
Use credentialName to specify credential resource name and support mTLS for external cert management at ingress gateway. #11496

Merged
merged 36 commits into istio:release-1.1 from JimmyCYJ:release-1.1 on Feb 6, 2019

Conversation

10 participants
@JimmyCYJ
Contributor

JimmyCYJ commented Feb 3, 2019

PR 780 updates the API for the secret resource name; this PR implements the functionality on the pilot and gateway-agent side.
This PR also supports mTLS for external cert management at the ingress gateway.

Fixes #11397, #9030 and #7976
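As an added example (not code from this PR, from Istio, or from the PR author), the Go program below sketches the two things pilot and the gateway agent have to agree on once `credentialName` replaces file-mounted certificates: which SDS resource names a Gateway server's `tls` block implies, and what the agent should check before it serves a Kubernetes secret to Envoy. The assumptions come from Istio 1.1's ingress SDS documentation and cert-manager's conventions, not from this page: a `SIMPLE` server needs the secret named by `credentialName`; a `MUTUAL` server additionally needs `<credentialName>-cacert` carrying a `cacert` entry; Istio's generic secret layout uses the keys `cert` and `key`, while cert-manager writes `kubernetes.io/tls` secrets with `tls.crt` and `tls.key`. `Secret`, `SDSResourceNames`, `ExtractServerCert` and `ExtractRootCert` are illustrative names. The secret type is deliberately not enforced, in the spirit of "Loosen secret type for ingress gateway" in the merge list below; what is enforced is that the private key actually belongs to the certificate, so a mis-assembled secret fails inside the agent rather than at the first client handshake.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Secret is a minimal stand-in for a Kubernetes core/v1 Secret (illustrative type).
type Secret struct {
	Type string // "Opaque" or "kubernetes.io/tls"; intentionally not enforced
	Data map[string][]byte
}

// SDSResourceNames maps a Gateway server's tls.mode and tls.credentialName to the
// SDS resource names the gateway must request. Assumption taken from the Istio 1.1
// docs, not from this PR page: MUTUAL also needs "<credentialName>-cacert".
func SDSResourceNames(mode, credentialName string) ([]string, error) {
	if credentialName == "" {
		return nil, errors.New("credentialName is empty; nothing to fetch over SDS")
	}
	switch mode {
	case "SIMPLE":
		return []string{credentialName}, nil
	case "MUTUAL":
		return []string{credentialName, credentialName + "-cacert"}, nil
	}
	return nil, fmt.Errorf("tls mode %q does not use credentialName", mode)
}

// ExtractServerCert accepts the Istio generic layout ("cert"/"key") and the
// kubernetes.io/tls layout written by cert-manager ("tls.crt"/"tls.key"), and
// rejects a secret whose private key does not belong to its certificate.
func ExtractServerCert(s Secret) (certPEM, keyPEM []byte, err error) {
	switch {
	case s.Data["tls.crt"] != nil && s.Data["tls.key"] != nil:
		certPEM, keyPEM = s.Data["tls.crt"], s.Data["tls.key"]
	case s.Data["cert"] != nil && s.Data["key"] != nil:
		certPEM, keyPEM = s.Data["cert"], s.Data["key"]
	default:
		return nil, nil, errors.New("secret has neither cert/key nor tls.crt/tls.key")
	}
	if _, err = tls.X509KeyPair(certPEM, keyPEM); err != nil {
		return nil, nil, fmt.Errorf("cert and key are not a matching pair: %w", err)
	}
	return certPEM, keyPEM, nil
}

// ExtractRootCert reads the "cacert" entry of the MUTUAL companion secret and
// checks that it is a parseable PEM certificate before it is used to validate clients.
func ExtractRootCert(s Secret) ([]byte, error) {
	ca := s.Data["cacert"]
	block, _ := pem.Decode(ca) // nil data yields a nil block
	if block == nil {
		return nil, errors.New("cacert entry missing or not PEM")
	}
	if _, err := x509.ParseCertificate(block.Bytes); err != nil {
		return nil, fmt.Errorf("cacert does not parse as a certificate: %w", err)
	}
	return ca, nil
}

// selfSigned makes a throwaway self-signed cert and key (constructed test input only).
func selfSigned(cn string) (certPEM, keyPEM []byte) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	keyDER, _ := x509.MarshalECPrivateKey(key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
}

func main() {
	cert, key := selfSigned("httpbin.example.com")
	_, otherKey := selfSigned("someone-else")
	secrets := map[string]Secret{
		"generic (cert/key)":             {Type: "Opaque", Data: map[string][]byte{"cert": cert, "key": key}},
		"cert-manager (tls.crt/tls.key)": {Type: "kubernetes.io/tls", Data: map[string][]byte{"tls.crt": cert, "tls.key": key}},
		"wrong key":                      {Type: "kubernetes.io/tls", Data: map[string][]byte{"tls.crt": cert, "tls.key": otherKey}},
	}
	for name, s := range secrets {
		_, _, err := ExtractServerCert(s)
		fmt.Printf("%-32s accepted=%v err=%v\n", name, err == nil, err)
	}
	names, _ := SDSResourceNames("MUTUAL", "httpbin-credential")
	fmt.Println("SDS resources for MUTUAL:", names)
}
```

It runs as-is: `main` builds throwaway certificates in memory, so nothing is read from a cluster. The shape of the check is the point: the agent can only vouch for what Envoy will present if it parses the pair itself, and a `MUTUAL` server whose `-cacert` companion is missing should be refused rather than silently served without client validation.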

JimmyCYJ added some commits Feb 1, 2019

cvc
@istio-testing


Collaborator

istio-testing commented Feb 6, 2019

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: JimmyCYJ, myidpt
To fully approve this pull request, please assign additional approvers.
We suggest the following additional approver: geeknoid

If they are not already assigned, you can assign the PR to them by writing /assign @geeknoid in a comment when ready.

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@wenchenglu wenchenglu merged commit dc6c7b9 into istio:release-1.1 Feb 6, 2019

29 of 33 checks passed

ci/circleci: racetest Your tests failed on CircleCI
prow/istio-integ-k8s-tests.sh Job failed.
prow/istio-pilot-multicluster-e2e.sh Job failed.
tide Not mergeable. Needs approved label.
GolangCI No issues found!
ci/circleci: build Your tests passed on CircleCI!
ci/circleci: codecov Your tests passed on CircleCI!
ci/circleci: e2e-dashboard Your tests passed on CircleCI!
ci/circleci: e2e-galley Your tests passed on CircleCI!
ci/circleci: e2e-mixer-noauth-v1alpha3-v2 Your tests passed on CircleCI!
ci/circleci: e2e-pilot-auth-v1alpha3-v2 Your tests passed on CircleCI!
ci/circleci: e2e-pilot-cloudfoundry-v1alpha3-v2 Your tests passed on CircleCI!
ci/circleci: e2e-pilot-noauth-v1alpha3-v2 Your tests passed on CircleCI!
ci/circleci: e2e-simple Your tests passed on CircleCI!
ci/circleci: lint Your tests passed on CircleCI!
ci/circleci: shellcheck Your tests passed on CircleCI!
ci/circleci: test Your tests passed on CircleCI!
ci/circleci: test-integration-local Your tests passed on CircleCI!
cla/google All necessary CLAs are signed
prow/e2e-bookInfoTests-v1alpha3.sh Job succeeded.
prow/e2e-bookInfoTests.sh Skipped
prow/e2e-dashboard.sh Job succeeded.
prow/e2e-mixer-no_auth.sh Job succeeded.
prow/e2e-simpleTests-cni.sh Skipped
prow/e2e-simpleTests-minProfile.sh Job succeeded.
prow/e2e-simpleTests.sh Job succeeded.
prow/e2e_pilotv2_auth_sds.sh Job succeeded.
prow/istio-integ-local-tests.sh Job succeeded.
prow/istio-pilot-e2e-envoyv2-v1alpha3.sh Job succeeded.
prow/istio-pilot-e2e.sh Skipped
prow/istio-presubmit.sh Job succeeded.
prow/istio-unit-tests.sh Job succeeded.
prow/release-test.sh Job succeeded.

@JimmyCYJ JimmyCYJ deleted the JimmyCYJ:release-1.1 branch Feb 6, 2019

louiscryan added a commit to louiscryan/istio that referenced this pull request Feb 8, 2019

Use credentialName to specify credential resource name and support mTLS for external cert management at ingress gateway. (istio#11496)

* use CredentialName for SIMPLE

* cvc

* rootca

* update test.

* update test

* fix format

* update gateway config

* fix test

* fix lint

* fix test

* add comments.

* add nolint

* update cvc

* update

* update

* update

* update

* update

* update

* format

* dep ensure --update istio.io/api

* Revise per comments

* Revise

* lint

exiaohao pushed a commit to exiaohao/istio that referenced this pull request Feb 11, 2019


smawson added a commit to smawson/istio that referenced this pull request Feb 12, 2019


duderino added a commit that referenced this pull request Feb 13, 2019

Merge release-1.1 to master (#11722)
* Incremental EDS only need updated service names (#11117)

* Configure envoy_bootstrap_v2.json to use the configured admin port (#11214)

* Configure envoy_bootstrap_v2.json to use the configured admin port

* Also set the prometheus_stats cluster's port

* Fix bootstrap tests that override admin port

* Allow ipv6 local traffic. (#10738)

* Allow specifying multiple egress host entries with same namespace (#11258)

* allow multiple hosts in same namespace in sidecar egress host

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* merge

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* undo

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* nit

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* lint

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* Galley: Include full Pod resource (#11323)

The ServiceEntry transformation requires the Pod status, which is
not included in the PodSpec. We need to pass through the entire
Pod proto, so that it's available for the conversion.

* Delete the obsolete service control adapter. (#11275)

* [DO NOT MERGE] Rollout Status timeout during e2e tests (#10996)

Addresses issue #9685

* Disable shared span context by default (#11281)

* Add logic to kubeenv adapter Close() to clean-up resources (#10839)

* Add logic to kubeenv adapter Close() to clean-up resources

* Add extra logging and robustness to daemon shutdown checking in runtime

* WIP

* Revert "WIP"

This reverts commit 74f22ec.

* Increase unit test coverage

* Address review comments

* Ensure xenial base image present before building proxy_init (#11277)

* Update codecov to use skip file as threshold as well (#11294)

* Fix e2e-simple test flake (#11271)

* Fix e2e-simple test flake

istio-init.yaml was not being applied. At least on bare metal,
this caused e2e-simple to fail nearly 100% of the time in a race
between the kube-apiserver applying CRDs and the application of
custom resources in the manifest.

This problem is less pervasive on slower (vm) environments.

* Fix a spelling error complaint from linter

* integrate new MCP stack into galley, pilot, and mixer (#11292)

This PR integrates the new MCP source/sink stack into Galley, Pilot,
and Mixer. The old stack is temporarily retained while we complete
extended scale/perf testing.

* Revert "Fix e2e-simple test flake (#11271)" (#11331)

This reverts commit f993e46.

* Update README.md (#9501)

* Add response_flags to metrics and logs (#9945)

* Use sdsName from Gateway config as the resource name in sds config (#11239)

* Use sdsName from Gateway config as the resource name in sds config

* Add test

* goimports

* Fix lint

* Fix test

* mixer: pod policy override (#10886)

* implement injection and override

Signed-off-by: Kuat Yessenov <kuat@google.com>

* lint

Signed-off-by: Kuat Yessenov <kuat@google.com>

* review

Signed-off-by: Kuat Yessenov <kuat@google.com>

* mend

* annotation from node metadata

Signed-off-by: Kuat Yessenov <kuat@google.com>

* fix a bug

Signed-off-by: Kuat Yessenov <kuat@google.com>

* Adding --controlPlaneBootstrap pilot-agent flag (#11212)

* Adding --controlPlaneBootstrap pilot-agent flag to explicitly enable
generation of Envoy bootstrap for Istio control plane components. Only
effective when --templateFile is provided as well.

If --templateFile is provided, but --controlPlaneBootstrap=false, then
template file will be passed through regular bootstrap config
processing, replacing default bootstrap config template.

Default flag value is "true" to be backward-compatible with existing
behavior, so that no other changes are required by other components that
rely on pilot-agent for control plane bootstrap config generation.

* Adding TODO to clean up Mixer and Pilot to use standard template

Mixer and Pilot use custom Envoy bootstrap templates, that have special processing in pilot-agent. They should migrate to the standard bootstrap template and special processing should be removed from pilot-agent.

* Fixing formatting errors on pilot/cmd/pilot-agent/main.go

* [Galley] Restructure runtime package to support multiple states. (#11325)

* [Galley] Restructure runtime package to support multiple states.

This is a follow-on to #11162 that moves the runtime state as well as
 its previously package-private dependencies into their
 own packages. This allows new "states" to exist in separate packages
 under runtime.

* addressing comments

* addressing comments

* extend istio-multi rbac rule (#11339)

* Galley file-source was occluding resources with the same name with different types in the same file (#11257)

* Only add localhost IP if no other IP address were found (#11367)

* not make PDB configurable (#11330)

* not allow users to configure pdb

* remove maxUnavailable

* incorporate google CA's merge APIs change in nodeagent  (#11341)

* merge api

* remove extra line

* Revert "Location based Load Balancing (#10720)" (#11371)

This reverts commit 3f05706.

* Support multiple Citadels running in one cluster. (#11312)

* Support multiple Citadels running.

* Small fix.

* Small fix.

* Small fix.

* consistent autoscaling config among control plane components (#11376)

* consistent autoscaling config among control plane components

* address Yossi comment

* add missing end

* use spec here

* support namespace/host in gateway (#11290)

* assorted cleanups

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* undo

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* Loosen secret type for ingress gateway (#11385)

* set concurrency according to cpu resource limit/request if it is not set (#11311)

* set concurrency according to cpu resource request if it is not set

* address comments

* fix ut

* fix ut

* fix ut

* run dep ensure

* cache proxy service instances to improve performance (#11368)

* cache proxy service instances to improve performance

* address comments & fix ut

* Support gateway agent to read TLS secret set by cert-manager (#11399)

* read tls secret format

* Update test

* fix lint

* fix lint

* fix lint

* update test

* format

* fix lint

* fix lint

* mixer: option for alternative language runtime (#11391)

* split the original PR

Signed-off-by: Kuat Yessenov <kuat@google.com>

* add annotation support

Signed-off-by: Kuat Yessenov <kuat@google.com>

* Fix simpletest flake in citadel testing (#11360)

* Fix simpletest flake in citadel testing

A PR was merged ~4 weeks ago which introduced built-in
testing of the Helm charts.  The readiness testing in these
Helm chart tests were defective.  This problem was masked by
a silently failing gate.

(cherry picked from commit bf9bc7b)

* Fix a flaky e2e_simpleTests (#11408)

* Add retries and delay trying to test connection to prometheus

* Also retry on connection refused errors

* Workaround due to old version of curl in proxy

(cherry picked from commit 0e937c7)

* Increase integ test deployment timeout (#11423)

* Increase integ test deployment timeout

* Skip flaky/failing TestTcpMetric

* Remove post-install job and (kubectl) apply security policy CRs to k8s directly (#11248) (#11418)

* Remove post-install job and (kubectl) apply security policy CRs to k8s directly

* Fix condition logic

* Exit on fatal logs (#11335)

* Exit on fatal logs

* Do not call Fatalf in the middle of Galley code

* envoy: use any instead of struct (#11419)

* fix tests

Signed-off-by: Kuat Yessenov <kuat@google.com>

* fix framework assuming json

Signed-off-by: Kuat Yessenov <kuat@google.com>

* add gates

Signed-off-by: Kuat Yessenov <kuat@google.com>

* Loops ends after first iteration (#11378) (#11383)

* Adding istio-init chart to release (#11443) (#11445)

* fix superfluous condition in pdb. (#11413)

* Set seconds as the value of MaxAge instead of Duration.String (#11447)

* Allow identity domain to be configured in istio: Ensure e2e tests are working with different identity domain (#9226)

* Refactor identity domain handling and adapt unit tests

Co-authored-by: Ulrich Kramer <u.kramer@sap.com>

* Fix goimports error

*  set role.TrustDomain in pilot main

Co-authored-by: Holger Oehm <holger.oehm@sap.com>

* Add end to end test e2e_bookinfo_trustdomain

Co-authored-by: Holger Oehm <holger.oehm@sap.com>

* Use .Values.global.trustDomain as trustDomain for citadel

Co-authored-by: Holger Oehm <holger.oehm@sap.com>

* Removed commented out code

Co-authored-by: Jakob Schmid <jakob.schmid@sap.com>

* Remove fallback to domain for trust domain

This became necessary due to #11050, which always set the domain
command line flag for executables. But we didn't expect this flag to
have two different meanings (dns-domain and domain-suffix).

Co-authored-by: Ulrich Kramer <u.kramer@sap.com>

* Tls fix (#11455)

* revert deleted TLS validation logic

* lint fixes

* Make TestDuplicateResourceNamesDifferentTypes have consistent ordering. (#11456)

* Adding support for named components to the test framework (#11440)

Each component can be created with a name and optionally a configuration. This allows multiple echo instances, policy backends, envoy proxies, etcetera to be managed independently. Also adding a standard way to configure components but support for that is in a followup.

* Galley support for MCP Source Client dial out (#11291)

* Auth plugin to be used for Galley callout.

* Lint

* Add unit tests.

* Mock Google credentials

* Galley callout code.

* Review comments, fix client_source test.

* Lint

* Switch callout.go to use patch table for test vars.

* Rename callout cli args.

* Increase coverage

* newcallout args, syncWG change.

* Fatal->Error

* Review comments

* Review comments.

* Update metadata model. (#11477)

This is split out from #11293

Supporting work for #10497 and #10589

* [pilot] Export virtual service and destination rule metadata (#11384)

* [pilot] Export virtual service and destination rule metadata

* fixup bad rebase

* restore lost test

* Small fixes

* use URL for rule uid and config as key

* goimports

* update unit tests to match code changes in previous commit

* goimports, redux

* Randomize Galley ports for integration testing (#11285)

* Randomize Galley port for code-coverage runs.

* Remove runaway empty test.

* Update istio-proxy for source.uid fix (#11428)

* Update gateway_test.go to check for overrides

* update to include new proxy

* linter fix

* update client tests for whitelisted attributes

* use source fixed build

* disable TestSecretCreationKubernetes (#11479)

* Fix e2e-simple test flake (#11356) (#11481)

istio-init.yaml was not being applied. At least on bare metal,
this caused e2e-simple to fail nearly 100% of the time in a race
between the kube-apiserver applying CRDs and the application of
custom resources in the manifest.

This problem is less pervasive on slower (vm) environments.
(cherry picked from commit 1caa6ce)

* Enhance MCP index function to support multiple groups (#11478)

This is split out from #11293

In #11293 we modify the index function to return a different group when choosing the synthetic ServiceEntry collection.

Support for #10497 and #10589

* Zipkin adapter supporting the tracespan template (#11282) (#11483)

* Zipkin adapter supporting the tracespan template (#11282)

* Zipkin adapter supporting the tracespan template

* Refactored generic OpenCensus trace support into a helper package
* Use this to implement Zipkin support using OpenCensus Zipkin exporter

* regenerate template.

* lint. move crd.

* dep ensure.

* new line.

* add zipkin to galley.

* dep ensure

* Default exports, and config root namespace (#11387)

* default exportTo flags

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* format

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* nit

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* compile fix

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* helm stuff

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* istio-config namespace and default sidecar scope

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* spell fix

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* nits

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* reorder initialization steps

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* test compile fixes

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* helm tweaks

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* missing helm file

* allow ~ in sidecar imports

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* bad copy paste

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* test fix

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* undo framework change

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* Revert "bad copy paste"

This reverts commit 934b54a.

* Revert "missing helm file"

This reverts commit 992685d.

* Revert "helm tweaks"

This reverts commit 5b78b92.

* redos

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* lists

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* quotes

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* tests

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* undos

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* Fixing race condition in Galley Server.Close() (#11484)

The issue was introduced by #11285

It causes a race with the startup of the gRPC server, which leads to a segfault.  From prow logs:

```
=== RUN   TestServer_Basic
2019-02-01T20:33:05.867746Z	info	ControlZ available at 10.44.58.28:9876
2019-02-01T20:33:05.867968Z	info	ControlZ terminated
2019-02-01T20:33:05.867987Z	info	runtime	Stopping processor...
2019-02-01T20:33:05.868000Z	warn	runtime	Processor has already stopped
2019-02-01T20:33:05.867798Z	info	runtime	Starting processor...
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x28 pc=0x9e4bc8]

goroutine 148 [running]:
istio.io/istio/vendor/google.golang.org/grpc.(*Server).Serve(0xc42046d080, 0x0, 0x0, 0x0, 0x0)
	/home/prow/go/src/istio.io/istio/vendor/google.golang.org/grpc/server.go:522 +0x748
istio.io/istio/galley/pkg/server.(*Server).Run.func1(0xc4202d9490)
	/home/prow/go/src/istio.io/istio/galley/pkg/server/server.go:242 +0xfb
created by istio.io/istio/galley/pkg/server.(*Server).Run
	/home/prow/go/src/istio.io/istio/galley/pkg/server/server.go:233 +0x5c
FAIL	istio.io/istio/galley/pkg/server	0.383s
```

* add labels to services and deployments (#11503)

* Quote accessLogFormat in configmap template in helm chart (#11449) (#11490)

* Make custom gateway work (#11320)

Signed-off-by: clyang82 <clyang@cn.ibm.com>

* Add missing values global object and template (#11500)

* Envoy Graceful Shutdown (#11485)

* Add Draining bootstrap to Proxies

Signed-off-by: Liam White <liam@tetrate.io>

* Drain open connections

Signed-off-by: Liam White <liam@tetrate.io>

* typo and makefile fix for drain config

Signed-off-by: Liam White <liam@tetrate.io>

* Add proxy agent tests for draining

Signed-off-by: Liam White <liam@tetrate.io>

* appease our golangcibot overlord

Signed-off-by: Liam White <liam@tetrate.io>

* Windows Go doesn't have syscall.Kill

Signed-off-by: Liam White <liam@tetrate.io>

* Skip spybackend test when in racetest (#11497) (#11506)

* Workaround to make racetest skip this test due to low memory

* Lint

* Add mixer status to access log (#11471)

* Add mixer status to access log

Signed-off-by: Lizan Zhou <lizan@tetrate.io>

* review

Signed-off-by: Lizan Zhou <lizan@tetrate.io>

* fixing default exports (#11507)

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* Fix 10971 p1 injector (#11512)

* Fix global DNS resolution in sidecar injector

The dnsConfig key was not honored by the sidecar injector.  This PR
ensures the dnsConfig key is honored by the sidecar injector.  This
enables the injected application to resolve DNS, but does not solve
routing via RDS.  Routing via RDS needs a follow-up PR.

* Fix syntax error in sidecar injector template

* HTTP probe rewrite for webhook part. (#10470)

* injector changes for health check, pilot agent take over app readiness check. (#9266)

* WIP injector change to modify istio-proxy.

* move out to app_probe.go

* Iterating sidecartmpl to find the statusPort.

* use the same name for ready path.

* Get rewrite work, almost.

* Some clean up on test and check one container criteria.

* fix the injected test file.

* Add inject test for readiness probe itself.

* Add missing added test file.

* fix helm test.

* fix lint.

* update header based finding the port.

* return to previous injected file status.

* fixing TestIntoResource test.

* sed fixing all remaining injecting files.

* handling named port.

* fixing merge failure.

* remove the debug print.

* lint fixing.

* Apply the suggestions for finding statusPort arg.

* Address comments, regex support more port value format.

* add app_probe_test.go

* add more test.

* merge fix the test.

* webhook autoinject is ready for review.

* Squashed commit of the following:

commit 501b92c76c010d3adcd2e52a9abe8cb149eb90f2
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 29 18:13:30 2019 -0800

    renaming env var.

commit 1a82b2c0de292a34643f59ce802858c8d26a7a46
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 29 17:59:25 2019 -0800

    finish migrating test to yaml file based.

commit 99bda1d7d2521b965a0f71e28d235ada469ba7b7
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 29 13:55:00 2019 -0800

    get test working.

commit 28225cd409c7790636c11da74ad8f69d0e7cf89b
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 29 13:49:58 2019 -0800

    WIP add some test files.

commit 612b8aa3db468850d8e34f47d0dc05c536f57dde
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 29 13:13:06 2019 -0800

    WIP changing to using the environment var.

commit 7dabcb1695fa375de1b93add014528ae7509c94c
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 29 10:52:47 2019 -0800

    add todo for the tests.

commit 7af6ba524176616d67d35867665225e27f4a96ce
Merge: ca22277 4b7b13a
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 29 10:47:17 2019 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-wip

commit ca22277
Merge: 98fd48f 744b07a
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Jan 28 23:15:34 2019 -0800

    Merge branch 'health-wip' of https://github.com/incfly/istio into health-wip

commit 98fd48f
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Jan 28 23:15:00 2019 -0800

    findsidecar.

commit 744b07a
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Jan 28 22:29:28 2019 -0800

    add FindSidecar.

commit 40ed002
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Jan 28 21:55:51 2019 -0800

    refactor some code.

commit 0fdbb2e
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Jan 28 18:19:32 2019 -0800

    Integration test works and fixing a bug.

commit 5085dfd
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Jan 28 16:09:13 2019 -0800

    all inject tests pass.

commit fe3f156
Merge: a2a7744 010d5c2
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Jan 28 15:22:18 2019 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-wip

commit a2a7744
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Jan 28 15:16:04 2019 -0800

    update the TestWebhookInject.

commit 36fd45c
Author: Jianfei Hu <jianfeih@google.com>
Date:   Fri Jan 25 12:13:21 2019 -0800

    some document

commit 88dc922
Author: Jianfei Hu <jianfeih@google.com>
Date:   Fri Jan 25 11:43:44 2019 -0800

    new version works for kubeinject, webhook unit test.

commit 6efa0d6
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Jan 24 18:17:38 2019 -0800

    WIP working on modifying sidecar.Args first, then modify app container patch.

commit 65a2194
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Jan 24 15:20:36 2019 -0800

    WIP add what's missing to get e2e test working.

commit 1595e87
Merge: 256d963 ac78a55
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Jan 24 13:26:05 2019 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit 256d963
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Jan 24 12:14:04 2019 -0800

    add some debugging log.

commit f700963
Merge: bdce721 c7eb603
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Jan 24 10:57:43 2019 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit bdce721
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 23 18:04:37 2019 -0800

    refactor to host something up to caller.

commit b51763c
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 23 16:31:32 2019 -0800

    get everything working.

commit 0815695
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 23 15:48:27 2019 -0800

    kubeinject test is working.

commit 14c99b5
Merge: d626bb8 5ea7962
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 23 15:38:30 2019 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit d626bb8
Merge: 3561ae0 66153da
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 23 15:38:23 2019 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit 3561ae0
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 16 16:49:44 2019 -0800

    WIP, policy is not taking effect, test passing without rewrite.

commit a9bef0f
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 16 16:31:08 2019 -0800

    fix the json path in the patch.

commit f1aee91
Merge: 3a7eb48 abc53e1
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 16 14:03:49 2019 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit 3a7eb48
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 16 13:57:55 2019 -0800

    fix it, removing namespace since metadata not matching will fail for kubeapply

commit 2b12034
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 16 11:58:39 2019 -0800

    WIP, debugging why mtls policy is not showing up.

commit 72e9c4e
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 15 17:24:16 2019 -0800

    working on integration2 test framework.

commit 90c1cce
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 15 17:04:38 2019 -0800

    add small comments.

commit 92a0eda
Merge: 7f5c8cb e45242c
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 15 16:43:47 2019 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit 7f5c8cb
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 18 09:37:53 2018 -0800

    check rewriteAppProbe separately.

commit e2707c9
Merge: 20f02c0 1ae6b4f
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 18 09:01:37 2018 -0800

    Merge branch 'health-autoinject' of https://github.com/incfly/istio into health-autoinject

commit 20f02c0
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 18 08:59:57 2018 -0800

    duplicate the rewrite logic.

commit 4894cb1
Merge: 3b3bcbf d8c4579
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 18 08:53:44 2018 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit 1ae6b4f
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Dec 17 21:56:51 2018 -0800

    address comments.

commit 3b3bcbf
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Dec 13 15:24:33 2018 -0800

    massage comments.

commit ccd670d
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Dec 13 15:15:50 2018 -0800

    helm flag is off, so change the expected output.

commit 43522c1
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Dec 13 15:09:46 2018 -0800

    make webhook support rewriteAppHTTPProbe flag.

commit f60f18f
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Dec 13 12:03:04 2018 -0800

    fixing the merge typo.

commit 05bbadf
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Dec 13 11:56:38 2018 -0800

    remove unnecessary changes in test for debugging.

commit a81eacb
Merge: af1a679 f6b0ddc
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Dec 13 11:53:07 2018 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit af1a679
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 18:07:19 2018 -0800

    fixing all the test.

commit 58d0bef
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 17:51:34 2018 -0800

    Get TestInject happy.

commit fcd0ae2
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 17:49:42 2018 -0800

    make TestHelmInject happy.

commit 7a3ffc8
Merge: fcca1f8 bd1631b
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 16:53:01 2018 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit fcca1f8
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 16:18:20 2018 -0800

    get webhook_test.TestInject working.

commit 06f517c
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 16:10:55 2018 -0800

    restructure app_probe_test working for both.

commit 7142e96
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 13:19:41 2018 -0800

    starting to work on serious test

commit a3dfb97
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 11:50:19 2018 -0800

    prototyping, getting familiar with the test.

commit 51659da
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 11:05:51 2018 -0800

    wip for adding test.

* resolve appprobetest.

* update the golden due to another injector change.

* remove unnecessary files in this pr.

* remove the test framework change.

* remove unnecessary testdata file.

* DeepCopy used.

* fix lint.

* Add longer timeouts for Galley tests. (#11517)

Addresses #11464

* Locality based load balancing for strict dns clusters (#11381)

* rework locality based load balancing

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* simplify

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* lint

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* bad merge

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* lint

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* lint again

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* Update pilot/pkg/networking/core/v1alpha3/cluster.go

Co-Authored-By: rshriram <rshriram@users.noreply.github.com>

* move load balancer setting to a separate pkg

* should also apply applyLocalityLBSetting for non-cached outbound clusters

* set cluster locality_weighted_lb_config

* fix ci

* enable LocalityWeightedLbConfig only when cluster has outlier detection

* address comments

* Correct Citadel server log. (#11361)

* Correct Citadel server log.

* Small fix.

* Remove sidecar injection in istio-init jobs (#11317)

This PR aims to solve a problem where the injector is running
but a new job is added in an upgrade scenario.  In this condition
the job is injected, which can result in errors contacting the
injector.

* Only require go.opencensus.io on Linux (#11327)

* Only require go.opencensus.io on Linux

* Ran fmt.sh and goimports against
the stats_linux.go file.

Signed-off-by: Jason Clark <jason.clark.oss@gmail.com>

* Remove the istio-remote chart and make it an istio chart values (#11307)

* Remove the istio-remote chart and make it an istio chart values

* By default tracing should be disabled in remote as it's unsupported

* Fixing the path to values file in e2e MC test

* Fixing istio-pilot-multicluster-e2e.sh

* Correction for previous commit

* Better way to remove MeshPolicy on remote yaml

* Newline

* Newline

* Remove redundant and

* Fix for flakes in TestSource_MangledNames (#11538)

The source of the panic appeared to be access to the labels, which were not being explicitly set on the Unstructured object. This PR sets them directly, so that should no longer be an issue.

Fixes #11532

* Use istio namespace for global destination rule to avoid overwriting mixer policy (#11546)

* Change default monitoring port (#11421)

* Change default monitoring port

Update the default monitoring port from 9093 to 15014.

* Fix test cases

* Hardcode the monitoringPort in istio-remote

* Use credentialName to specify credential resource name and support mTLS for external cert management at ingress gateway. (#11496)

* use CredentialName for SIMPLE

* cvc

* rootca

* update test.

* update test

* fix format

* update gateway config

* fix test

* fix lint

* fix test

* add comments.

* add nolint

* update cvc

* update

* update

* update

* update

* update

* update

* format

* dep ensure --update istio.io/api

* Revise per comments

* Revise

* lint

* Add MCP stress test suite (#11465)

* add -labels option to mcpc for testing and debug

* fix typo in source CollectionOptions name

* increase queue test coverage to 100%

* add more tests for incremental mcp option (still off by default)

* add mcp stress test suite

* fix unit tests

* review comments and add README.md

* run goimports

* fix some wording

* fix bad merge

* formatting

* rebase stress test on latest snapshot group changes

* math.Rand is not safe for concurrent use

* address review comments

* add missing file

* plumb through serverIncSupported

* rename test file

* changing the default limits for init proxy (#11540)

* Add readiness check for Ingress Gateway (#3063) (#11001) (#11548)

Enabling the same readiness probe for Ingress Gateway that is being
used for sidecars.

* istioctl proxy-status should only exec into running pilot pods (#11539)

istioctl proxy-status uses kubectl exec on pilot pods to extract debug
and diagnostic information. Use
`--field-selector=status.phase=Running` to only exec into pods that
are actually running.

fixes #11488

* increase control plane component replicas during upgrade test (#11389)

* add multiple control plane component

* remove space

* Allow specify the path for SDS k8s token (#11460)

* Allow specify SDS token path

* Change the default value to empty string

* Rephrase the comment for sds token path

* Address review comments

* Change to use node metadata to pass SDS token path

* Address review comments (e.g., remove static variable)

* Use SDS token path if it is set

* remove chart.version label in pod template. (#11302)

* remove deprecated 'refreshInterval' option in chart. (#11412)

* remove deprecated option in chart.

* fix CI issue.

* Disable agent TestFull test. (#11562)

* remove istio cni subchart tar from source. (#11230)

* Moved subcharts into the istio chart (#11558)

* Moved subcharts into istio charts

* Removed helm dep update calls

* Removed also programmatic helmDepUpdate calls

* Removing helm package call not necessary anymore

* Fix non-Linux builds. (#11580)

* add debug logs to print cert chain (#11575)

* revert #11558 Moved subcharts into the istio chart (#11597)

* add multiple control plane component

* remove space

* Revert "Moved subcharts into the istio chart (#11558)"

This reverts commit a5f9e9b.

* add missing attribute declarations (#11595)

Signed-off-by: Kuat Yessenov <kuat@google.com>

* Fix a few doc issues. (#11596)

* Update istio/api to #3094619 release 1.1 subject_alt_names in Service… (#11541)

* Update istio/api to #3094619 release 1.1 subject_alt_names in ServiceEntry

* Comment out sdsName

* Linter fix

* more linter fixes

* Comment out SDS test

* run bin/fmt.sh

* Skip gateway sds test completely

* Use issue # in t.Skip()

* revert sds changes

* Fix racetest in SDS service (#11615)

* Set the serviceCluster namespace based on env var, to also support specifying namespace on cli after kubeinject (#11587)

* Make image pull policy configurable in Makefile (#10269)

* Adds missing 1.1 attribute data to testdata for integration tests (#11313)

The request.url_path and request.query_params attributes have been added as of istio 1.1
These are required in the testdata attributes manifest in order for them to be useable in the integration test framework.

* Doc fixes. (#11619)

* [mixer:stackdriver] Initial changes to support dst svc edges in graph (#11426)

* Initial changes to support dst svc edges

* Add istio service to k8s service member relation

* Refactor of edge logic and add test

* Add <workload, service> relations

* Fix routing when DNS is resolved (#11522)

The DNSDomain variable needs to be enhanced to include more
than one DNS entry.  Change DNSDomain to DNSDomains as a meta
and add the dnsConfig in the meta.  As now DNSDomain is a slice
of strings instead of a string, the variable needs consolidation.

* adjust galley dashboard time range (#11627)

* Add update permissions to deployments/finalizers for galley clusterrole (#11586) (#11631)

(cherry picked from commit f9b6866)

* [release-1.1] Update fluentd adapter to be more robust (#11623)

* Update fluentd adapter to be more robust

* Minor touchup of bad merge

* Lint fixes

* Fix kubernetesenv workload attributes for multicluster with one control plane (#11581)

* remove myself from pilot OWNERS (#11632)

* remove me (#11636)

Signed-off-by: Kuat Yessenov <kuat@google.com>

* add debug logs for citadel authenticate fail (#11633)

* move apply plugin below buildscript (#11625)

The Cloud Foundry open source licensing scanner has a plugin that
identifies dependencies from gradle scripts, but it requires the
buildscript and plugins block be before anything else in the file.
This change does not affect the build, but makes our lives a smidge
easier.

Co-authored-by: Teal Stannard <tstannard@pivotal.io>

* check key.pem (#11599)

* Sample ServiceEntries for apt-get, pip, and git tools showing how to grant access to mesh. (#11508)

* Samples for accessing apt-get repo, Github, and pip repo

* A Readme explaining the samples

* Link to future doc on default external comm capability

* Incorporate documentation feedback from venilnoronha

* Add support for metadata constraints in RBAC (#11459)

* Add support for metadata constraints in RBAC

This adds support for mapping RBAC constraints with keys in the a[b]
format to Envoy's filter metadata matcher.

Signed-off-by: Venil Noronha <veniln@vmware.com>

* Use SplitN instead of Split for completeness

This updates the metadata matcher definition to use strings.SplitN
instead of strings.Split in order to capture the whole binary key in two
parts.

Signed-off-by: Venil Noronha <veniln@vmware.com>

* Accommodate [list] and plain value type constraints

This adds logic to accommodate filter metadata matching over both [list]
and value type constraints.

Signed-off-by: Venil Noronha <veniln@vmware.com>

* Add extra experimental. prefix test for matching

This adds an extra experimental. prefix test while creating metadata
matchers based on Envoy filters.

Signed-off-by: Venil Noronha <veniln@vmware.com>

* Update comments

This updates code comments.

Signed-off-by: Venil Noronha <veniln@vmware.com>

* add POST to ratings service to demonstrate security policies on HTTP Methods (#10778)

* add POST to ratings service

* put a space between if and opening parenthesis

* add comments

* remove extra line-break

* Enable remote clusters to check/report to local Mixer (#11585)

* Print error message if istio-sidecar-injector invalid, allow toJson as synonym for toJSON (#11570)

* Fix racetest in fluentd test (#11647)

* Bump the number of connection that can be re-use in Citadel (#11641)

* Bump the number of connection that can be re-use in Citadel

* A small fix

* First cut of xDS APi structural testing using the new integration tests (#11406)

* Fixes for k8s ingress (#11343)

* Fix ingress in pilot, writeback and multiple namespaces

* Fix tests, format

* Fix test - the generated service should be left in the namespace of ingress

* Additional test fixes, match the new 1.1 semantics

* Again make fmt and lint not matching

* Break up the helloworld sample into versions (#11650)

* Break up the helloworld sample into versions

* Moved to default namespace

* Separated gateway file and added labels

* Update the doc

* Cleanup section updated too

* Fix build break due to #11406. (#11677)

https://k8s-gubernator.appspot.com/build/istio-prow/pr-logs/pull/istio_istio/11645/istio-integ-local-tests/5215

* make stackdriver e2e test cluster wide (#11674)

* Add handling for independent encoding in Report batches to Mixer (#11640)

* Add handling for independent encoding in Report batches to Mixer

* fix lll

* Address review

* protect protobag done

* exit circleci test early if setup fails (#11572)

* wip: exit circleci test early if setup fails

Many of the circleci tests will attempt to run the e2e/integration
tests even after the test setup fails. This leads to misleading test
failures that suggest the problem is with the feature test and not the
test setup itself.

Example test runs where the setup failed and the test was run but
immediately errored out because a dependency was missing:

https://circleci.com/gh/istio/istio/316588
https://circleci.com/gh/istio/istio/317262
https://circleci.com/gh/istio/istio/318281
https://circleci.com/gh/istio/istio/316031
https://circleci.com/gh/istio/istio/315952
https://circleci.com/gh/istio/istio/315871
https://circleci.com/gh/istio/istio/315813

ref: https://circleci.com/docs/2.0/configuration-reference/#the-when-attribute
```
By default, CircleCI will execute job steps one at a time, in the
order that they are defined in config.yml, until a step fails (returns
a non-zero exit code). After a command fails, no further job steps
will be executed.

Adding the when attribute to a job step allows you to override this
default behaviour, and selectively run or skip steps depending on the
status of the job.

The default value of on_success means that the step will run only if
all of the previous steps have been successful (returned exit code 0).

A value of always means that the step will run regardless of the exit
status of previous steps. This is useful if you have a task that you
want to run regardless of whether the previous steps are successful or
not. For example, you might have a job step that needs to upload logs
or code-coverage data somewhere.
```

* re-add `when: always` to codecov job

* Implementation of isolation for EDS (#11672)

* Implementation of isolation for EDS

* Provide nil proxy for older calls

* Always call loadAssignmentsForClusterIsolated

* Revert "Always call loadAssignmentsForClusterIsolated"

This reverts commit db2c997.

* Env variable to disable

* Lint

* Environment Variable controlled Graceful Termination with low defaults. (#11630)

* Feature flag graceful shutdown

Turn graceful shutdown off by default for 1.1 with a feature flag that allows users to opt-in.

Signed-off-by: Liam White <liam@tetrate.io>

* Address pr comments

Signed-off-by: Liam White <liam@tetrate.io>

* Clean up missed feature flag var

Signed-off-by: Liam White <liam@tetrate.io>

* Add turn off test case, todo comments and fix agent tests

Signed-off-by: Liam White <liam@tetrate.io>

* fix lint

Signed-off-by: Liam White <liam@tetrate.io>

* PR review comments

Signed-off-by: Liam White <liam@tetrate.io>

* Move TerminationDuration function and tests to Pilot features

Signed-off-by: Liam White <liam@tetrate.io>

* Update Proxy SHA to latest (release-1.1). (#11687)

Signed-off-by: Piotr Sikora <piotrsikora@google.com>

* Add empty check for proxy's locality (#11681)

Make sure empty proxy locality will fall back to using proxy service's instance locality.

* Increase sleep value to account for Galley default aggregation of 1 sec with MCP (#11685)

* cache ServiceAccounts and remove it from Environment (#11442)

* cache ServiceAccounts and remove it from Environment

* use allServices var

* fix ut

* Adding Envoy bootstrap template for a custom Pilot implementation. (#11395)

* Adding Envoy bootstrap template for a custom Pilot implementation.

New template connects to Pilot using Google gRPC Envoy client, which
allows performing authz by passing additional credentials. Placed into
install/gcp due to being GCP installation specific.

To enable this template, introducing {{ .discovery_address }} variable,
which passes --discoveryAddress flag value "as is", without splitting it into
address/port_value parts as currently done for the {{ .pilot_grpc_address }} variable.

* Removing static interception listener from gcp_envoy_bootstrap.json
as it is generated by the Pilot.

* Update bookinfo images, fix the script to bump bookinfo versions (#11701)

* add wildcard to digits in the sed regex, for setting version

* bump a minor version

* Add cli option to Galley to allow metadata on outgoing sink connections. (#11602)

* Add cli option to Galley to allow metadata on outgoing sink connections.

For use with sinkAddress, outgoing connections to MCP sink servers
will have gRPC stream metadata attached as defined by sinkMeta.

* Update sinkMeta to use key=value.

* Review comments.

* Error message if istioctl version doesn't match data plane version (#11592)

* Additional error text if istioctl version doesn't match data plane version

* Fix typo

* Revise wording of error msg

* Allow Envoy listener stats to be turned off/on with a pod annotation (#11398)

* If sidecar.istio.io/statsPatterns supplied, customize Envoy stats collection

* Versionize annotation tag

* Change annotation to sidecar.istio.io/v1alpha1/statsInclusionPrefixes per Doug Reid

* pin goimports in make fmt (#11645)

* fix fmt

Signed-off-by: Kuat Yessenov <kuat@google.com>

* trying to run docker in circle

Signed-off-by: Kuat Yessenov <kuat@google.com>

* trying to run docker in circle

Signed-off-by: Kuat Yessenov <kuat@google.com>

* circling

Signed-off-by: Kuat Yessenov <kuat@google.com>

* circling

Signed-off-by: Kuat Yessenov <kuat@google.com>

* just dont use circle

Signed-off-by: Kuat Yessenov <kuat@google.com>

* add comment

Signed-off-by: Kuat Yessenov <kuat@google.com>

* Adding namespace declaration in Grafana PersistentVolumeClaim (#11314)

When using the Helm chart with a user specific namespace and Grafana persistency
enabled, the generated PersistentVolumeClaim for Grafana was missing a namespace,
leaving the Grafana pod stuck in the Pending state.

* Fix the periodic builds, add a non-mcp to presubmit (#11703)

* Update api sha (#11709)

* issue #11244 - demo should install a default secret for kiali so out-of-box experience is nicer for users kicking the tires (#11272) (#11715)

(cherry picked from commit 1ad4e29)

* [WIP] Fix sync issue with policy enablement and check enablement (#11707)

* Fix sync issue with policy enablement and check enablement

* Remove outdated comment

* Fix deps and broken merge for mixer test

* Fix overly restrictive golang version match

* Fix integration test framework merge issues

* Fix line length lint issue

louiscryan added a commit to louiscryan/istio that referenced this pull request Feb 14, 2019

Use credentialName to specify credential resource name and support mTLS for external cert management at ingress gateway. (istio#11496)

* use CredentialName for SIMPLE

* cvc

* rootca

* update test.

* update test

* fix format

* update gateway config

* fix test

* fix lint

* fix test

* add comments.

* add nolint

* update cvc

* update

* update

* update

* update

* update

* update

* format

* dep ensure --update istio.io/api

* Revise per comments

* Revise

* lint
@muhlba91


muhlba91 commented Feb 18, 2019

Is this PR already adding support for automatic certificate reloading through e.g. cert-manager and Let's Encrypt?

@myidpt

Contributor

myidpt commented Feb 19, 2019

Yes. @JimmyCYJ is working on the tutorial on istio.io.

@JimmyCYJ

Contributor Author

JimmyCYJ commented Feb 19, 2019

Hi @muhlba91, the tutorial istio/istio.io#3224 is under review. Thanks.

@thomschke


thomschke commented Feb 26, 2019

I want to configure a mTLS ingress gateway, but

  • TLS certs comes from cert-manager as TLS secret
  • but the root cert for the client side certs comes from my own PKI as Generic secret

I run helm-chart istio-1.1.0-rc.0 with --set gateways.istio-ingressgateway.sds.enabled=true and configure a Gateway with tls.credentialName: istio-ingressgateway-certs like:

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: topsecret
spec:
  selector:
    istio: ingressgateway-istio
  servers:
    - port:
        number: 443
        name: https-istio
        protocol: HTTPS
      tls:
        mode: MUTUAL
        credentialName: istio-ingressgateway-certs
```

Then I configure a certificate with secretName: istio-ingressgateway-certs like:

```yaml
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: topsecret
  namespace: istio-system
spec:
  secretName: istio-ingressgateway-certs
```

and a separate generic secret with name: istio-ingressgateway-certs-cacert and the key cacert which contains the root-cert for the client side certs from my own pki like:

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: istio-ingressgateway-certs-cacert
  namespace: istio-system
type: Opaque
data:
  cacert: {...}
```

But the ingress-sds container throws the following error: cannot find secret istio-ingressgateway-certs-cacert for ingress gateway.

When I look at secretfetcher then there is a delete statement for the cacert secret.

```go
// If there is root cert secret with the same resource name, delete that secret now.
sf.secrets.Delete(rootCertResourceName)
```

But I need the possibility to define the root-cert for the client side in a separate generic secret, because cert-manager generates only TLS secrets.

Any Idea?

@JimmyCYJ

Contributor Author

JimmyCYJ commented Feb 26, 2019

Hi @thomschke, only one secret with secretName: istio-ingressgateway-certs is needed by the ingress gateway agent. And this secret should contain key, server cert, and root cert for MUTUAL mode. The ingress gateway agent sends key and server cert in response to the SDS request with resource name "istio-ingressgateway-certs", and sends root cert in response to the SDS request with resource name "istio-ingressgateway-certs-cacert".
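
The resolution rule described in the reply above, as an added Go example (not Istio's code): one Secret named after credentialName serves both the key/cert request and the "-cacert" root-cert request, and a pre-flight check confirms a Secret holds what the Gateway's tls.mode needs. The struct shapes, the ca.crt key name and all error strings except the one quoted from the thread are assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// CASuffix is appended to the credentialName when Envoy requests the root
// cert, i.e. the "<credentialName>-cacert" resource name from the thread.
const CASuffix = "-cacert"

// Secret is a minimal stand-in for a Kubernetes Secret (assumed shape, values already decoded).
type Secret struct {
	Name string
	Data map[string][]byte
}

// SecretItem is the material returned in one SDS response.
type SecretItem struct {
	ResourceName string
	PrivateKey   []byte
	CertChain    []byte
	RootCert     []byte
}

// Store indexes secrets by name, standing in for the agent's secret cache.
type Store struct{ byName map[string]Secret }

func NewStore(secrets ...Secret) *Store {
	st := &Store{byName: make(map[string]Secret, len(secrets))}
	for _, s := range secrets {
		st.byName[s.Name] = s
	}
	return st
}

// extract reads key, server cert and root cert from either the kubernetes.io/tls
// layout (tls.key, tls.crt, and ca.crt assumed for the root cert) or the
// Opaque layout from the thread (key, cert, cacert).
func extract(s Secret) (key, cert, ca []byte) {
	pick := func(keys ...string) []byte {
		for _, k := range keys {
			if v := s.Data[k]; len(v) > 0 {
				return v
			}
		}
		return nil
	}
	return pick("tls.key", "key"), pick("tls.crt", "cert"), pick("ca.crt", "cacert")
}

// Lookup resolves one SDS resource name. The key/cert request and the "-cacert"
// request are both served from the ONE secret named credentialName; a separate
// secret named "<credentialName>-cacert" is never consulted.
func (st *Store) Lookup(resourceName string) (*SecretItem, error) {
	wantCA := strings.HasSuffix(resourceName, CASuffix)
	secretName := strings.TrimSuffix(resourceName, CASuffix)
	s, ok := st.byName[secretName]
	if !ok {
		return nil, fmt.Errorf("cannot find secret %s for ingress gateway", resourceName)
	}
	key, cert, ca := extract(s)
	if wantCA {
		if len(ca) == 0 {
			// The thread's failure mode: a cert-manager TLS secret carries no root cert.
			return nil, fmt.Errorf("secret %s has no root cert for resource %s", secretName, resourceName)
		}
		return &SecretItem{ResourceName: resourceName, RootCert: ca}, nil
	}
	if len(key) == 0 || len(cert) == 0 {
		return nil, fmt.Errorf("secret %s is missing key or server cert", secretName)
	}
	return &SecretItem{ResourceName: resourceName, PrivateKey: key, CertChain: cert}, nil
}

// ValidateForGateway is a pre-flight check before applying a Gateway with
// tls.credentialName: key+cert must exist, and for MUTUAL mode the root cert too.
func (st *Store) ValidateForGateway(credentialName, mode string) error {
	if _, err := st.Lookup(credentialName); err != nil {
		return err
	}
	if mode == "MUTUAL" {
		if _, err := st.Lookup(credentialName + CASuffix); err != nil {
			return err
		}
	}
	return nil
}

func main() {
	// Constructed sample matching the thread: a TLS secret without a root cert
	// plus a sibling Opaque secret that the agent does not look at.
	st := NewStore(
		Secret{Name: "istio-ingressgateway-certs",
			Data: map[string][]byte{"tls.key": []byte("KEY"), "tls.crt": []byte("CERT")}},
		Secret{Name: "istio-ingressgateway-certs-cacert",
			Data: map[string][]byte{"cacert": []byte("ROOT")}},
	)
	fmt.Println("SIMPLE:", st.ValidateForGateway("istio-ingressgateway-certs", "SIMPLE"))
	fmt.Println("MUTUAL:", st.ValidateForGateway("istio-ingressgateway-certs", "MUTUAL"))
}
```

Running it reports SIMPLE as fine and MUTUAL as failing, which is exactly the mismatch the error in the thread surfaces at SDS time rather than at apply time.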

@thomschke


thomschke commented Feb 26, 2019

Hi @JimmyCYJ, thanks for your prompt reply.

Cert-Manager generates only TLS secrets with key and server cert. So currently I have to manually merge this TLS secret into a generic secret together with my root cert. That's bad.

If secretfetcher will find a TLS secret then it can look for a responsible generic secret named with suffix IngressGatewaySdsCaSuffix and can merge the root-cert (instead of returning nothing):

What do you think?

@JimmyCYJ

Contributor Author

JimmyCYJ commented Feb 26, 2019

@thomschke Thanks for providing more context. Is it possible to let cert-manager generate a secret with key, server cert and root cert? Changing the ingress gateway agent to extract the root cert by scanning the secret name suffix is a kind of hack. This affects user experience and could mess up user setup. It would make more sense to let cert-manager provide an option to specify the root cert.
cc @myidpt

@thomschke


thomschke commented Feb 27, 2019

Hi @JimmyCYJ,

Cert-Manager only creates TLS Secrets, which are a kind of Secret that only contains a crt and key file, and far and wide there is no help in sight.

Yes, at first glance my FR looks like a hack. But in my opinion it's the only way to support auto-reloading for mTLS gateways at the moment.

BTW: Istio helm chart bundles cert-manager. Maybe you have more persuasiveness when you talk to them :-)

@prune998

Contributor

prune998 commented Feb 27, 2019

@JimmyCYJ you just found the biggest issue with Istio and Cert-Manager!

Your solution is to pre-create the secret istio-ingressgateway-certs as a plain Secret (not a TLS one), put your CA inside it, then push your Certificate resource.
Cert-Manager should add the key/CRT to your secret.

I won't rant again. Both Istio (Galley ?) and Cert-Manager need to do something to ease the creation and management of those certificates. I had a strong No on the Cert-Manager side, so far...
One thing you could do is create a new issue and explain your issue... maybe at some point someone will understand we need a change to support SSL certs from Cert-Manager in Istio...

@JimmyCYJ

Contributor Author

JimmyCYJ commented Feb 27, 2019

Hi @prune998 @thomschke, thanks for all the context. I just created a feature request, #12132; please feel free to add comments there. That would make it easier for us to keep track of the issue.

@thomschke


thomschke commented Feb 27, 2019

@JimmyCYJ Thanks!

BTW: CRD validation has to change --> If credentialName is specified then privateKey, serverCertificate and caCertificates are no longer required.

@JimmyCYJ

Contributor Author

JimmyCYJ commented Feb 27, 2019

@thomschke That validation change is in #11991, you don't need to add privateKey, serverCertificate, and caCertificate if you have specified credentialName.

@thomschke


thomschke commented Feb 28, 2019

istio-testing added a commit that referenced this pull request Mar 20, 2019

Merge master into collab-galley (#12630)
* Merge release-1.1 to master (#11722)

* Incremental EDS only need updated service names (#11117)

* Configure envoy_bootstrap_v2.json to use the configured admin port (#11214)

* Configure envoy_bootstrap_v2.json to use the configured admin port

* Also set the prometheus_stats cluster's port

* Fix bootstrap tests that override admin port

* Allow ipv6 local traffic. (#10738)

* Allow specifying multiple egress host entries with same namespace (#11258)

* allow multiple hosts in same namespace in sidecar egress host

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* merge

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* undo

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* nit

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* lint

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* Galley: Include full Pod resource (#11323)

The ServiceEntry transformation requires the Pod status, which is
not included in the PodSpec. We need to pass through the entire
Pod proto, so that it's available for the conversion.

* Delete the obsolete service control adapter. (#11275)

* [DO NOT MERGE] Rollout Status timeout during e2e tests (#10996)

Addresses issue #9685

* Disable shared span context by default (#11281)

* Add logic to kubeenv adapter Close() to clean-up resources (#10839)

* Add logic to kubeenv adapter Close() to clean-up resources

* Add extra logging and robustness to daemon shutdown checking in runtime

* WIP

* Revert "WIP"

This reverts commit 74f22eced391bfbfb54834e7ffdc2505931b60b1.

* Increase unit test coverage

* Address review comments

* Ensure xenial base image present before building proxy_init (#11277)

* Update codecov to use skip file as threshold as well (#11294)

* Fix e2e-simple test flake (#11271)

* Fix e2e-simple test flake

istio-init.yaml was not being applied. At least on bare metal,
this caused e2e-simple to fail nearly 100% of the time in a race
between the kubeapi server applying CRD's and the application of
custom resources in the manifest.

This problem is less pervasive on slower (vm) environments.

* Fix a spelling error complaint from linter

* integrate new MCP stack into galley, pilot, and mixer (#11292)

This PR integrates the new MCP source/sink stack into Galley, Pilot,
and Mixer. The old stack is temporarily retained while we complete
extended scale/perf testing.

* Revert "Fix e2e-simple test flake (#11271)" (#11331)

This reverts commit f993e46d69c2ae4f990eabdfa377034f23c3b807.

* Update README.md (#9501)

* Add response_flags to metrics and logs (#9945)

* Use sdsName from Gateway config as the resource name in sds config (#11239)

* Use sdsName from Gateway config as the resource name in sds config

* Add test

* goimports

* Fix lint

* Fix test

* mixer: pod policy override (#10886)

* implement injection and override

Signed-off-by: Kuat Yessenov <kuat@google.com>

* lint

Signed-off-by: Kuat Yessenov <kuat@google.com>

* review

Signed-off-by: Kuat Yessenov <kuat@google.com>

* mend

* annotation from node metadata

Signed-off-by: Kuat Yessenov <kuat@google.com>

* fix a bug

Signed-off-by: Kuat Yessenov <kuat@google.com>

* Adding --controlPlaneBootstrap pilot-agent flag (#11212)

* Adding --controlPlaneBootstrap pilot-agent flag to explicitly enable
generation of Envoy bootstrap for Istio control plane components. Only
effective when --templateFile is provided as well.

If --templateFile is provided, but --controlPlaneBootstrap=false, then
template file will be passed through regular bootstrap config
processing, replacing default bootstrap config template.

Default flag value is "true" to be backward-compatible with existing
behavior, so that no other changes are required by other components that
rely on pilot-agent for control plane bootstrap config generation.

* Adding TODO to clean up Mixer and Pilot to use standard template

Mixer and Pilot use custom Envoy bootstrap templates, that have special processing in pilot-agent. They should migrate to the standard bootstrap template and special processing should be removed from pilot-agent.

* Fixing formatting errors on pilot/cmd/pilot-agent/main.go

* [Galley] Restructure runtime package to support multiple states. (#11325)

* [Galley] Restructure runtime package to support multiple states.

This is a follow-on to #11162 that moves the runtime state as well as
 its previously package-private dependencies into their
 own packages. This allows new "states" to exist in separate packages
 under runtime.

* addressing comments

* addressing comments

* extend istio-multi rbac rule (#11339)

* Galley file-source was occluding resources with the same name with different types in the same file (#11257)

* Only add localhost IP if no other IP address were found (#11367)

* not make PDB configurable (#11330)

* not allow users to configure pdb

* remove maxUnavailable

* incorporate google CA's merge APIs change in nodeagent  (#11341)

* merge api

* remove extra line

* Revert "Location based Load Balancing (#10720)" (#11371)

This reverts commit 3f0570653f37ecaa5ccb75df0cb9619f84419624.

* Support multiple Citadels running in one cluster. (#11312)

* Support multiple Citadels running.

* Small fix.

* Small fix.

* Small fix.

* consistent autoscaling config among control plane components (#11376)

* consistent autoscaling config among control plane components

* address Yossi comment

* add missing end

* use spec here

* support namespace/host in gateway (#11290)

* assorted cleanups

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* undo

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* Loosen secret type for ingress gateway (#11385)

* set concurrency according to cpu resource limit/request if it is not set (#11311)

* set concurrency according to cpu resource request if it is not set

* address comments

* fix ut

* fix ut

* fix ut

* run dep ensure

* cache proxy service instances to improve performance (#11368)

* cache proxy service instances to improve performance

* address comments & fix ut

* Support gateway agent to read TLS secret set by cert-manager (#11399)

* read tls secret format

* Update test

* fix lint

* fix lint

* fix lint

* update test

* format

* fix lint

* fix lint

* mixer: option for alternative language runtime (#11391)

* split the original PR

Signed-off-by: Kuat Yessenov <kuat@google.com>

* add annotation support

Signed-off-by: Kuat Yessenov <kuat@google.com>

* Fix simpletest flake in citadel testing (#11360)

* Fix simpletest flake in citadel testing

A PR was merged ~4 weeks ago which introduced built-in
testing of the Helm charts.  The readiness testing in these
Helm chart tests were defective.  This problem was masked by
a silently failing gate.

(cherry picked from commit bf9bc7bada15288cd1e4d0c8fa4b04c39e4379b5)

* Fix a flaky e2e_simpleTests (#11408)

* Add retries and delay trying to test connection to prometheus

* Also retry on connection refused errors

* Workaround due to old version of curl in proxy

(cherry picked from commit 0e937c77b2d037a9216698a7c93037ccb5062dcc)

* Increase integ test deployment timeout (#11423)

* Increase integ test deployment timeout

* Skip flaky/failing TestTcpMetric

* Remove post-install job and (kubectl) apply security policy CRs to k8s directly (#11248) (#11418)

* Remove post-install job and (kubectl) apply security policy CRs to k8s directly

* Fix condition logic

* Exit on fatal logs (#11335)

* Exit on fatal logs

* Do not call Fatalf in the middle of Galley code

* envoy: use any instead of struct (#11419)

* fix tests

Signed-off-by: Kuat Yessenov <kuat@google.com>

* fix framework assuming json

Signed-off-by: Kuat Yessenov <kuat@google.com>

* add gates

Signed-off-by: Kuat Yessenov <kuat@google.com>

* Loops ends after first iteration (#11378) (#11383)

* Adding istio-init chart to release (#11443) (#11445)

* fix superfluous condition in pdb. (#11413)

* Set seconds as the value of MaxAge instead of Duration.String (#11447)

* Allow identity domain to be configured in istio: Ensure e2e tests are working with different identity domain (#9226)

* Refactor identity domain handling and adapt unit tests

Co-authored-by: Ulrich Kramer <u.kramer@sap.com>

* Fix goimports error

*  set role.TrustDomain in pilot main

Co-authored-by: Holger Oehm <holger.oehm@sap.com>

* Add end to end test e2e_bookinfo_trustdomain

Co-authored-by: Holger Oehm <holger.oehm@sap.com>

* Use .Values.global.trustDomain as trustDomain for citadel

Co-authored-by: Holger Oehm <holger.oehm@sap.com>

* Removed commented out code

Co-authored-by: Jakob Schmid <jakob.schmid@sap.com>

* Remove fallback to domain for trust domain

This became necessary due to #11050, which always set the domain
command line flag for executables. But we didn't expect this flag to
have two different meanings (dns-domain and domain-suffix).

Co-authored-by: Ulrich Kramer <u.kramer@sap.com>

* Tls fix (#11455)

* revert deleted TLS validation logic

* lint fixes

* Make TestDuplicateResourceNamesDifferentTypes have consistent ordering. (#11456)

* Adding support for named components to the test framework (#11440)

Each component can be created with a name and optionally a configuration. This allows multiple echo instances, policy backends, envoy proxies, etcetera to be managed independently. Also adding a standard way to configure components but support for that is in a followup.

* Galley support for MCP Source Client dial out (#11291)

* Auth plugin to be used for Galley callout.

* Lint

* Add unit tests.

* Mock Google credentials

* Galley callout code.

* Review comments, fix client_source test.

* Lint

* Switch callout.go to use patch table for test vars.

* Rename callout cli args.

* Increase coverage

* newcallout args, syncWG change.

* Fatal->Error

* Review comments

* Review comments.

* Update metadata model. (#11477)

This is split out from #11293

Supporting work for #10497 and #10589

* [pilot] Export virtual service and destination rule metadata (#11384)

* [pilot] Export virtual service and destination rule metadata

* fixup bad rebase

* restore lost test

* Small fixes

* use URL for rule uid and config as key

* goimports

* update unit tests to match code changes in previous commit

* goimports, redux

* Randomize Galley ports for integration testing (#11285)

* Randomize Galley port for code-coverage runs.

* Remove runaway empty test.

* Update istio-proxy for source.uid fix (#11428)

* Update gateway_test.go to check for overrides

* update to include new proxy

* linter fix

* update client tests for whitelisted attributes

* use source fixed build

* disable TestSecretCreationKubernetes (#11479)

* Fix e2e-simple test flake (#11356) (#11481)

istio-init.yaml was not being applied. At least on bare metal,
this caused e2e-simple to fail nearly 100% of the time in a race
between the kubeapi server applying CRDs and the application of
custom resources in the manifest.

This problem is less pervasive on slower (vm) environments.
(cherry picked from commit 1caa6cedcc7b0526f94bf3f9d3941df65ae4956f)

* Enhance MCP index function to support multiple groups (#11478)

This is split out from #11293

In #11293 we modify the index function to return a different group when choosing the synthetic ServiceEntry collection.

Support for #10497 and #10589

* Zipkin adapter supporting the tracespan template (#11282) (#11483)

* Zipkin adapter supporting the tracespan template (#11282)

* Zipkin adapter supporting the tracespan template

* Refactored generic OpenCensus trace support into a helper package
* Use this to implement Zipkin support using OpenCensus Zipkin exporter

* regenerate template.

* lint. move crd.

* dep ensure.

* new line.

* add zipkin to galley.

* dep ensure

* Default exports, and config root namespace (#11387)

* default exportTo flags

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* format

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* nit

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* compile fix

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* helm stuff

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* istio-config namespace and default sidecar scope

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* spell fix

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* nits

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* reorder initialization steps

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* test compile fixes

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* helm tweaks

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* missing helm file

* allow ~ in sidecar imports

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* bad copy paste

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* test fix

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* undo framework change

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* Revert "bad copy paste"

This reverts commit 934b54a922dd0a6102016901b77badba7774090f.

* Revert "missing helm file"

This reverts commit 992685db5e1fe3f68a484f01dac21f44c66acc8e.

* Revert "helm tweaks"

This reverts commit 5b78b920d18379253ea7c8ae37fd0c0611180c75.

* redos

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* lists

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* quotes

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* tests

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* undos

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* Fixing race condition in Galley Server.Close() (#11484)

The issue was introduced by #11285

It causes a race with the startup of the gRPC server, which leads to a segfault.  From prow logs:

```
=== RUN TestServer_Basic
2019-02-01T20:33:05.867746Z	info	ControlZ available at 10.44.58.28:9876
2019-02-01T20:33:05.867968Z	info	ControlZ terminated
2019-02-01T20:33:05.867987Z	info	runtime	Stopping processor...
2019-02-01T20:33:05.868000Z	warn	runtime	Processor has already stopped
2019-02-01T20:33:05.867798Z	info	runtime	Starting processor...
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x28 pc=0x9e4bc8]

goroutine 148 [running]:
istio.io/istio/vendor/google.golang.org/grpc.(*Server).Serve(0xc42046d080, 0x0, 0x0, 0x0, 0x0)
	/home/prow/go/src/istio.io/istio/vendor/google.golang.org/grpc/server.go:522 +0x748
istio.io/istio/galley/pkg/server.(*Server).Run.func1(0xc4202d9490)
	/home/prow/go/src/istio.io/istio/galley/pkg/server/server.go:242 +0xfb
created by istio.io/istio/galley/pkg/server.(*Server).Run
	/home/prow/go/src/istio.io/istio/galley/pkg/server/server.go:233 +0x5c
FAIL	istio.io/istio/galley/pkg/server	0.383s
```

* add labels to services and deployments (#11503)

* Quote accessLogFormat in configmap template in helm chart (#11449) (#11490)

* Make custom gateway work (#11320)

Signed-off-by: clyang82 <clyang@cn.ibm.com>

* Add missing values global object and template (#11500)

* Envoy Graceful Shutdown (#11485)

* Add Draining bootstrap to Proxies

Signed-off-by: Liam White <liam@tetrate.io>

* Drain open connections

Signed-off-by: Liam White <liam@tetrate.io>

* typo and makefile fix for drain config

Signed-off-by: Liam White <liam@tetrate.io>

* Add proxy agent tests for draining

Signed-off-by: Liam White <liam@tetrate.io>

* appease our golangcibot overlord

Signed-off-by: Liam White <liam@tetrate.io>

* Windows Go doesn't have syscall.Kill

Signed-off-by: Liam White <liam@tetrate.io>

* Skip spybackend test when in racetest (#11497) (#11506)

* Workaround to make racetest skip this test due to low memory

* Lint

* Add mixer status to access log (#11471)

* Add mixer status to access log

Signed-off-by: Lizan Zhou <lizan@tetrate.io>

* review

Signed-off-by: Lizan Zhou <lizan@tetrate.io>

* fixing default exports (#11507)

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* Fix 10971 p1 injector (#11512)

* Fix global DNS resolution in sidecar injector

The dnsConfig key was not honored by the sidecar injector.  This PR
ensures the dnsConfig key is honored by the sidecar injector.  This
enables the injected application to resolve DNS, but does not solve
routing via RDS.  Routing via RDS needs a followup PR.

* Fix syntax error in sidecar injector template

* HTTP probe rewrite for webhook part. (#10470)

* injector changes for health check, pilot agent take over app readiness check. (#9266)

* WIP injector change to modify istio-proxy.

* move out to app_probe.go

* Iterating sidecartmpl to find the statusPort.

* use the same name for ready path.

* Get rewrite work, almost.

* Some clean up on test and check one container criteria.

* fix the injected test file.

* Add inject test for readiness probe itself.

* Add missing added test file.

* fix helm test.

* fix lint.

* update header based finding the port.

* return to previous injected file status.

* fixing TestIntoResource test.

* sed fixing all remaining injecting files.

* handling named port.

* fixing merging failure.

* remove the debug print.

* lint fixing.

* Apply the suggestions for finding statusPort arg.

* Address comments, regex support more port value format.

* add app_probe_test.go

* add more test.

* merge fix the test.

* webhook autoinject is ready for review.

* Squashed commit of the following:

commit 501b92c76c010d3adcd2e52a9abe8cb149eb90f2
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 29 18:13:30 2019 -0800

    renaming env var.

commit 1a82b2c0de292a34643f59ce802858c8d26a7a46
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 29 17:59:25 2019 -0800

    finish migrating test to yaml file based.

commit 99bda1d7d2521b965a0f71e28d235ada469ba7b7
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 29 13:55:00 2019 -0800

    get test working.

commit 28225cd409c7790636c11da74ad8f69d0e7cf89b
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 29 13:49:58 2019 -0800

    WIP add some test files.

commit 612b8aa3db468850d8e34f47d0dc05c536f57dde
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 29 13:13:06 2019 -0800

    WIP changing to using the environment var.

commit 7dabcb1695fa375de1b93add014528ae7509c94c
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 29 10:52:47 2019 -0800

    add todo for the tests.

commit 7af6ba524176616d67d35867665225e27f4a96ce
Merge: ca22277d7 4b7b13aef
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 29 10:47:17 2019 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-wip

commit ca22277d76ed8d1c1b7c3b44cb05edfe52ccf861
Merge: 98fd48f59 744b07ad2
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Jan 28 23:15:34 2019 -0800

    Merge branch 'health-wip' of https://github.com/incfly/istio into health-wip

commit 98fd48f59f748bafe5e8518bff3d8cbfd64a2135
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Jan 28 23:15:00 2019 -0800

    findsidecar.

commit 744b07ad2406d1eb94bcf5492125f91486ad6b10
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Jan 28 22:29:28 2019 -0800

    add FindSidecar.

commit 40ed002ff6f5dd4afe22afa984384addc1be1104
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Jan 28 21:55:51 2019 -0800

    refactor some code.

commit 0fdbb2e832b7ac01f3e4ed185763b3b20bfbd2ac
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Jan 28 18:19:32 2019 -0800

    Integration test works and fixing a bug.

commit 5085dfd0e6cb4f0c9cb5c25e7f24b0b94dec176a
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Jan 28 16:09:13 2019 -0800

    all inject tests pass.

commit fe3f156316c917854c2ef4c163e7e1fb070c4fa5
Merge: a2a774498 010d5c266
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Jan 28 15:22:18 2019 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-wip

commit a2a774498e1021c1ca01c021c071e225fa330407
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Jan 28 15:16:04 2019 -0800

    update the TestWebhookInject.

commit 36fd45c074bcc787702a5a9257d23103521f525c
Author: Jianfei Hu <jianfeih@google.com>
Date:   Fri Jan 25 12:13:21 2019 -0800

    some document

commit 88dc922719e2c4723a334d1d8d959cac361b1ecb
Author: Jianfei Hu <jianfeih@google.com>
Date:   Fri Jan 25 11:43:44 2019 -0800

    new version works for kubeinject, webhook unit test.

commit 6efa0d64eca835dd860cdfc37d09ebfe110e083a
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Jan 24 18:17:38 2019 -0800

    WIP working on modifying sidecar.Args first, then modify app container patch.

commit 65a2194ae7a93581f60b56998aeb9480b4a4fde5
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Jan 24 15:20:36 2019 -0800

    WIP add what's missing to get e2e test working.

commit 1595e871c640cdabead372eada2b17d717fa707f
Merge: 256d9635f ac78a552a
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Jan 24 13:26:05 2019 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit 256d9635f4d590936c473bf3be0299064cb9c716
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Jan 24 12:14:04 2019 -0800

    add some debugging log.

commit f70096334464fd1d59a0e81997e8f0fd6623a564
Merge: bdce72119 c7eb603ee
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Jan 24 10:57:43 2019 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit bdce72119ef78dab40b750861768c332811b9ee2
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 23 18:04:37 2019 -0800

    refactor to host something up to caller.

commit b51763c21000ba2b7fe9e2bc728783ce530cfe87
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 23 16:31:32 2019 -0800

    get everything works.

commit 0815695a2fea828f06a31f14ed7795a3b3716111
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 23 15:48:27 2019 -0800

    kubeinject test is working.

commit 14c99b58f0212972d42e298fa4185275642d672c
Merge: d626bb85d 5ea79622c
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 23 15:38:30 2019 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit d626bb85dee628771f8f41fc90335ac608dea923
Merge: 3561ae0a6 66153da4d
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 23 15:38:23 2019 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit 3561ae0a69350730834e625c0710394968f9fcde
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 16 16:49:44 2019 -0800

    WIP, policy is not taking effect, test passing without rewrite.

commit a9bef0f01964a14f6ace0da6217d7a36f364b661
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 16 16:31:08 2019 -0800

    fix the json path in the patch.

commit f1aee91189e16beb0dadee6c612464b1aa9bad21
Merge: 3a7eb48e6 abc53e120
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 16 14:03:49 2019 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit 3a7eb48e6b8e4687ffc38973bf18fca11b06c957
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 16 13:57:55 2019 -0800

    fix it, removing namespace since metadata not matching will fail for kubeapply

commit 2b120347ae887b8a4aa5f955a1a8cb0bdd46d3da
Author: Jianfei Hu <jianfeih@google.com>
Date:   Wed Jan 16 11:58:39 2019 -0800

    WIP, debugging why mtls policy is not showing up.

commit 72e9c4e488f875ffea0c3a279403277010160ee1
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 15 17:24:16 2019 -0800

    working on integration2 test framework.

commit 90c1cce9ddc55ce339aa65eac06602591d3113c9
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 15 17:04:38 2019 -0800

    add small comments.

commit 92a0edaa11734d1c6fb1c367fae56dc104c6e676
Merge: 7f5c8cbd8 e45242c0d
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 15 16:43:47 2019 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit 7f5c8cbd8d4aa57eaf8f8d739cae6dbfdab0445d
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 18 09:37:53 2018 -0800

    check rewriteAppProbe separately.

commit e2707c9b8f1b01bd4b03b2c6adb9fc79f0dcb479
Merge: 20f02c045 1ae6b4fde
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 18 09:01:37 2018 -0800

    Merge branch 'health-autoinject' of https://github.com/incfly/istio into health-autoinject

commit 20f02c04563fab9b81b418c00a5455994fda5148
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 18 08:59:57 2018 -0800

    duplicate the rewrite logic.

commit 4894cb16804d9c5a0406c2dc1b02e3395be08e64
Merge: 3b3bcbff8 d8c4579fa
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 18 08:53:44 2018 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit 1ae6b4fde00ae641637d44c0f417f635b6d9a6b1
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Dec 17 21:56:51 2018 -0800

    address comments.

commit 3b3bcbff86f982c8abc705518a0fd4ec37bf4840
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Dec 13 15:24:33 2018 -0800

    massage comments.

commit ccd670d31ef2c1817f87fe932d6f0d2ed4f609d7
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Dec 13 15:15:50 2018 -0800

    helm flag is off, so change the expected output.

commit 43522c15d06054e4bb173ab2c37333a4de647c2d
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Dec 13 15:09:46 2018 -0800

    make webhook support rewriteAppHTTPProbe flag.

commit f60f18f4144482874c1219c7da90e97f19f1172f
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Dec 13 12:03:04 2018 -0800

    fixing the merge typo.

commit 05bbadfd851b3a5ad013e733d6eb5eacf5491b15
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Dec 13 11:56:38 2018 -0800

    remove unnecessary changes in test for debugging.

commit a81eacb6892509d8938be8d64f1435cf64e22317
Merge: af1a67989 f6b0ddc30
Author: Jianfei Hu <jianfeih@google.com>
Date:   Thu Dec 13 11:53:07 2018 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit af1a6798988f9fe70e40add2a6d4971efa9b50ed
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 18:07:19 2018 -0800

    fixing all the test.

commit 58d0bef3520037a81db8baa34d6e13849d20af10
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 17:51:34 2018 -0800

    Get TestInject happy.

commit fcd0ae2f7a6ba2f067f460f4baad2194e517b7f1
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 17:49:42 2018 -0800

    make TestHelmInject happy.

commit 7a3ffc8d8e4b5509e1bbed2facc6e4ba14d70fa0
Merge: fcca1f89a bd1631be3
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 16:53:01 2018 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-autoinject

commit fcca1f89af2fddfc0edb3824982aa0b81390fa6d
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 16:18:20 2018 -0800

    get webhook_test.TestInject working.

commit 06f517cfc4214994be1be848d40b12f09ba8a4b8
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 16:10:55 2018 -0800

    restructure app_probe_test working for both.

commit 7142e96ed8a3200fc91bc73aee86d471117232fc
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 13:19:41 2018 -0800

    starting to work on serious test

commit a3dfb97b4ec4de375984c2a17eb4374bc1c5046a
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 11:50:19 2018 -0800

    prototyping, get familiar with the test.

commit 51659dacbc569f4532dc6a37b2091f39c7cf115b
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Dec 11 11:05:51 2018 -0800

    wip for adding test.

* resolve appprobetest.

* update the golden due to another injector change.

* remove unnecessary files in this pr.

* remove the test framework change.

* remove unnecessary testdata file.

* DeepCopy used.

* fix lint.

* Add longer timeouts for Galley tests. (#11517)

Addresses #11464

* Locality based load balancing for strict dns clusters (#11381)

* rework locality based load balancing

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* simplify

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* lint

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* bad merge

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* lint

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* lint again

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* Update pilot/pkg/networking/core/v1alpha3/cluster.go

Co-Authored-By: rshriram <rshriram@users.noreply.github.com>

* move load balancer setting to a separate pkg

* should also apply applyLocalityLBSetting for non-cached outbound clusters

* set cluster locality_weighted_lb_config

* fix ci

* enable LocalityWeightedLbConfig only when cluster has outlier detection

* address comments

* Correct Citadel server log. (#11361)

* Correct Citadel server log.

* Small fix.

* Remove sidecar injection in istio-init jobs (#11317)

This PR aims to solve a problem where the injector is running
but a new job is added in an upgrade scenario.  In this condition
the job is injected, which can result in errors contacting the
injector.

* Only require go.opencensus.io on Linux (#11327)

* Only require go.opencensus.io on Linux

* Ran fmt.sh and goimports against
the stats_linux.go file.

Signed-off-by: Jason Clark <jason.clark.oss@gmail.com>

* Remove the istio-remote chart and make it an istio chart values (#11307)

* Remove the istio-remote chart and make it an istio chart values

* By default tracing should be disabled in remote as it's unsupported

* Fixing the path to values file in e2e MC test

* Fixing istio-pilot-multicluster-e2e.sh

* Correction for previous commit

* Better way to remove MeshPolicy on remote yaml

* Newline

* Newline

* Remove redundant and

* Fix for flakes in TestSource_MangledNames (#11538)

The source of the panic appeared to be access to the labels, which were not being explicitly set on the Unstructured object. This PR sets them directly, so that should no longer be an issue.

Fixes #11532

* Use istio namespace for global destination rule to avoid overwriting mixer policy (#11546)

* Change default monitoring port (#11421)

* Change default monitoring port

Update the default monitoring port from 9093 to 15014.

* Fix test cases

* Hardcode the monitoringPort in istio-remote

* Use credentialName to specify credential resource name and support mTLS for external cert management at ingress gateway. (#11496)

* use CredentialName for SIMPLE

* cvc

* rootca

* update test.

* update test

* fix format

* update gateway config

* fix test

* fix lint

* fix test

* add comments.

* add nolint

* update cvc

* update

* update

* update

* update

* update

* update

* format

* dep ensure --update istio.io/api

* Revise per comments

* Revise

* lint

* Add MCP stress test suite (#11465)

* add -labels option to mcpc for testing and debug

* fix typo in source CollectionOptions name

* increase queue test coverage to 100%

* add more tests for incremental mcp option (still off by default)

* add mcp stress test suite

* fix unit tests

* review comments and add README.md

* run goimports

* fix some wording

* fix bad merge

* formatting

* rebase stress test on latest snapshot group changes

* math.Rand is not safe for concurrent use

* address review comments

* add missing file

* plumb through serverIncSupported

* rename test file

* changing the default limits for init proxy (#11540)

* Add readiness check for Ingress Gateway (#3063) (#11001) (#11548)

Enabling the same readiness probe for Ingress Gateway that is being
used for sidecars.

* istioctl proxy-status should only exec into running pilot pods (#11539)

istioctl proxy-status uses kubectl exec on pilot pods to extract debug
and diagnostic information. Use
`--field-selector=status.phase=Running` to only exec into pods that
are actually running.

fixes https://github.com/istio/istio/issues/11488

* increase control plane component replicas during upgrade test (#11389)

* add multiple control plane component

* remove space

* Allow specifying the path for SDS k8s token (#11460)

* Allow specifying SDS token path

* Change the default value to empty string

* Rephrase the comment for sds token path

* Address review comments

* Change to use node metadata to pass SDS token path

* Address review comments (e.g., remove static variable)

* Use SDS token path if it is set

* remove chart.version label in pod template. (#11302)

* remove deprecated 'refreshInterval' option in chart. (#11412)

* remove deprecated option in chart.

* fix CI issue.

* Disable agent TestFull test. (#11562)

* remove istio cni subchart tar from source. (#11230)

* Moved subcharts into the istio chart (#11558)

* Moved subcharts into istio charts

* Removed helm dep update calls

* Removed also programmatic helmDepUpdate calls

* Removing helm package call not necessary anymore

* Fix non-Linux builds. (#11580)

* add debug logs to print cert chain (#11575)

* revert #11558 Moved subcharts into the istio chart (#11597)

* add multiple control plane component

* remove space

* Revert "Moved subcharts into the istio chart (#11558)"

This reverts commit a5f9e9bb30eb4240ee0b00893796126b5b434c5d.

* add missing attribute declarations (#11595)

Signed-off-by: Kuat Yessenov <kuat@google.com>

* Fix a few doc issues. (#11596)

* Update istio/api to #3094619 release 1.1 subject_alt_names in Service… (#11541)

* Update istio/api to #3094619 release 1.1 subject_alt_names in ServiceEntry

* Comment out sdsName

* Linter fix

* more linter fixes

* Comment out SDS test

* run bin/fmt.sh

* Skip gateway sds test completely

* Use issue # in t.Skip()

* revert sds changes

* Fix racetest in SDS service (#11615)

* Set the serviceCluster namespace based on env var, to also support specifying namespace on cli after kubeinject (#11587)

* Make image pull policy configurable in Makefile (#10269)

* Adds missing 1.1 attribute data to testdata for integration tests (#11313)

The request.url_path and request.query_params attributes have been added as of istio 1.1
These are required in the testdata attributes manifest in order for them to be usable in the integration test framework.

* Doc fixes. (#11619)

* [mixer:stackdriver] Initial changes to support dst svc edges in graph (#11426)

* Initial changes to support dst svc edges

* Add istio service to k8s service member relation

* Refactor of edge logic and add test

* Add <workload, service> relations

* Fix routing when DNS is resolved (#11522)

The DNSDomain variable needs to be enhanced to include more
than one DNS entry.  Change DNSDomain to DNSDomains as a meta
and add the dnsConfig in the meta.  As now DNSDomain is a slice
of strings instead of a string, the variable needs consolidation.

* adjust galley dashboard time range (#11627)

* Add update permissions to deployments/finalizers for galley clusterrole (#11586) (#11631)

(cherry picked from commit f9b6866731aabe056c699b608a8e93eb850d13c0)

* [release-1.1] Update fluentd adapter to be more robust (#11623)

* Update fluentd adapter to be more robust

* Minor touchup of bad merge

* Lint fixes

* Fix kubernetesenv workload attributes for multicluster with one control plane (#11581)

* remove myself from pilot OWNERS (#11632)

* remove me (#11636)

Signed-off-by: Kuat Yessenov <kuat@google.com>

* add debug logs for citadel authenticate fail (#11633)

* move apply plugin below buildscript (#11625)

The Cloud Foundry open source licensing scanner has a plugin that
identifies dependencies from gradle scripts, but it requires the
buildscript and plugins block be before anything else in the file.
This change does not affect the build, but makes our lives a smidge
easier.

Co-authored-by: Teal Stannard <tstannard@pivotal.io>

* check key.pem (#11599)

* Sample ServiceEntries for apt-get, pip, and git tools showing how to grant access to mesh. (#11508)

* Samples for accessing apt-get repo, Github, and pip repo

* A Readme explaining the samples

* Link to future doc on default external comm capability

* Incorporate documentation feedback from venilnoronha

* Add support for metadata constraints in RBAC (#11459)

* Add support for metadata constraints in RBAC

This adds support for mapping RBAC constraints with keys in the a[b]
format to Envoy's filter metadata matcher.

Signed-off-by: Venil Noronha <veniln@vmware.com>

* Use SplitN instead of Split for completeness

This updates the metadata matcher definition to use strings.SplitN
instead of strings.Split in order to capture the whole binary key in two
parts.

Signed-off-by: Venil Noronha <veniln@vmware.com>

* Accommodate [list] and plain value type constraints

This adds logic to accommodate filter metadata matching over both [list]
and value type constraints.

Signed-off-by: Venil Noronha <veniln@vmware.com>

* Add extra experimental. prefix test for matching

This adds an extra experimental. prefix test while creating metadata
matchers based on Envoy filters.

Signed-off-by: Venil Noronha <veniln@vmware.com>

* Update comments

This updates code comments.

Signed-off-by: Venil Noronha <veniln@vmware.com>

* add POST to ratings service to demonstrate security policies on HTTP Methods (#10778)

* add POST to ratings service

* put a space between if and opening parenthesis

* add comments

* remove extra line-break

* Enable remote clusters to check/report to local Mixer (#11585)

* Print error message if istio-sidecar-injector invalid, allow toJson as synonym for toJSON (#11570)

* Fix racetest in fluentd test (#11647)

* Bump the number of connections that can be reused in Citadel (#11641)

* Bump the number of connections that can be reused in Citadel

* A small fix

* First cut of xDS APi structural testing using the new integration tests (#11406)

* Fixes for k8s ingress (#11343)

* Fix ingress in pilot, writeback and multiple namespaces

* Fix tests, format

* Fix test - the generated service should be left in the namespace of ingress

* Additional test fixes, match the new 1.1 semantics

* Again make fmt and lint not matching

* Break up the helloworld sample into versions (#11650)

* Break up the helloworld sample into versions

* Moved to default namespace

* Separated gateway file and added labels

* Update the doc

* Cleanup section updated too

* Fix build break due to https://github.com/istio/istio/pull/11406. (#11677)

https://k8s-gubernator.appspot.com/build/istio-prow/pr-logs/pull/istio_istio/11645/istio-integ-local-tests/5215

* make stackdriver e2e test cluster wide (#11674)

* Add handling for independent encoding in Report batches to Mixer (#11640)

* Add handling for independent encoding in Report batches to Mixer

* fix lll

* Address review

* protect protobag done

* exit circleci test early if setup fails (#11572)

* wip: exit circleci test early if setup fails

Many of the circleci tests will attempt to run the e2e/integration
tests even after the test setup fails. This leads to misleading test
failures that suggest the problem is with the feature test and not the
test setup itself.

Example test runs where the setup failed and the test was run but
immediately errored out because a dependency was missing:

https://circleci.com/gh/istio/istio/316588
https://circleci.com/gh/istio/istio/317262
https://circleci.com/gh/istio/istio/318281
https://circleci.com/gh/istio/istio/316031
https://circleci.com/gh/istio/istio/315952
https://circleci.com/gh/istio/istio/315871
https://circleci.com/gh/istio/istio/315813

ref: https://circleci.com/docs/2.0/configuration-reference/#the-when-attribute
```
By default, CircleCI will execute job steps one at a time, in the
order that they are defined in config.yml, until a step fails (returns
a non-zero exit code). After a command fails, no further job steps
will be executed.

Adding the when attribute to a job step allows you to override this
default behaviour, and selectively run or skip steps depending on the
status of the job.

The default value of on_success means that the step will run only if
all of the previous steps have been successful (returned exit code 0).

A value of always means that the step will run regardless of the exit
status of previous steps. This is useful if you have a task that you
want to run regardless of whether the previous steps are successful or
not. For example, you might have a job step that needs to upload logs
or code-coverage data somewhere.
```

* re-add `when: always` to codecov job

* Implementation of isolation for EDS (#11672)

* Implementation of isolation for EDS

* Provide nil proxy for older calls

* Always call loadAssignmentsForClusterIsolated

* Revert "Always call loadAssignmentsForClusterIsolated"

This reverts commit db2c99778edb69a9522320a2271ec8b965bad450.

* Env variable to disable

* Lint

* Environment Variable controlled Graceful Termination with low defaults. (#11630)

* Feature flag graceful shutdown

Turn graceful shutdown off by default for 1.1 with a feature flag that allows users to opt-in.

Signed-off-by: Liam White <liam@tetrate.io>

* Address pr comments

Signed-off-by: Liam White <liam@tetrate.io>

* Clean up missed feature flag var

Signed-off-by: Liam White <liam@tetrate.io>

* Add turn off test case, todo comments and fix agent tests

Signed-off-by: Liam White <liam@tetrate.io>

* fix lint

Signed-off-by: Liam White <liam@tetrate.io>

* PR review comments

Signed-off-by: Liam White <liam@tetrate.io>

* Move TerminationDuration function and tests to Pilot features

Signed-off-by: Liam White <liam@tetrate.io>

* Update Proxy SHA to latest (release-1.1). (#11687)

Signed-off-by: Piotr Sikora <piotrsikora@google.com>

* Add empty check for proxy's locality (#11681)

Make sure an empty proxy locality falls back to using the proxy service's instance locality.

* Increase sleep value to account for Galley default aggregation of 1 sec with MCP (#11685)

* cache ServiceAccounts and remove it from Environment (#11442)

* cache ServiceAccounts and remove it from Environment

* use allServices var

* fix ut

* Adding Envoy bootstrap template for a custom Pilot implementation. (#11395)

* Adding Envoy bootstrap template for a custom Pilot implementation.

New template connects to Pilot using the Google gRPC Envoy client, which
allows performing authz by passing additional credentials. Placed into
install/gcp due to being GCP installation specific.

To enable this template, this introduces the {{ .discovery_address }} variable,
which passes the --discoveryAddress flag value "as is", without splitting it into
address/port_value parts as is currently done for the {{ .pilot_grpc_address }} variable.

* Removing static interception listener from gcp_envoy_bootstrap.json
as it is generated by the Pilot.

* Update bookinfo images, fix the script to bump bookinfo versions (#11701)

* add wildcard to digits in the sed regex, for setting version

* bump a minor version

* Add cli option to Galley to allow metadata on outgoing sink connections. (#11602)

* Add cli option to Galley to allow metadata on outgoing sink connections.

For use with sinkAddress, outgoing connections to MCP sink servers
will have gRPC stream metadata attached as defined by sinkMeta.

* Update sinkMeta to use key=value.

* Review comments.

* Error message if istioctl version doesn't match data plane version (#11592)

* Additional error text if istioctl version doesn't match data plane version

* Fix typo

* Revise wording of error msg

* Allow Envoy listener stats to be turned off/on with a pod annotation (#11398)

* If sidecar.istio.io/statsPatterns supplied, customize Envoy stats collection

* Versionize annotation tag

* Change annotation to sidecar.istio.io/v1alpha1/statsInclusionPrefixes per Doug Reid

* pin goimports in make fmt (#11645)

* fix fmt

Signed-off-by: Kuat Yessenov <kuat@google.com>

* trying to run docker in circle

Signed-off-by: Kuat Yessenov <kuat@google.com>

* trying to run docker in circle

Signed-off-by: Kuat Yessenov <kuat@google.com>

* circling

Signed-off-by: Kuat Yessenov <kuat@google.com>

* circling

Signed-off-by: Kuat Yessenov <kuat@google.com>

* just don't use circle

Signed-off-by: Kuat Yessenov <kuat@google.com>

* add comment

Signed-off-by: Kuat Yessenov <kuat@google.com>

* Adding namespace declaration in Grafana PersistentVolumeClaim (#11314)

When using the Helm chart with a user-specific namespace and Grafana persistency
enabled, the generated PersistentVolumeClaim for Grafana was missing a namespace,
leading to the Grafana pod being stuck in the Pending state.

* Fix the periodic builds, add a non-mcp to presubmit (#11703)

* Update api sha (#11709)

* issue #11244 - demo should install a default secret for kiali so out-of-box experience is nicer for users kicking the tires (#11272) (#11715)

(cherry picked from commit 1ad4e29576da6c722dcf19fc5df703beede92a4d)

* [WIP] Fix sync issue with policy enablement and check enablement (#11707)

* Fix sync issue with policy enablement and check enablement

* Remove outdated comment

* Fix deps and broken merge for mixer test

* Fix overly restrictive golang version match

* Fix integration test framework merge issues

* Fix line length lint issue

* handle multiple streams in nodeagent (#11738)

* service change

* unit test

* debug log

* lint

* remove annoying log

* Add duration time to stale EDS (#11568)

* Revert "Merge release-1.1 to master (#11722)" (#11761)

This reverts commit 727e719b56362060924cd75bef6ed731cc41b272.

* Rename node agent in README.md (#11751)

* Tests for drain duration function (#11691)

* Tests for drain duration function

Signed-off-by: Liam White <liam@tetrate.io>

* Licenses...

Signed-off-by: Liam White <liam@tetrate.io>

* typo

Signed-off-by: Liam White <liam@tetrate.io>

* Ability to override SAN from destination rule for ISTIO_MUTUAL (#11747)

* Add ability to override SAN from destination rule for ISTIO_MUTUAL

Fixes issue https://github.com/istio/istio/issues/11737

* Reformat code.

* Incremental EDS only needs updated service names (#11117)

* Configure envoy_bootstrap_v2.json to use the configured admin port (#11214)

* Configure envoy_bootstrap_v2.json to use the configured admin port

* Also set the prometheus_stats cluster's port

* Fix bootstrap tests that override admin port

* Allow ipv6 local traffic. (#10738)

* Allow specifying multiple egress host entries with same namespace (#11258)

* allow multiple hosts in same namespace in sidecar egress host

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* merge

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* undo

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* nit

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* lint

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* Galley: Include full Pod resource (#11323)

The ServiceEntry transformation requires the Pod status, which is
not included in the PodSpec. We need to pass through the entire
Pod proto, so that it's available for the conversion.

* Delete the obsolete service control adapter. (#11275)

* [DO NOT MERGE] Rollout Status timeout during e2e tests (#10996)

Addresses issue #9685

* Disable shared span context by default (#11281)

* Add logic to kubeenv adapter Close() to clean-up resources (#10839)

* Add logic to kubeenv adapter Close() to clean-up resources

* Add extra logging and robustness to daemon shutdown checking in runtime

* WIP

* Revert "WIP"

This reverts commit 74f22eced391bfbfb54834e7ffdc2505931b60b1.

* Increase unit test coverage

* Address review comments

* Ensure xenial base image present before building proxy_init (#11277)

* Update codecov to use skip file as threshold as well (#11294)

* Fix e2e-simple test flake (#11271)

* Fix e2e-simple test flake

istio-init.yaml was not being applied. At least on bare metal,
this caused e2e-simple to fail nearly 100% of the time in a race
between the kubeapi server applying CRDs and the application of
custom resources in the manifest.

This problem is less pervasive on slower (vm) environments.

* Fix a spelling error complaint from linter

* integrate new MCP stack into galley, pilot, and mixer (#11292)

This PR integrates the new MCP source/sink stack into Galley, Pilot,
and Mixer. The old stack is temporarily retained while we complete
extended scale/perf testing.

* Revert "Fix e2e-simple test flake (#11271)" (#11331)

This reverts commit f993e46d69c2ae4f990eabdfa377034f23c3b807.

* Update README.md (#9501)

* Add response_flags to metrics and logs (#9945)

* Use sdsName from Gateway config as the resource name in sds config (#11239)

* Use sdsName from Gateway config as the resource name in sds config

* Add test

* goimports

* Fix lint

* Fix test

* mixer: pod policy override (#10886)

* implement injection and override

Signed-off-by: Kuat Yessenov <kuat@google.com>

* lint

Signed-off-by: Kuat Yessenov <kuat@google.com>

* review

Signed-off-by: Kuat Yessenov <kuat@google.com>

* mend

* annotation from node metadata

Signed-off-by: Kuat Yessenov <kuat@google.com>

* fix a bug

Signed-off-by: Kuat Yessenov <kuat@google.com>

* Adding --controlPlaneBootstrap pilot-agent flag (#11212)

* Adding --controlPlaneBootstrap pilot-agent flag to explicitly enable
generation of Envoy bootstrap for Istio control plane components. Only
effective when --templateFile is provided as well.

If --templateFile is provided, but --controlPlaneBootstrap=false, then the
template file will be passed through regular bootstrap config
processing, replacing the default bootstrap config template.

The default flag value is "true" to be backward-compatible with existing
behavior, so that no other changes are required by other components that
rely on pilot-agent for control plane bootstrap config generation.

* Adding TODO to clean up Mixer and Pilot to use standard template

Mixer and Pilot use custom Envoy bootstrap templates that have special processing in pilot-agent. They should migrate to the standard bootstrap template, and the special processing should be removed from pilot-agent.

* Fixing formatting errors on pilot/cmd/pilot-agent/main.go

* [Galley] Restructure runtime package to support multiple states. (#11325)

* [Galley] Restructure runtime package to support multiple states.

This is a follow-on to #11162 that moves the runtime state as well as
its previously package-private dependencies into their
own packages. This allows new "states" to exist in separate packages
under runtime.

* addressing comments

* addressing comments

* extend istio-multi rbac rule (#11339)

* Galley file-source was occluding resources with the same name with different types in the same file (#11257)

* do not make PDB configurable (#11330)

* do not allow users to configure pdb

* remove maxUnavailable

* incorporate google CA's merge APIs change in nodeagent (#11341)

* merge api

* remove extra line

* Revert "Location based Load Balancing (#10720)" (#11371)

This reverts commit 3f0570653f37ecaa5ccb75df0cb9619f84419624.

* Support multiple Citadels running in one cluster. (#11312)

* Support multiple Citadels running.

* Small fix.

* Small fix.

* Small fix.

* consistent autoscaling config among control plane components (#11376)

* consistent autoscaling config among control plane components

* address Yossi comment

* add missing end

* use spec here

* support namespace/host in gateway (#11290)

* assorted cleanups

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* undo

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* Loosen secret type for ingress gateway (#11385)

* set concurrency according to cpu resource limit/request if it is not set (#11311)

* set concurrency according to cpu resource request if it is not set

* address comments

* fix ut

* fix ut

* fix ut

* run dep ensure

* cache proxy service instances to improve performance (#11368)

* cache proxy service instances to improve performance

* address comments & fix ut

* Support gateway agent to read TLS secret set by cert-manager (#11399)

* read tls secret format

* Update test

* fix lint

* fix lint

* fix lint

* update test

* format

* fix lint

* fix lint

* mixer: option for alternative language runtime (#11391)

* split the original PR

Signed-off-by: Kuat Yessenov <kuat@google.com>

* add annotation support

Signed-off-by: Kuat Yessenov <kuat@google.com>

* Exit on fatal logs (#11335)

* Exit on fatal logs

* Do not call Fatalf in the middle of Galley code

* envoy: use any instead of struct (#11419)

* fix tests

Signed-off-by: Kuat Yessenov <kuat@google.com>

* fix framework assuming json

Signed-off-by: Kuat Yessenov <kuat@google.com>

* add gates

Signed-off-by: Kuat Yessenov <kuat@google.com>

* fix superfluous condition in pdb. (#11413)

* Allow identity domain to be configured in istio: Ensure e2e tests are working with different identity domain (#9226)

* Refactor identity domain handling and adapt unit tests

Co-authored-by: Ulrich Kramer <u.kramer@sap.com>

* Fix goimports error

* set role.TrustDomain in pilot main

Co-authored-by: Holger Oehm <holger.oehm@sap.com>

* Add end to end test e2e_bookinfo_trustdomain

Co-authored-by: Holger Oehm <holger.oehm@sap.com>

* Use .Values.global.trustDomain as trustDomain for citadel

Co-authored-by: Holger Oehm <holger.oehm@sap.com>

* Removed commented out code

Co-authored-by: Jakob Schmid <jakob.schmid@sap.com>

* Remove fallback to domain for trust domain

This became necessary due to #11050, which always set the domain
command line flag for executables. But we didn't expect this flag to
have two different meanings (dns-domain and domain-suffix).

Co-authored-by: Ulrich Kramer <u.kramer@sap.com>

* Make TestDuplicateResourceNamesDifferentTypes have consistent ordering. (#11456)

* Adding support for named components to the test framework (#11440)

Each component can be created with a name and optionally a configuration. This allows multiple echo instances, policy backends, envoy proxies, etcetera to be managed independently. Also adding a standard way to configure components but support for that is in a followup.

* Galley support for MCP Source Client dial out (#11291)

* Auth plugin to be used for Galley callout.

* Lint

* Add unit tests.

* Mock Google credentials

* Galley callout code.

* Review comments, fix client_source test.

* Lint

* Switch callout.go to use patch table for test vars.

* Rename callout cli args.

* Increase coverage

* newcallout args, syncWG change.

* Fatal->Error

* Review comments

* Review comments.

* Update metadata model. (#11477)

This is split out from #11293

Supporting work for #10497 and #10589

* [pilot] Export virtual service and destination rule metadata (#11384)

* [pilot] Export virtual service and destination rule metadata

* fixup bad rebase

* restore lost test

* Small fixes

* use URL for rule uid and config as key

* goimports

* update unit tests to match code changes in previous commit

* goimports, redux

* Randomize Galley ports for integration testing (#11285)

* Randomize Galley port for code-coverage runs.

* Remove runaway empty test.

* Update istio-proxy for source.uid fix (#11428)

* Update gateway_test.go to check for overrides

* update to include new proxy

* linter fix

* update client tests for whitelisted attributes

* use source fixed build

* disable TestSecretCreationKubernetes (#11479)

* Fix e2e-simple test flake (#11356) (#11481)

istio-init.yaml was not being applied. At least on bare metal,
this caused e2e-simple to fail nearly 100% of the time in a race
between the kubeapi server applying CRDs and the application of
custom resources in the manifest.

This problem is less pervasive on slower (vm) environments.
(cherry picked from commit 1caa6cedcc7b0526f94bf3f9d3941df65ae4956f)

* Enhance MCP index function to support multiple groups (#11478)

This is split out from #11293

In #11293 we modify the index function to return a different group when choosing the synthetic ServiceEntry collection.

Support for #10497 and #10589

* Zipkin adapter supporting the tracespan template (#11282) (#11483)

* Zipkin adapter supporting the tracespan template (#11282)

* Zipkin adapter supporting the tracespan template

* Refactored generic OpenCensus trace support into a helper package
* Use this to implement Zipkin support using OpenCensus Zipkin exporter

* regenerate template.

* lint. move crd.

* dep ensure.

* new line.

* add zipkin to galley.

* dep ensure

* Default exports, and config root namespace (#11387)

* default exportTo flags

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* format

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* nit

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* compile fix

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* helm stuff

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* istio-config namespace and default sidecar scope

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* spell fix

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* nits

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* reorder initialization steps

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* test compile fixes

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* helm tweaks

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* missing helm file

* allow ~ in sidecar imports

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* bad copy paste

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* test fix

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* undo framework change

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* Revert "bad copy paste"

This reverts commit 934b54a922dd0a6102016901b77badba7774090f.

* Revert "missing helm file"

This reverts commit 992685db5e1fe3f68a484f01dac21f44c66acc8e.

* Revert "helm tweaks"

This reverts commit 5b78b920d18379253ea7c8ae37fd0c0611180c75.

* redos

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* lists

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* quotes

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* tests

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* undos

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* Fixing race condition in Galley Server.Close() (#11484)

The issue was introduced by #11285

It causes a race with the startup of the gRPC server, which leads to a segfault. From prow logs:

```
=== RUN TestServer_Basic
2019-02-01T20:33:05.867746Z	info	ControlZ available at 10.44.58.28:9876
2019-02-01T20:33:05.867968Z	info	ControlZ terminated
2019-02-01T20:33:05.867987Z	info	runtime	Stopping processor...
2019-02-01T20:33:05.868000Z	warn	runtime	Processor has already stopped
2019-02-01T20:33:05.867798Z	info	runtime	Starting processor...
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x28 pc=0x9e4bc8]

goroutine 148 [running]:
istio.io/istio/vendor/google.golang.org/grpc.(*Server).Serve(0xc42046d080, 0x0, 0x0, 0x0, 0x0)
	/home/prow/go/src/istio.io/istio/vendor/google.golang.org/grpc/server.go:522 +0x748
istio.io/istio/galley/pkg/server.(*Server).Run.func1(0xc4202d9490)
	/home/prow/go/src/istio.io/istio/galley/pkg/server/server.go:242 +0xfb
created by istio.io/istio/galley/pkg/server.(*Server).Run
	/home/prow/go/src/istio.io/istio/galley/pkg/server/server.go:233 +0x5c
FAIL	istio.io/istio/galley/pkg/server	0.383s
```

* add labels to services and deployments (#11503)

* Make custom gateway work (#11320)

Signed-off-by: clyang82 <clyang@cn.ibm.com>

* Add missing values global object and template (#11500)

* Envoy Graceful Shutdown (#11485)

* Add Draining bootstrap to Proxies

Signed-off-by: Liam White <liam@tetrate.io>

* Drain open connections

Signed-off-by: Liam White <liam@tetrate.io>

* typo and makefile fix for drain config

Signed-off-by: Liam White <liam@tetrate.io>

* Add proxy agent tests for draining

Signed-off-by: Liam White <liam@tetrate.io>

* appease our golangcibot overlord

Signed-off-by: Liam White <liam@tetrate.io>

* Windows Go doesn't have syscall.Kill

Signed-off-by: Liam White <liam@tetrate.io>

* Add mixer status to access log (#11471)

* Add mixer status to access log

Signed-off-by: Lizan Zhou <lizan@tetrate.io>

* review

Signed-off-by: Lizan Zhou <lizan@tetrate.io>

* fixing default exports (#11507)

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

* HTTP probe rewrite for webhook part. (#10470)

* injector changes for health check, pilot agent take over app readiness check. (#9266)

* WIP injector change to modify istio-proxy.

* move out to app_probe.go

* Iterating sidecartmpl to find the statusPort.

* use the same name for ready path.

* Get rewrite work, almost.

* Some clean up on test and check one container criteria.

* fix the injected test file.

* Add inject test for readiness probe itself.

* Add missing added test file.

* fix helm test.

* fix lint.

* update header based finding the port.

* return to previous injected file status.

* fixing TestIntoResource test.

* sed fixing all remaining injecting files.

* handling named port.

* fixing merge failure.

* remove the debug print.

* lint fixing.

* Apply the suggestions for finding statusPort arg.

* Address comments, regex support more port value format.

* add app_probe_test.go

* add more test.

* merge fix the test.

* webhook autoinject is ready for review.

* Squashed commit of the following:

commit 501b92c76c010d3adcd2e52a9abe8cb149eb90f2
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 29 18:13:30 2019 -0800

    renaming env var.

commit 1a82b2c0de292a34643f59ce802858c8d26a7a46
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 29 17:59:25 2019 -0800

    finish migrating test to yaml file based.

commit 99bda1d7d2521b965a0f71e28d235ada469ba7b7
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 29 13:55:00 2019 -0800

    get test working.

commit 28225cd409c7790636c11da74ad8f69d0e7cf89b
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 29 13:49:58 2019 -0800

    WIP add some test files.

commit 612b8aa3db468850d8e34f47d0dc05c536f57dde
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 29 13:13:06 2019 -0800

    WIP changing to using the environment var.

commit 7dabcb1695fa375de1b93add014528ae7509c94c
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 29 10:52:47 2019 -0800

    add todo for the tests.

commit 7af6ba524176616d67d35867665225e27f4a96ce
Merge: ca22277d7 4b7b13aef
Author: Jianfei Hu <jianfeih@google.com>
Date:   Tue Jan 29 10:47:17 2019 -0800

    Merge branch 'release-1.1' of https://github.com/istio/istio into health-wip

commit ca22277d76ed8d1c1b7c3b44cb05edfe52ccf861
Merge: 98fd48f59 744b07ad2
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Jan 28 23:15:34 2019 -0800

    Merge branch 'health-wip' of https://github.com/incfly/istio into health-wip

commit 98fd48f59f748bafe5e8518bff3d8cbfd64a2135
Author: Jianfei Hu <jianfeih@google.com>
Date:   Mon Jan 28 23:15:00 2019 -0800

    findsidecar.

commit 744b07ad2406d1eb94bcf5492125f91486ad6b10
Author: Jianfei Hu <jianfeih@goo…