* 'istioctl experimental dashboard' command to show add-ons and sidecars (#12627)

* 'istioctl experimental dashboard' command to show add-ons and sidecars

* Test cases, output of URL, use of Cobra output stream

* Refactor code into istioctl/pkg/kubernetes

* Refactor to expose PortForward stop channel

* Validate new mixer CRDs (#12918)

* Validate new mixer CRDs

* Add templates and adapters

* Test cases for new mixer CRDs

* Add environment variables to allow configuring bookinfo hostnames (#12646)

* Allow bookinfo hostnames to be configurable

- add DETAILS_HOSTNAME, RATINGS_HOSTNAME, REVIEWS_HOSTNAME environment
variables to configure hostnames. Defaults to details, ratings, reviews
respectively

* Bump bookinfo sample to 1.11.0

* Update expected outputs for bookinfo tests

- this is not related to our PR, but the tests were failing
- the apps were changed, but images were not rebuilt

* Add edsClusters should be atomic (#12942)

* Add edsClusters should be atomic

* fix lint

* properly report errors on failure (#12945)

The CI Infrastructure times out after 10 minutes of no activity.  In
one of the test case runners, 10 miniutes is specified causing the CI
timeout to flush any debuggable output from the checks.  This results
in an in-exact error result to be returned.

Instead a vague reponse about the test case timing out is reported,
resulting in confusion for the PR authors.

The typical max I was able to achieve was ~230 seconds, but I trimmed
to 3 minutes so the test case fails in all conditions and properly
reports the errors.

* Hoist exemptLabels to top-level, so that they can apply to prs as well. (#12902)

* [mixer-e2e-test] add retry to prometheus query in check cache test (#12680)

* check cache test sleep longer

* use retry instead of longer waiting

* reword error message

* Fixing typos in unit tests (#12661)

Redoing PR #12035

* respect locality weight set from ServiceEntry (#12714)

* respect the lb weight setting from users

* add ut

* fix golint

* add locality lb setting test

* fix lint

* update test case

* update test case

* lint

* sidecars with workload selector takes precedence over namespace wide one (#12831)

* Auto bind to services for Sidecar listeners with specific ports (#12724)

* auto bind to TCP services for egress ports in Sidecar

Signed-off-by: Shriram Rajagopalan <rshriram@gmail.com>

* fix test

Signed-off-by: Shriram Rajagopalan <rshriram@gmail.com>

* minor patch (#12963)

Signed-off-by: Kuat Yessenov <kuat@google.com>

* Cleanup gateway vhost config gen (#12847)

* check match direction

* Cleanup http route generation

* undo pickMatching change

* golangbot comments

* address review comments

* fix validation bug

* gofmt

* check for intersection duplicates

* Add wildcard route fallthrough (Fixes ALLOW_ANY, 404s) (#12916)

* Add wildcard route fallthrough

Currently, ALLOW_ANY doesn't actually allow any external traffic if there is an http service already present on a port. This change adds a wildcard PassthroughCluster as the final route, allowing external traffic even if there is already a service on the port.

Additionally, in REGISTRY_ONLY mode, we will return a 404 error if there
is already an http service. This is misleading, as it can be conflated
with a 404 error returned from the actual service. When in REGISTRY_ONLY
mode, we instead return a 502 error to indicate the request is blocked.

* add unit tests

* Remove node-level flag

* Fix tests

* Support PKCS#8 private keys. (#12972)

* Support PKCS#8 private keys.

* Small fix.

* Fix LB weight setting for split horizon eds (#12560) (#12827)

* lb weight for split-horizon-eds shoulb be set correctly

* fix ut

* rename

* fix ut

* fix lint

* fix lint

* Restore dump_kubernetes.sh function on OSX (#12159)

* Fixes for Bash 3.x and detecting non-running pods

* Address shellcheck warnings

* Remove Robert Li from tests OWNERS file (#12946)

Robert has had a change in employment and can no longer contribute to
Istio.

* remove unnecessary namespace for webhook configuration (#12981)

* remove deprecated mcpServerAddrs flag (#12954)

* remove deprecated mcpServerAddrs

* fix ut

* support ip:port format configSource

* fix ut

* fix ut

* supprt proxy https app probe (#12872)

* supprt proxy https app probe

* add ut

* fix ut

* add webhook inject test

* fix test

* fix comments by incfly

* Allow some time for the configuration propagation (#12865)

* Allow some time for the listeners config propogation

* change to use watchDiscovery

* samples/bookinfo: easier access to logs (#12584)

* Use shorter namespace prefixes. (#13001)

* Change Ip Address to readable format in accesslog from stdio/stackdriver adapter (#12850) (#12936)

* Change Ip Address to readable format in accesslog from stdio adapter

* Add a check to validate it's an IP Address before calling ip.string function

* Fix formatting error

* Fix test

* Correct stringify function in instanceUtil.go too for IP address

* Fix based on review

* Fix based on review

* Fix based on review

* Update integration test env flag (#12977)

The flag should be "kube" not "kubernetes" but it was not updated in
some places before.

* Support inline role definition in AuthorizationPolicy (#12849)

* Don't fill test logs with "no provious log" (#12857)

This isn't a real error, but it is misleading in the test output. We
have no reason to output all of these errors that there is no previous
container to get logs from.

* mixer: delete old style CRDs from installation (#12710)

* delete old style CRD from installation

Signed-off-by: Kuat Yessenov <kuat@google.com>

* disable galley from listening to old style CRDs

Signed-off-by: Kuat Yessenov <kuat@google.com>

* more hardcoded yamls

Signed-off-by: Kuat Yessenov <kuat@google.com>

* debuggin default install

Signed-off-by: Kuat Yessenov <kuat@google.com>

* fix fmt

Signed-off-by: Kuat Yessenov <kuat@google.com>

* keep galley pipeline

Signed-off-by: Kuat Yessenov <kuat@google.com>

* disable resource ready

Signed-off-by: Kuat Yessenov <kuat@google.com>

* delete debugging line

Signed-off-by: Kuat Yessenov <kuat@google.com>

* fixing testdata

Signed-off-by: Kuat Yessenov <kuat@google.com>

* delete deprecated configs

Signed-off-by: Kuat Yessenov <kuat@google.com>

* remove declarations

Signed-off-by: Kuat Yessenov <kuat@google.com>

* delete more yaml

Signed-off-by: Kuat Yessenov <kuat@google.com>

* merge fix

Signed-off-by: Kuat Yessenov <kuat@google.com>

* Add tests for the effect of mTLS setting to reachability (#11624)

* Reachability test in new ingegration test framework

* Add test for port specific policy

* Expose KubeApp interface and move EndpointForPort to that instead

* Use the retry.UntilSuccess from framework

* Change to UntilSuccessOrFail instead of UntilSucces

* remove deprecated code (#13005)

* remove deprecated code

* remove dep

* Add examples/documentation for the test framework. (#13000)

* Add examples/documentation for the test framework.

* Add more prose about test lifecycle.

* Fix typo.

* Fix typos.

* fix retry loop in mixer crd watch (#13003)

* first change to apps/v1 for Install (#13015)

* first change for install

* appsv1

* indention

* use only ipv4 for pilot and zipkin (#12997)

* do ipv4 lookups for pilot and zipkin

Signed-off-by: Shriram Rajagopalan <rshriram@gmail.com>

* update goldens

Signed-off-by: Shriram Rajagopalan <rshriram@gmail.com>

* small fix for imports (#13013)

* remove old mcp stack (#12092)

* remove old mcp stack

* remove legacy mcp server from galley

* fix server build

* fix linter

* remove unused code in journal.go

* fix build

* s/server/source

* fix linter errors

* Exclude Prometheus traffic in rule so that Kiali does not show it. (#12251)

* [Galley] Fix race in strategy shutdown. (#13004)

* [Galley] Fix race in strategy shutdown.

The Close() logic was holding onto the state lock, which can race with worker thread. Specifically, the worker thread could be in a call to onTimer awaiting the lock, which would never be acquired since the Close() method is stuck waiting for the stopped channel to close.

* cleaning up reset logic to avoid holding on the stateLock

* Add instructions and scripts to facilitate running E2E tests locally using KinD (#12641)

* Adding check/install go in both macOS and Linux.

* Install go if not installed.

* Adding support to run e2e test on KinD locally.

* Adding the ability to run e2e tests locally on KinD.

* Update install_prereqs_debian.sh

* Update setup_test.sh

* Adding the ability to run e2e test on KinD
for presubmit test.

* Presubmit e2e test on KinD.

* Adding the ability to run e2e_simple presubmit on KinD

* Adding README file for testing on KinD locally.

* Revert the changes on adding install_go function.

* Revert install_go in common_macos.sh

* Revert the file changes of deleting newline.

* Reverting the changes.

* Addressing reviews.

* Fixing shellcheck

* respect locality weight set from ServiceEntry (#12714) (#13012)

* respect the lb weight setting from users

* add ut

* fix golint

* add locality lb setting test

* fix lint

* update test case

* update test case

* lint

* Add documentation about -p 1 for integration test framework. (#13032)

* Reduce logs in security/pkg/nodeagent/sds/ (#13035)

* Reduce logs in security/pkg/nodeagent/sds/

https://github.com/istio/istio/issues/13033

* Count the log output times

* Revise the PR based on review comments

* move pkg/mcp/configz to pkg/mcp/configz/client (#12982)

Signed-off-by: Chun Lin Yang <clyang@cn.ibm.com>

* Restore TestMtlsHealthCheck in postsubmit, prow. (#12969)

* restore test to debug.

* add presubmit label to the test for triggering.

* change to only run in postsubmit.

* remove postsubmit label just comment.

* Enable more linters and fix warnings/errors (#12993)

* Cherry pick cert file config from master to release-1.1 (#12707)

* Cherry pick from master: Configuration:  no longer hardcode mesh certs (#12189)

* Configuration: Pilot-Agent: no longer hardcode certs to watch. Pilot-Discovery: no longer hardcode Envoy listener cert paths.

* Address demands of golangcibot overlord

* Change usages of github.com/stretchr/testify/require to github.com/stretchr/testify/assert

* Address code style violation

* Revert temporary api changes. Set cert paths in envoy node metadata and use them when setting up listeners

* Use envoy node metadata cert paths (if available) when constructing clusters

* Rename constants to make golint happy

* Fix imports

* Ignore ordering in test

* Pass around proxy instead of proxy.Metadata

(cherry picked from commit 7c342741df9bd4e313420b4d17e279089d8956da)

* goimports file

* Allow limiting Citadel to marked namespaces only (#12289)

* Allow limiting Citadel to marked namespaces only

- add command line flag to require explicit opt-in to secrets (defaults to false to retain current behavior of always create)
- extend secret controller to consider namespace labels (reuses existing 'istio-injected=enabled')
- modify unit tests to retain previous behavior (i.e., always create secrets, explicit opt-in not required) and account for additional namespace access

* removed left-over debug print, check enable only when explicit opt-in is required

* reverting k8s actions in tests: namespaces no longer checked when explicit opt-in is false

* unit tests for checking labels and behavior

* Namespace specified in command line is explicitly enabled

- save namespace specified in the `--listened-namespace` option on the controller (allow multiple to prepare for r1.1)
- check SA namespace against explicit namespaces

* use dedicated label name to avoid overloading the injection label

* use istio-managed label in tests

* clarified explicit-opt-in is relevant for keys and certificates provided via a volume mount

* refactor istio managed object test to a function so it can be called from secret deletion handler as well

* fix left over istio-injection label in tests

* manual merge fix

* appsv1 galley (#13047)

* Add support for datadog tracing (on release-1.1 branch) (#12687)

* Add support for datadog tracing.

Signed-off-by: Caleb Gilmour <caleb.gilmour@datadoghq.com>

* Use $(HOST_IP) instead of special-casing empty address value

Signed-off-by: Caleb Gilmour <caleb.gilmour@datadoghq.com>

* add param to sidecar to ignore iptables changes (#12829)

* add param to sidecar to ignore iptables changes

* rephrase description

* samples/bookinfo: migrate `apiVersion` of deployments to `apps/v1` (#13030)

* fix validation logic so that port.name is no longer a valid PortSelector (#13054)

* [Test Framework]: Galley support for deleting config (#13037)

In order to properly support deleting resources, it was necessary to revisit how ApplyConfig is done as well.  Previously, apply would just blindly copy the yaml to a new file in the configDir. The assumption was that the resource was always being "added" (rather than updated). I'm not certain what would happen if two resources appeared with the same name/namespace.

This PR generalizes (and fixes) the way resources are handled so that it's not concerned with files, but rather the underlying resources. The code now parses the top-portion of the yaml to properly identify each resource.  Once identified, the code now properly updates resources by writing back to the file where the resource was found.  Deletes are similar, where the original resource in the file is replaced with "" (empty files are removed).

* Support controlz for mcp server (#12980)

* Support controlz for mcp server

Signed-off-by: clyang82 <clyang@cn.ibm.com>

* fix lint error

* Address review comments

Signed-off-by: Chun Lin Yang <clyang@cn.ibm.com>

* generalize artifact injection into Docker images (#12203)

Instead of just adding LICENSES.txt only, also optionally add in the
source code as well, gating on the new EXTRA_ARTIFACTS and
EXTRA_ARTIFACTS_CNI environment variables.

Change-Id: Iab8fadfbcbbaa8906491e12324fae20185d9f33e

* Keep going when problem happens checking remote version (#13060)

* remove deprecated show-all flag (#13053)

* Add x alias to experimental istioctl command (#11801)

* Add x alias to experimental istioctl command

I'm super lazy and experimental is far too much effort to type

Signed-off-by: Liam White <liam@tetrate.io>

* Add exp as an additional alias

Signed-off-by: Liam White <liam@tetrate.io>

* Correct the app label for Gateway (#12693)

* update selector for gateway

Signed-off-by: Chun Lin Yang <clyang@cn.ibm.com>

* fix build fail

Signed-off-by: clyang82 <clyang@cn.ibm.com>

* Update tracing_datadog_golden.json (#13082)

* Fix small typo (#13089)

can useful -> can be useful

* Add jitter in CSR request (#12805)

* Add jitter in CSR request

* Add log

* Fix comments

* Fix test

* Fix test

* Fix comment

* Allows cleanup.sh to run non-interactively when in terminal (#12635)

This change allows cleanup.sh to run non-interactively in standard terminals.
For example: NAMESPACE="test123" ./cleanup.sh

* 'istioctl proxy-config clusters' cluster type column rendering (#12458) (#12730)

* update sds secret mount. (#12733)

* Copy data from right place (#12762)

* Fix updateClusterInc for overlapping ports (#12766)

* Fix updateClusterInc for overlapping ports

It is possible that a service will have multiple ports, with the same
port number. The typical example here is kube-dns, which uses port 53
for UDP and TCP. When we do an incremental push, we would select the
first port to match the port number, which would sometimes causes us to
ignore the correct port. This fix searches through all matching ports.

* Ensure port number matches as well

* Add unit tests

* remove dead code

* enable default sidecarscope (#12832)

* [Galley] Fix for ServiceEntry event ordering (#12890)

The integration test was encountering this, exposing a real bug. If nodes/pod events occur after service/endpoints (which should generally be unusual) then it is possible to have a ServiceEntry missing pod/node information (e.g. locality).

Fixes #12820

* Adding sha for istio/tools to manifest.txt for future automation of perf tests (#11706)

* Copy helm data from the right place (#12808)

* Refactor solution based on Costin's feedback (#13027)

Signed-off-by: Serguei Bezverkhi <sbezverk@cisco.com>

* Enable more linters and fix warnings/errors (#13061)

* Making tags requirement same as those in Kubernetes (#12852)

* Making tags requirement same as those in Kubernetes

Changing validation check to make sure non-empty tags start with an
alphanumeric character

* Validating label keys are not empty strings

Allow empty string for label values
Do not allow empty string for label keys

* Added certmanager flag into helm chart values.yaml (#12953)

* Added certmanager flag into helm chart values.yaml

* Moved certmanager configuration

* Pilot [networking]: Add upstream idle_timeout to cluster definition (#13066)

* adding upstream idle_timeout to cluster definition.

* reverting vendor changes before running dep ensure again.

* running dep ensure update on api from master.

* controlPlaneMtls renamed to controlPlaneSecurityEnabled (#13141)

* Patch #12805 to master (#13104)

* Patch #12805 to master

* Fix lint

* Fix HelmDelete command (#12515)

* Fix HelmDelete command

HelmDelete was called with the namespace it needs to be called
with a chartname.  Also created a constant to make it more
obvious when called by the other Helm related commands.

* Fix typo

* Goimports fix

* ight modification path (#13148)

* Allow overriding of registry locality (#13077)

Also fixes bug where non-kube envs could override to something that parsed incorrectly

Signed-off-by: Liam White <liam@tetrate.io>

* mixer: add support for standard CRDs for compiled-in adapters (#12815)

* cherry pick subset of https://github.com/istio/istio/pull/12689/

Signed-off-by: Kuat Yessenov <kuat@google.com>

* add support for compiled in adapters

Signed-off-by: Kuat Yessenov <kuat@google.com>

* patch log line

Signed-off-by: Kuat Yessenov <kuat@google.com>

* parse cert to get expire time  (#13145)

* parse cert

* cleanup

* unit test coverage

* missing file

* address comments

* rebase and address comment

* Installing istio for perf testing (#13159)

* Perf scripts

* gsutil

* WD

* perf running and geting metrics

* Perf

* perf

* perf

* Perf

* remove

* qq

* Appsv1 pilot (#13050)

* appsv1 for Pilot

* appsv1 for Pilot

* appsv1 for Pilot

* dep update

* fix test

* fix test

* fix test

* fix test

* fix test

* typo

* typo

* typo

* typo

* typo

* update go-control-plane (#13154)

Signed-off-by: Kuat Yessenov <kuat@google.com>

* added sidecar.istio.io/rewriteAppProbers annotation (#13112)

* pilot: registered sidecar.istio.io/rewriteAppProbers annotation

* pilot: checked from sidecar.istio.io/rewriteAppProbers too

* pilot: added webhook inject tests

TestWebhookInject_http_probe_rewrite_enabled_via_annotation case is a modification of TestWebhookInject_http_probe_rewrite case.
The difference is rewriteAppHTTPProbe is false in template, but set to true in annotation.

TestWebhookInject_http_probe_rewrite_disabled_via_annotation case is a modification of TestWebhookInject case.
The difference is rewriteAppHTTPProbe is true in template, but set to false in annotation.

* fixed linter issue in test

* added http probe test for kubeinject case

* added tests and fixed login upon checking RewriteAppHTTPProbe setting

* Add more tests in app_probe_test.go

* renamed RewriteAppProbers to RewriteAppHTTPProbers

* fixed test case for webhook injection

* add description to rewriteAppHTTPProbers annotation

* updated tests in app probe to sync with recent master change

* change validateBool to alwaysValidFunc as per review

* Export inject.injectionData() (#12426)

* Registrator should use master version (#13083)

* dependencies: update cel-go and remove protoc-gen-docs (#12711)

* experiment with COMPAT

Signed-off-by: Kuat Yessenov <kuat@google.com>

* get errors

Signed-off-by: Kuat Yessenov <kuat@google.com>

* get errors

Signed-off-by: Kuat Yessenov <kuat@google.com>

* stop validation

Signed-off-by: Kuat Yessenov <kuat@google.com>

* remove hack

Signed-off-by: Kuat Yessenov <kuat@google.com>

* testing

Signed-off-by: Kuat Yessenov <kuat@google.com>

* only access log

Signed-off-by: Kuat Yessenov <kuat@google.com>

* debugging

Signed-off-by: Kuat Yessenov <kuat@google.com>

* debugging

Signed-off-by: Kuat Yessenov <kuat@google.com>

* debugging

Signed-off-by: Kuat Yessenov <kuat@google.com>

* debugging

Signed-off-by: Kuat Yessenov <kuat@google.com>

* debugging

Signed-off-by: Kuat Yessenov <kuat@google.com>

* add runtimeconfig

Signed-off-by: Kuat Yessenov <kuat@google.com>

* add a benchmark

Signed-off-by: Kuat Yessenov <kuat@google.com>

* cel_perf

Signed-off-by: Kuat Yessenov <kuat@google.com>

* update cel

Signed-off-by: Kuat Yessenov <kuat@google.com>

* update examples

Signed-off-by: Kuat Yessenov <kuat@google.com>

* remove unnecessary dependencies

Signed-off-by: Kuat Yessenov <kuat@google.com>

* Fixing copy for helm, one more time. (#13186)

* Run goimports on generated file (#13195)

* Enable disabled mixer tests in New Test Framework (#13151)

* Enable disabled mixer tests in NF

* Change tests config to new style

* Change tests config to new style

* Change tests config to new style

* Fix config for native policybackend

* Fix report test

* Reduce Pilot resource requests for demo (#12477)

* Reduce Pilot resource requests for demo

* Add limits as well

* Added data source for Galley dashboard (#13041)

Fixes: #13040

* fix values for pod anti-affinity. (#12798)

* Add sensible defaults to istio-gateways (#12315)

* report succeed after validation (#13165)

* report succeed after validation

* review comments

* Change exposed port of istio-pilot in consul (#13170)

`15003` and `15005` are never used in pilot under consul env. It would be confusing to expose the two ports. Instead, 
```
   --grpcAddr string                     Discovery service grpc address (default ":15010")
   --secureGrpcAddr string               Discovery service grpc address, with https (default ":15012")
```
we know `15010` and `15012` are still using.

* Cherrypick: Add wildcard route fallthrough (Fixes ALLOW_ANY, 404s) (#12916) (#12973)

* Add wildcard route fallthrough (Fixes ALLOW_ANY, 404s) (#12916)

* Add wildcard route fallthrough

Currently, ALLOW_ANY doesn't actually allow any external traffic if there is an http service already present on a port. This change adds a wildcard PassthroughCluster as the final route, allowing external traffic even if there is already a service on the port.

Additionally, in REGISTRY_ONLY mode, we will return a 404 error if there
is already an http service. This is misleading, as it can be conflated
with a 404 error returned from the actual service. When in REGISTRY_ONLY
mode, we instead return a 502 error to indicate the request is blocked.

* add unit tests

* Remove node-level flag

* Fix tests

* Use new env var framework

* Fix long line

* Run format and linter

* CEL checker mutex (#13192)

* checker mutex

Signed-off-by: Kuat Yessenov <kuat@google.com>

* deadlock

Signed-off-by: Kuat Yessenov <kuat@google.com>

* Integration testing for Locality Load Balancing  (#13084)

* Initial testing functionality

Signed-off-by: Liam White <liam@tetrate.io>

* appease the linting gods

Signed-off-by: Liam White <liam@tetrate.io>

* Fall back to bootstrap locality as a last resort

Signed-off-by: Liam White <liam@tetrate.io>

* Move service instance check after we set them...

Signed-off-by: Liam White <liam@tetrate.io>

* Add EDS test

Signed-off-by: Liam White <liam@tetrate.io>

* Reorganise tests to run in parallel

Signed-off-by: Liam White <liam@tetrate.io>

* Move to pilot directory

Signed-off-by: Liam White <liam@tetrate.io>

* minor Infof fixes

Signed-off-by: Liam White <liam@tetrate.io>

* fix package name

Signed-off-by: Liam White <liam@tetrate.io>

* Increase propagation sleep and add warning

Signed-off-by: Liam White <liam@tetrate.io>

* [test-framework] Support helm values containing spaces (#13127)

* Support helm values containing spaces in integration test framework

For a helm template command,
e.g., "helm template --set key1=value1 --set key2=value2",
the existing integration test framework assumes the values do not
contain spaces and splits the command argument using the
space character before executing the helm command.
Thus, the existing implementation does not support
helm values (e.g., certificates) containing spaces.
This PR adds the support of helm values that contain spaces.

* Revised to use array based on review comments

* Adding servicegraph testing to postsubmit (#13190)

* Adding servicegraph testing to postsubmit

* m

* perf

* change

* pod

* fix

* Adding E2E Test for kiali (#11448)

* Add Kiali E2E Test

* Minor Fixings on Kiali E2E Test

* Remove unused mixer.enabled value (#13214)

This is not a functional change; this value is never used so it is
misleading/confusing. mixer.policy.enabled and mixer.telemetry.enabled
are used.

* Adding aliases for OWNERS (#13194)

* Fixing copy for helm, one more time.

* Adding aliases for test group. Setting up labels and no parent_owners

* prow

* owners

* Fixing helm order (#13224)

* Fixing copy for helm, one more time.

* Fix order of the helm command

* fix lint (#12988)

* update certificates with expiration time 100 years (#13233)

* update certificates with expiration time 100 years

* update testdata/local/etc/certs

* fix original destination bug (#13011)

* fix original destination bug

* add ut

* align init role label. (#13172)

* Remove --platform option (#13187)

* Fix #10380: Remove hardcoded sidecar template for istioctl kube-inject (#10830)

* Remove the hardcoded sidecar template for

* Remove deprecated flags in istioctl kube-inject

* update testdata after rebase

* add rule for kubeinject.go in codecov.threshold

* push client the new root cert when it's changed (#13163)

* refresh root

* refresh root

* unit test

* add logs

* address comment

* more comment

* address comment

* Implement `role` field in AuthorizationPolicy  (#13181)

* Add check for role in ServiceRoleBinding

* Implement global role

* Add integration tests for SDS-Vault mTLS flow and SDS-Citadel mTLS flow (#13199)

* Add integration tests for SDS-Vault mTLS flow and SDS-Citadel mTLS flow

Add integration tests for SDS-Vault mTLS flow and SDS-Citadel mTLS flow.
The mutual TLS connection uses the certificates issued by SDS-Vault CA flow
and SDS-Citadel CA flow.

* Use the flag EnableCDSPrecomputation()

* Address review comments

* Ignore missing resources on kubectl delete (#13225)

This makes it so tests won't fail on cleanup for resources that are
already deleted.

* [Testing] Cleanup PortForwarder (#13250)

* Add generated LICENSES.txt to gitignore (#13209)

* remove myself from owners (#13231)

Signed-off-by: Kuat Yessenov <kuat@google.com>

* add upstream_transport_failure_reason to access log (#12434)

* add upstream_transport_failure_reason to access log

Signed-off-by: Lizan Zhou <lizan@tetrate.io>

* update proxy to latest

Signed-off-by: Lizan Zhou <lizan@tetrate.io>

* fix

Signed-off-by: Lizan Zhou <lizan@tetrate.io>

* fix format

Signed-off-by: Lizan Zhou <lizan@tetrate.io>

* Fix integration test errors and refactor security integration tests (#13253)

* Fix integration test errors and refactor security integration tests

- Fix the failure of integration tests when --istio.test.nocleanup=false,
which is the default test setting. The failures of integration tests when
--istio.test.nocleanup=false are caused by that the errors during
cleaning up tests are treated as test failures while the actual tests
have succeeded when --istio.test.nocleanup=true.
- Organize security integration tests under testss/integration/security.
- Refactor the code to share common utility functions and remove
duplicate code.
- Misc fixes.

* Address review comments

* Use a const to represent the test policy directory

* Address review comments

* Fixes the multicluster e2e test (#13246)

The secret was being created after the apps where
deployed on the remote.  This was causes the test
to never think the apps successfully deployed since
the envoy sidecar was continually restarting.

* pre-check: fix a logic error (#13278)

`getNameSpace()` always returns an object, even if namespace does
not exist. Checking the error status is safer.

* Remove kubectl from dockerfile prereqs since it pulls it (#13256)

* Fixing EDS unit tests (#12995)

The current EDS test is incorrect and passes because the check calls time
out rather than sucessfully completing. This PR fixes the problem and
add one more test.

fixes issue #12994

* rbac: fix a data race in listener generation (#13308)

* Include js/css files into static folder (#12983)

* Include js/css files

Signed-off-by: Chun Lin Yang <clyang@cn.ibm.com>

* Append version to file

Signed-off-by: Chun Lin Yang <clyang@cn.ibm.com>

* ignore assets.gen.go in code coverage

Signed-off-by: Chun Lin Yang <clyang@cn.ibm.com>

* remove assets.gen.go from codecov test

Signed-off-by: clyang82 <clyang@cn.ibm.com>

* remove skipped test from .cov file

Signed-off-by: Chun Lin Yang <clyang@cn.ibm.com>

* fix check chell issue

Signed-off-by: Chun Lin Yang <clyang@cn.ibm.com>

* fix shell check issue

Signed-off-by: Chun Lin Yang <clyang@cn.ibm.com>

* Fix galley integration test race (#13303)

* [Test Framework] Integrate apps with Galley (#13115)

The most recent refactoring broke the apps component when Pilot is being used with Galley. The apps register their services with the ServiceManager directly. When Pilot is configured with Galley, however, it doesn't use the ServiceManager, which means that the app services are never properly registered with Pilot.

- Changed the Pilot and Apps component to require Galley to be configured, to avoid confusion.

- Removed the ServiceManager altogether - Galley is used for service registration.

Fixes #13090

* Fix again helm copy, was reverted during merge from release 1.1 (#13337)

* Fixing copy for helm, one more time.

* Fixing copy again for master

* Update OpenShift dependencies; Drop [deprecated] legacy schema (#13160)

* Extend istioctl mocking library to allow mocking of authn etc (#13118)

* Fixing iptabes ranges (#13291)

* Fixing iptabes ranges

Signed-off-by: Serguei Bezverkhi <sbezverk@cisco.com>

* fix shellcheck errors

Signed-off-by: Serguei Bezverkhi <sbezverk@cisco.com>

* fixing ci failures #1

Signed-off-by: Serguei Bezverkhi <sbezverk@cisco.com>

* fixing ci failures #2

Signed-off-by: Serguei Bezverkhi <sbezverk@cisco.com>

* fixing ci failures #3

Signed-off-by: Serguei Bezverkhi <sbezverk@cisco.com>

* Addressing comments

Signed-off-by: Serguei Bezverkhi <sbezverk@cisco.com>

* Don't apply locality label unless provided (#13297)

* Single Template injection spec fully at runtime (#13147)

* Template injection spec fully at runtime

This eliminates the need to have two layers of templates, which adds a
lot of complexity to the template.

* Get tests working and rebase on removal of hardcoded template

* Remove unused vars

* Fix istioctl tests

* Report circleci status to testgrid k8s dump (#13340)

The dump script often fails for the same reason the test fails. The dump
script should probably be hardened, but in the mean time we can just
make sure we report the failure (high priority) before we dump the
state.

* Add integration tests for RBAC v2 (#13353)

* Implement RBAC v2 intergration test

* Add Galley to app for security tests

* Disable locality LB tests (#13305)

* [Galley] Add NotReadyEndpoints to Synthetic ServiceEntry (#13255)

* [Galley] Add NotReadyEndpoints to Synthetic ServiceEntry
…
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@philrud philrud

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests